Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
162s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
11/10/2023, 06:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e1595f751a2a23185cfd78f911031fc1_JC.exe
Resource
win7-20230831-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
e1595f751a2a23185cfd78f911031fc1_JC.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
e1595f751a2a23185cfd78f911031fc1_JC.exe
-
Size
96KB
-
MD5
e1595f751a2a23185cfd78f911031fc1
-
SHA1
dd04c1d8e72c2eeae3ee9809d9af961e7c6106b0
-
SHA256
6e098e753b4d0755b7cc643013881e371a5a233dd9db45c92c5aea199faae844
-
SHA512
350d377099d16d2226f15b4a2b885785a051007f9b1cf8a8d6f705ec23b9748c8525c96f3c99c14ce69cee62d7798e342c882f45c5902cf50b4c14d90a324e5f
-
SSDEEP
1536:s9K9EnmKoYJ05k+zIvALWM8tJPm/np6vzppq+GEJOiXduV9jojTIvjrH:ss9rYJPv//m/poC+GEJO+d69jc0vf
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmpdmfff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hchpjddc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmdohj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okhefl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Boainhic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfoffmhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oajopl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnojpdfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kambcbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjkpng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnopmegg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lghgocek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iedmhlqf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdjljpnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miiofn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lghgocek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahbqliap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hohhfbkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpgaohej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" e1595f751a2a23185cfd78f911031fc1_JC.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhcmedli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ficehj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Acohnhab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccoplcii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqqqokla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afmokbop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qncfphff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlhdjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddqeodjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndpmbjbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abnbccia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Halkahoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpppbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfebnmcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akpmhdqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aelgdhei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjdonndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bikemiik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffdgef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plpopddd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fappgflg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfflfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmamliin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Faopib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkhocj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nndemg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omcngamh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oqajqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amoibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elpqemll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehnknfdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plpopddd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nndemg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdjckfda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bapcaocc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fappgflg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akpmhdqd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnpgmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coidpiac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehgaknbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oojhfj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipameehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abnbccia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hchpjddc.exe -
Executes dropped EXE 64 IoCs
pid Process 2088 Hkiicmdh.exe 2760 Hfhcoj32.exe 2864 Ilnomp32.exe 2724 Ippdgc32.exe 2944 Jpigma32.exe 676 Kdpfadlm.exe 1056 Lldmleam.exe 524 Njfjnpgp.exe 2632 Aomnhd32.exe 2348 Cgoelh32.exe 1292 Dbaice32.exe 1304 Ibipmiek.exe 1644 Jfdhmk32.exe 2272 Khadpa32.exe 2536 Ljigih32.exe 2892 Mhcmedli.exe 2212 Mimpkcdn.exe 3012 Nfgjml32.exe 2664 Objjnkie.exe 1372 Plpopddd.exe 2144 Pfebnmcj.exe 552 Qlfdac32.exe 2040 Fdgdji32.exe 2020 Hjfnnajl.exe 864 Iakino32.exe 2184 Jpjifjdg.exe 2288 Kambcbhb.exe 2712 Lplbjm32.exe 1696 Lnkege32.exe 2752 Mcaafk32.exe 2452 Ndlpdbnj.exe 2384 Nndemg32.exe 1816 Okhefl32.exe 1516 Oaigib32.exe 2656 Obkcajde.exe 2772 Pnhjgj32.exe 2828 Pmpdmfff.exe 1040 Pdjljpnc.exe 888 Aebobgmi.exe 1952 Ficehj32.exe 2672 Hagianlf.exe 616 Omcngamh.exe 2404 Qncfphff.exe 2316 Apilcoho.exe 2300 Amoibc32.exe 648 Cdpdnpif.exe 1324 Fappgflg.exe 1344 Johoic32.exe 2648 Kkalcdao.exe 1628 Lepclldc.exe 1676 Miiofn32.exe 2016 Ojndpqpq.exe 1728 Pofldf32.exe 1200 Pgcnnh32.exe 752 Pegnglnm.exe 2176 Acohnhab.exe 2524 Beggec32.exe 2588 Gddobpbe.exe 2840 Iopeoknn.exe 2448 Laackgka.exe 2512 Lhklha32.exe 1920 Mhfoleio.exe 564 Oaciom32.exe 2620 Oajopl32.exe -
Loads dropped DLL 64 IoCs
pid Process 2852 e1595f751a2a23185cfd78f911031fc1_JC.exe 2852 e1595f751a2a23185cfd78f911031fc1_JC.exe 2088 Hkiicmdh.exe 2088 Hkiicmdh.exe 2760 Hfhcoj32.exe 2760 Hfhcoj32.exe 2864 Ilnomp32.exe 2864 Ilnomp32.exe 2724 Ippdgc32.exe 2724 Ippdgc32.exe 2944 Jpigma32.exe 2944 Jpigma32.exe 676 Kdpfadlm.exe 676 Kdpfadlm.exe 1056 Lldmleam.exe 1056 Lldmleam.exe 524 Njfjnpgp.exe 524 Njfjnpgp.exe 2632 Aomnhd32.exe 2632 Aomnhd32.exe 2348 Cgoelh32.exe 2348 Cgoelh32.exe 1292 Dbaice32.exe 1292 Dbaice32.exe 1304 Ibipmiek.exe 1304 Ibipmiek.exe 1644 Jfdhmk32.exe 1644 Jfdhmk32.exe 2272 Khadpa32.exe 2272 Khadpa32.exe 2536 Ljigih32.exe 2536 Ljigih32.exe 2892 Mhcmedli.exe 2892 Mhcmedli.exe 2212 Mimpkcdn.exe 2212 Mimpkcdn.exe 3012 Nfgjml32.exe 3012 Nfgjml32.exe 2664 Objjnkie.exe 2664 Objjnkie.exe 1372 Plpopddd.exe 1372 Plpopddd.exe 2144 Pfebnmcj.exe 2144 Pfebnmcj.exe 552 Qlfdac32.exe 552 Qlfdac32.exe 2040 Fdgdji32.exe 2040 Fdgdji32.exe 2020 Hjfnnajl.exe 2020 Hjfnnajl.exe 864 Iakino32.exe 864 Iakino32.exe 2184 Jpjifjdg.exe 2184 Jpjifjdg.exe 2288 Kambcbhb.exe 2288 Kambcbhb.exe 2712 Lplbjm32.exe 2712 Lplbjm32.exe 1696 Lnkege32.exe 1696 Lnkege32.exe 2752 Mcaafk32.exe 2752 Mcaafk32.exe 2452 Ndlpdbnj.exe 2452 Ndlpdbnj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fkfcdpfg.exe Coidpiac.exe File created C:\Windows\SysWOW64\Ffdgef32.exe Fjimefie.exe File created C:\Windows\SysWOW64\Gekdej32.dll Fnbhmlkk.exe File created C:\Windows\SysWOW64\Iijbnkne.exe Ipameehe.exe File created C:\Windows\SysWOW64\Ldbjai32.dll Mdlfpcnd.exe File created C:\Windows\SysWOW64\Jgidhgbh.dll Blkoocfl.exe File opened for modification C:\Windows\SysWOW64\Hjdfgojp.exe Hbmnfajm.exe File created C:\Windows\SysWOW64\Ipckannc.dll Hebqbl32.exe File created C:\Windows\SysWOW64\Mamjchoa.exe Makmnh32.exe File created C:\Windows\SysWOW64\Heiomc32.dll Fkfcdpfg.exe File opened for modification C:\Windows\SysWOW64\Hagianlf.exe Ficehj32.exe File created C:\Windows\SysWOW64\Oaciom32.exe Mhfoleio.exe File created C:\Windows\SysWOW64\Ipmohome.dll Hfflfp32.exe File created C:\Windows\SysWOW64\Fpcqnh32.dll Jlhjijpe.exe File created C:\Windows\SysWOW64\Nlgqod32.dll Cbcdjpba.exe File opened for modification C:\Windows\SysWOW64\Lkahbkgk.exe Jollgl32.exe File opened for modification C:\Windows\SysWOW64\Cpnchjpa.exe Cbjbof32.exe File opened for modification C:\Windows\SysWOW64\Jpjifjdg.exe Iakino32.exe File created C:\Windows\SysWOW64\Aebobgmi.exe Pdjljpnc.exe File created C:\Windows\SysWOW64\Omcngamh.exe Hagianlf.exe File opened for modification C:\Windows\SysWOW64\Pegnglnm.exe Pgcnnh32.exe File created C:\Windows\SysWOW64\Kneacffj.dll Ipameehe.exe File created C:\Windows\SysWOW64\Iiicgkof.dll Mhpigk32.exe File opened for modification C:\Windows\SysWOW64\Fjimefie.exe Fgjpijjb.exe File opened for modification C:\Windows\SysWOW64\Pfebnmcj.exe Plpopddd.exe File created C:\Windows\SysWOW64\Khejqp32.dll Hjplao32.exe File created C:\Windows\SysWOW64\Opqjjalh.dll Nqijmkfm.exe File created C:\Windows\SysWOW64\Kdqgpq32.dll Pejejkhl.exe File created C:\Windows\SysWOW64\Cjdonndl.exe Cplkehnk.exe File created C:\Windows\SysWOW64\Dqqqokla.exe Dnbdbomn.exe File created C:\Windows\SysWOW64\Impblnna.exe Iedmhlqf.exe File created C:\Windows\SysWOW64\Mefnjbik.dll Afmokbop.exe File opened for modification C:\Windows\SysWOW64\Kdpfadlm.exe Jpigma32.exe File created C:\Windows\SysWOW64\Apimlcdc.dll Plpopddd.exe File created C:\Windows\SysWOW64\Omlahqeo.exe Kdooij32.exe File created C:\Windows\SysWOW64\Idjfdadn.dll Kpblne32.exe File created C:\Windows\SysWOW64\Mnpicg32.dll Anfjpa32.exe File created C:\Windows\SysWOW64\Bfoffmhd.exe Bdpjjaiq.exe File created C:\Windows\SysWOW64\Hojeka32.exe Hebqbl32.exe File created C:\Windows\SysWOW64\Jfdhmk32.exe Ibipmiek.exe File created C:\Windows\SysWOW64\Aknpmobg.dll Obkcajde.exe File opened for modification C:\Windows\SysWOW64\Ojndpqpq.exe Miiofn32.exe File created C:\Windows\SysWOW64\Bhiglh32.exe Akpmhdqd.exe File created C:\Windows\SysWOW64\Nqjmec32.exe Npecjdaf.exe File created C:\Windows\SysWOW64\Fjhjlm32.exe Eqklhh32.exe File created C:\Windows\SysWOW64\Miiofn32.exe Lepclldc.exe File created C:\Windows\SysWOW64\Hchpjddc.exe Hjplao32.exe File created C:\Windows\SysWOW64\Npecjdaf.exe Nocgbl32.exe File created C:\Windows\SysWOW64\Jeapek32.dll Amledj32.exe File created C:\Windows\SysWOW64\Ffglae32.dll Fehjcc32.exe File opened for modification C:\Windows\SysWOW64\Amidmldj.exe Aikkgnnc.exe File created C:\Windows\SysWOW64\Kdpfadlm.exe Jpigma32.exe File opened for modification C:\Windows\SysWOW64\Qlfdac32.exe Pfebnmcj.exe File created C:\Windows\SysWOW64\Hjfnnajl.exe Fdgdji32.exe File created C:\Windows\SysWOW64\Baannfim.exe Bikemiik.exe File created C:\Windows\SysWOW64\Dpdoea32.dll Baannfim.exe File created C:\Windows\SysWOW64\Mjdicq32.dll Impblnna.exe File created C:\Windows\SysWOW64\Mimpkcdn.exe Mhcmedli.exe File created C:\Windows\SysWOW64\Pbkgegad.exe Omlahqeo.exe File created C:\Windows\SysWOW64\Akpmhdqd.exe Ahbqliap.exe File opened for modification C:\Windows\SysWOW64\Ogfagmck.exe Nqlikc32.exe File created C:\Windows\SysWOW64\Afamgpga.exe Aofhcmig.exe File created C:\Windows\SysWOW64\Kepgjk32.dll Lhklha32.exe File created C:\Windows\SysWOW64\Ichlpm32.dll Omlahqeo.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfhdke32.dll" Pgcnnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jeblgodb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idjfdadn.dll" Kpblne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjbcfc32.dll" Hohhfbkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Impblnna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqmijp32.dll" Jfoeqmfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebmjlg32.dll" Hfhcoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mphajbdq.dll" Cdpdnpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpckee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpnchjpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqacmd32.dll" Ekcpdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mimpkcdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefnockl.dll" Mcaafk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aebobgmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjkpng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbchijge.dll" Pbnfdpge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dpedmhfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eqklhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcfbigh.dll" Bhmonoli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idiphpjd.dll" Nqjmec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Beccgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qehlbk32.dll" Jpgaohej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpoenh32.dll" Khadpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epjecp32.dll" Omcngamh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Beggec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Elgioe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Peaibajp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfmjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhmbfhfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Coidpiac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlkonhkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofnigm32.dll" Dbaice32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Alfdcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apeblc32.dll" Njmejaqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkhbkg32.dll" Ajpgkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jfdhmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blbjlj32.dll" Jpjifjdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fappgflg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gekdej32.dll" Fnbhmlkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lolbjahp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pddlggin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jollgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pimimg32.dll" Aofhcmig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amledj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blkoocfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hebqbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Janbihjm.dll" Bpajjmon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmadag32.dll" Dbjonicb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnogkqfo.dll" Gddobpbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhfeiqmh.dll" Gpjilj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcjcpm32.dll" Nhjofbdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nqjmec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnojpdfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pejejkhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfcqoe32.dll" Jggljqcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnooj32.dll" Cbjbof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 e1595f751a2a23185cfd78f911031fc1_JC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jpjifjdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Miphjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpckee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbnleo32.dll" Hpckee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iedmhlqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpihinap.dll" Amidmldj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhnoahal.dll" Enblpe32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2852 wrote to memory of 2088 2852 e1595f751a2a23185cfd78f911031fc1_JC.exe 27 PID 2852 wrote to memory of 2088 2852 e1595f751a2a23185cfd78f911031fc1_JC.exe 27 PID 2852 wrote to memory of 2088 2852 e1595f751a2a23185cfd78f911031fc1_JC.exe 27 PID 2852 wrote to memory of 2088 2852 e1595f751a2a23185cfd78f911031fc1_JC.exe 27 PID 2088 wrote to memory of 2760 2088 Hkiicmdh.exe 28 PID 2088 wrote to memory of 2760 2088 Hkiicmdh.exe 28 PID 2088 wrote to memory of 2760 2088 Hkiicmdh.exe 28 PID 2088 wrote to memory of 2760 2088 Hkiicmdh.exe 28 PID 2760 wrote to memory of 2864 2760 Hfhcoj32.exe 29 PID 2760 wrote to memory of 2864 2760 Hfhcoj32.exe 29 PID 2760 wrote to memory of 2864 2760 Hfhcoj32.exe 29 PID 2760 wrote to memory of 2864 2760 Hfhcoj32.exe 29 PID 2864 wrote to memory of 2724 2864 Ilnomp32.exe 30 PID 2864 wrote to memory of 2724 2864 Ilnomp32.exe 30 PID 2864 wrote to memory of 2724 2864 Ilnomp32.exe 30 PID 2864 wrote to memory of 2724 2864 Ilnomp32.exe 30 PID 2724 wrote to memory of 2944 2724 Ippdgc32.exe 31 PID 2724 wrote to memory of 2944 2724 Ippdgc32.exe 31 PID 2724 wrote to memory of 2944 2724 Ippdgc32.exe 31 PID 2724 wrote to memory of 2944 2724 Ippdgc32.exe 31 PID 2944 wrote to memory of 676 2944 Jpigma32.exe 32 PID 2944 wrote to memory of 676 2944 Jpigma32.exe 32 PID 2944 wrote to memory of 676 2944 Jpigma32.exe 32 PID 2944 wrote to memory of 676 2944 Jpigma32.exe 32 PID 676 wrote to memory of 1056 676 Kdpfadlm.exe 33 PID 676 wrote to memory of 1056 676 Kdpfadlm.exe 33 PID 676 wrote to memory of 1056 676 Kdpfadlm.exe 33 PID 676 wrote to memory of 1056 676 Kdpfadlm.exe 33 PID 1056 wrote to memory of 524 1056 Lldmleam.exe 34 PID 1056 wrote to memory of 524 1056 Lldmleam.exe 34 PID 1056 wrote to memory of 524 1056 Lldmleam.exe 34 PID 1056 wrote to memory of 524 1056 Lldmleam.exe 34 PID 524 wrote to memory of 2632 524 Njfjnpgp.exe 35 PID 524 wrote to memory of 2632 524 Njfjnpgp.exe 35 PID 524 wrote to memory of 2632 524 Njfjnpgp.exe 35 PID 524 wrote to memory of 2632 524 Njfjnpgp.exe 35 PID 2632 wrote to memory of 2348 2632 Aomnhd32.exe 36 PID 2632 wrote to memory of 2348 2632 Aomnhd32.exe 36 PID 2632 wrote to memory of 2348 2632 Aomnhd32.exe 36 PID 2632 wrote to memory of 2348 2632 Aomnhd32.exe 36 PID 2348 wrote to memory of 1292 2348 Cgoelh32.exe 37 PID 2348 wrote to memory of 1292 2348 Cgoelh32.exe 37 PID 2348 wrote to memory of 1292 2348 Cgoelh32.exe 37 PID 2348 wrote to memory of 1292 2348 Cgoelh32.exe 37 PID 1292 wrote to memory of 1304 1292 Dbaice32.exe 38 PID 1292 wrote to memory of 1304 1292 Dbaice32.exe 38 PID 1292 wrote to memory of 1304 1292 Dbaice32.exe 38 PID 1292 wrote to memory of 1304 1292 Dbaice32.exe 38 PID 1304 wrote to memory of 1644 1304 Ibipmiek.exe 39 PID 1304 wrote to memory of 1644 1304 Ibipmiek.exe 39 PID 1304 wrote to memory of 1644 1304 Ibipmiek.exe 39 PID 1304 wrote to memory of 1644 1304 Ibipmiek.exe 39 PID 1644 wrote to memory of 2272 1644 Jfdhmk32.exe 40 PID 1644 wrote to memory of 2272 1644 Jfdhmk32.exe 40 PID 1644 wrote to memory of 2272 1644 Jfdhmk32.exe 40 PID 1644 wrote to memory of 2272 1644 Jfdhmk32.exe 40 PID 2272 wrote to memory of 2536 2272 Khadpa32.exe 42 PID 2272 wrote to memory of 2536 2272 Khadpa32.exe 42 PID 2272 wrote to memory of 2536 2272 Khadpa32.exe 42 PID 2272 wrote to memory of 2536 2272 Khadpa32.exe 42 PID 2536 wrote to memory of 2892 2536 Ljigih32.exe 43 PID 2536 wrote to memory of 2892 2536 Ljigih32.exe 43 PID 2536 wrote to memory of 2892 2536 Ljigih32.exe 43 PID 2536 wrote to memory of 2892 2536 Ljigih32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\e1595f751a2a23185cfd78f911031fc1_JC.exe"C:\Users\Admin\AppData\Local\Temp\e1595f751a2a23185cfd78f911031fc1_JC.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Hkiicmdh.exeC:\Windows\system32\Hkiicmdh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Hfhcoj32.exeC:\Windows\system32\Hfhcoj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Ilnomp32.exeC:\Windows\system32\Ilnomp32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Ippdgc32.exeC:\Windows\system32\Ippdgc32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Jpigma32.exeC:\Windows\system32\Jpigma32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Kdpfadlm.exeC:\Windows\system32\Kdpfadlm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:676 -
C:\Windows\SysWOW64\Lldmleam.exeC:\Windows\system32\Lldmleam.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Njfjnpgp.exeC:\Windows\system32\Njfjnpgp.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:524 -
C:\Windows\SysWOW64\Aomnhd32.exeC:\Windows\system32\Aomnhd32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Cgoelh32.exeC:\Windows\system32\Cgoelh32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Dbaice32.exeC:\Windows\system32\Dbaice32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\SysWOW64\Ibipmiek.exeC:\Windows\system32\Ibipmiek.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\Jfdhmk32.exeC:\Windows\system32\Jfdhmk32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Khadpa32.exeC:\Windows\system32\Khadpa32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Ljigih32.exeC:\Windows\system32\Ljigih32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Mhcmedli.exeC:\Windows\system32\Mhcmedli.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2892 -
C:\Windows\SysWOW64\Mimpkcdn.exeC:\Windows\system32\Mimpkcdn.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Nfgjml32.exeC:\Windows\system32\Nfgjml32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\Objjnkie.exeC:\Windows\system32\Objjnkie.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2664 -
C:\Windows\SysWOW64\Plpopddd.exeC:\Windows\system32\Plpopddd.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1372 -
C:\Windows\SysWOW64\Pfebnmcj.exeC:\Windows\system32\Pfebnmcj.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Qlfdac32.exeC:\Windows\system32\Qlfdac32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:552 -
C:\Windows\SysWOW64\Fdgdji32.exeC:\Windows\system32\Fdgdji32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2040 -
C:\Windows\SysWOW64\Hjfnnajl.exeC:\Windows\system32\Hjfnnajl.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2020 -
C:\Windows\SysWOW64\Iakino32.exeC:\Windows\system32\Iakino32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:864 -
C:\Windows\SysWOW64\Jpjifjdg.exeC:\Windows\system32\Jpjifjdg.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Kambcbhb.exeC:\Windows\system32\Kambcbhb.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Lplbjm32.exeC:\Windows\system32\Lplbjm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Lnkege32.exeC:\Windows\system32\Lnkege32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Mcaafk32.exeC:\Windows\system32\Mcaafk32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Ndlpdbnj.exeC:\Windows\system32\Ndlpdbnj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Nndemg32.exeC:\Windows\system32\Nndemg32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Okhefl32.exeC:\Windows\system32\Okhefl32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Oaigib32.exeC:\Windows\system32\Oaigib32.exe35⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Obkcajde.exeC:\Windows\system32\Obkcajde.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\Pnhjgj32.exeC:\Windows\system32\Pnhjgj32.exe37⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Pmpdmfff.exeC:\Windows\system32\Pmpdmfff.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Pdjljpnc.exeC:\Windows\system32\Pdjljpnc.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1040 -
C:\Windows\SysWOW64\Aebobgmi.exeC:\Windows\system32\Aebobgmi.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Ficehj32.exeC:\Windows\system32\Ficehj32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1952 -
C:\Windows\SysWOW64\Hagianlf.exeC:\Windows\system32\Hagianlf.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Omcngamh.exeC:\Windows\system32\Omcngamh.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:616 -
C:\Windows\SysWOW64\Qncfphff.exeC:\Windows\system32\Qncfphff.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Apilcoho.exeC:\Windows\system32\Apilcoho.exe45⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Amoibc32.exeC:\Windows\system32\Amoibc32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Cdpdnpif.exeC:\Windows\system32\Cdpdnpif.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:648 -
C:\Windows\SysWOW64\Fappgflg.exeC:\Windows\system32\Fappgflg.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1324 -
C:\Windows\SysWOW64\Johoic32.exeC:\Windows\system32\Johoic32.exe49⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Kkalcdao.exeC:\Windows\system32\Kkalcdao.exe50⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Lepclldc.exeC:\Windows\system32\Lepclldc.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Miiofn32.exeC:\Windows\system32\Miiofn32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1676 -
C:\Windows\SysWOW64\Ojndpqpq.exeC:\Windows\system32\Ojndpqpq.exe53⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Pofldf32.exeC:\Windows\system32\Pofldf32.exe54⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Pgcnnh32.exeC:\Windows\system32\Pgcnnh32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1200 -
C:\Windows\SysWOW64\Pegnglnm.exeC:\Windows\system32\Pegnglnm.exe56⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Acohnhab.exeC:\Windows\system32\Acohnhab.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Beggec32.exeC:\Windows\system32\Beggec32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Gddobpbe.exeC:\Windows\system32\Gddobpbe.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Iopeoknn.exeC:\Windows\system32\Iopeoknn.exe60⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Laackgka.exeC:\Windows\system32\Laackgka.exe61⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Lhklha32.exeC:\Windows\system32\Lhklha32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2512 -
C:\Windows\SysWOW64\Mhfoleio.exeC:\Windows\system32\Mhfoleio.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1920 -
C:\Windows\SysWOW64\Oaciom32.exeC:\Windows\system32\Oaciom32.exe64⤵
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Oajopl32.exeC:\Windows\system32\Oajopl32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Bomhnb32.exeC:\Windows\system32\Bomhnb32.exe66⤵PID:2836
-
C:\Windows\SysWOW64\Cglfndaa.exeC:\Windows\system32\Cglfndaa.exe67⤵PID:2372
-
C:\Windows\SysWOW64\Ddliklgk.exeC:\Windows\system32\Ddliklgk.exe68⤵PID:1960
-
C:\Windows\SysWOW64\Elpqemll.exeC:\Windows\system32\Elpqemll.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1660 -
C:\Windows\SysWOW64\Ecjibgdh.exeC:\Windows\system32\Ecjibgdh.exe70⤵PID:916
-
C:\Windows\SysWOW64\Ehgaknbp.exeC:\Windows\system32\Ehgaknbp.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1528 -
C:\Windows\SysWOW64\Eclfhgaf.exeC:\Windows\system32\Eclfhgaf.exe72⤵PID:1308
-
C:\Windows\SysWOW64\Fjaqhe32.exeC:\Windows\system32\Fjaqhe32.exe73⤵PID:2876
-
C:\Windows\SysWOW64\Gpjilj32.exeC:\Windows\system32\Gpjilj32.exe74⤵
- Modifies registry class
PID:2276 -
C:\Windows\SysWOW64\Hjkpng32.exeC:\Windows\system32\Hjkpng32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Nbfobllj.exeC:\Windows\system32\Nbfobllj.exe76⤵PID:2348
-
C:\Windows\SysWOW64\Agdlfd32.exeC:\Windows\system32\Agdlfd32.exe77⤵PID:2612
-
C:\Windows\SysWOW64\Dlhdjh32.exeC:\Windows\system32\Dlhdjh32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1948 -
C:\Windows\SysWOW64\Lnopmegg.exeC:\Windows\system32\Lnopmegg.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:624 -
C:\Windows\SysWOW64\Oojhfj32.exeC:\Windows\system32\Oojhfj32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2212 -
C:\Windows\SysWOW64\Ddqeodjj.exeC:\Windows\system32\Ddqeodjj.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1300 -
C:\Windows\SysWOW64\Emkfmioh.exeC:\Windows\system32\Emkfmioh.exe82⤵PID:1296
-
C:\Windows\SysWOW64\Elqcnfdp.exeC:\Windows\system32\Elqcnfdp.exe83⤵PID:1804
-
C:\Windows\SysWOW64\Elgioe32.exeC:\Windows\system32\Elgioe32.exe84⤵
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Fnbhmlkk.exeC:\Windows\system32\Fnbhmlkk.exe85⤵
- Drops file in System32 directory
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Fdlqjf32.exeC:\Windows\system32\Fdlqjf32.exe86⤵PID:2732
-
C:\Windows\SysWOW64\Gmloigln.exeC:\Windows\system32\Gmloigln.exe87⤵PID:2596
-
C:\Windows\SysWOW64\Gfdcbmbn.exeC:\Windows\system32\Gfdcbmbn.exe88⤵PID:1656
-
C:\Windows\SysWOW64\Hjplao32.exeC:\Windows\system32\Hjplao32.exe89⤵
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Hchpjddc.exeC:\Windows\system32\Hchpjddc.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2416 -
C:\Windows\SysWOW64\Hfflfp32.exeC:\Windows\system32\Hfflfp32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:464 -
C:\Windows\SysWOW64\Ilceog32.exeC:\Windows\system32\Ilceog32.exe92⤵PID:2464
-
C:\Windows\SysWOW64\Icjmpd32.exeC:\Windows\system32\Icjmpd32.exe93⤵PID:2140
-
C:\Windows\SysWOW64\Ipameehe.exeC:\Windows\system32\Ipameehe.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2668 -
C:\Windows\SysWOW64\Iijbnkne.exeC:\Windows\system32\Iijbnkne.exe95⤵PID:2768
-
C:\Windows\SysWOW64\Jlhjijpe.exeC:\Windows\system32\Jlhjijpe.exe96⤵
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Joicje32.exeC:\Windows\system32\Joicje32.exe97⤵PID:680
-
C:\Windows\SysWOW64\Jeblgodb.exeC:\Windows\system32\Jeblgodb.exe98⤵
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Kdooij32.exeC:\Windows\system32\Kdooij32.exe99⤵
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Omlahqeo.exeC:\Windows\system32\Omlahqeo.exe100⤵
- Drops file in System32 directory
PID:1652 -
C:\Windows\SysWOW64\Pbkgegad.exeC:\Windows\system32\Pbkgegad.exe101⤵PID:836
-
C:\Windows\SysWOW64\Peaibajp.exeC:\Windows\system32\Peaibajp.exe102⤵
- Modifies registry class
PID:1120 -
C:\Windows\SysWOW64\Phoeomjc.exeC:\Windows\system32\Phoeomjc.exe103⤵PID:2296
-
C:\Windows\SysWOW64\Alfdcp32.exeC:\Windows\system32\Alfdcp32.exe104⤵
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Kpblne32.exeC:\Windows\system32\Kpblne32.exe105⤵
- Drops file in System32 directory
- Modifies registry class
PID:596 -
C:\Windows\SysWOW64\Lolbjahp.exeC:\Windows\system32\Lolbjahp.exe106⤵
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Lghgocek.exeC:\Windows\system32\Lghgocek.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2896 -
C:\Windows\SysWOW64\Lcqdidim.exeC:\Windows\system32\Lcqdidim.exe108⤵PID:2548
-
C:\Windows\SysWOW64\Mhpigk32.exeC:\Windows\system32\Mhpigk32.exe109⤵
- Drops file in System32 directory
PID:648 -
C:\Windows\SysWOW64\Mhgpgjoj.exeC:\Windows\system32\Mhgpgjoj.exe110⤵PID:2824
-
C:\Windows\SysWOW64\Moahdd32.exeC:\Windows\system32\Moahdd32.exe111⤵PID:1628
-
C:\Windows\SysWOW64\Ndpmbjbk.exeC:\Windows\system32\Ndpmbjbk.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3052 -
C:\Windows\SysWOW64\Njmejaqb.exeC:\Windows\system32\Njmejaqb.exe113⤵
- Modifies registry class
PID:1828 -
C:\Windows\SysWOW64\Ngafdepl.exeC:\Windows\system32\Ngafdepl.exe114⤵PID:2368
-
C:\Windows\SysWOW64\Nqijmkfm.exeC:\Windows\system32\Nqijmkfm.exe115⤵
- Drops file in System32 directory
PID:520 -
C:\Windows\SysWOW64\Oinbglkm.exeC:\Windows\system32\Oinbglkm.exe116⤵PID:856
-
C:\Windows\SysWOW64\Pfjiod32.exeC:\Windows\system32\Pfjiod32.exe117⤵PID:1732
-
C:\Windows\SysWOW64\Qibhao32.exeC:\Windows\system32\Qibhao32.exe118⤵PID:2528
-
C:\Windows\SysWOW64\Anfjpa32.exeC:\Windows\system32\Anfjpa32.exe119⤵
- Drops file in System32 directory
PID:2804 -
C:\Windows\SysWOW64\Adqbml32.exeC:\Windows\system32\Adqbml32.exe120⤵PID:1740
-
C:\Windows\SysWOW64\Ajpgkb32.exeC:\Windows\system32\Ajpgkb32.exe121⤵
- Modifies registry class
PID:2936
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-