Analysis

- Max time kernel: 118s
- Max time network: 121s
- Platform: windows7_x64
- Resource: win7-20240221-en
- Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- Submitted: 07/04/2024, 23:22
- Static task: static1
- Behavioral task: behavioral1
  Sample: 907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe
  Resource: win7-20240221-en
- Behavioral task: behavioral2
  Sample: 907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe
  Resource: win10v2004-20240226-en
General

- Target: 907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe
- Size: 320KB
- MD5: 86f2c4d723e39f6252ad86678f630068
- SHA1: 61435ae885c8fd657e709baeed475acfa9f7f2fe
- SHA256: 907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196
- SHA512: 27e79f370742bc3fdd82abcddfdd2c7b9afe291507a288b00289520d62b3a391da280eed44fc1495ba82f3daaa918cce2921ff3c63d15006d306e5cf70e43c1d
- SSDEEP: 6144:T2kcxNQjwXrCPXbo92ynnZlVrtv35CPXbo92ynn8sbeWDSqHB8oF8KdBT:TL0FHRFbe5qfF8KfT
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 22 IoCs)
- Executes dropped EXE (11 IoCs)

  PID   Process
  2600  Pjldghjm.exe
  2572  Pokieo32.exe
  2648  Pmccjbaf.exe
  2880  Qbbhgi32.exe
  2400  Anlfbi32.exe
  2660  Afkdakjb.exe
  2004  Acpdko32.exe
  1100  Bajomhbl.exe
  2716  Bejdiffp.exe
  996   Cpfaocal.exe
  2000  Ceegmj32.exe
- Loads dropped DLL (26 IoCs)
- Drops file in System32 directory (33 IoCs)
- Program crash (1 IoC)

  PID   pid_target  Process       procid_target
  2136  2000        WerFault.exe  38
- Modifies registry class (36 IoCs)
- Suspicious use of WriteProcessMemory (48 IoCs)
Processes

Each entry lists the process image, its command line, its PID, the signatures it triggered, and its depth in the process tree (the original report nests each process under the one at the previous depth).

- [depth 1] C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe"
  PID: 2208
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [depth 2] C:\Windows\SysWOW64\Pjldghjm.exe
  Command line: C:\Windows\system32\Pjldghjm.exe
  PID: 2600
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\SysWOW64\Pokieo32.exe
  Command line: C:\Windows\system32\Pokieo32.exe
  PID: 2572
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [depth 4] C:\Windows\SysWOW64\Pmccjbaf.exe
  Command line: C:\Windows\system32\Pmccjbaf.exe
  PID: 2648
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [depth 5] C:\Windows\SysWOW64\Qbbhgi32.exe
  Command line: C:\Windows\system32\Qbbhgi32.exe
  PID: 2880
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [depth 6] C:\Windows\SysWOW64\Anlfbi32.exe
  Command line: C:\Windows\system32\Anlfbi32.exe
  PID: 2400
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [depth 7] C:\Windows\SysWOW64\Afkdakjb.exe
  Command line: C:\Windows\system32\Afkdakjb.exe
  PID: 2660
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [depth 8] C:\Windows\SysWOW64\Acpdko32.exe
  Command line: C:\Windows\system32\Acpdko32.exe
  PID: 2004
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [depth 9] C:\Windows\SysWOW64\Bajomhbl.exe
  Command line: C:\Windows\system32\Bajomhbl.exe
  PID: 1100
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [depth 10] C:\Windows\SysWOW64\Bejdiffp.exe
  Command line: C:\Windows\system32\Bejdiffp.exe
  PID: 2716
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [depth 11] C:\Windows\SysWOW64\Cpfaocal.exe
  Command line: C:\Windows\system32\Cpfaocal.exe
  PID: 996
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [depth 12] C:\Windows\SysWOW64\Ceegmj32.exe
  Command line: C:\Windows\system32\Ceegmj32.exe
  PID: 2000
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 13] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 140
  PID: 2136
  - Loads dropped DLL
  - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads