Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
13s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240319-en -
resource tags
arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system -
submitted
09/04/2024, 19:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7387452138711ca7765fffd9c33f5069.exe
Resource
win7-20240319-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
7387452138711ca7765fffd9c33f5069.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
7387452138711ca7765fffd9c33f5069.exe
-
Size
80KB
-
MD5
7387452138711ca7765fffd9c33f5069
-
SHA1
56fc741397f6aacc0302695eef44b0498fd1dfd8
-
SHA256
b118f93ed809a89c0c077e19cec388fdea528f8750dc8c681926bd2bb6a6b8fc
-
SHA512
00e45ceb3a16c6b8d82d67c828fd1aebb46e47f7eed8e0cdb0112e38c0cf237b99646e54d294872096489333e5cdd0669329d3e614b63d078c22f2f83994280a
-
SSDEEP
1536:TZsGAJjbUJtzTSvoyqdxWd6JxlOzzDfWqdMVrlEFtyb7IYOOqw4Tv:TZsGUAHWd6J7OzzTWqAhELy1MTTv
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgbafl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 7387452138711ca7765fffd9c33f5069.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkmcfhkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afgkfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apalea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daejhjkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqmpni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkoplhip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqlhdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lccdel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmlmic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqcfnhjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcglec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlngpjlj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqacic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qbplbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qeaedd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejehgkdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enlglnci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgncfcaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbmjah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pckoam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cddjebgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eckpkamb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elhnof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecbfkpfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 7387452138711ca7765fffd9c33f5069.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfnnha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfpnmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khiccj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqdhhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejehgkdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebgclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ippbnjni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aecaidjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmlong32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amnfnfgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcbbjcif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiijnq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfikmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaloddnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Balkchpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Conkepdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chhldeho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heihnoph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqacic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chfpoeja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipbocjlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igonafba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcagpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elcdcgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqgoiokm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajecmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djclbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqomci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jghmfhmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meppiblm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npojdpef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkglameg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcjnfdbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jofbag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehmbng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inafbooe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpbbdfik.exe -
Executes dropped EXE 64 IoCs
pid Process 2192 Gpcmpijk.exe 3056 Gpejeihi.exe 2748 Gfobbc32.exe 2684 Ghqnjk32.exe 2704 Hedocp32.exe 2384 Hlngpjlj.exe 2920 Homclekn.exe 2288 Hdildlie.exe 2772 Hkcdafqb.exe 1880 Heihnoph.exe 2580 Hmdmcanc.exe 2608 Hhjapjmi.exe 1580 Igonafba.exe 1372 Iimjmbae.exe 2176 Illgimph.exe 2852 Iipgcaob.exe 1972 Iompkh32.exe 1984 Ichllgfb.exe 1056 Iheddndj.exe 1576 Ipllekdl.exe 1760 Ieidmbcc.exe 836 Ikfmfi32.exe 2088 Iapebchh.exe 856 Ikhjki32.exe 1844 Jfnnha32.exe 2976 Jhljdm32.exe 1356 Jofbag32.exe 1600 Jqgoiokm.exe 2660 Jkmcfhkc.exe 844 Jdehon32.exe 2484 Jkoplhip.exe 2428 Jqlhdo32.exe 2408 Jfiale32.exe 2412 Jqnejn32.exe 2500 Jghmfhmb.exe 2912 Kiijnq32.exe 2316 Kqqboncb.exe 692 Kkjcplpa.exe 2600 Kbdklf32.exe 1544 Kebgia32.exe 2924 Kmjojo32.exe 2080 Kohkfj32.exe 868 Kfbcbd32.exe 1012 Kiqpop32.exe 2840 Kpjhkjde.exe 548 Kbidgeci.exe 1900 Kicmdo32.exe 1748 Knpemf32.exe 1248 Lclnemgd.exe 1756 Lnbbbffj.exe 1820 Lapnnafn.exe 1628 Lfmffhde.exe 1784 Lmgocb32.exe 2100 Lcagpl32.exe 1216 Lfpclh32.exe 2240 Linphc32.exe 2488 Lccdel32.exe 2320 Lbfdaigg.exe 2988 Ljmlbfhi.exe 312 Lcfqkl32.exe 2392 Legmbd32.exe 1476 Mmneda32.exe 2512 Mooaljkh.exe 2824 Mffimglk.exe -
Loads dropped DLL 64 IoCs
pid Process 2884 7387452138711ca7765fffd9c33f5069.exe 2884 7387452138711ca7765fffd9c33f5069.exe 2192 Gpcmpijk.exe 2192 Gpcmpijk.exe 3056 Gpejeihi.exe 3056 Gpejeihi.exe 2748 Gfobbc32.exe 2748 Gfobbc32.exe 2684 Ghqnjk32.exe 2684 Ghqnjk32.exe 2704 Hedocp32.exe 2704 Hedocp32.exe 2384 Hlngpjlj.exe 2384 Hlngpjlj.exe 2920 Homclekn.exe 2920 Homclekn.exe 2288 Hdildlie.exe 2288 Hdildlie.exe 2772 Hkcdafqb.exe 2772 Hkcdafqb.exe 1880 Heihnoph.exe 1880 Heihnoph.exe 2580 Hmdmcanc.exe 2580 Hmdmcanc.exe 2608 Hhjapjmi.exe 2608 Hhjapjmi.exe 1580 Igonafba.exe 1580 Igonafba.exe 1372 Iimjmbae.exe 1372 Iimjmbae.exe 2176 Illgimph.exe 2176 Illgimph.exe 2852 Iipgcaob.exe 2852 Iipgcaob.exe 1972 Iompkh32.exe 1972 Iompkh32.exe 1984 Ichllgfb.exe 1984 Ichllgfb.exe 1056 Iheddndj.exe 1056 Iheddndj.exe 1576 Ipllekdl.exe 1576 Ipllekdl.exe 1760 Ieidmbcc.exe 1760 Ieidmbcc.exe 836 Ikfmfi32.exe 836 Ikfmfi32.exe 2088 Iapebchh.exe 2088 Iapebchh.exe 856 Ikhjki32.exe 856 Ikhjki32.exe 1844 Jfnnha32.exe 1844 Jfnnha32.exe 2976 Jhljdm32.exe 2976 Jhljdm32.exe 1356 Jofbag32.exe 1356 Jofbag32.exe 1600 Jqgoiokm.exe 1600 Jqgoiokm.exe 2660 Jkmcfhkc.exe 2660 Jkmcfhkc.exe 844 Jdehon32.exe 844 Jdehon32.exe 2484 Jkoplhip.exe 2484 Jkoplhip.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bdpoifde.dll Jkoplhip.exe File created C:\Windows\SysWOW64\Lapefgai.dll Pbkbgjcc.exe File created C:\Windows\SysWOW64\Edccch32.exe Ebefgm32.exe File opened for modification C:\Windows\SysWOW64\Jajala32.exe Jolepe32.exe File opened for modification C:\Windows\SysWOW64\Knhhaaki.exe Kgnpeg32.exe File created C:\Windows\SysWOW64\Dempblao.dll Iimjmbae.exe File created C:\Windows\SysWOW64\Ancjqghh.dll Kiqpop32.exe File created C:\Windows\SysWOW64\Lhajpc32.dll Mofglh32.exe File created C:\Windows\SysWOW64\Oflcmqaa.dll Oghopm32.exe File opened for modification C:\Windows\SysWOW64\Oqacic32.exe Oopfakpa.exe File created C:\Windows\SysWOW64\Chkmkacq.exe Baadng32.exe File created C:\Windows\SysWOW64\Jjmpbopd.exe Jgncfcaa.exe File opened for modification C:\Windows\SysWOW64\Illgimph.exe Iimjmbae.exe File created C:\Windows\SysWOW64\Dkqmaqbm.dll Jqlhdo32.exe File created C:\Windows\SysWOW64\Ihmnkh32.dll Biafnecn.exe File created C:\Windows\SysWOW64\Baadng32.exe Bkglameg.exe File opened for modification C:\Windows\SysWOW64\Dcnqanhd.exe Chhldeho.exe File created C:\Windows\SysWOW64\Egdlec32.exe Ebgclm32.exe File created C:\Windows\SysWOW64\Gbjlaplk.exe Gcglec32.exe File created C:\Windows\SysWOW64\Lcagpl32.exe Lmgocb32.exe File opened for modification C:\Windows\SysWOW64\Npagjpcd.exe Nigome32.exe File created C:\Windows\SysWOW64\Aeenochi.exe Amnfnfgg.exe File created C:\Windows\SysWOW64\Idiaii32.exe Iajemnia.exe File created C:\Windows\SysWOW64\Ddlmfm32.dll Ipbocjlg.exe File created C:\Windows\SysWOW64\Jpfhoi32.exe Jjmpbopd.exe File created C:\Windows\SysWOW64\Kqiaclhj.exe Knjegqif.exe File opened for modification C:\Windows\SysWOW64\Nplmop32.exe Nmnace32.exe File created C:\Windows\SysWOW64\Dnlbnp32.dll Ncpcfkbg.exe File opened for modification C:\Windows\SysWOW64\Blaopqpo.exe Bdkgocpm.exe File created C:\Windows\SysWOW64\Cfgheegc.dll Bdkgocpm.exe File created C:\Windows\SysWOW64\Ebefgm32.exe Ecbfkpfk.exe File opened for modification C:\Windows\SysWOW64\Kceqjhiq.exe Knhhaaki.exe File created C:\Windows\SysWOW64\Kacgbnfl.dll Lccdel32.exe File opened for modification C:\Windows\SysWOW64\Mdacop32.exe Mbpgggol.exe File opened for modification C:\Windows\SysWOW64\Niikceid.exe Ncpcfkbg.exe File opened for modification C:\Windows\SysWOW64\Ackkppma.exe Aaloddnn.exe File created C:\Windows\SysWOW64\Fqcfnhjb.exe Fnejbmko.exe File opened for modification C:\Windows\SysWOW64\Hpbbdfik.exe Hdkape32.exe File created C:\Windows\SysWOW64\Jolepe32.exe Jhamckel.exe File created C:\Windows\SysWOW64\Ichllgfb.exe Iompkh32.exe File created C:\Windows\SysWOW64\Lekjcmbe.dll Jofbag32.exe File opened for modification C:\Windows\SysWOW64\Ecpjfq32.exe Ehjehh32.exe File created C:\Windows\SysWOW64\Iajemnia.exe Ihmgiiff.exe File opened for modification C:\Windows\SysWOW64\Gpcmpijk.exe 7387452138711ca7765fffd9c33f5069.exe File created C:\Windows\SysWOW64\Kmfoak32.dll Kmjojo32.exe File created C:\Windows\SysWOW64\Apalea32.exe Amcpie32.exe File created C:\Windows\SysWOW64\Candgk32.exe Cophko32.exe File created C:\Windows\SysWOW64\Jkmcfhkc.exe Jqgoiokm.exe File created C:\Windows\SysWOW64\Jbhihkig.dll Ogkkfmml.exe File created C:\Windows\SysWOW64\Pkfaka32.dll Bdmddc32.exe File opened for modification C:\Windows\SysWOW64\Djclbl32.exe Dkpkfooh.exe File created C:\Windows\SysWOW64\Gohdlpmi.dll Elhnof32.exe File created C:\Windows\SysWOW64\Incbgnmc.exe Ikefkcmo.exe File created C:\Windows\SysWOW64\Hnifgpff.dll Kceqjhiq.exe File created C:\Windows\SysWOW64\Lpgimglf.dll Ichllgfb.exe File created C:\Windows\SysWOW64\Hnecbc32.dll Lcagpl32.exe File created C:\Windows\SysWOW64\Bnkbam32.exe Blmfea32.exe File created C:\Windows\SysWOW64\Ddajoelp.exe Dngabk32.exe File opened for modification C:\Windows\SysWOW64\Ipbocjlg.exe Incbgnmc.exe File created C:\Windows\SysWOW64\Ghqnjk32.exe Gfobbc32.exe File opened for modification C:\Windows\SysWOW64\Kpjhkjde.exe Kiqpop32.exe File opened for modification C:\Windows\SysWOW64\Pndpajgd.exe Pfikmh32.exe File created C:\Windows\SysWOW64\Ebgclm32.exe Enlglnci.exe File created C:\Windows\SysWOW64\Ehhako32.dll Glbqje32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbjlaplk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inafbooe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kklikejc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqalfl32.dll" Kebgia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okoafmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alhmjbhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqfjpj32.dll" Acpdko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apalea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abphal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaoaahnn.dll" Giahhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaebbp32.dll" Jdkjnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 7387452138711ca7765fffd9c33f5069.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfmffhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljmlbfhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qeaedd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbnipnaf.dll" Ghqnjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akmjfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Balkchpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meppiblm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkekdhl.dll" Oopfakpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlpeij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlnnnokb.dll" Gpnmjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iajemnia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfemlpdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kglcogeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdildlie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Legmbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibkpd32.dll" Ngdifkpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pckoam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpmdofno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnqqgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kceqjhiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngemkm32.dll" 7387452138711ca7765fffd9c33f5069.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbnoibb.dll" Niikceid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfobiqka.dll" Apalea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aeqabgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfndckhj.dll" Dknoaoaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqomci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdkape32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iajemnia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkoplhip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negoebdd.dll" Ljmlbfhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbpgggol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apalea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcjnfdbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkmcfhkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbdklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcnmkd32.dll" Qkhpkoen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gehhmkko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlfejcoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhobddbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pimkgkgm.dll" Idiaii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kopokehd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfobbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pikhak32.dll" Lnbbbffj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjbgng32.dll" Npojdpef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqcpob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enlglnci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnfqpega.dll" Jdehon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfiale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nigome32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elcdcgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkglameg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Conkepdq.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2884 wrote to memory of 2192 2884 7387452138711ca7765fffd9c33f5069.exe 28 PID 2884 wrote to memory of 2192 2884 7387452138711ca7765fffd9c33f5069.exe 28 PID 2884 wrote to memory of 2192 2884 7387452138711ca7765fffd9c33f5069.exe 28 PID 2884 wrote to memory of 2192 2884 7387452138711ca7765fffd9c33f5069.exe 28 PID 2192 wrote to memory of 3056 2192 Gpcmpijk.exe 29 PID 2192 wrote to memory of 3056 2192 Gpcmpijk.exe 29 PID 2192 wrote to memory of 3056 2192 Gpcmpijk.exe 29 PID 2192 wrote to memory of 3056 2192 Gpcmpijk.exe 29 PID 3056 wrote to memory of 2748 3056 Gpejeihi.exe 30 PID 3056 wrote to memory of 2748 3056 Gpejeihi.exe 30 PID 3056 wrote to memory of 2748 3056 Gpejeihi.exe 30 PID 3056 wrote to memory of 2748 3056 Gpejeihi.exe 30 PID 2748 wrote to memory of 2684 2748 Gfobbc32.exe 31 PID 2748 wrote to memory of 2684 2748 Gfobbc32.exe 31 PID 2748 wrote to memory of 2684 2748 Gfobbc32.exe 31 PID 2748 wrote to memory of 2684 2748 Gfobbc32.exe 31 PID 2684 wrote to memory of 2704 2684 Ghqnjk32.exe 32 PID 2684 wrote to memory of 2704 2684 Ghqnjk32.exe 32 PID 2684 wrote to memory of 2704 2684 Ghqnjk32.exe 32 PID 2684 wrote to memory of 2704 2684 Ghqnjk32.exe 32 PID 2704 wrote to memory of 2384 2704 Hedocp32.exe 33 PID 2704 wrote to memory of 2384 2704 Hedocp32.exe 33 PID 2704 wrote to memory of 2384 2704 Hedocp32.exe 33 PID 2704 wrote to memory of 2384 2704 Hedocp32.exe 33 PID 2384 wrote to memory of 2920 2384 Hlngpjlj.exe 34 PID 2384 wrote to memory of 2920 2384 Hlngpjlj.exe 34 PID 2384 wrote to memory of 2920 2384 Hlngpjlj.exe 34 PID 2384 wrote to memory of 2920 2384 Hlngpjlj.exe 34 PID 2920 wrote to memory of 2288 2920 Homclekn.exe 35 PID 2920 wrote to memory of 2288 2920 Homclekn.exe 35 PID 2920 wrote to memory of 2288 2920 Homclekn.exe 35 PID 2920 wrote to memory of 2288 2920 Homclekn.exe 35 PID 2288 wrote to memory of 2772 2288 Hdildlie.exe 36 PID 2288 wrote to memory of 2772 2288 Hdildlie.exe 36 PID 2288 wrote to memory of 2772 2288 Hdildlie.exe 36 PID 2288 wrote to memory of 2772 2288 Hdildlie.exe 36 PID 2772 wrote to memory of 1880 2772 Hkcdafqb.exe 37 PID 2772 wrote to memory of 1880 2772 Hkcdafqb.exe 37 PID 2772 wrote to memory of 1880 2772 Hkcdafqb.exe 37 PID 2772 wrote to memory of 1880 2772 Hkcdafqb.exe 37 PID 1880 wrote to memory of 2580 1880 Heihnoph.exe 38 PID 1880 wrote to memory of 2580 1880 Heihnoph.exe 38 PID 1880 wrote to memory of 2580 1880 Heihnoph.exe 38 PID 1880 wrote to memory of 2580 1880 Heihnoph.exe 38 PID 2580 wrote to memory of 2608 2580 Hmdmcanc.exe 39 PID 2580 wrote to memory of 2608 2580 Hmdmcanc.exe 39 PID 2580 wrote to memory of 2608 2580 Hmdmcanc.exe 39 PID 2580 wrote to memory of 2608 2580 Hmdmcanc.exe 39 PID 2608 wrote to memory of 1580 2608 Hhjapjmi.exe 40 PID 2608 wrote to memory of 1580 2608 Hhjapjmi.exe 40 PID 2608 wrote to memory of 1580 2608 Hhjapjmi.exe 40 PID 2608 wrote to memory of 1580 2608 Hhjapjmi.exe 40 PID 1580 wrote to memory of 1372 1580 Igonafba.exe 41 PID 1580 wrote to memory of 1372 1580 Igonafba.exe 41 PID 1580 wrote to memory of 1372 1580 Igonafba.exe 41 PID 1580 wrote to memory of 1372 1580 Igonafba.exe 41 PID 1372 wrote to memory of 2176 1372 Iimjmbae.exe 42 PID 1372 wrote to memory of 2176 1372 Iimjmbae.exe 42 PID 1372 wrote to memory of 2176 1372 Iimjmbae.exe 42 PID 1372 wrote to memory of 2176 1372 Iimjmbae.exe 42 PID 2176 wrote to memory of 2852 2176 Illgimph.exe 43 PID 2176 wrote to memory of 2852 2176 Illgimph.exe 43 PID 2176 wrote to memory of 2852 2176 Illgimph.exe 43 PID 2176 wrote to memory of 2852 2176 Illgimph.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\7387452138711ca7765fffd9c33f5069.exe"C:\Users\Admin\AppData\Local\Temp\7387452138711ca7765fffd9c33f5069.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Gpcmpijk.exeC:\Windows\system32\Gpcmpijk.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Gpejeihi.exeC:\Windows\system32\Gpejeihi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Gfobbc32.exeC:\Windows\system32\Gfobbc32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Ghqnjk32.exeC:\Windows\system32\Ghqnjk32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Hedocp32.exeC:\Windows\system32\Hedocp32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Hlngpjlj.exeC:\Windows\system32\Hlngpjlj.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Homclekn.exeC:\Windows\system32\Homclekn.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Hdildlie.exeC:\Windows\system32\Hdildlie.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Hkcdafqb.exeC:\Windows\system32\Hkcdafqb.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Heihnoph.exeC:\Windows\system32\Heihnoph.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\Hmdmcanc.exeC:\Windows\system32\Hmdmcanc.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Hhjapjmi.exeC:\Windows\system32\Hhjapjmi.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Igonafba.exeC:\Windows\system32\Igonafba.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Iimjmbae.exeC:\Windows\system32\Iimjmbae.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\Illgimph.exeC:\Windows\system32\Illgimph.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Iipgcaob.exeC:\Windows\system32\Iipgcaob.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2852 -
C:\Windows\SysWOW64\Iompkh32.exeC:\Windows\system32\Iompkh32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1972 -
C:\Windows\SysWOW64\Ichllgfb.exeC:\Windows\system32\Ichllgfb.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\Iheddndj.exeC:\Windows\system32\Iheddndj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1056 -
C:\Windows\SysWOW64\Ipllekdl.exeC:\Windows\system32\Ipllekdl.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1576 -
C:\Windows\SysWOW64\Ieidmbcc.exeC:\Windows\system32\Ieidmbcc.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1760 -
C:\Windows\SysWOW64\Ikfmfi32.exeC:\Windows\system32\Ikfmfi32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:836 -
C:\Windows\SysWOW64\Iapebchh.exeC:\Windows\system32\Iapebchh.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Windows\SysWOW64\Ikhjki32.exeC:\Windows\system32\Ikhjki32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:856 -
C:\Windows\SysWOW64\Jfnnha32.exeC:\Windows\system32\Jfnnha32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1844 -
C:\Windows\SysWOW64\Jhljdm32.exeC:\Windows\system32\Jhljdm32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2976 -
C:\Windows\SysWOW64\Jofbag32.exeC:\Windows\system32\Jofbag32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1356 -
C:\Windows\SysWOW64\Jqgoiokm.exeC:\Windows\system32\Jqgoiokm.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1600 -
C:\Windows\SysWOW64\Jkmcfhkc.exeC:\Windows\system32\Jkmcfhkc.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Jdehon32.exeC:\Windows\system32\Jdehon32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:844 -
C:\Windows\SysWOW64\Jkoplhip.exeC:\Windows\system32\Jkoplhip.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Jqlhdo32.exeC:\Windows\system32\Jqlhdo32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Jfiale32.exeC:\Windows\system32\Jfiale32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Jqnejn32.exeC:\Windows\system32\Jqnejn32.exe35⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Jghmfhmb.exeC:\Windows\system32\Jghmfhmb.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Kiijnq32.exeC:\Windows\system32\Kiijnq32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Kqqboncb.exeC:\Windows\system32\Kqqboncb.exe38⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Kkjcplpa.exeC:\Windows\system32\Kkjcplpa.exe39⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Kbdklf32.exeC:\Windows\system32\Kbdklf32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Kebgia32.exeC:\Windows\system32\Kebgia32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Kmjojo32.exeC:\Windows\system32\Kmjojo32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Kohkfj32.exeC:\Windows\system32\Kohkfj32.exe43⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Kfbcbd32.exeC:\Windows\system32\Kfbcbd32.exe44⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Kiqpop32.exeC:\Windows\system32\Kiqpop32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1012 -
C:\Windows\SysWOW64\Kpjhkjde.exeC:\Windows\system32\Kpjhkjde.exe46⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Kbidgeci.exeC:\Windows\system32\Kbidgeci.exe47⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Kicmdo32.exeC:\Windows\system32\Kicmdo32.exe48⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Knpemf32.exeC:\Windows\system32\Knpemf32.exe49⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Lclnemgd.exeC:\Windows\system32\Lclnemgd.exe50⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Lnbbbffj.exeC:\Windows\system32\Lnbbbffj.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Lapnnafn.exeC:\Windows\system32\Lapnnafn.exe52⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Lfmffhde.exeC:\Windows\system32\Lfmffhde.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Lmgocb32.exeC:\Windows\system32\Lmgocb32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1784 -
C:\Windows\SysWOW64\Lcagpl32.exeC:\Windows\system32\Lcagpl32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Lfpclh32.exeC:\Windows\system32\Lfpclh32.exe56⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Linphc32.exeC:\Windows\system32\Linphc32.exe57⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Lccdel32.exeC:\Windows\system32\Lccdel32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2488 -
C:\Windows\SysWOW64\Lbfdaigg.exeC:\Windows\system32\Lbfdaigg.exe59⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Ljmlbfhi.exeC:\Windows\system32\Ljmlbfhi.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Lcfqkl32.exeC:\Windows\system32\Lcfqkl32.exe61⤵
- Executes dropped EXE
PID:312 -
C:\Windows\SysWOW64\Legmbd32.exeC:\Windows\system32\Legmbd32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Mmneda32.exeC:\Windows\system32\Mmneda32.exe63⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Mooaljkh.exeC:\Windows\system32\Mooaljkh.exe64⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Mffimglk.exeC:\Windows\system32\Mffimglk.exe65⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Mieeibkn.exeC:\Windows\system32\Mieeibkn.exe66⤵PID:596
-
C:\Windows\SysWOW64\Mponel32.exeC:\Windows\system32\Mponel32.exe67⤵PID:1700
-
C:\Windows\SysWOW64\Mbmjah32.exeC:\Windows\system32\Mbmjah32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1492 -
C:\Windows\SysWOW64\Melfncqb.exeC:\Windows\system32\Melfncqb.exe69⤵PID:1792
-
C:\Windows\SysWOW64\Mlfojn32.exeC:\Windows\system32\Mlfojn32.exe70⤵PID:1104
-
C:\Windows\SysWOW64\Mbpgggol.exeC:\Windows\system32\Mbpgggol.exe71⤵
- Drops file in System32 directory
- Modifies registry class
PID:1304 -
C:\Windows\SysWOW64\Mdacop32.exeC:\Windows\system32\Mdacop32.exe72⤵PID:2844
-
C:\Windows\SysWOW64\Mofglh32.exeC:\Windows\system32\Mofglh32.exe73⤵
- Drops file in System32 directory
PID:436 -
C:\Windows\SysWOW64\Meppiblm.exeC:\Windows\system32\Meppiblm.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1172 -
C:\Windows\SysWOW64\Mkmhaj32.exeC:\Windows\system32\Mkmhaj32.exe75⤵PID:1348
-
C:\Windows\SysWOW64\Magqncba.exeC:\Windows\system32\Magqncba.exe76⤵PID:632
-
C:\Windows\SysWOW64\Ngdifkpi.exeC:\Windows\system32\Ngdifkpi.exe77⤵
- Modifies registry class
PID:1312 -
C:\Windows\SysWOW64\Nmnace32.exeC:\Windows\system32\Nmnace32.exe78⤵
- Drops file in System32 directory
PID:908 -
C:\Windows\SysWOW64\Nplmop32.exeC:\Windows\system32\Nplmop32.exe79⤵PID:640
-
C:\Windows\SysWOW64\Ndhipoob.exeC:\Windows\system32\Ndhipoob.exe80⤵PID:2248
-
C:\Windows\SysWOW64\Ngfflj32.exeC:\Windows\system32\Ngfflj32.exe81⤵PID:1552
-
C:\Windows\SysWOW64\Nmpnhdfc.exeC:\Windows\system32\Nmpnhdfc.exe82⤵PID:568
-
C:\Windows\SysWOW64\Npojdpef.exeC:\Windows\system32\Npojdpef.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Ndjfeo32.exeC:\Windows\system32\Ndjfeo32.exe84⤵PID:2644
-
C:\Windows\SysWOW64\Nigome32.exeC:\Windows\system32\Nigome32.exe85⤵
- Drops file in System32 directory
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Npagjpcd.exeC:\Windows\system32\Npagjpcd.exe86⤵PID:2396
-
C:\Windows\SysWOW64\Ncpcfkbg.exeC:\Windows\system32\Ncpcfkbg.exe87⤵
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Niikceid.exeC:\Windows\system32\Niikceid.exe88⤵
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Okoafmkm.exeC:\Windows\system32\Okoafmkm.exe89⤵
- Modifies registry class
PID:288 -
C:\Windows\SysWOW64\Oaiibg32.exeC:\Windows\system32\Oaiibg32.exe90⤵PID:2452
-
C:\Windows\SysWOW64\Oomjlk32.exeC:\Windows\system32\Oomjlk32.exe91⤵PID:1896
-
C:\Windows\SysWOW64\Oghopm32.exeC:\Windows\system32\Oghopm32.exe92⤵
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Oopfakpa.exeC:\Windows\system32\Oopfakpa.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Oqacic32.exeC:\Windows\system32\Oqacic32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:840 -
C:\Windows\SysWOW64\Ogkkfmml.exeC:\Windows\system32\Ogkkfmml.exe95⤵
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Onecbg32.exeC:\Windows\system32\Onecbg32.exe96⤵PID:1636
-
C:\Windows\SysWOW64\Oqcpob32.exeC:\Windows\system32\Oqcpob32.exe97⤵
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Ogmhkmki.exeC:\Windows\system32\Ogmhkmki.exe98⤵PID:832
-
C:\Windows\SysWOW64\Pcdipnqn.exeC:\Windows\system32\Pcdipnqn.exe99⤵PID:1768
-
C:\Windows\SysWOW64\Pfbelipa.exeC:\Windows\system32\Pfbelipa.exe100⤵PID:2236
-
C:\Windows\SysWOW64\Pmlmic32.exeC:\Windows\system32\Pmlmic32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1680 -
C:\Windows\SysWOW64\Pokieo32.exeC:\Windows\system32\Pokieo32.exe102⤵PID:1332
-
C:\Windows\SysWOW64\Pgbafl32.exeC:\Windows\system32\Pgbafl32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3008 -
C:\Windows\SysWOW64\Picnndmb.exeC:\Windows\system32\Picnndmb.exe104⤵PID:2968
-
C:\Windows\SysWOW64\Pomfkndo.exeC:\Windows\system32\Pomfkndo.exe105⤵PID:2540
-
C:\Windows\SysWOW64\Pbkbgjcc.exeC:\Windows\system32\Pbkbgjcc.exe106⤵
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Piekcd32.exeC:\Windows\system32\Piekcd32.exe107⤵PID:2104
-
C:\Windows\SysWOW64\Poocpnbm.exeC:\Windows\system32\Poocpnbm.exe108⤵PID:2360
-
C:\Windows\SysWOW64\Pckoam32.exeC:\Windows\system32\Pckoam32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Pfikmh32.exeC:\Windows\system32\Pfikmh32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1712 -
C:\Windows\SysWOW64\Pndpajgd.exeC:\Windows\system32\Pndpajgd.exe111⤵PID:2340
-
C:\Windows\SysWOW64\Qbplbi32.exeC:\Windows\system32\Qbplbi32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1116 -
C:\Windows\SysWOW64\Qijdocfj.exeC:\Windows\system32\Qijdocfj.exe113⤵PID:524
-
C:\Windows\SysWOW64\Qkhpkoen.exeC:\Windows\system32\Qkhpkoen.exe114⤵
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Qbbhgi32.exeC:\Windows\system32\Qbbhgi32.exe115⤵PID:2588
-
C:\Windows\SysWOW64\Qeaedd32.exeC:\Windows\system32\Qeaedd32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1396 -
C:\Windows\SysWOW64\Qgoapp32.exeC:\Windows\system32\Qgoapp32.exe117⤵PID:964
-
C:\Windows\SysWOW64\Aniimjbo.exeC:\Windows\system32\Aniimjbo.exe118⤵PID:2308
-
C:\Windows\SysWOW64\Aecaidjl.exeC:\Windows\system32\Aecaidjl.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3044 -
C:\Windows\SysWOW64\Akmjfn32.exeC:\Windows\system32\Akmjfn32.exe120⤵
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Amnfnfgg.exeC:\Windows\system32\Amnfnfgg.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2472
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-