Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
05/07/2024, 19:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
213606402290c5f32f413066e08d7ab0376d503006148bd835150ed74efa1a34.exe
Resource
win7-20240705-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
213606402290c5f32f413066e08d7ab0376d503006148bd835150ed74efa1a34.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
213606402290c5f32f413066e08d7ab0376d503006148bd835150ed74efa1a34.exe
-
Size
1.2MB
-
MD5
dd3b1375fb28000d198ab67e70847a8b
-
SHA1
14c2261a5664c79f6464b159cdc910c91cdf7c48
-
SHA256
213606402290c5f32f413066e08d7ab0376d503006148bd835150ed74efa1a34
-
SHA512
5d8ebf942404dfe0ab105ba3c817b966562fc8d03d7fbe2c959ad96024c31eab503602d83fc9b2c52dccb295bc0db40a930317439ed6ce9fbea68cfe5eeb7ba6
-
SSDEEP
6144:xD67SvbblBxCAU9CXdPipmMH/gysNkvC8vA+XTv7FYUwMOFusQ+kJ3StWbHPdBn5:FJluCXwpnsKvNA+XTvZHWuEo3oWbvrec
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cpkmehol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nladco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jdidmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lbkaoalg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfando32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cbajme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Odckfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdpdnpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kfacdqhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lcncbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbemho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdgfpbaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcdjpfgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Meffjjln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmqkml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Edjlgq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipfkabpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chblqlcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oomlfpdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Panehkaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Macjgadf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lilomj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhhominh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lggbmbfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pglacbbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nomphm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajmfca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gindjqnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqcmcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Monhjgkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnflae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffiepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ljjhdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Npiiafpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Innbde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ailqfooi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdfjnkne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lhklha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncjbba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcdifa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ppkmjlca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peqhgmdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Memlki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bopknhjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmlmpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fkldgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fcjeakfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljbkig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hdbbnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pglacbbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fjfjcdln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lbgkfbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhcebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddhcbnnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abdeoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bllomg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gindjqnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdmhfpkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Podbgo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqffgapf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fgpock32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlpdfjjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ogdhik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dqinhcoc.exe -
Executes dropped EXE 64 IoCs
pid Process 2340 Palpneop.exe 2968 Qdofep32.exe 2232 Allgoa32.exe 1744 Adleoc32.exe 2188 Bapfhg32.exe 2512 Bplijcle.exe 1548 Cngcll32.exe 2380 Cchdpbog.exe 2920 Cnnimkom.exe 1044 Dphhka32.exe 2540 Deeqch32.exe 536 Epfhde32.exe 2124 Ejklan32.exe 352 Fhjoof32.exe 1432 Fbpclofe.exe 300 Gmqkml32.exe 1748 Gcmcebkc.exe 1492 Hcdifa32.exe 1936 Hecebm32.exe 1108 Hajfgnjc.exe 1988 Hkbkpcpd.exe 3016 Hbnpbm32.exe 1484 Idmlniea.exe 2948 Iqcmcj32.exe 1624 Igmepdbc.exe 1168 Ijnnao32.exe 2724 Iqhfnifq.exe 2008 Ifgklp32.exe 2636 Iifghk32.exe 2612 Jnemfa32.exe 2740 Jbphgpfg.exe 636 Jeaahk32.exe 1296 Jmlfmn32.exe 2932 Jecnnk32.exe 1820 Jmocbnop.exe 1672 Jpmooind.exe 776 Kamlhl32.exe 2164 Kbpefc32.exe 2112 Kmficl32.exe 2288 Khojcj32.exe 828 Koibpd32.exe 2524 Khagijcd.exe 1648 Lbgkfbbj.exe 1572 Lonlkcho.exe 1888 Lehdhn32.exe 2280 Laodmoep.exe 1776 Ldmaijdc.exe 880 Lpdankjg.exe 1592 Lkifkdjm.exe 2744 Lmhbgpia.exe 2908 Lcdjpfgh.exe 2736 Mgbcfdmo.exe 1064 Miapbpmb.exe 2372 Monhjgkj.exe 1080 Maldfbjn.exe 2016 Maoalb32.exe 2816 Mdmmhn32.exe 1464 Mldeik32.exe 792 Mkibjgli.exe 2120 Macjgadf.exe 2292 Njnokdaq.exe 1828 Nknkeg32.exe 1640 Nnlhab32.exe 1036 Ndfpnl32.exe -
Loads dropped DLL 64 IoCs
pid Process 2784 213606402290c5f32f413066e08d7ab0376d503006148bd835150ed74efa1a34.exe 2784 213606402290c5f32f413066e08d7ab0376d503006148bd835150ed74efa1a34.exe 2340 Palpneop.exe 2340 Palpneop.exe 2968 Qdofep32.exe 2968 Qdofep32.exe 2232 Allgoa32.exe 2232 Allgoa32.exe 1744 Adleoc32.exe 1744 Adleoc32.exe 2188 Bapfhg32.exe 2188 Bapfhg32.exe 2512 Bplijcle.exe 2512 Bplijcle.exe 1548 Cngcll32.exe 1548 Cngcll32.exe 2380 Cchdpbog.exe 2380 Cchdpbog.exe 2920 Cnnimkom.exe 2920 Cnnimkom.exe 1044 Dphhka32.exe 1044 Dphhka32.exe 2540 Deeqch32.exe 2540 Deeqch32.exe 536 Epfhde32.exe 536 Epfhde32.exe 2124 Ejklan32.exe 2124 Ejklan32.exe 352 Fhjoof32.exe 352 Fhjoof32.exe 1432 Fbpclofe.exe 1432 Fbpclofe.exe 300 Gmqkml32.exe 300 Gmqkml32.exe 1748 Gcmcebkc.exe 1748 Gcmcebkc.exe 1492 Hcdifa32.exe 1492 Hcdifa32.exe 1936 Hecebm32.exe 1936 Hecebm32.exe 1108 Hajfgnjc.exe 1108 Hajfgnjc.exe 1988 Hkbkpcpd.exe 1988 Hkbkpcpd.exe 3016 Hbnpbm32.exe 3016 Hbnpbm32.exe 1484 Idmlniea.exe 1484 Idmlniea.exe 2948 Iqcmcj32.exe 2948 Iqcmcj32.exe 1624 Igmepdbc.exe 1624 Igmepdbc.exe 1168 Ijnnao32.exe 1168 Ijnnao32.exe 2724 Iqhfnifq.exe 2724 Iqhfnifq.exe 2008 Ifgklp32.exe 2008 Ifgklp32.exe 2636 Iifghk32.exe 2636 Iifghk32.exe 2612 Jnemfa32.exe 2612 Jnemfa32.exe 2740 Jbphgpfg.exe 2740 Jbphgpfg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Lggbmbfc.exe Lamjph32.exe File opened for modification C:\Windows\SysWOW64\Ieppjclf.exe Ibadnhmb.exe File created C:\Windows\SysWOW64\Gnldgh32.dll Ipfkabpg.exe File created C:\Windows\SysWOW64\Kjhopjqi.exe Kbqgolpf.exe File created C:\Windows\SysWOW64\Dqinhcoc.exe Dkjhjm32.exe File opened for modification C:\Windows\SysWOW64\Mfebdm32.exe Meffjjln.exe File created C:\Windows\SysWOW64\Efmlfk32.dll Ajcldpkd.exe File opened for modification C:\Windows\SysWOW64\Chblqlcj.exe Cmikpngk.exe File opened for modification C:\Windows\SysWOW64\Cnnimkom.exe Cchdpbog.exe File opened for modification C:\Windows\SysWOW64\Mheeif32.exe Malmllfb.exe File created C:\Windows\SysWOW64\Peqhgmdd.exe Pmecbkgj.exe File created C:\Windows\SysWOW64\Pmpiei32.dll Lggbmbfc.exe File created C:\Windows\SysWOW64\Bnekcm32.exe Bcoffd32.exe File created C:\Windows\SysWOW64\Hajfgnjc.exe Hecebm32.exe File created C:\Windows\SysWOW64\Pmecbkgj.exe Pdnkanfg.exe File created C:\Windows\SysWOW64\Hahljg32.exe Hpfoboml.exe File created C:\Windows\SysWOW64\Joapmk32.dll Jpqgkpcl.exe File created C:\Windows\SysWOW64\Fmddgg32.exe Ffjljmla.exe File created C:\Windows\SysWOW64\Cklkcgfb.dll Aglmbfdk.exe File created C:\Windows\SysWOW64\Ddpbfl32.exe Dnfjiali.exe File opened for modification C:\Windows\SysWOW64\Afpchl32.exe Acbglq32.exe File created C:\Windows\SysWOW64\Iaobkf32.exe Haleefoe.exe File created C:\Windows\SysWOW64\Olcnedka.dll Oknjmb32.exe File created C:\Windows\SysWOW64\Abinjdad.exe Ankedf32.exe File created C:\Windows\SysWOW64\Ikcpoa32.dll Mfebdm32.exe File opened for modification C:\Windows\SysWOW64\Pdigkk32.exe Pcgkcccn.exe File created C:\Windows\SysWOW64\Epnmae32.dll Iabhdefo.exe File opened for modification C:\Windows\SysWOW64\Cmlqimph.exe Cfbhlb32.exe File opened for modification C:\Windows\SysWOW64\Ldmaijdc.exe Laodmoep.exe File created C:\Windows\SysWOW64\Jddqgdii.exe Jhmpbc32.exe File created C:\Windows\SysWOW64\Ppfgdd32.dll Pofomolo.exe File opened for modification C:\Windows\SysWOW64\Lkifkdjm.exe Lpdankjg.exe File opened for modification C:\Windows\SysWOW64\Fihalb32.exe Ffiepg32.exe File opened for modification C:\Windows\SysWOW64\Geinjapb.exe Gplebjbk.exe File created C:\Windows\SysWOW64\Lolijfnc.dll 213606402290c5f32f413066e08d7ab0376d503006148bd835150ed74efa1a34.exe File opened for modification C:\Windows\SysWOW64\Fhngkm32.exe Ffpkob32.exe File opened for modification C:\Windows\SysWOW64\Acpjga32.exe Qcmnaaji.exe File created C:\Windows\SysWOW64\Iqcmcj32.exe Idmlniea.exe File created C:\Windows\SysWOW64\Gpjilj32.exe Gmlmpo32.exe File created C:\Windows\SysWOW64\Kcacil32.dll Cjhckg32.exe File created C:\Windows\SysWOW64\Kicqkb32.dll Kdjceb32.exe File opened for modification C:\Windows\SysWOW64\Aakhkj32.exe Aidpjm32.exe File opened for modification C:\Windows\SysWOW64\Lnfmhj32.exe Lgmekpmn.exe File created C:\Windows\SysWOW64\Dngdefco.dll Qgiplffm.exe File created C:\Windows\SysWOW64\Jjgmammj.dll Dajiok32.exe File opened for modification C:\Windows\SysWOW64\Mddibb32.exe Mjlejl32.exe File created C:\Windows\SysWOW64\Gcnemg32.dll Ndiomdde.exe File created C:\Windows\SysWOW64\Pamlel32.exe Oggghc32.exe File created C:\Windows\SysWOW64\Ljkiicbg.dll Bakdjn32.exe File created C:\Windows\SysWOW64\Omgfdhbq.exe Odoakckp.exe File created C:\Windows\SysWOW64\Kapaaj32.exe Kghmhegc.exe File created C:\Windows\SysWOW64\Fmhljo32.dll Edjlgq32.exe File opened for modification C:\Windows\SysWOW64\Igeddb32.exe Idghhf32.exe File created C:\Windows\SysWOW64\Jbhhkn32.exe Jbfkeo32.exe File opened for modification C:\Windows\SysWOW64\Lamjph32.exe Lgdfgbhf.exe File created C:\Windows\SysWOW64\Cempgn32.dll Efhenccl.exe File created C:\Windows\SysWOW64\Deeqch32.exe Dphhka32.exe File opened for modification C:\Windows\SysWOW64\Fbpclofe.exe Fhjoof32.exe File created C:\Windows\SysWOW64\Lqeipj32.dll Jjkfqlpf.exe File opened for modification C:\Windows\SysWOW64\Blobmm32.exe Bphaglgo.exe File created C:\Windows\SysWOW64\Gfdhck32.exe Ghbhhnhk.exe File opened for modification C:\Windows\SysWOW64\Jnbkodci.exe Jghcbjll.exe File created C:\Windows\SysWOW64\Pddiabfi.dll Mmpcdfem.exe File created C:\Windows\SysWOW64\Kggedf32.dll Jmocbnop.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5712 5640 WerFault.exe 579 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cnflae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geiabo32.dll" Jhmpbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kioiffcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inbndm32.dll" Ljjhdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pahokg32.dll" Ljbkig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppfgdd32.dll" Pofomolo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncqodedk.dll" Edeclabl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npdbjl32.dll" Jfhmehji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lglbcaph.dll" Cmikpngk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qdofep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfobnd32.dll" Jdidmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkmbap32.dll" Kapaaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cfbhlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qamnbhdj.dll" Bdaabk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fqkieogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Palkap32.dll" Ibadnhmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jeaahk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kghmhegc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Klhbdclg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hfnkji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Akphfbbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oknjmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fcjeakfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dgnhhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kfjfik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Igffmkno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ocfiif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oafedmlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cgobcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlnbgj32.dll" Fjhdpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alkjpb32.dll" Neblqoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ipfkabpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hadhjaaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kfaljjdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjpldngk.dll" Midnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nejdjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nhcebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmggpigb.dll" Kgoebmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pddiabfi.dll" Mmpcdfem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmelpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbcjpbbk.dll" Bemmenhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oifakkod.dll" Dooqceid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pkplgoop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcdkmafl.dll" Ndfpnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Afqhjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haenec32.dll" Gpoibp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kheofahm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dphhka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbogaqb.dll" Lhklha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pamlel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fjfjcdln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jbijcgbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmefoa32.dll" Odckfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Einkkn32.dll" Podbgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohlhijgh.dll" Jpmooind.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fpgnoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kbpefc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ndbile32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnknlm32.dll" Chggdoee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djpjjl32.dll" Fhbbcail.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Onldqejb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gpafgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgcacc32.dll" Meffjjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iabhdefo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2784 wrote to memory of 2340 2784 213606402290c5f32f413066e08d7ab0376d503006148bd835150ed74efa1a34.exe 30 PID 2784 wrote to memory of 2340 2784 213606402290c5f32f413066e08d7ab0376d503006148bd835150ed74efa1a34.exe 30 PID 2784 wrote to memory of 2340 2784 213606402290c5f32f413066e08d7ab0376d503006148bd835150ed74efa1a34.exe 30 PID 2784 wrote to memory of 2340 2784 213606402290c5f32f413066e08d7ab0376d503006148bd835150ed74efa1a34.exe 30 PID 2340 wrote to memory of 2968 2340 Palpneop.exe 31 PID 2340 wrote to memory of 2968 2340 Palpneop.exe 31 PID 2340 wrote to memory of 2968 2340 Palpneop.exe 31 PID 2340 wrote to memory of 2968 2340 Palpneop.exe 31 PID 2968 wrote to memory of 2232 2968 Qdofep32.exe 32 PID 2968 wrote to memory of 2232 2968 Qdofep32.exe 32 PID 2968 wrote to memory of 2232 2968 Qdofep32.exe 32 PID 2968 wrote to memory of 2232 2968 Qdofep32.exe 32 PID 2232 wrote to memory of 1744 2232 Allgoa32.exe 33 PID 2232 wrote to memory of 1744 2232 Allgoa32.exe 33 PID 2232 wrote to memory of 1744 2232 Allgoa32.exe 33 PID 2232 wrote to memory of 1744 2232 Allgoa32.exe 33 PID 1744 wrote to memory of 2188 1744 Adleoc32.exe 34 PID 1744 wrote to memory of 2188 1744 Adleoc32.exe 34 PID 1744 wrote to memory of 2188 1744 Adleoc32.exe 34 PID 1744 wrote to memory of 2188 1744 Adleoc32.exe 34 PID 2188 wrote to memory of 2512 2188 Bapfhg32.exe 35 PID 2188 wrote to memory of 2512 2188 Bapfhg32.exe 35 PID 2188 wrote to memory of 2512 2188 Bapfhg32.exe 35 PID 2188 wrote to memory of 2512 2188 Bapfhg32.exe 35 PID 2512 wrote to memory of 1548 2512 Bplijcle.exe 36 PID 2512 wrote to memory of 1548 2512 Bplijcle.exe 36 PID 2512 wrote to memory of 1548 2512 Bplijcle.exe 36 PID 2512 wrote to memory of 1548 2512 Bplijcle.exe 36 PID 1548 wrote to memory of 2380 1548 Cngcll32.exe 37 PID 1548 wrote to memory of 2380 1548 Cngcll32.exe 37 PID 1548 wrote to memory of 2380 1548 Cngcll32.exe 37 PID 1548 wrote to memory of 2380 1548 Cngcll32.exe 37 PID 2380 wrote to memory of 2920 2380 Cchdpbog.exe 38 PID 2380 wrote to memory of 2920 2380 Cchdpbog.exe 38 PID 2380 wrote to memory of 2920 2380 Cchdpbog.exe 38 PID 2380 wrote to memory of 2920 2380 Cchdpbog.exe 38 PID 2920 wrote to memory of 1044 2920 Cnnimkom.exe 39 PID 2920 wrote to memory of 1044 2920 Cnnimkom.exe 39 PID 2920 wrote to memory of 1044 2920 Cnnimkom.exe 39 PID 2920 wrote to memory of 1044 2920 Cnnimkom.exe 39 PID 1044 wrote to memory of 2540 1044 Dphhka32.exe 40 PID 1044 wrote to memory of 2540 1044 Dphhka32.exe 40 PID 1044 wrote to memory of 2540 1044 Dphhka32.exe 40 PID 1044 wrote to memory of 2540 1044 Dphhka32.exe 40 PID 2540 wrote to memory of 536 2540 Deeqch32.exe 41 PID 2540 wrote to memory of 536 2540 Deeqch32.exe 41 PID 2540 wrote to memory of 536 2540 Deeqch32.exe 41 PID 2540 wrote to memory of 536 2540 Deeqch32.exe 41 PID 536 wrote to memory of 2124 536 Epfhde32.exe 42 PID 536 wrote to memory of 2124 536 Epfhde32.exe 42 PID 536 wrote to memory of 2124 536 Epfhde32.exe 42 PID 536 wrote to memory of 2124 536 Epfhde32.exe 42 PID 2124 wrote to memory of 352 2124 Ejklan32.exe 43 PID 2124 wrote to memory of 352 2124 Ejklan32.exe 43 PID 2124 wrote to memory of 352 2124 Ejklan32.exe 43 PID 2124 wrote to memory of 352 2124 Ejklan32.exe 43 PID 352 wrote to memory of 1432 352 Fhjoof32.exe 44 PID 352 wrote to memory of 1432 352 Fhjoof32.exe 44 PID 352 wrote to memory of 1432 352 Fhjoof32.exe 44 PID 352 wrote to memory of 1432 352 Fhjoof32.exe 44 PID 1432 wrote to memory of 300 1432 Fbpclofe.exe 45 PID 1432 wrote to memory of 300 1432 Fbpclofe.exe 45 PID 1432 wrote to memory of 300 1432 Fbpclofe.exe 45 PID 1432 wrote to memory of 300 1432 Fbpclofe.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\213606402290c5f32f413066e08d7ab0376d503006148bd835150ed74efa1a34.exe"C:\Users\Admin\AppData\Local\Temp\213606402290c5f32f413066e08d7ab0376d503006148bd835150ed74efa1a34.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Palpneop.exeC:\Windows\system32\Palpneop.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Qdofep32.exeC:\Windows\system32\Qdofep32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Allgoa32.exeC:\Windows\system32\Allgoa32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Adleoc32.exeC:\Windows\system32\Adleoc32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Bapfhg32.exeC:\Windows\system32\Bapfhg32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Bplijcle.exeC:\Windows\system32\Bplijcle.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Cngcll32.exeC:\Windows\system32\Cngcll32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Cchdpbog.exeC:\Windows\system32\Cchdpbog.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Cnnimkom.exeC:\Windows\system32\Cnnimkom.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Dphhka32.exeC:\Windows\system32\Dphhka32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Deeqch32.exeC:\Windows\system32\Deeqch32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Epfhde32.exeC:\Windows\system32\Epfhde32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Ejklan32.exeC:\Windows\system32\Ejklan32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Fhjoof32.exeC:\Windows\system32\Fhjoof32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:352 -
C:\Windows\SysWOW64\Fbpclofe.exeC:\Windows\system32\Fbpclofe.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\Gmqkml32.exeC:\Windows\system32\Gmqkml32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:300 -
C:\Windows\SysWOW64\Gcmcebkc.exeC:\Windows\system32\Gcmcebkc.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Hcdifa32.exeC:\Windows\system32\Hcdifa32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1492 -
C:\Windows\SysWOW64\Hecebm32.exeC:\Windows\system32\Hecebm32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Hajfgnjc.exeC:\Windows\system32\Hajfgnjc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1108 -
C:\Windows\SysWOW64\Hkbkpcpd.exeC:\Windows\system32\Hkbkpcpd.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1988 -
C:\Windows\SysWOW64\Hbnpbm32.exeC:\Windows\system32\Hbnpbm32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3016 -
C:\Windows\SysWOW64\Idmlniea.exeC:\Windows\system32\Idmlniea.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Iqcmcj32.exeC:\Windows\system32\Iqcmcj32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2948 -
C:\Windows\SysWOW64\Igmepdbc.exeC:\Windows\system32\Igmepdbc.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\Ijnnao32.exeC:\Windows\system32\Ijnnao32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1168 -
C:\Windows\SysWOW64\Iqhfnifq.exeC:\Windows\system32\Iqhfnifq.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Ifgklp32.exeC:\Windows\system32\Ifgklp32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2008 -
C:\Windows\SysWOW64\Iifghk32.exeC:\Windows\system32\Iifghk32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Jnemfa32.exeC:\Windows\system32\Jnemfa32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Jbphgpfg.exeC:\Windows\system32\Jbphgpfg.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Jeaahk32.exeC:\Windows\system32\Jeaahk32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:636 -
C:\Windows\SysWOW64\Jmlfmn32.exeC:\Windows\system32\Jmlfmn32.exe34⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Jecnnk32.exeC:\Windows\system32\Jecnnk32.exe35⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Jmocbnop.exeC:\Windows\system32\Jmocbnop.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Jpmooind.exeC:\Windows\system32\Jpmooind.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Kamlhl32.exeC:\Windows\system32\Kamlhl32.exe38⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Kbpefc32.exeC:\Windows\system32\Kbpefc32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Kmficl32.exeC:\Windows\system32\Kmficl32.exe40⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Khojcj32.exeC:\Windows\system32\Khojcj32.exe41⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Koibpd32.exeC:\Windows\system32\Koibpd32.exe42⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Khagijcd.exeC:\Windows\system32\Khagijcd.exe43⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Lbgkfbbj.exeC:\Windows\system32\Lbgkfbbj.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Lonlkcho.exeC:\Windows\system32\Lonlkcho.exe45⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Lehdhn32.exeC:\Windows\system32\Lehdhn32.exe46⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Laodmoep.exeC:\Windows\system32\Laodmoep.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Ldmaijdc.exeC:\Windows\system32\Ldmaijdc.exe48⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Lpdankjg.exeC:\Windows\system32\Lpdankjg.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:880 -
C:\Windows\SysWOW64\Lkifkdjm.exeC:\Windows\system32\Lkifkdjm.exe50⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Lmhbgpia.exeC:\Windows\system32\Lmhbgpia.exe51⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Lcdjpfgh.exeC:\Windows\system32\Lcdjpfgh.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Mgbcfdmo.exeC:\Windows\system32\Mgbcfdmo.exe53⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Miapbpmb.exeC:\Windows\system32\Miapbpmb.exe54⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Monhjgkj.exeC:\Windows\system32\Monhjgkj.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Maldfbjn.exeC:\Windows\system32\Maldfbjn.exe56⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Maoalb32.exeC:\Windows\system32\Maoalb32.exe57⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Mdmmhn32.exeC:\Windows\system32\Mdmmhn32.exe58⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Mldeik32.exeC:\Windows\system32\Mldeik32.exe59⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Mkibjgli.exeC:\Windows\system32\Mkibjgli.exe60⤵
- Executes dropped EXE
PID:792 -
C:\Windows\SysWOW64\Macjgadf.exeC:\Windows\system32\Macjgadf.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Njnokdaq.exeC:\Windows\system32\Njnokdaq.exe62⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Nknkeg32.exeC:\Windows\system32\Nknkeg32.exe63⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Nnlhab32.exeC:\Windows\system32\Nnlhab32.exe64⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Ndfpnl32.exeC:\Windows\system32\Ndfpnl32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Nladco32.exeC:\Windows\system32\Nladco32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1668 -
C:\Windows\SysWOW64\Nopaoj32.exeC:\Windows\system32\Nopaoj32.exe67⤵PID:1664
-
C:\Windows\SysWOW64\Nhhehpbc.exeC:\Windows\system32\Nhhehpbc.exe68⤵PID:1000
-
C:\Windows\SysWOW64\Ncnjeh32.exeC:\Windows\system32\Ncnjeh32.exe69⤵PID:1984
-
C:\Windows\SysWOW64\Okinik32.exeC:\Windows\system32\Okinik32.exe70⤵PID:2756
-
C:\Windows\SysWOW64\Okkkoj32.exeC:\Windows\system32\Okkkoj32.exe71⤵PID:2916
-
C:\Windows\SysWOW64\Onjgkf32.exeC:\Windows\system32\Onjgkf32.exe72⤵PID:2684
-
C:\Windows\SysWOW64\Onldqejb.exeC:\Windows\system32\Onldqejb.exe73⤵
- Modifies registry class
PID:616 -
C:\Windows\SysWOW64\Odflmp32.exeC:\Windows\system32\Odflmp32.exe74⤵PID:2020
-
C:\Windows\SysWOW64\Ogdhik32.exeC:\Windows\system32\Ogdhik32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2388 -
C:\Windows\SysWOW64\Oggeokoq.exeC:\Windows\system32\Oggeokoq.exe76⤵PID:2884
-
C:\Windows\SysWOW64\Ojeakfnd.exeC:\Windows\system32\Ojeakfnd.exe77⤵PID:1940
-
C:\Windows\SysWOW64\Oqojhp32.exeC:\Windows\system32\Oqojhp32.exe78⤵PID:1832
-
C:\Windows\SysWOW64\Pimkbbpi.exeC:\Windows\system32\Pimkbbpi.exe79⤵PID:340
-
C:\Windows\SysWOW64\Padccpal.exeC:\Windows\system32\Padccpal.exe80⤵PID:2348
-
C:\Windows\SysWOW64\Pcbookpp.exeC:\Windows\system32\Pcbookpp.exe81⤵PID:1872
-
C:\Windows\SysWOW64\Pmkdhq32.exeC:\Windows\system32\Pmkdhq32.exe82⤵PID:2452
-
C:\Windows\SysWOW64\Pmmqmpdm.exeC:\Windows\system32\Pmmqmpdm.exe83⤵PID:2236
-
C:\Windows\SysWOW64\Ppkmjlca.exeC:\Windows\system32\Ppkmjlca.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1736 -
C:\Windows\SysWOW64\Qpniokan.exeC:\Windows\system32\Qpniokan.exe85⤵PID:2836
-
C:\Windows\SysWOW64\Qblfkgqb.exeC:\Windows\system32\Qblfkgqb.exe86⤵PID:2848
-
C:\Windows\SysWOW64\Qncfphff.exeC:\Windows\system32\Qncfphff.exe87⤵PID:2564
-
C:\Windows\SysWOW64\Qemomb32.exeC:\Windows\system32\Qemomb32.exe88⤵PID:1964
-
C:\Windows\SysWOW64\Aeokba32.exeC:\Windows\system32\Aeokba32.exe89⤵PID:2808
-
C:\Windows\SysWOW64\Afqhjj32.exeC:\Windows\system32\Afqhjj32.exe90⤵
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Anhpkg32.exeC:\Windows\system32\Anhpkg32.exe91⤵PID:1144
-
C:\Windows\SysWOW64\Afcdpi32.exeC:\Windows\system32\Afcdpi32.exe92⤵PID:3004
-
C:\Windows\SysWOW64\Ajamfh32.exeC:\Windows\system32\Ajamfh32.exe93⤵PID:2000
-
C:\Windows\SysWOW64\Apnfno32.exeC:\Windows\system32\Apnfno32.exe94⤵PID:820
-
C:\Windows\SysWOW64\Ablbjj32.exeC:\Windows\system32\Ablbjj32.exe95⤵PID:2052
-
C:\Windows\SysWOW64\Aocbokia.exeC:\Windows\system32\Aocbokia.exe96⤵PID:2068
-
C:\Windows\SysWOW64\Bemkle32.exeC:\Windows\system32\Bemkle32.exe97⤵PID:1920
-
C:\Windows\SysWOW64\Blgcio32.exeC:\Windows\system32\Blgcio32.exe98⤵PID:852
-
C:\Windows\SysWOW64\Boeoek32.exeC:\Windows\system32\Boeoek32.exe99⤵PID:1488
-
C:\Windows\SysWOW64\Baclaf32.exeC:\Windows\system32\Baclaf32.exe100⤵PID:2776
-
C:\Windows\SysWOW64\Bojipjcj.exeC:\Windows\system32\Bojipjcj.exe101⤵PID:3036
-
C:\Windows\SysWOW64\Bdfahaaa.exeC:\Windows\system32\Bdfahaaa.exe102⤵PID:344
-
C:\Windows\SysWOW64\Bhbmip32.exeC:\Windows\system32\Bhbmip32.exe103⤵PID:1912
-
C:\Windows\SysWOW64\Bkqiek32.exeC:\Windows\system32\Bkqiek32.exe104⤵PID:1116
-
C:\Windows\SysWOW64\Chggdoee.exeC:\Windows\system32\Chggdoee.exe105⤵
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Cjhckg32.exeC:\Windows\system32\Cjhckg32.exe106⤵
- Drops file in System32 directory
PID:1608 -
C:\Windows\SysWOW64\Caokmd32.exeC:\Windows\system32\Caokmd32.exe107⤵PID:1052
-
C:\Windows\SysWOW64\Cnflae32.exeC:\Windows\system32\Cnflae32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Cdpdnpif.exeC:\Windows\system32\Cdpdnpif.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1180 -
C:\Windows\SysWOW64\Clkicbfa.exeC:\Windows\system32\Clkicbfa.exe110⤵PID:1824
-
C:\Windows\SysWOW64\Cpiaipmh.exeC:\Windows\system32\Cpiaipmh.exe111⤵PID:1644
-
C:\Windows\SysWOW64\Ccgnelll.exeC:\Windows\system32\Ccgnelll.exe112⤵PID:1708
-
C:\Windows\SysWOW64\Cbjnqh32.exeC:\Windows\system32\Cbjnqh32.exe113⤵PID:2224
-
C:\Windows\SysWOW64\Dhdfmbjc.exeC:\Windows\system32\Dhdfmbjc.exe114⤵PID:2316
-
C:\Windows\SysWOW64\Doqkpl32.exeC:\Windows\system32\Doqkpl32.exe115⤵PID:1068
-
C:\Windows\SysWOW64\Dfkclf32.exeC:\Windows\system32\Dfkclf32.exe116⤵PID:2828
-
C:\Windows\SysWOW64\Dhiphb32.exeC:\Windows\system32\Dhiphb32.exe117⤵PID:2172
-
C:\Windows\SysWOW64\Dqddmd32.exeC:\Windows\system32\Dqddmd32.exe118⤵PID:2892
-
C:\Windows\SysWOW64\Dhklna32.exeC:\Windows\system32\Dhklna32.exe119⤵PID:568
-
C:\Windows\SysWOW64\Dkjhjm32.exeC:\Windows\system32\Dkjhjm32.exe120⤵
- Drops file in System32 directory
PID:672 -
C:\Windows\SysWOW64\Dqinhcoc.exeC:\Windows\system32\Dqinhcoc.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:612
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-