Analysis
- max time kernel: 142s
- max time network: 20s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 09/07/2024, 05:09
Static task: static1
Behavioral task: behavioral1
  Sample: cb357aef99e853c41fa70492a4f1da5a2e73b23decd5d8a80530278d98b92c78.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: cb357aef99e853c41fa70492a4f1da5a2e73b23decd5d8a80530278d98b92c78.exe
  Resource: win10v2004-20240704-en
General
- Target: cb357aef99e853c41fa70492a4f1da5a2e73b23decd5d8a80530278d98b92c78.exe
- Size: 55KB
- MD5: 3331e1eab1f62616feed8ce0a2610988
- SHA1: fecab330c51d0a9dfb31606f463b602c05dd1577
- SHA256: cb357aef99e853c41fa70492a4f1da5a2e73b23decd5d8a80530278d98b92c78
- SHA512: cd8f9a3999eae8b16fb4ec9a0972674e708fce5ed9e894e332041ee23551020af6559ff1f09dbc117f81acb2aca700486acfd713a80151efc8db76136b5a17de
- SSDEEP: 768:kRWYuTpksqxb2OO1n1VI+V0LzspLsoDJFtIXxMyR3PY5L14EHc3li+N5sHmpa8tR:cuCsgyno+7siIhMLX83c8imp9N2L+
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oljbil32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifecen32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aqkmgl32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gqenfc32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jompim32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jgiffg32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ecdhonoc.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iognjojl.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bgjknijp.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cekkaanh.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oicfpkci.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aliejq32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dlgjie32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eddlcgjb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dlmqip32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eklicjkf.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ggifmgia.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lfbibfmi.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kjpafanf.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oimpppoj.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aqnjml32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhmpmcaq.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Khdhmg32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ldhaaefi.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kceijg32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ljljenoi.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bapcaocc.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eikmkbeg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Inmdjjok.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ikinjj32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Boadlk32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hdbmnchk.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aclfigao.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Joajdmma.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Abqlpn32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mfmekd32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjmaed32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dgjdjghf.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmahbhei.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lbbmlbej.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llagegfb.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oakdkn32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fgojdj32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nnboonmb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Acldpojj.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ikhlaaif.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qljaah32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gokpgd32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dlomnp32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gpbkca32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Afolpb32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ehpjmoio.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fcaankpf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pfekbg32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Glefpd32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iccqedfa.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lmbcmo32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cocpjf32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ianambhc.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mppiod32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bngicb32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fjpipkgi.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pcppbc32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fknlmggc.exe
- Executes dropped EXE (64 IoCs)
  pid | Process
  3064 | Geqnho32.exe
  2176 | Gljfeimi.exe
  2004 | Geckno32.exe
  2456 | Gokpgd32.exe
  2960 | Giaddm32.exe
  2904 | Gbihmcqp.exe
  2840 | Hdjedk32.exe
  2648 | Hopibdfd.exe
  2404 | Hdonpjbi.exe
  936 | Hngbhp32.exe
  2088 | Hincna32.exe
  1712 | Hddgkj32.exe
  2692 | Hjqpcq32.exe
  1124 | Icidlf32.exe
  2200 | Ihfmdm32.exe
  1036 | Ianambhc.exe
  2080 | Ilcfjkgj.exe
  676 | Icnngeof.exe
  1664 | Ihjfolmn.exe
  1076 | Ihmcelkk.exe
  1512 | Jbgdcapi.exe
  2436 | Jciaki32.exe
  2992 | Jmaedolh.exe
  2132 | Jcknqicd.exe
  2952 | Jmcbio32.exe
  3020 | Jgiffg32.exe
  2744 | Jmfoon32.exe
  2348 | Jfnchd32.exe
  2708 | Jkklpk32.exe
  1248 | Kfqpmc32.exe
  2624 | Kkmhej32.exe
  2616 | Kfcmcckn.exe
  2788 | Kpkali32.exe
  2488 | Kicednho.exe
  1688 | Kjeblf32.exe
  688 | Kejfio32.exe
  1132 | Kgibeklf.exe
  2316 | Kcpcjl32.exe
  1792 | Lneghd32.exe
  2700 | Lhnlqjha.exe
  236 | Liohhbno.exe
  1476 | Lfbibfmi.exe
  612 | Lpkmkl32.exe
  2124 | Lmondpbc.exe
  1724 | Lopjlh32.exe
  2320 | Lfgbmf32.exe
  2520 | Lppgfkpd.exe
  2260 | Memonbnl.exe
  2968 | Mlfgkleh.exe
  2716 | Macpcccp.exe
  2540 | Mhmhpm32.exe
  1264 | Mmjqhd32.exe
  1300 | Mddidnqa.exe
  2304 | Mknaahhn.exe
  1740 | Mahinb32.exe
  2928 | Mhbakmgg.exe
  1748 | Mmojcceo.exe
  2268 | Mclbkjcf.exe
  2128 | Miekhd32.exe
  2572 | Nppceo32.exe
  2824 | Ngikaijm.exe
  2812 | Nmccnc32.exe
  2636 | Npbpjn32.exe
  1532 | Neohbe32.exe
- Loads dropped DLL (64 IoCs)
  pid | Process
  2056 | cb357aef99e853c41fa70492a4f1da5a2e73b23decd5d8a80530278d98b92c78.exe
  2056 | cb357aef99e853c41fa70492a4f1da5a2e73b23decd5d8a80530278d98b92c78.exe
  3064 | Geqnho32.exe
  3064 | Geqnho32.exe
  2176 | Gljfeimi.exe
  2176 | Gljfeimi.exe
  2004 | Geckno32.exe
  2004 | Geckno32.exe
  2456 | Gokpgd32.exe
  2456 | Gokpgd32.exe
  2960 | Giaddm32.exe
  2960 | Giaddm32.exe
  2904 | Gbihmcqp.exe
  2904 | Gbihmcqp.exe
  2840 | Hdjedk32.exe
  2840 | Hdjedk32.exe
  2648 | Hopibdfd.exe
  2648 | Hopibdfd.exe
  2404 | Hdonpjbi.exe
  2404 | Hdonpjbi.exe
  936 | Hngbhp32.exe
  936 | Hngbhp32.exe
  2088 | Hincna32.exe
  2088 | Hincna32.exe
  1712 | Hddgkj32.exe
  1712 | Hddgkj32.exe
  2692 | Hjqpcq32.exe
  2692 | Hjqpcq32.exe
  1124 | Icidlf32.exe
  1124 | Icidlf32.exe
  2200 | Ihfmdm32.exe
  2200 | Ihfmdm32.exe
  1036 | Ianambhc.exe
  1036 | Ianambhc.exe
  2080 | Ilcfjkgj.exe
  2080 | Ilcfjkgj.exe
  676 | Icnngeof.exe
  676 | Icnngeof.exe
  1664 | Ihjfolmn.exe
  1664 | Ihjfolmn.exe
  1076 | Ihmcelkk.exe
  1076 | Ihmcelkk.exe
  1512 | Jbgdcapi.exe
  1512 | Jbgdcapi.exe
  2436 | Jciaki32.exe
  2436 | Jciaki32.exe
  2992 | Jmaedolh.exe
  2992 | Jmaedolh.exe
  2132 | Jcknqicd.exe
  2132 | Jcknqicd.exe
  2952 | Jmcbio32.exe
  2952 | Jmcbio32.exe
  3020 | Jgiffg32.exe
  3020 | Jgiffg32.exe
  2744 | Jmfoon32.exe
  2744 | Jmfoon32.exe
  2348 | Jfnchd32.exe
  2348 | Jfnchd32.exe
  2708 | Jkklpk32.exe
  2708 | Jkklpk32.exe
  1248 | Kfqpmc32.exe
  1248 | Kfqpmc32.exe
  2624 | Kkmhej32.exe
  2624 | Kkmhej32.exe
- Drops file in System32 directory (64 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\Poplqm32.exe | Pifcdbhi.exe
  File created | C:\Windows\SysWOW64\Pimlpcke.dll | Dnkggjpj.exe
  File created | C:\Windows\SysWOW64\Enjcfm32.exe | Ehnknfdn.exe
  File created | C:\Windows\SysWOW64\Jookedhp.exe | Jhebij32.exe
  File created | C:\Windows\SysWOW64\Aqnjml32.exe | Ajcbpbkn.exe
  File created | C:\Windows\SysWOW64\Klimjkaf.dll | Qecejnco.exe
  File created | C:\Windows\SysWOW64\Cgpnlgak.exe | Bngicb32.exe
  File created | C:\Windows\SysWOW64\Jhabfbal.dll | Hfjglppd.exe
  File opened for modification | C:\Windows\SysWOW64\Mpcmojia.exe | Mmepboin.exe
  File created | C:\Windows\SysWOW64\Ldgkid32.dll | Madbll32.exe
  File created | C:\Windows\SysWOW64\Chigmlml.exe | Cekkaanh.exe
  File opened for modification | C:\Windows\SysWOW64\Dekgpdqc.exe | Dcmkciap.exe
  File created | C:\Windows\SysWOW64\Ppmjkhma.exe | Pkpacaoj.exe
  File created | C:\Windows\SysWOW64\Hcbogk32.exe | Hcpbalaa.exe
  File created | C:\Windows\SysWOW64\Camepc32.dll | Gokpgd32.exe
  File created | C:\Windows\SysWOW64\Blhhag32.dll | Pafacd32.exe
  File opened for modification | C:\Windows\SysWOW64\Minnmomo.exe | Mfpaqdnk.exe
  File created | C:\Windows\SysWOW64\Ceqlff32.exe | Cdooongp.exe
  File opened for modification | C:\Windows\SysWOW64\Diqabd32.exe | Dcgiejje.exe
  File opened for modification | C:\Windows\SysWOW64\Kjmnfk32.exe | Kbefen32.exe
  File opened for modification | C:\Windows\SysWOW64\Ndnncf32.exe | Nmdfglhm.exe
  File created | C:\Windows\SysWOW64\Nkqlodpk.exe | Nhbpbi32.exe
  File created | C:\Windows\SysWOW64\Cojejcno.dll | Icgibkki.exe
  File opened for modification | C:\Windows\SysWOW64\Nmccnc32.exe | Ngikaijm.exe
  File created | C:\Windows\SysWOW64\Bilhdgoo.dll | Bbbckh32.exe
  File opened for modification | C:\Windows\SysWOW64\Fcinia32.exe | Fqjbme32.exe
  File created | C:\Windows\SysWOW64\Jciikigk.dll | Macpcccp.exe
  File created | C:\Windows\SysWOW64\Fhcaokcc.dll | Kceijg32.exe
  File created | C:\Windows\SysWOW64\Mbmhnekp.dll | Mipjbokm.exe
  File created | C:\Windows\SysWOW64\Gplgmodq.exe | Gnkkeg32.exe
  File opened for modification | C:\Windows\SysWOW64\Fhmblljb.exe | Foencfda.exe
  File created | C:\Windows\SysWOW64\Icgibkki.exe | Immqeq32.exe
  File opened for modification | C:\Windows\SysWOW64\Memonbnl.exe | Lppgfkpd.exe
  File created | C:\Windows\SysWOW64\Acldpojj.exe | Aifpcfjd.exe
  File created | C:\Windows\SysWOW64\Idcodh32.dll | Bknani32.exe
  File created | C:\Windows\SysWOW64\Cnpbgjma.dll | Hgconl32.exe
  File created | C:\Windows\SysWOW64\Bbpffhnb.exe | Blfnin32.exe
  File opened for modification | C:\Windows\SysWOW64\Qnlobhne.exe | Qgbfen32.exe
  File created | C:\Windows\SysWOW64\Aqpgblqh.exe | Ajfoea32.exe
  File opened for modification | C:\Windows\SysWOW64\Lnipilbb.exe | Lhlgaedj.exe
  File created | C:\Windows\SysWOW64\Bjcgdojn.exe | Bqjcli32.exe
  File created | C:\Windows\SysWOW64\Bhdpjaga.exe | Bakgmgpe.exe
  File created | C:\Windows\SysWOW64\Kcdeqiac.dll | Dkelhemb.exe
  File created | C:\Windows\SysWOW64\Ihmcelkk.exe | Ihjfolmn.exe
  File opened for modification | C:\Windows\SysWOW64\Miekhd32.exe | Mclbkjcf.exe
  File opened for modification | C:\Windows\SysWOW64\Liqnclia.exe | Llmnjg32.exe
  File created | C:\Windows\SysWOW64\Mmepboin.exe | Lfkhed32.exe
  File created | C:\Windows\SysWOW64\Glgiaghd.dll | Fjbfek32.exe
  File opened for modification | C:\Windows\SysWOW64\Ihfmdm32.exe | Icidlf32.exe
  File created | C:\Windows\SysWOW64\Cigkbm32.dll | Ilcfjkgj.exe
  File created | C:\Windows\SysWOW64\Bebnlb32.dll | Ommfibdg.exe
  File opened for modification | C:\Windows\SysWOW64\Icidlf32.exe | Hjqpcq32.exe
  File created | C:\Windows\SysWOW64\Lpkmkl32.exe | Lfbibfmi.exe
  File created | C:\Windows\SysWOW64\Ghgfppka.dll | Pkiikm32.exe
  File created | C:\Windows\SysWOW64\Jbgdcapi.exe | Ihmcelkk.exe
  File created | C:\Windows\SysWOW64\Lpqamg32.dll | Eqklhh32.exe
  File opened for modification | C:\Windows\SysWOW64\Ogjjie32.exe | Oehmamnn.exe
  File created | C:\Windows\SysWOW64\Hocgoilb.dll | Occgce32.exe
  File created | C:\Windows\SysWOW64\Cpafhpaj.exe | Ckdnpicb.exe
  File opened for modification | C:\Windows\SysWOW64\Hjlekm32.exe | Hdbmnchk.exe
  File created | C:\Windows\SysWOW64\Ajijco32.dll | Emeejpjc.exe
  File opened for modification | C:\Windows\SysWOW64\Gfobndnj.exe | Gcpfbhof.exe
  File created | C:\Windows\SysWOW64\Fdbcdc32.dll | Immqeq32.exe
  File opened for modification | C:\Windows\SysWOW64\Dehdpnok.exe | Dlppgihj.exe
- Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  6276 | 2116 | WerFault.exe | 746
- Modifies registry class (64 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiilgl32.dll" | Nnboonmb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nhmpmcaq.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fhmblljb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbaipg32.dll" | Eqninhmc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ceqlff32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ehlqao32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bknani32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Palffa32.dll" | Epmdljal.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gamdmnhm.dll" | Iidajaiq.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hldlnabb.dll" | Jakjlpif.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opcjphoj.dll" | Pokkkgpo.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pnkhfnea.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lfgbmf32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibngfe32.dll" | Dbaflm32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hqojpqdp.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fbflfomj.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cmnjgo32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jompim32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Manhdpha.dll" | Ieglfd32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Idligq32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jllggbde.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lmcfeh32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckifcl32.dll" | Aqapek32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pkiikm32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ielllj32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nmdfglhm.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dehdpnok.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Haadlh32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ckmfbf32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehcfq32.dll" | Dehdpnok.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jlaqba32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Glefpd32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooiodm32.dll" | Ihkihe32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bclbhkdj.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Khfdcgmp.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcclni32.dll" | Ocbekmpi.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fjhjlm32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjhfpoj.dll" | Bholco32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fmicnhob.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ohdmhhod.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghgbeni.dll" | Ecaeoh32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gkkkgkla.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Macpcccp.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddclhk32.dll" | Dpggnfap.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Llagegfb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ihefjg32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cajmbd32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcejjpfg.dll" | Ohdmhhod.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bppknhnn.dll" | Pkgonf32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iblfcg32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kicednho.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bpbadcbj.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cnfnlk32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Neohbe32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pfekbg32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kkjeedio.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nmlcbafa.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Imbakfcc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hiffbl32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bholco32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oooeeb32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hqmmja32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idoaigpm.dll" | Icnngeof.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehlolh32.dll" | Jbgdcapi.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 2056 wrote to memory of 3064 | 2056 | cb357aef99e853c41fa70492a4f1da5a2e73b23decd5d8a80530278d98b92c78.exe | 29
  PID 2056 wrote to memory of 3064 | 2056 | cb357aef99e853c41fa70492a4f1da5a2e73b23decd5d8a80530278d98b92c78.exe | 29
  PID 2056 wrote to memory of 3064 | 2056 | cb357aef99e853c41fa70492a4f1da5a2e73b23decd5d8a80530278d98b92c78.exe | 29
  PID 2056 wrote to memory of 3064 | 2056 | cb357aef99e853c41fa70492a4f1da5a2e73b23decd5d8a80530278d98b92c78.exe | 29
  PID 3064 wrote to memory of 2176 | 3064 | Geqnho32.exe | 30
  PID 3064 wrote to memory of 2176 | 3064 | Geqnho32.exe | 30
  PID 3064 wrote to memory of 2176 | 3064 | Geqnho32.exe | 30
  PID 3064 wrote to memory of 2176 | 3064 | Geqnho32.exe | 30
  PID 2176 wrote to memory of 2004 | 2176 | Gljfeimi.exe | 31
  PID 2176 wrote to memory of 2004 | 2176 | Gljfeimi.exe | 31
  PID 2176 wrote to memory of 2004 | 2176 | Gljfeimi.exe | 31
  PID 2176 wrote to memory of 2004 | 2176 | Gljfeimi.exe | 31
  PID 2004 wrote to memory of 2456 | 2004 | Geckno32.exe | 32
  PID 2004 wrote to memory of 2456 | 2004 | Geckno32.exe | 32
  PID 2004 wrote to memory of 2456 | 2004 | Geckno32.exe | 32
  PID 2004 wrote to memory of 2456 | 2004 | Geckno32.exe | 32
  PID 2456 wrote to memory of 2960 | 2456 | Gokpgd32.exe | 33
  PID 2456 wrote to memory of 2960 | 2456 | Gokpgd32.exe | 33
  PID 2456 wrote to memory of 2960 | 2456 | Gokpgd32.exe | 33
  PID 2456 wrote to memory of 2960 | 2456 | Gokpgd32.exe | 33
  PID 2960 wrote to memory of 2904 | 2960 | Giaddm32.exe | 34
  PID 2960 wrote to memory of 2904 | 2960 | Giaddm32.exe | 34
  PID 2960 wrote to memory of 2904 | 2960 | Giaddm32.exe | 34
  PID 2960 wrote to memory of 2904 | 2960 | Giaddm32.exe | 34
  PID 2904 wrote to memory of 2840 | 2904 | Gbihmcqp.exe | 35
  PID 2904 wrote to memory of 2840 | 2904 | Gbihmcqp.exe | 35
  PID 2904 wrote to memory of 2840 | 2904 | Gbihmcqp.exe | 35
  PID 2904 wrote to memory of 2840 | 2904 | Gbihmcqp.exe | 35
  PID 2840 wrote to memory of 2648 | 2840 | Hdjedk32.exe | 36
  PID 2840 wrote to memory of 2648 | 2840 | Hdjedk32.exe | 36
  PID 2840 wrote to memory of 2648 | 2840 | Hdjedk32.exe | 36
  PID 2840 wrote to memory of 2648 | 2840 | Hdjedk32.exe | 36
  PID 2648 wrote to memory of 2404 | 2648 | Hopibdfd.exe | 37
  PID 2648 wrote to memory of 2404 | 2648 | Hopibdfd.exe | 37
  PID 2648 wrote to memory of 2404 | 2648 | Hopibdfd.exe | 37
  PID 2648 wrote to memory of 2404 | 2648 | Hopibdfd.exe | 37
  PID 2404 wrote to memory of 936 | 2404 | Hdonpjbi.exe | 38
  PID 2404 wrote to memory of 936 | 2404 | Hdonpjbi.exe | 38
  PID 2404 wrote to memory of 936 | 2404 | Hdonpjbi.exe | 38
  PID 2404 wrote to memory of 936 | 2404 | Hdonpjbi.exe | 38
  PID 936 wrote to memory of 2088 | 936 | Hngbhp32.exe | 39
  PID 936 wrote to memory of 2088 | 936 | Hngbhp32.exe | 39
  PID 936 wrote to memory of 2088 | 936 | Hngbhp32.exe | 39
  PID 936 wrote to memory of 2088 | 936 | Hngbhp32.exe | 39
  PID 2088 wrote to memory of 1712 | 2088 | Hincna32.exe | 40
  PID 2088 wrote to memory of 1712 | 2088 | Hincna32.exe | 40
  PID 2088 wrote to memory of 1712 | 2088 | Hincna32.exe | 40
  PID 2088 wrote to memory of 1712 | 2088 | Hincna32.exe | 40
  PID 1712 wrote to memory of 2692 | 1712 | Hddgkj32.exe | 41
  PID 1712 wrote to memory of 2692 | 1712 | Hddgkj32.exe | 41
  PID 1712 wrote to memory of 2692 | 1712 | Hddgkj32.exe | 41
  PID 1712 wrote to memory of 2692 | 1712 | Hddgkj32.exe | 41
  PID 2692 wrote to memory of 1124 | 2692 | Hjqpcq32.exe | 42
  PID 2692 wrote to memory of 1124 | 2692 | Hjqpcq32.exe | 42
  PID 2692 wrote to memory of 1124 | 2692 | Hjqpcq32.exe | 42
  PID 2692 wrote to memory of 1124 | 2692 | Hjqpcq32.exe | 42
  PID 1124 wrote to memory of 2200 | 1124 | Icidlf32.exe | 43
  PID 1124 wrote to memory of 2200 | 1124 | Icidlf32.exe | 43
  PID 1124 wrote to memory of 2200 | 1124 | Icidlf32.exe | 43
  PID 1124 wrote to memory of 2200 | 1124 | Icidlf32.exe | 43
  PID 2200 wrote to memory of 1036 | 2200 | Ihfmdm32.exe | 44
  PID 2200 wrote to memory of 1036 | 2200 | Ihfmdm32.exe | 44
  PID 2200 wrote to memory of 1036 | 2200 | Ihfmdm32.exe | 44
  PID 2200 wrote to memory of 1036 | 2200 | Ihfmdm32.exe | 44
Processes

The tree is a single linear chain: each process is the child of the one above it, and the leading number is its depth. From depth 2 down the command line names C:\Windows\system32\ while the image path resolves to C:\Windows\SysWOW64\; that is WOW64 file-system redirection for a 32-bit process on 64-bit Windows, not two different files.

1⤵ C:\Users\Admin\AppData\Local\Temp\cb357aef99e853c41fa70492a4f1da5a2e73b23decd5d8a80530278d98b92c78.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\cb357aef99e853c41fa70492a4f1da5a2e73b23decd5d8a80530278d98b92c78.exe"  PID:2056
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2⤵ C:\Windows\SysWOW64\Geqnho32.exe  cmd: C:\Windows\system32\Geqnho32.exe  PID:3064
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3⤵ C:\Windows\SysWOW64\Gljfeimi.exe  cmd: C:\Windows\system32\Gljfeimi.exe  PID:2176
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4⤵ C:\Windows\SysWOW64\Geckno32.exe  cmd: C:\Windows\system32\Geckno32.exe  PID:2004
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5⤵ C:\Windows\SysWOW64\Gokpgd32.exe  cmd: C:\Windows\system32\Gokpgd32.exe  PID:2456
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
6⤵ C:\Windows\SysWOW64\Giaddm32.exe  cmd: C:\Windows\system32\Giaddm32.exe  PID:2960
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7⤵ C:\Windows\SysWOW64\Gbihmcqp.exe  cmd: C:\Windows\system32\Gbihmcqp.exe  PID:2904
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
8⤵ C:\Windows\SysWOW64\Hdjedk32.exe  cmd: C:\Windows\system32\Hdjedk32.exe  PID:2840
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9⤵ C:\Windows\SysWOW64\Hopibdfd.exe  cmd: C:\Windows\system32\Hopibdfd.exe  PID:2648
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
10⤵ C:\Windows\SysWOW64\Hdonpjbi.exe  cmd: C:\Windows\system32\Hdonpjbi.exe  PID:2404
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
11⤵ C:\Windows\SysWOW64\Hngbhp32.exe  cmd: C:\Windows\system32\Hngbhp32.exe  PID:936
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
12⤵ C:\Windows\SysWOW64\Hincna32.exe  cmd: C:\Windows\system32\Hincna32.exe  PID:2088
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
13⤵ C:\Windows\SysWOW64\Hddgkj32.exe  cmd: C:\Windows\system32\Hddgkj32.exe  PID:1712
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14⤵ C:\Windows\SysWOW64\Hjqpcq32.exe  cmd: C:\Windows\system32\Hjqpcq32.exe  PID:2692
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
15⤵ C:\Windows\SysWOW64\Icidlf32.exe  cmd: C:\Windows\system32\Icidlf32.exe  PID:1124
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
16⤵ C:\Windows\SysWOW64\Ihfmdm32.exe  cmd: C:\Windows\system32\Ihfmdm32.exe  PID:2200
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
17⤵ C:\Windows\SysWOW64\Ianambhc.exe  cmd: C:\Windows\system32\Ianambhc.exe  PID:1036
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
18⤵ C:\Windows\SysWOW64\Ilcfjkgj.exe  cmd: C:\Windows\system32\Ilcfjkgj.exe  PID:2080
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
19⤵ C:\Windows\SysWOW64\Icnngeof.exe  cmd: C:\Windows\system32\Icnngeof.exe  PID:676
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
20⤵ C:\Windows\SysWOW64\Ihjfolmn.exe  cmd: C:\Windows\system32\Ihjfolmn.exe  PID:1664
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
21⤵ C:\Windows\SysWOW64\Ihmcelkk.exe  cmd: C:\Windows\system32\Ihmcelkk.exe  PID:1076
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
22⤵ C:\Windows\SysWOW64\Jbgdcapi.exe  cmd: C:\Windows\system32\Jbgdcapi.exe  PID:1512
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
23⤵ C:\Windows\SysWOW64\Jciaki32.exe  cmd: C:\Windows\system32\Jciaki32.exe  PID:2436
   - Executes dropped EXE
   - Loads dropped DLL
24⤵ C:\Windows\SysWOW64\Jmaedolh.exe  cmd: C:\Windows\system32\Jmaedolh.exe  PID:2992
   - Executes dropped EXE
   - Loads dropped DLL
25⤵ C:\Windows\SysWOW64\Jcknqicd.exe  cmd: C:\Windows\system32\Jcknqicd.exe  PID:2132
   - Executes dropped EXE
   - Loads dropped DLL
26⤵ C:\Windows\SysWOW64\Jmcbio32.exe  cmd: C:\Windows\system32\Jmcbio32.exe  PID:2952
   - Executes dropped EXE
   - Loads dropped DLL
27⤵ C:\Windows\SysWOW64\Jgiffg32.exe  cmd: C:\Windows\system32\Jgiffg32.exe  PID:3020
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
28⤵ C:\Windows\SysWOW64\Jmfoon32.exe  cmd: C:\Windows\system32\Jmfoon32.exe  PID:2744
   - Executes dropped EXE
   - Loads dropped DLL
29⤵ C:\Windows\SysWOW64\Jfnchd32.exe  cmd: C:\Windows\system32\Jfnchd32.exe  PID:2348
   - Executes dropped EXE
   - Loads dropped DLL
30⤵ C:\Windows\SysWOW64\Jkklpk32.exe  cmd: C:\Windows\system32\Jkklpk32.exe  PID:2708
   - Executes dropped EXE
   - Loads dropped DLL
31⤵ C:\Windows\SysWOW64\Kfqpmc32.exe  cmd: C:\Windows\system32\Kfqpmc32.exe  PID:1248
   - Executes dropped EXE
   - Loads dropped DLL
32⤵ C:\Windows\SysWOW64\Kkmhej32.exe  cmd: C:\Windows\system32\Kkmhej32.exe  PID:2624
   - Executes dropped EXE
   - Loads dropped DLL
33⤵ C:\Windows\SysWOW64\Kfcmcckn.exe  cmd: C:\Windows\system32\Kfcmcckn.exe  PID:2616
   - Executes dropped EXE
34⤵ C:\Windows\SysWOW64\Kpkali32.exe  cmd: C:\Windows\system32\Kpkali32.exe  PID:2788
   - Executes dropped EXE
35⤵ C:\Windows\SysWOW64\Kicednho.exe  cmd: C:\Windows\system32\Kicednho.exe  PID:2488
   - Executes dropped EXE
   - Modifies registry class
36⤵ C:\Windows\SysWOW64\Kjeblf32.exe  cmd: C:\Windows\system32\Kjeblf32.exe  PID:1688
   - Executes dropped EXE
37⤵ C:\Windows\SysWOW64\Kejfio32.exe  cmd: C:\Windows\system32\Kejfio32.exe  PID:688
   - Executes dropped EXE
38⤵ C:\Windows\SysWOW64\Kgibeklf.exe  cmd: C:\Windows\system32\Kgibeklf.exe  PID:1132
   - Executes dropped EXE
39⤵ C:\Windows\SysWOW64\Kcpcjl32.exe  cmd: C:\Windows\system32\Kcpcjl32.exe  PID:2316
   - Executes dropped EXE
40⤵ C:\Windows\SysWOW64\Lneghd32.exe  cmd: C:\Windows\system32\Lneghd32.exe  PID:1792
   - Executes dropped EXE
41⤵ C:\Windows\SysWOW64\Lhnlqjha.exe  cmd: C:\Windows\system32\Lhnlqjha.exe  PID:2700
   - Executes dropped EXE
42⤵ C:\Windows\SysWOW64\Liohhbno.exe  cmd: C:\Windows\system32\Liohhbno.exe  PID:236
   - Executes dropped EXE
43⤵ C:\Windows\SysWOW64\Lfbibfmi.exe  cmd: C:\Windows\system32\Lfbibfmi.exe  PID:1476
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
44⤵ C:\Windows\SysWOW64\Lpkmkl32.exe  cmd: C:\Windows\system32\Lpkmkl32.exe  PID:612
   - Executes dropped EXE
45⤵ C:\Windows\SysWOW64\Lmondpbc.exe  cmd: C:\Windows\system32\Lmondpbc.exe  PID:2124
   - Executes dropped EXE
46⤵ C:\Windows\SysWOW64\Lopjlh32.exe  cmd: C:\Windows\system32\Lopjlh32.exe  PID:1724
   - Executes dropped EXE
47⤵ C:\Windows\SysWOW64\Lfgbmf32.exe  cmd: C:\Windows\system32\Lfgbmf32.exe  PID:2320
   - Executes dropped EXE
   - Modifies registry class
48⤵ C:\Windows\SysWOW64\Lppgfkpd.exe  cmd: C:\Windows\system32\Lppgfkpd.exe  PID:2520
   - Executes dropped EXE
   - Drops file in System32 directory
49⤵ C:\Windows\SysWOW64\Memonbnl.exe  cmd: C:\Windows\system32\Memonbnl.exe  PID:2260
   - Executes dropped EXE
50⤵ C:\Windows\SysWOW64\Mlfgkleh.exe  cmd: C:\Windows\system32\Mlfgkleh.exe  PID:2968
   - Executes dropped EXE
51⤵ C:\Windows\SysWOW64\Macpcccp.exe  cmd: C:\Windows\system32\Macpcccp.exe  PID:2716
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
52⤵ C:\Windows\SysWOW64\Mhmhpm32.exe  cmd: C:\Windows\system32\Mhmhpm32.exe  PID:2540
   - Executes dropped EXE
53⤵ C:\Windows\SysWOW64\Mmjqhd32.exe  cmd: C:\Windows\system32\Mmjqhd32.exe  PID:1264
   - Executes dropped EXE
54⤵ C:\Windows\SysWOW64\Mddidnqa.exe  cmd: C:\Windows\system32\Mddidnqa.exe  PID:1300
   - Executes dropped EXE
55⤵ C:\Windows\SysWOW64\Mknaahhn.exe  cmd: C:\Windows\system32\Mknaahhn.exe  PID:2304
   - Executes dropped EXE
56⤵ C:\Windows\SysWOW64\Mahinb32.exe  cmd: C:\Windows\system32\Mahinb32.exe  PID:1740
   - Executes dropped EXE
57⤵ C:\Windows\SysWOW64\Mhbakmgg.exe  cmd: C:\Windows\system32\Mhbakmgg.exe  PID:2928
   - Executes dropped EXE
58⤵ C:\Windows\SysWOW64\Mmojcceo.exe  cmd: C:\Windows\system32\Mmojcceo.exe  PID:1748
   - Executes dropped EXE
59⤵ C:\Windows\SysWOW64\Mclbkjcf.exe  cmd: C:\Windows\system32\Mclbkjcf.exe  PID:2268
   - Executes dropped EXE
   - Drops file in System32 directory
60⤵ C:\Windows\SysWOW64\Miekhd32.exe  cmd: C:\Windows\system32\Miekhd32.exe  PID:2128
   - Executes dropped EXE
61⤵ C:\Windows\SysWOW64\Nppceo32.exe  cmd: C:\Windows\system32\Nppceo32.exe  PID:2572
   - Executes dropped EXE
62⤵ C:\Windows\SysWOW64\Ngikaijm.exe  cmd: C:\Windows\system32\Ngikaijm.exe  PID:2824
   - Executes dropped EXE
   - Drops file in System32 directory
63⤵ C:\Windows\SysWOW64\Nmccnc32.exe  cmd: C:\Windows\system32\Nmccnc32.exe  PID:2812
   - Executes dropped EXE
64⤵ C:\Windows\SysWOW64\Npbpjn32.exe  cmd: C:\Windows\system32\Npbpjn32.exe  PID:2636
   - Executes dropped EXE
65⤵ C:\Windows\SysWOW64\Neohbe32.exe  cmd: C:\Windows\system32\Neohbe32.exe  PID:1532
   - Executes dropped EXE
   - Modifies registry class
66⤵ C:\Windows\SysWOW64\Nliqoofa.exe  cmd: C:\Windows\system32\Nliqoofa.exe  PID:436
67⤵ C:\Windows\SysWOW64\Naeigf32.exe  cmd: C:\Windows\system32\Naeigf32.exe  PID:2372
68⤵ C:\Windows\SysWOW64\Nhpadpke.exe  cmd: C:\Windows\system32\Nhpadpke.exe  PID:2644
69⤵ C:\Windows\SysWOW64\Nceeaikk.exe  cmd: C:\Windows\system32\Nceeaikk.exe  PID:592
70⤵ C:\Windows\SysWOW64\Ojhdmgkl.exe  cmd: C:\Windows\system32\Ojhdmgkl.exe  PID:2292
71⤵ C:\Windows\SysWOW64\Oqaliabh.exe  cmd: C:\Windows\system32\Oqaliabh.exe  PID:3024
72⤵ C:\Windows\SysWOW64\Ogldfl32.exe  cmd: C:\Windows\system32\Ogldfl32.exe  PID:2284
73⤵ C:\Windows\SysWOW64\Olhmnb32.exe  cmd: C:\Windows\system32\Olhmnb32.exe  PID:2924
74⤵ C:\Windows\SysWOW64\Ocbekmpi.exe  cmd: C:\Windows\system32\Ocbekmpi.exe  PID:2884
   - Modifies registry class
75⤵ C:\Windows\SysWOW64\Ojlmgg32.exe  cmd: C:\Windows\system32\Ojlmgg32.exe  PID:2864
76⤵ C:\Windows\SysWOW64\Ooiepnen.exe  cmd: C:\Windows\system32\Ooiepnen.exe  PID:1800
77⤵ C:\Windows\SysWOW64\Ogpnakfp.exe  cmd: C:\Windows\system32\Ogpnakfp.exe  PID:2084
78⤵ C:\Windows\SysWOW64\Ommfibdg.exe  cmd: C:\Windows\system32\Ommfibdg.exe  PID:640
   - Drops file in System32 directory
79⤵ C:\Windows\SysWOW64\Pfekbg32.exe  cmd: C:\Windows\system32\Pfekbg32.exe  PID:1152
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
80⤵ C:\Windows\SysWOW64\Pkbcjn32.exe  cmd: C:\Windows\system32\Pkbcjn32.exe  PID:976
81⤵ C:\Windows\SysWOW64\Pcikllja.exe  cmd: C:\Windows\system32\Pcikllja.exe  PID:1700
82⤵ C:\Windows\SysWOW64\Pifcdbhi.exe  cmd: C:\Windows\system32\Pifcdbhi.exe  PID:2216
   - Drops file in System32 directory
83⤵ C:\Windows\SysWOW64\Poplqm32.exe  cmd: C:\Windows\system32\Poplqm32.exe  PID:2836
84⤵ C:\Windows\SysWOW64\Pemdic32.exe  cmd: C:\Windows\system32\Pemdic32.exe  PID:2948
85⤵ C:\Windows\SysWOW64\Pobhfl32.exe  cmd: C:\Windows\system32\Pobhfl32.exe  PID:1320
86⤵ C:\Windows\SysWOW64\Pqdend32.exe  cmd: C:\Windows\system32\Pqdend32.exe  PID:632
87⤵ C:\Windows\SysWOW64\Pkiikm32.exe  cmd: C:\Windows\system32\Pkiikm32.exe  PID:944
   - Drops file in System32 directory
   - Modifies registry class
88⤵ C:\Windows\SysWOW64\Pafacd32.exe  cmd: C:\Windows\system32\Pafacd32.exe  PID:2860
   - Drops file in System32 directory
89⤵ C:\Windows\SysWOW64\Pgpjpnhk.exe  cmd: C:\Windows\system32\Pgpjpnhk.exe  PID:1292
90⤵ C:\Windows\SysWOW64\Qmmbhegc.exe  cmd: C:\Windows\system32\Qmmbhegc.exe  PID:2228
91⤵ C:\Windows\SysWOW64\Qgbfen32.exe  cmd: C:\Windows\system32\Qgbfen32.exe  PID:2712
   - Drops file in System32 directory
92⤵ C:\Windows\SysWOW64\Qnlobhne.exe  cmd: C:\Windows\system32\Qnlobhne.exe  PID:964
93⤵ C:\Windows\SysWOW64\Qcigjolm.exe  cmd: C:\Windows\system32\Qcigjolm.exe  PID:2092
94⤵ C:\Windows\SysWOW64\Aifpcfjd.exe  cmd: C:\Windows\system32\Aifpcfjd.exe  PID:2760
   - Drops file in System32 directory
95⤵ C:\Windows\SysWOW64\Acldpojj.exe  cmd: C:\Windows\system32\Acldpojj.exe  PID:2920
   - Adds autorun key to be loaded by Explorer.exe on startup
96⤵ C:\Windows\SysWOW64\Afjplj32.exe  cmd: C:\Windows\system32\Afjplj32.exe  PID:1172
97⤵ C:\Windows\SysWOW64\Algida32.exe  cmd: C:\Windows\system32\Algida32.exe  PID:1260
98⤵ C:\Windows\SysWOW64\Aflmbj32.exe  cmd: C:\Windows\system32\Aflmbj32.exe  PID:1832
99⤵ C:\Windows\SysWOW64\Aliejq32.exe  cmd: C:\Windows\system32\Aliejq32.exe  PID:2916
   - Adds autorun key to be loaded by Explorer.exe on startup
100⤵ C:\Windows\SysWOW64\Abcngkmp.exe  cmd: C:\Windows\system32\Abcngkmp.exe  PID:1628
101⤵ C:\Windows\SysWOW64\Ahpfoa32.exe  cmd: C:\Windows\system32\Ahpfoa32.exe  PID:2756
102⤵ C:\Windows\SysWOW64\Apgnpo32.exe  cmd: C:\Windows\system32\Apgnpo32.exe  PID:2956
103⤵ C:\Windows\SysWOW64\Aipbidbj.exe  cmd: C:\Windows\system32\Aipbidbj.exe  PID:2516
104⤵ C:\Windows\SysWOW64\Ajqoqm32.exe  cmd: C:\Windows\system32\Ajqoqm32.exe  PID:1752
105⤵ C:\Windows\SysWOW64\Bakgmgpe.exe  cmd: C:\Windows\system32\Bakgmgpe.exe  PID:2340
   - Drops file in System32 directory
106⤵ C:\Windows\SysWOW64\Bhdpjaga.exe  cmd: C:\Windows\system32\Bhdpjaga.exe  PID:868
107⤵ C:\Windows\SysWOW64\Bmahbhei.exe  cmd: C:\Windows\system32\Bmahbhei.exe  PID:2532
   - Adds autorun key to be loaded by Explorer.exe on startup
108⤵ C:\Windows\SysWOW64\Bdkpob32.exe  cmd: C:\Windows\system32\Bdkpob32.exe  PID:2196
109⤵ C:\Windows\SysWOW64\Boadlk32.exe  cmd: C:\Windows\system32\Boadlk32.exe  PID:2552
   - Adds autorun key to be loaded by Explorer.exe on startup
110⤵ C:\Windows\SysWOW64\Bpbadcbj.exe  cmd: C:\Windows\system32\Bpbadcbj.exe  PID:2236
   - Modifies registry class
111⤵ C:\Windows\SysWOW64\Bkheal32.exe  cmd: C:\Windows\system32\Bkheal32.exe  PID:2484
112⤵ C:\Windows\SysWOW64\Bpdnjb32.exe  cmd: C:\Windows\system32\Bpdnjb32.exe  PID:2280
113⤵ C:\Windows\SysWOW64\Bkjbgk32.exe  cmd: C:\Windows\system32\Bkjbgk32.exe  PID:2308
114⤵ C:\Windows\SysWOW64\Blkoocfl.exe  cmd: C:\Windows\system32\Blkoocfl.exe  PID:1732
115⤵ C:\Windows\SysWOW64\Bgablmfa.exe  cmd: C:\Windows\system32\Bgablmfa.exe  PID:2768
116⤵ C:\Windows\SysWOW64\Cpigeblb.exe  cmd: C:\Windows\system32\Cpigeblb.exe  PID:2212
117⤵ C:\Windows\SysWOW64\Cefpmiji.exe  cmd: C:\Windows\system32\Cefpmiji.exe  PID:2600
118⤵ C:\Windows\SysWOW64\Clphjc32.exe  cmd: C:\Windows\system32\Clphjc32.exe  PID:2876
119⤵ C:\Windows\SysWOW64\Campbj32.exe  cmd: C:\Windows\system32\Campbj32.exe  PID:1604
120⤵ C:\Windows\SysWOW64\Chghodgj.exe  cmd: C:\Windows\system32\Chghodgj.exe  PID:2848
121⤵ C:\Windows\SysWOW64\Coqaknog.exe  cmd: C:\Windows\system32\Coqaknog.exe  PID:1600
122⤵ C:\Windows\SysWOW64\Cekihh32.exe  cmd: C:\Windows\system32\Cekihh32.exe  PID:2852