Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 58s
max time network: 19s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 10/07/2024, 18:34
Static task: static1
Behavioral task: behavioral1
Sample: 0727a1b671f038809473aecce563d4f9ac837388e558f7de427627c935d44952.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: 0727a1b671f038809473aecce563d4f9ac837388e558f7de427627c935d44952.exe
Resource: win10v2004-20240709-en
General
Target: 0727a1b671f038809473aecce563d4f9ac837388e558f7de427627c935d44952.exe
Size: 99KB
MD5: f0bb797061674d2623a29eee23a3cb72
SHA1: 370be2d569a6bba603fe4fff45622f925541d0ab
SHA256: 0727a1b671f038809473aecce563d4f9ac837388e558f7de427627c935d44952
SHA512: df461ca0ecf091c635e9423ae9f6bdd1b482d6e1e98069eff280d0388b524b4e629be99fed78e2a3d3f1a97b34b3d68752208a6e942e094425983af25c7222c9
SSDEEP: 1536:lpxt4PO8tpDD5gSbcC48ZxUOH9xymlzNRRQyUkRvwtycORTRQ6mRQQRRQjGmZrhB:L4Dp5igUIvNReyjpwoTRBmDRGGurhUI
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 10064, pid_target: 10028, Process: WerFault.exe, procid_target: 1014
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\0727a1b671f038809473aecce563d4f9ac837388e558f7de427627c935d44952.exe"C:\Users\Admin\AppData\Local\Temp\0727a1b671f038809473aecce563d4f9ac837388e558f7de427627c935d44952.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Bgmolb32.exeC:\Windows\system32\Bgmolb32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Biolckgf.exeC:\Windows\system32\Biolckgf.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Bmjhdi32.exeC:\Windows\system32\Bmjhdi32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Bpkqfdmp.exeC:\Windows\system32\Bpkqfdmp.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Behinlkh.exeC:\Windows\system32\Behinlkh.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Bmoaoikj.exeC:\Windows\system32\Bmoaoikj.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Cnpnga32.exeC:\Windows\system32\Cnpnga32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Ciebdj32.exeC:\Windows\system32\Ciebdj32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Cobjmq32.exeC:\Windows\system32\Cobjmq32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Chkoef32.exeC:\Windows\system32\Chkoef32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Cbpcbo32.exeC:\Windows\system32\Cbpcbo32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Ceoooj32.exeC:\Windows\system32\Ceoooj32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Ckkhga32.exeC:\Windows\system32\Ckkhga32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\Cmjdcm32.exeC:\Windows\system32\Cmjdcm32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Cfbhlb32.exeC:\Windows\system32\Cfbhlb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Cdfief32.exeC:\Windows\system32\Cdfief32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2128 -
C:\Windows\SysWOW64\Dicann32.exeC:\Windows\system32\Dicann32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:560 -
C:\Windows\SysWOW64\Dpmjjhmi.exeC:\Windows\system32\Dpmjjhmi.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Ddhekfeb.exeC:\Windows\system32\Ddhekfeb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1920 -
C:\Windows\SysWOW64\Dalfdjdl.exeC:\Windows\system32\Dalfdjdl.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2028 -
C:\Windows\SysWOW64\Ddkbqfcp.exeC:\Windows\system32\Ddkbqfcp.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1892 -
C:\Windows\SysWOW64\Dkekmp32.exeC:\Windows\system32\Dkekmp32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1184 -
C:\Windows\SysWOW64\Dmcgik32.exeC:\Windows\system32\Dmcgik32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Ddmofeam.exeC:\Windows\system32\Ddmofeam.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Dcpoab32.exeC:\Windows\system32\Dcpoab32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1968 -
C:\Windows\SysWOW64\Dmecokhm.exeC:\Windows\system32\Dmecokhm.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Dogpfc32.exeC:\Windows\system32\Dogpfc32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Dgnhhq32.exeC:\Windows\system32\Dgnhhq32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Eeceim32.exeC:\Windows\system32\Eeceim32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2664 -
C:\Windows\SysWOW64\Ekpmad32.exeC:\Windows\system32\Ekpmad32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Ecgeba32.exeC:\Windows\system32\Ecgeba32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Eeeanm32.exeC:\Windows\system32\Eeeanm32.exe33⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Edkopifk.exeC:\Windows\system32\Edkopifk.exe34⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Egikle32.exeC:\Windows\system32\Egikle32.exe35⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Epaodjlo.exeC:\Windows\system32\Epaodjlo.exe36⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Ehhgfgla.exeC:\Windows\system32\Ehhgfgla.exe37⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Epdljjjm.exeC:\Windows\system32\Epdljjjm.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1852 -
C:\Windows\SysWOW64\Ecbhfeip.exeC:\Windows\system32\Ecbhfeip.exe39⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Fjlqcppm.exeC:\Windows\system32\Fjlqcppm.exe40⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Fqfipj32.exeC:\Windows\system32\Fqfipj32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Fcdele32.exeC:\Windows\system32\Fcdele32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Ffcahq32.exeC:\Windows\system32\Ffcahq32.exe43⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Fjomhonj.exeC:\Windows\system32\Fjomhonj.exe44⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Flmidkmn.exeC:\Windows\system32\Flmidkmn.exe45⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Fokfqflb.exeC:\Windows\system32\Fokfqflb.exe46⤵
- Executes dropped EXE
PID:276 -
C:\Windows\SysWOW64\Ffenmp32.exeC:\Windows\system32\Ffenmp32.exe47⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Fhcjilcb.exeC:\Windows\system32\Fhcjilcb.exe48⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Fmofjj32.exeC:\Windows\system32\Fmofjj32.exe49⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Fonbff32.exeC:\Windows\system32\Fonbff32.exe50⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Ffhkcpal.exeC:\Windows\system32\Ffhkcpal.exe51⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Fhfgokap.exeC:\Windows\system32\Fhfgokap.exe52⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Fmacpj32.exeC:\Windows\system32\Fmacpj32.exe53⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Fopole32.exeC:\Windows\system32\Fopole32.exe54⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Fbnkha32.exeC:\Windows\system32\Fbnkha32.exe55⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Fihcdkom.exeC:\Windows\system32\Fihcdkom.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Fmdpejgf.exeC:\Windows\system32\Fmdpejgf.exe57⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Foblaefj.exeC:\Windows\system32\Foblaefj.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Fbqhnqen.exeC:\Windows\system32\Fbqhnqen.exe59⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Gkimff32.exeC:\Windows\system32\Gkimff32.exe60⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Gbcecpck.exeC:\Windows\system32\Gbcecpck.exe61⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Geaaolbo.exeC:\Windows\system32\Geaaolbo.exe62⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Ggpmkgab.exeC:\Windows\system32\Ggpmkgab.exe63⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Gjnigb32.exeC:\Windows\system32\Gjnigb32.exe64⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Gqhadmhc.exeC:\Windows\system32\Gqhadmhc.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:996 -
C:\Windows\SysWOW64\Gednek32.exeC:\Windows\system32\Gednek32.exe66⤵PID:1380
-
C:\Windows\SysWOW64\Ggbjag32.exeC:\Windows\system32\Ggbjag32.exe67⤵PID:2244
-
C:\Windows\SysWOW64\Gnlbnagl.exeC:\Windows\system32\Gnlbnagl.exe68⤵PID:2340
-
C:\Windows\SysWOW64\Gqknjlfp.exeC:\Windows\system32\Gqknjlfp.exe69⤵PID:2272
-
C:\Windows\SysWOW64\Gcikfhed.exeC:\Windows\system32\Gcikfhed.exe70⤵PID:2292
-
C:\Windows\SysWOW64\Gjccbb32.exeC:\Windows\system32\Gjccbb32.exe71⤵PID:2576
-
C:\Windows\SysWOW64\Gmaoomld.exeC:\Windows\system32\Gmaoomld.exe72⤵PID:1668
-
C:\Windows\SysWOW64\Gckgkg32.exeC:\Windows\system32\Gckgkg32.exe73⤵
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Gfjcgc32.exeC:\Windows\system32\Gfjcgc32.exe74⤵
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Gihpcn32.exeC:\Windows\system32\Gihpcn32.exe75⤵PID:2528
-
C:\Windows\SysWOW64\Hcndag32.exeC:\Windows\system32\Hcndag32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1288 -
C:\Windows\SysWOW64\Hflpmb32.exeC:\Windows\system32\Hflpmb32.exe77⤵PID:2988
-
C:\Windows\SysWOW64\Hijmin32.exeC:\Windows\system32\Hijmin32.exe78⤵PID:2980
-
C:\Windows\SysWOW64\Hliieioi.exeC:\Windows\system32\Hliieioi.exe79⤵PID:3056
-
C:\Windows\SysWOW64\Hbcabc32.exeC:\Windows\system32\Hbcabc32.exe80⤵PID:1212
-
C:\Windows\SysWOW64\Heamno32.exeC:\Windows\system32\Heamno32.exe81⤵PID:2120
-
C:\Windows\SysWOW64\Hmheol32.exeC:\Windows\system32\Hmheol32.exe82⤵PID:1040
-
C:\Windows\SysWOW64\Hpgakh32.exeC:\Windows\system32\Hpgakh32.exe83⤵PID:924
-
C:\Windows\SysWOW64\Hnjagdlj.exeC:\Windows\system32\Hnjagdlj.exe84⤵PID:2608
-
C:\Windows\SysWOW64\Hecjco32.exeC:\Windows\system32\Hecjco32.exe85⤵
- Drops file in System32 directory
- Modifies registry class
PID:328 -
C:\Windows\SysWOW64\Hiofdmkq.exeC:\Windows\system32\Hiofdmkq.exe86⤵PID:2596
-
C:\Windows\SysWOW64\Hlnbqijd.exeC:\Windows\system32\Hlnbqijd.exe87⤵
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Hajkip32.exeC:\Windows\system32\Hajkip32.exe88⤵PID:1488
-
C:\Windows\SysWOW64\Hefginae.exeC:\Windows\system32\Hefginae.exe89⤵PID:2820
-
C:\Windows\SysWOW64\Hiabjm32.exeC:\Windows\system32\Hiabjm32.exe90⤵PID:2844
-
C:\Windows\SysWOW64\Hjcoaeol.exeC:\Windows\system32\Hjcoaeol.exe91⤵PID:2928
-
C:\Windows\SysWOW64\Hbjgbbpn.exeC:\Windows\system32\Hbjgbbpn.exe92⤵PID:2068
-
C:\Windows\SysWOW64\Idkcjk32.exeC:\Windows\system32\Idkcjk32.exe93⤵PID:2572
-
C:\Windows\SysWOW64\Ilblkh32.exeC:\Windows\system32\Ilblkh32.exe94⤵PID:876
-
C:\Windows\SysWOW64\Ijelgemi.exeC:\Windows\system32\Ijelgemi.exe95⤵PID:684
-
C:\Windows\SysWOW64\Imchcplm.exeC:\Windows\system32\Imchcplm.exe96⤵PID:2096
-
C:\Windows\SysWOW64\Iaoddodf.exeC:\Windows\system32\Iaoddodf.exe97⤵PID:2388
-
C:\Windows\SysWOW64\Ihilqi32.exeC:\Windows\system32\Ihilqi32.exe98⤵PID:2140
-
C:\Windows\SysWOW64\Ijghmd32.exeC:\Windows\system32\Ijghmd32.exe99⤵PID:1780
-
C:\Windows\SysWOW64\Imfeip32.exeC:\Windows\system32\Imfeip32.exe100⤵PID:1472
-
C:\Windows\SysWOW64\Ipdaek32.exeC:\Windows\system32\Ipdaek32.exe101⤵PID:1628
-
C:\Windows\SysWOW64\Ihkifi32.exeC:\Windows\system32\Ihkifi32.exe102⤵PID:404
-
C:\Windows\SysWOW64\Ijjebd32.exeC:\Windows\system32\Ijjebd32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2684 -
C:\Windows\SysWOW64\Imhanp32.exeC:\Windows\system32\Imhanp32.exe104⤵PID:2660
-
C:\Windows\SysWOW64\Ipfnjkgk.exeC:\Windows\system32\Ipfnjkgk.exe105⤵PID:2600
-
C:\Windows\SysWOW64\Ibejfffo.exeC:\Windows\system32\Ibejfffo.exe106⤵PID:2920
-
C:\Windows\SysWOW64\Iklbhdga.exeC:\Windows\system32\Iklbhdga.exe107⤵
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Iiobcq32.exeC:\Windows\system32\Iiobcq32.exe108⤵PID:820
-
C:\Windows\SysWOW64\Imkndofe.exeC:\Windows\system32\Imkndofe.exe109⤵PID:2364
-
C:\Windows\SysWOW64\Ipijpkei.exeC:\Windows\system32\Ipijpkei.exe110⤵PID:2168
-
C:\Windows\SysWOW64\Ibgglfdl.exeC:\Windows\system32\Ibgglfdl.exe111⤵PID:2084
-
C:\Windows\SysWOW64\Iefchacp.exeC:\Windows\system32\Iefchacp.exe112⤵PID:1848
-
C:\Windows\SysWOW64\Immkiodb.exeC:\Windows\system32\Immkiodb.exe113⤵PID:2448
-
C:\Windows\SysWOW64\Ipkgejcf.exeC:\Windows\system32\Ipkgejcf.exe114⤵PID:1448
-
C:\Windows\SysWOW64\Jbjcaf32.exeC:\Windows\system32\Jbjcaf32.exe115⤵PID:2968
-
C:\Windows\SysWOW64\Jiclnpjg.exeC:\Windows\system32\Jiclnpjg.exe116⤵
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Jlbhjkij.exeC:\Windows\system32\Jlbhjkij.exe117⤵PID:2260
-
C:\Windows\SysWOW64\Joqdfghn.exeC:\Windows\system32\Joqdfghn.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1908 -
C:\Windows\SysWOW64\Jejlca32.exeC:\Windows\system32\Jejlca32.exe119⤵PID:2760
-
C:\Windows\SysWOW64\Jkgelh32.exeC:\Windows\system32\Jkgelh32.exe120⤵PID:2056
-
C:\Windows\SysWOW64\Jcnmme32.exeC:\Windows\system32\Jcnmme32.exe121⤵
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Jaamhb32.exeC:\Windows\system32\Jaamhb32.exe122⤵
- Drops file in System32 directory
PID:2468