Analysis
max time kernel: 111s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 13/07/2024, 04:44
Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: 4a870f09ba7fa765b75539f766af4b40N.exe
  Resource: win7-20240704-en
  7 signatures, 120 seconds
Behavioral task: behavioral2
  Sample: 4a870f09ba7fa765b75539f766af4b40N.exe
  Resource: win10v2004-20240709-en
  6 signatures, 120 seconds
General
Target: 4a870f09ba7fa765b75539f766af4b40N.exe
Size: 890KB
MD5: 4a870f09ba7fa765b75539f766af4b40
SHA1: 7d6b660048c515e4d8705667789221be31b37ed5
SHA256: 4161004da5b336a5971dd1c46224a0d2f504b60764a6b55dbf600812b3bc5e96
SHA512: 012b8866db9708279b120733b373472605e400c6827f7aa79299a63e299ae8b015c34fb9e6d6169a6045641515fd76115c38a3b05e8778b91f04797e7a57d03f
SSDEEP: 6144:UDxdsVBOFPQ///NR5fKr2n0MO3LPlkUCmVs5bPQ///NR5frdQt383PQ///NR5fKj:ie/Ng1/Nmr/Ng1/Nblt01PBNkEG
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Glhhgahg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nkphmc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Efbpihoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kjdpcnfi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pkebig32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Edenlp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Elafbcao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mjocja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bjcnoe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eoqeekme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jhbfcj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebhani32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hchbcmlh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpegka32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dnpedghl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Efbpihoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pcmadj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Koifob32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Alicahno.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mmgmhngk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Inaliedk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lneghd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gaahmd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Adqbml32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fokaoh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ehilgikj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mdaedhoh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjclfmfe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ceqlff32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fbchfi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jaejfj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oiolfo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pfmclold.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Coejfn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pcmadj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jnlkkkod.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Glhhgahg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Blmikkle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kolcdahb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfmclold.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gmkjjbhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cioohh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nolhoc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eapcjo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdlppf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lblhep32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oijbkpqm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cohlnkeg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jigmeagl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 4a870f09ba7fa765b75539f766af4b40N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cbcbag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jidppaio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hobfgcdb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Okkfoikl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Babpgo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bdknfiea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bpdkajic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Obdlcjkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hfjglppd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mlogojjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pppihdha.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjlpjp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ombjpd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dcihdo32.exe
Executes dropped EXE (64 IoCs)
pid | Process
2320 | Lodoefed.exe
2176 | Mjeffc32.exe
2836 | Nloedjin.exe
1700 | Oiqegb32.exe
2296 | Paemac32.exe
2624 | Qgdbpi32.exe
2408 | Bhfhnofg.exe
2336 | Bnemlf32.exe
2980 | Cbcbag32.exe
3012 | Dcihdo32.exe
992 | Eoqeekme.exe
2496 | Fpfkhbon.exe
2324 | Gklkdn32.exe
2464 | Glpdbfek.exe
2584 | Hjfbaj32.exe
2200 | Hjhofj32.exe
1516 | Jaaoakmc.exe
2160 | Jhndcd32.exe
1380 | Kpiihgoh.exe
1532 | Kmmiaknb.exe
2304 | Kppohf32.exe
936 | Khkdmh32.exe
3056 | Lkoidcaj.exe
1952 | Lhbjmg32.exe
2124 | Ldlghhde.exe
2696 | Mnfhfmhc.exe
1776 | Mookod32.exe
2400 | Mhgpgjoj.exe
2720 | Nkjeod32.exe
2808 | Nfcfob32.exe
2864 | Ofklpa32.exe
2728 | Onfadc32.exe
964 | Onkjocjd.exe
2596 | Ompgqonl.exe
568 | Pmdalo32.exe
2672 | Pmgnan32.exe
3040 | Pfaopc32.exe
1800 | Qlqdmj32.exe
2652 | Adqbml32.exe
2380 | Apgcbmha.exe
2108 | Apllml32.exe
860 | Bjdqfajl.exe
2284 | Bdbkaoce.exe
660 | Bdehgnqc.exe
2508 | Cqlhlo32.exe
1296 | Cqneaodd.exe
636 | Cqcomn32.exe
1264 | Cohlnkeg.exe
2552 | Dmllgo32.exe
1680 | Dnpedghl.exe
1080 | Dapnfb32.exe
2804 | Dmgokcja.exe
2764 | Dfpcdh32.exe
2896 | Efbpihoo.exe
2636 | Ebhani32.exe
1840 | Eiefqc32.exe
2736 | Fokaoh32.exe
832 | Fdjfmolo.exe
1316 | Gdmcbojl.exe
2796 | Glhhgahg.exe
2956 | Gngdadoj.exe
1644 | Gllabp32.exe
2352 | Gcifdj32.exe
2240 | Hancef32.exe
Loads dropped DLL (64 IoCs)
pid | Process
2064 | 4a870f09ba7fa765b75539f766af4b40N.exe
2064 | 4a870f09ba7fa765b75539f766af4b40N.exe
2320 | Lodoefed.exe
2320 | Lodoefed.exe
2176 | Mjeffc32.exe
2176 | Mjeffc32.exe
2836 | Nloedjin.exe
2836 | Nloedjin.exe
1700 | Oiqegb32.exe
1700 | Oiqegb32.exe
2296 | Paemac32.exe
2296 | Paemac32.exe
2624 | Qgdbpi32.exe
2624 | Qgdbpi32.exe
2408 | Bhfhnofg.exe
2408 | Bhfhnofg.exe
2336 | Bnemlf32.exe
2336 | Bnemlf32.exe
2980 | Cbcbag32.exe
2980 | Cbcbag32.exe
3012 | Dcihdo32.exe
3012 | Dcihdo32.exe
992 | Eoqeekme.exe
992 | Eoqeekme.exe
2496 | Fpfkhbon.exe
2496 | Fpfkhbon.exe
2324 | Gklkdn32.exe
2324 | Gklkdn32.exe
2464 | Glpdbfek.exe
2464 | Glpdbfek.exe
2584 | Hjfbaj32.exe
2584 | Hjfbaj32.exe
2200 | Hjhofj32.exe
2200 | Hjhofj32.exe
1516 | Jaaoakmc.exe
1516 | Jaaoakmc.exe
2160 | Jhndcd32.exe
2160 | Jhndcd32.exe
1380 | Kpiihgoh.exe
1380 | Kpiihgoh.exe
1532 | Kmmiaknb.exe
1532 | Kmmiaknb.exe
2304 | Kppohf32.exe
2304 | Kppohf32.exe
936 | Khkdmh32.exe
936 | Khkdmh32.exe
3056 | Lkoidcaj.exe
3056 | Lkoidcaj.exe
1952 | Lhbjmg32.exe
1952 | Lhbjmg32.exe
2124 | Ldlghhde.exe
2124 | Ldlghhde.exe
2696 | Mnfhfmhc.exe
2696 | Mnfhfmhc.exe
1776 | Mookod32.exe
1776 | Mookod32.exe
2400 | Mhgpgjoj.exe
2400 | Mhgpgjoj.exe
2720 | Nkjeod32.exe
2720 | Nkjeod32.exe
2808 | Nfcfob32.exe
2808 | Nfcfob32.exe
2864 | Ofklpa32.exe
2864 | Ofklpa32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Qnkdeagl.exe | Padcqp32.exe
File created | C:\Windows\SysWOW64\Idabbpgj.exe | Ibafhmph.exe
File opened for modification | C:\Windows\SysWOW64\Hjfbaj32.exe | Glpdbfek.exe
File created | C:\Windows\SysWOW64\Klocba32.exe | Kmjfae32.exe
File opened for modification | C:\Windows\SysWOW64\Hifdjcif.exe | Gdgoll32.exe
File created | C:\Windows\SysWOW64\Bafeoijd.dll | Mpegka32.exe
File opened for modification | C:\Windows\SysWOW64\Hancef32.exe | Gcifdj32.exe
File opened for modification | C:\Windows\SysWOW64\Dmllgo32.exe | Cohlnkeg.exe
File created | C:\Windows\SysWOW64\Hhdflg32.dll | Imaglc32.exe
File created | C:\Windows\SysWOW64\Ikmjnnah.exe | Iofiimkd.exe
File created | C:\Windows\SysWOW64\Nhfpbaoe.dll | Kjalch32.exe
File created | C:\Windows\SysWOW64\Fhmcllgo.dll | Aeljmq32.exe
File opened for modification | C:\Windows\SysWOW64\Glpdbfek.exe | Gklkdn32.exe
File opened for modification | C:\Windows\SysWOW64\Hohfmi32.exe | Hemeod32.exe
File created | C:\Windows\SysWOW64\Lpblnklm.dll | Odpljf32.exe
File created | C:\Windows\SysWOW64\Ojojmfed.exe | Ooiepnen.exe
File created | C:\Windows\SysWOW64\Egglnnil.dll | Fpnekc32.exe
File opened for modification | C:\Windows\SysWOW64\Gnlbpman.exe | Gbeakllj.exe
File created | C:\Windows\SysWOW64\Djfooa32.exe | Dqmkflcd.exe
File opened for modification | C:\Windows\SysWOW64\Ijhmnf32.exe | Inaliedk.exe
File created | C:\Windows\SysWOW64\Mpjqfpke.exe | Mebpchmb.exe
File created | C:\Windows\SysWOW64\Fpdjaeei.exe | Epopff32.exe
File opened for modification | C:\Windows\SysWOW64\Jjgbbc32.exe | Jbgdcapi.exe
File created | C:\Windows\SysWOW64\Kbefen32.exe | Jjjaak32.exe
File created | C:\Windows\SysWOW64\Iobkgo32.dll | Mcghcgfb.exe
File opened for modification | C:\Windows\SysWOW64\Hinolcbf.exe | Haggkf32.exe
File created | C:\Windows\SysWOW64\Ckhkbc32.dll | Khkdmh32.exe
File created | C:\Windows\SysWOW64\Immkokcl.dll | Lpiqel32.exe
File opened for modification | C:\Windows\SysWOW64\Jfffmo32.exe | Jhbfcj32.exe
File created | C:\Windows\SysWOW64\Nabegpbp.exe | Niednn32.exe
File created | C:\Windows\SysWOW64\Acfpilmp.exe | Agoodkgk.exe
File created | C:\Windows\SysWOW64\Jnlkkkod.exe | Jaejfj32.exe
File opened for modification | C:\Windows\SysWOW64\Ageedflj.exe | Qnkdeagl.exe
File opened for modification | C:\Windows\SysWOW64\Hemeod32.exe | Hifdjcif.exe
File created | C:\Windows\SysWOW64\Fokaoh32.exe | Eiefqc32.exe
File opened for modification | C:\Windows\SysWOW64\Alicahno.exe | Abnbccia.exe
File opened for modification | C:\Windows\SysWOW64\Jigmeagl.exe | Jidppaio.exe
File created | C:\Windows\SysWOW64\Pdedejnm.dll | Hlamfh32.exe
File created | C:\Windows\SysWOW64\Oafmnb32.dll | Degage32.exe
File created | C:\Windows\SysWOW64\Ffaqla32.dll | Olklmk32.exe
File opened for modification | C:\Windows\SysWOW64\Lfnkejeg.exe | Kfiajj32.exe
File created | C:\Windows\SysWOW64\Dapnfb32.exe | Dnpedghl.exe
File created | C:\Windows\SysWOW64\Hgcojpej.dll | Dapnfb32.exe
File opened for modification | C:\Windows\SysWOW64\Blmikkle.exe | Bjlpjp32.exe
File created | C:\Windows\SysWOW64\Onjimepm.dll | Mddidnqa.exe
File created | C:\Windows\SysWOW64\Cdnicemo.exe | Cpldjajo.exe
File created | C:\Windows\SysWOW64\Eqpfchka.exe | Eclejclg.exe
File created | C:\Windows\SysWOW64\Lbffga32.exe | Lkjadh32.exe
File created | C:\Windows\SysWOW64\Fpfkhbon.exe | Eoqeekme.exe
File opened for modification | C:\Windows\SysWOW64\Gmlokdgp.exe | Gnfajgbg.exe
File created | C:\Windows\SysWOW64\Jfffmo32.exe | Jhbfcj32.exe
File created | C:\Windows\SysWOW64\Hkkaik32.exe | Hngppgae.exe
File created | C:\Windows\SysWOW64\Eincmega.dll | Bpbokj32.exe
File created | C:\Windows\SysWOW64\Pindlm32.dll | Acfpilmp.exe
File created | C:\Windows\SysWOW64\Hinolcbf.exe | Haggkf32.exe
File created | C:\Windows\SysWOW64\Adqbml32.exe | Qlqdmj32.exe
File created | C:\Windows\SysWOW64\Pfjhlh32.dll | Gdgoll32.exe
File created | C:\Windows\SysWOW64\Odiogj32.dll | Ejbhno32.exe
File opened for modification | C:\Windows\SysWOW64\Kgffpk32.exe | Kkpekjie.exe
File opened for modification | C:\Windows\SysWOW64\Lobgah32.exe | Lmondpbc.exe
File opened for modification | C:\Windows\SysWOW64\Ghndjd32.exe | Gjjcqpbj.exe
File created | C:\Windows\SysWOW64\Coidpiac.exe | Baecgdbj.exe
File created | C:\Windows\SysWOW64\Meonlkcm.exe | Memagk32.exe
File opened for modification | C:\Windows\SysWOW64\Dqmkflcd.exe | Dcijmhdj.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
1720 | 2916 | WerFault.exe | 467
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mckpba32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgppdp32.dll" | Meonlkcm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hohfmi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Paqoef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kiihcmoi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lhbjmg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dnpedghl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eggcan32.dll" | Ljljenoi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ljljenoi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Difcpc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Klgbfo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pjiffd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gjomlp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjdnqckh.dll" | Igomfb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nabegpbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmlkl32.dll" | Ehilgikj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jmnpkp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nekbjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Epopff32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jphcgq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dfpcdh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jccjln32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbkagpjl.dll" | Ngiiip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Palndj32.dll" | Cplkehnk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnkmfbbe.dll" | Ilolol32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cdnicemo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jhjldiln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihomai32.dll" | Fnleqj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eoqeekme.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Glpdbfek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kbllfmfc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bafeoijd.dll" | Mpegka32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cofaad32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Igmppcpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mcghcgfb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bahkggfo.dll" | Bjcnoe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokabf32.dll" | Eibbqmhd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Looahi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jdlcnkfg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Chahin32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Degage32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oooeeb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gcifdj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igmqgqif.dll" | Kejdqffo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cablfb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqdenj32.dll" | Pppihdha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mbkladpj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kgddin32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gahibj32.dll" | Dbfaopqo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlikco32.dll" | Afgmldhe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pinchq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cdhino32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gdmcbojl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ejbhno32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qgdbpi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbpehnhq.dll" | Jdlcnkfg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mlogojjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhkmjj32.dll" | Fkflii32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kjalch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kmeknakn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faaeni32.dll" | Mebpchmb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ghndjd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nogodcli.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jlkigbef.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2064 wrote to memory of 2320 | 2064 | 4a870f09ba7fa765b75539f766af4b40N.exe | 29
PID 2064 wrote to memory of 2320 | 2064 | 4a870f09ba7fa765b75539f766af4b40N.exe | 29
PID 2064 wrote to memory of 2320 | 2064 | 4a870f09ba7fa765b75539f766af4b40N.exe | 29
PID 2064 wrote to memory of 2320 | 2064 | 4a870f09ba7fa765b75539f766af4b40N.exe | 29
PID 2320 wrote to memory of 2176 | 2320 | Lodoefed.exe | 30
PID 2320 wrote to memory of 2176 | 2320 | Lodoefed.exe | 30
PID 2320 wrote to memory of 2176 | 2320 | Lodoefed.exe | 30
PID 2320 wrote to memory of 2176 | 2320 | Lodoefed.exe | 30
PID 2176 wrote to memory of 2836 | 2176 | Mjeffc32.exe | 31
PID 2176 wrote to memory of 2836 | 2176 | Mjeffc32.exe | 31
PID 2176 wrote to memory of 2836 | 2176 | Mjeffc32.exe | 31
PID 2176 wrote to memory of 2836 | 2176 | Mjeffc32.exe | 31
PID 2836 wrote to memory of 1700 | 2836 | Nloedjin.exe | 32
PID 2836 wrote to memory of 1700 | 2836 | Nloedjin.exe | 32
PID 2836 wrote to memory of 1700 | 2836 | Nloedjin.exe | 32
PID 2836 wrote to memory of 1700 | 2836 | Nloedjin.exe | 32
PID 1700 wrote to memory of 2296 | 1700 | Oiqegb32.exe | 33
PID 1700 wrote to memory of 2296 | 1700 | Oiqegb32.exe | 33
PID 1700 wrote to memory of 2296 | 1700 | Oiqegb32.exe | 33
PID 1700 wrote to memory of 2296 | 1700 | Oiqegb32.exe | 33
PID 2296 wrote to memory of 2624 | 2296 | Paemac32.exe | 34
PID 2296 wrote to memory of 2624 | 2296 | Paemac32.exe | 34
PID 2296 wrote to memory of 2624 | 2296 | Paemac32.exe | 34
PID 2296 wrote to memory of 2624 | 2296 | Paemac32.exe | 34
PID 2624 wrote to memory of 2408 | 2624 | Qgdbpi32.exe | 35
PID 2624 wrote to memory of 2408 | 2624 | Qgdbpi32.exe | 35
PID 2624 wrote to memory of 2408 | 2624 | Qgdbpi32.exe | 35
PID 2624 wrote to memory of 2408 | 2624 | Qgdbpi32.exe | 35
PID 2408 wrote to memory of 2336 | 2408 | Bhfhnofg.exe | 36
PID 2408 wrote to memory of 2336 | 2408 | Bhfhnofg.exe | 36
PID 2408 wrote to memory of 2336 | 2408 | Bhfhnofg.exe | 36
PID 2408 wrote to memory of 2336 | 2408 | Bhfhnofg.exe | 36
PID 2336 wrote to memory of 2980 | 2336 | Bnemlf32.exe | 37
PID 2336 wrote to memory of 2980 | 2336 | Bnemlf32.exe | 37
PID 2336 wrote to memory of 2980 | 2336 | Bnemlf32.exe | 37
PID 2336 wrote to memory of 2980 | 2336 | Bnemlf32.exe | 37
PID 2980 wrote to memory of 3012 | 2980 | Cbcbag32.exe | 38
PID 2980 wrote to memory of 3012 | 2980 | Cbcbag32.exe | 38
PID 2980 wrote to memory of 3012 | 2980 | Cbcbag32.exe | 38
PID 2980 wrote to memory of 3012 | 2980 | Cbcbag32.exe | 38
PID 3012 wrote to memory of 992 | 3012 | Dcihdo32.exe | 39
PID 3012 wrote to memory of 992 | 3012 | Dcihdo32.exe | 39
PID 3012 wrote to memory of 992 | 3012 | Dcihdo32.exe | 39
PID 3012 wrote to memory of 992 | 3012 | Dcihdo32.exe | 39
PID 992 wrote to memory of 2496 | 992 | Eoqeekme.exe | 40
PID 992 wrote to memory of 2496 | 992 | Eoqeekme.exe | 40
PID 992 wrote to memory of 2496 | 992 | Eoqeekme.exe | 40
PID 992 wrote to memory of 2496 | 992 | Eoqeekme.exe | 40
PID 2496 wrote to memory of 2324 | 2496 | Fpfkhbon.exe | 41
PID 2496 wrote to memory of 2324 | 2496 | Fpfkhbon.exe | 41
PID 2496 wrote to memory of 2324 | 2496 | Fpfkhbon.exe | 41
PID 2496 wrote to memory of 2324 | 2496 | Fpfkhbon.exe | 41
PID 2324 wrote to memory of 2464 | 2324 | Gklkdn32.exe | 42
PID 2324 wrote to memory of 2464 | 2324 | Gklkdn32.exe | 42
PID 2324 wrote to memory of 2464 | 2324 | Gklkdn32.exe | 42
PID 2324 wrote to memory of 2464 | 2324 | Gklkdn32.exe | 42
PID 2464 wrote to memory of 2584 | 2464 | Glpdbfek.exe | 43
PID 2464 wrote to memory of 2584 | 2464 | Glpdbfek.exe | 43
PID 2464 wrote to memory of 2584 | 2464 | Glpdbfek.exe | 43
PID 2464 wrote to memory of 2584 | 2464 | Glpdbfek.exe | 43
PID 2584 wrote to memory of 2200 | 2584 | Hjfbaj32.exe | 44
PID 2584 wrote to memory of 2200 | 2584 | Hjfbaj32.exe | 44
PID 2584 wrote to memory of 2200 | 2584 | Hjfbaj32.exe | 44
PID 2584 wrote to memory of 2200 | 2584 | Hjfbaj32.exe | 44
Processes

Process chain (each entry is spawned by the one listed before it; the number is the nesting depth):

1. C:\Users\Admin\AppData\Local\Temp\4a870f09ba7fa765b75539f766af4b40N.exe (PID 2064), command line: "C:\Users\Admin\AppData\Local\Temp\4a870f09ba7fa765b75539f766af4b40N.exe"
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Lodoefed.exe (PID 2320), command line: C:\Windows\system32\Lodoefed.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Mjeffc32.exe (PID 2176), command line: C:\Windows\system32\Mjeffc32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Nloedjin.exe (PID 2836), command line: C:\Windows\system32\Nloedjin.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Oiqegb32.exe (PID 1700), command line: C:\Windows\system32\Oiqegb32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Paemac32.exe (PID 2296), command line: C:\Windows\system32\Paemac32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Qgdbpi32.exe (PID 2624), command line: C:\Windows\system32\Qgdbpi32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Bhfhnofg.exe (PID 2408), command line: C:\Windows\system32\Bhfhnofg.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Bnemlf32.exe (PID 2336), command line: C:\Windows\system32\Bnemlf32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Cbcbag32.exe (PID 2980), command line: C:\Windows\system32\Cbcbag32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Dcihdo32.exe (PID 3012), command line: C:\Windows\system32\Dcihdo32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Eoqeekme.exe (PID 992), command line: C:\Windows\system32\Eoqeekme.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Fpfkhbon.exe (PID 2496), command line: C:\Windows\system32\Fpfkhbon.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Gklkdn32.exe (PID 2324), command line: C:\Windows\system32\Gklkdn32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Glpdbfek.exe (PID 2464), command line: C:\Windows\system32\Glpdbfek.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Hjfbaj32.exe (PID 2584), command line: C:\Windows\system32\Hjfbaj32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Hjhofj32.exe (PID 2200), command line: C:\Windows\system32\Hjhofj32.exe
   - Executes dropped EXE
   - Loads dropped DLL
18. C:\Windows\SysWOW64\Jaaoakmc.exe (PID 1516), command line: C:\Windows\system32\Jaaoakmc.exe
   - Executes dropped EXE
   - Loads dropped DLL
19. C:\Windows\SysWOW64\Jhndcd32.exe (PID 2160), command line: C:\Windows\system32\Jhndcd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
20. C:\Windows\SysWOW64\Kpiihgoh.exe (PID 1380), command line: C:\Windows\system32\Kpiihgoh.exe
   - Executes dropped EXE
   - Loads dropped DLL
21. C:\Windows\SysWOW64\Kmmiaknb.exe (PID 1532), command line: C:\Windows\system32\Kmmiaknb.exe
   - Executes dropped EXE
   - Loads dropped DLL
22. C:\Windows\SysWOW64\Kppohf32.exe (PID 2304), command line: C:\Windows\system32\Kppohf32.exe
   - Executes dropped EXE
   - Loads dropped DLL
23. C:\Windows\SysWOW64\Khkdmh32.exe (PID 936), command line: C:\Windows\system32\Khkdmh32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
24. C:\Windows\SysWOW64\Lkoidcaj.exe (PID 3056), command line: C:\Windows\system32\Lkoidcaj.exe
   - Executes dropped EXE
   - Loads dropped DLL
25. C:\Windows\SysWOW64\Lhbjmg32.exe (PID 1952), command line: C:\Windows\system32\Lhbjmg32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
26. C:\Windows\SysWOW64\Ldlghhde.exe (PID 2124), command line: C:\Windows\system32\Ldlghhde.exe
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\Windows\SysWOW64\Mnfhfmhc.exe (PID 2696), command line: C:\Windows\system32\Mnfhfmhc.exe
   - Executes dropped EXE
   - Loads dropped DLL
28. C:\Windows\SysWOW64\Mookod32.exe (PID 1776), command line: C:\Windows\system32\Mookod32.exe
   - Executes dropped EXE
   - Loads dropped DLL
29. C:\Windows\SysWOW64\Mhgpgjoj.exe (PID 2400), command line: C:\Windows\system32\Mhgpgjoj.exe
   - Executes dropped EXE
   - Loads dropped DLL
30. C:\Windows\SysWOW64\Nkjeod32.exe (PID 2720), command line: C:\Windows\system32\Nkjeod32.exe
   - Executes dropped EXE
   - Loads dropped DLL
31. C:\Windows\SysWOW64\Nfcfob32.exe (PID 2808), command line: C:\Windows\system32\Nfcfob32.exe
   - Executes dropped EXE
   - Loads dropped DLL
32. C:\Windows\SysWOW64\Ofklpa32.exe (PID 2864), command line: C:\Windows\system32\Ofklpa32.exe
   - Executes dropped EXE
   - Loads dropped DLL
33. C:\Windows\SysWOW64\Onfadc32.exe (PID 2728), command line: C:\Windows\system32\Onfadc32.exe
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Onkjocjd.exe (PID 964), command line: C:\Windows\system32\Onkjocjd.exe
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Ompgqonl.exe (PID 2596), command line: C:\Windows\system32\Ompgqonl.exe
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Pmdalo32.exe (PID 568), command line: C:\Windows\system32\Pmdalo32.exe
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Pmgnan32.exe (PID 2672), command line: C:\Windows\system32\Pmgnan32.exe
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Pfaopc32.exe (PID 3040), command line: C:\Windows\system32\Pfaopc32.exe
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Qlqdmj32.exe (PID 1800), command line: C:\Windows\system32\Qlqdmj32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
40. C:\Windows\SysWOW64\Adqbml32.exe (PID 2652), command line: C:\Windows\system32\Adqbml32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Apgcbmha.exe (PID 2380), command line: C:\Windows\system32\Apgcbmha.exe
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Apllml32.exe (PID 2108), command line: C:\Windows\system32\Apllml32.exe
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Bjdqfajl.exe (PID 860), command line: C:\Windows\system32\Bjdqfajl.exe
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Bdbkaoce.exe (PID 2284), command line: C:\Windows\system32\Bdbkaoce.exe
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Bdehgnqc.exe (PID 660), command line: C:\Windows\system32\Bdehgnqc.exe
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Cqlhlo32.exe (PID 2508), command line: C:\Windows\system32\Cqlhlo32.exe
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Cqneaodd.exe (PID 1296), command line: C:\Windows\system32\Cqneaodd.exe
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Cqcomn32.exe (PID 636), command line: C:\Windows\system32\Cqcomn32.exe
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Cohlnkeg.exe (PID 1264), command line: C:\Windows\system32\Cohlnkeg.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
50. C:\Windows\SysWOW64\Dmllgo32.exe (PID 2552), command line: C:\Windows\system32\Dmllgo32.exe
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Dnpedghl.exe (PID 1680), command line: C:\Windows\system32\Dnpedghl.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
52. C:\Windows\SysWOW64\Dapnfb32.exe (PID 1080), command line: C:\Windows\system32\Dapnfb32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
53. C:\Windows\SysWOW64\Dmgokcja.exe (PID 2804), command line: C:\Windows\system32\Dmgokcja.exe
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Dfpcdh32.exe (PID 2764), command line: C:\Windows\system32\Dfpcdh32.exe
   - Executes dropped EXE
   - Modifies registry class
55. C:\Windows\SysWOW64\Efbpihoo.exe (PID 2896), command line: C:\Windows\system32\Efbpihoo.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Ebhani32.exe (PID 2636), command line: C:\Windows\system32\Ebhani32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Eiefqc32.exe (PID 1840), command line: C:\Windows\system32\Eiefqc32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
58. C:\Windows\SysWOW64\Fokaoh32.exe (PID 2736), command line: C:\Windows\system32\Fokaoh32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Fdjfmolo.exe (PID 832), command line: C:\Windows\system32\Fdjfmolo.exe
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Gdmcbojl.exe (PID 1316), command line: C:\Windows\system32\Gdmcbojl.exe
   - Executes dropped EXE
   - Modifies registry class
61. C:\Windows\SysWOW64\Glhhgahg.exe (PID 2796), command line: C:\Windows\system32\Glhhgahg.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Gngdadoj.exe (PID 2956), command line: C:\Windows\system32\Gngdadoj.exe
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Gllabp32.exe (PID 1644), command line: C:\Windows\system32\Gllabp32.exe
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Gcifdj32.exe (PID 2352), command line: C:\Windows\system32\Gcifdj32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
65. C:\Windows\SysWOW64\Hancef32.exe (PID 2240), command line: C:\Windows\system32\Hancef32.exe
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Hngppgae.exe (PID 112), command line: C:\Windows\system32\Hngppgae.exe
   - Drops file in System32 directory
67. C:\Windows\SysWOW64\Hkkaik32.exe (PID 592), command line: C:\Windows\system32\Hkkaik32.exe
68. C:\Windows\SysWOW64\Hchbcmlh.exe (PID 2420), command line: C:\Windows\system32\Hchbcmlh.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
69. C:\Windows\SysWOW64\Imaglc32.exe (PID 1340), command line: C:\Windows\system32\Imaglc32.exe
   - Drops file in System32 directory
70. C:\Windows\SysWOW64\Ibplji32.exe (PID 2004), command line: C:\Windows\system32\Ibplji32.exe
71. C:\Windows\SysWOW64\Imepgbnc.exe (PID 2520), command line: C:\Windows\system32\Imepgbnc.exe
72. C:\Windows\SysWOW64\Iofiimkd.exe (PID 1072), command line: C:\Windows\system32\Iofiimkd.exe
   - Drops file in System32 directory
73. C:\Windows\SysWOW64\Ikmjnnah.exe (PID 2884), command line: C:\Windows\system32\Ikmjnnah.exe
74. C:\Windows\SysWOW64\Jkpfcnoe.exe (PID 2768), command line: C:\Windows\system32\Jkpfcnoe.exe
75. C:\Windows\SysWOW64\Jjdcdjcm.exe (PID 2632), command line: C:\Windows\system32\Jjdcdjcm.exe
76. C:\Windows\SysWOW64\Jcodcp32.exe (PID 2664), command line: C:\Windows\system32\Jcodcp32.exe
77. C:\Windows\SysWOW64\Jlkigbef.exe (PID 1740), command line: C:\Windows\system32\Jlkigbef.exe
   - Modifies registry class
78. C:\Windows\SysWOW64\Kmjfae32.exe (PID 2944), command line: C:\Windows\system32\Kmjfae32.exe
   - Drops file in System32 directory
79. C:\Windows\SysWOW64\Klocba32.exe (PID 2484), command line: C:\Windows\system32\Klocba32.exe
80. C:\Windows\SysWOW64\Kjdpcnfi.exe (PID 1036), command line: C:\Windows\system32\Kjdpcnfi.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
81. C:\Windows\SysWOW64\Kejdqffo.exe (PID 1452), command line: C:\Windows\system32\Kejdqffo.exe
   - Modifies registry class
82. C:\Windows\SysWOW64\Kkglim32.exe (PID 2396), command line: C:\Windows\system32\Kkglim32.exe
83. C:\Windows\SysWOW64\Ldangbhd.exe (PID 2128), command line: C:\Windows\system32\Ldangbhd.exe
84. C:\Windows\SysWOW64\Lbgkhoml.exe (PID 2480), command line: C:\Windows\system32\Lbgkhoml.exe
85. C:\Windows\SysWOW64\Lgdcom32.exe (PID 1684), command line: C:\Windows\system32\Lgdcom32.exe
86. C:\Windows\SysWOW64\Lcnqin32.exe (PID 1708), command line: C:\Windows\system32\Lcnqin32.exe
87. C:\Windows\SysWOW64\Lihifhoq.exe (PID 2100), command line: C:\Windows\system32\Lihifhoq.exe
88. C:\Windows\SysWOW64\Meojkide.exe (PID 2340), command line: C:\Windows\system32\Meojkide.exe
89. C:\Windows\SysWOW64\Maejpj32.exe (PID 2076), command line: C:\Windows\system32\Maejpj32.exe
90. C:\Windows\SysWOW64\Mhobldaf.exe (PID 2412), command line: C:\Windows\system32\Mhobldaf.exe
91. C:\Windows\SysWOW64\Mckpba32.exe (PID 2276), command line: C:\Windows\system32\Mckpba32.exe
   - Modifies registry class
92. C:\Windows\SysWOW64\Ngiiip32.exe (PID 2812), command line: C:\Windows\system32\Ngiiip32.exe
   - Modifies registry class
93. C:\Windows\SysWOW64\Ngkfnp32.exe (PID 2748), command line: C:\Windows\system32\Ngkfnp32.exe
94. C:\Windows\SysWOW64\Nhookh32.exe (PID 2376), command line: C:\Windows\system32\Nhookh32.exe
95. C:\Windows\SysWOW64\Nkphmc32.exe (PID 2976), command line: C:\Windows\system32\Nkphmc32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
96. C:\Windows\SysWOW64\Ofcldoef.exe (PID 2192), command line: C:\Windows\system32\Ofcldoef.exe
97. C:\Windows\SysWOW64\Pmoqfi32.exe (PID 1284), command line: C:\Windows\system32\Pmoqfi32.exe
98. C:\Windows\SysWOW64\Pppihdha.exe (PID 2388), command line: C:\Windows\system32\Pppihdha.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
99. C:\Windows\SysWOW64\Plfjme32.exe (PID 1988), command line: C:\Windows\system32\Plfjme32.exe
100. C:\Windows\SysWOW64\Phmkaf32.exe (PID 3036), command line: C:\Windows\system32\Phmkaf32.exe
101. C:\Windows\SysWOW64\Plkchdiq.exe (PID 944), command line: C:\Windows\system32\Plkchdiq.exe
102. C:\Windows\SysWOW64\Qfedhb32.exe (PID 896), command line: C:\Windows\system32\Qfedhb32.exe
103. C:\Windows\SysWOW64\Qjcmoqlf.exe (PID 3052), command line: C:\Windows\system32\Qjcmoqlf.exe
104. C:\Windows\SysWOW64\Abnbccia.exe (PID 948), command line: C:\Windows\system32\Abnbccia.exe
   - Drops file in System32 directory
105. C:\Windows\SysWOW64\Alicahno.exe (PID 2432), command line: C:\Windows\system32\Alicahno.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
106. C:\Windows\SysWOW64\Abehcbci.exe (PID 2580), command line: C:\Windows\system32\Abehcbci.exe
107. C:\Windows\SysWOW64\Aajedn32.exe (PID 2936), command line: C:\Windows\system32\Aajedn32.exe
108. C:\Windows\SysWOW64\Blpibghg.exe (PID 2928), command line: C:\Windows\system32\Blpibghg.exe
109. C:\Windows\SysWOW64\Bdknfiea.exe (PID 1848), command line: C:\Windows\system32\Bdknfiea.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
110. C:\Windows\SysWOW64\Bpbokj32.exe (PID 1412), command line: C:\Windows\system32\Bpbokj32.exe
   - Drops file in System32 directory
111. C:\Windows\SysWOW64\Bpdkajic.exe (PID 984), command line: C:\Windows\system32\Bpdkajic.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
112. C:\Windows\SysWOW64\Bjlpjp32.exe (PID 560), command line: C:\Windows\system32\Bjlpjp32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
113. C:\Windows\SysWOW64\Blmikkle.exe (PID 980), command line: C:\Windows\system32\Blmikkle.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
114. C:\Windows\SysWOW64\Clpeajjb.exe (PID 1792), command line: C:\Windows\system32\Clpeajjb.exe
115. C:\Windows\SysWOW64\Clbbfj32.exe (PID 1368), command line: C:\Windows\system32\Clbbfj32.exe
116. C:\Windows\SysWOW64\Cldolj32.exe (PID 1628), command line: C:\Windows\system32\Cldolj32.exe
117. C:\Windows\SysWOW64\Chkpakla.exe (PID 912), command line: C:\Windows\system32\Chkpakla.exe
118. C:\Windows\SysWOW64\Cdbqflae.exe (PID 2660), command line: C:\Windows\system32\Cdbqflae.exe
119. C:\Windows\SysWOW64\Dbfaopqo.exe (PID 1564), command line: C:\Windows\system32\Dbfaopqo.exe
   - Modifies registry class
120. C:\Windows\SysWOW64\Dcijmhdj.exe (PID 2356), command line: C:\Windows\system32\Dcijmhdj.exe
   - Drops file in System32 directory
121. C:\Windows\SysWOW64\Dqmkflcd.exe (PID 2856), command line: C:\Windows\system32\Dqmkflcd.exe
   - Drops file in System32 directory
122. C:\Windows\SysWOW64\Djfooa32.exe (PID 1880), command line: C:\Windows\system32\Djfooa32.exe