Analysis
max time kernel: 93s
max time network: 41s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 28/10/2022, 22:46
Static task: static1
Behavioral task: behavioral1
  Sample: 0bfa13354b7275c2a59bca21abe6468d44f42c5a9cd576ff567ac4148401de0f.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 0bfa13354b7275c2a59bca21abe6468d44f42c5a9cd576ff567ac4148401de0f.exe
  Resource: win10v2004-20220901-en
General
Target: 0bfa13354b7275c2a59bca21abe6468d44f42c5a9cd576ff567ac4148401de0f.exe
Size: 98KB
MD5: 0ad2e80a73b9010ccb0f5bff56f7f170
SHA1: c48f459b4145ed98b5a0327e9c6cb031ad186e0a
SHA256: 0bfa13354b7275c2a59bca21abe6468d44f42c5a9cd576ff567ac4148401de0f
SHA512: 35afc9ea860139f8f51a32d925fdb0a7fe35d30f2dd02d6f8e4f0e5a35c32c873fd00e2d3709e3f348a236733ea6cfcd2f68fce91bfdb5c712b27490332baf60
SSDEEP: 1536:WX+gYl+YrNyyjRaseP855hSOStqE1QZ+:dgZuAyjRascOMqE1o+
Malware Config
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Omlcpicb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjihglge.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ggmjke32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ldhfpjqo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mgfnki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | 0bfa13354b7275c2a59bca21abe6468d44f42c5a9cd576ff567ac4148401de0f.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lffjfkfl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jjfpij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pjqeia32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aioeqmqm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ncgbfhph.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hoghea32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ffpqkghf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ggmjke32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kakfhj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jqcime32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Leonkj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mmaipk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aeqgim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bnmnglef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cojjkb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oddpbgcm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjeben32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mlnfnj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iagfkinl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgmnhb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcgmakah.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kiqema32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Omaocaga.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lfoapc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hpmgmb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jloeji32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ilihgiec.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jmbknhmh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jnnafe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ilihgiec.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbdppgql.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ojaijnad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aiaafl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bkjfgh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bdogphhk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kamadaqi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Diknhf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mdpabk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bhahhnoc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bcanifcf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hgaaml32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Blohhbie.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhgdhj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bepofcab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Noikib32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cobkgdlp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bdgfdf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifcifnja.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afceja32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cbgmdoek.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dedkbg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fcdhoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fghbhj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kiebimlk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Albhoodg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pdeaqp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Idhmdlci.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndhnnq32.exe
Executes dropped EXE (64 IoCs)
pid | Process
2020 | Bqhbbp32.exe
944 | Idgenajb.exe
1500 | Jlfcmc32.exe
960 | Jgenipka.exe
1752 | Jggjop32.exe
1808 | Klfplf32.exe
1756 | Kknicb32.exe
1856 | Lffjfkfl.exe
1476 | Lgiccbjh.exe
1356 | Lnehel32.exe
1724 | Mifpfi32.exe
1664 | Mneddpbm.exe
332 | Mbcmjn32.exe
1532 | Nmahfk32.exe
364 | Nihhklfa.exe
1584 | Nflidpek.exe
316 | Obcjiako.exe
436 | Ohpbahif.exe
1040 | Obefoaim.exe
1812 | Oipolkpi.exe
1256 | Ojqkcc32.exe
1524 | Oefoql32.exe
1988 | Ofjhndji.exe
1016 | Ohiehgal.exe
108 | Paaiql32.exe
1604 | Peflpo32.exe
616 | Pcjlicgb.exe
1980 | Piddfn32.exe
1656 | Qekekodc.exe
1636 | Ajogjaep.exe
1912 | Acjhhgjn.exe
1768 | Aqniak32.exe
756 | Ajfmjqoh.exe
1156 | Ababoclc.exe
1448 | Bhkjkm32.exe
1704 | Bkjfgh32.exe
956 | Bcanifcf.exe
680 | Bklcmhaa.exe
1692 | Bbfkjb32.exe
676 | Bgcdbi32.exe
1748 | Beiaamcl.exe
952 | Ceknfm32.exe
1680 | Clnlak32.exe
796 | Cidiqona.exe
472 | Dapneall.exe
1208 | Dbojod32.exe
1652 | Ddepal32.exe
1640 | Epnnll32.exe
536 | Efhfifpf.exe
1324 | Eifbeb32.exe
320 | Elgkgm32.exe
1800 | Eadcod32.exe
800 | Eljhlmjh.exe
1544 | Ebcpig32.exe
892 | Eojanhgi.exe
1036 | Fedikb32.exe
816 | Fghbhj32.exe
1936 | Fgjomj32.exe
1924 | Fngdpc32.exe
1424 | Gffboeoo.exe
284 | Gbmcdfdc.exe
1972 | Gdlopacg.exe
1548 | Gkhdbk32.exe
1516 | Hgaaml32.exe
Loads dropped DLL (64 IoCs; each process below appears twice in the original listing)
pid | Process
1672 | 0bfa13354b7275c2a59bca21abe6468d44f42c5a9cd576ff567ac4148401de0f.exe (2 entries)
2020 | Bqhbbp32.exe (2 entries)
944 | Idgenajb.exe (2 entries)
1500 | Jlfcmc32.exe (2 entries)
960 | Jgenipka.exe (2 entries)
1752 | Jggjop32.exe (2 entries)
1808 | Klfplf32.exe (2 entries)
1756 | Kknicb32.exe (2 entries)
1856 | Lffjfkfl.exe (2 entries)
1476 | Lgiccbjh.exe (2 entries)
1356 | Lnehel32.exe (2 entries)
1724 | Mifpfi32.exe (2 entries)
1664 | Mneddpbm.exe (2 entries)
332 | Mbcmjn32.exe (2 entries)
1532 | Nmahfk32.exe (2 entries)
364 | Nihhklfa.exe (2 entries)
1584 | Nflidpek.exe (2 entries)
316 | Obcjiako.exe (2 entries)
436 | Ohpbahif.exe (2 entries)
1040 | Obefoaim.exe (2 entries)
1812 | Oipolkpi.exe (2 entries)
1256 | Ojqkcc32.exe (2 entries)
1524 | Oefoql32.exe (2 entries)
1988 | Ofjhndji.exe (2 entries)
1016 | Ohiehgal.exe (2 entries)
1588 | Pgaoocca.exe (2 entries)
1604 | Peflpo32.exe (2 entries)
616 | Pcjlicgb.exe (2 entries)
1980 | Piddfn32.exe (2 entries)
1656 | Qekekodc.exe (2 entries)
1636 | Ajogjaep.exe (2 entries)
1912 | Acjhhgjn.exe (2 entries)
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Clnlak32.exe | Ceknfm32.exe
File created | C:\Windows\SysWOW64\Cbgmdoek.exe | Cjpebadi.exe
File created | C:\Windows\SysWOW64\Akacejfd.dll | Dfilbl32.exe
File created | C:\Windows\SysWOW64\Jkjijpei.dll | Cgeheo32.exe
File created | C:\Windows\SysWOW64\Fkfnoe32.dll | Cgpojool.exe
File created | C:\Windows\SysWOW64\Kghipggl.dll | Cdoonn32.exe
File opened for modification | C:\Windows\SysWOW64\Keaobf32.exe | Kmjfqi32.exe
File opened for modification | C:\Windows\SysWOW64\Nilcpl32.exe | Ndpjhe32.exe
File created | C:\Windows\SysWOW64\Hlgjhfgm.dll | Pgaoocca.exe
File created | C:\Windows\SysWOW64\Cmjgihgf.dll | Ajfmjqoh.exe
File opened for modification | C:\Windows\SysWOW64\Bpcdec32.exe | Bhlldfkd.exe
File opened for modification | C:\Windows\SysWOW64\Kmjdhqmg.exe | Kngdlc32.exe
File opened for modification | C:\Windows\SysWOW64\Ebpkpidb.exe | Eqooha32.exe
File created | C:\Windows\SysWOW64\Cmdmhc32.dll | Hlfhhp32.exe
File opened for modification | C:\Windows\SysWOW64\Aiaafl32.exe | Afceja32.exe
File created | C:\Windows\SysWOW64\Peflpo32.exe | Pgaoocca.exe
File created | C:\Windows\SysWOW64\Ofepcp32.dll | Hodblbin.exe
File created | C:\Windows\SysWOW64\Dbcbqlcp.exe | Dodfdpdl.exe
File created | C:\Windows\SysWOW64\Ccofko32.dll | Gkcffn32.exe
File opened for modification | C:\Windows\SysWOW64\Qqmjlk32.exe | Qmankmaq.exe
File opened for modification | C:\Windows\SysWOW64\Klkkpn32.exe | Kimodc32.exe
File created | C:\Windows\SysWOW64\Ahlpkf32.dll | Klnhfngp.exe
File opened for modification | C:\Windows\SysWOW64\Qflmqinj.exe | Qdmqdnog.exe
File created | C:\Windows\SysWOW64\Jkbgiobj.exe | Ihckmccf.exe
File created | C:\Windows\SysWOW64\Pgddgamn.exe | Paglokng.exe
File created | C:\Windows\SysWOW64\Lhibfnho.exe | Lpbjdahl.exe
File created | C:\Windows\SysWOW64\Bgelfk32.exe | Bondenhi.exe
File created | C:\Windows\SysWOW64\Gpenkn32.dll | Gmoelj32.exe
File created | C:\Windows\SysWOW64\Joolkp32.dll | Mgdolp32.exe
File created | C:\Windows\SysWOW64\Bbggig32.dll | Mcafbpli.exe
File created | C:\Windows\SysWOW64\Ffnpdkmd.exe | Fcodhonq.exe
File created | C:\Windows\SysWOW64\Nlmlbgpo.exe | Neccemhb.exe
File opened for modification | C:\Windows\SysWOW64\Ilihgiec.exe | Infhll32.exe
File created | C:\Windows\SysWOW64\Limnlo32.exe | Lfoapc32.exe
File created | C:\Windows\SysWOW64\Kjeejp32.dll | Obfkqbge.exe
File created | C:\Windows\SysWOW64\Pfmjee32.exe | Ojdljd32.exe
File created | C:\Windows\SysWOW64\Dlojcl32.dll | Hcbbmg32.exe
File created | C:\Windows\SysWOW64\Alglfa32.exe | Qdpddd32.exe
File created | C:\Windows\SysWOW64\Denjgllj.dll | Pimicahp.exe
File created | C:\Windows\SysWOW64\Eadomfnk.exe | Ekejpp32.exe
File created | C:\Windows\SysWOW64\Ndflbofp.dll | Cmbjkdie.exe
File created | C:\Windows\SysWOW64\Mfmonf32.exe | Mnfgmh32.exe
File opened for modification | C:\Windows\SysWOW64\Mpapingl.exe | Malbha32.exe
File created | C:\Windows\SysWOW64\Ingnfbpg.dll | Dnlpklga.exe
File opened for modification | C:\Windows\SysWOW64\Mhegbk32.exe | Mibggnpi.exe
File created | C:\Windows\SysWOW64\Opbekhcj.dll | Ofjhndji.exe
File created | C:\Windows\SysWOW64\Egacec32.dll | Ccijkg32.exe
File created | C:\Windows\SysWOW64\Licabaai.exe | Lfdefebe.exe
File created | C:\Windows\SysWOW64\Ddqhbaoh.exe | Dngpeg32.exe
File created | C:\Windows\SysWOW64\Bkjfgh32.exe | Bhkjkm32.exe
File opened for modification | C:\Windows\SysWOW64\Ophcfddi.exe | Omjgji32.exe
File opened for modification | C:\Windows\SysWOW64\Implpphg.exe | Iidpoq32.exe
File opened for modification | C:\Windows\SysWOW64\Pfcnmk32.exe | Pdeaqp32.exe
File opened for modification | C:\Windows\SysWOW64\Lgiccbjh.exe | Lffjfkfl.exe
File created | C:\Windows\SysWOW64\Efhfifpf.exe | Epnnll32.exe
File created | C:\Windows\SysWOW64\Dlpfdcli.dll | Mfhecfni.exe
File created | C:\Windows\SysWOW64\Ikeojaag.exe | Hamjal32.exe
File created | C:\Windows\SysWOW64\Lckfkmod.dll | Ojfggk32.exe
File created | C:\Windows\SysWOW64\Qebnje32.dll | Llanompm.exe
File created | C:\Windows\SysWOW64\Dmnbgdao.dll | Gpnahe32.exe
File created | C:\Windows\SysWOW64\Eichdjai.dll | Mmaipk32.exe
File created | C:\Windows\SysWOW64\Feenlcmn.exe | Fbgaph32.exe
File created | C:\Windows\SysWOW64\Qhhbpijk.dll | Jncqkjpk.exe
File created | C:\Windows\SysWOW64\Bgcdbi32.exe | Bbfkjb32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
3208 | 3196 | WerFault.exe | 841
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Begcba32.dll" | Habohnhb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dekhcn32.dll" | Klfkkhil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qjhbdg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cdoonn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dbojod32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Akbilcep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iolaem32.dll" | Gelncmbn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ihbebjid.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aibhqc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fcodhonq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lkhnbjhb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mnfgmh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kdcldj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ommfha32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bohafpqo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fdoapf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ahdoiq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bilbah32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cncailkg.dll" | Doofok32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dbehlena.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gcaqnoln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bachjlge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fedgjdop.dll" | Meclhg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aidcmjio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obmboibn.dll" | Dkhaqbac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfhbfkf.dll" | Heipei32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qcbkmalj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ffkafbhc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eldgggjb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhcoff32.dll" | Kfplkf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhpnabe.dll" | Pcjlicgb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ahodeh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bglipm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjeappej.dll" | Dfooaj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qipnfgho.dll" | Dngpeg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pldnailb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Apdcbg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnagglch.dll" | Jlgefljl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qpphnp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iqikjo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ioijonoh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gffboeoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nikmfjbp.dll" | Ophcfddi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Omjgji32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lolknncg.dll" | Jhnfkm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ojlmffne.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Enaifl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Okooihne.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlcahk32.dll" | Ebpkpidb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lgiccbjh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qekekodc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kjngjm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbjnhe32.dll" | Labnijbk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nndjimqm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Plhgad32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jkjdddpn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bahjkn32.dll" | Mbcmjn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djaehp32.dll" | Acjhhgjn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mhkkja32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lgbgcabo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Khelll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mhgaobmm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mnnjbc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhbmpcml.dll" | Ofejagag.exe
Suspicious use of WriteProcessMemory (64 IoCs; each write below is recorded four times in the original listing)
description | pid | Process | procid_target
PID 1672 wrote to memory of 2020 | 1672 | 0bfa13354b7275c2a59bca21abe6468d44f42c5a9cd576ff567ac4148401de0f.exe | 27 (4 entries)
PID 2020 wrote to memory of 944 | 2020 | Bqhbbp32.exe | 28 (4 entries)
PID 944 wrote to memory of 1500 | 944 | Idgenajb.exe | 29 (4 entries)
PID 1500 wrote to memory of 960 | 1500 | Jlfcmc32.exe | 30 (4 entries)
PID 960 wrote to memory of 1752 | 960 | Jgenipka.exe | 31 (4 entries)
PID 1752 wrote to memory of 1808 | 1752 | Jggjop32.exe | 32 (4 entries)
PID 1808 wrote to memory of 1756 | 1808 | Klfplf32.exe | 33 (4 entries)
PID 1756 wrote to memory of 1856 | 1756 | Kknicb32.exe | 34 (4 entries)
PID 1856 wrote to memory of 1476 | 1856 | Lffjfkfl.exe | 35 (4 entries)
PID 1476 wrote to memory of 1356 | 1476 | Lgiccbjh.exe | 36 (4 entries)
PID 1356 wrote to memory of 1724 | 1356 | Lnehel32.exe | 37 (4 entries)
PID 1724 wrote to memory of 1664 | 1724 | Mifpfi32.exe | 38 (4 entries)
PID 1664 wrote to memory of 332 | 1664 | Mneddpbm.exe | 39 (4 entries)
PID 332 wrote to memory of 1532 | 332 | Mbcmjn32.exe | 40 (4 entries)
PID 1532 wrote to memory of 364 | 1532 | Nmahfk32.exe | 41 (4 entries)
PID 364 wrote to memory of 1584 | 364 | Nihhklfa.exe | 42 (4 entries)
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\0bfa13354b7275c2a59bca21abe6468d44f42c5a9cd576ff567ac4148401de0f.exe (command line: "C:\Users\Admin\AppData\Local\Temp\0bfa13354b7275c2a59bca21abe6468d44f42c5a9cd576ff567ac4148401de0f.exe"), PID 1672
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

Depth 2: C:\Windows\SysWOW64\Bqhbbp32.exe (command line: C:\Windows\system32\Bqhbbp32.exe), PID 2020
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

Depth 3: C:\Windows\SysWOW64\Idgenajb.exe (command line: C:\Windows\system32\Idgenajb.exe), PID 944
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

Depth 4: C:\Windows\SysWOW64\Jlfcmc32.exe (command line: C:\Windows\system32\Jlfcmc32.exe), PID 1500
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

Depth 5: C:\Windows\SysWOW64\Jgenipka.exe (command line: C:\Windows\system32\Jgenipka.exe), PID 960
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

Depth 6: C:\Windows\SysWOW64\Jggjop32.exe (command line: C:\Windows\system32\Jggjop32.exe), PID 1752
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

Depth 7: C:\Windows\SysWOW64\Klfplf32.exe (command line: C:\Windows\system32\Klfplf32.exe), PID 1808
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

Depth 8: C:\Windows\SysWOW64\Kknicb32.exe (command line: C:\Windows\system32\Kknicb32.exe), PID 1756
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

Depth 9: C:\Windows\SysWOW64\Lffjfkfl.exe (command line: C:\Windows\system32\Lffjfkfl.exe), PID 1856
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

Depth 10: C:\Windows\SysWOW64\Lgiccbjh.exe (command line: C:\Windows\system32\Lgiccbjh.exe), PID 1476
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

Depth 11: C:\Windows\SysWOW64\Lnehel32.exe (command line: C:\Windows\system32\Lnehel32.exe), PID 1356
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

Depth 12: C:\Windows\SysWOW64\Mifpfi32.exe (command line: C:\Windows\system32\Mifpfi32.exe), PID 1724
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

Depth 13: C:\Windows\SysWOW64\Mneddpbm.exe (command line: C:\Windows\system32\Mneddpbm.exe), PID 1664
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

Depth 14: C:\Windows\SysWOW64\Mbcmjn32.exe (command line: C:\Windows\system32\Mbcmjn32.exe), PID 332
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

Depth 15: C:\Windows\SysWOW64\Nmahfk32.exe (command line: C:\Windows\system32\Nmahfk32.exe), PID 1532
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

Depth 16: C:\Windows\SysWOW64\Nihhklfa.exe (command line: C:\Windows\system32\Nihhklfa.exe), PID 364
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

Depth 17: C:\Windows\SysWOW64\Nflidpek.exe (command line: C:\Windows\system32\Nflidpek.exe), PID 1584
- Executes dropped EXE
- Loads dropped DLL

Depth 18: C:\Windows\SysWOW64\Obcjiako.exe (command line: C:\Windows\system32\Obcjiako.exe), PID 316
- Executes dropped EXE
- Loads dropped DLL

Depth 19: C:\Windows\SysWOW64\Ohpbahif.exe (command line: C:\Windows\system32\Ohpbahif.exe), PID 436
- Executes dropped EXE
- Loads dropped DLL

Depth 20: C:\Windows\SysWOW64\Obefoaim.exe (command line: C:\Windows\system32\Obefoaim.exe), PID 1040
- Executes dropped EXE
- Loads dropped DLL

Depth 21: C:\Windows\SysWOW64\Oipolkpi.exe (command line: C:\Windows\system32\Oipolkpi.exe), PID 1812
- Executes dropped EXE
- Loads dropped DLL

Depth 22: C:\Windows\SysWOW64\Ojqkcc32.exe (command line: C:\Windows\system32\Ojqkcc32.exe), PID 1256
- Executes dropped EXE
- Loads dropped DLL

Depth 23: C:\Windows\SysWOW64\Oefoql32.exe (command line: C:\Windows\system32\Oefoql32.exe), PID 1524
- Executes dropped EXE
- Loads dropped DLL

Depth 24: C:\Windows\SysWOW64\Ofjhndji.exe (command line: C:\Windows\system32\Ofjhndji.exe), PID 1988
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

Depth 25: C:\Windows\SysWOW64\Ohiehgal.exe (command line: C:\Windows\system32\Ohiehgal.exe), PID 1016
- Executes dropped EXE
- Loads dropped DLL

Depth 26: C:\Windows\SysWOW64\Paaiql32.exe (command line: C:\Windows\system32\Paaiql32.exe), PID 108
- Executes dropped EXE

Depth 27: C:\Windows\SysWOW64\Pgaoocca.exe (command line: C:\Windows\system32\Pgaoocca.exe), PID 1588
- Loads dropped DLL
- Drops file in System32 directory

Depth 28: C:\Windows\SysWOW64\Peflpo32.exe (command line: C:\Windows\system32\Peflpo32.exe), PID 1604
- Executes dropped EXE
- Loads dropped DLL

Depth 29: C:\Windows\SysWOW64\Pcjlicgb.exe (command line: C:\Windows\system32\Pcjlicgb.exe), PID 616
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

Depth 30: C:\Windows\SysWOW64\Piddfn32.exe (command line: C:\Windows\system32\Piddfn32.exe), PID 1980
- Executes dropped EXE
- Loads dropped DLL

Depth 31: C:\Windows\SysWOW64\Qekekodc.exe (command line: C:\Windows\system32\Qekekodc.exe), PID 1656
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

Depth 32: C:\Windows\SysWOW64\Ajogjaep.exe (command line: C:\Windows\system32\Ajogjaep.exe), PID 1636
- Executes dropped EXE
- Loads dropped DLL

Depth 33: C:\Windows\SysWOW64\Acjhhgjn.exe (command line: C:\Windows\system32\Acjhhgjn.exe), PID 1912
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

Depth 34: C:\Windows\SysWOW64\Aqniak32.exe (command line: C:\Windows\system32\Aqniak32.exe), PID 1768
- Executes dropped EXE

Depth 35: C:\Windows\SysWOW64\Ajfmjqoh.exe (command line: C:\Windows\system32\Ajfmjqoh.exe), PID 756
- Executes dropped EXE
- Drops file in System32 directory

Depth 36: C:\Windows\SysWOW64\Ababoclc.exe (command line: C:\Windows\system32\Ababoclc.exe), PID 1156
- Executes dropped EXE

Depth 37: C:\Windows\SysWOW64\Bhkjkm32.exe (command line: C:\Windows\system32\Bhkjkm32.exe), PID 1448
- Executes dropped EXE
- Drops file in System32 directory

Depth 38: C:\Windows\SysWOW64\Bkjfgh32.exe (command line: C:\Windows\system32\Bkjfgh32.exe), PID 1704
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

Depth 39: C:\Windows\SysWOW64\Bcanifcf.exe (command line: C:\Windows\system32\Bcanifcf.exe), PID 956
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

Depth 40: C:\Windows\SysWOW64\Bklcmhaa.exe (command line: C:\Windows\system32\Bklcmhaa.exe), PID 680
- Executes dropped EXE

Depth 41: C:\Windows\SysWOW64\Bbfkjb32.exe (command line: C:\Windows\system32\Bbfkjb32.exe), PID 1692
- Executes dropped EXE
- Drops file in System32 directory

Depth 42: C:\Windows\SysWOW64\Bgcdbi32.exe (command line: C:\Windows\system32\Bgcdbi32.exe), PID 676
- Executes dropped EXE

Depth 43: C:\Windows\SysWOW64\Beiaamcl.exe (command line: C:\Windows\system32\Beiaamcl.exe), PID 1748
- Executes dropped EXE

Depth 44: C:\Windows\SysWOW64\Ceknfm32.exe (command line: C:\Windows\system32\Ceknfm32.exe), PID 952
- Executes dropped EXE
- Drops file in System32 directory

Depth 45: C:\Windows\SysWOW64\Clnlak32.exe (command line: C:\Windows\system32\Clnlak32.exe), PID 1680
- Executes dropped EXE

Depth 46: C:\Windows\SysWOW64\Cidiqona.exe (command line: C:\Windows\system32\Cidiqona.exe), PID 796
- Executes dropped EXE

Depth 47: C:\Windows\SysWOW64\Dapneall.exe (command line: C:\Windows\system32\Dapneall.exe), PID 472
- Executes dropped EXE

Depth 48: C:\Windows\SysWOW64\Dbojod32.exe (command line: C:\Windows\system32\Dbojod32.exe), PID 1208
- Executes dropped EXE
- Modifies registry class

Depth 49: C:\Windows\SysWOW64\Ddepal32.exe (command line: C:\Windows\system32\Ddepal32.exe), PID 1652
- Executes dropped EXE

Depth 50: C:\Windows\SysWOW64\Epnnll32.exe (command line: C:\Windows\system32\Epnnll32.exe), PID 1640
- Executes dropped EXE
- Drops file in System32 directory

Depth 51: C:\Windows\SysWOW64\Efhfifpf.exe (command line: C:\Windows\system32\Efhfifpf.exe), PID 536
- Executes dropped EXE

Depth 52: C:\Windows\SysWOW64\Eifbeb32.exe (command line: C:\Windows\system32\Eifbeb32.exe), PID 1324
- Executes dropped EXE

Depth 53: C:\Windows\SysWOW64\Elgkgm32.exe (command line: C:\Windows\system32\Elgkgm32.exe), PID 320
- Executes dropped EXE

Depth 54: C:\Windows\SysWOW64\Eadcod32.exe (command line: C:\Windows\system32\Eadcod32.exe), PID 1800
- Executes dropped EXE

Depth 55: C:\Windows\SysWOW64\Eljhlmjh.exe (command line: C:\Windows\system32\Eljhlmjh.exe), PID 800
- Executes dropped EXE

Depth 56: C:\Windows\SysWOW64\Ebcpig32.exe (command line: C:\Windows\system32\Ebcpig32.exe), PID 1544
- Executes dropped EXE

Depth 57: C:\Windows\SysWOW64\Eojanhgi.exe (command line: C:\Windows\system32\Eojanhgi.exe), PID 892
- Executes dropped EXE

Depth 58: C:\Windows\SysWOW64\Fedikb32.exe (command line: C:\Windows\system32\Fedikb32.exe), PID 1036
- Executes dropped EXE

Depth 59: C:\Windows\SysWOW64\Fghbhj32.exe (command line: C:\Windows\system32\Fghbhj32.exe), PID 816
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

Depth 60: C:\Windows\SysWOW64\Fgjomj32.exe (command line: C:\Windows\system32\Fgjomj32.exe), PID 1936
- Executes dropped EXE

Depth 61: C:\Windows\SysWOW64\Fngdpc32.exe (command line: C:\Windows\system32\Fngdpc32.exe), PID 1924
- Executes dropped EXE

Depth 62: C:\Windows\SysWOW64\Gffboeoo.exe (command line: C:\Windows\system32\Gffboeoo.exe), PID 1424
- Executes dropped EXE
- Modifies registry class

Depth 63: C:\Windows\SysWOW64\Gbmcdfdc.exe (command line: C:\Windows\system32\Gbmcdfdc.exe), PID 284
- Executes dropped EXE

Depth 64: C:\Windows\SysWOW64\Gdlopacg.exe (command line: C:\Windows\system32\Gdlopacg.exe), PID 1972
- Executes dropped EXE

Depth 65: C:\Windows\SysWOW64\Gkhdbk32.exe (command line: C:\Windows\system32\Gkhdbk32.exe), PID 1548
- Executes dropped EXE

Depth 66: C:\Windows\SysWOW64\Hgaaml32.exe (command line: C:\Windows\system32\Hgaaml32.exe), PID 1516
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

Depth 67: C:\Windows\SysWOW64\Hqlbka32.exe (command line: C:\Windows\system32\Hqlbka32.exe), PID 984

Depth 68: C:\Windows\SysWOW64\Henhed32.exe (command line: C:\Windows\system32\Henhed32.exe), PID 240

Depth 69: C:\Windows\SysWOW64\Ijojhkna.exe (command line: C:\Windows\system32\Ijojhkna.exe), PID 1608

Depth 70: C:\Windows\SysWOW64\Ichnap32.exe (command line: C:\Windows\system32\Ichnap32.exe), PID 1192

Depth 71: C:\Windows\SysWOW64\Iegkkc32.exe (command line: C:\Windows\system32\Iegkkc32.exe), PID 1092

Depth 72: C:\Windows\SysWOW64\Iheggo32.exe (command line: C:\Windows\system32\Iheggo32.exe), PID 1100

Depth 73: C:\Windows\SysWOW64\Ijdccj32.exe (command line: C:\Windows\system32\Ijdccj32.exe), PID 864

Depth 74: C:\Windows\SysWOW64\Jjfpij32.exe (command line: C:\Windows\system32\Jjfpij32.exe), PID 912
- Adds autorun key to be loaded by Explorer.exe on startup

Depth 75: C:\Windows\SysWOW64\Jmelee32.exe (command line: C:\Windows\system32\Jmelee32.exe), PID 1088

Depth 76: C:\Windows\SysWOW64\Jdodao32.exe (command line: C:\Windows\system32\Jdodao32.exe), PID 1464

Depth 77: C:\Windows\SysWOW64\Jilmjf32.exe (command line: C:\Windows\system32\Jilmjf32.exe), PID 596

Depth 78: C:\Windows\SysWOW64\Jbdaclcb.exe (command line: C:\Windows\system32\Jbdaclcb.exe), PID 1728

Depth 79: C:\Windows\SysWOW64\Jmifpdch.exe (command line: C:\Windows\system32\Jmifpdch.exe), PID 1492

Depth 80: C:\Windows\SysWOW64\Jbfnhkao.exe (command line: C:\Windows\system32\Jbfnhkao.exe), PID 2044

Depth 81: C:\Windows\SysWOW64\Kpjkqc32.exe (command line: C:\Windows\system32\Kpjkqc32.exe), PID 1272

Depth 82: C:\Windows\SysWOW64\Lcmqhnnc.exe (command line: C:\Windows\system32\Lcmqhnnc.exe), PID 2016

Depth 83: C:\Windows\SysWOW64\Lcpmnm32.exe (command line: C:\Windows\system32\Lcpmnm32.exe), PID 2052

Depth 84: C:\Windows\SysWOW64\Labnijbk.exe (command line: C:\Windows\system32\Labnijbk.exe), PID 2060
- Modifies registry class

Depth 85: C:\Windows\SysWOW64\Ladjojqh.exe (command line: C:\Windows\system32\Ladjojqh.exe), PID 2068

Depth 86: C:\Windows\SysWOW64\Lbggdi32.exe (command line: C:\Windows\system32\Lbggdi32.exe), PID 2076

Depth 87: C:\Windows\SysWOW64\Mgdolp32.exe (command line: C:\Windows\system32\Mgdolp32.exe), PID 2084
- Drops file in System32 directory

Depth 88: C:\Windows\SysWOW64\Mdhpfd32.exe (command line: C:\Windows\system32\Mdhpfd32.exe), PID 2092

Depth 89: C:\Windows\SysWOW64\Mkahbo32.exe (command line: C:\Windows\system32\Mkahbo32.exe), PID 2100

Depth 90: C:\Windows\SysWOW64\Mmeapfgo.exe (command line: C:\Windows\system32\Mmeapfgo.exe), PID 2108

Depth 91: C:\Windows\SysWOW64\Mfnfil32.exe (command line: C:\Windows\system32\Mfnfil32.exe), PID 2116

Depth 92: C:\Windows\SysWOW64\Mcafbpli.exe (command line: C:\Windows\system32\Mcafbpli.exe), PID 2124
- Drops file in System32 directory

Depth 93: C:\Windows\SysWOW64\Mfpbnllm.exe (command line: C:\Windows\system32\Mfpbnllm.exe), PID 2244

Depth 94: C:\Windows\SysWOW64\Nbkmnlmk.exe (command line: C:\Windows\system32\Nbkmnlmk.exe), PID 2252

Depth 95: C:\Windows\SysWOW64\Naqiohbc.exe (command line: C:\Windows\system32\Naqiohbc.exe), PID 2260

Depth 96: C:\Windows\SysWOW64\Ncofkdag.exe (command line: C:\Windows\system32\Ncofkdag.exe), PID 2268

Depth 97: C:\Windows\SysWOW64\Njinhn32.exe (command line: C:\Windows\system32\Njinhn32.exe), PID 2276

Depth 98: C:\Windows\SysWOW64\Nndjimqm.exe (command line: C:\Windows\system32\Nndjimqm.exe), PID 2284
- Modifies registry class

Depth 99: C:\Windows\SysWOW64\Neobeg32.exe (command line: C:\Windows\system32\Neobeg32.exe), PID 2292

Depth 100: C:\Windows\SysWOW64\Ogmoab32.exe (command line: C:\Windows\system32\Ogmoab32.exe), PID 2300

Depth 101: C:\Windows\SysWOW64\Ojkknn32.exe (command line: C:\Windows\system32\Ojkknn32.exe), PID 2308

Depth 102: C:\Windows\SysWOW64\Omjgji32.exe (command line: C:\Windows\system32\Omjgji32.exe), PID 2316
- Drops file in System32 directory
- Modifies registry class

Depth 103: C:\Windows\SysWOW64\Ophcfddi.exe (command line: C:\Windows\system32\Ophcfddi.exe), PID 2324
- Modifies registry class

Depth 104: C:\Windows\SysWOW64\Omlcpicb.exe (command line: C:\Windows\system32\Omlcpicb.exe), PID 2332
- Adds autorun key to be loaded by Explorer.exe on startup

Depth 105: C:\Windows\SysWOW64\Ofdhhn32.exe (command line: C:\Windows\system32\Ofdhhn32.exe), PID 2340

Depth 106: C:\Windows\SysWOW64\Olaqqe32.exe (command line: C:\Windows\system32\Olaqqe32.exe), PID 2348

Depth 107: C:\Windows\SysWOW64\Ofgennhp.exe (command line: C:\Windows\system32\Ofgennhp.exe), PID 2356

Depth 108: C:\Windows\SysWOW64\Oieajigd.exe (command line: C:\Windows\system32\Oieajigd.exe), PID 2364

Depth 109: C:\Windows\SysWOW64\Olfjldde.exe (command line: C:\Windows\system32\Olfjldde.exe), PID 2372

Depth 110: C:\Windows\SysWOW64\Podfhpch.exe (command line: C:\Windows\system32\Podfhpch.exe), PID 2380

Depth 111: C:\Windows\SysWOW64\Penodjke.exe (command line: C:\Windows\system32\Penodjke.exe), PID 2388

Depth 112: C:\Windows\SysWOW64\Pijjei32.exe (command line: C:\Windows\system32\Pijjei32.exe), PID 2396

Depth 113: C:\Windows\SysWOW64\Plhgad32.exe (command line: C:\Windows\system32\Plhgad32.exe), PID 2404
- Modifies registry class

Depth 114: C:\Windows\SysWOW64\Pogcmp32.exe (command line: C:\Windows\system32\Pogcmp32.exe), PID 2412

Depth 115: C:\Windows\SysWOW64\Paeoik32.exe (command line: C:\Windows\system32\Paeoik32.exe), PID 2420

Depth 116: C:\Windows\SysWOW64\Phogfehf.exe (command line: C:\Windows\system32\Phogfehf.exe), PID 2428

Depth 117: C:\Windows\SysWOW64\Paglokng.exe (command line: C:\Windows\system32\Paglokng.exe), PID 2436
- Drops file in System32 directory

Depth 118: C:\Windows\SysWOW64\Pgddgamn.exe (command line: C:\Windows\system32\Pgddgamn.exe), PID 2444

Depth 119: C:\Windows\SysWOW64\Ppmipg32.exe (command line: C:\Windows\system32\Ppmipg32.exe), PID 2452

Depth 120: C:\Windows\SysWOW64\Pggamakl.exe (command line: C:\Windows\system32\Pggamakl.exe), PID 2460

Depth 121: C:\Windows\SysWOW64\Pmqiik32.exe (command line: C:\Windows\system32\Pmqiik32.exe), PID 2468

Depth 122: C:\Windows\SysWOW64\Ppoeeg32.exe (command line: C:\Windows\system32\Ppoeeg32.exe), PID 2476