Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
07/04/2024, 23:23
Static task
static1
Behavioral task
behavioral1
Sample
90f0f105f690bfffcbd34369f7be093c10bc0e5823a3d1750aa761c4c2e1e358.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
90f0f105f690bfffcbd34369f7be093c10bc0e5823a3d1750aa761c4c2e1e358.exe
Resource
win10v2004-20240226-en
General
-
Target
90f0f105f690bfffcbd34369f7be093c10bc0e5823a3d1750aa761c4c2e1e358.exe
-
Size
123KB
-
MD5
1036e33d3ece59e33f67c14f9782faca
-
SHA1
5f95ed44543b6c68939d9a302e282392065bcc6f
-
SHA256
90f0f105f690bfffcbd34369f7be093c10bc0e5823a3d1750aa761c4c2e1e358
-
SHA512
abade8c479f4f4f531b0712f2cd9528c0ce3611a55bc3552b8b8e1b23253dd6fd3820e359712d31a26889b48e48388f1a632acac43e6b6a374a587b4cf88d87d
-
SSDEEP
3072:XMLIOC+ir8nrZUfH4RZNOKWY9YGKURYSa9rR85DEn5k7r8:XMLjnrGPqaGKU4rQD85k/8
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jiondcpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nolhan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noqamn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbgmbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iggkllpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmlapp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiedjneg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eflgccbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfqahgpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mimbdhhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppamme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgdmmgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abbbnchb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqelenlc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgimmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlibjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdikkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Madapkmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npnhlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cckace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egdilkbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnlqnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mekdekin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plahag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mimbdhhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qfahhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoepcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cldooj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djmicm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dggcffhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naikkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmhmpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pklhlael.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pqkmjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjpqdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhkbkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doobajme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpfdalii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 90f0f105f690bfffcbd34369f7be093c10bc0e5823a3d1750aa761c4c2e1e358.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nohnhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aalmklfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeempocb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nejiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdbdjhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ioijbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmmcjehm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feeiob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icpigm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cphlljge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmmfkafa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ombapedi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alegac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgfgdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkaocp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmcijcbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lajhofao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbokmqie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njdpomfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdlnkmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Namqci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npfgpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhpiojfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjknnbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Limfed32.exe -
Executes dropped EXE 64 IoCs
pid Process 2712 Kpcpbb32.exe 2148 Kjhdokbo.exe 2644 Kpemgbqf.exe 2680 Kbcicmpj.exe 2468 Kinaqg32.exe 2440 Kphimanc.exe 2932 Kfaajlfp.exe 1624 Kipnfged.exe 2776 Komfnnck.exe 312 Kegnkh32.exe 1848 Khekgc32.exe 2224 Klqfhbbe.exe 2200 Kanopipl.exe 1316 Lhggmchi.exe 2388 Loapim32.exe 2672 Lmdpejfq.exe 784 Ldnhad32.exe 1496 Lodlom32.exe 572 Labhkh32.exe 2412 Ldqegd32.exe 1152 Lgoacojo.exe 1768 Limmokib.exe 1268 Lpgele32.exe 760 Lkmjin32.exe 2036 Lmkfei32.exe 1188 Lpjbad32.exe 1604 Ldenbcge.exe 1748 Ldenbcge.exe 2316 Lefkjkmc.exe 2664 Llqcfe32.exe 2668 Mcjkcplm.exe 2092 Mgfgdn32.exe 2472 Mlcple32.exe 2352 Mpolmdkg.exe 1968 Mcmhiojk.exe 2752 Mekdekin.exe 2780 Mhjpaf32.exe 2764 Mlelaeqk.exe 472 Mochnppo.exe 2336 Mabejlob.exe 1680 Menakj32.exe 1784 Mhlmgf32.exe 2268 Mlgigdoh.exe 2096 Mofecpnl.exe 668 Madapkmp.exe 1036 Mhnjle32.exe 588 Mgajhbkg.exe 288 Mohbip32.exe 2988 Mnkbdlbd.exe 1616 Mdejaf32.exe 916 Mkobnqan.exe 892 Njbcim32.exe 2032 Naikkk32.exe 2180 Ndgggf32.exe 2924 Ngfcca32.exe 2596 Nkaocp32.exe 2360 Njdpomfe.exe 2460 Npnhlg32.exe 2488 Ndjdlffl.exe 1628 Ncmdhb32.exe 1612 Nfkpdn32.exe 2192 Nnbhek32.exe 2328 Nleiqhcg.exe 1928 Ncoamb32.exe -
Loads dropped DLL 64 IoCs
pid Process 2060 90f0f105f690bfffcbd34369f7be093c10bc0e5823a3d1750aa761c4c2e1e358.exe 2060 90f0f105f690bfffcbd34369f7be093c10bc0e5823a3d1750aa761c4c2e1e358.exe 2712 Kpcpbb32.exe 2712 Kpcpbb32.exe 2148 Kjhdokbo.exe 2148 Kjhdokbo.exe 2644 Kpemgbqf.exe 2644 Kpemgbqf.exe 2680 Kbcicmpj.exe 2680 Kbcicmpj.exe 2468 Kinaqg32.exe 2468 Kinaqg32.exe 2440 Kphimanc.exe 2440 Kphimanc.exe 2932 Kfaajlfp.exe 2932 Kfaajlfp.exe 1624 Kipnfged.exe 1624 Kipnfged.exe 2776 Komfnnck.exe 2776 Komfnnck.exe 312 Kegnkh32.exe 312 Kegnkh32.exe 1848 Khekgc32.exe 1848 Khekgc32.exe 2224 Klqfhbbe.exe 2224 Klqfhbbe.exe 2200 Kanopipl.exe 2200 Kanopipl.exe 1316 Lhggmchi.exe 1316 Lhggmchi.exe 2388 Loapim32.exe 2388 Loapim32.exe 2672 Lmdpejfq.exe 2672 Lmdpejfq.exe 784 Ldnhad32.exe 784 Ldnhad32.exe 1496 Lodlom32.exe 1496 Lodlom32.exe 572 Labhkh32.exe 572 Labhkh32.exe 2412 Ldqegd32.exe 2412 Ldqegd32.exe 1152 Lgoacojo.exe 1152 Lgoacojo.exe 1768 Limmokib.exe 1768 Limmokib.exe 1268 Lpgele32.exe 1268 Lpgele32.exe 760 Lkmjin32.exe 760 Lkmjin32.exe 2036 Lmkfei32.exe 2036 Lmkfei32.exe 1188 Lpjbad32.exe 1188 Lpjbad32.exe 1604 Ldenbcge.exe 1604 Ldenbcge.exe 1748 Ldenbcge.exe 1748 Ldenbcge.exe 2316 Lefkjkmc.exe 2316 Lefkjkmc.exe 2664 Llqcfe32.exe 2664 Llqcfe32.exe 2668 Mcjkcplm.exe 2668 Mcjkcplm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Paejki32.exe Ofpfnqjp.exe File created C:\Windows\SysWOW64\Oddpfc32.exe Oqideepg.exe File opened for modification C:\Windows\SysWOW64\Obigjnkf.exe Oojknblb.exe File opened for modification C:\Windows\SysWOW64\Chbjffad.exe Cdgneh32.exe File opened for modification C:\Windows\SysWOW64\Flmefm32.exe Fioija32.exe File created C:\Windows\SysWOW64\Icmlam32.exe Iqopea32.exe File created C:\Windows\SysWOW64\Gfadgaio.dll Mgimmm32.exe File created C:\Windows\SysWOW64\Jkiabffn.dll Ldenbcge.exe File created C:\Windows\SysWOW64\Icaooali.dll Menakj32.exe File opened for modification C:\Windows\SysWOW64\Amndem32.exe Ajphib32.exe File created C:\Windows\SysWOW64\Nclpan32.dll Jnclnihj.exe File opened for modification C:\Windows\SysWOW64\Okgnab32.exe Ohibdf32.exe File created C:\Windows\SysWOW64\Ndgggf32.exe Naikkk32.exe File opened for modification C:\Windows\SysWOW64\Qbbfopeg.exe Qjknnbed.exe File opened for modification C:\Windows\SysWOW64\Mgljbm32.exe Mbpnanch.exe File created C:\Windows\SysWOW64\Npfgpe32.exe Nacgdhlp.exe File created C:\Windows\SysWOW64\Qfjnod32.dll Chpmpg32.exe File created C:\Windows\SysWOW64\Dnoomqbg.exe Dkqbaecc.exe File opened for modification C:\Windows\SysWOW64\Dgodbh32.exe Ddagfm32.exe File created C:\Windows\SysWOW64\Pogjpc32.dll Kafbec32.exe File created C:\Windows\SysWOW64\Mfcngp32.dll Naikkk32.exe File created C:\Windows\SysWOW64\Jaqlckoi.dll Ccfhhffh.exe File opened for modification C:\Windows\SysWOW64\Eeempocb.exe Eajaoq32.exe File created C:\Windows\SysWOW64\Fgaleqmc.dll Nialog32.exe File created C:\Windows\SysWOW64\Cpkbdiqb.exe Cahail32.exe File created C:\Windows\SysWOW64\Cjdfmo32.exe Ckafbbph.exe File opened for modification C:\Windows\SysWOW64\Hggomh32.exe Hpmgqnfl.exe File created C:\Windows\SysWOW64\Ldnhad32.exe Lmdpejfq.exe File created C:\Windows\SysWOW64\Hpdcdhpk.dll Bingpmnl.exe File opened for modification C:\Windows\SysWOW64\Beehencq.exe Baildokg.exe File created C:\Windows\SysWOW64\Eqbddk32.exe Ekelld32.exe File created C:\Windows\SysWOW64\Kcehqcli.dll Ldqegd32.exe File opened for modification C:\Windows\SysWOW64\Mlcple32.exe Mgfgdn32.exe File opened for modification C:\Windows\SysWOW64\Lflmci32.exe Lbqabkql.exe File created C:\Windows\SysWOW64\Ngogde32.dll Nlphkb32.exe File created C:\Windows\SysWOW64\Eeoffcnl.dll Papfegmk.exe File opened for modification C:\Windows\SysWOW64\Lpjbad32.exe Lmkfei32.exe File opened for modification C:\Windows\SysWOW64\Ngnbgplj.exe Nhkbkc32.exe File created C:\Windows\SysWOW64\Aoepcn32.exe Afohaa32.exe File created C:\Windows\SysWOW64\Lpgele32.exe Limmokib.exe File created C:\Windows\SysWOW64\Nplhpb32.dll Ncoamb32.exe File created C:\Windows\SysWOW64\Leajdfnm.exe Lbcnhjnj.exe File opened for modification C:\Windows\SysWOW64\Pqkmjh32.exe Pnlqnl32.exe File opened for modification C:\Windows\SysWOW64\Anafhopc.exe Ajejgp32.exe File created C:\Windows\SysWOW64\Poaljn32.dll Oicpfh32.exe File created C:\Windows\SysWOW64\Fkgecelp.dll Ihankokm.exe File created C:\Windows\SysWOW64\Ilbgbe32.dll Pmanoifd.exe File created C:\Windows\SysWOW64\Dglpbbbg.exe Dcadac32.exe File created C:\Windows\SysWOW64\Epjomppp.dll Dhnmij32.exe File opened for modification C:\Windows\SysWOW64\Cckace32.exe Copfbfjj.exe File created C:\Windows\SysWOW64\Emcbkn32.exe Eihfjo32.exe File created C:\Windows\SysWOW64\Mmnclh32.dll Dkqbaecc.exe File created C:\Windows\SysWOW64\Egjpkffe.exe Edkcojga.exe File created C:\Windows\SysWOW64\Lkmkpl32.dll Eqgnokip.exe File opened for modification C:\Windows\SysWOW64\Mdkqqa32.exe Mppepcfg.exe File opened for modification C:\Windows\SysWOW64\Kjhdokbo.exe Kpcpbb32.exe File opened for modification C:\Windows\SysWOW64\Mkobnqan.exe Mdejaf32.exe File created C:\Windows\SysWOW64\Gpknlk32.exe Fmlapp32.exe File created C:\Windows\SysWOW64\Npdjje32.exe Nnennj32.exe File created C:\Windows\SysWOW64\Pfjbgnme.exe Pggbla32.exe File opened for modification C:\Windows\SysWOW64\Pfjbgnme.exe Pggbla32.exe File opened for modification C:\Windows\SysWOW64\Qeqbkkej.exe Qaefjm32.exe File created C:\Windows\SysWOW64\Bhcdaibd.exe Beehencq.exe File opened for modification C:\Windows\SysWOW64\Cphlljge.exe Cnippoha.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6320 6296 WerFault.exe 601 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgpjanje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjadmnic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnajilng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccnnibig.dll" Anafhopc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkdik32.dll" Cldooj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abpfhcje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihdkao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhpiojfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofpfnqjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pndaof32.dll" Ppamme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ngfcca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hgdbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khjjpi32.dll" Bbokmqie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cldooj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edkcojga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mocaac32.dll" Bopicc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jiondcpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oqideepg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddgjdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdcbnc32.dll" Ocajbekl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ikddbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfhengk.dll" Pcnbablo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dnoomqbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acmmle32.dll" Aibajhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnoomqbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhfilfi.dll" Cjpqdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecimppi.dll" Epfhbign.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mggpgmof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofjfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkpagq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pclfkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icpigm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hejodhmc.dll" Oqkqkdne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njbcim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eihfjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leghhgkf.dll" Lmdpejfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idphiplp.dll" Bhcdaibd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Elmigj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nofabc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qbbfopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckffgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pnajilng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edpmjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcehqcli.dll" Ldqegd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jmhmpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohhkga32.dll" Pqkmjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qfokbnip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keefji32.dll" Bidjnkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfaajlfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nplhpb32.dll" Ncoamb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iacnpbdl.dll" Omgaek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dnilobkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkaggelk.dll" Dcknbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkabadei.dll" Enihne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mohbip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebedndfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdoneabg.dll" Bommnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kiccofna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odobjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdlgpgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkcmiimi.dll" Dnilobkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfeoofge.dll" Emcbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fdoclk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pogclp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2060 wrote to memory of 2712 2060 90f0f105f690bfffcbd34369f7be093c10bc0e5823a3d1750aa761c4c2e1e358.exe 28 PID 2060 wrote to memory of 2712 2060 90f0f105f690bfffcbd34369f7be093c10bc0e5823a3d1750aa761c4c2e1e358.exe 28 PID 2060 wrote to memory of 2712 2060 90f0f105f690bfffcbd34369f7be093c10bc0e5823a3d1750aa761c4c2e1e358.exe 28 PID 2060 wrote to memory of 2712 2060 90f0f105f690bfffcbd34369f7be093c10bc0e5823a3d1750aa761c4c2e1e358.exe 28 PID 2712 wrote to memory of 2148 2712 Kpcpbb32.exe 29 PID 2712 wrote to memory of 2148 2712 Kpcpbb32.exe 29 PID 2712 wrote to memory of 2148 2712 Kpcpbb32.exe 29 PID 2712 wrote to memory of 2148 2712 Kpcpbb32.exe 29 PID 2148 wrote to memory of 2644 2148 Kjhdokbo.exe 30 PID 2148 wrote to memory of 2644 2148 Kjhdokbo.exe 30 PID 2148 wrote to memory of 2644 2148 Kjhdokbo.exe 30 PID 2148 wrote to memory of 2644 2148 Kjhdokbo.exe 30 PID 2644 wrote to memory of 2680 2644 Kpemgbqf.exe 31 PID 2644 wrote to memory of 2680 2644 Kpemgbqf.exe 31 PID 2644 wrote to memory of 2680 2644 Kpemgbqf.exe 31 PID 2644 wrote to memory of 2680 2644 Kpemgbqf.exe 31 PID 2680 wrote to memory of 2468 2680 Kbcicmpj.exe 32 PID 2680 wrote to memory of 2468 2680 Kbcicmpj.exe 32 PID 2680 wrote to memory of 2468 2680 Kbcicmpj.exe 32 PID 2680 wrote to memory of 2468 2680 Kbcicmpj.exe 32 PID 2468 wrote to memory of 2440 2468 Kinaqg32.exe 33 PID 2468 wrote to memory of 2440 2468 Kinaqg32.exe 33 PID 2468 wrote to memory of 2440 2468 Kinaqg32.exe 33 PID 2468 wrote to memory of 2440 2468 Kinaqg32.exe 33 PID 2440 wrote to memory of 2932 2440 Kphimanc.exe 34 PID 2440 wrote to memory of 2932 2440 Kphimanc.exe 34 PID 2440 wrote to memory of 2932 2440 Kphimanc.exe 34 PID 2440 wrote to memory of 2932 2440 Kphimanc.exe 34 PID 2932 wrote to memory of 1624 2932 Kfaajlfp.exe 35 PID 2932 wrote to memory of 1624 2932 Kfaajlfp.exe 35 PID 2932 wrote to memory of 1624 2932 Kfaajlfp.exe 35 PID 2932 wrote to memory of 1624 2932 Kfaajlfp.exe 35 PID 1624 wrote to memory of 2776 1624 Kipnfged.exe 36 PID 1624 wrote to memory of 2776 1624 Kipnfged.exe 36 PID 1624 wrote to memory of 2776 1624 Kipnfged.exe 36 PID 1624 wrote to memory of 2776 1624 Kipnfged.exe 36 PID 2776 wrote to memory of 312 2776 Komfnnck.exe 37 PID 2776 wrote to memory of 312 2776 Komfnnck.exe 37 PID 2776 wrote to memory of 312 2776 Komfnnck.exe 37 PID 2776 wrote to memory of 312 2776 Komfnnck.exe 37 PID 312 wrote to memory of 1848 312 Kegnkh32.exe 38 PID 312 wrote to memory of 1848 312 Kegnkh32.exe 38 PID 312 wrote to memory of 1848 312 Kegnkh32.exe 38 PID 312 wrote to memory of 1848 312 Kegnkh32.exe 38 PID 1848 wrote to memory of 2224 1848 Khekgc32.exe 39 PID 1848 wrote to memory of 2224 1848 Khekgc32.exe 39 PID 1848 wrote to memory of 2224 1848 Khekgc32.exe 39 PID 1848 wrote to memory of 2224 1848 Khekgc32.exe 39 PID 2224 wrote to memory of 2200 2224 Klqfhbbe.exe 40 PID 2224 wrote to memory of 2200 2224 Klqfhbbe.exe 40 PID 2224 wrote to memory of 2200 2224 Klqfhbbe.exe 40 PID 2224 wrote to memory of 2200 2224 Klqfhbbe.exe 40 PID 2200 wrote to memory of 1316 2200 Kanopipl.exe 41 PID 2200 wrote to memory of 1316 2200 Kanopipl.exe 41 PID 2200 wrote to memory of 1316 2200 Kanopipl.exe 41 PID 2200 wrote to memory of 1316 2200 Kanopipl.exe 41 PID 1316 wrote to memory of 2388 1316 Lhggmchi.exe 42 PID 1316 wrote to memory of 2388 1316 Lhggmchi.exe 42 PID 1316 wrote to memory of 2388 1316 Lhggmchi.exe 42 PID 1316 wrote to memory of 2388 1316 Lhggmchi.exe 42 PID 2388 wrote to memory of 2672 2388 Loapim32.exe 43 PID 2388 wrote to memory of 2672 2388 Loapim32.exe 43 PID 2388 wrote to memory of 2672 2388 Loapim32.exe 43 PID 2388 wrote to memory of 2672 2388 Loapim32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\90f0f105f690bfffcbd34369f7be093c10bc0e5823a3d1750aa761c4c2e1e358.exe"C:\Users\Admin\AppData\Local\Temp\90f0f105f690bfffcbd34369f7be093c10bc0e5823a3d1750aa761c4c2e1e358.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Kpcpbb32.exeC:\Windows\system32\Kpcpbb32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Kjhdokbo.exeC:\Windows\system32\Kjhdokbo.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Kpemgbqf.exeC:\Windows\system32\Kpemgbqf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Kbcicmpj.exeC:\Windows\system32\Kbcicmpj.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Kinaqg32.exeC:\Windows\system32\Kinaqg32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Kphimanc.exeC:\Windows\system32\Kphimanc.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:312 -
C:\Windows\SysWOW64\Khekgc32.exeC:\Windows\system32\Khekgc32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Lmdpejfq.exeC:\Windows\system32\Lmdpejfq.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Ldnhad32.exeC:\Windows\system32\Ldnhad32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:784 -
C:\Windows\SysWOW64\Lodlom32.exeC:\Windows\system32\Lodlom32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1496 -
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:572 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1152 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1768 -
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1268 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:760 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2036 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1188 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1748 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2316 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2664 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe34⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe35⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe36⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe38⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe39⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe40⤵
- Executes dropped EXE
PID:472 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe41⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe43⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe44⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe45⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:668 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe47⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe48⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:288 -
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe50⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe52⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:892 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2032 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe55⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe60⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe61⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe62⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe63⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe64⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1928 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe66⤵PID:2536
-
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe67⤵PID:2144
-
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe68⤵PID:2076
-
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe69⤵
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe70⤵PID:112
-
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe71⤵PID:632
-
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe72⤵PID:2408
-
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2080 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe74⤵PID:1128
-
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe75⤵PID:1656
-
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe76⤵
- Drops file in System32 directory
PID:1048 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe77⤵PID:1600
-
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe78⤵PID:1308
-
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe79⤵
- Drops file in System32 directory
PID:1792 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe80⤵PID:2632
-
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe81⤵PID:2660
-
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe82⤵PID:2564
-
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe83⤵PID:2692
-
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe84⤵PID:2736
-
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe85⤵PID:2748
-
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe86⤵PID:2508
-
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe87⤵PID:2196
-
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe88⤵PID:1984
-
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe89⤵PID:1676
-
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe90⤵PID:348
-
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe91⤵
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe92⤵PID:2420
-
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe93⤵
- Modifies registry class
PID:384 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:1100 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe95⤵PID:448
-
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1208 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe97⤵PID:1660
-
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe98⤵PID:684
-
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe99⤵PID:1868
-
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe100⤵PID:2300
-
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe102⤵PID:2808
-
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe103⤵PID:2688
-
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe104⤵PID:2612
-
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe106⤵
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe107⤵
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe108⤵PID:1428
-
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe109⤵PID:1592
-
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe110⤵PID:1444
-
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe111⤵
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe112⤵PID:1532
-
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe113⤵PID:2836
-
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe114⤵PID:564
-
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3040 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1576 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe117⤵PID:2376
-
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe118⤵PID:2620
-
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe119⤵PID:768
-
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe120⤵PID:2556
-
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe121⤵
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe122⤵PID:2516
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-