Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
24/04/2024, 17:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
709b1676668000eeb8f96fa8e826ea777e2bc6b57dfcd363efc7b5b2609771cf.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
709b1676668000eeb8f96fa8e826ea777e2bc6b57dfcd363efc7b5b2609771cf.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
709b1676668000eeb8f96fa8e826ea777e2bc6b57dfcd363efc7b5b2609771cf.exe
-
Size
483KB
-
MD5
152040190ccef1d0bb0074f6714a6965
-
SHA1
a3f1ea8ef73fd2680b06fae4670d0efaf3fdfc65
-
SHA256
709b1676668000eeb8f96fa8e826ea777e2bc6b57dfcd363efc7b5b2609771cf
-
SHA512
7f0dbf0333d0e984d0137056ae488a063dbbaa324994fe5de4c29d863d4f5c46da25a56dc99e4b416cae9076b642986d08ce22539cbe9c2e0abf502c02b0d8c3
-
SSDEEP
6144:5JzR/zZVVZU5CRVrtv35CPXbo92ynn8sbeWDJk4sNnVCj:vzRlVVzRFbet4OnV
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fphafl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oelmai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcaomf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Copfbfjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epaogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eflgccbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlkpjpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bloqah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plcdgfbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajdadamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plahag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elmigj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeempocb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogjimd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aenbdoii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgodbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhlifi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogmfbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebgacddo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hicodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iaeiieeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecpgmhai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njbcim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgodbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbehoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmjejphb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiedjneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blmdlhmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejbfhfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhjdbcef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhnfkigh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qeqbkkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doobajme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnefdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 709b1676668000eeb8f96fa8e826ea777e2bc6b57dfcd363efc7b5b2609771cf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlblkhei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjdbnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nghphaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oomhcbjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baildokg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chemfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfflopdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amejeljk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chemfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgdbhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjjddchg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpjoqhah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmqdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plfamfpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adjigg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bingpmnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpfhcje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlcgeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhnjle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiellh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfflopdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hejoiedd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obigjnkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppjglfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkaqmeah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjlgiqbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqonkmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gddifnbk.exe -
Executes dropped EXE 64 IoCs
pid Process 3052 Kedaeh32.exe 2572 Khcnad32.exe 2712 Kakbjibo.exe 2580 Kanopipl.exe 2512 Lhggmchi.exe 2536 Loapim32.exe 1672 Lhjdbcef.exe 1600 Lgoacojo.exe 2704 Limmokib.exe 768 Lmiipi32.exe 2216 Llqcfe32.exe 1976 Lplogdmj.exe 2776 Mcjkcplm.exe 2560 Midcpj32.exe 1348 Mpolmdkg.exe 2996 Maphdl32.exe 1504 Mochnppo.exe 2552 Mnieom32.exe 2184 Mdcnlglc.exe 612 Mhnjle32.exe 1796 Mpjoqhah.exe 1048 Mhqfbebj.exe 1576 Mkobnqan.exe 600 Njbcim32.exe 2228 Naikkk32.exe 2976 Ngfcca32.exe 1728 Njdpomfe.exe 2944 Nlblkhei.exe 2672 Ndjdlffl.exe 2620 Nghphaeo.exe 2500 Njgldmdc.exe 2880 Nqqdag32.exe 2460 Ngkmnacm.exe 2736 Nfmmin32.exe 812 Nhlifi32.exe 1980 Nofabc32.exe 2396 Ncancbha.exe 1716 Nfpjomgd.exe 2784 Nhnfkigh.exe 2244 Nkmbgdfl.exe 2080 Nccjhafn.exe 1804 Ofbfdmeb.exe 1120 Ohqbqhde.exe 1036 Okoomd32.exe 1792 Oojknblb.exe 1064 Obigjnkf.exe 2132 Ofdcjm32.exe 2104 Oicpfh32.exe 2916 Okalbc32.exe 1000 Oomhcbjp.exe 2928 Obkdonic.exe 2728 Oiellh32.exe 2952 Okchhc32.exe 2888 Oqqapjnk.exe 1008 Oelmai32.exe 2188 Ogjimd32.exe 2532 Ondajnme.exe 2664 Oqcnfjli.exe 1652 Ocajbekl.exe 1708 Ogmfbd32.exe 1464 Ojkboo32.exe 2268 Paejki32.exe 1956 Pphjgfqq.exe 1500 Pgobhcac.exe -
Loads dropped DLL 64 IoCs
pid Process 2948 709b1676668000eeb8f96fa8e826ea777e2bc6b57dfcd363efc7b5b2609771cf.exe 2948 709b1676668000eeb8f96fa8e826ea777e2bc6b57dfcd363efc7b5b2609771cf.exe 3052 Kedaeh32.exe 3052 Kedaeh32.exe 2572 Khcnad32.exe 2572 Khcnad32.exe 2712 Kakbjibo.exe 2712 Kakbjibo.exe 2580 Kanopipl.exe 2580 Kanopipl.exe 2512 Lhggmchi.exe 2512 Lhggmchi.exe 2536 Loapim32.exe 2536 Loapim32.exe 1672 Lhjdbcef.exe 1672 Lhjdbcef.exe 1600 Lgoacojo.exe 1600 Lgoacojo.exe 2704 Limmokib.exe 2704 Limmokib.exe 768 Lmiipi32.exe 768 Lmiipi32.exe 2216 Llqcfe32.exe 2216 Llqcfe32.exe 1976 Lplogdmj.exe 1976 Lplogdmj.exe 2776 Mcjkcplm.exe 2776 Mcjkcplm.exe 2560 Midcpj32.exe 2560 Midcpj32.exe 1348 Mpolmdkg.exe 1348 Mpolmdkg.exe 2996 Maphdl32.exe 2996 Maphdl32.exe 1504 Mochnppo.exe 1504 Mochnppo.exe 2552 Mnieom32.exe 2552 Mnieom32.exe 2184 Mdcnlglc.exe 2184 Mdcnlglc.exe 612 Mhnjle32.exe 612 Mhnjle32.exe 1796 Mpjoqhah.exe 1796 Mpjoqhah.exe 1048 Mhqfbebj.exe 1048 Mhqfbebj.exe 1576 Mkobnqan.exe 1576 Mkobnqan.exe 600 Njbcim32.exe 600 Njbcim32.exe 2228 Naikkk32.exe 2228 Naikkk32.exe 2976 Ngfcca32.exe 2976 Ngfcca32.exe 1728 Njdpomfe.exe 1728 Njdpomfe.exe 2944 Nlblkhei.exe 2944 Nlblkhei.exe 2672 Ndjdlffl.exe 2672 Ndjdlffl.exe 2620 Nghphaeo.exe 2620 Nghphaeo.exe 2500 Njgldmdc.exe 2500 Njgldmdc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lhbjkfod.dll Ojkboo32.exe File created C:\Windows\SysWOW64\Qbbfopeg.exe Qlhnbf32.exe File opened for modification C:\Windows\SysWOW64\Elmigj32.exe Eecqjpee.exe File opened for modification C:\Windows\SysWOW64\Fmekoalh.exe Ffkcbgek.exe File created C:\Windows\SysWOW64\Fmlapp32.exe Feeiob32.exe File created C:\Windows\SysWOW64\Pcfcmd32.exe Ppjglfon.exe File created C:\Windows\SysWOW64\Jkdalhhc.dll Bpfcgg32.exe File opened for modification C:\Windows\SysWOW64\Baildokg.exe Bokphdld.exe File opened for modification C:\Windows\SysWOW64\Dqelenlc.exe Dbbkja32.exe File created C:\Windows\SysWOW64\Difoda32.dll Nlblkhei.exe File created C:\Windows\SysWOW64\Egdgmmje.dll Oqqapjnk.exe File opened for modification C:\Windows\SysWOW64\Qaefjm32.exe Qbbfopeg.exe File created C:\Windows\SysWOW64\Jkjecnop.dll Bkaqmeah.exe File created C:\Windows\SysWOW64\Oeeonk32.dll Cjlgiqbk.exe File opened for modification C:\Windows\SysWOW64\Gelppaof.exe Gobgcg32.exe File created C:\Windows\SysWOW64\Cabknqko.dll Hpmgqnfl.exe File created C:\Windows\SysWOW64\Oiogaqdb.dll Hjhhocjj.exe File created C:\Windows\SysWOW64\Jbfpbmji.dll Aoffmd32.exe File opened for modification C:\Windows\SysWOW64\Bhahlj32.exe Bingpmnl.exe File created C:\Windows\SysWOW64\Qdoneabg.dll Bnpmipql.exe File opened for modification C:\Windows\SysWOW64\Bnefdp32.exe Bhhnli32.exe File opened for modification C:\Windows\SysWOW64\Fnpnndgp.exe Fjdbnf32.exe File created C:\Windows\SysWOW64\Cphlljge.exe Cnippoha.exe File opened for modification C:\Windows\SysWOW64\Eeempocb.exe Ebgacddo.exe File created C:\Windows\SysWOW64\Hepmggig.dll Hckcmjep.exe File created C:\Windows\SysWOW64\Obigjnkf.exe Oojknblb.exe File opened for modification C:\Windows\SysWOW64\Pgobhcac.exe Pphjgfqq.exe File opened for modification C:\Windows\SysWOW64\Pmqdkj32.exe Pfflopdh.exe File created C:\Windows\SysWOW64\Hqddgc32.dll Adhlaggp.exe File opened for modification C:\Windows\SysWOW64\Bhcdaibd.exe Baildokg.exe File created C:\Windows\SysWOW64\Lonkjenl.dll Ebgacddo.exe File created C:\Windows\SysWOW64\Hlfdkoin.exe Hjhhocjj.exe File created C:\Windows\SysWOW64\Pgobhcac.exe Pphjgfqq.exe File created C:\Windows\SysWOW64\Ajdadamj.exe Adjigg32.exe File created C:\Windows\SysWOW64\Apcfahio.exe Alhjai32.exe File created C:\Windows\SysWOW64\Bnpmipql.exe Bkaqmeah.exe File created C:\Windows\SysWOW64\Cnippoha.exe Cfbhnaho.exe File created C:\Windows\SysWOW64\Mkobnqan.exe Mhqfbebj.exe File created C:\Windows\SysWOW64\Fcmbeioh.dll Piblek32.exe File created C:\Windows\SysWOW64\Dgdfmnkb.dll Bokphdld.exe File created C:\Windows\SysWOW64\Epaogi32.exe Eqonkmdh.exe File created C:\Windows\SysWOW64\Maphdl32.exe Mpolmdkg.exe File created C:\Windows\SysWOW64\Hkkmeglp.dll Hgdbhi32.exe File created C:\Windows\SysWOW64\Iacnpbdl.dll Ondajnme.exe File opened for modification C:\Windows\SysWOW64\Bdlblj32.exe Bpafkknm.exe File created C:\Windows\SysWOW64\Gelppaof.exe Gobgcg32.exe File created C:\Windows\SysWOW64\Hllopfgo.dll Ghmiam32.exe File created C:\Windows\SysWOW64\Mpjoqhah.exe Mhnjle32.exe File created C:\Windows\SysWOW64\Njdpomfe.exe Ngfcca32.exe File opened for modification C:\Windows\SysWOW64\Nfpjomgd.exe Ncancbha.exe File created C:\Windows\SysWOW64\Jngohf32.dll Apomfh32.exe File created C:\Windows\SysWOW64\Pknmbn32.dll Alenki32.exe File opened for modification C:\Windows\SysWOW64\Mhnjle32.exe Mdcnlglc.exe File opened for modification C:\Windows\SysWOW64\Pfbccp32.exe Pgobhcac.exe File created C:\Windows\SysWOW64\Bcaomf32.exe Baqbenep.exe File created C:\Windows\SysWOW64\Cillgpen.dll Dnneja32.exe File created C:\Windows\SysWOW64\Fhkpmjln.exe Fmekoalh.exe File created C:\Windows\SysWOW64\Jjcpjl32.dll Gddifnbk.exe File created C:\Windows\SysWOW64\Hnojdcfi.exe Hicodd32.exe File opened for modification C:\Windows\SysWOW64\Hacmcfge.exe Hodpgjha.exe File created C:\Windows\SysWOW64\Klealkpf.dll Loapim32.exe File created C:\Windows\SysWOW64\Mochnppo.exe Maphdl32.exe File opened for modification C:\Windows\SysWOW64\Ogjimd32.exe Oelmai32.exe File created C:\Windows\SysWOW64\Ocajbekl.exe Oqcnfjli.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3352 3328 WerFault.exe 264 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdecfpj.dll" Bopicc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffkcbgek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lplogdmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Midcpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nccjhafn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppjglfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfflopdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Penfelgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klealkpf.dll" Loapim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pofgpn32.dll" Qaefjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbfpbmji.dll" Aoffmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpkceld.dll" Bingpmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongbcmlc.dll" Ffkcbgek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfdaihk.dll" Pphjgfqq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qagcpljo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlfdkoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgmhlp32.dll" Dbehoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmibbifn.dll" Hogmmjfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kanopipl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhcbom32.dll" Nofabc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piblek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnbacbac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aiedjneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cibgai32.dll" Apcfahio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieqeidnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfekqdn.dll" Mochnppo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ondajnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmlgonbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihomanac.dll" Balijo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epafjqck.dll" Eqonkmdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfefiemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gobgcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnojdcfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogjimd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogjimd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajbdna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkebie32.dll" Baildokg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoipdkgg.dll" Bdlblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcaomf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlfdkoin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmiipi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njbcim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aifone32.dll" Aljgfioc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chemfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aloeodfi.dll" Fdapak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpocfncj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kedaeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpjoqhah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndjdlffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfbccp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blmdlhmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iknnbklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll" Hcifgjgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmqdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apcfahio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bagpopmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Doobajme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgfjbgmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambcae32.dll" Eloemi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcifgjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgoacojo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojgnpb.dll" Affhncfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apomfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjlgiqbk.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2948 wrote to memory of 3052 2948 709b1676668000eeb8f96fa8e826ea777e2bc6b57dfcd363efc7b5b2609771cf.exe 28 PID 2948 wrote to memory of 3052 2948 709b1676668000eeb8f96fa8e826ea777e2bc6b57dfcd363efc7b5b2609771cf.exe 28 PID 2948 wrote to memory of 3052 2948 709b1676668000eeb8f96fa8e826ea777e2bc6b57dfcd363efc7b5b2609771cf.exe 28 PID 2948 wrote to memory of 3052 2948 709b1676668000eeb8f96fa8e826ea777e2bc6b57dfcd363efc7b5b2609771cf.exe 28 PID 3052 wrote to memory of 2572 3052 Kedaeh32.exe 29 PID 3052 wrote to memory of 2572 3052 Kedaeh32.exe 29 PID 3052 wrote to memory of 2572 3052 Kedaeh32.exe 29 PID 3052 wrote to memory of 2572 3052 Kedaeh32.exe 29 PID 2572 wrote to memory of 2712 2572 Khcnad32.exe 30 PID 2572 wrote to memory of 2712 2572 Khcnad32.exe 30 PID 2572 wrote to memory of 2712 2572 Khcnad32.exe 30 PID 2572 wrote to memory of 2712 2572 Khcnad32.exe 30 PID 2712 wrote to memory of 2580 2712 Kakbjibo.exe 31 PID 2712 wrote to memory of 2580 2712 Kakbjibo.exe 31 PID 2712 wrote to memory of 2580 2712 Kakbjibo.exe 31 PID 2712 wrote to memory of 2580 2712 Kakbjibo.exe 31 PID 2580 wrote to memory of 2512 2580 Kanopipl.exe 32 PID 2580 wrote to memory of 2512 2580 Kanopipl.exe 32 PID 2580 wrote to memory of 2512 2580 Kanopipl.exe 32 PID 2580 wrote to memory of 2512 2580 Kanopipl.exe 32 PID 2512 wrote to memory of 2536 2512 Lhggmchi.exe 33 PID 2512 wrote to memory of 2536 2512 Lhggmchi.exe 33 PID 2512 wrote to memory of 2536 2512 Lhggmchi.exe 33 PID 2512 wrote to memory of 2536 2512 Lhggmchi.exe 33 PID 2536 wrote to memory of 1672 2536 Loapim32.exe 34 PID 2536 wrote to memory of 1672 2536 Loapim32.exe 34 PID 2536 wrote to memory of 1672 2536 Loapim32.exe 34 PID 2536 wrote to memory of 1672 2536 Loapim32.exe 34 PID 1672 wrote to memory of 1600 1672 Lhjdbcef.exe 35 PID 1672 wrote to memory of 1600 1672 Lhjdbcef.exe 35 PID 1672 wrote to memory of 1600 1672 Lhjdbcef.exe 35 PID 1672 wrote to memory of 1600 1672 Lhjdbcef.exe 35 PID 1600 wrote to memory of 2704 1600 Lgoacojo.exe 36 PID 1600 wrote to memory of 2704 1600 Lgoacojo.exe 36 PID 1600 wrote to memory of 2704 1600 Lgoacojo.exe 36 PID 1600 wrote to memory of 2704 1600 Lgoacojo.exe 36 PID 2704 wrote to memory of 768 2704 Limmokib.exe 37 PID 2704 wrote to memory of 768 2704 Limmokib.exe 37 PID 2704 wrote to memory of 768 2704 Limmokib.exe 37 PID 2704 wrote to memory of 768 2704 Limmokib.exe 37 PID 768 wrote to memory of 2216 768 Lmiipi32.exe 38 PID 768 wrote to memory of 2216 768 Lmiipi32.exe 38 PID 768 wrote to memory of 2216 768 Lmiipi32.exe 38 PID 768 wrote to memory of 2216 768 Lmiipi32.exe 38 PID 2216 wrote to memory of 1976 2216 Llqcfe32.exe 39 PID 2216 wrote to memory of 1976 2216 Llqcfe32.exe 39 PID 2216 wrote to memory of 1976 2216 Llqcfe32.exe 39 PID 2216 wrote to memory of 1976 2216 Llqcfe32.exe 39 PID 1976 wrote to memory of 2776 1976 Lplogdmj.exe 40 PID 1976 wrote to memory of 2776 1976 Lplogdmj.exe 40 PID 1976 wrote to memory of 2776 1976 Lplogdmj.exe 40 PID 1976 wrote to memory of 2776 1976 Lplogdmj.exe 40 PID 2776 wrote to memory of 2560 2776 Mcjkcplm.exe 41 PID 2776 wrote to memory of 2560 2776 Mcjkcplm.exe 41 PID 2776 wrote to memory of 2560 2776 Mcjkcplm.exe 41 PID 2776 wrote to memory of 2560 2776 Mcjkcplm.exe 41 PID 2560 wrote to memory of 1348 2560 Midcpj32.exe 42 PID 2560 wrote to memory of 1348 2560 Midcpj32.exe 42 PID 2560 wrote to memory of 1348 2560 Midcpj32.exe 42 PID 2560 wrote to memory of 1348 2560 Midcpj32.exe 42 PID 1348 wrote to memory of 2996 1348 Mpolmdkg.exe 43 PID 1348 wrote to memory of 2996 1348 Mpolmdkg.exe 43 PID 1348 wrote to memory of 2996 1348 Mpolmdkg.exe 43 PID 1348 wrote to memory of 2996 1348 Mpolmdkg.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\709b1676668000eeb8f96fa8e826ea777e2bc6b57dfcd363efc7b5b2609771cf.exe"C:\Users\Admin\AppData\Local\Temp\709b1676668000eeb8f96fa8e826ea777e2bc6b57dfcd363efc7b5b2609771cf.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Kedaeh32.exeC:\Windows\system32\Kedaeh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Khcnad32.exeC:\Windows\system32\Khcnad32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1504 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:612 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1048 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1576 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:600 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2228 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1728 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2944 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2500 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe33⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe34⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe35⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2396 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe39⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe41⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe43⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe44⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe45⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1792 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe48⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe49⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe50⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe52⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe54⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1008 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2532 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2664 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe60⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1464 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe63⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1956 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1500 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe66⤵
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1100 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1848 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe69⤵PID:1012
-
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe70⤵
- Drops file in System32 directory
- Modifies registry class
PID:816 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1388 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe72⤵PID:2108
-
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe73⤵PID:880
-
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2488 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1248 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe77⤵PID:1812
-
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe78⤵
- Modifies registry class
PID:2528 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe79⤵PID:2428
-
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe80⤵PID:3044
-
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2368 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe82⤵PID:3064
-
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe83⤵PID:2812
-
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe84⤵
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe85⤵
- Drops file in System32 directory
PID:2088 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe86⤵
- Drops file in System32 directory
PID:552 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe87⤵
- Modifies registry class
PID:336 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1984 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe89⤵PID:576
-
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe90⤵PID:1320
-
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe91⤵
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe92⤵
- Modifies registry class
PID:452 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe93⤵PID:2124
-
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe94⤵PID:688
-
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe95⤵PID:2608
-
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe96⤵
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe97⤵
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe98⤵
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1304 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe100⤵PID:2344
-
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2680 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe104⤵PID:2420
-
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe105⤵
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2256 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:360 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:840 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe109⤵
- Drops file in System32 directory
PID:1308 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe110⤵
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe111⤵
- Drops file in System32 directory
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe112⤵PID:2592
-
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe113⤵
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe114⤵
- Drops file in System32 directory
PID:2632 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe115⤵
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe117⤵PID:2640
-
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe119⤵
- Drops file in System32 directory
PID:2036 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe121⤵PID:2616
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-