Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
28/04/2024, 18:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
044a30fdc86e8f3b4d4716e163416d3ac74240d8dc42d59f67a564704054fb21.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
044a30fdc86e8f3b4d4716e163416d3ac74240d8dc42d59f67a564704054fb21.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
044a30fdc86e8f3b4d4716e163416d3ac74240d8dc42d59f67a564704054fb21.exe
-
Size
128KB
-
MD5
d580a8ede929871240a687bdc0c13a47
-
SHA1
4a649832f5b5b5eedaeb430dca4babd84d674d13
-
SHA256
044a30fdc86e8f3b4d4716e163416d3ac74240d8dc42d59f67a564704054fb21
-
SHA512
925950c40fd5047b9bb2a6f74f5edf1e2b72b7fe532617120c10c9bab8c4772671188a1eac8b7eebbfdd7488add593871ca57ea201ae7dc5db70a4dd7f09eb73
-
SSDEEP
1536:+SqrP/fe/imhCUTCujCP2avQjILQ9FKGXllUDtM60TD4ruhiZlrQIFiglF9xZ95Q:C2hhRxCP2a2KG7UDd0pCrQIFdFtLQ
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhggmchi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndjdlffl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahakmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdqafgnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojkboo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paejki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Affhncfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkodhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjjddchg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lplogdmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oghlgdgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amndem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjndop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckdjbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flmefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chcqpmep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqhhknjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eihfjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmlkpjpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plfamfpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alenki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnpmipql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnlidb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmafennb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndgggf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omgaek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbpjiphi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faokjpfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcifgjgc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiekid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncancbha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhfagipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egamfkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmnbkinf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgpgce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhjpaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pipopl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ailkjmpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckdjbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpfcgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egdilkbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbpodagk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeqdep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Libgjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndjdlffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjmkcbcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adjigg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgbdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjbmjplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgilchkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnbjopoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnefdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djbiicon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghoegl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnnojlpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgobhcac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plcdgfbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpafkknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffnphf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmjejphb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kibjkgca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjknnbed.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejgcdb32.exe -
Executes dropped EXE 64 IoCs
pid Process 2308 Kfaajlfp.exe 2568 Khcnad32.exe 2644 Kbhbom32.exe 2700 Kibjkgca.exe 2652 Kjcgco32.exe 2500 Kanopipl.exe 784 Lhggmchi.exe 2740 Lkfciogm.exe 1636 Laplei32.exe 1916 Lhjdbcef.exe 824 Lmgmjjdn.exe 1588 Lpeifeca.exe 648 Lgoacojo.exe 2096 Limmokib.exe 2356 Lpgele32.exe 540 Lganiohl.exe 2828 Lmkfei32.exe 1732 Ldenbcge.exe 1260 Lgdjnofi.exe 2840 Libgjj32.exe 1988 Lmnbkinf.exe 1492 Lplogdmj.exe 1888 Meigpkka.exe 2196 Mpolmdkg.exe 2332 Moalhq32.exe 1840 Mekdekin.exe 2620 Mhjpaf32.exe 2800 Mabejlob.exe 2540 Mdqafgnf.exe 2404 Mlgigdoh.exe 2372 Mkjica32.exe 2692 Mepnpj32.exe 2736 Mdcnlglc.exe 2768 Mohbip32.exe 2256 Magnek32.exe 404 Mkobnqan.exe 2448 Nnnojlpa.exe 1464 Ndgggf32.exe 2888 Njdpomfe.exe 2208 Nlblkhei.exe 268 Ndjdlffl.exe 532 Nfkpdn32.exe 1480 Nleiqhcg.exe 1156 Nfmmin32.exe 2968 Njiijlbp.exe 976 Ncancbha.exe 1560 Nbdnoo32.exe 2068 Njkfpl32.exe 2124 Nmjblg32.exe 2136 Nohnhc32.exe 2484 Nbfjdn32.exe 2504 Ofbfdmeb.exe 2548 Omloag32.exe 2392 Okoomd32.exe 2716 Obigjnkf.exe 2676 Ofdcjm32.exe 1856 Oicpfh32.exe 1860 Oomhcbjp.exe 1876 Onphoo32.exe 2852 Odjpkihg.exe 2152 Oghlgdgk.exe 1952 Ojficpfn.exe 924 Obnqem32.exe 1248 Oelmai32.exe -
Loads dropped DLL 64 IoCs
pid Process 2276 044a30fdc86e8f3b4d4716e163416d3ac74240d8dc42d59f67a564704054fb21.exe 2276 044a30fdc86e8f3b4d4716e163416d3ac74240d8dc42d59f67a564704054fb21.exe 2308 Kfaajlfp.exe 2308 Kfaajlfp.exe 2568 Khcnad32.exe 2568 Khcnad32.exe 2644 Kbhbom32.exe 2644 Kbhbom32.exe 2700 Kibjkgca.exe 2700 Kibjkgca.exe 2652 Kjcgco32.exe 2652 Kjcgco32.exe 2500 Kanopipl.exe 2500 Kanopipl.exe 784 Lhggmchi.exe 784 Lhggmchi.exe 2740 Lkfciogm.exe 2740 Lkfciogm.exe 1636 Laplei32.exe 1636 Laplei32.exe 1916 Lhjdbcef.exe 1916 Lhjdbcef.exe 824 Lmgmjjdn.exe 824 Lmgmjjdn.exe 1588 Lpeifeca.exe 1588 Lpeifeca.exe 648 Lgoacojo.exe 648 Lgoacojo.exe 2096 Limmokib.exe 2096 Limmokib.exe 2356 Lpgele32.exe 2356 Lpgele32.exe 540 Lganiohl.exe 540 Lganiohl.exe 2828 Lmkfei32.exe 2828 Lmkfei32.exe 1732 Ldenbcge.exe 1732 Ldenbcge.exe 1260 Lgdjnofi.exe 1260 Lgdjnofi.exe 2840 Libgjj32.exe 2840 Libgjj32.exe 1988 Lmnbkinf.exe 1988 Lmnbkinf.exe 1492 Lplogdmj.exe 1492 Lplogdmj.exe 1888 Meigpkka.exe 1888 Meigpkka.exe 2196 Mpolmdkg.exe 2196 Mpolmdkg.exe 2332 Moalhq32.exe 2332 Moalhq32.exe 1840 Mekdekin.exe 1840 Mekdekin.exe 2620 Mhjpaf32.exe 2620 Mhjpaf32.exe 2800 Mabejlob.exe 2800 Mabejlob.exe 2540 Mdqafgnf.exe 2540 Mdqafgnf.exe 2404 Mlgigdoh.exe 2404 Mlgigdoh.exe 2372 Mkjica32.exe 2372 Mkjica32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hgdbhi32.exe Hcifgjgc.exe File opened for modification C:\Windows\SysWOW64\Comimg32.exe Clomqk32.exe File created C:\Windows\SysWOW64\Ohbepi32.dll Fmhheqje.exe File opened for modification C:\Windows\SysWOW64\Fpdhklkl.exe Fmekoalh.exe File created C:\Windows\SysWOW64\Gkddnkjk.dll Aigaon32.exe File opened for modification C:\Windows\SysWOW64\Abbbnchb.exe Aoffmd32.exe File created C:\Windows\SysWOW64\Oockje32.dll Cjbmjplb.exe File opened for modification C:\Windows\SysWOW64\Faokjpfd.exe Fnpnndgp.exe File created C:\Windows\SysWOW64\Glaoalkh.exe Gegfdb32.exe File opened for modification C:\Windows\SysWOW64\Adjigg32.exe Apomfh32.exe File created C:\Windows\SysWOW64\Bjmgnnib.dll Mabejlob.exe File opened for modification C:\Windows\SysWOW64\Pnbacbac.exe Plcdgfbo.exe File created C:\Windows\SysWOW64\Mpolmdkg.exe Meigpkka.exe File created C:\Windows\SysWOW64\Mefagn32.dll Qhmbagfa.exe File created C:\Windows\SysWOW64\Accikb32.dll Bdooajdc.exe File created C:\Windows\SysWOW64\Ahcfok32.dll Dbehoa32.exe File created C:\Windows\SysWOW64\Dfgmhd32.exe Ddeaalpg.exe File created C:\Windows\SysWOW64\Jfpjfeia.dll Dmafennb.exe File created C:\Windows\SysWOW64\Njdpomfe.exe Ndgggf32.exe File created C:\Windows\SysWOW64\Eqpofkjo.dll Ihoafpmp.exe File opened for modification C:\Windows\SysWOW64\Cljcelan.exe Cgmkmecg.exe File created C:\Windows\SysWOW64\Mhllhfdh.dll Mkobnqan.exe File opened for modification C:\Windows\SysWOW64\Ongnonkb.exe Ojkboo32.exe File opened for modification C:\Windows\SysWOW64\Cdakgibq.exe Cljcelan.exe File created C:\Windows\SysWOW64\Lnnhje32.dll Gpknlk32.exe File created C:\Windows\SysWOW64\Mncnkh32.dll Gopkmhjk.exe File opened for modification C:\Windows\SysWOW64\Hkpnhgge.exe Hgdbhi32.exe File created C:\Windows\SysWOW64\Mhfkbo32.dll Henidd32.exe File opened for modification C:\Windows\SysWOW64\Lgoacojo.exe Lpeifeca.exe File opened for modification C:\Windows\SysWOW64\Plfamfpm.exe Pigeqkai.exe File opened for modification C:\Windows\SysWOW64\Dfijnd32.exe Dgfjbgmh.exe File created C:\Windows\SysWOW64\Ebgacddo.exe Epieghdk.exe File created C:\Windows\SysWOW64\Ojiich32.dll Oghlgdgk.exe File created C:\Windows\SysWOW64\Dmafennb.exe Djbiicon.exe File opened for modification C:\Windows\SysWOW64\Bpfcgg32.exe Ailkjmpo.exe File opened for modification C:\Windows\SysWOW64\Gopkmhjk.exe Gpmjak32.exe File created C:\Windows\SysWOW64\Fmlapp32.exe Fiaeoang.exe File opened for modification C:\Windows\SysWOW64\Dqhhknjp.exe Dbehoa32.exe File created C:\Windows\SysWOW64\Dnlidb32.exe Djpmccqq.exe File opened for modification C:\Windows\SysWOW64\Eqonkmdh.exe Eihfjo32.exe File created C:\Windows\SysWOW64\Odpegjpg.dll Hkpnhgge.exe File created C:\Windows\SysWOW64\Mbjlmdgj.dll Oicpfh32.exe File opened for modification C:\Windows\SysWOW64\Apomfh32.exe Aiedjneg.exe File created C:\Windows\SysWOW64\Abbbnchb.exe Aoffmd32.exe File created C:\Windows\SysWOW64\Fpfdalii.exe Fmhheqje.exe File created C:\Windows\SysWOW64\Lmnbkinf.exe Libgjj32.exe File created C:\Windows\SysWOW64\Ckdjbh32.exe Claifkkf.exe File created C:\Windows\SysWOW64\Hgdbhi32.exe Hcifgjgc.exe File created C:\Windows\SysWOW64\Adhlaggp.exe Amndem32.exe File created C:\Windows\SysWOW64\Mjccnjpk.dll Amndem32.exe File created C:\Windows\SysWOW64\Jbfpbmji.dll Aoffmd32.exe File opened for modification C:\Windows\SysWOW64\Bagpopmj.exe Boiccdnf.exe File opened for modification C:\Windows\SysWOW64\Hggomh32.exe Hdhbam32.exe File created C:\Windows\SysWOW64\Moalhq32.exe Mpolmdkg.exe File opened for modification C:\Windows\SysWOW64\Lmnbkinf.exe Libgjj32.exe File created C:\Windows\SysWOW64\Ajphib32.exe Ahakmf32.exe File created C:\Windows\SysWOW64\Pknmbn32.dll Apajlhka.exe File opened for modification C:\Windows\SysWOW64\Bnbjopoi.exe Bghabf32.exe File created C:\Windows\SysWOW64\Ognnoaka.dll Cgmkmecg.exe File opened for modification C:\Windows\SysWOW64\Kbhbom32.exe Khcnad32.exe File created C:\Windows\SysWOW64\Pjholl32.dll Nleiqhcg.exe File opened for modification C:\Windows\SysWOW64\Nohnhc32.exe Nmjblg32.exe File opened for modification C:\Windows\SysWOW64\Iknnbklc.exe Ihoafpmp.exe File created C:\Windows\SysWOW64\Nfkpdn32.exe Ndjdlffl.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4064 3932 WerFault.exe 326 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Copfbfjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfbenjka.dll" Dflkdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhkpmjln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmgmjjdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odbkcj32.dll" Plfamfpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afiecb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bloqah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oojimd32.dll" Mpolmdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djnpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gafpmhio.dll" Kibjkgca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lplogdmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfmimf32.dll" Mkjica32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofdcjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcgeaj32.dll" Pmnhfjmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doobajme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epdkli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqmnhocj.dll" Fnpnndgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhecef.dll" Hellne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcehqcli.dll" Lpeifeca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gghcajge.dll" Mlgigdoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhjfhhen.dll" Okoomd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmlkpjpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpbjlbfp.dll" Egdilkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goddhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllopfgo.dll" Ggpimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkfciogm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfiidobe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qagcpljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfmpcjge.dll" Bjijdadm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinika32.dll" Qagcpljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpfcgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckffgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgmhlp32.dll" Ddcdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qljkhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnefdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdlnkmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqhhknjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oghlgdgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Begeknan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddckpim.dll" Pipopl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peiljl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkgkbipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhfbdd32.dll" Afiecb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Comimg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmloladn.dll" Flabbihl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieqeidnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flcnijgi.dll" Dfgmhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gogangdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnhgoq32.dll" Nbfjdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ailkjmpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omeope32.dll" Chhjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgaqgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfaajlfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gangic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdfflm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojieip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pchpbded.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckdjbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghhofmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmgmhmc.dll" Fmjejphb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfmmin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qljkhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpfcgg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2276 wrote to memory of 2308 2276 044a30fdc86e8f3b4d4716e163416d3ac74240d8dc42d59f67a564704054fb21.exe 28 PID 2276 wrote to memory of 2308 2276 044a30fdc86e8f3b4d4716e163416d3ac74240d8dc42d59f67a564704054fb21.exe 28 PID 2276 wrote to memory of 2308 2276 044a30fdc86e8f3b4d4716e163416d3ac74240d8dc42d59f67a564704054fb21.exe 28 PID 2276 wrote to memory of 2308 2276 044a30fdc86e8f3b4d4716e163416d3ac74240d8dc42d59f67a564704054fb21.exe 28 PID 2308 wrote to memory of 2568 2308 Kfaajlfp.exe 29 PID 2308 wrote to memory of 2568 2308 Kfaajlfp.exe 29 PID 2308 wrote to memory of 2568 2308 Kfaajlfp.exe 29 PID 2308 wrote to memory of 2568 2308 Kfaajlfp.exe 29 PID 2568 wrote to memory of 2644 2568 Khcnad32.exe 30 PID 2568 wrote to memory of 2644 2568 Khcnad32.exe 30 PID 2568 wrote to memory of 2644 2568 Khcnad32.exe 30 PID 2568 wrote to memory of 2644 2568 Khcnad32.exe 30 PID 2644 wrote to memory of 2700 2644 Kbhbom32.exe 31 PID 2644 wrote to memory of 2700 2644 Kbhbom32.exe 31 PID 2644 wrote to memory of 2700 2644 Kbhbom32.exe 31 PID 2644 wrote to memory of 2700 2644 Kbhbom32.exe 31 PID 2700 wrote to memory of 2652 2700 Kibjkgca.exe 32 PID 2700 wrote to memory of 2652 2700 Kibjkgca.exe 32 PID 2700 wrote to memory of 2652 2700 Kibjkgca.exe 32 PID 2700 wrote to memory of 2652 2700 Kibjkgca.exe 32 PID 2652 wrote to memory of 2500 2652 Kjcgco32.exe 33 PID 2652 wrote to memory of 2500 2652 Kjcgco32.exe 33 PID 2652 wrote to memory of 2500 2652 Kjcgco32.exe 33 PID 2652 wrote to memory of 2500 2652 Kjcgco32.exe 33 PID 2500 wrote to memory of 784 2500 Kanopipl.exe 34 PID 2500 wrote to memory of 784 2500 Kanopipl.exe 34 PID 2500 wrote to memory of 784 2500 Kanopipl.exe 34 PID 2500 wrote to memory of 784 2500 Kanopipl.exe 34 PID 784 wrote to memory of 2740 784 Lhggmchi.exe 35 PID 784 wrote to memory of 2740 784 Lhggmchi.exe 35 PID 784 wrote to memory of 2740 784 Lhggmchi.exe 35 PID 784 wrote to memory of 2740 784 Lhggmchi.exe 35 PID 2740 wrote to memory of 1636 2740 Lkfciogm.exe 36 PID 2740 wrote to memory of 1636 2740 Lkfciogm.exe 36 PID 2740 wrote to memory of 1636 2740 Lkfciogm.exe 36 PID 2740 wrote to memory of 1636 2740 Lkfciogm.exe 36 PID 1636 wrote to memory of 1916 1636 Laplei32.exe 37 PID 1636 wrote to memory of 1916 1636 Laplei32.exe 37 PID 1636 wrote to memory of 1916 1636 Laplei32.exe 37 PID 1636 wrote to memory of 1916 1636 Laplei32.exe 37 PID 1916 wrote to memory of 824 1916 Lhjdbcef.exe 38 PID 1916 wrote to memory of 824 1916 Lhjdbcef.exe 38 PID 1916 wrote to memory of 824 1916 Lhjdbcef.exe 38 PID 1916 wrote to memory of 824 1916 Lhjdbcef.exe 38 PID 824 wrote to memory of 1588 824 Lmgmjjdn.exe 39 PID 824 wrote to memory of 1588 824 Lmgmjjdn.exe 39 PID 824 wrote to memory of 1588 824 Lmgmjjdn.exe 39 PID 824 wrote to memory of 1588 824 Lmgmjjdn.exe 39 PID 1588 wrote to memory of 648 1588 Lpeifeca.exe 40 PID 1588 wrote to memory of 648 1588 Lpeifeca.exe 40 PID 1588 wrote to memory of 648 1588 Lpeifeca.exe 40 PID 1588 wrote to memory of 648 1588 Lpeifeca.exe 40 PID 648 wrote to memory of 2096 648 Lgoacojo.exe 41 PID 648 wrote to memory of 2096 648 Lgoacojo.exe 41 PID 648 wrote to memory of 2096 648 Lgoacojo.exe 41 PID 648 wrote to memory of 2096 648 Lgoacojo.exe 41 PID 2096 wrote to memory of 2356 2096 Limmokib.exe 42 PID 2096 wrote to memory of 2356 2096 Limmokib.exe 42 PID 2096 wrote to memory of 2356 2096 Limmokib.exe 42 PID 2096 wrote to memory of 2356 2096 Limmokib.exe 42 PID 2356 wrote to memory of 540 2356 Lpgele32.exe 43 PID 2356 wrote to memory of 540 2356 Lpgele32.exe 43 PID 2356 wrote to memory of 540 2356 Lpgele32.exe 43 PID 2356 wrote to memory of 540 2356 Lpgele32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\044a30fdc86e8f3b4d4716e163416d3ac74240d8dc42d59f67a564704054fb21.exe"C:\Users\Admin\AppData\Local\Temp\044a30fdc86e8f3b4d4716e163416d3ac74240d8dc42d59f67a564704054fb21.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Khcnad32.exeC:\Windows\system32\Khcnad32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Kibjkgca.exeC:\Windows\system32\Kibjkgca.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:784 -
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:648 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:540 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1260 -
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2840 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1988 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1888 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2332 -
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1840 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2800 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2540 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe33⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe34⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe35⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe36⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:404 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1464 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe40⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe41⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:268 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe43⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1480 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe46⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe48⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe49⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2124 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe51⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe53⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe54⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe56⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1856 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe59⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe60⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe61⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe63⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe64⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe65⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe66⤵PID:1016
-
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe67⤵
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:752 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe69⤵PID:1752
-
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe70⤵PID:2584
-
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe72⤵PID:2656
-
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2456 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2424 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe75⤵PID:2752
-
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1884 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1364 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe78⤵PID:1472
-
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe79⤵PID:2816
-
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe80⤵
- Modifies registry class
PID:1076 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe81⤵PID:2992
-
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe82⤵
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe83⤵PID:1624
-
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe84⤵
- Modifies registry class
PID:380 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe85⤵PID:3032
-
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1280 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe87⤵PID:2452
-
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe88⤵
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe89⤵
- Drops file in System32 directory
PID:472 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2428 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe92⤵PID:1468
-
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe93⤵PID:2236
-
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe94⤵
- Drops file in System32 directory
PID:1120 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1380 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe96⤵PID:2000
-
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe97⤵PID:2040
-
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe98⤵PID:1716
-
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe99⤵
- Modifies registry class
PID:2528 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:308 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe101⤵
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe102⤵
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe103⤵PID:300
-
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1696 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe105⤵PID:1368
-
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1700 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe107⤵PID:2212
-
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2348 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe109⤵
- Drops file in System32 directory
PID:972 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe110⤵
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1640 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe112⤵
- Modifies registry class
PID:1520 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe113⤵
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2496 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe115⤵
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe116⤵PID:2764
-
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe117⤵PID:2672
-
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe118⤵PID:864
-
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe119⤵
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe120⤵PID:1904
-
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe121⤵PID:3016
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-