Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 06:34
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
f8e5b1ecb7af69d4e374d509772d1bda8a57cf53944bcc041172cccbfd3e7a48.exe
Resource
win7-20240215-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
f8e5b1ecb7af69d4e374d509772d1bda8a57cf53944bcc041172cccbfd3e7a48.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
f8e5b1ecb7af69d4e374d509772d1bda8a57cf53944bcc041172cccbfd3e7a48.exe
-
Size
280KB
-
MD5
dcc3d6991d0932a427113698420757c6
-
SHA1
a13a2e6ec569c663277a7df627f55d077c9942c0
-
SHA256
f8e5b1ecb7af69d4e374d509772d1bda8a57cf53944bcc041172cccbfd3e7a48
-
SHA512
fe70d4f3477374623f95c19643cf078be817aed958320dc7143dc25a00eaf0b56e27d722581bd508b914f2d7e51465e9fcb977efb619254a79db451e82317fa0
-
SSDEEP
6144:8HSm1oM9c77b6+i/GOORjMmRUoooooooooooooooooooooooooy/G3:8HSm1o8c77bLi//OVLCooooooooooooy
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekklaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oklkmnbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onjgiiad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onmdoioa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooeggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efaibbij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hellne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqalka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebodiofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpjbad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amejeljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejgcdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idklfpon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmmcjehm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqbddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lijjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgeefbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbhela32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjmkcbcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iqmcpahh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofjfhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgbdhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmjjea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldfgebbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhdlkdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dcenlceh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ambmpmln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kihqkagp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbkeib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eajaoq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqmcpahh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpgljfbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oenifh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflkdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdgneh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcnpbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfekcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oklkmnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mepnpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbgbni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enfenplo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eibbcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eplkpgnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgknheej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fckjalhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fcmgfkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmmcjehm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peiepfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dggcffhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhcdaibd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfijnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idklfpon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lajhofao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blgpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cghggc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qecoqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghhofmql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikbgmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Leajdfnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blbfjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbkknojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdapak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nefpnhlc.exe -
UPX dump on OEP (original entry point) 64 IoCs
resource yara_rule behavioral1/files/0x000b0000000144e0-5.dat UPX behavioral1/files/0x0007000000014ba7-19.dat UPX behavioral1/files/0x0007000000014eb9-34.dat UPX behavioral1/files/0x00080000000153d9-47.dat UPX behavioral1/files/0x0006000000015cce-60.dat UPX behavioral1/files/0x0006000000015ce3-74.dat UPX behavioral1/files/0x0006000000015d0c-88.dat UPX behavioral1/files/0x0006000000015d44-104.dat UPX behavioral1/files/0x0006000000015e09-114.dat UPX behavioral1/files/0x0006000000015f3c-128.dat UPX behavioral1/files/0x00060000000160cc-142.dat UPX behavioral1/files/0x00060000000162c9-161.dat UPX behavioral1/files/0x000600000001654a-176.dat UPX behavioral1/files/0x0006000000016813-190.dat UPX behavioral1/files/0x0006000000016c42-217.dat UPX behavioral1/files/0x0006000000016c1d-205.dat UPX behavioral1/files/0x0006000000016cb2-225.dat UPX behavioral1/files/0x0006000000016ce4-236.dat UPX behavioral1/files/0x0006000000016cfd-248.dat UPX behavioral1/files/0x0006000000016d0e-257.dat UPX behavioral1/files/0x0006000000016d1f-265.dat UPX behavioral1/files/0x0006000000016d36-276.dat UPX behavioral1/files/0x0006000000016d9f-286.dat UPX behavioral1/files/0x0006000000016db3-298.dat UPX behavioral1/files/0x0006000000016fe8-310.dat UPX behavioral1/files/0x00060000000173e5-319.dat UPX behavioral1/files/0x00060000000175ac-331.dat UPX behavioral1/files/0x00060000000175b8-342.dat UPX behavioral1/files/0x0009000000018640-353.dat UPX behavioral1/files/0x00050000000186c1-362.dat UPX behavioral1/files/0x0005000000018700-375.dat UPX behavioral1/files/0x000500000001874c-384.dat UPX behavioral1/files/0x00050000000191eb-397.dat UPX behavioral1/files/0x0005000000019223-406.dat UPX behavioral1/files/0x0005000000019233-418.dat UPX behavioral1/files/0x0005000000019248-427.dat UPX behavioral1/files/0x0005000000019331-439.dat UPX behavioral1/files/0x000500000001935b-450.dat UPX behavioral1/files/0x00050000000193e2-460.dat UPX behavioral1/files/0x0005000000019413-471.dat UPX behavioral1/files/0x0005000000019426-482.dat UPX behavioral1/files/0x0005000000019437-492.dat UPX behavioral1/files/0x000500000001948d-505.dat UPX behavioral1/files/0x00050000000194c4-516.dat UPX behavioral1/files/0x0005000000019520-525.dat UPX behavioral1/files/0x00050000000195b2-536.dat UPX behavioral1/files/0x00050000000195eb-548.dat UPX behavioral1/files/0x00050000000195ef-557.dat UPX behavioral1/files/0x00050000000195f1-569.dat UPX behavioral1/files/0x00050000000195f5-578.dat UPX behavioral1/files/0x0005000000019607-590.dat UPX behavioral1/files/0x000500000001968d-602.dat UPX behavioral1/files/0x0005000000019961-612.dat UPX behavioral1/files/0x0005000000019c21-623.dat UPX behavioral1/files/0x0005000000019c3e-637.dat UPX behavioral1/files/0x0005000000019d2f-649.dat UPX behavioral1/files/0x0005000000019da2-659.dat UPX behavioral1/files/0x0005000000019fa5-671.dat UPX behavioral1/files/0x000500000001a06b-682.dat UPX behavioral1/files/0x000500000001a2ec-697.dat UPX behavioral1/files/0x000500000001a40c-706.dat UPX behavioral1/files/0x000500000001a410-718.dat UPX behavioral1/files/0x000500000001a416-731.dat UPX behavioral1/files/0x000500000001a476-742.dat UPX -
Executes dropped EXE 64 IoCs
pid Process 1668 Lfmdnp32.exe 2124 Lpeifeca.exe 2600 Lmiipi32.exe 2568 Lbfahp32.exe 2624 Lmkfei32.exe 2520 Lpjbad32.exe 1728 Lefkjkmc.exe 2676 Lmnbkinf.exe 2548 Mcjkcplm.exe 1988 Meigpkka.exe 1444 Moalhq32.exe 2840 Maphdl32.exe 348 Mcodno32.exe 2192 Menakj32.exe 2432 Madapkmp.exe 2172 Mepnpj32.exe 636 Mdejaf32.exe 2416 Mgcgmb32.exe 1552 Njbcim32.exe 1100 Nplkfgoe.exe 1044 Ncjgbcoi.exe 1892 Njdpomfe.exe 1164 Nlblkhei.exe 1812 Ncmdhb32.exe 2404 Njgldmdc.exe 1316 Nleiqhcg.exe 1748 Ncoamb32.exe 2580 Nhlifi32.exe 2604 Nofabc32.exe 2612 Nbdnoo32.exe 2808 Nmjblg32.exe 1840 Nkmbgdfl.exe 2460 Nbfjdn32.exe 2968 Omloag32.exe 2780 Onmkio32.exe 2036 Ofdcjm32.exe 2508 Okalbc32.exe 2788 Obkdonic.exe 1600 Oiellh32.exe 2692 Onbddoog.exe 2916 Oelmai32.exe 2180 Ojieip32.exe 1724 Oenifh32.exe 2412 Ogmfbd32.exe 2264 Ojkboo32.exe 1560 Paejki32.exe 608 Pccfge32.exe 944 Pipopl32.exe 2288 Paggai32.exe 2304 Pbiciana.exe 2064 Piblek32.exe 1036 Plahag32.exe 2712 Ppmdbe32.exe 2716 Pfflopdh.exe 2144 Piehkkcl.exe 3052 Pmqdkj32.exe 468 Ppoqge32.exe 2572 Pfiidobe.exe 2020 Pelipl32.exe 2516 Phjelg32.exe 2028 Ppamme32.exe 2700 Pabjem32.exe 2112 Pijbfj32.exe 1932 Qlhnbf32.exe -
Loads dropped DLL 64 IoCs
pid Process 2204 f8e5b1ecb7af69d4e374d509772d1bda8a57cf53944bcc041172cccbfd3e7a48.exe 2204 f8e5b1ecb7af69d4e374d509772d1bda8a57cf53944bcc041172cccbfd3e7a48.exe 1668 Lfmdnp32.exe 1668 Lfmdnp32.exe 2124 Lpeifeca.exe 2124 Lpeifeca.exe 2600 Lmiipi32.exe 2600 Lmiipi32.exe 2568 Lbfahp32.exe 2568 Lbfahp32.exe 2624 Lmkfei32.exe 2624 Lmkfei32.exe 2520 Lpjbad32.exe 2520 Lpjbad32.exe 1728 Lefkjkmc.exe 1728 Lefkjkmc.exe 2676 Lmnbkinf.exe 2676 Lmnbkinf.exe 2548 Mcjkcplm.exe 2548 Mcjkcplm.exe 1988 Meigpkka.exe 1988 Meigpkka.exe 1444 Moalhq32.exe 1444 Moalhq32.exe 2840 Maphdl32.exe 2840 Maphdl32.exe 348 Mcodno32.exe 348 Mcodno32.exe 2192 Menakj32.exe 2192 Menakj32.exe 2432 Madapkmp.exe 2432 Madapkmp.exe 2172 Mepnpj32.exe 2172 Mepnpj32.exe 636 Mdejaf32.exe 636 Mdejaf32.exe 2416 Mgcgmb32.exe 2416 Mgcgmb32.exe 1552 Njbcim32.exe 1552 Njbcim32.exe 1100 Nplkfgoe.exe 1100 Nplkfgoe.exe 1044 Ncjgbcoi.exe 1044 Ncjgbcoi.exe 1892 Njdpomfe.exe 1892 Njdpomfe.exe 1164 Nlblkhei.exe 1164 Nlblkhei.exe 1812 Ncmdhb32.exe 1812 Ncmdhb32.exe 2404 Njgldmdc.exe 2404 Njgldmdc.exe 1316 Nleiqhcg.exe 1316 Nleiqhcg.exe 1748 Ncoamb32.exe 1748 Ncoamb32.exe 2580 Nhlifi32.exe 2580 Nhlifi32.exe 2604 Nofabc32.exe 2604 Nofabc32.exe 2612 Nbdnoo32.exe 2612 Nbdnoo32.exe 2808 Nmjblg32.exe 2808 Nmjblg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Andkhh32.dll Aigaon32.exe File created C:\Windows\SysWOW64\Egdilkbf.exe Eajaoq32.exe File created C:\Windows\SysWOW64\Hckcmjep.exe Hpmgqnfl.exe File created C:\Windows\SysWOW64\Bafidiio.exe Bioqclil.exe File opened for modification C:\Windows\SysWOW64\Bafidiio.exe Bioqclil.exe File created C:\Windows\SysWOW64\Mghohc32.dll Cgejac32.exe File created C:\Windows\SysWOW64\Eofjhkoj.dll Dpbheh32.exe File created C:\Windows\SysWOW64\Nlblkhei.exe Njdpomfe.exe File created C:\Windows\SysWOW64\Nbdnoo32.exe Nofabc32.exe File created C:\Windows\SysWOW64\Hhjhkq32.exe Hellne32.exe File created C:\Windows\SysWOW64\Fkiqoh32.dll Kmjfdejp.exe File created C:\Windows\SysWOW64\Mdmmfa32.exe Mpbaebdd.exe File created C:\Windows\SysWOW64\Lkebie32.dll Beehencq.exe File opened for modification C:\Windows\SysWOW64\Dcknbh32.exe Doobajme.exe File created C:\Windows\SysWOW64\Fhkpmjln.exe Fpdhklkl.exe File created C:\Windows\SysWOW64\Jbllihbf.exe Jkbcln32.exe File created C:\Windows\SysWOW64\Cfiini32.dll Mlmlecec.exe File opened for modification C:\Windows\SysWOW64\Eqdajkkb.exe Enfenplo.exe File created C:\Windows\SysWOW64\Hlbpenqj.dll Lmnbkinf.exe File opened for modification C:\Windows\SysWOW64\Onmkio32.exe Omloag32.exe File opened for modification C:\Windows\SysWOW64\Pabjem32.exe Ppamme32.exe File created C:\Windows\SysWOW64\Lbjhdo32.dll Qnfjna32.exe File opened for modification C:\Windows\SysWOW64\Aalmklfi.exe Aiedjneg.exe File opened for modification C:\Windows\SysWOW64\Jjjacf32.exe Icpigm32.exe File opened for modification C:\Windows\SysWOW64\Kaklpcoc.exe Kmopod32.exe File opened for modification C:\Windows\SysWOW64\Eojnkg32.exe Emkaol32.exe File created C:\Windows\SysWOW64\Hpenlb32.dll Clcflkic.exe File created C:\Windows\SysWOW64\Lpbjlbfp.dll Egdilkbf.exe File created C:\Windows\SysWOW64\Ocnfbo32.exe Oobjaqaj.exe File created C:\Windows\SysWOW64\Hejoiedd.exe Hckcmjep.exe File created C:\Windows\SysWOW64\Kjjndgdk.dll Kihqkagp.exe File opened for modification C:\Windows\SysWOW64\Mdkqqa32.exe Mamddf32.exe File created C:\Windows\SysWOW64\Npdjje32.exe Nnennj32.exe File created C:\Windows\SysWOW64\Gcmjhbal.dll Ebinic32.exe File created C:\Windows\SysWOW64\Fmekoalh.exe Fjgoce32.exe File opened for modification C:\Windows\SysWOW64\Jcgogk32.exe Jokcgmee.exe File opened for modification C:\Windows\SysWOW64\Eibbcm32.exe Ejobhppq.exe File opened for modification C:\Windows\SysWOW64\Madapkmp.exe Menakj32.exe File created C:\Windows\SysWOW64\Pipopl32.exe Pccfge32.exe File created C:\Windows\SysWOW64\Dfdceg32.dll Ahakmf32.exe File created C:\Windows\SysWOW64\Lhpfqama.exe Leajdfnm.exe File created C:\Windows\SysWOW64\Dfnfdcqd.dll Moiklogi.exe File opened for modification C:\Windows\SysWOW64\Pjenhm32.exe Pggbla32.exe File created C:\Windows\SysWOW64\Dlkaflan.dll Dcadac32.exe File created C:\Windows\SysWOW64\Onmkio32.exe Omloag32.exe File created C:\Windows\SysWOW64\Hacmcfge.exe Hodpgjha.exe File created C:\Windows\SysWOW64\Ipnnggjm.dll Jnclnihj.exe File opened for modification C:\Windows\SysWOW64\Kemejc32.exe Jbnhng32.exe File opened for modification C:\Windows\SysWOW64\Kngfih32.exe Kkijmm32.exe File created C:\Windows\SysWOW64\Fddcahee.dll Ogblbo32.exe File opened for modification C:\Windows\SysWOW64\Aipddi32.exe Qfahhm32.exe File opened for modification C:\Windows\SysWOW64\Lfmdnp32.exe f8e5b1ecb7af69d4e374d509772d1bda8a57cf53944bcc041172cccbfd3e7a48.exe File opened for modification C:\Windows\SysWOW64\Dkkpbgli.exe Ddagfm32.exe File opened for modification C:\Windows\SysWOW64\Ecmkghcl.exe Emcbkn32.exe File created C:\Windows\SysWOW64\Ihoafpmp.exe Ieqeidnl.exe File opened for modification C:\Windows\SysWOW64\Ihoafpmp.exe Ieqeidnl.exe File created C:\Windows\SysWOW64\Dggcffhg.exe Dhdcji32.exe File opened for modification C:\Windows\SysWOW64\Nhlifi32.exe Ncoamb32.exe File created C:\Windows\SysWOW64\Aplpai32.exe Amndem32.exe File created C:\Windows\SysWOW64\Cnkajfop.dll Hdfflm32.exe File opened for modification C:\Windows\SysWOW64\Kkijmm32.exe Kgnnln32.exe File created C:\Windows\SysWOW64\Lpphap32.exe Kifpdelo.exe File opened for modification C:\Windows\SysWOW64\Dccagcgk.exe Dogefd32.exe File opened for modification C:\Windows\SysWOW64\Dhdcji32.exe Dbkknojp.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5188 5168 WerFault.exe 539 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddagfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkpnhgge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cojema32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpbefoai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dliijipn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ifcbodli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajjmcaea.dll" Ajjcbpdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhpfqama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgmhlp32.dll" Dbehoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghohc32.dll" Cgejac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dccagcgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfqpfb32.dll" Affhncfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olmhdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgnia32.dll" Ejobhppq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmiipi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Apimacnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ealnephf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmanoifd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglbacld.dll" Ccdlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlbeqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lmiipi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihomanac.dll" Balijo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejobhppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omfkke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdgafdfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hiqbndpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ijgdngmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckgkkllh.dll" Dhbfdjdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgcgmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aigaon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcmgfkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cahail32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Madapkmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmkfei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emeopn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Adnopfoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcdooi32.dll" Fdapak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mamddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhkbkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onmdoioa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Endhhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Andkhh32.dll" Aigaon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpdhklkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfegbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgeefbhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Piehkkcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pnlqnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahokfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dqlafm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kndcpj32.dll" Pgbhabjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anccmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqckbobk.dll" Lmkfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oqkqkdne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnaocmmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbgbni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oqmmpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geemiobo.dll" Eqpgol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlblkhei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abhimnma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emkaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihedjnpm.dll" Lefkjkmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpjiammk.dll" Abpfhcje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdpjlajk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bblogakg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2204 wrote to memory of 1668 2204 f8e5b1ecb7af69d4e374d509772d1bda8a57cf53944bcc041172cccbfd3e7a48.exe 28 PID 2204 wrote to memory of 1668 2204 f8e5b1ecb7af69d4e374d509772d1bda8a57cf53944bcc041172cccbfd3e7a48.exe 28 PID 2204 wrote to memory of 1668 2204 f8e5b1ecb7af69d4e374d509772d1bda8a57cf53944bcc041172cccbfd3e7a48.exe 28 PID 2204 wrote to memory of 1668 2204 f8e5b1ecb7af69d4e374d509772d1bda8a57cf53944bcc041172cccbfd3e7a48.exe 28 PID 1668 wrote to memory of 2124 1668 Lfmdnp32.exe 29 PID 1668 wrote to memory of 2124 1668 Lfmdnp32.exe 29 PID 1668 wrote to memory of 2124 1668 Lfmdnp32.exe 29 PID 1668 wrote to memory of 2124 1668 Lfmdnp32.exe 29 PID 2124 wrote to memory of 2600 2124 Lpeifeca.exe 30 PID 2124 wrote to memory of 2600 2124 Lpeifeca.exe 30 PID 2124 wrote to memory of 2600 2124 Lpeifeca.exe 30 PID 2124 wrote to memory of 2600 2124 Lpeifeca.exe 30 PID 2600 wrote to memory of 2568 2600 Lmiipi32.exe 31 PID 2600 wrote to memory of 2568 2600 Lmiipi32.exe 31 PID 2600 wrote to memory of 2568 2600 Lmiipi32.exe 31 PID 2600 wrote to memory of 2568 2600 Lmiipi32.exe 31 PID 2568 wrote to memory of 2624 2568 Lbfahp32.exe 32 PID 2568 wrote to memory of 2624 2568 Lbfahp32.exe 32 PID 2568 wrote to memory of 2624 2568 Lbfahp32.exe 32 PID 2568 wrote to memory of 2624 2568 Lbfahp32.exe 32 PID 2624 wrote to memory of 2520 2624 Lmkfei32.exe 33 PID 2624 wrote to memory of 2520 2624 Lmkfei32.exe 33 PID 2624 wrote to memory of 2520 2624 Lmkfei32.exe 33 PID 2624 wrote to memory of 2520 2624 Lmkfei32.exe 33 PID 2520 wrote to memory of 1728 2520 Lpjbad32.exe 34 PID 2520 wrote to memory of 1728 2520 Lpjbad32.exe 34 PID 2520 wrote to memory of 1728 2520 Lpjbad32.exe 34 PID 2520 wrote to memory of 1728 2520 Lpjbad32.exe 34 PID 1728 wrote to memory of 2676 1728 Lefkjkmc.exe 35 PID 1728 wrote to memory of 2676 1728 Lefkjkmc.exe 35 PID 1728 wrote to memory of 2676 1728 Lefkjkmc.exe 35 PID 1728 wrote to memory of 2676 1728 Lefkjkmc.exe 35 PID 2676 wrote to memory of 2548 2676 Lmnbkinf.exe 36 PID 2676 wrote to memory of 2548 2676 Lmnbkinf.exe 36 PID 2676 wrote to memory of 2548 2676 Lmnbkinf.exe 36 PID 2676 wrote to memory of 2548 2676 Lmnbkinf.exe 36 PID 2548 wrote to memory of 1988 2548 Mcjkcplm.exe 37 PID 2548 wrote to memory of 1988 2548 Mcjkcplm.exe 37 PID 2548 wrote to memory of 1988 2548 Mcjkcplm.exe 37 PID 2548 wrote to memory of 1988 2548 Mcjkcplm.exe 37 PID 1988 wrote to memory of 1444 1988 Meigpkka.exe 38 PID 1988 wrote to memory of 1444 1988 Meigpkka.exe 38 PID 1988 wrote to memory of 1444 1988 Meigpkka.exe 38 PID 1988 wrote to memory of 1444 1988 Meigpkka.exe 38 PID 1444 wrote to memory of 2840 1444 Moalhq32.exe 39 PID 1444 wrote to memory of 2840 1444 Moalhq32.exe 39 PID 1444 wrote to memory of 2840 1444 Moalhq32.exe 39 PID 1444 wrote to memory of 2840 1444 Moalhq32.exe 39 PID 2840 wrote to memory of 348 2840 Maphdl32.exe 40 PID 2840 wrote to memory of 348 2840 Maphdl32.exe 40 PID 2840 wrote to memory of 348 2840 Maphdl32.exe 40 PID 2840 wrote to memory of 348 2840 Maphdl32.exe 40 PID 348 wrote to memory of 2192 348 Mcodno32.exe 41 PID 348 wrote to memory of 2192 348 Mcodno32.exe 41 PID 348 wrote to memory of 2192 348 Mcodno32.exe 41 PID 348 wrote to memory of 2192 348 Mcodno32.exe 41 PID 2192 wrote to memory of 2432 2192 Menakj32.exe 42 PID 2192 wrote to memory of 2432 2192 Menakj32.exe 42 PID 2192 wrote to memory of 2432 2192 Menakj32.exe 42 PID 2192 wrote to memory of 2432 2192 Menakj32.exe 42 PID 2432 wrote to memory of 2172 2432 Madapkmp.exe 43 PID 2432 wrote to memory of 2172 2432 Madapkmp.exe 43 PID 2432 wrote to memory of 2172 2432 Madapkmp.exe 43 PID 2432 wrote to memory of 2172 2432 Madapkmp.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\f8e5b1ecb7af69d4e374d509772d1bda8a57cf53944bcc041172cccbfd3e7a48.exe"C:\Users\Admin\AppData\Local\Temp\f8e5b1ecb7af69d4e374d509772d1bda8a57cf53944bcc041172cccbfd3e7a48.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:348 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2172 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:636 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1552 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1100 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1044 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1892 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1164 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1812 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1316 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1748 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe33⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe34⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe36⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe37⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe38⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe39⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe40⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe41⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe42⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe43⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe45⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe46⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe47⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:608 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe49⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe50⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe51⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe52⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe53⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe54⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe55⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe57⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe58⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe59⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe60⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe61⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe63⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe64⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe65⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe66⤵
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe67⤵PID:596
-
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe68⤵PID:688
-
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1000 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe70⤵PID:3064
-
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2308 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe72⤵
- Drops file in System32 directory
PID:892 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe73⤵PID:1612
-
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe74⤵PID:2540
-
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe75⤵
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe76⤵PID:2444
-
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe77⤵
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe78⤵
- Drops file in System32 directory
PID:3000 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe79⤵PID:332
-
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe80⤵PID:1700
-
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe81⤵
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:1412 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2024 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe84⤵PID:3068
-
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe85⤵
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe86⤵PID:1356
-
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2196 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe88⤵PID:2184
-
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe89⤵PID:1204
-
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe90⤵PID:2888
-
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe91⤵
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe92⤵PID:2736
-
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe93⤵PID:2996
-
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe94⤵PID:816
-
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe95⤵PID:2660
-
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe96⤵
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2268 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe98⤵PID:2428
-
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe99⤵PID:1144
-
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe100⤵
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe101⤵PID:1960
-
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe102⤵PID:2928
-
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe103⤵PID:1752
-
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe104⤵PID:2944
-
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe105⤵PID:1744
-
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2760 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe107⤵PID:2484
-
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe108⤵PID:2868
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe109⤵PID:2496
-
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe110⤵PID:896
-
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe111⤵PID:2704
-
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe112⤵PID:2296
-
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe113⤵
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe114⤵PID:1716
-
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe115⤵PID:1796
-
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe116⤵PID:2120
-
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1108 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe118⤵PID:2896
-
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe119⤵PID:2272
-
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe120⤵PID:3016
-
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2960
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-