Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
10/05/2024, 00:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a03c7b2255c1b2971d4b68c1e6727f811df111061bdded66de2d91582a55c24b.exe
Resource
win7-20240215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
a03c7b2255c1b2971d4b68c1e6727f811df111061bdded66de2d91582a55c24b.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
a03c7b2255c1b2971d4b68c1e6727f811df111061bdded66de2d91582a55c24b.exe
-
Size
92KB
-
MD5
1cfaeeb5589d4a0132c3698479a67886
-
SHA1
a7c521a6cc173928b71b6ec47d697c3877fe6f21
-
SHA256
a03c7b2255c1b2971d4b68c1e6727f811df111061bdded66de2d91582a55c24b
-
SHA512
1886c3b511db96eb0d5471ccfd1728ef2961d0a7d4a0305aec7b44f21ea902ca7e8422d9d9b142bcbf14f148a53de7dad3edbb226829f6829b4f64f8cbd6e968
-
SSDEEP
1536:S1o8gPC7uX3+XbnYMRVTu95ACGtzTjXq+66DFUABABOVLefE3:Io8ghGjYMRVTuvt2zTj6+JB8M3
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enkece32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgdbhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmnbkinf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiellh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqcnfjli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbkeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbnbobin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dchali32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chcqpmep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnneja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gieojq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiekid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpapln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdhhqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffpmnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cphlljge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbkeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfiidobe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qeqbkkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gelppaof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmlnoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhjhkq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjbmjplb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnneja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebinic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlgefh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aigaon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkfjhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebpkce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmlapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiqbndpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pphjgfqq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plahag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeempocb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ampqjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhhnli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gddifnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgbebiao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hejoiedd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcnpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlgefh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojficpfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjmodopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhcdaibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffbicfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjlgiqbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feeiob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nofabc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnbkddem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgajhbkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjdbnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjdbnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmekoalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faagpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gopkmhjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncjgbcoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmjblg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emcbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inljnfkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbpjiphi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhfagipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlakpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad a03c7b2255c1b2971d4b68c1e6727f811df111061bdded66de2d91582a55c24b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbmmcq32.exe -
Executes dropped EXE 64 IoCs
pid Process 1324 Lmiipi32.exe 2088 Lganiohl.exe 2728 Lipjejgp.exe 2464 Llnfaffc.exe 2688 Lpjbad32.exe 2452 Lchnnp32.exe 2968 Lgdjnofi.exe 2768 Lefkjkmc.exe 2936 Lmnbkinf.exe 2184 Lplogdmj.exe 2000 Mcjkcplm.exe 1072 Meigpkka.exe 1660 Midcpj32.exe 2284 Mlcple32.exe 2860 Moalhq32.exe 1756 Mcmhiojk.exe 1196 Mekdekin.exe 1928 Migpeiag.exe 2424 Mlelaeqk.exe 1156 Mkhmma32.exe 1608 Mochnppo.exe 1644 Mabejlob.exe 2540 Menakj32.exe 708 Mkjica32.exe 792 Mofecpnl.exe 2980 Madapkmp.exe 2640 Mepnpj32.exe 2800 Mgajhbkg.exe 2500 Mohbip32.exe 2772 Magnek32.exe 1728 Mhqfbebj.exe 2276 Mgcgmb32.exe 2508 Njbcim32.exe 2524 Naikkk32.exe 1652 Ndgggf32.exe 780 Ncjgbcoi.exe 2052 Ngfcca32.exe 804 Njdpomfe.exe 1988 Nlblkhei.exe 1348 Ndjdlffl.exe 2260 Ncmdhb32.exe 3048 Nfkpdn32.exe 2068 Nnbhek32.exe 1808 Nleiqhcg.exe 288 Nocemcbj.exe 3032 Ngkmnacm.exe 1696 Nfmmin32.exe 2628 Nhlifi32.exe 2140 Nlgefh32.exe 2892 Nofabc32.exe 2340 Nfpjomgd.exe 936 Njkfpl32.exe 1904 Nmjblg32.exe 872 Nkmbgdfl.exe 2816 Nohnhc32.exe 560 Nccjhafn.exe 1160 Okoomd32.exe 864 Onmkio32.exe 1424 Obigjnkf.exe 276 Ofdcjm32.exe 2700 Oicpfh32.exe 1828 Ogfpbeim.exe 1516 Okalbc32.exe 2572 Obkdonic.exe -
Loads dropped DLL 64 IoCs
pid Process 3000 a03c7b2255c1b2971d4b68c1e6727f811df111061bdded66de2d91582a55c24b.exe 3000 a03c7b2255c1b2971d4b68c1e6727f811df111061bdded66de2d91582a55c24b.exe 1324 Lmiipi32.exe 1324 Lmiipi32.exe 2088 Lganiohl.exe 2088 Lganiohl.exe 2728 Lipjejgp.exe 2728 Lipjejgp.exe 2464 Llnfaffc.exe 2464 Llnfaffc.exe 2688 Lpjbad32.exe 2688 Lpjbad32.exe 2452 Lchnnp32.exe 2452 Lchnnp32.exe 2968 Lgdjnofi.exe 2968 Lgdjnofi.exe 2768 Lefkjkmc.exe 2768 Lefkjkmc.exe 2936 Lmnbkinf.exe 2936 Lmnbkinf.exe 2184 Lplogdmj.exe 2184 Lplogdmj.exe 2000 Mcjkcplm.exe 2000 Mcjkcplm.exe 1072 Meigpkka.exe 1072 Meigpkka.exe 1660 Midcpj32.exe 1660 Midcpj32.exe 2284 Mlcple32.exe 2284 Mlcple32.exe 2860 Moalhq32.exe 2860 Moalhq32.exe 1756 Mcmhiojk.exe 1756 Mcmhiojk.exe 1196 Mekdekin.exe 1196 Mekdekin.exe 1928 Migpeiag.exe 1928 Migpeiag.exe 2424 Mlelaeqk.exe 2424 Mlelaeqk.exe 1156 Mkhmma32.exe 1156 Mkhmma32.exe 1608 Mochnppo.exe 1608 Mochnppo.exe 1644 Mabejlob.exe 1644 Mabejlob.exe 2540 Menakj32.exe 2540 Menakj32.exe 708 Mkjica32.exe 708 Mkjica32.exe 792 Mofecpnl.exe 792 Mofecpnl.exe 2980 Madapkmp.exe 2980 Madapkmp.exe 2640 Mepnpj32.exe 2640 Mepnpj32.exe 2800 Mgajhbkg.exe 2800 Mgajhbkg.exe 2500 Mohbip32.exe 2500 Mohbip32.exe 2772 Magnek32.exe 2772 Magnek32.exe 1728 Mhqfbebj.exe 1728 Mhqfbebj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bdhhqk32.exe Beehencq.exe File created C:\Windows\SysWOW64\Pheafa32.dll Cjbmjplb.exe File created C:\Windows\SysWOW64\Ddagfm32.exe Dqelenlc.exe File created C:\Windows\SysWOW64\Dhflmk32.dll Dchali32.exe File created C:\Windows\SysWOW64\Faokjpfd.exe Fmcoja32.exe File created C:\Windows\SysWOW64\Alqkcl32.dll Nfkpdn32.exe File created C:\Windows\SysWOW64\Aiedjneg.exe Ajbdna32.exe File opened for modification C:\Windows\SysWOW64\Ccfhhffh.exe Cphlljge.exe File opened for modification C:\Windows\SysWOW64\Fejgko32.exe Faokjpfd.exe File created C:\Windows\SysWOW64\Njdfjjia.dll Ocomlemo.exe File created C:\Windows\SysWOW64\Blmdlhmp.exe Bhahlj32.exe File created C:\Windows\SysWOW64\Ikbifehk.dll Beehencq.exe File opened for modification C:\Windows\SysWOW64\Hpapln32.exe Hlfdkoin.exe File opened for modification C:\Windows\SysWOW64\Nocemcbj.exe Nleiqhcg.exe File created C:\Windows\SysWOW64\Bbflib32.exe Bokphdld.exe File opened for modification C:\Windows\SysWOW64\Ealnephf.exe Ebinic32.exe File created C:\Windows\SysWOW64\Bnbjopoi.exe Bopicc32.exe File opened for modification C:\Windows\SysWOW64\Enkece32.exe Epieghdk.exe File created C:\Windows\SysWOW64\Hleajblp.dll Aiinen32.exe File opened for modification C:\Windows\SysWOW64\Cjlgiqbk.exe Ckignd32.exe File opened for modification C:\Windows\SysWOW64\Madapkmp.exe Mofecpnl.exe File opened for modification C:\Windows\SysWOW64\Aigaon32.exe Ajdadamj.exe File created C:\Windows\SysWOW64\Nccjhafn.exe Nohnhc32.exe File created C:\Windows\SysWOW64\Qhooggdn.exe Qhooggdn.exe File opened for modification C:\Windows\SysWOW64\Bpfcgg32.exe Aljgfioc.exe File created C:\Windows\SysWOW64\Eiaiqn32.exe Eeempocb.exe File created C:\Windows\SysWOW64\Lipjejgp.exe Lganiohl.exe File created C:\Windows\SysWOW64\Lgdjnofi.exe Lchnnp32.exe File created C:\Windows\SysWOW64\Pdpfph32.dll Idceea32.exe File created C:\Windows\SysWOW64\Ckggkg32.dll Qnigda32.exe File created C:\Windows\SysWOW64\Gncffdfn.dll Balijo32.exe File created C:\Windows\SysWOW64\Bkodhe32.exe Blmdlhmp.exe File created C:\Windows\SysWOW64\Bhcdaibd.exe Bdhhqk32.exe File created C:\Windows\SysWOW64\Hpenlb32.dll Cobbhfhg.exe File created C:\Windows\SysWOW64\Ldahol32.dll Gangic32.exe File created C:\Windows\SysWOW64\Obopfpji.dll Paejki32.exe File opened for modification C:\Windows\SysWOW64\Qeqbkkej.exe Qaefjm32.exe File created C:\Windows\SysWOW64\Qahefm32.dll Gopkmhjk.exe File created C:\Windows\SysWOW64\Hpkjko32.exe Hpkjko32.exe File created C:\Windows\SysWOW64\Hdfflm32.exe Hpkjko32.exe File created C:\Windows\SysWOW64\Eflgccbp.exe Ebpkce32.exe File created C:\Windows\SysWOW64\Bcqgok32.dll Fiaeoang.exe File created C:\Windows\SysWOW64\Gelppaof.exe Gaqcoc32.exe File opened for modification C:\Windows\SysWOW64\Okalbc32.exe Ogfpbeim.exe File created C:\Windows\SysWOW64\Chhpdp32.dll Gkgkbipp.exe File created C:\Windows\SysWOW64\Beehencq.exe Baildokg.exe File created C:\Windows\SysWOW64\Hlcgeo32.exe Hiekid32.exe File created C:\Windows\SysWOW64\Bifdjp32.dll Mcmhiojk.exe File opened for modification C:\Windows\SysWOW64\Piblek32.exe Pjpkjond.exe File created C:\Windows\SysWOW64\Hmhfjo32.dll Glaoalkh.exe File opened for modification C:\Windows\SysWOW64\Gbnccfpb.exe Gobgcg32.exe File created C:\Windows\SysWOW64\Penfelgm.exe Pabjem32.exe File created C:\Windows\SysWOW64\Fbdqmghm.exe Fdapak32.exe File created C:\Windows\SysWOW64\Gjenmobn.dll Inljnfkg.exe File created C:\Windows\SysWOW64\Mabejlob.exe Mochnppo.exe File opened for modification C:\Windows\SysWOW64\Doobajme.exe Dqlafm32.exe File created C:\Windows\SysWOW64\Lefmambf.dll Dqjepm32.exe File created C:\Windows\SysWOW64\Gddifnbk.exe Gphmeo32.exe File opened for modification C:\Windows\SysWOW64\Ieqeidnl.exe Iaeiieeb.exe File created C:\Windows\SysWOW64\Iagfoe32.exe Inljnfkg.exe File opened for modification C:\Windows\SysWOW64\Mcmhiojk.exe Moalhq32.exe File created C:\Windows\SysWOW64\Pkjapnke.dll Dngoibmo.exe File created C:\Windows\SysWOW64\Bhahlj32.exe Bingpmnl.exe File opened for modification C:\Windows\SysWOW64\Bdlblj32.exe Bpafkknm.exe -
Program crash 1 IoCs
pid pid_target Process 5528 5504 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoihbdp.dll" Globlmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlakpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iknecn32.dll" Onbddoog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phjelg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhnaid32.dll" Qnfjna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnpmipql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emcbkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enihne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcbaa32.dll" Dqelenlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdnbg32.dll" Eijcpoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmnbkinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oelmai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alhjai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apcfahio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdfdcg32.dll" Bkodhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiciogbn.dll" Cpeofk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onmkio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pofgpn32.dll" Qaefjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiqbndpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkfjhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgbdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndgggf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qnfjna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apomfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fehjeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjhhocjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgilchkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inljnfkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Penfelgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qeqbkkej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhfagipa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gonnhhln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gphmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmlnoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nocemcbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abbbnchb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oockje32.dll" Chemfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aoffmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcaomf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbkpna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afmonbqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckignd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdljffa.dll" Cndbcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hejoiedd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Madapkmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcbndm32.dll" Dhjgal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efncicpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadqjk32.dll" Dkkpbgli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpapln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifdjp32.dll" Mcmhiojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdgmmje.dll" Obnqem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbbfopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpefbknb.dll" Bpcbqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnippoha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Copfbfjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljpojo32.dll" Paggai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffihah32.dll" Ckffgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpbjlbfp.dll" Egdilkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ealnephf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdopkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lefkjkmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eijcpoac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlcgeo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3000 wrote to memory of 1324 3000 a03c7b2255c1b2971d4b68c1e6727f811df111061bdded66de2d91582a55c24b.exe 28 PID 3000 wrote to memory of 1324 3000 a03c7b2255c1b2971d4b68c1e6727f811df111061bdded66de2d91582a55c24b.exe 28 PID 3000 wrote to memory of 1324 3000 a03c7b2255c1b2971d4b68c1e6727f811df111061bdded66de2d91582a55c24b.exe 28 PID 3000 wrote to memory of 1324 3000 a03c7b2255c1b2971d4b68c1e6727f811df111061bdded66de2d91582a55c24b.exe 28 PID 1324 wrote to memory of 2088 1324 Lmiipi32.exe 29 PID 1324 wrote to memory of 2088 1324 Lmiipi32.exe 29 PID 1324 wrote to memory of 2088 1324 Lmiipi32.exe 29 PID 1324 wrote to memory of 2088 1324 Lmiipi32.exe 29 PID 2088 wrote to memory of 2728 2088 Lganiohl.exe 30 PID 2088 wrote to memory of 2728 2088 Lganiohl.exe 30 PID 2088 wrote to memory of 2728 2088 Lganiohl.exe 30 PID 2088 wrote to memory of 2728 2088 Lganiohl.exe 30 PID 2728 wrote to memory of 2464 2728 Lipjejgp.exe 31 PID 2728 wrote to memory of 2464 2728 Lipjejgp.exe 31 PID 2728 wrote to memory of 2464 2728 Lipjejgp.exe 31 PID 2728 wrote to memory of 2464 2728 Lipjejgp.exe 31 PID 2464 wrote to memory of 2688 2464 Llnfaffc.exe 32 PID 2464 wrote to memory of 2688 2464 Llnfaffc.exe 32 PID 2464 wrote to memory of 2688 2464 Llnfaffc.exe 32 PID 2464 wrote to memory of 2688 2464 Llnfaffc.exe 32 PID 2688 wrote to memory of 2452 2688 Lpjbad32.exe 33 PID 2688 wrote to memory of 2452 2688 Lpjbad32.exe 33 PID 2688 wrote to memory of 2452 2688 Lpjbad32.exe 33 PID 2688 wrote to memory of 2452 2688 Lpjbad32.exe 33 PID 2452 wrote to memory of 2968 2452 Lchnnp32.exe 34 PID 2452 wrote to memory of 2968 2452 Lchnnp32.exe 34 PID 2452 wrote to memory of 2968 2452 Lchnnp32.exe 34 PID 2452 wrote to memory of 2968 2452 Lchnnp32.exe 34 PID 2968 wrote to memory of 2768 2968 Lgdjnofi.exe 35 PID 2968 wrote to memory of 2768 2968 Lgdjnofi.exe 35 PID 2968 wrote to memory of 2768 2968 Lgdjnofi.exe 35 PID 2968 wrote to memory of 2768 2968 Lgdjnofi.exe 35 PID 2768 wrote to memory of 2936 2768 Lefkjkmc.exe 36 PID 2768 wrote to memory of 2936 2768 Lefkjkmc.exe 36 PID 2768 wrote to memory of 2936 2768 Lefkjkmc.exe 36 PID 2768 wrote to memory of 2936 2768 Lefkjkmc.exe 36 PID 2936 wrote to memory of 2184 2936 Lmnbkinf.exe 37 PID 2936 wrote to memory of 2184 2936 Lmnbkinf.exe 37 PID 2936 wrote to memory of 2184 2936 Lmnbkinf.exe 37 PID 2936 wrote to memory of 2184 2936 Lmnbkinf.exe 37 PID 2184 wrote to memory of 2000 2184 Lplogdmj.exe 38 PID 2184 wrote to memory of 2000 2184 Lplogdmj.exe 38 PID 2184 wrote to memory of 2000 2184 Lplogdmj.exe 38 PID 2184 wrote to memory of 2000 2184 Lplogdmj.exe 38 PID 2000 wrote to memory of 1072 2000 Mcjkcplm.exe 39 PID 2000 wrote to memory of 1072 2000 Mcjkcplm.exe 39 PID 2000 wrote to memory of 1072 2000 Mcjkcplm.exe 39 PID 2000 wrote to memory of 1072 2000 Mcjkcplm.exe 39 PID 1072 wrote to memory of 1660 1072 Meigpkka.exe 40 PID 1072 wrote to memory of 1660 1072 Meigpkka.exe 40 PID 1072 wrote to memory of 1660 1072 Meigpkka.exe 40 PID 1072 wrote to memory of 1660 1072 Meigpkka.exe 40 PID 1660 wrote to memory of 2284 1660 Midcpj32.exe 41 PID 1660 wrote to memory of 2284 1660 Midcpj32.exe 41 PID 1660 wrote to memory of 2284 1660 Midcpj32.exe 41 PID 1660 wrote to memory of 2284 1660 Midcpj32.exe 41 PID 2284 wrote to memory of 2860 2284 Mlcple32.exe 42 PID 2284 wrote to memory of 2860 2284 Mlcple32.exe 42 PID 2284 wrote to memory of 2860 2284 Mlcple32.exe 42 PID 2284 wrote to memory of 2860 2284 Mlcple32.exe 42 PID 2860 wrote to memory of 1756 2860 Moalhq32.exe 43 PID 2860 wrote to memory of 1756 2860 Moalhq32.exe 43 PID 2860 wrote to memory of 1756 2860 Moalhq32.exe 43 PID 2860 wrote to memory of 1756 2860 Moalhq32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\a03c7b2255c1b2971d4b68c1e6727f811df111061bdded66de2d91582a55c24b.exe"C:\Users\Admin\AppData\Local\Temp\a03c7b2255c1b2971d4b68c1e6727f811df111061bdded66de2d91582a55c24b.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1196 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1928 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2424 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1156 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1608 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2540 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:708 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:792 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2500 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1728 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe33⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe34⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe35⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe38⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe39⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe40⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe41⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe42⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3048 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe44⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1808 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:288 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe47⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe48⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe49⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe52⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe53⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe55⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe57⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe58⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:864 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe60⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe61⤵
- Executes dropped EXE
PID:276 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe62⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1828 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe64⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe65⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe66⤵PID:2496
-
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2604 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe68⤵PID:3016
-
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2708 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe70⤵
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe71⤵
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe72⤵
- Modifies registry class
PID:384 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe73⤵
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe74⤵PID:1368
-
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe75⤵PID:1536
-
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe76⤵PID:2804
-
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1688 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe78⤵PID:2960
-
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe79⤵PID:2288
-
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe80⤵PID:1824
-
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe81⤵PID:1344
-
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe82⤵PID:2404
-
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe83⤵
- Drops file in System32 directory
PID:2844 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1076 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe85⤵PID:2528
-
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe86⤵PID:888
-
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2612 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe88⤵PID:1788
-
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe89⤵
- Modifies registry class
PID:600 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe90⤵PID:2856
-
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe91⤵PID:2784
-
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe92⤵
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe93⤵PID:884
-
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2992 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe95⤵PID:1416
-
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe96⤵
- Modifies registry class
PID:2488 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe97⤵PID:1464
-
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe98⤵PID:2176
-
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe99⤵PID:2608
-
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe100⤵PID:1792
-
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe101⤵PID:1716
-
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:980 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1036 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe104⤵PID:2624
-
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe105⤵
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe106⤵PID:2120
-
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe107⤵PID:2432
-
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1336 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe109⤵
- Drops file in System32 directory
PID:1548 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe110⤵
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe111⤵PID:3064
-
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe112⤵PID:2788
-
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe113⤵
- Modifies registry class
PID:1048 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe114⤵
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe115⤵
- Drops file in System32 directory
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:324 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe117⤵
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe118⤵PID:2268
-
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe119⤵PID:2636
-
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe120⤵
- Drops file in System32 directory
PID:1704 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe121⤵PID:2256
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-