Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
15/06/2024, 01:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bc45256aa1355ba1605f57de654bc429f4cdcbc2869188a3c0d6416321b6b2cd.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
bc45256aa1355ba1605f57de654bc429f4cdcbc2869188a3c0d6416321b6b2cd.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
bc45256aa1355ba1605f57de654bc429f4cdcbc2869188a3c0d6416321b6b2cd.exe
-
Size
75KB
-
MD5
2bd02f3845ab94df6f18ec8adc1c173c
-
SHA1
cfd677942fcad282bd7b7934770aaf6343753e8d
-
SHA256
bc45256aa1355ba1605f57de654bc429f4cdcbc2869188a3c0d6416321b6b2cd
-
SHA512
47ac3e2fa9af57e01c2e8593aa49f6d1381da8ae6c495d07fb3a900b3a77f0ad02ce9910a684a720d5c8d93765b9b322adba24b062cd4f21cdbacbd5da33247d
-
SSDEEP
1536:n9zIAMjsghV6kQWb1DfkvNuzkPOOk11cgCe8uvQGYQzlV:+Ztn6kRb1DfkbOOUugCe8uvQa
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plahag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fejgko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlakpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icbimi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdlnkmha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgaqgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epieghdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flmefm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paggai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plahag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbmmcq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cljcelan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhmepp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebbgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpjbad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apajlhka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqjepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmafennb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjdbnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgilchkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieqeidnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojieip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aenbdoii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbehoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emeopn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doobajme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okalbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cljcelan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqjepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djbiicon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgdjnofi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abpfhcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpdhklkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Globlmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ankdiqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Balijo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdakgibq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckdjbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlelaeqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pccfge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbkeib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djbiicon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dchali32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhhcgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gogangdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnfjna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdjefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejgcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgilchkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppmdbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afmonbqk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bommnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gelppaof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gelppaof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Henidd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afdlhchf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boiccdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnefdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ealnephf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ealnephf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcnpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhjhkq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfdpip32.exe -
Executes dropped EXE 64 IoCs
pid Process 2908 Lkmjin32.exe 2684 Lpjbad32.exe 2704 Lgdjnofi.exe 2752 Lmnbkinf.exe 2504 Mcjkcplm.exe 2896 Meigpkka.exe 756 Mpolmdkg.exe 1368 Mcmhiojk.exe 2748 Mekdekin.exe 1556 Mlelaeqk.exe 344 Mcodno32.exe 2332 Mdqafgnf.exe 1372 Mofecpnl.exe 2912 Madapkmp.exe 1200 Mepnpj32.exe 664 Mkmfhacp.exe 1052 Mpjoqhah.exe 2552 Mdejaf32.exe 2420 Mgcgmb32.exe 2056 Njbcim32.exe 2000 Ndgggf32.exe 904 Ncjgbcoi.exe 1300 Nnplpl32.exe 1552 Npnhlg32.exe 2316 Njgldmdc.exe 876 Nnbhek32.exe 1748 Nqqdag32.exe 2580 Ncoamb32.exe 2600 Nlgefh32.exe 2388 Nbdnoo32.exe 2956 Nohnhc32.exe 2016 Nccjhafn.exe 1964 Omloag32.exe 1488 Oojknblb.exe 1524 Obigjnkf.exe 860 Oicpfh32.exe 800 Okalbc32.exe 1864 Oiellh32.exe 276 Oiellh32.exe 620 Oqqapjnk.exe 1324 Ojieip32.exe 2204 Ondajnme.exe 1604 Ogmfbd32.exe 1544 Ofpfnqjp.exe 1312 Ongnonkb.exe 1596 Pccfge32.exe 288 Pgobhcac.exe 1700 Pipopl32.exe 924 Pmlkpjpj.exe 644 Paggai32.exe 2152 Ppjglfon.exe 1500 Pcfcmd32.exe 2720 Pfdpip32.exe 2716 Pmnhfjmg.exe 2744 Plahag32.exe 2612 Ppmdbe32.exe 2528 Pchpbded.exe 2508 Peiljl32.exe 1876 Piehkkcl.exe 1852 Pmqdkj32.exe 316 Pnbacbac.exe 760 Pbmmcq32.exe 1256 Pfiidobe.exe 2864 Pigeqkai.exe -
Loads dropped DLL 64 IoCs
pid Process 1632 bc45256aa1355ba1605f57de654bc429f4cdcbc2869188a3c0d6416321b6b2cd.exe 1632 bc45256aa1355ba1605f57de654bc429f4cdcbc2869188a3c0d6416321b6b2cd.exe 2908 Lkmjin32.exe 2908 Lkmjin32.exe 2684 Lpjbad32.exe 2684 Lpjbad32.exe 2704 Lgdjnofi.exe 2704 Lgdjnofi.exe 2752 Lmnbkinf.exe 2752 Lmnbkinf.exe 2504 Mcjkcplm.exe 2504 Mcjkcplm.exe 2896 Meigpkka.exe 2896 Meigpkka.exe 756 Mpolmdkg.exe 756 Mpolmdkg.exe 1368 Mcmhiojk.exe 1368 Mcmhiojk.exe 2748 Mekdekin.exe 2748 Mekdekin.exe 1556 Mlelaeqk.exe 1556 Mlelaeqk.exe 344 Mcodno32.exe 344 Mcodno32.exe 2332 Mdqafgnf.exe 2332 Mdqafgnf.exe 1372 Mofecpnl.exe 1372 Mofecpnl.exe 2912 Madapkmp.exe 2912 Madapkmp.exe 1200 Mepnpj32.exe 1200 Mepnpj32.exe 664 Mkmfhacp.exe 664 Mkmfhacp.exe 1052 Mpjoqhah.exe 1052 Mpjoqhah.exe 2552 Mdejaf32.exe 2552 Mdejaf32.exe 2420 Mgcgmb32.exe 2420 Mgcgmb32.exe 2056 Njbcim32.exe 2056 Njbcim32.exe 2000 Ndgggf32.exe 2000 Ndgggf32.exe 904 Ncjgbcoi.exe 904 Ncjgbcoi.exe 1300 Nnplpl32.exe 1300 Nnplpl32.exe 1552 Npnhlg32.exe 1552 Npnhlg32.exe 2316 Njgldmdc.exe 2316 Njgldmdc.exe 876 Nnbhek32.exe 876 Nnbhek32.exe 1748 Nqqdag32.exe 1748 Nqqdag32.exe 2580 Ncoamb32.exe 2580 Ncoamb32.exe 2600 Nlgefh32.exe 2600 Nlgefh32.exe 2388 Nbdnoo32.exe 2388 Nbdnoo32.exe 2956 Nohnhc32.exe 2956 Nohnhc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jkdalhhc.dll Boiccdnf.exe File created C:\Windows\SysWOW64\Hpqpdnop.dll Fiaeoang.exe File created C:\Windows\SysWOW64\Pffgja32.dll Hcifgjgc.exe File created C:\Windows\SysWOW64\Bgknheej.exe Bdlblj32.exe File opened for modification C:\Windows\SysWOW64\Ejgcdb32.exe Ecmkghcl.exe File created C:\Windows\SysWOW64\Oiellh32.exe Okalbc32.exe File opened for modification C:\Windows\SysWOW64\Dgaqgh32.exe Dbehoa32.exe File created C:\Windows\SysWOW64\Epfhbign.exe Ekklaj32.exe File created C:\Windows\SysWOW64\Bingpmnl.exe Bagpopmj.exe File opened for modification C:\Windows\SysWOW64\Clcflkic.exe Cdlnkmha.exe File created C:\Windows\SysWOW64\Ennaieib.exe Ejbfhfaj.exe File created C:\Windows\SysWOW64\Hgbebiao.exe Ghoegl32.exe File created C:\Windows\SysWOW64\Higdqfol.dll Pabjem32.exe File opened for modification C:\Windows\SysWOW64\Enkece32.exe Epieghdk.exe File created C:\Windows\SysWOW64\Hhjhkq32.exe Hjhhocjj.exe File opened for modification C:\Windows\SysWOW64\Hgbebiao.exe Ghoegl32.exe File created C:\Windows\SysWOW64\Obneof32.dll Ncjgbcoi.exe File opened for modification C:\Windows\SysWOW64\Ailkjmpo.exe Afmonbqk.exe File created C:\Windows\SysWOW64\Cpjiajeb.exe Cjpqdp32.exe File opened for modification C:\Windows\SysWOW64\Goddhg32.exe Glfhll32.exe File created C:\Windows\SysWOW64\Ghoegl32.exe Gphmeo32.exe File created C:\Windows\SysWOW64\Hgpdcgoc.dll Hlakpp32.exe File created C:\Windows\SysWOW64\Kcfdakpf.dll Emeopn32.exe File opened for modification C:\Windows\SysWOW64\Madapkmp.exe Mofecpnl.exe File opened for modification C:\Windows\SysWOW64\Qnfjna32.exe Qlhnbf32.exe File opened for modification C:\Windows\SysWOW64\Qmlgonbe.exe Qhooggdn.exe File created C:\Windows\SysWOW64\Bdjefj32.exe Balijo32.exe File created C:\Windows\SysWOW64\Kegiig32.dll Fdoclk32.exe File created C:\Windows\SysWOW64\Gicbeald.exe Gfefiemq.exe File created C:\Windows\SysWOW64\Lgdjnofi.exe Lpjbad32.exe File created C:\Windows\SysWOW64\Odbkcj32.dll Phjelg32.exe File opened for modification C:\Windows\SysWOW64\Aiedjneg.exe Affhncfc.exe File opened for modification C:\Windows\SysWOW64\Cjndop32.exe Cgpgce32.exe File opened for modification C:\Windows\SysWOW64\Cciemedf.exe Cpjiajeb.exe File created C:\Windows\SysWOW64\Hojopmqk.dll Hjhhocjj.exe File opened for modification C:\Windows\SysWOW64\Lkmjin32.exe bc45256aa1355ba1605f57de654bc429f4cdcbc2869188a3c0d6416321b6b2cd.exe File opened for modification C:\Windows\SysWOW64\Aoffmd32.exe Apcfahio.exe File created C:\Windows\SysWOW64\Njgldmdc.exe Npnhlg32.exe File opened for modification C:\Windows\SysWOW64\Bdjefj32.exe Balijo32.exe File created C:\Windows\SysWOW64\Mpefbknb.dll Baqbenep.exe File created C:\Windows\SysWOW64\Pheafa32.dll Cbkeib32.exe File created C:\Windows\SysWOW64\Ieqeidnl.exe Icbimi32.exe File created C:\Windows\SysWOW64\Doobajme.exe Dmafennb.exe File created C:\Windows\SysWOW64\Dnoillim.dll Eeqdep32.exe File opened for modification C:\Windows\SysWOW64\Dgdmmgpj.exe Dchali32.exe File created C:\Windows\SysWOW64\Hpmgqnfl.exe Hlakpp32.exe File created C:\Windows\SysWOW64\Eakjok32.dll Nohnhc32.exe File opened for modification C:\Windows\SysWOW64\Emeopn32.exe Ejgcdb32.exe File created C:\Windows\SysWOW64\Eilpeooq.exe Eeqdep32.exe File created C:\Windows\SysWOW64\Kdanej32.dll Fhhcgj32.exe File opened for modification C:\Windows\SysWOW64\Gbijhg32.exe Gpknlk32.exe File opened for modification C:\Windows\SysWOW64\Hcifgjgc.exe Hdfflm32.exe File created C:\Windows\SysWOW64\Bommnc32.exe Bhcdaibd.exe File created C:\Windows\SysWOW64\Pdmaibnf.dll Cjpqdp32.exe File created C:\Windows\SysWOW64\Madapkmp.exe Mofecpnl.exe File created C:\Windows\SysWOW64\Ambmpmln.exe Afiecb32.exe File opened for modification C:\Windows\SysWOW64\Djnpnc32.exe Ddagfm32.exe File created C:\Windows\SysWOW64\Pmlkpjpj.exe Pipopl32.exe File created C:\Windows\SysWOW64\Fcmbeioh.dll Pmnhfjmg.exe File created C:\Windows\SysWOW64\Cljcelan.exe Ckignd32.exe File opened for modification C:\Windows\SysWOW64\Dkhcmgnl.exe Dgmglh32.exe File opened for modification C:\Windows\SysWOW64\Fhffaj32.exe Fehjeo32.exe File created C:\Windows\SysWOW64\Cqmnhocj.dll Fnpnndgp.exe File created C:\Windows\SysWOW64\Jbelkc32.dll Flmefm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3084 4044 WerFault.exe 291 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" bc45256aa1355ba1605f57de654bc429f4cdcbc2869188a3c0d6416321b6b2cd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdopkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhooggdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjapnke.dll" Dkhcmgnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgdmmgpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilknfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpdhklkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcaomf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgmhlp32.dll" Dbehoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oojknblb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbdoqc32.dll" Pgobhcac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oicpfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebbjqa32.dll" Penfelgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgdmmgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hicodd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiekid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgcgmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpdhklkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fphafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Paggai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pabjem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbiiek32.dll" Cdlnkmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Henidd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkkalk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhebk32.dll" Pigeqkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fiaeoang.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgaqgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcfcmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnefdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoflni32.dll" Cciemedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffkcbgek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjqipbka.dll" Blmdlhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnhfb32.dll" Gelppaof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmekoalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiedkadc.dll" Oicpfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oiellh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doobajme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfdpip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eihfjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enkece32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmnbkinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iegecigk.dll" Bdjefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdjefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdakgibq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node bc45256aa1355ba1605f57de654bc429f4cdcbc2869188a3c0d6416321b6b2cd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpokk32.dll" Pbmmcq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnbacbac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlgefh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahokfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhcdaibd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ennaieib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbkeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhffaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnpnndgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfknpg.dll" Fhffaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabakh32.dll" Gaqcoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID bc45256aa1355ba1605f57de654bc429f4cdcbc2869188a3c0d6416321b6b2cd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okalbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Affhncfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcmbeioh.dll" Pmnhfjmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qecoqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmgnnib.dll" Mcodno32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1632 wrote to memory of 2908 1632 bc45256aa1355ba1605f57de654bc429f4cdcbc2869188a3c0d6416321b6b2cd.exe 28 PID 1632 wrote to memory of 2908 1632 bc45256aa1355ba1605f57de654bc429f4cdcbc2869188a3c0d6416321b6b2cd.exe 28 PID 1632 wrote to memory of 2908 1632 bc45256aa1355ba1605f57de654bc429f4cdcbc2869188a3c0d6416321b6b2cd.exe 28 PID 1632 wrote to memory of 2908 1632 bc45256aa1355ba1605f57de654bc429f4cdcbc2869188a3c0d6416321b6b2cd.exe 28 PID 2908 wrote to memory of 2684 2908 Lkmjin32.exe 29 PID 2908 wrote to memory of 2684 2908 Lkmjin32.exe 29 PID 2908 wrote to memory of 2684 2908 Lkmjin32.exe 29 PID 2908 wrote to memory of 2684 2908 Lkmjin32.exe 29 PID 2684 wrote to memory of 2704 2684 Lpjbad32.exe 30 PID 2684 wrote to memory of 2704 2684 Lpjbad32.exe 30 PID 2684 wrote to memory of 2704 2684 Lpjbad32.exe 30 PID 2684 wrote to memory of 2704 2684 Lpjbad32.exe 30 PID 2704 wrote to memory of 2752 2704 Lgdjnofi.exe 31 PID 2704 wrote to memory of 2752 2704 Lgdjnofi.exe 31 PID 2704 wrote to memory of 2752 2704 Lgdjnofi.exe 31 PID 2704 wrote to memory of 2752 2704 Lgdjnofi.exe 31 PID 2752 wrote to memory of 2504 2752 Lmnbkinf.exe 32 PID 2752 wrote to memory of 2504 2752 Lmnbkinf.exe 32 PID 2752 wrote to memory of 2504 2752 Lmnbkinf.exe 32 PID 2752 wrote to memory of 2504 2752 Lmnbkinf.exe 32 PID 2504 wrote to memory of 2896 2504 Mcjkcplm.exe 33 PID 2504 wrote to memory of 2896 2504 Mcjkcplm.exe 33 PID 2504 wrote to memory of 2896 2504 Mcjkcplm.exe 33 PID 2504 wrote to memory of 2896 2504 Mcjkcplm.exe 33 PID 2896 wrote to memory of 756 2896 Meigpkka.exe 34 PID 2896 wrote to memory of 756 2896 Meigpkka.exe 34 PID 2896 wrote to memory of 756 2896 Meigpkka.exe 34 PID 2896 wrote to memory of 756 2896 Meigpkka.exe 34 PID 756 wrote to memory of 1368 756 Mpolmdkg.exe 35 PID 756 wrote to memory of 1368 756 Mpolmdkg.exe 35 PID 756 wrote to memory of 1368 756 Mpolmdkg.exe 35 PID 756 wrote to memory of 1368 756 Mpolmdkg.exe 35 PID 1368 wrote to memory of 2748 1368 Mcmhiojk.exe 36 PID 1368 wrote to memory of 2748 1368 Mcmhiojk.exe 36 PID 1368 wrote to memory of 2748 1368 Mcmhiojk.exe 36 PID 1368 wrote to memory of 2748 1368 Mcmhiojk.exe 36 PID 2748 wrote to memory of 1556 2748 Mekdekin.exe 37 PID 2748 wrote to memory of 1556 2748 Mekdekin.exe 37 PID 2748 wrote to memory of 1556 2748 Mekdekin.exe 37 PID 2748 wrote to memory of 1556 2748 Mekdekin.exe 37 PID 1556 wrote to memory of 344 1556 Mlelaeqk.exe 38 PID 1556 wrote to memory of 344 1556 Mlelaeqk.exe 38 PID 1556 wrote to memory of 344 1556 Mlelaeqk.exe 38 PID 1556 wrote to memory of 344 1556 Mlelaeqk.exe 38 PID 344 wrote to memory of 2332 344 Mcodno32.exe 39 PID 344 wrote to memory of 2332 344 Mcodno32.exe 39 PID 344 wrote to memory of 2332 344 Mcodno32.exe 39 PID 344 wrote to memory of 2332 344 Mcodno32.exe 39 PID 2332 wrote to memory of 1372 2332 Mdqafgnf.exe 40 PID 2332 wrote to memory of 1372 2332 Mdqafgnf.exe 40 PID 2332 wrote to memory of 1372 2332 Mdqafgnf.exe 40 PID 2332 wrote to memory of 1372 2332 Mdqafgnf.exe 40 PID 1372 wrote to memory of 2912 1372 Mofecpnl.exe 41 PID 1372 wrote to memory of 2912 1372 Mofecpnl.exe 41 PID 1372 wrote to memory of 2912 1372 Mofecpnl.exe 41 PID 1372 wrote to memory of 2912 1372 Mofecpnl.exe 41 PID 2912 wrote to memory of 1200 2912 Madapkmp.exe 42 PID 2912 wrote to memory of 1200 2912 Madapkmp.exe 42 PID 2912 wrote to memory of 1200 2912 Madapkmp.exe 42 PID 2912 wrote to memory of 1200 2912 Madapkmp.exe 42 PID 1200 wrote to memory of 664 1200 Mepnpj32.exe 43 PID 1200 wrote to memory of 664 1200 Mepnpj32.exe 43 PID 1200 wrote to memory of 664 1200 Mepnpj32.exe 43 PID 1200 wrote to memory of 664 1200 Mepnpj32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc45256aa1355ba1605f57de654bc429f4cdcbc2869188a3c0d6416321b6b2cd.exe"C:\Users\Admin\AppData\Local\Temp\bc45256aa1355ba1605f57de654bc429f4cdcbc2869188a3c0d6416321b6b2cd.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:344 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:664 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1052 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2056 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:904 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1300 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1552 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2316 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:876 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2388 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe33⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe34⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe36⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:860 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:800 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe39⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:276 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe41⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe43⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe44⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe45⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe46⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:288 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1700 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe50⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:644 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe52⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:1500 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe58⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe59⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe60⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe61⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:316 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:760 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe64⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe66⤵
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe67⤵PID:772
-
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:1084 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe69⤵
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe70⤵PID:3048
-
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe71⤵
- Drops file in System32 directory
PID:940 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3040 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe73⤵PID:896
-
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe74⤵
- Drops file in System32 directory
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe75⤵PID:2688
-
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe76⤵
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe77⤵PID:2480
-
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2124 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1548 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe80⤵PID:1260
-
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe81⤵PID:1908
-
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe83⤵PID:2820
-
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe84⤵PID:584
-
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe85⤵PID:2312
-
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe86⤵
- Drops file in System32 directory
PID:1220 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe87⤵PID:2136
-
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1192 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1272 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe90⤵PID:2636
-
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2060 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe92⤵PID:2740
-
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe93⤵
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe94⤵PID:1132
-
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe96⤵PID:2120
-
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe97⤵
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe98⤵PID:804
-
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe100⤵
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe101⤵PID:1008
-
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe102⤵
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe103⤵PID:1680
-
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe104⤵PID:2592
-
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe105⤵PID:1652
-
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe106⤵
- Drops file in System32 directory
- Modifies registry class
PID:1496 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1576 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2112 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe110⤵PID:2920
-
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe111⤵PID:1616
-
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe112⤵PID:2296
-
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe113⤵PID:600
-
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe114⤵
- Drops file in System32 directory
PID:1704 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe115⤵PID:2004
-
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe117⤵
- Drops file in System32 directory
PID:2496 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe118⤵PID:2028
-
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe119⤵
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe120⤵
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2932
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-