Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
19/06/2024, 22:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5e9d70d47915e0906d0e2c11ad30a211670a7890d1d2a29adeb8310f58cb35d8.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
5e9d70d47915e0906d0e2c11ad30a211670a7890d1d2a29adeb8310f58cb35d8.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
5e9d70d47915e0906d0e2c11ad30a211670a7890d1d2a29adeb8310f58cb35d8.exe
-
Size
451KB
-
MD5
2a53b61fad79ae23709a4b185decff4b
-
SHA1
aedf6cf8dab7d9ac5555233b509d844fbc4c42e9
-
SHA256
5e9d70d47915e0906d0e2c11ad30a211670a7890d1d2a29adeb8310f58cb35d8
-
SHA512
73a30c1c1c137ed1e96ee5cfa95ae1f8bff95a329cfb1fea9b835ec886aa958cf0c7d1c1d2aafce7e4f1e9e0ec435194704ef83b727b3b91d7cb28ac37f36cfa
-
SSDEEP
6144:/sf0YWVdAXPQ///NR5fLYG3eujPQ///NR5fqZo4tjS6Y:bbn/NcZ7/NC64tm6Y
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibhndp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhmcmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhnkffeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olkifaen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igqhpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imleli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmkomchi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibcnojnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmebnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaaifdhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjnjjbbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kklkcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfmhdpnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfmhdpnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Conkepdq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgigil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncfalqpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Halbai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idkpganf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkhdkgnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgfdie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdnjkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpdkii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idmkdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihmgiiff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jolghndm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obbdml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Legmbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qododfek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbemb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhbhmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfoaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnbjlpom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pljcllqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqlicclo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fodebh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loefnpnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hapklimq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pejmfqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Godaakic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcjnfdbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgbaml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdmepgce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Honnki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjfnnajl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noffdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfaalh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llpfjomf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddfebnoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjebdfnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmoofdea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iladfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncinap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjljnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phcpgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jaecod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpggei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neknki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcomce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eipgjaoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahpbkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejehgkdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohfqmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppcbgkka.exe -
Executes dropped EXE 64 IoCs
pid Process 2576 Kiijnq32.exe 2760 Kfbcbd32.exe 2708 Lanaiahq.exe 2656 Lmebnb32.exe 2560 Legmbd32.exe 2464 Mooaljkh.exe 756 Moanaiie.exe 2800 Ngfflj32.exe 2348 Ncmfqkdj.exe 1784 Okoafmkm.exe 1924 Ogkkfmml.exe 2248 Pjnamh32.exe 2460 Pgbafl32.exe 1676 Pkdgpo32.exe 1928 Aniimjbo.exe 3048 Acmhepko.exe 544 Becnhgmg.exe 2340 Bbikgk32.exe 1812 Bmclhi32.exe 1760 Cpceidcn.exe 1388 Cdanpb32.exe 1952 Conkepdq.exe 632 Cicpch32.exe 1208 Cophko32.exe 2028 Dkgippgb.exe 868 Ddajoelp.exe 2916 Dnjngk32.exe 1712 Dpmdofno.exe 2588 Ejehgkdp.exe 1304 Ecpjfq32.exe 2712 Ekknjcfh.exe 2772 Edccch32.exe 1740 Fokdfajl.exe 684 Fblmglgm.exe 580 Fgkbeb32.exe 2840 Fpicodoj.exe 2832 Giahhj32.exe 976 Gehhmkko.exe 1800 Gnbjlpom.exe 1708 Gligjd32.exe 2544 Hafock32.exe 2668 Hdfhdfgl.exe 2008 Hjqqap32.exe 2888 Hdiejfej.exe 1684 Hfjnla32.exe 2428 Hlffdh32.exe 1804 Ihmgiiff.exe 1964 Ibckfa32.exe 1360 Ioilkblq.exe 2352 Iecdhm32.exe 1336 Iefamlak.exe 2000 Ippbnjni.exe 1992 Iihfgp32.exe 1596 Idmkdh32.exe 2744 Jpdkii32.exe 2732 Jnhlbn32.exe 2644 Jcedkd32.exe 2496 Jpiedieo.exe 2940 Jlpeij32.exe 664 Jcjnfdbp.exe 2684 Jkebjf32.exe 1776 Kbokgpgg.exe 536 Kmmebm32.exe 1636 Kfeikcfa.exe -
Loads dropped DLL 64 IoCs
pid Process 2852 5e9d70d47915e0906d0e2c11ad30a211670a7890d1d2a29adeb8310f58cb35d8.exe 2852 5e9d70d47915e0906d0e2c11ad30a211670a7890d1d2a29adeb8310f58cb35d8.exe 2576 Kiijnq32.exe 2576 Kiijnq32.exe 2760 Kfbcbd32.exe 2760 Kfbcbd32.exe 2708 Lanaiahq.exe 2708 Lanaiahq.exe 2656 Lmebnb32.exe 2656 Lmebnb32.exe 2560 Legmbd32.exe 2560 Legmbd32.exe 2464 Mooaljkh.exe 2464 Mooaljkh.exe 756 Moanaiie.exe 756 Moanaiie.exe 2800 Ngfflj32.exe 2800 Ngfflj32.exe 2348 Ncmfqkdj.exe 2348 Ncmfqkdj.exe 1784 Okoafmkm.exe 1784 Okoafmkm.exe 1924 Ogkkfmml.exe 1924 Ogkkfmml.exe 2248 Pjnamh32.exe 2248 Pjnamh32.exe 2460 Pgbafl32.exe 2460 Pgbafl32.exe 1676 Pkdgpo32.exe 1676 Pkdgpo32.exe 1928 Aniimjbo.exe 1928 Aniimjbo.exe 3048 Acmhepko.exe 3048 Acmhepko.exe 544 Becnhgmg.exe 544 Becnhgmg.exe 2340 Bbikgk32.exe 2340 Bbikgk32.exe 1812 Bmclhi32.exe 1812 Bmclhi32.exe 1760 Cpceidcn.exe 1760 Cpceidcn.exe 1388 Cdanpb32.exe 1388 Cdanpb32.exe 1952 Conkepdq.exe 1952 Conkepdq.exe 632 Cicpch32.exe 632 Cicpch32.exe 1208 Cophko32.exe 1208 Cophko32.exe 2028 Dkgippgb.exe 2028 Dkgippgb.exe 868 Ddajoelp.exe 868 Ddajoelp.exe 2916 Dnjngk32.exe 2916 Dnjngk32.exe 1712 Dpmdofno.exe 1712 Dpmdofno.exe 2588 Ejehgkdp.exe 2588 Ejehgkdp.exe 1304 Ecpjfq32.exe 1304 Ecpjfq32.exe 2712 Ekknjcfh.exe 2712 Ekknjcfh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Obbdml32.exe Nbpghl32.exe File opened for modification C:\Windows\SysWOW64\Cfckcoen.exe Cjljnn32.exe File opened for modification C:\Windows\SysWOW64\Jnhlbn32.exe Jpdkii32.exe File created C:\Windows\SysWOW64\Dhbhmb32.exe Dojddmec.exe File opened for modification C:\Windows\SysWOW64\Efljhq32.exe Efjmbaba.exe File created C:\Windows\SysWOW64\Dllbljej.dll Hlafnbal.exe File created C:\Windows\SysWOW64\Pclmghko.dll Iefcfe32.exe File created C:\Windows\SysWOW64\Hadcipbi.exe Gekfnoog.exe File created C:\Windows\SysWOW64\Lbemfbdk.exe Lklejh32.exe File created C:\Windows\SysWOW64\Eipgjaoi.exe Eaebeoan.exe File created C:\Windows\SysWOW64\Alacdcjm.dll Phfmllbd.exe File opened for modification C:\Windows\SysWOW64\Aknlofim.exe Anjlebjc.exe File created C:\Windows\SysWOW64\Clpabm32.exe Ccdmnj32.exe File created C:\Windows\SysWOW64\Bgcbhd32.exe Bfdenafn.exe File created C:\Windows\SysWOW64\Lgkkmm32.exe Lopfhk32.exe File created C:\Windows\SysWOW64\Mgbaml32.exe Lgpdglhn.exe File created C:\Windows\SysWOW64\Kiijnq32.exe 5e9d70d47915e0906d0e2c11ad30a211670a7890d1d2a29adeb8310f58cb35d8.exe File created C:\Windows\SysWOW64\Clhfpifk.dll Opifnm32.exe File created C:\Windows\SysWOW64\Bhcool32.dll Dfcgbb32.exe File opened for modification C:\Windows\SysWOW64\Lhiddoph.exe Lidgcclp.exe File opened for modification C:\Windows\SysWOW64\Lgkkmm32.exe Lopfhk32.exe File created C:\Windows\SysWOW64\Iegeonpc.exe Ijaaae32.exe File opened for modification C:\Windows\SysWOW64\Mclcijfd.exe Mcifdj32.exe File opened for modification C:\Windows\SysWOW64\Aojabdlf.exe Aohdmdoh.exe File created C:\Windows\SysWOW64\Fpkbeabf.dll Eolmip32.exe File created C:\Windows\SysWOW64\Foafdoag.exe Fmcjhdbc.exe File opened for modification C:\Windows\SysWOW64\Hlafnbal.exe Halbai32.exe File created C:\Windows\SysWOW64\Fdpojm32.dll Nbpghl32.exe File created C:\Windows\SysWOW64\Enjjhk32.dll Qglmpi32.exe File created C:\Windows\SysWOW64\Mknhnalm.dll Affdle32.exe File created C:\Windows\SysWOW64\Kgclio32.exe Kklkcn32.exe File created C:\Windows\SysWOW64\Kjcijlpq.dll Hqiqjlga.exe File created C:\Windows\SysWOW64\Lnlnlc32.exe Lbemfbdk.exe File created C:\Windows\SysWOW64\Nhdhif32.exe Nnkcpq32.exe File opened for modification C:\Windows\SysWOW64\Meabakda.exe Meoell32.exe File created C:\Windows\SysWOW64\Bbbgod32.exe Amfognic.exe File created C:\Windows\SysWOW64\Nebhgckp.dll Eaheeecg.exe File created C:\Windows\SysWOW64\Oplelf32.exe Ojomdoof.exe File opened for modification C:\Windows\SysWOW64\Akfkbd32.exe Aficjnpm.exe File opened for modification C:\Windows\SysWOW64\Iladfn32.exe Ipjdameg.exe File created C:\Windows\SysWOW64\Dkbfgoak.dll Hloiib32.exe File created C:\Windows\SysWOW64\Mkgpnd32.dll Lcomce32.exe File opened for modification C:\Windows\SysWOW64\Gqlebf32.exe Gjbmelgm.exe File opened for modification C:\Windows\SysWOW64\Pgbdodnh.exe Pgpgjepk.exe File created C:\Windows\SysWOW64\Mmdjkhdh.exe Mkqqnq32.exe File created C:\Windows\SysWOW64\Gpggei32.exe Fgocmc32.exe File opened for modification C:\Windows\SysWOW64\Hjfnnajl.exe Hoqjqhjf.exe File opened for modification C:\Windows\SysWOW64\Pqkobqhd.exe Phpjnnki.exe File created C:\Windows\SysWOW64\Dmgkgeah.exe Dbafjlaa.exe File opened for modification C:\Windows\SysWOW64\Hdfhdfgl.exe Hafock32.exe File created C:\Windows\SysWOW64\Odbeilbg.exe Nkjapglg.exe File opened for modification C:\Windows\SysWOW64\Kdjccf32.exe Jplkmgol.exe File opened for modification C:\Windows\SysWOW64\Ijaaae32.exe Igqhpj32.exe File created C:\Windows\SysWOW64\Fgkbeb32.exe Fblmglgm.exe File opened for modification C:\Windows\SysWOW64\Nbjcqe32.exe Noljjglk.exe File created C:\Windows\SysWOW64\Bajqfq32.exe Bgblmk32.exe File created C:\Windows\SysWOW64\Pnbojmmp.exe Pgfjhcge.exe File created C:\Windows\SysWOW64\Gbnbjo32.dll Bffbdadk.exe File created C:\Windows\SysWOW64\Dokmejcg.dll Lgkkmm32.exe File created C:\Windows\SysWOW64\Hgapag32.dll Lngpog32.exe File created C:\Windows\SysWOW64\Bccblb32.dll Cfoaho32.exe File created C:\Windows\SysWOW64\Kjfmokdk.dll Iefamlak.exe File created C:\Windows\SysWOW64\Cohkpj32.exe Cbajkiof.exe File opened for modification C:\Windows\SysWOW64\Ghlfjq32.exe Godaakic.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2512 4596 WerFault.exe 497 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcohnaep.dll" Ppcbgkka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cagienkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iigpli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnpgeopa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgblmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgfjhcge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhmaeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Colpld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Feddombd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iecdhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhafhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jacfidem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmegjdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meabakda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdhclbka.dll" Jolghndm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnbjlpom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Poeipifl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieaiebmn.dll" Dhbhmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbfepmmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbefcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmgfqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgofmajn.dll" Edccch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gehhmkko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjcijlpq.dll" Hqiqjlga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aojabdlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbcafk32.dll" Laqojfli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onocmadb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eolmip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlfacfpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkglnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bffbdadk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll" Bqlfaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gioicn32.dll" Aniimjbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpicodoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnbbcale.dll" Giolnomh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhlgmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lopfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefcmp32.dll" Popgboae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enghee32.dll" Lqmjnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnlnlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbdlkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkqqnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibbklamb.dll" Achjibcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 5e9d70d47915e0906d0e2c11ad30a211670a7890d1d2a29adeb8310f58cb35d8.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkgippgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gplaplgi.dll" Meabakda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojefmknj.dll" Piicpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnfak32.dll" Lopfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lngpog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efljhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpfppg32.dll" Lanaiahq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpmdofno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpadhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndkhngdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okdmjdol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clpabm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gligjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdkak32.dll" Ilcoce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Affdle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmbemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfkifhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ailhedbj.dll" Ibhndp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bckjhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klbdgb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2852 wrote to memory of 2576 2852 5e9d70d47915e0906d0e2c11ad30a211670a7890d1d2a29adeb8310f58cb35d8.exe 28 PID 2852 wrote to memory of 2576 2852 5e9d70d47915e0906d0e2c11ad30a211670a7890d1d2a29adeb8310f58cb35d8.exe 28 PID 2852 wrote to memory of 2576 2852 5e9d70d47915e0906d0e2c11ad30a211670a7890d1d2a29adeb8310f58cb35d8.exe 28 PID 2852 wrote to memory of 2576 2852 5e9d70d47915e0906d0e2c11ad30a211670a7890d1d2a29adeb8310f58cb35d8.exe 28 PID 2576 wrote to memory of 2760 2576 Kiijnq32.exe 29 PID 2576 wrote to memory of 2760 2576 Kiijnq32.exe 29 PID 2576 wrote to memory of 2760 2576 Kiijnq32.exe 29 PID 2576 wrote to memory of 2760 2576 Kiijnq32.exe 29 PID 2760 wrote to memory of 2708 2760 Kfbcbd32.exe 30 PID 2760 wrote to memory of 2708 2760 Kfbcbd32.exe 30 PID 2760 wrote to memory of 2708 2760 Kfbcbd32.exe 30 PID 2760 wrote to memory of 2708 2760 Kfbcbd32.exe 30 PID 2708 wrote to memory of 2656 2708 Lanaiahq.exe 31 PID 2708 wrote to memory of 2656 2708 Lanaiahq.exe 31 PID 2708 wrote to memory of 2656 2708 Lanaiahq.exe 31 PID 2708 wrote to memory of 2656 2708 Lanaiahq.exe 31 PID 2656 wrote to memory of 2560 2656 Lmebnb32.exe 32 PID 2656 wrote to memory of 2560 2656 Lmebnb32.exe 32 PID 2656 wrote to memory of 2560 2656 Lmebnb32.exe 32 PID 2656 wrote to memory of 2560 2656 Lmebnb32.exe 32 PID 2560 wrote to memory of 2464 2560 Legmbd32.exe 33 PID 2560 wrote to memory of 2464 2560 Legmbd32.exe 33 PID 2560 wrote to memory of 2464 2560 Legmbd32.exe 33 PID 2560 wrote to memory of 2464 2560 Legmbd32.exe 33 PID 2464 wrote to memory of 756 2464 Mooaljkh.exe 34 PID 2464 wrote to memory of 756 2464 Mooaljkh.exe 34 PID 2464 wrote to memory of 756 2464 Mooaljkh.exe 34 PID 2464 wrote to memory of 756 2464 Mooaljkh.exe 34 PID 756 wrote to memory of 2800 756 Moanaiie.exe 35 PID 756 wrote to memory of 2800 756 Moanaiie.exe 35 PID 756 wrote to memory of 2800 756 Moanaiie.exe 35 PID 756 wrote to memory of 2800 756 Moanaiie.exe 35 PID 2800 wrote to memory of 2348 2800 Ngfflj32.exe 36 PID 2800 wrote to memory of 2348 2800 Ngfflj32.exe 36 PID 2800 wrote to memory of 2348 2800 Ngfflj32.exe 36 PID 2800 wrote to memory of 2348 2800 Ngfflj32.exe 36 PID 2348 wrote to memory of 1784 2348 Ncmfqkdj.exe 37 PID 2348 wrote to memory of 1784 2348 Ncmfqkdj.exe 37 PID 2348 wrote to memory of 1784 2348 Ncmfqkdj.exe 37 PID 2348 wrote to memory of 1784 2348 Ncmfqkdj.exe 37 PID 1784 wrote to memory of 1924 1784 Okoafmkm.exe 38 PID 1784 wrote to memory of 1924 1784 Okoafmkm.exe 38 PID 1784 wrote to memory of 1924 1784 Okoafmkm.exe 38 PID 1784 wrote to memory of 1924 1784 Okoafmkm.exe 38 PID 1924 wrote to memory of 2248 1924 Ogkkfmml.exe 39 PID 1924 wrote to memory of 2248 1924 Ogkkfmml.exe 39 PID 1924 wrote to memory of 2248 1924 Ogkkfmml.exe 39 PID 1924 wrote to memory of 2248 1924 Ogkkfmml.exe 39 PID 2248 wrote to memory of 2460 2248 Pjnamh32.exe 40 PID 2248 wrote to memory of 2460 2248 Pjnamh32.exe 40 PID 2248 wrote to memory of 2460 2248 Pjnamh32.exe 40 PID 2248 wrote to memory of 2460 2248 Pjnamh32.exe 40 PID 2460 wrote to memory of 1676 2460 Pgbafl32.exe 41 PID 2460 wrote to memory of 1676 2460 Pgbafl32.exe 41 PID 2460 wrote to memory of 1676 2460 Pgbafl32.exe 41 PID 2460 wrote to memory of 1676 2460 Pgbafl32.exe 41 PID 1676 wrote to memory of 1928 1676 Pkdgpo32.exe 42 PID 1676 wrote to memory of 1928 1676 Pkdgpo32.exe 42 PID 1676 wrote to memory of 1928 1676 Pkdgpo32.exe 42 PID 1676 wrote to memory of 1928 1676 Pkdgpo32.exe 42 PID 1928 wrote to memory of 3048 1928 Aniimjbo.exe 43 PID 1928 wrote to memory of 3048 1928 Aniimjbo.exe 43 PID 1928 wrote to memory of 3048 1928 Aniimjbo.exe 43 PID 1928 wrote to memory of 3048 1928 Aniimjbo.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e9d70d47915e0906d0e2c11ad30a211670a7890d1d2a29adeb8310f58cb35d8.exe"C:\Users\Admin\AppData\Local\Temp\5e9d70d47915e0906d0e2c11ad30a211670a7890d1d2a29adeb8310f58cb35d8.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Kiijnq32.exeC:\Windows\system32\Kiijnq32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Kfbcbd32.exeC:\Windows\system32\Kfbcbd32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Lanaiahq.exeC:\Windows\system32\Lanaiahq.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Lmebnb32.exeC:\Windows\system32\Lmebnb32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Legmbd32.exeC:\Windows\system32\Legmbd32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Mooaljkh.exeC:\Windows\system32\Mooaljkh.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Moanaiie.exeC:\Windows\system32\Moanaiie.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Ngfflj32.exeC:\Windows\system32\Ngfflj32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Ncmfqkdj.exeC:\Windows\system32\Ncmfqkdj.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Okoafmkm.exeC:\Windows\system32\Okoafmkm.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\Ogkkfmml.exeC:\Windows\system32\Ogkkfmml.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Pjnamh32.exeC:\Windows\system32\Pjnamh32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Pgbafl32.exeC:\Windows\system32\Pgbafl32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Pkdgpo32.exeC:\Windows\system32\Pkdgpo32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Aniimjbo.exeC:\Windows\system32\Aniimjbo.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Acmhepko.exeC:\Windows\system32\Acmhepko.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3048 -
C:\Windows\SysWOW64\Becnhgmg.exeC:\Windows\system32\Becnhgmg.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:544 -
C:\Windows\SysWOW64\Bbikgk32.exeC:\Windows\system32\Bbikgk32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2340 -
C:\Windows\SysWOW64\Bmclhi32.exeC:\Windows\system32\Bmclhi32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1812 -
C:\Windows\SysWOW64\Cpceidcn.exeC:\Windows\system32\Cpceidcn.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1760 -
C:\Windows\SysWOW64\Cdanpb32.exeC:\Windows\system32\Cdanpb32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1388 -
C:\Windows\SysWOW64\Conkepdq.exeC:\Windows\system32\Conkepdq.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1952 -
C:\Windows\SysWOW64\Cicpch32.exeC:\Windows\system32\Cicpch32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:632 -
C:\Windows\SysWOW64\Cophko32.exeC:\Windows\system32\Cophko32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1208 -
C:\Windows\SysWOW64\Dkgippgb.exeC:\Windows\system32\Dkgippgb.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Ddajoelp.exeC:\Windows\system32\Ddajoelp.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:868 -
C:\Windows\SysWOW64\Dnjngk32.exeC:\Windows\system32\Dnjngk32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Dpmdofno.exeC:\Windows\system32\Dpmdofno.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Ejehgkdp.exeC:\Windows\system32\Ejehgkdp.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Ecpjfq32.exeC:\Windows\system32\Ecpjfq32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1304 -
C:\Windows\SysWOW64\Ekknjcfh.exeC:\Windows\system32\Ekknjcfh.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Edccch32.exeC:\Windows\system32\Edccch32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Fokdfajl.exeC:\Windows\system32\Fokdfajl.exe34⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Fblmglgm.exeC:\Windows\system32\Fblmglgm.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:684 -
C:\Windows\SysWOW64\Fgkbeb32.exeC:\Windows\system32\Fgkbeb32.exe36⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Fpicodoj.exeC:\Windows\system32\Fpicodoj.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Giahhj32.exeC:\Windows\system32\Giahhj32.exe38⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Gehhmkko.exeC:\Windows\system32\Gehhmkko.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:976 -
C:\Windows\SysWOW64\Gnbjlpom.exeC:\Windows\system32\Gnbjlpom.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Gligjd32.exeC:\Windows\system32\Gligjd32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Hafock32.exeC:\Windows\system32\Hafock32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2544 -
C:\Windows\SysWOW64\Hdfhdfgl.exeC:\Windows\system32\Hdfhdfgl.exe43⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Hjqqap32.exeC:\Windows\system32\Hjqqap32.exe44⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Hdiejfej.exeC:\Windows\system32\Hdiejfej.exe45⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Hfjnla32.exeC:\Windows\system32\Hfjnla32.exe46⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Hlffdh32.exeC:\Windows\system32\Hlffdh32.exe47⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Ihmgiiff.exeC:\Windows\system32\Ihmgiiff.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Ibckfa32.exeC:\Windows\system32\Ibckfa32.exe49⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Ioilkblq.exeC:\Windows\system32\Ioilkblq.exe50⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Iecdhm32.exeC:\Windows\system32\Iecdhm32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Iefamlak.exeC:\Windows\system32\Iefamlak.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1336 -
C:\Windows\SysWOW64\Ippbnjni.exeC:\Windows\system32\Ippbnjni.exe53⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Iihfgp32.exeC:\Windows\system32\Iihfgp32.exe54⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Idmkdh32.exeC:\Windows\system32\Idmkdh32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Jpdkii32.exeC:\Windows\system32\Jpdkii32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2744 -
C:\Windows\SysWOW64\Jnhlbn32.exeC:\Windows\system32\Jnhlbn32.exe57⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Jcedkd32.exeC:\Windows\system32\Jcedkd32.exe58⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Jpiedieo.exeC:\Windows\system32\Jpiedieo.exe59⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Jlpeij32.exeC:\Windows\system32\Jlpeij32.exe60⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Jcjnfdbp.exeC:\Windows\system32\Jcjnfdbp.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:664 -
C:\Windows\SysWOW64\Jkebjf32.exeC:\Windows\system32\Jkebjf32.exe62⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Kbokgpgg.exeC:\Windows\system32\Kbokgpgg.exe63⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Kmmebm32.exeC:\Windows\system32\Kmmebm32.exe64⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Kfeikcfa.exeC:\Windows\system32\Kfeikcfa.exe65⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Konndhmb.exeC:\Windows\system32\Konndhmb.exe66⤵PID:940
-
C:\Windows\SysWOW64\Lifbmn32.exeC:\Windows\system32\Lifbmn32.exe67⤵PID:1324
-
C:\Windows\SysWOW64\Lqmjnk32.exeC:\Windows\system32\Lqmjnk32.exe68⤵
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Ljfogake.exeC:\Windows\system32\Ljfogake.exe69⤵PID:2132
-
C:\Windows\SysWOW64\Lcncpfaf.exeC:\Windows\system32\Lcncpfaf.exe70⤵PID:1128
-
C:\Windows\SysWOW64\Lpedeg32.exeC:\Windows\system32\Lpedeg32.exe71⤵PID:972
-
C:\Windows\SysWOW64\Lfolaang.exeC:\Windows\system32\Lfolaang.exe72⤵PID:892
-
C:\Windows\SysWOW64\Lklejh32.exeC:\Windows\system32\Lklejh32.exe73⤵
- Drops file in System32 directory
PID:1704 -
C:\Windows\SysWOW64\Lbemfbdk.exeC:\Windows\system32\Lbemfbdk.exe74⤵
- Drops file in System32 directory
PID:1516 -
C:\Windows\SysWOW64\Lnlnlc32.exeC:\Windows\system32\Lnlnlc32.exe75⤵
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Mcifdj32.exeC:\Windows\system32\Mcifdj32.exe76⤵
- Drops file in System32 directory
PID:2756 -
C:\Windows\SysWOW64\Mclcijfd.exeC:\Windows\system32\Mclcijfd.exe77⤵PID:2596
-
C:\Windows\SysWOW64\Mpbdnk32.exeC:\Windows\system32\Mpbdnk32.exe78⤵PID:1116
-
C:\Windows\SysWOW64\Mpdqdkie.exeC:\Windows\system32\Mpdqdkie.exe79⤵PID:864
-
C:\Windows\SysWOW64\Mjjdacik.exeC:\Windows\system32\Mjjdacik.exe80⤵PID:2144
-
C:\Windows\SysWOW64\Mdbiji32.exeC:\Windows\system32\Mdbiji32.exe81⤵PID:656
-
C:\Windows\SysWOW64\Noljjglk.exeC:\Windows\system32\Noljjglk.exe82⤵
- Drops file in System32 directory
PID:1944 -
C:\Windows\SysWOW64\Nbjcqe32.exeC:\Windows\system32\Nbjcqe32.exe83⤵PID:2184
-
C:\Windows\SysWOW64\Nidkmojn.exeC:\Windows\system32\Nidkmojn.exe84⤵PID:2308
-
C:\Windows\SysWOW64\Nblpfepo.exeC:\Windows\system32\Nblpfepo.exe85⤵PID:2336
-
C:\Windows\SysWOW64\Nkhdkgnj.exeC:\Windows\system32\Nkhdkgnj.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1848 -
C:\Windows\SysWOW64\Ndpicm32.exeC:\Windows\system32\Ndpicm32.exe87⤵PID:604
-
C:\Windows\SysWOW64\Nkjapglg.exeC:\Windows\system32\Nkjapglg.exe88⤵
- Drops file in System32 directory
PID:272 -
C:\Windows\SysWOW64\Odbeilbg.exeC:\Windows\system32\Odbeilbg.exe89⤵PID:1532
-
C:\Windows\SysWOW64\Opifnm32.exeC:\Windows\system32\Opifnm32.exe90⤵
- Drops file in System32 directory
PID:2256 -
C:\Windows\SysWOW64\Olpgconp.exeC:\Windows\system32\Olpgconp.exe91⤵PID:1048
-
C:\Windows\SysWOW64\Onocmadb.exeC:\Windows\system32\Onocmadb.exe92⤵
- Modifies registry class
PID:1244 -
C:\Windows\SysWOW64\Ooqpdj32.exeC:\Windows\system32\Ooqpdj32.exe93⤵PID:2696
-
C:\Windows\SysWOW64\Oaaifdhb.exeC:\Windows\system32\Oaaifdhb.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1572 -
C:\Windows\SysWOW64\Poeipifl.exeC:\Windows\system32\Poeipifl.exe95⤵
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Plijimee.exeC:\Windows\system32\Plijimee.exe96⤵PID:2616
-
C:\Windows\SysWOW64\Phpjnnki.exeC:\Windows\system32\Phpjnnki.exe97⤵
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Pqkobqhd.exeC:\Windows\system32\Pqkobqhd.exe98⤵PID:2216
-
C:\Windows\SysWOW64\Pnopldgn.exeC:\Windows\system32\Pnopldgn.exe99⤵PID:2848
-
C:\Windows\SysWOW64\Pggdejno.exeC:\Windows\system32\Pggdejno.exe100⤵PID:2156
-
C:\Windows\SysWOW64\Pcnejk32.exeC:\Windows\system32\Pcnejk32.exe101⤵PID:948
-
C:\Windows\SysWOW64\Qglmpi32.exeC:\Windows\system32\Qglmpi32.exe102⤵
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Abfnpg32.exeC:\Windows\system32\Abfnpg32.exe103⤵PID:2360
-
C:\Windows\SysWOW64\Aojojl32.exeC:\Windows\system32\Aojojl32.exe104⤵PID:1748
-
C:\Windows\SysWOW64\Akqpom32.exeC:\Windows\system32\Akqpom32.exe105⤵PID:436
-
C:\Windows\SysWOW64\Affdle32.exeC:\Windows\system32\Affdle32.exe106⤵
- Drops file in System32 directory
- Modifies registry class
PID:1288 -
C:\Windows\SysWOW64\Aidphq32.exeC:\Windows\system32\Aidphq32.exe107⤵PID:968
-
C:\Windows\SysWOW64\Agjmim32.exeC:\Windows\system32\Agjmim32.exe108⤵PID:1452
-
C:\Windows\SysWOW64\Aboaff32.exeC:\Windows\system32\Aboaff32.exe109⤵PID:2020
-
C:\Windows\SysWOW64\Acqnnndl.exeC:\Windows\system32\Acqnnndl.exe110⤵PID:2764
-
C:\Windows\SysWOW64\Bepjha32.exeC:\Windows\system32\Bepjha32.exe111⤵PID:2816
-
C:\Windows\SysWOW64\Bmkomchi.exeC:\Windows\system32\Bmkomchi.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2944 -
C:\Windows\SysWOW64\Bfccei32.exeC:\Windows\system32\Bfccei32.exe113⤵PID:900
-
C:\Windows\SysWOW64\Bcgdom32.exeC:\Windows\system32\Bcgdom32.exe114⤵PID:2196
-
C:\Windows\SysWOW64\Blchcpko.exeC:\Windows\system32\Blchcpko.exe115⤵PID:2688
-
C:\Windows\SysWOW64\Bmbemb32.exeC:\Windows\system32\Bmbemb32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Bfkifhib.exeC:\Windows\system32\Bfkifhib.exe117⤵
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe118⤵
- Drops file in System32 directory
PID:1132 -
C:\Windows\SysWOW64\Cohkpj32.exeC:\Windows\system32\Cohkpj32.exe119⤵PID:2012
-
C:\Windows\SysWOW64\Cebcmdlg.exeC:\Windows\system32\Cebcmdlg.exe120⤵PID:2964
-
C:\Windows\SysWOW64\Dbafjlaa.exeC:\Windows\system32\Dbafjlaa.exe121⤵
- Drops file in System32 directory
PID:2932
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-