Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
12/07/2024, 02:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2516d6d60382d334069cdfdb63434680N.exe
Resource
win7-20240705-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
2516d6d60382d334069cdfdb63434680N.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
120 seconds
General
-
Target
2516d6d60382d334069cdfdb63434680N.exe
-
Size
63KB
-
MD5
2516d6d60382d334069cdfdb63434680
-
SHA1
ad8d7e0a5e319346ebdbc10aa55818b469cf89aa
-
SHA256
1e788db382f83326934c691d5e2100bb0ed4c9af279e3cd5c6199f7415ba4368
-
SHA512
54bf9e7174f6746608024a8823e441a580d927c971dbf95ce15b32137592ceebd22aae28697915f0a1dd6bcc3670930347a714d08b428384481196255744fc8f
-
SSDEEP
768:WuZlFREQFOj0dKBE4rkc1Yuvjpbsj92OMDwnhdC3BXd0wVlehZ/1H5RdXdnhg20n:WunEOtdNCDrXd0wHw7bXH1juIZo
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcgkeonp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbdiabcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckgkfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmjdia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbhgbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccjpfmic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djhnmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Minnmomo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndekok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkbcjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipbgci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abejlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpldjajo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fndfmljk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbggqfca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deeeafii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnbfkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmhhcaik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qahnid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipedihgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjaiaolb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqijck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Medobp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqcncnpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pghmeikh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agmbolin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbgnpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmjdia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhbnjpic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgclpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blkgdmbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcinia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnkggjpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqbbig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aahdmanl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpehje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmeknakn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llpajmkq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lobgah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edghighp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmpkhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bajqcqli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgpqnpjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Legohm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhbnjpic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ponokmah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcolpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Donijk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eloimcca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaolne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piipibff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhqmogam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcgnfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnhlgoia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpccnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgbmdphe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bichbckg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhcanahm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddbbod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihcidgpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijklmn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmlcbafa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocbnqfln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofbgbaio.exe -
Executes dropped EXE 64 IoCs
pid Process 2020 Kpkali32.exe 1988 Kamncagl.exe 2684 Kkbbqjgb.exe 1660 Kbljmd32.exe 2884 Kgibeklf.exe 2616 Kmeknakn.exe 2596 Kcpcjl32.exe 1800 Lmhhcaik.exe 2412 Lcbppk32.exe 1096 Lmjdia32.exe 2988 Lcdmekne.exe 2996 Liaenblm.exe 2280 Llpajmkq.exe 2816 Llbnpm32.exe 1244 Lopjlh32.exe 2044 Lblflgqk.exe 2560 Lobgah32.exe 1644 Lbncbgoh.exe 704 Mkihfi32.exe 2340 Macpcccp.exe 3064 Mhmhpm32.exe 1136 Mogqlgbi.exe 1076 Mafmhcam.exe 984 Mknaahhn.exe 3052 Mmlmmdga.exe 832 Mkqnghfk.exe 1924 Mmojcceo.exe 1708 Majfcb32.exe 2160 Nldgdpjf.exe 2844 Nelkme32.exe 2768 Nlfdjphd.exe 2520 Nhmdoq32.exe 2564 Npdlpnnj.exe 2628 Nimaic32.exe 2900 Nlkmeo32.exe 2024 Nceeaikk.exe 3032 Nhbnjpic.exe 2956 Ohdkop32.exe 2664 Ooncljom.exe 2232 Okecak32.exe 1504 Oaolne32.exe 700 Onelbfab.exe 556 Oqdioaqf.exe 1320 Odpeop32.exe 2468 Omkidb32.exe 2316 Ogpnakfp.exe 936 Ojojmfed.exe 2360 Ohajic32.exe 1616 Pcgnfl32.exe 888 Pfekbg32.exe 2492 Pidgnc32.exe 2072 Pkbcjn32.exe 1692 Ponokmah.exe 2840 Pcikllja.exe 2888 Pfhghgie.exe 2720 Pifcdbhi.exe 2652 Pmbpda32.exe 2784 Poplqm32.exe 1640 Pncllifp.exe 3028 Pfjdmggb.exe 2980 Piipibff.exe 3040 Pgkqeo32.exe 2792 Pobhfl32.exe 2344 Pneiaidn.exe -
Loads dropped DLL 64 IoCs
pid Process 1540 2516d6d60382d334069cdfdb63434680N.exe 1540 2516d6d60382d334069cdfdb63434680N.exe 2020 Kpkali32.exe 2020 Kpkali32.exe 1988 Kamncagl.exe 1988 Kamncagl.exe 2684 Kkbbqjgb.exe 2684 Kkbbqjgb.exe 1660 Kbljmd32.exe 1660 Kbljmd32.exe 2884 Kgibeklf.exe 2884 Kgibeklf.exe 2616 Kmeknakn.exe 2616 Kmeknakn.exe 2596 Kcpcjl32.exe 2596 Kcpcjl32.exe 1800 Lmhhcaik.exe 1800 Lmhhcaik.exe 2412 Lcbppk32.exe 2412 Lcbppk32.exe 1096 Lmjdia32.exe 1096 Lmjdia32.exe 2988 Lcdmekne.exe 2988 Lcdmekne.exe 2996 Liaenblm.exe 2996 Liaenblm.exe 2280 Llpajmkq.exe 2280 Llpajmkq.exe 2816 Llbnpm32.exe 2816 Llbnpm32.exe 1244 Lopjlh32.exe 1244 Lopjlh32.exe 2044 Lblflgqk.exe 2044 Lblflgqk.exe 2560 Lobgah32.exe 2560 Lobgah32.exe 1644 Lbncbgoh.exe 1644 Lbncbgoh.exe 704 Mkihfi32.exe 704 Mkihfi32.exe 2340 Macpcccp.exe 2340 Macpcccp.exe 3064 Mhmhpm32.exe 3064 Mhmhpm32.exe 1136 Mogqlgbi.exe 1136 Mogqlgbi.exe 1076 Mafmhcam.exe 1076 Mafmhcam.exe 984 Mknaahhn.exe 984 Mknaahhn.exe 3052 Mmlmmdga.exe 3052 Mmlmmdga.exe 832 Mkqnghfk.exe 832 Mkqnghfk.exe 1924 Mmojcceo.exe 1924 Mmojcceo.exe 1708 Majfcb32.exe 1708 Majfcb32.exe 2160 Nldgdpjf.exe 2160 Nldgdpjf.exe 2844 Nelkme32.exe 2844 Nelkme32.exe 2768 Nlfdjphd.exe 2768 Nlfdjphd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mlogojjp.exe Mmlfcn32.exe File opened for modification C:\Windows\SysWOW64\Gijplg32.exe Ggicdo32.exe File created C:\Windows\SysWOW64\Hfqddkgm.dll Jhjldiln.exe File created C:\Windows\SysWOW64\Dclikp32.exe Dpnmoe32.exe File opened for modification C:\Windows\SysWOW64\Dbaflm32.exe Dcofqphi.exe File created C:\Windows\SysWOW64\Ndolpa32.dll Ofbgbaio.exe File opened for modification C:\Windows\SysWOW64\Bjehlldb.exe Bfjmkn32.exe File created C:\Windows\SysWOW64\Jbbpmo32.exe Jnfdlpje.exe File created C:\Windows\SysWOW64\Aipbidbj.exe Abejlj32.exe File opened for modification C:\Windows\SysWOW64\Jookedhp.exe Jhebij32.exe File opened for modification C:\Windows\SysWOW64\Minnmomo.exe Mjknab32.exe File created C:\Windows\SysWOW64\Fgbmdphe.exe Fqhegf32.exe File created C:\Windows\SysWOW64\Knjfogkd.dll Efakhk32.exe File created C:\Windows\SysWOW64\Bnoidn32.dll Oqdioaqf.exe File created C:\Windows\SysWOW64\Fedgnqao.dll Ahpfoa32.exe File created C:\Windows\SysWOW64\Dajjck32.dll Cdnicemo.exe File created C:\Windows\SysWOW64\Manknb32.dll Mcoioi32.exe File created C:\Windows\SysWOW64\Mphfji32.exe Minnmomo.exe File opened for modification C:\Windows\SysWOW64\Niednn32.exe Nanlla32.exe File created C:\Windows\SysWOW64\Lefhfe32.dll Nldgdpjf.exe File created C:\Windows\SysWOW64\Jhaceq32.dll Naebmppm.exe File opened for modification C:\Windows\SysWOW64\Aipbidbj.exe Abejlj32.exe File created C:\Windows\SysWOW64\Dgclpp32.exe Dddodd32.exe File opened for modification C:\Windows\SysWOW64\Djahmk32.exe Dgclpp32.exe File created C:\Windows\SysWOW64\Boohgk32.exe Bjclfmfe.exe File created C:\Windows\SysWOW64\Penioo32.dll Llmnjg32.exe File created C:\Windows\SysWOW64\Bpgjob32.exe Bmhncg32.exe File opened for modification C:\Windows\SysWOW64\Ndaaclac.exe Nabegpbp.exe File created C:\Windows\SysWOW64\Jbhpld32.dll Nkmffegm.exe File created C:\Windows\SysWOW64\Aigkfhbp.dll Ocbnqfln.exe File opened for modification C:\Windows\SysWOW64\Bichbckg.exe Bjphff32.exe File created C:\Windows\SysWOW64\Fbibaaia.dll Nelkme32.exe File created C:\Windows\SysWOW64\Jliaac32.dll Okecak32.exe File created C:\Windows\SysWOW64\Ehnknfdn.exe Ebccal32.exe File created C:\Windows\SysWOW64\Omccmkee.dll Gigjch32.exe File created C:\Windows\SysWOW64\Leilnllb.exe Lnpcabef.exe File created C:\Windows\SysWOW64\Ngajeg32.exe Nhojjjhj.exe File created C:\Windows\SysWOW64\Qbidffao.exe Qokhjjbk.exe File created C:\Windows\SysWOW64\Cdkfco32.exe Caligc32.exe File created C:\Windows\SysWOW64\Lcbppk32.exe Lmhhcaik.exe File opened for modification C:\Windows\SysWOW64\Hjeojnep.exe Hhfcnb32.exe File opened for modification C:\Windows\SysWOW64\Dphmiokb.exe Dechlfkl.exe File created C:\Windows\SysWOW64\Nedmil32.dll Dcjleq32.exe File created C:\Windows\SysWOW64\Gigjch32.exe Gapbbk32.exe File opened for modification C:\Windows\SysWOW64\Danblfmk.exe Dnbfkh32.exe File created C:\Windows\SysWOW64\Mbgapn32.dll Dddodd32.exe File opened for modification C:\Windows\SysWOW64\Acldpojj.exe Apphpp32.exe File created C:\Windows\SysWOW64\Djddbkck.exe Dfhial32.exe File created C:\Windows\SysWOW64\Okmpmg32.dll Qbggqfca.exe File created C:\Windows\SysWOW64\Qlqagg32.dll Dmhcgd32.exe File opened for modification C:\Windows\SysWOW64\Fnnbfjmp.exe Fkpfjnnl.exe File created C:\Windows\SysWOW64\Glgiaghd.dll Fnnbfjmp.exe File created C:\Windows\SysWOW64\Pidgnc32.exe Pfekbg32.exe File created C:\Windows\SysWOW64\Ndneljdm.dll Mpeidjfo.exe File created C:\Windows\SysWOW64\Ndekok32.exe Nmlcbafa.exe File created C:\Windows\SysWOW64\Dhimmamn.dll Cignlf32.exe File created C:\Windows\SysWOW64\Elpimpqf.dll Gmmihk32.exe File created C:\Windows\SysWOW64\Ghdjjgdp.dll Campbj32.exe File opened for modification C:\Windows\SysWOW64\Ebccal32.exe Ecabfpff.exe File created C:\Windows\SysWOW64\Mfdklc32.exe Momckfid.exe File created C:\Windows\SysWOW64\Nhjaok32.exe Neldbo32.exe File created C:\Windows\SysWOW64\Gckknqkg.exe Fqmobelc.exe File created C:\Windows\SysWOW64\Apbeeppo.exe Aihmhe32.exe File opened for modification C:\Windows\SysWOW64\Jcfmkcdn.exe Jojaje32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5972 5944 WerFault.exe 539 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjpihcg.dll" Bchmolkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glkinb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mafmhcam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfhcpggl.dll" Lhhhjhkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olapcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onkoadhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngdgkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apppkecb.dll" Bbpffhnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqhegf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeebfj32.dll" Clbdobpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpliec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpnbjfjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbffga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gniidaih.dll" Boohgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npphimpc.dll" Gdgadeee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhimmamn.dll" Cignlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gminbold.dll" Gaokhdja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Poplqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daedpf32.dll" Qklfqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apddce32.dll" Dlgjie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnfoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmhhcaik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjmdgmnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmgaikep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpimpqf.dll" Gmmihk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgcbpemp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqlhbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnglekch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llpajmkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cemfnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chkbjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klhniing.dll" Chkbjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glkinb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgbhe32.dll" Bamdcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oenjdp32.dll" Kmpkhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcajpjoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Padbmn32.dll" Danblfmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iabjgoga.dll" Abaaakob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kqijck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkfpefme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cagpldqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpkbmemd.dll" Kkbbqjgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgibeklf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geedqq32.dll" Omkidb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajcpgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcield32.dll" Gijplg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqonafca.dll" Bijobb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peandcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmkhid32.dll" Cpigeblb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhqmogam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmggi32.dll" Ipbgci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjpipkgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfcfocfd.dll" Ojojmfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abaaakob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmnnblmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opaeok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aihmhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfcfdk32.dll" Gaghcjhd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbeakllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecahfibj.dll" Legohm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oenngb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfekbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikafpbon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgoief32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1540 wrote to memory of 2020 1540 2516d6d60382d334069cdfdb63434680N.exe 29 PID 1540 wrote to memory of 2020 1540 2516d6d60382d334069cdfdb63434680N.exe 29 PID 1540 wrote to memory of 2020 1540 2516d6d60382d334069cdfdb63434680N.exe 29 PID 1540 wrote to memory of 2020 1540 2516d6d60382d334069cdfdb63434680N.exe 29 PID 2020 wrote to memory of 1988 2020 Kpkali32.exe 30 PID 2020 wrote to memory of 1988 2020 Kpkali32.exe 30 PID 2020 wrote to memory of 1988 2020 Kpkali32.exe 30 PID 2020 wrote to memory of 1988 2020 Kpkali32.exe 30 PID 1988 wrote to memory of 2684 1988 Kamncagl.exe 31 PID 1988 wrote to memory of 2684 1988 Kamncagl.exe 31 PID 1988 wrote to memory of 2684 1988 Kamncagl.exe 31 PID 1988 wrote to memory of 2684 1988 Kamncagl.exe 31 PID 2684 wrote to memory of 1660 2684 Kkbbqjgb.exe 32 PID 2684 wrote to memory of 1660 2684 Kkbbqjgb.exe 32 PID 2684 wrote to memory of 1660 2684 Kkbbqjgb.exe 32 PID 2684 wrote to memory of 1660 2684 Kkbbqjgb.exe 32 PID 1660 wrote to memory of 2884 1660 Kbljmd32.exe 33 PID 1660 wrote to memory of 2884 1660 Kbljmd32.exe 33 PID 1660 wrote to memory of 2884 1660 Kbljmd32.exe 33 PID 1660 wrote to memory of 2884 1660 Kbljmd32.exe 33 PID 2884 wrote to memory of 2616 2884 Kgibeklf.exe 34 PID 2884 wrote to memory of 2616 2884 Kgibeklf.exe 34 PID 2884 wrote to memory of 2616 2884 Kgibeklf.exe 34 PID 2884 wrote to memory of 2616 2884 Kgibeklf.exe 34 PID 2616 wrote to memory of 2596 2616 Kmeknakn.exe 35 PID 2616 wrote to memory of 2596 2616 Kmeknakn.exe 35 PID 2616 wrote to memory of 2596 2616 Kmeknakn.exe 35 PID 2616 wrote to memory of 2596 2616 Kmeknakn.exe 35 PID 2596 wrote to memory of 1800 2596 Kcpcjl32.exe 36 PID 2596 wrote to memory of 1800 2596 Kcpcjl32.exe 36 PID 2596 wrote to memory of 1800 2596 Kcpcjl32.exe 36 PID 2596 wrote to memory of 1800 2596 Kcpcjl32.exe 36 PID 1800 wrote to memory of 2412 1800 Lmhhcaik.exe 37 PID 1800 wrote to memory of 2412 1800 Lmhhcaik.exe 37 PID 1800 wrote to memory of 2412 1800 Lmhhcaik.exe 37 PID 1800 wrote to memory of 2412 1800 Lmhhcaik.exe 37 PID 2412 wrote to memory of 1096 2412 Lcbppk32.exe 38 PID 2412 wrote to memory of 1096 2412 Lcbppk32.exe 38 PID 2412 wrote to memory of 1096 2412 Lcbppk32.exe 38 PID 2412 wrote to memory of 1096 2412 Lcbppk32.exe 38 PID 1096 wrote to memory of 2988 1096 Lmjdia32.exe 39 PID 1096 wrote to memory of 2988 1096 Lmjdia32.exe 39 PID 1096 wrote to memory of 2988 1096 Lmjdia32.exe 39 PID 1096 wrote to memory of 2988 1096 Lmjdia32.exe 39 PID 2988 wrote to memory of 2996 2988 Lcdmekne.exe 40 PID 2988 wrote to memory of 2996 2988 Lcdmekne.exe 40 PID 2988 wrote to memory of 2996 2988 Lcdmekne.exe 40 PID 2988 wrote to memory of 2996 2988 Lcdmekne.exe 40 PID 2996 wrote to memory of 2280 2996 Liaenblm.exe 41 PID 2996 wrote to memory of 2280 2996 Liaenblm.exe 41 PID 2996 wrote to memory of 2280 2996 Liaenblm.exe 41 PID 2996 wrote to memory of 2280 2996 Liaenblm.exe 41 PID 2280 wrote to memory of 2816 2280 Llpajmkq.exe 42 PID 2280 wrote to memory of 2816 2280 Llpajmkq.exe 42 PID 2280 wrote to memory of 2816 2280 Llpajmkq.exe 42 PID 2280 wrote to memory of 2816 2280 Llpajmkq.exe 42 PID 2816 wrote to memory of 1244 2816 Llbnpm32.exe 43 PID 2816 wrote to memory of 1244 2816 Llbnpm32.exe 43 PID 2816 wrote to memory of 1244 2816 Llbnpm32.exe 43 PID 2816 wrote to memory of 1244 2816 Llbnpm32.exe 43 PID 1244 wrote to memory of 2044 1244 Lopjlh32.exe 44 PID 1244 wrote to memory of 2044 1244 Lopjlh32.exe 44 PID 1244 wrote to memory of 2044 1244 Lopjlh32.exe 44 PID 1244 wrote to memory of 2044 1244 Lopjlh32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\2516d6d60382d334069cdfdb63434680N.exe"C:\Users\Admin\AppData\Local\Temp\2516d6d60382d334069cdfdb63434680N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Kpkali32.exeC:\Windows\system32\Kpkali32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Kamncagl.exeC:\Windows\system32\Kamncagl.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Kkbbqjgb.exeC:\Windows\system32\Kkbbqjgb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Kbljmd32.exeC:\Windows\system32\Kbljmd32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Kgibeklf.exeC:\Windows\system32\Kgibeklf.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Kmeknakn.exeC:\Windows\system32\Kmeknakn.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Kcpcjl32.exeC:\Windows\system32\Kcpcjl32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Lmhhcaik.exeC:\Windows\system32\Lmhhcaik.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Lcbppk32.exeC:\Windows\system32\Lcbppk32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Lmjdia32.exeC:\Windows\system32\Lmjdia32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Lcdmekne.exeC:\Windows\system32\Lcdmekne.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Liaenblm.exeC:\Windows\system32\Liaenblm.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Llpajmkq.exeC:\Windows\system32\Llpajmkq.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Llbnpm32.exeC:\Windows\system32\Llbnpm32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Lopjlh32.exeC:\Windows\system32\Lopjlh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Lblflgqk.exeC:\Windows\system32\Lblflgqk.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2044 -
C:\Windows\SysWOW64\Lobgah32.exeC:\Windows\system32\Lobgah32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\Lbncbgoh.exeC:\Windows\system32\Lbncbgoh.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Windows\SysWOW64\Mkihfi32.exeC:\Windows\system32\Mkihfi32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:704 -
C:\Windows\SysWOW64\Macpcccp.exeC:\Windows\system32\Macpcccp.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2340 -
C:\Windows\SysWOW64\Mhmhpm32.exeC:\Windows\system32\Mhmhpm32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Mogqlgbi.exeC:\Windows\system32\Mogqlgbi.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1136 -
C:\Windows\SysWOW64\Mafmhcam.exeC:\Windows\system32\Mafmhcam.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1076 -
C:\Windows\SysWOW64\Mknaahhn.exeC:\Windows\system32\Mknaahhn.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:984 -
C:\Windows\SysWOW64\Mmlmmdga.exeC:\Windows\system32\Mmlmmdga.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Mkqnghfk.exeC:\Windows\system32\Mkqnghfk.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:832 -
C:\Windows\SysWOW64\Mmojcceo.exeC:\Windows\system32\Mmojcceo.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924 -
C:\Windows\SysWOW64\Majfcb32.exeC:\Windows\system32\Majfcb32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Nldgdpjf.exeC:\Windows\system32\Nldgdpjf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2160 -
C:\Windows\SysWOW64\Nelkme32.exeC:\Windows\system32\Nelkme32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2844 -
C:\Windows\SysWOW64\Nlfdjphd.exeC:\Windows\system32\Nlfdjphd.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Nhmdoq32.exeC:\Windows\system32\Nhmdoq32.exe33⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Npdlpnnj.exeC:\Windows\system32\Npdlpnnj.exe34⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Nimaic32.exeC:\Windows\system32\Nimaic32.exe35⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Nlkmeo32.exeC:\Windows\system32\Nlkmeo32.exe36⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Nceeaikk.exeC:\Windows\system32\Nceeaikk.exe37⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Nhbnjpic.exeC:\Windows\system32\Nhbnjpic.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Ohdkop32.exeC:\Windows\system32\Ohdkop32.exe39⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Ooncljom.exeC:\Windows\system32\Ooncljom.exe40⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Okecak32.exeC:\Windows\system32\Okecak32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Oaolne32.exeC:\Windows\system32\Oaolne32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Onelbfab.exeC:\Windows\system32\Onelbfab.exe43⤵
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Oqdioaqf.exeC:\Windows\system32\Oqdioaqf.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:556 -
C:\Windows\SysWOW64\Odpeop32.exeC:\Windows\system32\Odpeop32.exe45⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Omkidb32.exeC:\Windows\system32\Omkidb32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Ogpnakfp.exeC:\Windows\system32\Ogpnakfp.exe47⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Ojojmfed.exeC:\Windows\system32\Ojojmfed.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:936 -
C:\Windows\SysWOW64\Ohajic32.exeC:\Windows\system32\Ohajic32.exe49⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Pcgnfl32.exeC:\Windows\system32\Pcgnfl32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Pfekbg32.exeC:\Windows\system32\Pfekbg32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Pidgnc32.exeC:\Windows\system32\Pidgnc32.exe52⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Pkbcjn32.exeC:\Windows\system32\Pkbcjn32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Ponokmah.exeC:\Windows\system32\Ponokmah.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Pcikllja.exeC:\Windows\system32\Pcikllja.exe55⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Pfhghgie.exeC:\Windows\system32\Pfhghgie.exe56⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Pifcdbhi.exeC:\Windows\system32\Pifcdbhi.exe57⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Pmbpda32.exeC:\Windows\system32\Pmbpda32.exe58⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Poplqm32.exeC:\Windows\system32\Poplqm32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Pncllifp.exeC:\Windows\system32\Pncllifp.exe60⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Pfjdmggb.exeC:\Windows\system32\Pfjdmggb.exe61⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Piipibff.exeC:\Windows\system32\Piipibff.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Pgkqeo32.exeC:\Windows\system32\Pgkqeo32.exe63⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Pobhfl32.exeC:\Windows\system32\Pobhfl32.exe64⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Pneiaidn.exeC:\Windows\system32\Pneiaidn.exe65⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Pbaebh32.exeC:\Windows\system32\Pbaebh32.exe66⤵PID:2216
-
C:\Windows\SysWOW64\Peoanckj.exeC:\Windows\system32\Peoanckj.exe67⤵PID:2380
-
C:\Windows\SysWOW64\Pgnmjokn.exeC:\Windows\system32\Pgnmjokn.exe68⤵PID:1932
-
C:\Windows\SysWOW64\Pkiikm32.exeC:\Windows\system32\Pkiikm32.exe69⤵PID:1380
-
C:\Windows\SysWOW64\Pnhegi32.exeC:\Windows\system32\Pnhegi32.exe70⤵PID:1080
-
C:\Windows\SysWOW64\Pbcahgjd.exeC:\Windows\system32\Pbcahgjd.exe71⤵PID:1492
-
C:\Windows\SysWOW64\Peandcih.exeC:\Windows\system32\Peandcih.exe72⤵PID:1272
-
C:\Windows\SysWOW64\Peandcih.exeC:\Windows\system32\Peandcih.exe73⤵
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Pcdnpp32.exeC:\Windows\system32\Pcdnpp32.exe74⤵PID:1008
-
C:\Windows\SysWOW64\Qklfqm32.exeC:\Windows\system32\Qklfqm32.exe75⤵
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Qjofljho.exeC:\Windows\system32\Qjofljho.exe76⤵PID:2264
-
C:\Windows\SysWOW64\Qnjbmh32.exeC:\Windows\system32\Qnjbmh32.exe77⤵PID:2480
-
C:\Windows\SysWOW64\Qahnid32.exeC:\Windows\system32\Qahnid32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2872 -
C:\Windows\SysWOW64\Qcgkeonp.exeC:\Windows\system32\Qcgkeonp.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:304 -
C:\Windows\SysWOW64\Qmoone32.exeC:\Windows\system32\Qmoone32.exe80⤵PID:1716
-
C:\Windows\SysWOW64\Qcigjolm.exeC:\Windows\system32\Qcigjolm.exe81⤵PID:2676
-
C:\Windows\SysWOW64\Qgeckn32.exeC:\Windows\system32\Qgeckn32.exe82⤵PID:1016
-
C:\Windows\SysWOW64\Ajcpgi32.exeC:\Windows\system32\Ajcpgi32.exe83⤵
- Modifies registry class
PID:1520 -
C:\Windows\SysWOW64\Apphpp32.exeC:\Windows\system32\Apphpp32.exe84⤵
- Drops file in System32 directory
PID:2308 -
C:\Windows\SysWOW64\Acldpojj.exeC:\Windows\system32\Acldpojj.exe85⤵PID:996
-
C:\Windows\SysWOW64\Ajelmiag.exeC:\Windows\system32\Ajelmiag.exe86⤵PID:1088
-
C:\Windows\SysWOW64\Aihmhe32.exeC:\Windows\system32\Aihmhe32.exe87⤵
- Drops file in System32 directory
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Apbeeppo.exeC:\Windows\system32\Apbeeppo.exe88⤵PID:1496
-
C:\Windows\SysWOW64\Abaaakob.exeC:\Windows\system32\Abaaakob.exe89⤵
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Aeommfnf.exeC:\Windows\system32\Aeommfnf.exe90⤵PID:2156
-
C:\Windows\SysWOW64\Amfeodoh.exeC:\Windows\system32\Amfeodoh.exe91⤵PID:2688
-
C:\Windows\SysWOW64\Angafl32.exeC:\Windows\system32\Angafl32.exe92⤵PID:560
-
C:\Windows\SysWOW64\Afojgiei.exeC:\Windows\system32\Afojgiei.exe93⤵PID:2000
-
C:\Windows\SysWOW64\Aeajcf32.exeC:\Windows\system32\Aeajcf32.exe94⤵PID:2948
-
C:\Windows\SysWOW64\Ahpfoa32.exeC:\Windows\system32\Ahpfoa32.exe95⤵
- Drops file in System32 directory
PID:1464 -
C:\Windows\SysWOW64\Apgnpo32.exeC:\Windows\system32\Apgnpo32.exe96⤵PID:2192
-
C:\Windows\SysWOW64\Abejlj32.exeC:\Windows\system32\Abejlj32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Aipbidbj.exeC:\Windows\system32\Aipbidbj.exe98⤵PID:928
-
C:\Windows\SysWOW64\Alnoepam.exeC:\Windows\system32\Alnoepam.exe99⤵PID:2660
-
C:\Windows\SysWOW64\Ajqoqm32.exeC:\Windows\system32\Ajqoqm32.exe100⤵PID:2544
-
C:\Windows\SysWOW64\Bbhgbj32.exeC:\Windows\system32\Bbhgbj32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1432 -
C:\Windows\SysWOW64\Bdiciboh.exeC:\Windows\system32\Bdiciboh.exe102⤵PID:2680
-
C:\Windows\SysWOW64\Blplkp32.exeC:\Windows\system32\Blplkp32.exe103⤵PID:2864
-
C:\Windows\SysWOW64\Bjclfmfe.exeC:\Windows\system32\Bjclfmfe.exe104⤵
- Drops file in System32 directory
PID:2740 -
C:\Windows\SysWOW64\Boohgk32.exeC:\Windows\system32\Boohgk32.exe105⤵
- Modifies registry class
PID:1120 -
C:\Windows\SysWOW64\Bamdcf32.exeC:\Windows\system32\Bamdcf32.exe106⤵
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Behpcefk.exeC:\Windows\system32\Behpcefk.exe107⤵PID:2960
-
C:\Windows\SysWOW64\Bfjmkn32.exeC:\Windows\system32\Bfjmkn32.exe108⤵
- Drops file in System32 directory
PID:2780 -
C:\Windows\SysWOW64\Bjehlldb.exeC:\Windows\system32\Bjehlldb.exe109⤵PID:2100
-
C:\Windows\SysWOW64\Baoahf32.exeC:\Windows\system32\Baoahf32.exe110⤵PID:784
-
C:\Windows\SysWOW64\Bpbadcbj.exeC:\Windows\system32\Bpbadcbj.exe111⤵PID:2212
-
C:\Windows\SysWOW64\Bhiiepcl.exeC:\Windows\system32\Bhiiepcl.exe112⤵PID:1720
-
C:\Windows\SysWOW64\Bfliqmjg.exeC:\Windows\system32\Bfliqmjg.exe113⤵PID:1760
-
C:\Windows\SysWOW64\Bikemiik.exeC:\Windows\system32\Bikemiik.exe114⤵PID:2252
-
C:\Windows\SysWOW64\Baannfim.exeC:\Windows\system32\Baannfim.exe115⤵PID:2852
-
C:\Windows\SysWOW64\Bbcjfn32.exeC:\Windows\system32\Bbcjfn32.exe116⤵PID:2776
-
C:\Windows\SysWOW64\Bfoffmhd.exeC:\Windows\system32\Bfoffmhd.exe117⤵PID:2640
-
C:\Windows\SysWOW64\Bmhncg32.exeC:\Windows\system32\Bmhncg32.exe118⤵
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Bpgjob32.exeC:\Windows\system32\Bpgjob32.exe119⤵PID:2752
-
C:\Windows\SysWOW64\Beccgi32.exeC:\Windows\system32\Beccgi32.exe120⤵PID:2368
-
C:\Windows\SysWOW64\Cmkkhfmn.exeC:\Windows\system32\Cmkkhfmn.exe121⤵PID:1340
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-