Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
110s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
22/07/2024, 03:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
509917b3695ed46e36309343876a59e0N.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
509917b3695ed46e36309343876a59e0N.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
120 seconds
General
-
Target
509917b3695ed46e36309343876a59e0N.exe
-
Size
97KB
-
MD5
509917b3695ed46e36309343876a59e0
-
SHA1
6c87c1bc2f5223875b4368117abaa9684b00ff2b
-
SHA256
a367735b021a9163087429dee0e816d84e945cc489796d9d1972746f9f7b0614
-
SHA512
620a94bec655b84096c8a659bd4c09f030bd95a43e82fd01a30c153753d0f5455b7c543934ad8bd81e43efa88d984baa84297e70e59a78e4d064631c63a5a575
-
SSDEEP
1536:KKR18dZ6PWBIAWSiP6rkizUsZAYGtir8GC7GK5wr2PbWM9vJXeYZ6:Ks8d1Kt6rJzUIG4nVSWKJXeK6
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhcafa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lngpog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mloiec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Famaimfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koaclfgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Piabdiep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfckcoen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hqnjek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbfilffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbhebfck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhenjmbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agpeaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpnladjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efedga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eppefg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibfmmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Klfjpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qdompf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eemnnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpjifjdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jefbnacn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjljnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cogfqe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjmlhbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imbjcpnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kablnadm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njpihk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phklaacg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plmbkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmfcop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpdkpiik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghgfekpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hddmjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ieibdnnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmkihbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fijbco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkjkle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmdkjmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmdgipkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pddjlb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piabdiep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdompf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfcgbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fefqdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmkmjoec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlafkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deakjjbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gehiioaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jikhnaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fakdcnhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmmdin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnagmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnlgbnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Feddombd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igqhpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijaaae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gefmcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjcjog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlafkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anjnnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dafoikjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feachqgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mobomnoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbeedh32.exe -
Executes dropped EXE 64 IoCs
pid Process 2636 Klfjpa32.exe 2660 Kgkonj32.exe 2840 Kpdcfoph.exe 2580 Keqkofno.exe 2652 Koipglep.exe 1688 Khadpa32.exe 2708 Klmqapci.exe 2572 Lhcafa32.exe 1600 Lonibk32.exe 1112 Lgingm32.exe 1056 Lncfcgeb.exe 1652 Lgkkmm32.exe 1676 Lpcoeb32.exe 2620 Lgngbmjp.exe 1952 Lngpog32.exe 2108 Llmmpcfe.exe 1252 Mgbaml32.exe 2492 Mloiec32.exe 1860 Mqjefamk.exe 3060 Mfgnnhkc.exe 1728 Mjcjog32.exe 2052 Mlafkb32.exe 2424 Mfjkdh32.exe 1692 Mobomnoq.exe 2244 Mbqkiind.exe 1524 Mkipao32.exe 2768 Mbchni32.exe 2568 Ngpqfp32.exe 2528 Nbeedh32.exe 2152 Nknimnap.exe 2192 Njpihk32.exe 2872 Nfgjml32.exe 1496 Njbfnjeg.exe 868 Nmabjfek.exe 1888 Njeccjcd.exe 2128 Nqokpd32.exe 768 Nbpghl32.exe 1088 Obbdml32.exe 1624 Oeaqig32.exe 2956 Omhhke32.exe 2180 Ohbikbkb.exe 2628 Olmela32.exe 2488 Oajndh32.exe 2480 Oalkih32.exe 2484 Odkgec32.exe 3036 Ojeobm32.exe 888 Ohipla32.exe 2680 Ojglhm32.exe 2732 Pmehdh32.exe 2692 Ppddpd32.exe 2588 Phklaacg.exe 2564 Pjihmmbk.exe 1644 Pacajg32.exe 2844 Pdbmfb32.exe 1772 Pfpibn32.exe 1712 Plmbkd32.exe 2280 Pddjlb32.exe 1848 Piabdiep.exe 1980 Ponklpcg.exe 2348 Pbigmn32.exe 2960 Plbkfdba.exe 2968 Ppmgfb32.exe 1776 Paocnkph.exe 1436 Qiflohqk.exe -
Loads dropped DLL 64 IoCs
pid Process 2188 509917b3695ed46e36309343876a59e0N.exe 2188 509917b3695ed46e36309343876a59e0N.exe 2636 Klfjpa32.exe 2636 Klfjpa32.exe 2660 Kgkonj32.exe 2660 Kgkonj32.exe 2840 Kpdcfoph.exe 2840 Kpdcfoph.exe 2580 Keqkofno.exe 2580 Keqkofno.exe 2652 Koipglep.exe 2652 Koipglep.exe 1688 Khadpa32.exe 1688 Khadpa32.exe 2708 Klmqapci.exe 2708 Klmqapci.exe 2572 Lhcafa32.exe 2572 Lhcafa32.exe 1600 Lonibk32.exe 1600 Lonibk32.exe 1112 Lgingm32.exe 1112 Lgingm32.exe 1056 Lncfcgeb.exe 1056 Lncfcgeb.exe 1652 Lgkkmm32.exe 1652 Lgkkmm32.exe 1676 Lpcoeb32.exe 1676 Lpcoeb32.exe 2620 Lgngbmjp.exe 2620 Lgngbmjp.exe 1952 Lngpog32.exe 1952 Lngpog32.exe 2108 Llmmpcfe.exe 2108 Llmmpcfe.exe 1252 Mgbaml32.exe 1252 Mgbaml32.exe 2492 Mloiec32.exe 2492 Mloiec32.exe 1860 Mqjefamk.exe 1860 Mqjefamk.exe 3060 Mfgnnhkc.exe 3060 Mfgnnhkc.exe 1728 Mjcjog32.exe 1728 Mjcjog32.exe 2052 Mlafkb32.exe 2052 Mlafkb32.exe 2424 Mfjkdh32.exe 2424 Mfjkdh32.exe 1692 Mobomnoq.exe 1692 Mobomnoq.exe 2244 Mbqkiind.exe 2244 Mbqkiind.exe 1524 Mkipao32.exe 1524 Mkipao32.exe 2768 Mbchni32.exe 2768 Mbchni32.exe 2568 Ngpqfp32.exe 2568 Ngpqfp32.exe 2528 Nbeedh32.exe 2528 Nbeedh32.exe 2152 Nknimnap.exe 2152 Nknimnap.exe 2192 Njpihk32.exe 2192 Njpihk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Bfcodkcb.exe Bnlgbnbp.exe File created C:\Windows\SysWOW64\Obbdml32.exe Nbpghl32.exe File created C:\Windows\SysWOW64\Icjgpj32.dll Bhmaeg32.exe File created C:\Windows\SysWOW64\Fdnjkh32.exe Faonom32.exe File created C:\Windows\SysWOW64\Lpeeijod.dll Baefnmml.exe File opened for modification C:\Windows\SysWOW64\Fdnjkh32.exe Faonom32.exe File opened for modification C:\Windows\SysWOW64\Ngpqfp32.exe Mbchni32.exe File created C:\Windows\SysWOW64\Ppddpd32.exe Pmehdh32.exe File opened for modification C:\Windows\SysWOW64\Pjihmmbk.exe Phklaacg.exe File opened for modification C:\Windows\SysWOW64\Paocnkph.exe Ppmgfb32.exe File opened for modification C:\Windows\SysWOW64\Gqdgom32.exe Gockgdeh.exe File created C:\Windows\SysWOW64\Kekkiq32.exe Koaclfgl.exe File created C:\Windows\SysWOW64\Oalkih32.exe Oajndh32.exe File created C:\Windows\SysWOW64\Qiflohqk.exe Paocnkph.exe File created C:\Windows\SysWOW64\Pblmdj32.dll Ghgfekpn.exe File created C:\Windows\SysWOW64\Colpld32.exe Cjogcm32.exe File opened for modification C:\Windows\SysWOW64\Gmhkin32.exe Feachqgb.exe File created C:\Windows\SysWOW64\Kkojbf32.exe Kdeaelok.exe File opened for modification C:\Windows\SysWOW64\Adaiee32.exe Qmhahkdj.exe File opened for modification C:\Windows\SysWOW64\Boemlbpk.exe Bhkeohhn.exe File created C:\Windows\SysWOW64\Jalcdhla.dll Apkgpf32.exe File created C:\Windows\SysWOW64\Nbiahjpi.dll Ehnfpifm.exe File opened for modification C:\Windows\SysWOW64\Hfhfhbce.exe Honnki32.exe File created C:\Windows\SysWOW64\Ldgnklmi.exe Lmmfnb32.exe File created C:\Windows\SysWOW64\Klfjpa32.exe 509917b3695ed46e36309343876a59e0N.exe File created C:\Windows\SysWOW64\Noockemb.dll Lgingm32.exe File created C:\Windows\SysWOW64\Egjeoijn.dll Bgghac32.exe File created C:\Windows\SysWOW64\Dafoikjb.exe Djlfma32.exe File created C:\Windows\SysWOW64\Gnlnhm32.dll Gehiioaj.exe File created C:\Windows\SysWOW64\Ikaihg32.dll Ibcphc32.exe File created C:\Windows\SysWOW64\Jmfcop32.exe Jikhnaao.exe File opened for modification C:\Windows\SysWOW64\Dpklkgoj.exe Dmmpolof.exe File opened for modification C:\Windows\SysWOW64\Feddombd.exe Eojlbb32.exe File created C:\Windows\SysWOW64\Ffbpca32.dll Iocgfhhc.exe File opened for modification C:\Windows\SysWOW64\Ioeclg32.exe Imggplgm.exe File created C:\Windows\SysWOW64\Jagcgk32.dll Mjcjog32.exe File opened for modification C:\Windows\SysWOW64\Bhkeohhn.exe Afliclij.exe File opened for modification C:\Windows\SysWOW64\Jimdcqom.exe Jjjdhc32.exe File created C:\Windows\SysWOW64\Efljhq32.exe Eoebgcol.exe File opened for modification C:\Windows\SysWOW64\Gehiioaj.exe Gcjmmdbf.exe File created C:\Windows\SysWOW64\Hlekjpbi.dll Khldkllj.exe File opened for modification C:\Windows\SysWOW64\Pbigmn32.exe Ponklpcg.exe File created C:\Windows\SysWOW64\Elnfdpam.dll Cqfbjhgf.exe File created C:\Windows\SysWOW64\Klkpdn32.dll Mfjkdh32.exe File opened for modification C:\Windows\SysWOW64\Cfckcoen.exe Cceogcfj.exe File created C:\Windows\SysWOW64\Ibodnd32.dll Jhenjmbb.exe File created C:\Windows\SysWOW64\Ngpqfp32.exe Mbchni32.exe File created C:\Windows\SysWOW64\Ffbhcq32.dll Bkknac32.exe File created C:\Windows\SysWOW64\Ikedjg32.dll Fdnjkh32.exe File created C:\Windows\SysWOW64\Fliook32.exe Fijbco32.exe File created C:\Windows\SysWOW64\Hgqlafap.exe Hdbpekam.exe File created C:\Windows\SysWOW64\Fniamd32.dll Mfgnnhkc.exe File created C:\Windows\SysWOW64\Ohbikbkb.exe Omhhke32.exe File opened for modification C:\Windows\SysWOW64\Baefnmml.exe Bcbfbp32.exe File created C:\Windows\SysWOW64\Bkbdabog.exe Bgghac32.exe File opened for modification C:\Windows\SysWOW64\Khadpa32.exe Koipglep.exe File created C:\Windows\SysWOW64\Jbfghckb.dll Klfjpa32.exe File created C:\Windows\SysWOW64\Jpepkk32.exe Jmfcop32.exe File created C:\Windows\SysWOW64\Inajahoe.dll Acicla32.exe File created C:\Windows\SysWOW64\Bnapnm32.exe Bkbdabog.exe File opened for modification C:\Windows\SysWOW64\Jgjkfi32.exe Jpbcek32.exe File opened for modification C:\Windows\SysWOW64\Pmehdh32.exe Ojglhm32.exe File opened for modification C:\Windows\SysWOW64\Bqolji32.exe Bnapnm32.exe File created C:\Windows\SysWOW64\Mlpckqje.dll Ijcngenj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3772 3712 WerFault.exe 292 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aclpaali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gqdgom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbonaedo.dll" Hmpaom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkojbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hqnjek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohbikbkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffdobll.dll" Kdeaelok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigckoki.dll" Kkojbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mqjefamk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gcjmmdbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghgfekpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Epeoaffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmffen32.dll" Ngpqfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jnagmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkojbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Koipglep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjmlhbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aphjjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Koipglep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dafoikjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjjdhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkjpggkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccblb32.dll" Cfanmogq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dekdikhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keppajog.dll" Ieibdnnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inajahoe.dll" Acicla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eojlbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffakjm32.dll" Khjgel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lonibk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgbaml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nqokpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmhjdiap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcnllk32.dll" Emoldlmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bqolji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cqfbjhgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dppigchi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iipejmko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imbjcpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdpcbceo.dll" Mloiec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkpeem32.dll" Gkebafoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikeebbaa.dll" Goqnae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcdapknb.dll" Kbjbge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acfgdc32.dll" Bhonjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pocdjfob.dll" Dekdikhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dlifadkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Deakjjbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojglhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhcgiiek.dll" Qkghgpfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijaaae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Deakjjbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqapifjb.dll" Fijbco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekhnnojb.dll" Jggoqimd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopmpa32.dll" Apppkekc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlfqea32.dll" Pfpibn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cehhdkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djgfah32.dll" Dpklkgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gefmcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opjqff32.dll" Gqdgom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khadpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeebpcpj.dll" Ponklpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cceogcfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ioeclg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khjgel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjcjog32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2188 wrote to memory of 2636 2188 509917b3695ed46e36309343876a59e0N.exe 30 PID 2188 wrote to memory of 2636 2188 509917b3695ed46e36309343876a59e0N.exe 30 PID 2188 wrote to memory of 2636 2188 509917b3695ed46e36309343876a59e0N.exe 30 PID 2188 wrote to memory of 2636 2188 509917b3695ed46e36309343876a59e0N.exe 30 PID 2636 wrote to memory of 2660 2636 Klfjpa32.exe 31 PID 2636 wrote to memory of 2660 2636 Klfjpa32.exe 31 PID 2636 wrote to memory of 2660 2636 Klfjpa32.exe 31 PID 2636 wrote to memory of 2660 2636 Klfjpa32.exe 31 PID 2660 wrote to memory of 2840 2660 Kgkonj32.exe 32 PID 2660 wrote to memory of 2840 2660 Kgkonj32.exe 32 PID 2660 wrote to memory of 2840 2660 Kgkonj32.exe 32 PID 2660 wrote to memory of 2840 2660 Kgkonj32.exe 32 PID 2840 wrote to memory of 2580 2840 Kpdcfoph.exe 33 PID 2840 wrote to memory of 2580 2840 Kpdcfoph.exe 33 PID 2840 wrote to memory of 2580 2840 Kpdcfoph.exe 33 PID 2840 wrote to memory of 2580 2840 Kpdcfoph.exe 33 PID 2580 wrote to memory of 2652 2580 Keqkofno.exe 34 PID 2580 wrote to memory of 2652 2580 Keqkofno.exe 34 PID 2580 wrote to memory of 2652 2580 Keqkofno.exe 34 PID 2580 wrote to memory of 2652 2580 Keqkofno.exe 34 PID 2652 wrote to memory of 1688 2652 Koipglep.exe 35 PID 2652 wrote to memory of 1688 2652 Koipglep.exe 35 PID 2652 wrote to memory of 1688 2652 Koipglep.exe 35 PID 2652 wrote to memory of 1688 2652 Koipglep.exe 35 PID 1688 wrote to memory of 2708 1688 Khadpa32.exe 36 PID 1688 wrote to memory of 2708 1688 Khadpa32.exe 36 PID 1688 wrote to memory of 2708 1688 Khadpa32.exe 36 PID 1688 wrote to memory of 2708 1688 Khadpa32.exe 36 PID 2708 wrote to memory of 2572 2708 Klmqapci.exe 37 PID 2708 wrote to memory of 2572 2708 Klmqapci.exe 37 PID 2708 wrote to memory of 2572 2708 Klmqapci.exe 37 PID 2708 wrote to memory of 2572 2708 Klmqapci.exe 37 PID 2572 wrote to memory of 1600 2572 Lhcafa32.exe 38 PID 2572 wrote to memory of 1600 2572 Lhcafa32.exe 38 PID 2572 wrote to memory of 1600 2572 Lhcafa32.exe 38 PID 2572 wrote to memory of 1600 2572 Lhcafa32.exe 38 PID 1600 wrote to memory of 1112 1600 Lonibk32.exe 39 PID 1600 wrote to memory of 1112 1600 Lonibk32.exe 39 PID 1600 wrote to memory of 1112 1600 Lonibk32.exe 39 PID 1600 wrote to memory of 1112 1600 Lonibk32.exe 39 PID 1112 wrote to memory of 1056 1112 Lgingm32.exe 40 PID 1112 wrote to memory of 1056 1112 Lgingm32.exe 40 PID 1112 wrote to memory of 1056 1112 Lgingm32.exe 40 PID 1112 wrote to memory of 1056 1112 Lgingm32.exe 40 PID 1056 wrote to memory of 1652 1056 Lncfcgeb.exe 41 PID 1056 wrote to memory of 1652 1056 Lncfcgeb.exe 41 PID 1056 wrote to memory of 1652 1056 Lncfcgeb.exe 41 PID 1056 wrote to memory of 1652 1056 Lncfcgeb.exe 41 PID 1652 wrote to memory of 1676 1652 Lgkkmm32.exe 42 PID 1652 wrote to memory of 1676 1652 Lgkkmm32.exe 42 PID 1652 wrote to memory of 1676 1652 Lgkkmm32.exe 42 PID 1652 wrote to memory of 1676 1652 Lgkkmm32.exe 42 PID 1676 wrote to memory of 2620 1676 Lpcoeb32.exe 43 PID 1676 wrote to memory of 2620 1676 Lpcoeb32.exe 43 PID 1676 wrote to memory of 2620 1676 Lpcoeb32.exe 43 PID 1676 wrote to memory of 2620 1676 Lpcoeb32.exe 43 PID 2620 wrote to memory of 1952 2620 Lgngbmjp.exe 44 PID 2620 wrote to memory of 1952 2620 Lgngbmjp.exe 44 PID 2620 wrote to memory of 1952 2620 Lgngbmjp.exe 44 PID 2620 wrote to memory of 1952 2620 Lgngbmjp.exe 44 PID 1952 wrote to memory of 2108 1952 Lngpog32.exe 45 PID 1952 wrote to memory of 2108 1952 Lngpog32.exe 45 PID 1952 wrote to memory of 2108 1952 Lngpog32.exe 45 PID 1952 wrote to memory of 2108 1952 Lngpog32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\509917b3695ed46e36309343876a59e0N.exe"C:\Users\Admin\AppData\Local\Temp\509917b3695ed46e36309343876a59e0N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Klfjpa32.exeC:\Windows\system32\Klfjpa32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Kgkonj32.exeC:\Windows\system32\Kgkonj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Kpdcfoph.exeC:\Windows\system32\Kpdcfoph.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Keqkofno.exeC:\Windows\system32\Keqkofno.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Koipglep.exeC:\Windows\system32\Koipglep.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Khadpa32.exeC:\Windows\system32\Khadpa32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Klmqapci.exeC:\Windows\system32\Klmqapci.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Lhcafa32.exeC:\Windows\system32\Lhcafa32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Lonibk32.exeC:\Windows\system32\Lonibk32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\Lgingm32.exeC:\Windows\system32\Lgingm32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Windows\SysWOW64\Lncfcgeb.exeC:\Windows\system32\Lncfcgeb.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Lgkkmm32.exeC:\Windows\system32\Lgkkmm32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Lpcoeb32.exeC:\Windows\system32\Lpcoeb32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Lgngbmjp.exeC:\Windows\system32\Lgngbmjp.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Lngpog32.exeC:\Windows\system32\Lngpog32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Llmmpcfe.exeC:\Windows\system32\Llmmpcfe.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2108 -
C:\Windows\SysWOW64\Mgbaml32.exeC:\Windows\system32\Mgbaml32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1252 -
C:\Windows\SysWOW64\Mloiec32.exeC:\Windows\system32\Mloiec32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Mqjefamk.exeC:\Windows\system32\Mqjefamk.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Mfgnnhkc.exeC:\Windows\system32\Mfgnnhkc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Mjcjog32.exeC:\Windows\system32\Mjcjog32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Mlafkb32.exeC:\Windows\system32\Mlafkb32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2052 -
C:\Windows\SysWOW64\Mfjkdh32.exeC:\Windows\system32\Mfjkdh32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Mobomnoq.exeC:\Windows\system32\Mobomnoq.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1692 -
C:\Windows\SysWOW64\Mbqkiind.exeC:\Windows\system32\Mbqkiind.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2244 -
C:\Windows\SysWOW64\Mkipao32.exeC:\Windows\system32\Mkipao32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1524 -
C:\Windows\SysWOW64\Mbchni32.exeC:\Windows\system32\Mbchni32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2768 -
C:\Windows\SysWOW64\Ngpqfp32.exeC:\Windows\system32\Ngpqfp32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Nbeedh32.exeC:\Windows\system32\Nbeedh32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2528 -
C:\Windows\SysWOW64\Nknimnap.exeC:\Windows\system32\Nknimnap.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2152 -
C:\Windows\SysWOW64\Njpihk32.exeC:\Windows\system32\Njpihk32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2192 -
C:\Windows\SysWOW64\Nfgjml32.exeC:\Windows\system32\Nfgjml32.exe33⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Njbfnjeg.exeC:\Windows\system32\Njbfnjeg.exe34⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Nmabjfek.exeC:\Windows\system32\Nmabjfek.exe35⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Njeccjcd.exeC:\Windows\system32\Njeccjcd.exe36⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Nqokpd32.exeC:\Windows\system32\Nqokpd32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Nbpghl32.exeC:\Windows\system32\Nbpghl32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:768 -
C:\Windows\SysWOW64\Obbdml32.exeC:\Windows\system32\Obbdml32.exe39⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Oeaqig32.exeC:\Windows\system32\Oeaqig32.exe40⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Omhhke32.exeC:\Windows\system32\Omhhke32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Ohbikbkb.exeC:\Windows\system32\Ohbikbkb.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2180 -
C:\Windows\SysWOW64\Olmela32.exeC:\Windows\system32\Olmela32.exe43⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Oajndh32.exeC:\Windows\system32\Oajndh32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2488 -
C:\Windows\SysWOW64\Oalkih32.exeC:\Windows\system32\Oalkih32.exe45⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Odkgec32.exeC:\Windows\system32\Odkgec32.exe46⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Ojeobm32.exeC:\Windows\system32\Ojeobm32.exe47⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Ohipla32.exeC:\Windows\system32\Ohipla32.exe48⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Ojglhm32.exeC:\Windows\system32\Ojglhm32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Pmehdh32.exeC:\Windows\system32\Pmehdh32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Ppddpd32.exeC:\Windows\system32\Ppddpd32.exe51⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Phklaacg.exeC:\Windows\system32\Phklaacg.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Pjihmmbk.exeC:\Windows\system32\Pjihmmbk.exe53⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Pacajg32.exeC:\Windows\system32\Pacajg32.exe54⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Pdbmfb32.exeC:\Windows\system32\Pdbmfb32.exe55⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Pfpibn32.exeC:\Windows\system32\Pfpibn32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Plmbkd32.exeC:\Windows\system32\Plmbkd32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Pddjlb32.exeC:\Windows\system32\Pddjlb32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Piabdiep.exeC:\Windows\system32\Piabdiep.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Ponklpcg.exeC:\Windows\system32\Ponklpcg.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Pbigmn32.exeC:\Windows\system32\Pbigmn32.exe61⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Plbkfdba.exeC:\Windows\system32\Plbkfdba.exe62⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Ppmgfb32.exeC:\Windows\system32\Ppmgfb32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Paocnkph.exeC:\Windows\system32\Paocnkph.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1776 -
C:\Windows\SysWOW64\Qiflohqk.exeC:\Windows\system32\Qiflohqk.exe65⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Qkghgpfi.exeC:\Windows\system32\Qkghgpfi.exe66⤵
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Qobdgo32.exeC:\Windows\system32\Qobdgo32.exe67⤵PID:1604
-
C:\Windows\SysWOW64\Qemldifo.exeC:\Windows\system32\Qemldifo.exe68⤵PID:2416
-
C:\Windows\SysWOW64\Qdompf32.exeC:\Windows\system32\Qdompf32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2776 -
C:\Windows\SysWOW64\Qoeamo32.exeC:\Windows\system32\Qoeamo32.exe70⤵PID:2828
-
C:\Windows\SysWOW64\Qmhahkdj.exeC:\Windows\system32\Qmhahkdj.exe71⤵
- Drops file in System32 directory
PID:2704 -
C:\Windows\SysWOW64\Adaiee32.exeC:\Windows\system32\Adaiee32.exe72⤵PID:1648
-
C:\Windows\SysWOW64\Agpeaa32.exeC:\Windows\system32\Agpeaa32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2904 -
C:\Windows\SysWOW64\Anjnnk32.exeC:\Windows\system32\Anjnnk32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1548 -
C:\Windows\SysWOW64\Aphjjf32.exeC:\Windows\system32\Aphjjf32.exe75⤵
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Agbbgqhh.exeC:\Windows\system32\Agbbgqhh.exe76⤵PID:2092
-
C:\Windows\SysWOW64\Aiaoclgl.exeC:\Windows\system32\Aiaoclgl.exe77⤵PID:1940
-
C:\Windows\SysWOW64\Apkgpf32.exeC:\Windows\system32\Apkgpf32.exe78⤵
- Drops file in System32 directory
PID:2160 -
C:\Windows\SysWOW64\Acicla32.exeC:\Windows\system32\Acicla32.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:2504 -
C:\Windows\SysWOW64\Ajckilei.exeC:\Windows\system32\Ajckilei.exe80⤵PID:1504
-
C:\Windows\SysWOW64\Alageg32.exeC:\Windows\system32\Alageg32.exe81⤵PID:1972
-
C:\Windows\SysWOW64\Aclpaali.exeC:\Windows\system32\Aclpaali.exe82⤵
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Aejlnmkm.exeC:\Windows\system32\Aejlnmkm.exe83⤵PID:2648
-
C:\Windows\SysWOW64\Alddjg32.exeC:\Windows\system32\Alddjg32.exe84⤵PID:2536
-
C:\Windows\SysWOW64\Apppkekc.exeC:\Windows\system32\Apppkekc.exe85⤵
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Afliclij.exeC:\Windows\system32\Afliclij.exe86⤵
- Drops file in System32 directory
PID:1288 -
C:\Windows\SysWOW64\Bhkeohhn.exeC:\Windows\system32\Bhkeohhn.exe87⤵
- Drops file in System32 directory
PID:588 -
C:\Windows\SysWOW64\Boemlbpk.exeC:\Windows\system32\Boemlbpk.exe88⤵PID:2040
-
C:\Windows\SysWOW64\Bacihmoo.exeC:\Windows\system32\Bacihmoo.exe89⤵PID:2228
-
C:\Windows\SysWOW64\Bhmaeg32.exeC:\Windows\system32\Bhmaeg32.exe90⤵
- Drops file in System32 directory
PID:828 -
C:\Windows\SysWOW64\Bkknac32.exeC:\Windows\system32\Bkknac32.exe91⤵
- Drops file in System32 directory
PID:684 -
C:\Windows\SysWOW64\Bcbfbp32.exeC:\Windows\system32\Bcbfbp32.exe92⤵
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Baefnmml.exeC:\Windows\system32\Baefnmml.exe93⤵
- Drops file in System32 directory
PID:1840 -
C:\Windows\SysWOW64\Bhonjg32.exeC:\Windows\system32\Bhonjg32.exe94⤵
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Bknjfb32.exeC:\Windows\system32\Bknjfb32.exe95⤵PID:2772
-
C:\Windows\SysWOW64\Bnlgbnbp.exeC:\Windows\system32\Bnlgbnbp.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2532 -
C:\Windows\SysWOW64\Bfcodkcb.exeC:\Windows\system32\Bfcodkcb.exe97⤵PID:2604
-
C:\Windows\SysWOW64\Bhbkpgbf.exeC:\Windows\system32\Bhbkpgbf.exe98⤵PID:2860
-
C:\Windows\SysWOW64\Bkpglbaj.exeC:\Windows\system32\Bkpglbaj.exe99⤵PID:2916
-
C:\Windows\SysWOW64\Bbjpil32.exeC:\Windows\system32\Bbjpil32.exe100⤵PID:1696
-
C:\Windows\SysWOW64\Bgghac32.exeC:\Windows\system32\Bgghac32.exe101⤵
- Drops file in System32 directory
PID:332 -
C:\Windows\SysWOW64\Bkbdabog.exeC:\Windows\system32\Bkbdabog.exe102⤵
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Bnapnm32.exeC:\Windows\system32\Bnapnm32.exe103⤵
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Bqolji32.exeC:\Windows\system32\Bqolji32.exe104⤵
- Modifies registry class
PID:952 -
C:\Windows\SysWOW64\Ccnifd32.exeC:\Windows\system32\Ccnifd32.exe105⤵PID:972
-
C:\Windows\SysWOW64\Cncmcm32.exeC:\Windows\system32\Cncmcm32.exe106⤵PID:876
-
C:\Windows\SysWOW64\Ccpeld32.exeC:\Windows\system32\Ccpeld32.exe107⤵PID:2464
-
C:\Windows\SysWOW64\Cfoaho32.exeC:\Windows\system32\Cfoaho32.exe108⤵PID:2848
-
C:\Windows\SysWOW64\Cnejim32.exeC:\Windows\system32\Cnejim32.exe109⤵PID:1880
-
C:\Windows\SysWOW64\Cmhjdiap.exeC:\Windows\system32\Cmhjdiap.exe110⤵
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Cogfqe32.exeC:\Windows\system32\Cogfqe32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1500 -
C:\Windows\SysWOW64\Cfanmogq.exeC:\Windows\system32\Cfanmogq.exe112⤵
- Modifies registry class
PID:580 -
C:\Windows\SysWOW64\Cjljnn32.exeC:\Windows\system32\Cjljnn32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1452 -
C:\Windows\SysWOW64\Cqfbjhgf.exeC:\Windows\system32\Cqfbjhgf.exe114⤵
- Drops file in System32 directory
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Cceogcfj.exeC:\Windows\system32\Cceogcfj.exe115⤵
- Drops file in System32 directory
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Cfckcoen.exeC:\Windows\system32\Cfckcoen.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1460 -
C:\Windows\SysWOW64\Cjogcm32.exeC:\Windows\system32\Cjogcm32.exe117⤵
- Drops file in System32 directory
PID:324 -
C:\Windows\SysWOW64\Colpld32.exeC:\Windows\system32\Colpld32.exe118⤵PID:2832
-
C:\Windows\SysWOW64\Cbjlhpkb.exeC:\Windows\system32\Cbjlhpkb.exe119⤵PID:2608
-
C:\Windows\SysWOW64\Cehhdkjf.exeC:\Windows\system32\Cehhdkjf.exe120⤵
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Cidddj32.exeC:\Windows\system32\Cidddj32.exe121⤵PID:396
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-