Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
22/07/2024, 19:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
21e24c67997f19f2de32a72d283712949caad71181fdea6483a0242a0bc64954.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
21e24c67997f19f2de32a72d283712949caad71181fdea6483a0242a0bc64954.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
21e24c67997f19f2de32a72d283712949caad71181fdea6483a0242a0bc64954.exe
-
Size
63KB
-
MD5
af87cdb5903fdea59d333515da80ba02
-
SHA1
29025a5df39aeb78e53d26eeb4c0ade31ad1b912
-
SHA256
21e24c67997f19f2de32a72d283712949caad71181fdea6483a0242a0bc64954
-
SHA512
aaad20d62ad3296c5fc3ad41f8056321f960d9c763859e585ac861c9bcce8d54f262e0655e460e889a8a1b5be538e2e97746cca373734fa56b70e45d9abeb2ef
-
SSDEEP
768:4HnW21ee9wYtvjAtSpLhqZ2ERamR5/bP2KO2ZVXeCUqc/1H5oVEPgmrUTvn93b7w:4+e99pL/1KO2ZVXeCUh+VsEn9rjDHE
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obokcqhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edoefl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgdgcfmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqjaeeog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhbkpgbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkmmlgik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfahomfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdgmlhha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdlggg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahpbkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccpeld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnafnopi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hieiqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeclebja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdppqbkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmmcpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejaphpnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgjnhaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ingkdeak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfgebjnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkdjglfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fahhnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgfjggll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlafkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glnhjjml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obokcqhk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pljlbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egonhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gghmmilh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbnjhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeqopcld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epbbkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggdcbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikfbbjdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgdkkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kekkiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehjqgjmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epeekmjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbbccgmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oalkih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkmmlgik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olbfagca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgoelh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ephbal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifdlng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpbmqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inmmbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khnapkjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdncmgbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cinafkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlofgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpfplo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kokmmkcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gockgdeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjhgbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmdjkhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qpbglhjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmmcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmbndmkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opihgfop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odgamdef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pafdjmkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fabaocfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnnhngjf.exe -
Executes dropped EXE 64 IoCs
pid Process 2088 Lclicpkm.exe 2216 Lfkeokjp.exe 2812 Lcofio32.exe 2816 Ldpbpgoh.exe 2980 Lnhgim32.exe 2648 Lbcbjlmb.exe 2516 Lgqkbb32.exe 3048 Lbfook32.exe 1632 Lddlkg32.exe 1616 Mkndhabp.exe 1420 Mnmpdlac.exe 1724 Mqklqhpg.exe 1560 Mkqqnq32.exe 1428 Mmbmeifk.exe 356 Mqnifg32.exe 2036 Mfjann32.exe 2228 Mmdjkhdh.exe 836 Mobfgdcl.exe 2512 Mgjnhaco.exe 2040 Mfmndn32.exe 904 Mikjpiim.exe 1488 Mpebmc32.exe 2476 Mcqombic.exe 2184 Mimgeigj.exe 1492 Mklcadfn.exe 1976 Mklcadfn.exe 2356 Nfahomfd.exe 2988 Nmkplgnq.exe 2280 Nnmlcp32.exe 2772 Nfdddm32.exe 2500 Ngealejo.exe 2668 Nplimbka.exe 2644 Nameek32.exe 676 Nlcibc32.exe 1580 Nnafnopi.exe 1972 Nlefhcnc.exe 1952 Njhfcp32.exe 1848 Nfoghakb.exe 1312 Onfoin32.exe 1796 Ohncbdbd.exe 2284 Oippjl32.exe 2492 Oaghki32.exe 596 Opihgfop.exe 1528 Omnipjni.exe 1776 Olpilg32.exe 1436 Oplelf32.exe 1044 Odgamdef.exe 2316 Objaha32.exe 2432 Offmipej.exe 2380 Oidiekdn.exe 1596 Ompefj32.exe 2180 Olbfagca.exe 2620 Obmnna32.exe 2768 Ofhjopbg.exe 2728 Oiffkkbk.exe 2664 Ohiffh32.exe 3064 Olebgfao.exe 1012 Opqoge32.exe 1624 Obokcqhk.exe 1292 Oabkom32.exe 1200 Oemgplgo.exe 3036 Phlclgfc.exe 2436 Plgolf32.exe 988 Pofkha32.exe -
Loads dropped DLL 64 IoCs
pid Process 2392 21e24c67997f19f2de32a72d283712949caad71181fdea6483a0242a0bc64954.exe 2392 21e24c67997f19f2de32a72d283712949caad71181fdea6483a0242a0bc64954.exe 2088 Lclicpkm.exe 2088 Lclicpkm.exe 2216 Lfkeokjp.exe 2216 Lfkeokjp.exe 2812 Lcofio32.exe 2812 Lcofio32.exe 2816 Ldpbpgoh.exe 2816 Ldpbpgoh.exe 2980 Lnhgim32.exe 2980 Lnhgim32.exe 2648 Lbcbjlmb.exe 2648 Lbcbjlmb.exe 2516 Lgqkbb32.exe 2516 Lgqkbb32.exe 3048 Lbfook32.exe 3048 Lbfook32.exe 1632 Lddlkg32.exe 1632 Lddlkg32.exe 1616 Mkndhabp.exe 1616 Mkndhabp.exe 1420 Mnmpdlac.exe 1420 Mnmpdlac.exe 1724 Mqklqhpg.exe 1724 Mqklqhpg.exe 1560 Mkqqnq32.exe 1560 Mkqqnq32.exe 1428 Mmbmeifk.exe 1428 Mmbmeifk.exe 356 Mqnifg32.exe 356 Mqnifg32.exe 2036 Mfjann32.exe 2036 Mfjann32.exe 2228 Mmdjkhdh.exe 2228 Mmdjkhdh.exe 836 Mobfgdcl.exe 836 Mobfgdcl.exe 2512 Mgjnhaco.exe 2512 Mgjnhaco.exe 2040 Mfmndn32.exe 2040 Mfmndn32.exe 904 Mikjpiim.exe 904 Mikjpiim.exe 1488 Mpebmc32.exe 1488 Mpebmc32.exe 2476 Mcqombic.exe 2476 Mcqombic.exe 2184 Mimgeigj.exe 2184 Mimgeigj.exe 1492 Mklcadfn.exe 1492 Mklcadfn.exe 1976 Mklcadfn.exe 1976 Mklcadfn.exe 2356 Nfahomfd.exe 2356 Nfahomfd.exe 2988 Nmkplgnq.exe 2988 Nmkplgnq.exe 2280 Nnmlcp32.exe 2280 Nnmlcp32.exe 2772 Nfdddm32.exe 2772 Nfdddm32.exe 2500 Ngealejo.exe 2500 Ngealejo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Lclicpkm.exe 21e24c67997f19f2de32a72d283712949caad71181fdea6483a0242a0bc64954.exe File created C:\Windows\SysWOW64\Gdecfn32.dll Acicla32.exe File opened for modification C:\Windows\SysWOW64\Imggplgm.exe Iikkon32.exe File opened for modification C:\Windows\SysWOW64\Nkkmgncb.exe Mimpkcdn.exe File created C:\Windows\SysWOW64\Lcmdjb32.dll Oalkih32.exe File created C:\Windows\SysWOW64\Bpifad32.dll Piabdiep.exe File created C:\Windows\SysWOW64\Kbdjfk32.dll Pifbjn32.exe File created C:\Windows\SysWOW64\Ekmfne32.exe Ecfnmh32.exe File created C:\Windows\SysWOW64\Ohdfqbio.exe Oiafee32.exe File created C:\Windows\SysWOW64\Adaiee32.exe Aeoijidl.exe File created C:\Windows\SysWOW64\Fckhhgcf.exe Fplllkdc.exe File opened for modification C:\Windows\SysWOW64\Hkahgk32.exe Hgflflqg.exe File created C:\Windows\SysWOW64\Jndjmifj.exe Jlfnangf.exe File opened for modification C:\Windows\SysWOW64\Bqolji32.exe Bnapnm32.exe File opened for modification C:\Windows\SysWOW64\Ehpcehcj.exe Eeagimdf.exe File created C:\Windows\SysWOW64\Kobgmfjh.dll Iamfdo32.exe File created C:\Windows\SysWOW64\Ccqhkcib.dll Gkmbmh32.exe File created C:\Windows\SysWOW64\Mobomnoq.exe Mkfclo32.exe File opened for modification C:\Windows\SysWOW64\Bnlgbnbp.exe Bknjfb32.exe File opened for modification C:\Windows\SysWOW64\Klecfkff.exe Kekkiq32.exe File created C:\Windows\SysWOW64\Nqhepeai.exe Nbeedh32.exe File opened for modification C:\Windows\SysWOW64\Ephbal32.exe Eaebeoan.exe File created C:\Windows\SysWOW64\Keeeje32.exe Kcginj32.exe File created C:\Windows\SysWOW64\Popgboae.exe Plbkfdba.exe File opened for modification C:\Windows\SysWOW64\Hjlbdc32.exe Hfpfdeon.exe File opened for modification C:\Windows\SysWOW64\Bbjpil32.exe Bolcma32.exe File opened for modification C:\Windows\SysWOW64\Phlclgfc.exe Oemgplgo.exe File created C:\Windows\SysWOW64\Ibkhnd32.dll Pebpkk32.exe File created C:\Windows\SysWOW64\Hcopgk32.dll Aohdmdoh.exe File opened for modification C:\Windows\SysWOW64\Kpafapbk.exe Kmcjedcg.exe File created C:\Windows\SysWOW64\Bqmpdioa.exe Bbjpil32.exe File opened for modification C:\Windows\SysWOW64\Bkjdndjo.exe Bccmmf32.exe File created C:\Windows\SysWOW64\Enoopc32.dll Fiepea32.exe File created C:\Windows\SysWOW64\Phoogg32.dll Alddjg32.exe File created C:\Windows\SysWOW64\Kbhbai32.exe Kdeaelok.exe File created C:\Windows\SysWOW64\Ldgnklmi.exe Llpfjomf.exe File opened for modification C:\Windows\SysWOW64\Mnmpdlac.exe Mkndhabp.exe File created C:\Windows\SysWOW64\Djdgic32.exe Ccjoli32.exe File opened for modification C:\Windows\SysWOW64\Mqjefamk.exe Mhcmedli.exe File opened for modification C:\Windows\SysWOW64\Onqkclni.exe Ojeobm32.exe File created C:\Windows\SysWOW64\Iampng32.dll Eemnnn32.exe File created C:\Windows\SysWOW64\Iecbnqcj.dll Fbegbacp.exe File opened for modification C:\Windows\SysWOW64\Mimgeigj.exe Mcqombic.exe File opened for modification C:\Windows\SysWOW64\Icdcllpc.exe Iphgln32.exe File created C:\Windows\SysWOW64\Acnlgajg.exe Apppkekc.exe File created C:\Windows\SysWOW64\Bknjfb32.exe Blkjkflb.exe File opened for modification C:\Windows\SysWOW64\Jnagmc32.exe Jfjolf32.exe File created C:\Windows\SysWOW64\Dkpnde32.dll Kkmmlgik.exe File created C:\Windows\SysWOW64\Godonkii.dll Bfdenafn.exe File created C:\Windows\SysWOW64\Bqlfaj32.exe Bmpkqklh.exe File opened for modification C:\Windows\SysWOW64\Ibcphc32.exe Ioeclg32.exe File opened for modification C:\Windows\SysWOW64\Koaclfgl.exe Klcgpkhh.exe File created C:\Windows\SysWOW64\Qchaehnb.dll Lfkeokjp.exe File created C:\Windows\SysWOW64\Mqklqhpg.exe Mnmpdlac.exe File opened for modification C:\Windows\SysWOW64\Mqnifg32.exe Mmbmeifk.exe File created C:\Windows\SysWOW64\Ifbphh32.exe Icdcllpc.exe File opened for modification C:\Windows\SysWOW64\Bkbdabog.exe Bhdhefpc.exe File opened for modification C:\Windows\SysWOW64\Giolnomh.exe Ggapbcne.exe File opened for modification C:\Windows\SysWOW64\Kjhcag32.exe Klecfkff.exe File created C:\Windows\SysWOW64\Kheoph32.dll Nfahomfd.exe File created C:\Windows\SysWOW64\Eeiheo32.exe Ebklic32.exe File created C:\Windows\SysWOW64\Lpqlemaj.exe Lhiddoph.exe File opened for modification C:\Windows\SysWOW64\Adifpk32.exe Afffenbp.exe File opened for modification C:\Windows\SysWOW64\Gjifodii.exe Ggkibhjf.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7192 6828 WerFault.exe 738 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmnnkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djiqdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmapaflf.dll" Koipglep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gockgdeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klbgbj32.dll" Oaghki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Haqnea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obbdml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmbhcoif.dll" Aognbnkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgiaefgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifemminl.dll" Fkqlgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkddco32.dll" Inojhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlefhcnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dicdjqhf.dll" Qeppdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpcoeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiggco32.dll" Nqhepeai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohipla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehpcehcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdeaelok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgoelh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcpimq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epnhpglg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljdpbj32.dll" Fhbpkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fadndbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icdcllpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggknna32.dll" Jigbebhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbbhfl32.dll" Kageia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdbdqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifbphh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbbccgmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnbbcale.dll" Gcgqgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqmfpqmc.dll" Pafdjmkq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eeiheo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanlcl32.dll" Gkalhgfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckohkhoi.dll" Jbpfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjqmig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nflchkii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnjoco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfcabd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkndhabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iipejmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnnpb32.dll" Fpjofl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibfmmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lanbdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfcllk32.dll" Hmdkjmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inojhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bccmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll" Bceibfgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnimiblo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djiqdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekmfne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oabkom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggdcbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iogpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iacpmi32.dll" Obokcqhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldhcb32.dll" Qpbglhjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bccmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqmidcdi.dll" Khohkamc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npdhaq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qlfdac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhmaeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Licpomcb.dll" Emaijk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giolnomh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iknafhjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgfca32.dll" Kokmmkcm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2392 wrote to memory of 2088 2392 21e24c67997f19f2de32a72d283712949caad71181fdea6483a0242a0bc64954.exe 30 PID 2392 wrote to memory of 2088 2392 21e24c67997f19f2de32a72d283712949caad71181fdea6483a0242a0bc64954.exe 30 PID 2392 wrote to memory of 2088 2392 21e24c67997f19f2de32a72d283712949caad71181fdea6483a0242a0bc64954.exe 30 PID 2392 wrote to memory of 2088 2392 21e24c67997f19f2de32a72d283712949caad71181fdea6483a0242a0bc64954.exe 30 PID 2088 wrote to memory of 2216 2088 Lclicpkm.exe 31 PID 2088 wrote to memory of 2216 2088 Lclicpkm.exe 31 PID 2088 wrote to memory of 2216 2088 Lclicpkm.exe 31 PID 2088 wrote to memory of 2216 2088 Lclicpkm.exe 31 PID 2216 wrote to memory of 2812 2216 Lfkeokjp.exe 32 PID 2216 wrote to memory of 2812 2216 Lfkeokjp.exe 32 PID 2216 wrote to memory of 2812 2216 Lfkeokjp.exe 32 PID 2216 wrote to memory of 2812 2216 Lfkeokjp.exe 32 PID 2812 wrote to memory of 2816 2812 Lcofio32.exe 33 PID 2812 wrote to memory of 2816 2812 Lcofio32.exe 33 PID 2812 wrote to memory of 2816 2812 Lcofio32.exe 33 PID 2812 wrote to memory of 2816 2812 Lcofio32.exe 33 PID 2816 wrote to memory of 2980 2816 Ldpbpgoh.exe 34 PID 2816 wrote to memory of 2980 2816 Ldpbpgoh.exe 34 PID 2816 wrote to memory of 2980 2816 Ldpbpgoh.exe 34 PID 2816 wrote to memory of 2980 2816 Ldpbpgoh.exe 34 PID 2980 wrote to memory of 2648 2980 Lnhgim32.exe 35 PID 2980 wrote to memory of 2648 2980 Lnhgim32.exe 35 PID 2980 wrote to memory of 2648 2980 Lnhgim32.exe 35 PID 2980 wrote to memory of 2648 2980 Lnhgim32.exe 35 PID 2648 wrote to memory of 2516 2648 Lbcbjlmb.exe 36 PID 2648 wrote to memory of 2516 2648 Lbcbjlmb.exe 36 PID 2648 wrote to memory of 2516 2648 Lbcbjlmb.exe 36 PID 2648 wrote to memory of 2516 2648 Lbcbjlmb.exe 36 PID 2516 wrote to memory of 3048 2516 Lgqkbb32.exe 37 PID 2516 wrote to memory of 3048 2516 Lgqkbb32.exe 37 PID 2516 wrote to memory of 3048 2516 Lgqkbb32.exe 37 PID 2516 wrote to memory of 3048 2516 Lgqkbb32.exe 37 PID 3048 wrote to memory of 1632 3048 Lbfook32.exe 38 PID 3048 wrote to memory of 1632 3048 Lbfook32.exe 38 PID 3048 wrote to memory of 1632 3048 Lbfook32.exe 38 PID 3048 wrote to memory of 1632 3048 Lbfook32.exe 38 PID 1632 wrote to memory of 1616 1632 Lddlkg32.exe 39 PID 1632 wrote to memory of 1616 1632 Lddlkg32.exe 39 PID 1632 wrote to memory of 1616 1632 Lddlkg32.exe 39 PID 1632 wrote to memory of 1616 1632 Lddlkg32.exe 39 PID 1616 wrote to memory of 1420 1616 Mkndhabp.exe 40 PID 1616 wrote to memory of 1420 1616 Mkndhabp.exe 40 PID 1616 wrote to memory of 1420 1616 Mkndhabp.exe 40 PID 1616 wrote to memory of 1420 1616 Mkndhabp.exe 40 PID 1420 wrote to memory of 1724 1420 Mnmpdlac.exe 41 PID 1420 wrote to memory of 1724 1420 Mnmpdlac.exe 41 PID 1420 wrote to memory of 1724 1420 Mnmpdlac.exe 41 PID 1420 wrote to memory of 1724 1420 Mnmpdlac.exe 41 PID 1724 wrote to memory of 1560 1724 Mqklqhpg.exe 42 PID 1724 wrote to memory of 1560 1724 Mqklqhpg.exe 42 PID 1724 wrote to memory of 1560 1724 Mqklqhpg.exe 42 PID 1724 wrote to memory of 1560 1724 Mqklqhpg.exe 42 PID 1560 wrote to memory of 1428 1560 Mkqqnq32.exe 43 PID 1560 wrote to memory of 1428 1560 Mkqqnq32.exe 43 PID 1560 wrote to memory of 1428 1560 Mkqqnq32.exe 43 PID 1560 wrote to memory of 1428 1560 Mkqqnq32.exe 43 PID 1428 wrote to memory of 356 1428 Mmbmeifk.exe 44 PID 1428 wrote to memory of 356 1428 Mmbmeifk.exe 44 PID 1428 wrote to memory of 356 1428 Mmbmeifk.exe 44 PID 1428 wrote to memory of 356 1428 Mmbmeifk.exe 44 PID 356 wrote to memory of 2036 356 Mqnifg32.exe 45 PID 356 wrote to memory of 2036 356 Mqnifg32.exe 45 PID 356 wrote to memory of 2036 356 Mqnifg32.exe 45 PID 356 wrote to memory of 2036 356 Mqnifg32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\21e24c67997f19f2de32a72d283712949caad71181fdea6483a0242a0bc64954.exe"C:\Users\Admin\AppData\Local\Temp\21e24c67997f19f2de32a72d283712949caad71181fdea6483a0242a0bc64954.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Lclicpkm.exeC:\Windows\system32\Lclicpkm.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Lfkeokjp.exeC:\Windows\system32\Lfkeokjp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Lcofio32.exeC:\Windows\system32\Lcofio32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Ldpbpgoh.exeC:\Windows\system32\Ldpbpgoh.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Lnhgim32.exeC:\Windows\system32\Lnhgim32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Lbcbjlmb.exeC:\Windows\system32\Lbcbjlmb.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Lgqkbb32.exeC:\Windows\system32\Lgqkbb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Lbfook32.exeC:\Windows\system32\Lbfook32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Lddlkg32.exeC:\Windows\system32\Lddlkg32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Mkndhabp.exeC:\Windows\system32\Mkndhabp.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Mnmpdlac.exeC:\Windows\system32\Mnmpdlac.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\Mqklqhpg.exeC:\Windows\system32\Mqklqhpg.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Mkqqnq32.exeC:\Windows\system32\Mkqqnq32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\Mmbmeifk.exeC:\Windows\system32\Mmbmeifk.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Mqnifg32.exeC:\Windows\system32\Mqnifg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:356 -
C:\Windows\SysWOW64\Mfjann32.exeC:\Windows\system32\Mfjann32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2036 -
C:\Windows\SysWOW64\Mmdjkhdh.exeC:\Windows\system32\Mmdjkhdh.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2228 -
C:\Windows\SysWOW64\Mobfgdcl.exeC:\Windows\system32\Mobfgdcl.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:836 -
C:\Windows\SysWOW64\Mgjnhaco.exeC:\Windows\system32\Mgjnhaco.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2512 -
C:\Windows\SysWOW64\Mfmndn32.exeC:\Windows\system32\Mfmndn32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2040 -
C:\Windows\SysWOW64\Mikjpiim.exeC:\Windows\system32\Mikjpiim.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:904 -
C:\Windows\SysWOW64\Mpebmc32.exeC:\Windows\system32\Mpebmc32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1488 -
C:\Windows\SysWOW64\Mcqombic.exeC:\Windows\system32\Mcqombic.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Mimgeigj.exeC:\Windows\system32\Mimgeigj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2184 -
C:\Windows\SysWOW64\Mklcadfn.exeC:\Windows\system32\Mklcadfn.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1492 -
C:\Windows\SysWOW64\Mklcadfn.exeC:\Windows\system32\Mklcadfn.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976 -
C:\Windows\SysWOW64\Nfahomfd.exeC:\Windows\system32\Nfahomfd.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2356 -
C:\Windows\SysWOW64\Nmkplgnq.exeC:\Windows\system32\Nmkplgnq.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2988 -
C:\Windows\SysWOW64\Nnmlcp32.exeC:\Windows\system32\Nnmlcp32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\Nfdddm32.exeC:\Windows\system32\Nfdddm32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Ngealejo.exeC:\Windows\system32\Ngealejo.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2500 -
C:\Windows\SysWOW64\Nplimbka.exeC:\Windows\system32\Nplimbka.exe33⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Nameek32.exeC:\Windows\system32\Nameek32.exe34⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Nlcibc32.exeC:\Windows\system32\Nlcibc32.exe35⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Nnafnopi.exeC:\Windows\system32\Nnafnopi.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Nlefhcnc.exeC:\Windows\system32\Nlefhcnc.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1972 -
C:\Windows\SysWOW64\Njhfcp32.exeC:\Windows\system32\Njhfcp32.exe38⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Nfoghakb.exeC:\Windows\system32\Nfoghakb.exe39⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Onfoin32.exeC:\Windows\system32\Onfoin32.exe40⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Ohncbdbd.exeC:\Windows\system32\Ohncbdbd.exe41⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Oippjl32.exeC:\Windows\system32\Oippjl32.exe42⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Oaghki32.exeC:\Windows\system32\Oaghki32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Opihgfop.exeC:\Windows\system32\Opihgfop.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:596 -
C:\Windows\SysWOW64\Omnipjni.exeC:\Windows\system32\Omnipjni.exe45⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Olpilg32.exeC:\Windows\system32\Olpilg32.exe46⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Oplelf32.exeC:\Windows\system32\Oplelf32.exe47⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Odgamdef.exeC:\Windows\system32\Odgamdef.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Objaha32.exeC:\Windows\system32\Objaha32.exe49⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Offmipej.exeC:\Windows\system32\Offmipej.exe50⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Oidiekdn.exeC:\Windows\system32\Oidiekdn.exe51⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Ompefj32.exeC:\Windows\system32\Ompefj32.exe52⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Olbfagca.exeC:\Windows\system32\Olbfagca.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Obmnna32.exeC:\Windows\system32\Obmnna32.exe54⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Ofhjopbg.exeC:\Windows\system32\Ofhjopbg.exe55⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Oiffkkbk.exeC:\Windows\system32\Oiffkkbk.exe56⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Ohiffh32.exeC:\Windows\system32\Ohiffh32.exe57⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Olebgfao.exeC:\Windows\system32\Olebgfao.exe58⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Opqoge32.exeC:\Windows\system32\Opqoge32.exe59⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Obokcqhk.exeC:\Windows\system32\Obokcqhk.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Oabkom32.exeC:\Windows\system32\Oabkom32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:1292 -
C:\Windows\SysWOW64\Oemgplgo.exeC:\Windows\system32\Oemgplgo.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1200 -
C:\Windows\SysWOW64\Phlclgfc.exeC:\Windows\system32\Phlclgfc.exe63⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Plgolf32.exeC:\Windows\system32\Plgolf32.exe64⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Pofkha32.exeC:\Windows\system32\Pofkha32.exe65⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Padhdm32.exeC:\Windows\system32\Padhdm32.exe66⤵PID:1184
-
C:\Windows\SysWOW64\Pdbdqh32.exeC:\Windows\system32\Pdbdqh32.exe67⤵
- Modifies registry class
PID:1284 -
C:\Windows\SysWOW64\Pljlbf32.exeC:\Windows\system32\Pljlbf32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1716 -
C:\Windows\SysWOW64\Pkmlmbcd.exeC:\Windows\system32\Pkmlmbcd.exe69⤵PID:2460
-
C:\Windows\SysWOW64\Pohhna32.exeC:\Windows\system32\Pohhna32.exe70⤵PID:2504
-
C:\Windows\SysWOW64\Pmkhjncg.exeC:\Windows\system32\Pmkhjncg.exe71⤵PID:3028
-
C:\Windows\SysWOW64\Pafdjmkq.exeC:\Windows\system32\Pafdjmkq.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Pebpkk32.exeC:\Windows\system32\Pebpkk32.exe73⤵
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Pgcmbcih.exeC:\Windows\system32\Pgcmbcih.exe74⤵PID:2888
-
C:\Windows\SysWOW64\Pkoicb32.exeC:\Windows\system32\Pkoicb32.exe75⤵PID:2680
-
C:\Windows\SysWOW64\Pojecajj.exeC:\Windows\system32\Pojecajj.exe76⤵PID:1544
-
C:\Windows\SysWOW64\Pmmeon32.exeC:\Windows\system32\Pmmeon32.exe77⤵PID:1820
-
C:\Windows\SysWOW64\Pdgmlhha.exeC:\Windows\system32\Pdgmlhha.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1720 -
C:\Windows\SysWOW64\Pgfjhcge.exeC:\Windows\system32\Pgfjhcge.exe79⤵PID:2028
-
C:\Windows\SysWOW64\Pkaehb32.exeC:\Windows\system32\Pkaehb32.exe80⤵PID:1736
-
C:\Windows\SysWOW64\Pmpbdm32.exeC:\Windows\system32\Pmpbdm32.exe81⤵PID:2704
-
C:\Windows\SysWOW64\Paknelgk.exeC:\Windows\system32\Paknelgk.exe82⤵PID:264
-
C:\Windows\SysWOW64\Pdjjag32.exeC:\Windows\system32\Pdjjag32.exe83⤵PID:1700
-
C:\Windows\SysWOW64\Pcljmdmj.exeC:\Windows\system32\Pcljmdmj.exe84⤵PID:536
-
C:\Windows\SysWOW64\Pkcbnanl.exeC:\Windows\system32\Pkcbnanl.exe85⤵PID:2276
-
C:\Windows\SysWOW64\Pifbjn32.exeC:\Windows\system32\Pifbjn32.exe86⤵
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Qppkfhlc.exeC:\Windows\system32\Qppkfhlc.exe87⤵PID:2872
-
C:\Windows\SysWOW64\Qdlggg32.exeC:\Windows\system32\Qdlggg32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:860 -
C:\Windows\SysWOW64\Qkfocaki.exeC:\Windows\system32\Qkfocaki.exe89⤵PID:2752
-
C:\Windows\SysWOW64\Qiioon32.exeC:\Windows\system32\Qiioon32.exe90⤵PID:2120
-
C:\Windows\SysWOW64\Qpbglhjq.exeC:\Windows\system32\Qpbglhjq.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\Qdncmgbj.exeC:\Windows\system32\Qdncmgbj.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1876 -
C:\Windows\SysWOW64\Qeppdo32.exeC:\Windows\system32\Qeppdo32.exe93⤵
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Alihaioe.exeC:\Windows\system32\Alihaioe.exe94⤵PID:840
-
C:\Windows\SysWOW64\Aohdmdoh.exeC:\Windows\system32\Aohdmdoh.exe95⤵
- Drops file in System32 directory
PID:1536 -
C:\Windows\SysWOW64\Accqnc32.exeC:\Windows\system32\Accqnc32.exe96⤵PID:2340
-
C:\Windows\SysWOW64\Aebmjo32.exeC:\Windows\system32\Aebmjo32.exe97⤵PID:2452
-
C:\Windows\SysWOW64\Ahpifj32.exeC:\Windows\system32\Ahpifj32.exe98⤵PID:2828
-
C:\Windows\SysWOW64\Aojabdlf.exeC:\Windows\system32\Aojabdlf.exe99⤵PID:2628
-
C:\Windows\SysWOW64\Acfmcc32.exeC:\Windows\system32\Acfmcc32.exe100⤵PID:2608
-
C:\Windows\SysWOW64\Afdiondb.exeC:\Windows\system32\Afdiondb.exe101⤵PID:1116
-
C:\Windows\SysWOW64\Ahbekjcf.exeC:\Windows\system32\Ahbekjcf.exe102⤵PID:1328
-
C:\Windows\SysWOW64\Akabgebj.exeC:\Windows\system32\Akabgebj.exe103⤵PID:1708
-
C:\Windows\SysWOW64\Aomnhd32.exeC:\Windows\system32\Aomnhd32.exe104⤵PID:332
-
C:\Windows\SysWOW64\Afffenbp.exeC:\Windows\system32\Afffenbp.exe105⤵
- Drops file in System32 directory
PID:1852 -
C:\Windows\SysWOW64\Adifpk32.exeC:\Windows\system32\Adifpk32.exe106⤵PID:1140
-
C:\Windows\SysWOW64\Ahebaiac.exeC:\Windows\system32\Ahebaiac.exe107⤵PID:1188
-
C:\Windows\SysWOW64\Alqnah32.exeC:\Windows\system32\Alqnah32.exe108⤵PID:1648
-
C:\Windows\SysWOW64\Aoojnc32.exeC:\Windows\system32\Aoojnc32.exe109⤵PID:2260
-
C:\Windows\SysWOW64\Abmgjo32.exeC:\Windows\system32\Abmgjo32.exe110⤵PID:2936
-
C:\Windows\SysWOW64\Adlcfjgh.exeC:\Windows\system32\Adlcfjgh.exe111⤵PID:2964
-
C:\Windows\SysWOW64\Ahgofi32.exeC:\Windows\system32\Ahgofi32.exe112⤵PID:2788
-
C:\Windows\SysWOW64\Agjobffl.exeC:\Windows\system32\Agjobffl.exe113⤵PID:1644
-
C:\Windows\SysWOW64\Akfkbd32.exeC:\Windows\system32\Akfkbd32.exe114⤵PID:2468
-
C:\Windows\SysWOW64\Andgop32.exeC:\Windows\system32\Andgop32.exe115⤵PID:2568
-
C:\Windows\SysWOW64\Abpcooea.exeC:\Windows\system32\Abpcooea.exe116⤵PID:2920
-
C:\Windows\SysWOW64\Bhjlli32.exeC:\Windows\system32\Bhjlli32.exe117⤵PID:644
-
C:\Windows\SysWOW64\Bkhhhd32.exeC:\Windows\system32\Bkhhhd32.exe118⤵PID:920
-
C:\Windows\SysWOW64\Bnfddp32.exeC:\Windows\system32\Bnfddp32.exe119⤵PID:2396
-
C:\Windows\SysWOW64\Bbbpenco.exeC:\Windows\system32\Bbbpenco.exe120⤵PID:2744
-
C:\Windows\SysWOW64\Bccmmf32.exeC:\Windows\system32\Bccmmf32.exe121⤵
- Drops file in System32 directory
- Modifies registry class
PID:2192
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-