Analysis
- max time kernel: 153s
- max time network: 135s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 15/10/2023, 19:50
Static task
- static1: 1 signature
Behavioral task
- behavioral1: sample f6fa999f93576132b49b176bd7c26dc0_exe32.exe, resource win7-20230831-en, 6 signatures, 150 seconds
Behavioral task
- behavioral2: sample f6fa999f93576132b49b176bd7c26dc0_exe32.exe, resource win10v2004-20230915-en, 6 signatures, 150 seconds
General
- Target: f6fa999f93576132b49b176bd7c26dc0_exe32.exe
- Size: 80KB
- MD5: f6fa999f93576132b49b176bd7c26dc0
- SHA1: 8f6b04289e955e44252cc871be2578140b392502
- SHA256: 7ad90e819adfca14b33867f49efc5498ab09de26ee6c88e93753df70d0ce6204
- SHA512: 4eb87739a9cdba8c7d80a4cda15f09f64bd585e6485166d61f92980eab24592425b57a52db454946da2c7c6e54d95d12980070edfa9bed06f8e88b3e8fd55be7
- SSDEEP: 1536:Uk/ENYg1/NUx9PTPuaIq9iCyGWhQ2LsJ9VqDlzVxyh+CbxMa:Uk/ENYRSaGCyXrsJ9IDlRxyhTb7
- Score: 10/10
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Executes dropped EXE (64 IoCs)
- Loads dropped DLL (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Modifies registry class (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
The report shows a single chain 122 levels deep: every process below was spawned by the one listed directly above it, and the first column is its depth in that chain. The sample at depth 1 was started as "C:\Users\Admin\AppData\Local\Temp\f6fa999f93576132b49b176bd7c26dc0_exe32.exe". Every later process is a dropped file whose image on disk is C:\Windows\SysWOW64\<name>.exe while the recorded command line is C:\Windows\system32\<name>.exe: the sample is 32-bit on an x64 image, so its launches from "system32" are redirected to SysWOW64 by WOW64 file-system redirection. Several PIDs reappear further down the chain (for example 2152, 2468, 1184, 1368, 2420), so the earlier processes carrying them had already terminated by then. The signatures triggered by each process follow its image path.

depth | PID | image | signatures
1 | 1864 | C:\Users\Admin\AppData\Local\Temp\f6fa999f93576132b49b176bd7c26dc0_exe32.exe | Loads dropped DLL; Suspicious use of WriteProcessMemory
2 | 2152 | C:\Windows\SysWOW64\Nagbgl32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3 | 2660 | C:\Windows\SysWOW64\Jioopgef.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4 | 2688 | C:\Windows\SysWOW64\Kpdjaecc.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
5 | 2420 | C:\Windows\SysWOW64\Lcofio32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6 | 2468 | C:\Windows\SysWOW64\Mcjhmcok.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7 | 2892 | C:\Windows\SysWOW64\Mqnifg32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
8 | 2116 | C:\Windows\SysWOW64\Nibqqh32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9 | 1368 | C:\Windows\SysWOW64\Nhlgmd32.exe | Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
10 | 1340 | C:\Windows\SysWOW64\Pkcbnanl.exe | Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
11 | 1184 | C:\Windows\SysWOW64\Pleofj32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12 | 1692 | C:\Windows\SysWOW64\Allefimb.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13 | 916 | C:\Windows\SysWOW64\Afdiondb.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14 | 1744 | C:\Windows\SysWOW64\Cgfkmgnj.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15 | 2776 | C:\Windows\SysWOW64\Goiongbc.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16 | 2244 | C:\Windows\SysWOW64\Ieofkp32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17 | 3024 | C:\Windows\SysWOW64\Jjpdmi32.exe | Executes dropped EXE; Loads dropped DLL
18 | 1952 | C:\Windows\SysWOW64\Mqjefamk.exe | Executes dropped EXE; Loads dropped DLL
19 | 1600 | C:\Windows\SysWOW64\Mimpkcdn.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
20 | 1452 | C:\Windows\SysWOW64\Olmela32.exe | Executes dropped EXE; Loads dropped DLL
21 | 956 | C:\Windows\SysWOW64\Ojeobm32.exe | Executes dropped EXE; Loads dropped DLL
22 | 748 | C:\Windows\SysWOW64\Ppmgfb32.exe | Executes dropped EXE; Loads dropped DLL
23 | 2148 | C:\Windows\SysWOW64\Fgjjad32.exe | Executes dropped EXE; Loads dropped DLL
24 | 1748 | C:\Windows\SysWOW64\Iediin32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
25 | 2872 | C:\Windows\SysWOW64\Koaclfgl.exe | Executes dropped EXE; Loads dropped DLL
26 | 1236 | C:\Windows\SysWOW64\Kkmmlgik.exe | Executes dropped EXE; Loads dropped DLL
27 | 2308 | C:\Windows\SysWOW64\Kpieengb.exe | Executes dropped EXE; Loads dropped DLL
28 | 828 | C:\Windows\SysWOW64\Lghgmg32.exe | Executes dropped EXE; Loads dropped DLL
29 | 2192 | C:\Windows\SysWOW64\Lklikj32.exe | Executes dropped EXE; Loads dropped DLL
30 | 2584 | C:\Windows\SysWOW64\Mndhnd32.exe | Executes dropped EXE; Loads dropped DLL
31 | 2616 | C:\Windows\SysWOW64\Moeeelhn.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
32 | 2676 | C:\Windows\SysWOW64\Nhbciaki.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
33 | 2168 | C:\Windows\SysWOW64\Ogliemkk.exe | Executes dropped EXE
34 | 2208 | C:\Windows\SysWOW64\Omlncc32.exe | Executes dropped EXE
35 | 676 | C:\Windows\SysWOW64\Ocefpnom.exe | Executes dropped EXE
36 | 1232 | C:\Windows\SysWOW64\Ochcem32.exe | Executes dropped EXE
37 | 2744 | C:\Windows\SysWOW64\Oielnd32.exe | Executes dropped EXE
38 | 2772 | C:\Windows\SysWOW64\Pbomli32.exe | Executes dropped EXE
39 | 1656 | C:\Windows\SysWOW64\Pfhhflmg.exe | Executes dropped EXE
40 | 800 | C:\Windows\SysWOW64\Qdofep32.exe | Executes dropped EXE; Modifies registry class
41 | 1092 | C:\Windows\SysWOW64\Fpmned32.exe | Executes dropped EXE
42 | 2376 | C:\Windows\SysWOW64\Ffgfancd.exe | Executes dropped EXE
43 | 2104 | C:\Windows\SysWOW64\Ghoijebj.exe | Executes dropped EXE
44 | 3052 | C:\Windows\SysWOW64\Gcppkbia.exe | Executes dropped EXE
45 | 2288 | C:\Windows\SysWOW64\Hijhhl32.exe | Executes dropped EXE
46 | 1040 | C:\Windows\SysWOW64\Hkbkpcpd.exe | Executes dropped EXE; Drops file in System32 directory
47 | 1808 | C:\Windows\SysWOW64\Jbphgpfg.exe | Executes dropped EXE
48 | 1620 | C:\Windows\SysWOW64\Kfggkc32.exe | Executes dropped EXE
49 | 848 | C:\Windows\SysWOW64\Keango32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
50 | 2000 | C:\Windows\SysWOW64\Kecjmodq.exe | Executes dropped EXE
51 | 556 | C:\Windows\SysWOW64\Lonlkcho.exe | Executes dropped EXE
52 | 872 | C:\Windows\SysWOW64\Ldkdckff.exe | Executes dropped EXE
53 | 1584 | C:\Windows\SysWOW64\Lkifkdjm.exe | Executes dropped EXE
54 | 2280 | C:\Windows\SysWOW64\Mcidkf32.exe | Executes dropped EXE
55 | 2072 | C:\Windows\SysWOW64\Nknkeg32.exe | Executes dropped EXE; Modifies registry class
56 | 2664 | C:\Windows\SysWOW64\Nggipg32.exe | Executes dropped EXE
57 | 2724 | C:\Windows\SysWOW64\Ofaolcmh.exe | Executes dropped EXE
58 | 2512 | C:\Windows\SysWOW64\Oqojhp32.exe | Executes dropped EXE; Modifies registry class
59 | 2712 | C:\Windows\SysWOW64\Pjlgle32.exe | Executes dropped EXE
60 | 2504 | C:\Windows\SysWOW64\Blgcio32.exe | Executes dropped EXE
61 | 2692 | C:\Windows\SysWOW64\Beadgdli.exe | Executes dropped EXE; Drops file in System32 directory
62 | 920 | C:\Windows\SysWOW64\Cppobaeb.exe | Executes dropped EXE
63 | 1896 | C:\Windows\SysWOW64\Dlpbna32.exe | Executes dropped EXE
64 | 1344 | C:\Windows\SysWOW64\Dfhgggim.exe | Executes dropped EXE
65 | 2380 | C:\Windows\SysWOW64\Dhgccbhp.exe | Executes dropped EXE; Drops file in System32 directory
66 | 1336 | C:\Windows\SysWOW64\Dkeoongd.exe | Adds autorun key to be loaded by Explorer.exe on startup
67 | 2284 | C:\Windows\SysWOW64\Dfkclf32.exe | no signatures
68 | 1784 | C:\Windows\SysWOW64\Djoeki32.exe | no signatures
69 | 2232 | C:\Windows\SysWOW64\Dqinhcoc.exe | Modifies registry class
70 | 1124 | C:\Windows\SysWOW64\Ejcofica.exe | no signatures
71 | 2152 | C:\Windows\SysWOW64\Einebddd.exe | no signatures
72 | 1880 | C:\Windows\SysWOW64\Fnmjpk32.exe | no signatures
73 | 2540 | C:\Windows\SysWOW64\Gllnnc32.exe | Modifies registry class
74 | 2908 | C:\Windows\SysWOW64\Gdcfoq32.exe | no signatures
75 | 2992 | C:\Windows\SysWOW64\Gleqdb32.exe | no signatures
76 | 2468 | C:\Windows\SysWOW64\Hocmpm32.exe | Drops file in System32 directory
77 | 2900 | C:\Windows\SysWOW64\Hnkffi32.exe | Drops file in System32 directory
78 | 1708 | C:\Windows\SysWOW64\Hpicbe32.exe | no signatures
79 | 1184 | C:\Windows\SysWOW64\Hchoop32.exe | Modifies registry class
80 | 760 | C:\Windows\SysWOW64\Mdepmh32.exe | Drops file in System32 directory
81 | 1532 | C:\Windows\SysWOW64\Mheeif32.exe | Modifies registry class
82 | 1004 | C:\Windows\SysWOW64\Okhgod32.exe | Modifies registry class
83 | 2392 | C:\Windows\SysWOW64\Onkmfofg.exe | no signatures
84 | 1108 | C:\Windows\SysWOW64\Ochenfdn.exe | no signatures
85 | 2240 | C:\Windows\SysWOW64\Ojbnkp32.exe | no signatures
86 | 2836 | C:\Windows\SysWOW64\Podpoffm.exe | no signatures
87 | 1980 | C:\Windows\SysWOW64\Pfnhkq32.exe | no signatures
88 | 1772 | C:\Windows\SysWOW64\Pkjqcg32.exe | no signatures
89 | 2820 | C:\Windows\SysWOW64\Pgcnnh32.exe | no signatures
90 | 940 | C:\Windows\SysWOW64\Aljmbknm.exe | no signatures
91 | 1640 | C:\Windows\SysWOW64\Abdeoe32.exe | Modifies registry class
92 | 2040 | C:\Windows\SysWOW64\Almihjlj.exe | no signatures
93 | 2020 | C:\Windows\SysWOW64\Abgaeddg.exe | no signatures
94 | 2548 | C:\Windows\SysWOW64\Ahcjmkbo.exe | Drops file in System32 directory
95 | 656 | C:\Windows\SysWOW64\Bkkioeig.exe | no signatures
96 | 2596 | C:\Windows\SysWOW64\Baealp32.exe | no signatures
97 | 2572 | C:\Windows\SysWOW64\Bfbjdf32.exe | no signatures
98 | 1368 | C:\Windows\SysWOW64\Bmlbaqfh.exe | no signatures
99 | 2576 | C:\Windows\SysWOW64\Clclhmin.exe | no signatures
100 | 592 | C:\Windows\SysWOW64\Ccnddg32.exe | no signatures
101 | 3048 | C:\Windows\SysWOW64\Ciglaa32.exe | no signatures
102 | 808 | C:\Windows\SysWOW64\Ckiiiine.exe | Drops file in System32 directory
103 | 1812 | C:\Windows\SysWOW64\Cabaec32.exe | Modifies registry class
104 | 2272 | C:\Windows\SysWOW64\Dckcnj32.exe | no signatures
105 | 2304 | C:\Windows\SysWOW64\Dpaqmnap.exe | no signatures
106 | 2084 | C:\Windows\SysWOW64\Elmkmo32.exe | no signatures
107 | 1700 | C:\Windows\SysWOW64\Enpdjfgj.exe | Drops file in System32 directory
108 | 2968 | C:\Windows\SysWOW64\Emhnqbjo.exe | no signatures
109 | 3012 | C:\Windows\SysWOW64\Fjnkpf32.exe | no signatures
110 | 2248 | C:\Windows\SysWOW64\Fpmpnmck.exe | no signatures
111 | 1572 | C:\Windows\SysWOW64\Fiedfb32.exe | no signatures
112 | 2420 | C:\Windows\SysWOW64\Fppmcmah.exe | Adds autorun key to be loaded by Explorer.exe on startup
113 | 3044 | C:\Windows\SysWOW64\Gpmllpef.exe | no signatures
114 | 2788 | C:\Windows\SysWOW64\Jopbnn32.exe | Drops file in System32 directory
115 | 1364 | C:\Windows\SysWOW64\Jfjjkhhg.exe | no signatures
116 | 1120 | C:\Windows\SysWOW64\Jkgbcofn.exe | no signatures
117 | 1492 | C:\Windows\SysWOW64\Jneoojeb.exe | no signatures
118 | 368 | C:\Windows\SysWOW64\Lgiobadq.exe | Drops file in System32 directory
119 | 2716 | C:\Windows\SysWOW64\Ncnlnaim.exe | Drops file in System32 directory
120 | 1612 | C:\Windows\SysWOW64\Pjhpin32.exe | no signatures
121 | 2112 | C:\Windows\SysWOW64\Pglacbbo.exe | no signatures
122 | 2780 | C:\Windows\SysWOW64\Pjjmonac.exe | Adds autorun key to be loaded by Explorer.exe on startup
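As an added example (not part of the Triage report and not the sample's code), the Python below takes a constructed excerpt of the process list above and of the "wrote to memory" events listed before it, rebuilds the spawn chain from the tree depth, checks that every memory write lands in a process the writer itself spawned, and measures the run of consecutively spawned SysWOW64 drops. The process table and event lines are transcribed from the report's own entries; the 8-character naming regex and the WOW64 redirection check are this example's assumptions about the sample, not something the report states.

```python
import re
from collections import Counter

# Constructed excerpt of the report's Processes section: depth, PID, image on disk,
# recorded command line. The depth-N+1 process is spawned by the depth-N one above it.
PROCESS_TABLE = r"""
1 1864 C:\Users\Admin\AppData\Local\Temp\f6fa999f93576132b49b176bd7c26dc0_exe32.exe "C:\Users\Admin\AppData\Local\Temp\f6fa999f93576132b49b176bd7c26dc0_exe32.exe"
2 2152 C:\Windows\SysWOW64\Nagbgl32.exe C:\Windows\system32\Nagbgl32.exe
3 2660 C:\Windows\SysWOW64\Jioopgef.exe C:\Windows\system32\Jioopgef.exe
4 2688 C:\Windows\SysWOW64\Kpdjaecc.exe C:\Windows\system32\Kpdjaecc.exe
5 2420 C:\Windows\SysWOW64\Lcofio32.exe C:\Windows\system32\Lcofio32.exe
6 2468 C:\Windows\SysWOW64\Mcjhmcok.exe C:\Windows\system32\Mcjhmcok.exe
7 2892 C:\Windows\SysWOW64\Mqnifg32.exe C:\Windows\system32\Mqnifg32.exe
8 2116 C:\Windows\SysWOW64\Nibqqh32.exe C:\Windows\system32\Nibqqh32.exe
9 1368 C:\Windows\SysWOW64\Nhlgmd32.exe C:\Windows\system32\Nhlgmd32.exe
10 1340 C:\Windows\SysWOW64\Pkcbnanl.exe C:\Windows\system32\Pkcbnanl.exe
11 1184 C:\Windows\SysWOW64\Pleofj32.exe C:\Windows\system32\Pleofj32.exe
12 1692 C:\Windows\SysWOW64\Allefimb.exe C:\Windows\system32\Allefimb.exe
13 916 C:\Windows\SysWOW64\Afdiondb.exe C:\Windows\system32\Afdiondb.exe
14 1744 C:\Windows\SysWOW64\Cgfkmgnj.exe C:\Windows\system32\Cgfkmgnj.exe
15 2776 C:\Windows\SysWOW64\Goiongbc.exe C:\Windows\system32\Goiongbc.exe
16 2244 C:\Windows\SysWOW64\Ieofkp32.exe C:\Windows\system32\Ieofkp32.exe
17 3024 C:\Windows\SysWOW64\Jjpdmi32.exe C:\Windows\system32\Jjpdmi32.exe
"""

# Constructed excerpt of the report's WriteProcessMemory events; the report repeats
# each event several times, so one duplicate is kept here to show the de-duplication.
WRITE_EVENTS = """
PID 1368 wrote to memory of 1340 1368 Nhlgmd32.exe 36
PID 1368 wrote to memory of 1340 1368 Nhlgmd32.exe 36
PID 1340 wrote to memory of 1184 1340 Pkcbnanl.exe 37
PID 1184 wrote to memory of 1692 1184 Pleofj32.exe 38
PID 1692 wrote to memory of 916 1692 Allefimb.exe 39
PID 916 wrote to memory of 1744 916 Afdiondb.exe 41
PID 1744 wrote to memory of 2776 1744 Cgfkmgnj.exe 42
PID 2776 wrote to memory of 2244 2776 Goiongbc.exe 43
PID 2244 wrote to memory of 3024 2244 Ieofkp32.exe 44
"""

EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
# Assumed naming pattern of this sample's drops (8 chars, capital then lowercase, optional "32" tail)
DROPPED_NAME_RE = re.compile(r"^[A-Z][a-z]{5}(?:[a-z]{2}|32)\.exe$")


def parse_processes(table):
    """Return [(depth, pid, image, cmdline)] rows from the whitespace-separated table."""
    rows = []
    for line in table.strip().splitlines():
        depth, pid, image, cmdline = line.split(None, 3)
        rows.append((int(depth), int(pid), image, cmdline))
    return rows


def build_parent_map(rows):
    """Map PID -> parent PID: the parent is the latest process one depth level up."""
    parent_of, last_at_depth = {}, {}
    for depth, pid, _, _ in rows:
        parent_of[pid] = last_at_depth.get(depth - 1)
        last_at_depth[depth] = pid
    return parent_of


def parse_write_events(text):
    """Count (writer_pid, target_pid) pairs, collapsing the report's repeated rows."""
    return Counter((int(m.group(1)), int(m.group(2)))
                   for m in map(EVENT_RE.match, text.strip().splitlines()) if m)


def writes_into_own_child(events, parent_of):
    """True when every memory write targets a process the writer itself spawned."""
    return bool(events) and all(parent_of.get(t) == w for w, t in events)


def wow64_redirected(image, cmdline):
    """Command line names system32 but the image sits in SysWOW64: WOW64 file-system
    redirection, so the launching process is 32-bit on an x64 system."""
    return (image.lower().startswith("c:\\windows\\syswow64\\")
            and "\\system32\\" in cmdline.lower())


def dropper_chain_length(rows, parent_of):
    """Longest run of SysWOW64 drops matching DROPPED_NAME_RE, each spawned by the
    previous one in the run: the hunting signal this report's process tree gives."""
    best, run, prev_pid = 0, 0, None
    for _, pid, image, cmdline in rows:
        name = image.rsplit("\\", 1)[-1]
        if (DROPPED_NAME_RE.match(name) and wow64_redirected(image, cmdline)
                and parent_of.get(pid) == prev_pid):
            run += 1
            best = max(best, run)
        else:
            run = 0
        prev_pid = pid
    return best


def analyze(table=PROCESS_TABLE, events_text=WRITE_EVENTS):
    rows = parse_processes(table)
    parent_of = build_parent_map(rows)
    events = parse_write_events(events_text)
    return {
        "processes": len(rows),
        "unique_write_pairs": len(events),
        "writes_into_own_child": writes_into_own_child(events, parent_of),
        "dropper_chain_length": dropper_chain_length(rows, parent_of),
    }


if __name__ == "__main__":
    print(analyze())
```

Run against the excerpt, every recorded write goes from a dropped EXE into the child it has just spawned, and the 16 dropped processes form one unbroken run; the same parsing works on the full 122-entry list. The naming regex is specific to this sample's drops and must be re-derived for another family.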