Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
39s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
13/03/2024, 21:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8182dfd9f4baf145f38a7b35b2ffee168c85d265ab6c3367871575adee4a2f72.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
8182dfd9f4baf145f38a7b35b2ffee168c85d265ab6c3367871575adee4a2f72.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
8182dfd9f4baf145f38a7b35b2ffee168c85d265ab6c3367871575adee4a2f72.exe
-
Size
45KB
-
MD5
1898baaa2292419eda485d8745376243
-
SHA1
3af7eefbce64e075c20eb6f9dcf1856ab16514b2
-
SHA256
8182dfd9f4baf145f38a7b35b2ffee168c85d265ab6c3367871575adee4a2f72
-
SHA512
387f55b5bb33d3b1e1e6761c3572ac76bcaa74fc85b37229f2f86cedbf82dc599b8236b2d7ee3437250b6ba341b176d5278846b982331e54fc0cc3f42172ed17
-
SSDEEP
768:OjpIuzWF9VLbloC3dx3wdc83EkxDu8M7gDnhv7VhHvvfzAkcv5/1H5gb:WIumLJdtxg7vtp7Xv5cvz2
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omfkke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anlmmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Febfomdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idcokkak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqlhdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aefeijle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpngfgle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcjcfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgagfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckoilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhckpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmbknddp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgplkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Behnnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmikibio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lccdel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bghjhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fagjnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ichllgfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfiale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fikejl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhqbkhch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpqpjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqhpdhcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bldcpf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fenmdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndkmpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooeggp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Habfipdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kocbkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lccdel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leljop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkbhgojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aemkjiem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gikaio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghqnjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdildlie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cppkph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecqqpgli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmjojo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkbalifo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbamma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnkjhb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilcmjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqilooij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qpecfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajjcbpdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fikejl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoamgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnhnbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmbknddp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgjclbdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enfenplo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebjglbml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhckpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Habfipdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alpmfdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaobdjof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpejeihi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jghmfhmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knmhgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjjgclai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ichllgfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meijhc32.exe -
Executes dropped EXE 64 IoCs
pid Process 2792 Mdmmfa32.exe 2640 Mdpjlajk.exe 2808 Mimbdhhb.exe 2468 Mlkopcge.exe 2600 Mcegmm32.exe 2504 Nolhan32.exe 1736 Nialog32.exe 2744 Nkbhgojk.exe 864 Ndkmpe32.exe 1748 Nkeelohh.exe 1648 Nejiih32.exe 588 Naajoinb.exe 440 Nkiogn32.exe 1904 Npfgpe32.exe 1652 Oklkmnbp.exe 2280 Oddpfc32.exe 1380 Onmdoioa.exe 2340 Ombapedi.exe 1916 Ofjfhk32.exe 2300 Omdneebf.exe 1932 Obafnlpn.exe 908 Omfkke32.exe 1888 Ooeggp32.exe 1376 Pdaoog32.exe 2096 Pgplkb32.exe 2964 Pqhpdhcc.exe 1704 Pgbhabjp.exe 1640 Pqkmjh32.exe 2520 Pgeefbhm.exe 2688 Pnomcl32.exe 2604 Peiepfgg.exe 1572 Pfjbgnme.exe 2388 Pmdjdh32.exe 2552 Pcnbablo.exe 2908 Pjhknm32.exe 856 Qpecfc32.exe 1696 Qjjgclai.exe 240 Qbelgood.exe 268 Aipddi32.exe 2632 Anlmmp32.exe 1656 Aefeijle.exe 1720 Alpmfdcb.exe 1588 Anojbobe.exe 1352 Aamfnkai.exe 2836 Ahgnke32.exe 2200 Ajejgp32.exe 1568 Aaobdjof.exe 1820 Adnopfoj.exe 940 Alegac32.exe 1944 Anccmo32.exe 2360 Aemkjiem.exe 2012 Ahlgfdeq.exe 2716 Ajjcbpdd.exe 2556 Aadloj32.exe 2636 Bdbhke32.exe 2568 Bbhela32.exe 2496 Bkommo32.exe 2764 Bpleef32.exe 2756 Bbjbaa32.exe 2044 Behnnm32.exe 1040 Blbfjg32.exe 768 Bblogakg.exe 1752 Bghjhp32.exe 1344 Bifgdk32.exe -
Loads dropped DLL 64 IoCs
pid Process 1444 8182dfd9f4baf145f38a7b35b2ffee168c85d265ab6c3367871575adee4a2f72.exe 1444 8182dfd9f4baf145f38a7b35b2ffee168c85d265ab6c3367871575adee4a2f72.exe 2792 Mdmmfa32.exe 2792 Mdmmfa32.exe 2640 Mdpjlajk.exe 2640 Mdpjlajk.exe 2808 Mimbdhhb.exe 2808 Mimbdhhb.exe 2468 Mlkopcge.exe 2468 Mlkopcge.exe 2600 Mcegmm32.exe 2600 Mcegmm32.exe 2504 Nolhan32.exe 2504 Nolhan32.exe 1736 Nialog32.exe 1736 Nialog32.exe 2744 Nkbhgojk.exe 2744 Nkbhgojk.exe 864 Ndkmpe32.exe 864 Ndkmpe32.exe 1748 Nkeelohh.exe 1748 Nkeelohh.exe 1648 Nejiih32.exe 1648 Nejiih32.exe 588 Naajoinb.exe 588 Naajoinb.exe 440 Nkiogn32.exe 440 Nkiogn32.exe 1904 Npfgpe32.exe 1904 Npfgpe32.exe 1652 Oklkmnbp.exe 1652 Oklkmnbp.exe 2280 Oddpfc32.exe 2280 Oddpfc32.exe 1380 Onmdoioa.exe 1380 Onmdoioa.exe 2340 Ombapedi.exe 2340 Ombapedi.exe 1916 Ofjfhk32.exe 1916 Ofjfhk32.exe 2300 Omdneebf.exe 2300 Omdneebf.exe 1932 Obafnlpn.exe 1932 Obafnlpn.exe 908 Omfkke32.exe 908 Omfkke32.exe 1888 Ooeggp32.exe 1888 Ooeggp32.exe 1376 Pdaoog32.exe 1376 Pdaoog32.exe 2096 Pgplkb32.exe 2096 Pgplkb32.exe 2964 Pqhpdhcc.exe 2964 Pqhpdhcc.exe 1704 Pgbhabjp.exe 1704 Pgbhabjp.exe 1640 Pqkmjh32.exe 1640 Pqkmjh32.exe 2520 Pgeefbhm.exe 2520 Pgeefbhm.exe 2688 Pnomcl32.exe 2688 Pnomcl32.exe 2604 Peiepfgg.exe 2604 Peiepfgg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bhglodcb.dll Qjjgclai.exe File opened for modification C:\Windows\SysWOW64\Chnqkg32.exe Ckjpacfp.exe File opened for modification C:\Windows\SysWOW64\Gpqpjj32.exe Gmbdnn32.exe File created C:\Windows\SysWOW64\Nafmbhpm.dll Jfiale32.exe File opened for modification C:\Windows\SysWOW64\Kkaiqk32.exe Kgemplap.exe File opened for modification C:\Windows\SysWOW64\Mbkmlh32.exe Mmneda32.exe File created C:\Windows\SysWOW64\Ngoohnkj.dll Nekbmgcn.exe File created C:\Windows\SysWOW64\Amdhhh32.dll Ndkmpe32.exe File created C:\Windows\SysWOW64\Kckmmp32.dll Aamfnkai.exe File created C:\Windows\SysWOW64\Khknah32.dll Effcma32.exe File opened for modification C:\Windows\SysWOW64\Homclekn.exe Hhckpk32.exe File created C:\Windows\SysWOW64\Dgaqoq32.dll Hanlnp32.exe File created C:\Windows\SysWOW64\Jkjfah32.exe Jdpndnei.exe File created C:\Windows\SysWOW64\Ooeggp32.exe Omfkke32.exe File created C:\Windows\SysWOW64\Jocflgga.exe Ihjnom32.exe File opened for modification C:\Windows\SysWOW64\Jqgoiokm.exe Jofbag32.exe File created C:\Windows\SysWOW64\Gdchio32.dll 8182dfd9f4baf145f38a7b35b2ffee168c85d265ab6c3367871575adee4a2f72.exe File created C:\Windows\SysWOW64\Cahqdihi.dll Aemkjiem.exe File opened for modification C:\Windows\SysWOW64\Bghjhp32.exe Bblogakg.exe File created C:\Windows\SysWOW64\Cdgneh32.exe Cpkbdiqb.exe File created C:\Windows\SysWOW64\Fpngfgle.exe Fmpkjkma.exe File opened for modification C:\Windows\SysWOW64\Pfjbgnme.exe Peiepfgg.exe File opened for modification C:\Windows\SysWOW64\Ebjglbml.exe Eqijej32.exe File opened for modification C:\Windows\SysWOW64\Hpbiommg.exe Hoamgd32.exe File created C:\Windows\SysWOW64\Kofopj32.exe Kilfcpqm.exe File created C:\Windows\SysWOW64\Mkoleq32.dll Kilfcpqm.exe File created C:\Windows\SysWOW64\Melfncqb.exe Mapjmehi.exe File created C:\Windows\SysWOW64\Fgpimg32.dll Bghjhp32.exe File opened for modification C:\Windows\SysWOW64\Ckjpacfp.exe Biicik32.exe File opened for modification C:\Windows\SysWOW64\Labkdack.exe Ljibgg32.exe File created C:\Windows\SysWOW64\Qfgkcdoe.dll Jocflgga.exe File created C:\Windows\SysWOW64\Nmnlfg32.dll Cpkbdiqb.exe File created C:\Windows\SysWOW64\Iohmol32.dll Fpngfgle.exe File created C:\Windows\SysWOW64\Hakphqja.exe Homclekn.exe File created C:\Windows\SysWOW64\Qpehocqo.dll Hakphqja.exe File opened for modification C:\Windows\SysWOW64\Hkfagfop.exe Hhgdkjol.exe File opened for modification C:\Windows\SysWOW64\Hoamgd32.exe Hkfagfop.exe File created C:\Windows\SysWOW64\Fojebabb.dll Aipddi32.exe File opened for modification C:\Windows\SysWOW64\Heihnoph.exe Hanlnp32.exe File opened for modification C:\Windows\SysWOW64\Bldcpf32.exe Bifgdk32.exe File created C:\Windows\SysWOW64\Ceaadk32.exe Cohigamf.exe File created C:\Windows\SysWOW64\Dbkknojp.exe Dgjclbdi.exe File created C:\Windows\SysWOW64\Gedbdlbb.exe Fmmkcoap.exe File opened for modification C:\Windows\SysWOW64\Iipgcaob.exe Idcokkak.exe File opened for modification C:\Windows\SysWOW64\Fcjcfe32.exe Fpngfgle.exe File created C:\Windows\SysWOW64\Gfhladfn.exe Gpncej32.exe File created C:\Windows\SysWOW64\Hoamgd32.exe Hkfagfop.exe File created C:\Windows\SysWOW64\Ecfmdf32.dll Mponel32.exe File created C:\Windows\SysWOW64\Fnkjhb32.exe Fllnlg32.exe File created C:\Windows\SysWOW64\Qagnqken.dll Hhgdkjol.exe File created C:\Windows\SysWOW64\Fdebncjd.dll Ichllgfb.exe File created C:\Windows\SysWOW64\Aamfnkai.exe Anojbobe.exe File opened for modification C:\Windows\SysWOW64\Lclnemgd.exe Kkaiqk32.exe File created C:\Windows\SysWOW64\Fdbnmk32.dll Lmikibio.exe File created C:\Windows\SysWOW64\Ngogde32.dll Nialog32.exe File created C:\Windows\SysWOW64\Ofjfhk32.exe Ombapedi.exe File created C:\Windows\SysWOW64\Jcjdpj32.exe Jqlhdo32.exe File created C:\Windows\SysWOW64\Kincipnk.exe Kcakaipc.exe File opened for modification C:\Windows\SysWOW64\Mdmmfa32.exe 8182dfd9f4baf145f38a7b35b2ffee168c85d265ab6c3367871575adee4a2f72.exe File created C:\Windows\SysWOW64\Oddpfc32.exe Oklkmnbp.exe File created C:\Windows\SysWOW64\Lghniakc.dll Oklkmnbp.exe File created C:\Windows\SysWOW64\Bghjhp32.exe Bblogakg.exe File created C:\Windows\SysWOW64\Fahgfoih.dll Cghggc32.exe File created C:\Windows\SysWOW64\Bpebiecm.dll Inkccpgk.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3924 3900 WerFault.exe 234 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiebec32.dll" Obafnlpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojebabb.dll" Aipddi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bldcpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqijej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imfegi32.dll" Jnkpbcjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfbpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oincig32.dll" Mdpjlajk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgeefbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chboohof.dll" Bbhela32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjhlioai.dll" Behnnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cohigamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klmkof32.dll" Eqgnokip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfobbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpkbdiqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opfdll32.dll" Cjdfmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cghggc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpjmjp32.dll" Idcokkak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jghmfhmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjbelmp.dll" Kofopj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meijhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgefik32.dll" Onmdoioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmnlfg32.dll" Cpkbdiqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjehnpjo.dll" Gpqpjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfjhgdck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieidmbcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilcmjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkcfcoqm.dll" Lmlhnagm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Melfncqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fagjnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daiohhgh.dll" Ijbdha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meijhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nolhan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acmmle32.dll" Aefeijle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfdmggnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbjbaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Biicik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdfjcc32.dll" Ieidmbcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcopbn32.dll" Lclnemgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmneda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npfgpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jqilooij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpjdjmfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnomcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anlmmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anojbobe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bghjhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Labkdack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmeabq32.dll" Omfkke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfmjjgm.dll" Anojbobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahgnke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Biicik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqijej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfoagoic.dll" Jghmfhmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lclnemgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfdmggnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbkmlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlnbfd32.dll" Mimbdhhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopgmbf.dll" Nkeelohh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofjfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enfenplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effqclic.dll" Mlcbenjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofjfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cppkph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kohkfj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1444 wrote to memory of 2792 1444 8182dfd9f4baf145f38a7b35b2ffee168c85d265ab6c3367871575adee4a2f72.exe 28 PID 1444 wrote to memory of 2792 1444 8182dfd9f4baf145f38a7b35b2ffee168c85d265ab6c3367871575adee4a2f72.exe 28 PID 1444 wrote to memory of 2792 1444 8182dfd9f4baf145f38a7b35b2ffee168c85d265ab6c3367871575adee4a2f72.exe 28 PID 1444 wrote to memory of 2792 1444 8182dfd9f4baf145f38a7b35b2ffee168c85d265ab6c3367871575adee4a2f72.exe 28 PID 2792 wrote to memory of 2640 2792 Mdmmfa32.exe 29 PID 2792 wrote to memory of 2640 2792 Mdmmfa32.exe 29 PID 2792 wrote to memory of 2640 2792 Mdmmfa32.exe 29 PID 2792 wrote to memory of 2640 2792 Mdmmfa32.exe 29 PID 2640 wrote to memory of 2808 2640 Mdpjlajk.exe 30 PID 2640 wrote to memory of 2808 2640 Mdpjlajk.exe 30 PID 2640 wrote to memory of 2808 2640 Mdpjlajk.exe 30 PID 2640 wrote to memory of 2808 2640 Mdpjlajk.exe 30 PID 2808 wrote to memory of 2468 2808 Mimbdhhb.exe 31 PID 2808 wrote to memory of 2468 2808 Mimbdhhb.exe 31 PID 2808 wrote to memory of 2468 2808 Mimbdhhb.exe 31 PID 2808 wrote to memory of 2468 2808 Mimbdhhb.exe 31 PID 2468 wrote to memory of 2600 2468 Mlkopcge.exe 32 PID 2468 wrote to memory of 2600 2468 Mlkopcge.exe 32 PID 2468 wrote to memory of 2600 2468 Mlkopcge.exe 32 PID 2468 wrote to memory of 2600 2468 Mlkopcge.exe 32 PID 2600 wrote to memory of 2504 2600 Mcegmm32.exe 33 PID 2600 wrote to memory of 2504 2600 Mcegmm32.exe 33 PID 2600 wrote to memory of 2504 2600 Mcegmm32.exe 33 PID 2600 wrote to memory of 2504 2600 Mcegmm32.exe 33 PID 2504 wrote to memory of 1736 2504 Nolhan32.exe 34 PID 2504 wrote to memory of 1736 2504 Nolhan32.exe 34 PID 2504 wrote to memory of 1736 2504 Nolhan32.exe 34 PID 2504 wrote to memory of 1736 2504 Nolhan32.exe 34 PID 1736 wrote to memory of 2744 1736 Nialog32.exe 35 PID 1736 wrote to memory of 2744 1736 Nialog32.exe 35 PID 1736 wrote to memory of 2744 1736 Nialog32.exe 35 PID 1736 wrote to memory of 2744 1736 Nialog32.exe 35 PID 2744 wrote to memory of 864 2744 Nkbhgojk.exe 36 PID 2744 wrote to memory of 864 2744 Nkbhgojk.exe 36 PID 2744 wrote to memory of 864 2744 Nkbhgojk.exe 36 PID 2744 wrote to memory of 864 2744 Nkbhgojk.exe 36 PID 864 wrote to memory of 1748 864 Ndkmpe32.exe 37 PID 864 wrote to memory of 1748 864 Ndkmpe32.exe 37 PID 864 wrote to memory of 1748 864 Ndkmpe32.exe 37 PID 864 wrote to memory of 1748 864 Ndkmpe32.exe 37 PID 1748 wrote to memory of 1648 1748 Nkeelohh.exe 38 PID 1748 wrote to memory of 1648 1748 Nkeelohh.exe 38 PID 1748 wrote to memory of 1648 1748 Nkeelohh.exe 38 PID 1748 wrote to memory of 1648 1748 Nkeelohh.exe 38 PID 1648 wrote to memory of 588 1648 Nejiih32.exe 39 PID 1648 wrote to memory of 588 1648 Nejiih32.exe 39 PID 1648 wrote to memory of 588 1648 Nejiih32.exe 39 PID 1648 wrote to memory of 588 1648 Nejiih32.exe 39 PID 588 wrote to memory of 440 588 Naajoinb.exe 40 PID 588 wrote to memory of 440 588 Naajoinb.exe 40 PID 588 wrote to memory of 440 588 Naajoinb.exe 40 PID 588 wrote to memory of 440 588 Naajoinb.exe 40 PID 440 wrote to memory of 1904 440 Nkiogn32.exe 41 PID 440 wrote to memory of 1904 440 Nkiogn32.exe 41 PID 440 wrote to memory of 1904 440 Nkiogn32.exe 41 PID 440 wrote to memory of 1904 440 Nkiogn32.exe 41 PID 1904 wrote to memory of 1652 1904 Npfgpe32.exe 42 PID 1904 wrote to memory of 1652 1904 Npfgpe32.exe 42 PID 1904 wrote to memory of 1652 1904 Npfgpe32.exe 42 PID 1904 wrote to memory of 1652 1904 Npfgpe32.exe 42 PID 1652 wrote to memory of 2280 1652 Oklkmnbp.exe 43 PID 1652 wrote to memory of 2280 1652 Oklkmnbp.exe 43 PID 1652 wrote to memory of 2280 1652 Oklkmnbp.exe 43 PID 1652 wrote to memory of 2280 1652 Oklkmnbp.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\8182dfd9f4baf145f38a7b35b2ffee168c85d265ab6c3367871575adee4a2f72.exe"C:\Users\Admin\AppData\Local\Temp\8182dfd9f4baf145f38a7b35b2ffee168c85d265ab6c3367871575adee4a2f72.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Mdmmfa32.exeC:\Windows\system32\Mdmmfa32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Mdpjlajk.exeC:\Windows\system32\Mdpjlajk.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Mimbdhhb.exeC:\Windows\system32\Mimbdhhb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Mlkopcge.exeC:\Windows\system32\Mlkopcge.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Mcegmm32.exeC:\Windows\system32\Mcegmm32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Nolhan32.exeC:\Windows\system32\Nolhan32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Nialog32.exeC:\Windows\system32\Nialog32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Nkbhgojk.exeC:\Windows\system32\Nkbhgojk.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Ndkmpe32.exeC:\Windows\system32\Ndkmpe32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\Nkeelohh.exeC:\Windows\system32\Nkeelohh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Nejiih32.exeC:\Windows\system32\Nejiih32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Naajoinb.exeC:\Windows\system32\Naajoinb.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:588 -
C:\Windows\SysWOW64\Nkiogn32.exeC:\Windows\system32\Nkiogn32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Windows\SysWOW64\Npfgpe32.exeC:\Windows\system32\Npfgpe32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Oklkmnbp.exeC:\Windows\system32\Oklkmnbp.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Oddpfc32.exeC:\Windows\system32\Oddpfc32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\Onmdoioa.exeC:\Windows\system32\Onmdoioa.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1380 -
C:\Windows\SysWOW64\Ombapedi.exeC:\Windows\system32\Ombapedi.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Ofjfhk32.exeC:\Windows\system32\Ofjfhk32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Omdneebf.exeC:\Windows\system32\Omdneebf.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2300 -
C:\Windows\SysWOW64\Obafnlpn.exeC:\Windows\system32\Obafnlpn.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Omfkke32.exeC:\Windows\system32\Omfkke32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:908 -
C:\Windows\SysWOW64\Ooeggp32.exeC:\Windows\system32\Ooeggp32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1888 -
C:\Windows\SysWOW64\Pdaoog32.exeC:\Windows\system32\Pdaoog32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1376 -
C:\Windows\SysWOW64\Pgplkb32.exeC:\Windows\system32\Pgplkb32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2096 -
C:\Windows\SysWOW64\Pqhpdhcc.exeC:\Windows\system32\Pqhpdhcc.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2964 -
C:\Windows\SysWOW64\Pgbhabjp.exeC:\Windows\system32\Pgbhabjp.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Windows\SysWOW64\Pqkmjh32.exeC:\Windows\system32\Pqkmjh32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Windows\SysWOW64\Pgeefbhm.exeC:\Windows\system32\Pgeefbhm.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Pnomcl32.exeC:\Windows\system32\Pnomcl32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Peiepfgg.exeC:\Windows\system32\Peiepfgg.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Pfjbgnme.exeC:\Windows\system32\Pfjbgnme.exe33⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Pmdjdh32.exeC:\Windows\system32\Pmdjdh32.exe34⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Pcnbablo.exeC:\Windows\system32\Pcnbablo.exe35⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Pjhknm32.exeC:\Windows\system32\Pjhknm32.exe36⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Qpecfc32.exeC:\Windows\system32\Qpecfc32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Qjjgclai.exeC:\Windows\system32\Qjjgclai.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1696 -
C:\Windows\SysWOW64\Qbelgood.exeC:\Windows\system32\Qbelgood.exe39⤵
- Executes dropped EXE
PID:240 -
C:\Windows\SysWOW64\Aipddi32.exeC:\Windows\system32\Aipddi32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:268 -
C:\Windows\SysWOW64\Anlmmp32.exeC:\Windows\system32\Anlmmp32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Aefeijle.exeC:\Windows\system32\Aefeijle.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Alpmfdcb.exeC:\Windows\system32\Alpmfdcb.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Anojbobe.exeC:\Windows\system32\Anojbobe.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\Aamfnkai.exeC:\Windows\system32\Aamfnkai.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1352 -
C:\Windows\SysWOW64\Ahgnke32.exeC:\Windows\system32\Ahgnke32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Ajejgp32.exeC:\Windows\system32\Ajejgp32.exe47⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Aaobdjof.exeC:\Windows\system32\Aaobdjof.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Adnopfoj.exeC:\Windows\system32\Adnopfoj.exe49⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Alegac32.exeC:\Windows\system32\Alegac32.exe50⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Anccmo32.exeC:\Windows\system32\Anccmo32.exe51⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Aemkjiem.exeC:\Windows\system32\Aemkjiem.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\Ahlgfdeq.exeC:\Windows\system32\Ahlgfdeq.exe53⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Ajjcbpdd.exeC:\Windows\system32\Ajjcbpdd.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Aadloj32.exeC:\Windows\system32\Aadloj32.exe55⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Bdbhke32.exeC:\Windows\system32\Bdbhke32.exe56⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Bbhela32.exeC:\Windows\system32\Bbhela32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Bkommo32.exeC:\Windows\system32\Bkommo32.exe58⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Bpleef32.exeC:\Windows\system32\Bpleef32.exe59⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Bbjbaa32.exeC:\Windows\system32\Bbjbaa32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Behnnm32.exeC:\Windows\system32\Behnnm32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Blbfjg32.exeC:\Windows\system32\Blbfjg32.exe62⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Bblogakg.exeC:\Windows\system32\Bblogakg.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:768 -
C:\Windows\SysWOW64\Bghjhp32.exeC:\Windows\system32\Bghjhp32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Bifgdk32.exeC:\Windows\system32\Bifgdk32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1344 -
C:\Windows\SysWOW64\Bldcpf32.exeC:\Windows\system32\Bldcpf32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Bocolb32.exeC:\Windows\system32\Bocolb32.exe67⤵PID:2056
-
C:\Windows\SysWOW64\Biicik32.exeC:\Windows\system32\Biicik32.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:2528 -
C:\Windows\SysWOW64\Ckjpacfp.exeC:\Windows\system32\Ckjpacfp.exe69⤵
- Drops file in System32 directory
PID:1152 -
C:\Windows\SysWOW64\Chnqkg32.exeC:\Windows\system32\Chnqkg32.exe70⤵PID:776
-
C:\Windows\SysWOW64\Cohigamf.exeC:\Windows\system32\Cohigamf.exe71⤵
- Drops file in System32 directory
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Ceaadk32.exeC:\Windows\system32\Ceaadk32.exe72⤵PID:2120
-
C:\Windows\SysWOW64\Ckoilb32.exeC:\Windows\system32\Ckoilb32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1524 -
C:\Windows\SysWOW64\Cpkbdiqb.exeC:\Windows\system32\Cpkbdiqb.exe74⤵
- Drops file in System32 directory
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Cdgneh32.exeC:\Windows\system32\Cdgneh32.exe75⤵PID:1616
-
C:\Windows\SysWOW64\Cjdfmo32.exeC:\Windows\system32\Cjdfmo32.exe76⤵
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Caknol32.exeC:\Windows\system32\Caknol32.exe77⤵PID:2944
-
C:\Windows\SysWOW64\Cghggc32.exeC:\Windows\system32\Cghggc32.exe78⤵
- Drops file in System32 directory
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Cjfccn32.exeC:\Windows\system32\Cjfccn32.exe79⤵PID:2900
-
C:\Windows\SysWOW64\Cnaocmmi.exeC:\Windows\system32\Cnaocmmi.exe80⤵PID:800
-
C:\Windows\SysWOW64\Cppkph32.exeC:\Windows\system32\Cppkph32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1248 -
C:\Windows\SysWOW64\Dgjclbdi.exeC:\Windows\system32\Dgjclbdi.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1864 -
C:\Windows\SysWOW64\Dbkknojp.exeC:\Windows\system32\Dbkknojp.exe83⤵PID:596
-
C:\Windows\SysWOW64\Dookgcij.exeC:\Windows\system32\Dookgcij.exe84⤵PID:2788
-
C:\Windows\SysWOW64\Eqbddk32.exeC:\Windows\system32\Eqbddk32.exe85⤵PID:568
-
C:\Windows\SysWOW64\Ecqqpgli.exeC:\Windows\system32\Ecqqpgli.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1516 -
C:\Windows\SysWOW64\Enfenplo.exeC:\Windows\system32\Enfenplo.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Egoife32.exeC:\Windows\system32\Egoife32.exe88⤵PID:2288
-
C:\Windows\SysWOW64\Eqgnokip.exeC:\Windows\system32\Eqgnokip.exe89⤵
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Eqijej32.exeC:\Windows\system32\Eqijej32.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:1956 -
C:\Windows\SysWOW64\Ebjglbml.exeC:\Windows\system32\Ebjglbml.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1948 -
C:\Windows\SysWOW64\Effcma32.exeC:\Windows\system32\Effcma32.exe92⤵
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Fidoim32.exeC:\Windows\system32\Fidoim32.exe93⤵PID:580
-
C:\Windows\SysWOW64\Fmpkjkma.exeC:\Windows\system32\Fmpkjkma.exe94⤵
- Drops file in System32 directory
PID:2856 -
C:\Windows\SysWOW64\Fpngfgle.exeC:\Windows\system32\Fpngfgle.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Fcjcfe32.exeC:\Windows\system32\Fcjcfe32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3060 -
C:\Windows\SysWOW64\Ffhpbacb.exeC:\Windows\system32\Ffhpbacb.exe97⤵PID:1044
-
C:\Windows\SysWOW64\Fmbhok32.exeC:\Windows\system32\Fmbhok32.exe98⤵PID:2440
-
C:\Windows\SysWOW64\Fncdgcqm.exeC:\Windows\system32\Fncdgcqm.exe99⤵PID:2644
-
C:\Windows\SysWOW64\Fenmdm32.exeC:\Windows\system32\Fenmdm32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2128 -
C:\Windows\SysWOW64\Fiihdlpc.exeC:\Windows\system32\Fiihdlpc.exe101⤵PID:2940
-
C:\Windows\SysWOW64\Fbamma32.exeC:\Windows\system32\Fbamma32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2772 -
C:\Windows\SysWOW64\Fikejl32.exeC:\Windows\system32\Fikejl32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1688 -
C:\Windows\SysWOW64\Fljafg32.exeC:\Windows\system32\Fljafg32.exe104⤵PID:1908
-
C:\Windows\SysWOW64\Fnhnbb32.exeC:\Windows\system32\Fnhnbb32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:692 -
C:\Windows\SysWOW64\Fagjnn32.exeC:\Windows\system32\Fagjnn32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1068 -
C:\Windows\SysWOW64\Febfomdd.exeC:\Windows\system32\Febfomdd.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1008 -
C:\Windows\SysWOW64\Fhqbkhch.exeC:\Windows\system32\Fhqbkhch.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:860 -
C:\Windows\SysWOW64\Fllnlg32.exeC:\Windows\system32\Fllnlg32.exe109⤵
- Drops file in System32 directory
PID:1064 -
C:\Windows\SysWOW64\Fnkjhb32.exeC:\Windows\system32\Fnkjhb32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2188 -
C:\Windows\SysWOW64\Fmmkcoap.exeC:\Windows\system32\Fmmkcoap.exe111⤵
- Drops file in System32 directory
PID:1108 -
C:\Windows\SysWOW64\Gedbdlbb.exeC:\Windows\system32\Gedbdlbb.exe112⤵PID:2812
-
C:\Windows\SysWOW64\Ghcoqh32.exeC:\Windows\system32\Ghcoqh32.exe113⤵PID:2024
-
C:\Windows\SysWOW64\Gnmgmbhb.exeC:\Windows\system32\Gnmgmbhb.exe114⤵PID:2952
-
C:\Windows\SysWOW64\Gpncej32.exeC:\Windows\system32\Gpncej32.exe115⤵
- Drops file in System32 directory
PID:1296 -
C:\Windows\SysWOW64\Gfhladfn.exeC:\Windows\system32\Gfhladfn.exe116⤵PID:2760
-
C:\Windows\SysWOW64\Gifhnpea.exeC:\Windows\system32\Gifhnpea.exe117⤵PID:2464
-
C:\Windows\SysWOW64\Gmbdnn32.exeC:\Windows\system32\Gmbdnn32.exe118⤵
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Gpqpjj32.exeC:\Windows\system32\Gpqpjj32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Gfjhgdck.exeC:\Windows\system32\Gfjhgdck.exe120⤵
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Giieco32.exeC:\Windows\system32\Giieco32.exe121⤵PID:2324
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-