Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
14/03/2024, 23:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bcbf49c88842630a7679e9f84f7daec54c4385f239adf0fe8facd723676b142d.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
bcbf49c88842630a7679e9f84f7daec54c4385f239adf0fe8facd723676b142d.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
bcbf49c88842630a7679e9f84f7daec54c4385f239adf0fe8facd723676b142d.exe
-
Size
227KB
-
MD5
126e618bbe9106644c068b8b10b72410
-
SHA1
13f4b302c5347df3b1f6622ad9c09ddc2bc627dd
-
SHA256
bcbf49c88842630a7679e9f84f7daec54c4385f239adf0fe8facd723676b142d
-
SHA512
0eb9098e49b885298801c041e8eb743c081ec64655b0117d2ec64cf2b742a4ddbe41090efa739eeea2723fd1755a28e11f733574efbb5ff814e3b50fdbe02208
-
SSDEEP
3072:/B42rUzYTfgyn5w3I1Dey5pwoTRBmDRGGurhUXvBj2QE2HegPelTeIdI7jFHu:p42r+C8Sqrm7U5j2QE2+g24Id2jFHu
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flmefm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmjaic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieqeidnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nofabc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dkhcmgnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ealnephf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gogangdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ldenbcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pfiidobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfinoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejbfhfaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hggomh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdlblj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdoclk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggpimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gmjaic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aenbdoii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fdoclk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohqbqhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pipopl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ppjglfon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfiidobe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njdpomfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pbiciana.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hejoiedd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjjddchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ndjdlffl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppamme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpfcgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bingpmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajbdna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mdcnlglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ppoqge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Adjigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cobbhfhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Midcpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Npnhlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pccfge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hodpgjha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmkfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mnkbdlbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbehoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbdqmghm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Piblek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pelipl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbpjiphi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fjgoce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkmjin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncancbha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pminkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfbccp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbdqmghm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbkgnfbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlakpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nleiqhcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Plahag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bokphdld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bdhhqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejbfhfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hnojdcfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pipopl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahchbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doobajme.exe -
Executes dropped EXE 64 IoCs
pid Process 904 Lpgele32.exe 2256 Lkmjin32.exe 2616 Lmkfei32.exe 2708 Ldenbcge.exe 2484 Lchnnp32.exe 2492 Mcjkcplm.exe 2924 Midcpj32.exe 2448 Mpolmdkg.exe 2648 Mcmhiojk.exe 1948 Mekdekin.exe 404 Mcodno32.exe 920 Mhlmgf32.exe 1656 Mofecpnl.exe 2104 Mdcnlglc.exe 1924 Mkmfhacp.exe 268 Mnkbdlbd.exe 1504 Mdejaf32.exe 868 Mkobnqan.exe 2052 Ndgggf32.exe 1548 Ngfcca32.exe 1572 Njdpomfe.exe 2864 Npnhlg32.exe 276 Ndjdlffl.exe 2324 Nleiqhcg.exe 1364 Ncoamb32.exe 2192 Nhlifi32.exe 2660 Nofabc32.exe 3044 Ncancbha.exe 2684 Nfpjomgd.exe 2476 Nhnfkigh.exe 2468 Nkmbgdfl.exe 2368 Nohnhc32.exe 1760 Nbfjdn32.exe 2044 Ohqbqhde.exe 2172 Omloag32.exe 1984 Okoomd32.exe 1980 Onmkio32.exe 2140 Odgcfijj.exe 2228 Oicpfh32.exe 2092 Ogfpbeim.exe 292 Oomhcbjp.exe 1864 Onphoo32.exe 2432 Oqndkj32.exe 2440 Oiellh32.exe 2988 Okchhc32.exe 2788 Onbddoog.exe 1632 Oqqapjnk.exe 2160 Oelmai32.exe 2876 Ogjimd32.exe 1992 Okfencna.exe 2652 Ondajnme.exe 2672 Omgaek32.exe 2576 Oenifh32.exe 2592 Ogmfbd32.exe 2752 Ofpfnqjp.exe 308 Ongnonkb.exe 2772 Pminkk32.exe 1288 Pphjgfqq.exe 2884 Pccfge32.exe 1640 Pfbccp32.exe 2444 Pipopl32.exe 312 Paggai32.exe 560 Ppjglfon.exe 848 Pbiciana.exe -
Loads dropped DLL 64 IoCs
pid Process 2412 bcbf49c88842630a7679e9f84f7daec54c4385f239adf0fe8facd723676b142d.exe 2412 bcbf49c88842630a7679e9f84f7daec54c4385f239adf0fe8facd723676b142d.exe 904 Lpgele32.exe 904 Lpgele32.exe 2256 Lkmjin32.exe 2256 Lkmjin32.exe 2616 Lmkfei32.exe 2616 Lmkfei32.exe 2708 Ldenbcge.exe 2708 Ldenbcge.exe 2484 Lchnnp32.exe 2484 Lchnnp32.exe 2492 Mcjkcplm.exe 2492 Mcjkcplm.exe 2924 Midcpj32.exe 2924 Midcpj32.exe 2448 Mpolmdkg.exe 2448 Mpolmdkg.exe 2648 Mcmhiojk.exe 2648 Mcmhiojk.exe 1948 Mekdekin.exe 1948 Mekdekin.exe 404 Mcodno32.exe 404 Mcodno32.exe 920 Mhlmgf32.exe 920 Mhlmgf32.exe 1656 Mofecpnl.exe 1656 Mofecpnl.exe 2104 Mdcnlglc.exe 2104 Mdcnlglc.exe 1924 Mkmfhacp.exe 1924 Mkmfhacp.exe 268 Mnkbdlbd.exe 268 Mnkbdlbd.exe 1504 Mdejaf32.exe 1504 Mdejaf32.exe 868 Mkobnqan.exe 868 Mkobnqan.exe 2052 Ndgggf32.exe 2052 Ndgggf32.exe 1548 Ngfcca32.exe 1548 Ngfcca32.exe 1572 Njdpomfe.exe 1572 Njdpomfe.exe 2864 Npnhlg32.exe 2864 Npnhlg32.exe 276 Ndjdlffl.exe 276 Ndjdlffl.exe 2324 Nleiqhcg.exe 2324 Nleiqhcg.exe 1364 Ncoamb32.exe 1364 Ncoamb32.exe 2192 Nhlifi32.exe 2192 Nhlifi32.exe 2660 Nofabc32.exe 2660 Nofabc32.exe 3044 Ncancbha.exe 3044 Ncancbha.exe 2684 Nfpjomgd.exe 2684 Nfpjomgd.exe 2476 Nhnfkigh.exe 2476 Nhnfkigh.exe 2468 Nkmbgdfl.exe 2468 Nkmbgdfl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dbehoa32.exe Djnpnc32.exe File created C:\Windows\SysWOW64\Epdkli32.exe Eflgccbp.exe File opened for modification C:\Windows\SysWOW64\Mcjkcplm.exe Lchnnp32.exe File created C:\Windows\SysWOW64\Mkobnqan.exe Mdejaf32.exe File created C:\Windows\SysWOW64\Difoda32.dll Npnhlg32.exe File opened for modification C:\Windows\SysWOW64\Qnigda32.exe Qeqbkkej.exe File created C:\Windows\SysWOW64\Bdjefj32.exe Balijo32.exe File created C:\Windows\SysWOW64\Mdejaf32.exe Mnkbdlbd.exe File created C:\Windows\SysWOW64\Hokefmej.dll Ajbdna32.exe File created C:\Windows\SysWOW64\Bnpmlfkm.dll Eiomkn32.exe File created C:\Windows\SysWOW64\Gpekfank.dll Gmjaic32.exe File created C:\Windows\SysWOW64\Pabfdklg.dll Ghhofmql.exe File opened for modification C:\Windows\SysWOW64\Ghoegl32.exe Gmjaic32.exe File opened for modification C:\Windows\SysWOW64\Idceea32.exe Ieqeidnl.exe File created C:\Windows\SysWOW64\Bnebmi32.dll Nhlifi32.exe File created C:\Windows\SysWOW64\Fhdclk32.dll Ohqbqhde.exe File opened for modification C:\Windows\SysWOW64\Aajpelhl.exe Amndem32.exe File created C:\Windows\SysWOW64\Bingpmnl.exe Bagpopmj.exe File created C:\Windows\SysWOW64\Gpknlk32.exe Ffbicfoc.exe File created C:\Windows\SysWOW64\Amammd32.dll Idceea32.exe File created C:\Windows\SysWOW64\Negbaime.dll Mpolmdkg.exe File created C:\Windows\SysWOW64\Glamna32.dll Onmkio32.exe File opened for modification C:\Windows\SysWOW64\Cobbhfhg.exe Clcflkic.exe File created C:\Windows\SysWOW64\Pinfim32.dll Ejbfhfaj.exe File created C:\Windows\SysWOW64\Ihoafpmp.exe Idceea32.exe File opened for modification C:\Windows\SysWOW64\Ihoafpmp.exe Idceea32.exe File created C:\Windows\SysWOW64\Pelipl32.exe Pfiidobe.exe File opened for modification C:\Windows\SysWOW64\Amndem32.exe Ahakmf32.exe File created C:\Windows\SysWOW64\Jkdalhhc.dll Bpfcgg32.exe File opened for modification C:\Windows\SysWOW64\Baildokg.exe Bokphdld.exe File opened for modification C:\Windows\SysWOW64\Cciemedf.exe Cpjiajeb.exe File opened for modification C:\Windows\SysWOW64\Ppoqge32.exe Plcdgfbo.exe File created C:\Windows\SysWOW64\Jngohf32.dll Ampqjm32.exe File created C:\Windows\SysWOW64\Ckblig32.dll Cfeddafl.exe File created C:\Windows\SysWOW64\Gmfmen32.dll Mhlmgf32.exe File created C:\Windows\SysWOW64\Mkmfhacp.exe Mdcnlglc.exe File created C:\Windows\SysWOW64\Njdpomfe.exe Ngfcca32.exe File created C:\Windows\SysWOW64\Nhlifi32.exe Ncoamb32.exe File created C:\Windows\SysWOW64\Ncancbha.exe Nofabc32.exe File created C:\Windows\SysWOW64\Faagpp32.exe Fnbkddem.exe File opened for modification C:\Windows\SysWOW64\Pphjgfqq.exe Pminkk32.exe File created C:\Windows\SysWOW64\Fmnhkk32.dll Pipopl32.exe File created C:\Windows\SysWOW64\Oomkin32.dll Ppjglfon.exe File created C:\Windows\SysWOW64\Ahchbf32.exe Aajpelhl.exe File created C:\Windows\SysWOW64\Ghoegl32.exe Gmjaic32.exe File created C:\Windows\SysWOW64\Coklgg32.exe Cllpkl32.exe File created C:\Windows\SysWOW64\Eeempocb.exe Eajaoq32.exe File created C:\Windows\SysWOW64\Hgpdcgoc.dll Hlakpp32.exe File opened for modification C:\Windows\SysWOW64\Mekdekin.exe Mcmhiojk.exe File opened for modification C:\Windows\SysWOW64\Pbpjiphi.exe Ppamme32.exe File opened for modification C:\Windows\SysWOW64\Ailkjmpo.exe Abbbnchb.exe File created C:\Windows\SysWOW64\Bdhhqk32.exe Baildokg.exe File created C:\Windows\SysWOW64\Ihomanac.dll Balijo32.exe File created C:\Windows\SysWOW64\Fcmgfkeg.exe Fejgko32.exe File opened for modification C:\Windows\SysWOW64\Gangic32.exe Gbkgnfbd.exe File opened for modification C:\Windows\SysWOW64\Ldenbcge.exe Lmkfei32.exe File created C:\Windows\SysWOW64\Gooqhm32.dll Okoomd32.exe File opened for modification C:\Windows\SysWOW64\Pccfge32.exe Pphjgfqq.exe File created C:\Windows\SysWOW64\Ebbjqa32.dll Penfelgm.exe File opened for modification C:\Windows\SysWOW64\Bommnc32.exe Bloqah32.exe File created C:\Windows\SysWOW64\Gangic32.exe Gbkgnfbd.exe File opened for modification C:\Windows\SysWOW64\Mhlmgf32.exe Mcodno32.exe File opened for modification C:\Windows\SysWOW64\Mofecpnl.exe Mhlmgf32.exe File opened for modification C:\Windows\SysWOW64\Oomhcbjp.exe Ogfpbeim.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3680 3636 WerFault.exe 249 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ngfcca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll" Hpapln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qnigda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aajpelhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gclcefmh.dll" Cpeofk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Djnpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hjjddchg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Idceea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oqqapjnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Flabbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emfbll32.dll" bcbf49c88842630a7679e9f84f7daec54c4385f239adf0fe8facd723676b142d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mkmfhacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomkin32.dll" Ppjglfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgoiebg.dll" Ppoqge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoipdkgg.dll" Bdlblj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fmhheqje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hhjhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lkmjin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nhlifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnnajckm.dll" Ongnonkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jngohf32.dll" Ampqjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fbdqmghm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Glaoalkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mekdekin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aenbdoii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cgmkmecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljpghahi.dll" Dhjgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabfdklg.dll" Ghhofmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pphjgfqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbfpbmji.dll" Amejeljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cfinoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgcampld.dll" Epdkli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dialipcb.dll" Piblek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbolpc32.dll" Dkhcmgnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pfiidobe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bdhhqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbcpgjj.dll" Coklgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dkhcmgnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ealnephf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpokk32.dll" Pnbacbac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Clomqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffihah32.dll" Clcflkic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjchc32.dll" Fbgmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mkmfhacp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pmnhfjmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bdjefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmgmhmc.dll" Fmjejphb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ddcdkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Flmefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Plahag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ahakmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Abbbnchb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bghabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgeceh32.dll" Claifkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ddagfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqpofkjo.dll" Ihoafpmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gpknlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gbnccfpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oiellh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oiellh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njdfjjia.dll" Oelmai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fcmgfkeg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2412 wrote to memory of 904 2412 bcbf49c88842630a7679e9f84f7daec54c4385f239adf0fe8facd723676b142d.exe 28 PID 2412 wrote to memory of 904 2412 bcbf49c88842630a7679e9f84f7daec54c4385f239adf0fe8facd723676b142d.exe 28 PID 2412 wrote to memory of 904 2412 bcbf49c88842630a7679e9f84f7daec54c4385f239adf0fe8facd723676b142d.exe 28 PID 2412 wrote to memory of 904 2412 bcbf49c88842630a7679e9f84f7daec54c4385f239adf0fe8facd723676b142d.exe 28 PID 904 wrote to memory of 2256 904 Lpgele32.exe 29 PID 904 wrote to memory of 2256 904 Lpgele32.exe 29 PID 904 wrote to memory of 2256 904 Lpgele32.exe 29 PID 904 wrote to memory of 2256 904 Lpgele32.exe 29 PID 2256 wrote to memory of 2616 2256 Lkmjin32.exe 30 PID 2256 wrote to memory of 2616 2256 Lkmjin32.exe 30 PID 2256 wrote to memory of 2616 2256 Lkmjin32.exe 30 PID 2256 wrote to memory of 2616 2256 Lkmjin32.exe 30 PID 2616 wrote to memory of 2708 2616 Lmkfei32.exe 31 PID 2616 wrote to memory of 2708 2616 Lmkfei32.exe 31 PID 2616 wrote to memory of 2708 2616 Lmkfei32.exe 31 PID 2616 wrote to memory of 2708 2616 Lmkfei32.exe 31 PID 2708 wrote to memory of 2484 2708 Ldenbcge.exe 32 PID 2708 wrote to memory of 2484 2708 Ldenbcge.exe 32 PID 2708 wrote to memory of 2484 2708 Ldenbcge.exe 32 PID 2708 wrote to memory of 2484 2708 Ldenbcge.exe 32 PID 2484 wrote to memory of 2492 2484 Lchnnp32.exe 33 PID 2484 wrote to memory of 2492 2484 Lchnnp32.exe 33 PID 2484 wrote to memory of 2492 2484 Lchnnp32.exe 33 PID 2484 wrote to memory of 2492 2484 Lchnnp32.exe 33 PID 2492 wrote to memory of 2924 2492 Mcjkcplm.exe 34 PID 2492 wrote to memory of 2924 2492 Mcjkcplm.exe 34 PID 2492 wrote to memory of 2924 2492 Mcjkcplm.exe 34 PID 2492 wrote to memory of 2924 2492 Mcjkcplm.exe 34 PID 2924 wrote to memory of 2448 2924 Midcpj32.exe 35 PID 2924 wrote to memory of 2448 2924 Midcpj32.exe 35 PID 2924 wrote to memory of 2448 2924 Midcpj32.exe 35 PID 2924 wrote to memory of 2448 2924 Midcpj32.exe 35 PID 2448 wrote to memory of 2648 2448 Mpolmdkg.exe 36 PID 2448 wrote to memory of 2648 2448 Mpolmdkg.exe 36 PID 2448 wrote to memory of 2648 2448 Mpolmdkg.exe 36 PID 2448 wrote to memory of 2648 2448 Mpolmdkg.exe 36 PID 2648 wrote to memory of 1948 2648 Mcmhiojk.exe 37 PID 2648 wrote to memory of 1948 2648 Mcmhiojk.exe 37 PID 2648 wrote to memory of 1948 2648 Mcmhiojk.exe 37 PID 2648 wrote to memory of 1948 2648 Mcmhiojk.exe 37 PID 1948 wrote to memory of 404 1948 Mekdekin.exe 38 PID 1948 wrote to memory of 404 1948 Mekdekin.exe 38 PID 1948 wrote to memory of 404 1948 Mekdekin.exe 38 PID 1948 wrote to memory of 404 1948 Mekdekin.exe 38 PID 404 wrote to memory of 920 404 Mcodno32.exe 39 PID 404 wrote to memory of 920 404 Mcodno32.exe 39 PID 404 wrote to memory of 920 404 Mcodno32.exe 39 PID 404 wrote to memory of 920 404 Mcodno32.exe 39 PID 920 wrote to memory of 1656 920 Mhlmgf32.exe 40 PID 920 wrote to memory of 1656 920 Mhlmgf32.exe 40 PID 920 wrote to memory of 1656 920 Mhlmgf32.exe 40 PID 920 wrote to memory of 1656 920 Mhlmgf32.exe 40 PID 1656 wrote to memory of 2104 1656 Mofecpnl.exe 41 PID 1656 wrote to memory of 2104 1656 Mofecpnl.exe 41 PID 1656 wrote to memory of 2104 1656 Mofecpnl.exe 41 PID 1656 wrote to memory of 2104 1656 Mofecpnl.exe 41 PID 2104 wrote to memory of 1924 2104 Mdcnlglc.exe 42 PID 2104 wrote to memory of 1924 2104 Mdcnlglc.exe 42 PID 2104 wrote to memory of 1924 2104 Mdcnlglc.exe 42 PID 2104 wrote to memory of 1924 2104 Mdcnlglc.exe 42 PID 1924 wrote to memory of 268 1924 Mkmfhacp.exe 43 PID 1924 wrote to memory of 268 1924 Mkmfhacp.exe 43 PID 1924 wrote to memory of 268 1924 Mkmfhacp.exe 43 PID 1924 wrote to memory of 268 1924 Mkmfhacp.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\bcbf49c88842630a7679e9f84f7daec54c4385f239adf0fe8facd723676b142d.exe"C:\Users\Admin\AppData\Local\Temp\bcbf49c88842630a7679e9f84f7daec54c4385f239adf0fe8facd723676b142d.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:268 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1504 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:868 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2052 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:276 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1364 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3044 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2476 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2468 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe33⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe34⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe36⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe39⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe40⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe42⤵
- Executes dropped EXE
PID:292 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe43⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe44⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe46⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe47⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe50⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe51⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe52⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe53⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe54⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe55⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe56⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:308 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1288 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2444 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe63⤵
- Executes dropped EXE
PID:312 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:560 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:452 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe67⤵
- Modifies registry class
PID:604 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:832 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe69⤵PID:2336
-
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe70⤵PID:1688
-
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe71⤵PID:892
-
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe72⤵
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe74⤵
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:860 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2028 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe77⤵PID:1956
-
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1440 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe80⤵
- Drops file in System32 directory
PID:1564 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe81⤵PID:2852
-
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe82⤵PID:336
-
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe83⤵
- Drops file in System32 directory
PID:2224 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe84⤵
- Modifies registry class
PID:1496 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe85⤵PID:2152
-
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe86⤵
- Drops file in System32 directory
- Modifies registry class
PID:1568 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe87⤵
- Drops file in System32 directory
PID:692 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe88⤵
- Drops file in System32 directory
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1620 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe91⤵
- Drops file in System32 directory
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1248 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe93⤵PID:2532
-
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe94⤵PID:2796
-
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe95⤵PID:1680
-
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe97⤵
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe98⤵
- Drops file in System32 directory
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe99⤵PID:716
-
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe101⤵
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1936 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe103⤵PID:1128
-
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1264 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe105⤵
- Drops file in System32 directory
PID:1512 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe107⤵
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe108⤵PID:2756
-
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe109⤵
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe110⤵
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe111⤵
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe112⤵PID:1960
-
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:596 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe114⤵PID:1772
-
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe115⤵PID:1800
-
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe116⤵PID:2184
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe117⤵
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe118⤵
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe119⤵PID:624
-
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe120⤵
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe121⤵
- Modifies registry class
PID:2380
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-