Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
128s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
27/03/2024, 17:10
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
035a449610eb56af315c4b185f6fc81bd6059a403b061cbfeab5c2c67c45c8aa.exe
Resource
win7-20240215-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
035a449610eb56af315c4b185f6fc81bd6059a403b061cbfeab5c2c67c45c8aa.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
035a449610eb56af315c4b185f6fc81bd6059a403b061cbfeab5c2c67c45c8aa.exe
-
Size
377KB
-
MD5
0c73e4dc86863317f030ab1658c1ccbe
-
SHA1
64286f86993e171ec92deb3a6b7f05b95f28d82f
-
SHA256
035a449610eb56af315c4b185f6fc81bd6059a403b061cbfeab5c2c67c45c8aa
-
SHA512
b5a14e623562288debcdc12f2a0bdb10d140e5527baf94e98ab81ba2a29d22a9154c7709a20d2fdaa505f79b2d7002378bc63da734fb7a5a36d3dd2dea3f7402
-
SSDEEP
6144:2u56I4dCeNp5OBGSgnohijgAUv5fKx/SgnohignC5V:2Q4XO+dMTv5i1dayV
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfpnph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaepqjpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cabfga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecjhcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdcbom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oflgep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olkhmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkkcge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbimoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chpada32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkdbpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olfobjbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ambgef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaepqjpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajneip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjmgfgdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baocghgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiaephpc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Menjdbgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdhmnlcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifgbnlmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odocigqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmqmma32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmpijp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdmnlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oneklm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Echknh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nphhmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dobfld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odbgim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkidenlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qecppkdm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfnjafap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdeqhl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hodgkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifefimom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfpgffpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acocaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bahmfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfnjafap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcnhmm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcbpab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bemlmgnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okjbpglo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aadifclh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhfajjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjpiha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhfonc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgagbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdjagjco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqdqof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bajjli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ickchq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgemphmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibcmom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dldpkoil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpijnqkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmbdbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnnanphk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adapgfqj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imdgqfbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjokdipf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Calhnpgn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acocaf32.exe -
UPX dump on OEP (original entry point) 64 IoCs
resource yara_rule behavioral2/files/0x000a0000000231e9-7.dat UPX behavioral2/files/0x0006000000023203-16.dat UPX behavioral2/memory/1996-14-0x0000000000400000-0x000000000048A000-memory.dmp UPX behavioral2/files/0x0006000000023205-24.dat UPX behavioral2/memory/368-25-0x0000000000400000-0x000000000048A000-memory.dmp UPX behavioral2/files/0x0006000000023207-32.dat UPX behavioral2/files/0x0006000000023209-40.dat UPX behavioral2/files/0x000600000002320b-48.dat UPX behavioral2/memory/2024-53-0x0000000000400000-0x000000000048A000-memory.dmp UPX behavioral2/files/0x000600000002320f-64.dat UPX behavioral2/files/0x000600000002320d-56.dat UPX behavioral2/memory/3460-65-0x0000000000400000-0x000000000048A000-memory.dmp UPX behavioral2/memory/1536-81-0x0000000000400000-0x000000000048A000-memory.dmp UPX behavioral2/files/0x0006000000023218-95.dat UPX behavioral2/files/0x0006000000023218-96.dat UPX behavioral2/files/0x0006000000023218-90.dat UPX behavioral2/files/0x0006000000023215-89.dat UPX behavioral2/memory/436-88-0x0000000000400000-0x000000000048A000-memory.dmp UPX behavioral2/files/0x0006000000023215-87.dat UPX behavioral2/files/0x0006000000023213-80.dat UPX behavioral2/files/0x000600000002321e-113.dat UPX behavioral2/files/0x000600000002321c-112.dat UPX behavioral2/files/0x000600000002321e-120.dat UPX behavioral2/memory/4764-139-0x0000000000400000-0x000000000048A000-memory.dmp UPX behavioral2/files/0x0006000000023224-143.dat UPX behavioral2/files/0x000200000001e6ae-174.dat UPX behavioral2/files/0x000600000002322a-188.dat UPX behavioral2/files/0x0006000000023230-209.dat UPX behavioral2/files/0x0006000000023237-239.dat UPX behavioral2/memory/2584-385-0x0000000000400000-0x000000000048A000-memory.dmp UPX behavioral2/memory/1904-420-0x0000000000400000-0x000000000048A000-memory.dmp UPX behavioral2/memory/1476-453-0x0000000000400000-0x000000000048A000-memory.dmp UPX behavioral2/memory/4400-509-0x0000000000400000-0x000000000048A000-memory.dmp UPX behavioral2/memory/5164-543-0x0000000000400000-0x000000000048A000-memory.dmp UPX behavioral2/memory/5324-572-0x0000000000400000-0x000000000048A000-memory.dmp UPX behavioral2/files/0x00060000000232c8-648.dat UPX behavioral2/files/0x00060000000232e2-720.dat UPX behavioral2/files/0x0006000000023314-863.dat UPX behavioral2/files/0x0006000000023306-822.dat UPX behavioral2/files/0x00060000000232f4-771.dat UPX behavioral2/files/0x000600000002331c-889.dat UPX behavioral2/files/0x00060000000232ee-754.dat UPX behavioral2/files/0x00060000000232e6-731.dat UPX behavioral2/files/0x00060000000232da-698.dat UPX behavioral2/files/0x00060000000232c0-626.dat UPX behavioral2/files/0x00060000000232bc-615.dat UPX behavioral2/memory/5284-561-0x0000000000400000-0x000000000048A000-memory.dmp UPX behavioral2/memory/5204-554-0x0000000000400000-0x000000000048A000-memory.dmp UPX behavioral2/files/0x00060000000232a6-549.dat UPX behavioral2/files/0x00060000000232a0-533.dat UPX behavioral2/files/0x000600000002329c-521.dat UPX behavioral2/memory/3668-520-0x0000000000400000-0x000000000048A000-memory.dmp UPX behavioral2/memory/3716-414-0x0000000000400000-0x000000000048A000-memory.dmp UPX behavioral2/memory/3444-406-0x0000000000400000-0x000000000048A000-memory.dmp UPX behavioral2/memory/644-401-0x0000000000400000-0x000000000048A000-memory.dmp UPX behavioral2/memory/448-392-0x0000000000400000-0x000000000048A000-memory.dmp UPX behavioral2/memory/3440-377-0x0000000000400000-0x000000000048A000-memory.dmp UPX behavioral2/memory/3608-371-0x0000000000400000-0x000000000048A000-memory.dmp UPX behavioral2/memory/2440-362-0x0000000000400000-0x000000000048A000-memory.dmp UPX behavioral2/files/0x0006000000023239-246.dat UPX behavioral2/files/0x0006000000023237-238.dat UPX behavioral2/files/0x00080000000231f8-232.dat UPX behavioral2/files/0x0006000000023234-224.dat UPX behavioral2/files/0x0006000000023232-216.dat UPX -
Executes dropped EXE 64 IoCs
pid Process 1996 Mjeddggd.exe 3764 Mamleegg.exe 368 Mdkhapfj.exe 4344 Mcnhmm32.exe 220 Mkepnjng.exe 2024 Mnfipekh.exe 2336 Maaepd32.exe 3460 Mdpalp32.exe 3924 Ndbnboqb.exe 3552 Nceonl32.exe 436 Nklfoi32.exe 1136 Nnjbke32.exe 3024 Ncihikcg.exe 3240 Ngedij32.exe 1920 Nkqpjidj.exe 5100 Nnolfdcn.exe 4764 Nbkhfc32.exe 4832 Ndidbn32.exe 4580 Nggqoj32.exe 4416 Njfmke32.exe 1164 Nnaikd32.exe 4632 Nbmelbid.exe 4680 Nqpego32.exe 2440 Ndkahnhh.exe 4624 Ogjmdigk.exe 1228 Okeieh32.exe 3608 Ojhiqefo.exe 3224 Ondeac32.exe 1488 Oboaabga.exe 3600 Ocqnij32.exe 3440 Ogljjiei.exe 4916 Ojjffddl.exe 3276 Onfbfc32.exe 2572 Obangb32.exe 2584 Oqdoboli.exe 3556 Odpjcm32.exe 1468 Occkojkm.exe 448 Ogogoi32.exe 400 Ogogoi32.exe 4444 Okjbpglo.exe 644 Ojmcld32.exe 3444 Onholckc.exe 3744 Obdkma32.exe 3716 Oqgkhnjf.exe 4968 Odbgim32.exe 1904 Ocegdjij.exe 4440 Ogaceh32.exe 1396 Okloegjl.exe 4256 Ojopad32.exe 4668 Onklabip.exe 2304 Obfhba32.exe 2708 Odednmpm.exe 3252 Ocgdji32.exe 1952 Ogcpjhoq.exe 1476 Okolkg32.exe 5044 Ojalgcnd.exe 2100 Obidhaog.exe 3020 Oqkdcn32.exe 4424 Pcjapi32.exe 1828 Pgemphmn.exe 1232 Pjdilcla.exe 4056 Pnpemb32.exe 2008 Pqnaim32.exe 992 Pghieg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Dhbgqohi.exe Dedkdcie.exe File opened for modification C:\Windows\SysWOW64\Eabbjc32.exe Eocenh32.exe File opened for modification C:\Windows\SysWOW64\Ogaceh32.exe Ocegdjij.exe File created C:\Windows\SysWOW64\Ncfdie32.exe Nphhmj32.exe File created C:\Windows\SysWOW64\Ajfhnjhq.exe Agglboim.exe File opened for modification C:\Windows\SysWOW64\Bffkij32.exe Bchomn32.exe File created C:\Windows\SysWOW64\Maaepd32.exe Mnfipekh.exe File created C:\Windows\SysWOW64\Colffknh.exe Ckpjfm32.exe File opened for modification C:\Windows\SysWOW64\Hmcojh32.exe Helfik32.exe File created C:\Windows\SysWOW64\Ipbdmaah.exe Imdgqfbd.exe File created C:\Windows\SysWOW64\Jefbfgig.exe Jbhfjljd.exe File opened for modification C:\Windows\SysWOW64\Ngdmod32.exe Ndfqbhia.exe File opened for modification C:\Windows\SysWOW64\Dhhnpjmh.exe Danecp32.exe File opened for modification C:\Windows\SysWOW64\Jlpkba32.exe Jianff32.exe File created C:\Windows\SysWOW64\Ejnjpohk.dll Klljnp32.exe File created C:\Windows\SysWOW64\Onjegled.exe Ofcmfodb.exe File opened for modification C:\Windows\SysWOW64\Aqncedbp.exe Ambgef32.exe File created C:\Windows\SysWOW64\Anbkio32.exe Ajfoiqll.exe File created C:\Windows\SysWOW64\Qegnoi32.dll Hfcicmqp.exe File created C:\Windows\SysWOW64\Ebinhj32.dll Mdehlk32.exe File created C:\Windows\SysWOW64\Fdjlic32.dll Ocnjidkf.exe File opened for modification C:\Windows\SysWOW64\Djdmffnn.exe Dhfajjoj.exe File created C:\Windows\SysWOW64\Bebboiqi.dll Mnfipekh.exe File created C:\Windows\SysWOW64\Oepgml32.dll Bdfibe32.exe File opened for modification C:\Windows\SysWOW64\Fhqcam32.exe Febgea32.exe File created C:\Windows\SysWOW64\Imhkcaln.dll Hkdbpe32.exe File created C:\Windows\SysWOW64\Mdmnlj32.exe Mmbfpp32.exe File created C:\Windows\SysWOW64\Gdeqhl32.exe Gcddpdpo.exe File created C:\Windows\SysWOW64\Jlbgha32.exe Jidklf32.exe File created C:\Windows\SysWOW64\Menjdbgj.exe Mcpnhfhf.exe File opened for modification C:\Windows\SysWOW64\Daqbip32.exe Dobfld32.exe File created C:\Windows\SysWOW64\Dkkcge32.exe Dfpgffpm.exe File opened for modification C:\Windows\SysWOW64\Ddjejl32.exe Calhnpgn.exe File created C:\Windows\SysWOW64\Dmcibama.exe Djdmffnn.exe File created C:\Windows\SysWOW64\Kjhonjco.dll Pnihcq32.exe File opened for modification C:\Windows\SysWOW64\Bahmfj32.exe Abemjmgg.exe File created C:\Windows\SysWOW64\Hjqaij32.dll Dllfkn32.exe File created C:\Windows\SysWOW64\Hkkhqd32.exe Himldi32.exe File opened for modification C:\Windows\SysWOW64\Ndfqbhia.exe Nloiakho.exe File created C:\Windows\SysWOW64\Ickfifmb.dll Agglboim.exe File created C:\Windows\SysWOW64\Kjmidh32.dll Oqdoboli.exe File created C:\Windows\SysWOW64\Bnnjen32.exe Bjbndobo.exe File created C:\Windows\SysWOW64\Bkblkg32.dll Ibqpimpl.exe File created C:\Windows\SysWOW64\Jianff32.exe Jefbfgig.exe File opened for modification C:\Windows\SysWOW64\Pfaigm32.exe Pcbmka32.exe File opened for modification C:\Windows\SysWOW64\Cfpnph32.exe Chmndlge.exe File created C:\Windows\SysWOW64\Bjddphlq.exe Bgehcmmm.exe File created C:\Windows\SysWOW64\Adcmmeog.exe Aealah32.exe File created C:\Windows\SysWOW64\Chbnia32.exe Cecbmf32.exe File created C:\Windows\SysWOW64\Jfeopj32.exe Jcgbco32.exe File opened for modification C:\Windows\SysWOW64\Lmgfda32.exe Lepncd32.exe File created C:\Windows\SysWOW64\Nnqbanmo.exe Njefqo32.exe File created C:\Windows\SysWOW64\Pfaigm32.exe Pcbmka32.exe File created C:\Windows\SysWOW64\Jheiojpj.dll Nggqoj32.exe File created C:\Windows\SysWOW64\Onklabip.exe Ojopad32.exe File created C:\Windows\SysWOW64\Pcjapi32.exe Oqkdcn32.exe File created C:\Windows\SysWOW64\Ncfmpnfb.dll Bnlnon32.exe File created C:\Windows\SysWOW64\Kcfcjd32.dll Clkndpag.exe File created C:\Windows\SysWOW64\Jbaqqh32.dll Oneklm32.exe File created C:\Windows\SysWOW64\Ajneip32.exe Alkdnboj.exe File created C:\Windows\SysWOW64\Cliaoq32.exe Chmeobkq.exe File created C:\Windows\SysWOW64\Dldpkoil.exe Dhidjpqc.exe File opened for modification C:\Windows\SysWOW64\Fcckif32.exe Ehnglm32.exe File created C:\Windows\SysWOW64\Gfpcgpae.exe Glhonj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11308 10376 WerFault.exe 549 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlajgl32.dll" Colffknh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dccbbhld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfaigm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll" Bnmcjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhhnpjmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll" Ncihikcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaqgek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eabbjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcbifaej.dll" Ibcmom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lebkhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlampmdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdjagjco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaiapmca.dll" Njfmke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpamgn32.dll" Ojjffddl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klljnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lepncd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll" Aabmqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll" Mdpalp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnjbke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qgqeappe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnaikd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblabf.dll" Hkikkeeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cogmkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID 035a449610eb56af315c4b185f6fc81bd6059a403b061cbfeab5c2c67c45c8aa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beeflhdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajfoiqll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmlcbbcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pagdol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgempgqo.dll" Baaplhef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhemmlhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcebhoii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqpego32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocegdjij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Balfaiil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfnphn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odpjcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncfmpnfb.dll" Bnlnon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anbkio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaqgek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enoogcin.dll" Hodgkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnbmefbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjbpaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll" Dmcibama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njfmke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Peljol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll" Dodbbdbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njciko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booogccm.dll" Ocpgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll" Ajanck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdcoim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehnglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhondp32.dll" Ghopckpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pohkbc32.dll" Gcimkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Beihma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfnjafap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agffge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijmanlfp.dll" Ehnglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfifebhe.dll" Peljol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Febgea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilidbbgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nggjdc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofnckp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqdqof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll" Mjeddggd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1536 wrote to memory of 1996 1536 035a449610eb56af315c4b185f6fc81bd6059a403b061cbfeab5c2c67c45c8aa.exe 87 PID 1536 wrote to memory of 1996 1536 035a449610eb56af315c4b185f6fc81bd6059a403b061cbfeab5c2c67c45c8aa.exe 87 PID 1536 wrote to memory of 1996 1536 035a449610eb56af315c4b185f6fc81bd6059a403b061cbfeab5c2c67c45c8aa.exe 87 PID 1996 wrote to memory of 3764 1996 Mjeddggd.exe 88 PID 1996 wrote to memory of 3764 1996 Mjeddggd.exe 88 PID 1996 wrote to memory of 3764 1996 Mjeddggd.exe 88 PID 3764 wrote to memory of 368 3764 Mamleegg.exe 89 PID 3764 wrote to memory of 368 3764 Mamleegg.exe 89 PID 3764 wrote to memory of 368 3764 Mamleegg.exe 89 PID 368 wrote to memory of 4344 368 Mdkhapfj.exe 90 PID 368 wrote to memory of 4344 368 Mdkhapfj.exe 90 PID 368 wrote to memory of 4344 368 Mdkhapfj.exe 90 PID 4344 wrote to memory of 220 4344 Mcnhmm32.exe 91 PID 4344 wrote to memory of 220 4344 Mcnhmm32.exe 91 PID 4344 wrote to memory of 220 4344 Mcnhmm32.exe 91 PID 220 wrote to memory of 2024 220 Mkepnjng.exe 92 PID 220 wrote to memory of 2024 220 Mkepnjng.exe 92 PID 220 wrote to memory of 2024 220 Mkepnjng.exe 92 PID 2024 wrote to memory of 2336 2024 Mnfipekh.exe 93 PID 2024 wrote to memory of 2336 2024 Mnfipekh.exe 93 PID 2024 wrote to memory of 2336 2024 Mnfipekh.exe 93 PID 2336 wrote to memory of 3460 2336 Maaepd32.exe 94 PID 2336 wrote to memory of 3460 2336 Maaepd32.exe 94 PID 2336 wrote to memory of 3460 2336 Maaepd32.exe 94 PID 3460 wrote to memory of 3924 3460 Mdpalp32.exe 95 PID 3460 wrote to memory of 3924 3460 Mdpalp32.exe 95 PID 3460 wrote to memory of 3924 3460 Mdpalp32.exe 95 PID 3924 wrote to memory of 3552 3924 Ndbnboqb.exe 96 PID 3924 wrote to memory of 3552 3924 Ndbnboqb.exe 96 PID 3924 wrote to memory of 3552 3924 Ndbnboqb.exe 96 PID 3552 wrote to memory of 436 3552 Nceonl32.exe 97 PID 3552 wrote to memory of 436 3552 Nceonl32.exe 97 PID 3552 wrote to memory of 436 3552 Nceonl32.exe 97 PID 436 wrote to memory of 1136 436 Nklfoi32.exe 98 PID 436 wrote to memory of 1136 436 Nklfoi32.exe 98 PID 436 wrote to memory of 1136 436 Nklfoi32.exe 98 PID 1136 wrote to memory of 3024 1136 Nnjbke32.exe 99 PID 1136 wrote to memory of 3024 1136 Nnjbke32.exe 99 PID 1136 wrote to memory of 3024 1136 Nnjbke32.exe 99 PID 3024 wrote to memory of 3240 3024 Ncihikcg.exe 100 PID 3024 wrote to memory of 3240 3024 Ncihikcg.exe 100 PID 3024 wrote to memory of 3240 3024 Ncihikcg.exe 100 PID 3240 wrote to memory of 1920 3240 Ngedij32.exe 101 PID 3240 wrote to memory of 1920 3240 Ngedij32.exe 101 PID 3240 wrote to memory of 1920 3240 Ngedij32.exe 101 PID 1920 wrote to memory of 5100 1920 Nkqpjidj.exe 102 PID 1920 wrote to memory of 5100 1920 Nkqpjidj.exe 102 PID 1920 wrote to memory of 5100 1920 Nkqpjidj.exe 102 PID 5100 wrote to memory of 4764 5100 Nnolfdcn.exe 103 PID 5100 wrote to memory of 4764 5100 Nnolfdcn.exe 103 PID 5100 wrote to memory of 4764 5100 Nnolfdcn.exe 103 PID 4764 wrote to memory of 4832 4764 Nbkhfc32.exe 104 PID 4764 wrote to memory of 4832 4764 Nbkhfc32.exe 104 PID 4764 wrote to memory of 4832 4764 Nbkhfc32.exe 104 PID 4832 wrote to memory of 4580 4832 Ndidbn32.exe 105 PID 4832 wrote to memory of 4580 4832 Ndidbn32.exe 105 PID 4832 wrote to memory of 4580 4832 Ndidbn32.exe 105 PID 4580 wrote to memory of 4416 4580 Nggqoj32.exe 106 PID 4580 wrote to memory of 4416 4580 Nggqoj32.exe 106 PID 4580 wrote to memory of 4416 4580 Nggqoj32.exe 106 PID 4416 wrote to memory of 1164 4416 Njfmke32.exe 107 PID 4416 wrote to memory of 1164 4416 Njfmke32.exe 107 PID 4416 wrote to memory of 1164 4416 Njfmke32.exe 107 PID 1164 wrote to memory of 4632 1164 Nnaikd32.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\035a449610eb56af315c4b185f6fc81bd6059a403b061cbfeab5c2c67c45c8aa.exe"C:\Users\Admin\AppData\Local\Temp\035a449610eb56af315c4b185f6fc81bd6059a403b061cbfeab5c2c67c45c8aa.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Mjeddggd.exeC:\Windows\system32\Mjeddggd.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:368 -
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Windows\SysWOW64\Mkepnjng.exeC:\Windows\system32\Mkepnjng.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\SysWOW64\Mnfipekh.exeC:\Windows\system32\Mnfipekh.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Maaepd32.exeC:\Windows\system32\Maaepd32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Ncihikcg.exeC:\Windows\system32\Ncihikcg.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3240 -
C:\Windows\SysWOW64\Nkqpjidj.exeC:\Windows\system32\Nkqpjidj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Nnolfdcn.exeC:\Windows\system32\Nnolfdcn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\SysWOW64\Nbkhfc32.exeC:\Windows\system32\Nbkhfc32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Windows\SysWOW64\Ndidbn32.exeC:\Windows\system32\Ndidbn32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\SysWOW64\Nnaikd32.exeC:\Windows\system32\Nnaikd32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Nbmelbid.exeC:\Windows\system32\Nbmelbid.exe23⤵
- Executes dropped EXE
PID:4632 -
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:4680 -
C:\Windows\SysWOW64\Ndkahnhh.exeC:\Windows\system32\Ndkahnhh.exe25⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Ogjmdigk.exeC:\Windows\system32\Ogjmdigk.exe26⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe27⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Ojhiqefo.exeC:\Windows\system32\Ojhiqefo.exe28⤵
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe29⤵
- Executes dropped EXE
PID:3224 -
C:\Windows\SysWOW64\Oboaabga.exeC:\Windows\system32\Oboaabga.exe30⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Ocqnij32.exeC:\Windows\system32\Ocqnij32.exe31⤵
- Executes dropped EXE
PID:3600 -
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe32⤵
- Executes dropped EXE
PID:3440 -
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:4916 -
C:\Windows\SysWOW64\Onfbfc32.exeC:\Windows\system32\Onfbfc32.exe34⤵
- Executes dropped EXE
PID:3276 -
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe35⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Oqdoboli.exeC:\Windows\system32\Oqdoboli.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:3556 -
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe38⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Ogogoi32.exeC:\Windows\system32\Ogogoi32.exe39⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Ogogoi32.exeC:\Windows\system32\Ogogoi32.exe40⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe42⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Onholckc.exeC:\Windows\system32\Onholckc.exe43⤵
- Executes dropped EXE
PID:3444 -
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe44⤵
- Executes dropped EXE
PID:3744 -
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe45⤵
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\Odbgim32.exeC:\Windows\system32\Odbgim32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Ocegdjij.exeC:\Windows\system32\Ocegdjij.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1904 -
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe48⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Okloegjl.exeC:\Windows\system32\Okloegjl.exe49⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4256 -
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe51⤵
- Executes dropped EXE
PID:4668 -
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe52⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe53⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Ocgdji32.exeC:\Windows\system32\Ocgdji32.exe54⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe55⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe56⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe57⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Obidhaog.exeC:\Windows\system32\Obidhaog.exe58⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3020 -
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe60⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Pgemphmn.exeC:\Windows\system32\Pgemphmn.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe62⤵
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Pnpemb32.exeC:\Windows\system32\Pnpemb32.exe63⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe64⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe65⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe66⤵PID:1736
-
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe67⤵PID:3228
-
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe68⤵
- Modifies registry class
PID:4380 -
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe69⤵PID:2316
-
C:\Windows\SysWOW64\Pjhbgb32.exeC:\Windows\system32\Pjhbgb32.exe70⤵PID:5056
-
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe71⤵PID:3732
-
C:\Windows\SysWOW64\Pcccfh32.exeC:\Windows\system32\Pcccfh32.exe72⤵PID:2752
-
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe73⤵PID:4836
-
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe74⤵
- Drops file in System32 directory
PID:2188 -
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe75⤵
- Modifies registry class
PID:1764 -
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4592 -
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4064 -
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe78⤵PID:1612
-
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:392 -
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4400 -
C:\Windows\SysWOW64\Qalnjkgo.exeC:\Windows\system32\Qalnjkgo.exe81⤵PID:956
-
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe82⤵PID:3668
-
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe83⤵
- Modifies registry class
PID:3988 -
C:\Windows\SysWOW64\Ajdbcano.exeC:\Windows\system32\Ajdbcano.exe84⤵PID:1748
-
C:\Windows\SysWOW64\Anpncp32.exeC:\Windows\system32\Anpncp32.exe85⤵PID:5128
-
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe86⤵PID:5164
-
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe87⤵PID:5204
-
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe88⤵PID:5240
-
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe89⤵PID:5284
-
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:5324 -
C:\Windows\SysWOW64\Anbkio32.exeC:\Windows\system32\Anbkio32.exe91⤵
- Modifies registry class
PID:5372 -
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe92⤵
- Modifies registry class
PID:5420 -
C:\Windows\SysWOW64\Acocaf32.exeC:\Windows\system32\Acocaf32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5460 -
C:\Windows\SysWOW64\Ahkobekf.exeC:\Windows\system32\Ahkobekf.exe94⤵PID:5496
-
C:\Windows\SysWOW64\Ajiknpjj.exeC:\Windows\system32\Ajiknpjj.exe95⤵PID:5540
-
C:\Windows\SysWOW64\Abpcon32.exeC:\Windows\system32\Abpcon32.exe96⤵PID:5576
-
C:\Windows\SysWOW64\Aeopki32.exeC:\Windows\system32\Aeopki32.exe97⤵PID:5616
-
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5656 -
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe99⤵PID:5700
-
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe100⤵PID:5736
-
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5776 -
C:\Windows\SysWOW64\Aealah32.exeC:\Windows\system32\Aealah32.exe102⤵
- Drops file in System32 directory
PID:5816 -
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe103⤵PID:5852
-
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe104⤵
- Drops file in System32 directory
PID:5892 -
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5928 -
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe106⤵
- Drops file in System32 directory
PID:5968 -
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6004 -
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe108⤵
- Drops file in System32 directory
PID:6040 -
C:\Windows\SysWOW64\Bhaebcen.exeC:\Windows\system32\Bhaebcen.exe109⤵PID:6076
-
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe110⤵PID:6124
-
C:\Windows\SysWOW64\Bjpaooda.exeC:\Windows\system32\Bjpaooda.exe111⤵PID:5152
-
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe112⤵
- Drops file in System32 directory
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Bajjli32.exeC:\Windows\system32\Bajjli32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5292 -
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe114⤵
- Modifies registry class
PID:5364 -
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe115⤵PID:5452
-
C:\Windows\SysWOW64\Blpnib32.exeC:\Windows\system32\Blpnib32.exe116⤵PID:5528
-
C:\Windows\SysWOW64\Bjbndobo.exeC:\Windows\system32\Bjbndobo.exe117⤵
- Drops file in System32 directory
PID:5564 -
C:\Windows\SysWOW64\Bnnjen32.exeC:\Windows\system32\Bnnjen32.exe118⤵PID:5624
-
C:\Windows\SysWOW64\Balfaiil.exeC:\Windows\system32\Balfaiil.exe119⤵
- Modifies registry class
PID:5688 -
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe120⤵PID:5728
-
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe121⤵PID:5800
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-