Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
07/04/2024, 00:01
Static task
static1
Behavioral task
behavioral1
Sample
a4dd6c5eb7c4bc5dcfd243b2e60b4b2e547a9ca31a9e56227ece6f07cfa346bb.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
a4dd6c5eb7c4bc5dcfd243b2e60b4b2e547a9ca31a9e56227ece6f07cfa346bb.exe
Resource
win10v2004-20240319-en
General
-
Target
a4dd6c5eb7c4bc5dcfd243b2e60b4b2e547a9ca31a9e56227ece6f07cfa346bb.exe
-
Size
168KB
-
MD5
08d5607dfeadf36294918b7cd9359170
-
SHA1
5b49039bf3d458c8f0ea5b023fbb3a62b72875d9
-
SHA256
a4dd6c5eb7c4bc5dcfd243b2e60b4b2e547a9ca31a9e56227ece6f07cfa346bb
-
SHA512
9336f6f25f290651bad3c519d49d9b9db39ccafbe40adf25da6c92b6e6cefae95ea4d77b052b098da6eb2fddd60c18f94830578d3e0bf3542ca5d33c26c62891
-
SSDEEP
3072:HUnLN8Y40VqZ2fQkbn1vVAva63HePH/RAPJis2Ht3IjXn32HaJt:0940g4fQkjxqvak+PH/RARMHGb3fJt
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgcgmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njbcim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogmfbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Begeknan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cckace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Loooca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkaqmeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gieojq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmlnoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnieom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oelmai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajphib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clcflkic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpfdalii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boiccdnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekholjqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddcdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlhaqogk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdqafgnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjmkcbcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdlnkmha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djefobmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ennaieib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmekoalh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gegfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdjefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bghabf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chcqpmep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Claifkkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfefiemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdejaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cciemedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmoipopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfijnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qaefjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enkece32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fckjalhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhhcgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlakpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqqapjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beehencq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkkpbgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnbacbac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gonnhhln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgbebiao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhlifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abpfhcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebbgid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hknach32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hodpgjha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peiljl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apajlhka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hknach32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hckcmjep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcplhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkkpbgli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpjbad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mekdekin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlgigdoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaefjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoffmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bommnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbkeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeempocb.exe -
Executes dropped EXE 64 IoCs
pid Process 1244 Lkmjin32.exe 2996 Lpjbad32.exe 2704 Lefkjkmc.exe 2784 Llqcfe32.exe 2816 Loooca32.exe 2216 Mgfgdn32.exe 2168 Mlcple32.exe 2000 Moalhq32.exe 2624 Mekdekin.exe 620 Mochnppo.exe 1448 Mdqafgnf.exe 1712 Mlgigdoh.exe 1368 Mnieom32.exe 1560 Mohbip32.exe 1284 Magnek32.exe 2132 Mdejaf32.exe 684 Mgcgmb32.exe 592 Njbcim32.exe 1000 Ncjgbcoi.exe 1380 Njdpomfe.exe 2488 Ndjdlffl.exe 1520 Nghphaeo.exe 1328 Nhlifi32.exe 1668 Nlgefh32.exe 3028 Nofabc32.exe 2852 Ncancbha.exe 1736 Njkfpl32.exe 2300 Omloag32.exe 2588 Onmkio32.exe 2564 Ofdcjm32.exe 2644 Obkdonic.exe 2456 Oqqapjnk.exe 2524 Oelmai32.exe 2608 Ondajnme.exe 2636 Omgaek32.exe 760 Oenifh32.exe 2240 Ogmfbd32.exe 1964 Ongnonkb.exe 2212 Pphjgfqq.exe 2424 Pgobhcac.exe 1740 Pjmodopf.exe 1860 Paggai32.exe 1528 Pcfcmd32.exe 2064 Pfdpip32.exe 844 Pmnhfjmg.exe 640 Ppmdbe32.exe 280 Pchpbded.exe 924 Peiljl32.exe 880 Pmqdkj32.exe 2172 Pnbacbac.exe 1204 Pbmmcq32.exe 2592 Pigeqkai.exe 1612 Plfamfpm.exe 2860 Pabjem32.exe 2468 Penfelgm.exe 1792 Qlhnbf32.exe 2788 Qjknnbed.exe 2336 Qaefjm32.exe 2760 Qdccfh32.exe 2004 Qjmkcbcb.exe 2036 Qmlgonbe.exe 1596 Qecoqk32.exe 1256 Adeplhib.exe 992 Ajphib32.exe -
Loads dropped DLL 64 IoCs
pid Process 2356 a4dd6c5eb7c4bc5dcfd243b2e60b4b2e547a9ca31a9e56227ece6f07cfa346bb.exe 2356 a4dd6c5eb7c4bc5dcfd243b2e60b4b2e547a9ca31a9e56227ece6f07cfa346bb.exe 1244 Lkmjin32.exe 1244 Lkmjin32.exe 2996 Lpjbad32.exe 2996 Lpjbad32.exe 2704 Lefkjkmc.exe 2704 Lefkjkmc.exe 2784 Llqcfe32.exe 2784 Llqcfe32.exe 2816 Loooca32.exe 2816 Loooca32.exe 2216 Mgfgdn32.exe 2216 Mgfgdn32.exe 2168 Mlcple32.exe 2168 Mlcple32.exe 2000 Moalhq32.exe 2000 Moalhq32.exe 2624 Mekdekin.exe 2624 Mekdekin.exe 620 Mochnppo.exe 620 Mochnppo.exe 1448 Mdqafgnf.exe 1448 Mdqafgnf.exe 1712 Mlgigdoh.exe 1712 Mlgigdoh.exe 1368 Mnieom32.exe 1368 Mnieom32.exe 1560 Mohbip32.exe 1560 Mohbip32.exe 1284 Magnek32.exe 1284 Magnek32.exe 2132 Mdejaf32.exe 2132 Mdejaf32.exe 684 Mgcgmb32.exe 684 Mgcgmb32.exe 592 Njbcim32.exe 592 Njbcim32.exe 1000 Ncjgbcoi.exe 1000 Ncjgbcoi.exe 1380 Njdpomfe.exe 1380 Njdpomfe.exe 2488 Ndjdlffl.exe 2488 Ndjdlffl.exe 1520 Nghphaeo.exe 1520 Nghphaeo.exe 1328 Nhlifi32.exe 1328 Nhlifi32.exe 1668 Nlgefh32.exe 1668 Nlgefh32.exe 3028 Nofabc32.exe 3028 Nofabc32.exe 2852 Ncancbha.exe 2852 Ncancbha.exe 3036 Ofbfdmeb.exe 3036 Ofbfdmeb.exe 2300 Omloag32.exe 2300 Omloag32.exe 2588 Onmkio32.exe 2588 Onmkio32.exe 2564 Ofdcjm32.exe 2564 Ofdcjm32.exe 2644 Obkdonic.exe 2644 Obkdonic.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Qaefjm32.exe Qjknnbed.exe File opened for modification C:\Windows\SysWOW64\Fddmgjpo.exe Fmjejphb.exe File created C:\Windows\SysWOW64\Anllbdkl.dll Hcifgjgc.exe File opened for modification C:\Windows\SysWOW64\Bdlblj32.exe Banepo32.exe File opened for modification C:\Windows\SysWOW64\Gcmjhbal.dll Ealnephf.exe File created C:\Windows\SysWOW64\Mgfgdn32.exe Loooca32.exe File created C:\Windows\SysWOW64\Pigeqkai.exe Pbmmcq32.exe File opened for modification C:\Windows\SysWOW64\Cdlnkmha.exe Cckace32.exe File opened for modification C:\Windows\SysWOW64\Fbgmbg32.exe Fddmgjpo.exe File opened for modification C:\Windows\SysWOW64\Hcifgjgc.exe Hpkjko32.exe File created C:\Windows\SysWOW64\Bommnc32.exe Bkaqmeah.exe File opened for modification C:\Windows\SysWOW64\Bgknheej.exe Bdlblj32.exe File created C:\Windows\SysWOW64\Memeaofm.dll Dgmglh32.exe File created C:\Windows\SysWOW64\Dfijnd32.exe Dcknbh32.exe File opened for modification C:\Windows\SysWOW64\Hcplhi32.exe Hodpgjha.exe File opened for modification C:\Windows\SysWOW64\Njdpomfe.exe Ncjgbcoi.exe File opened for modification C:\Windows\SysWOW64\Dodonf32.exe Dgmglh32.exe File created C:\Windows\SysWOW64\Djpmccqq.exe Ddcdkl32.exe File opened for modification C:\Windows\SysWOW64\Hpmgqnfl.exe Hlakpp32.exe File created C:\Windows\SysWOW64\Kjcidhml.dll Pchpbded.exe File created C:\Windows\SysWOW64\Kqmoql32.dll Plfamfpm.exe File created C:\Windows\SysWOW64\Ddflckmp.dll Bgknheej.exe File created C:\Windows\SysWOW64\Ppmcfdad.dll Dfijnd32.exe File opened for modification C:\Windows\SysWOW64\Enihne32.exe Ekklaj32.exe File created C:\Windows\SysWOW64\Gmgdddmq.exe Goddhg32.exe File created C:\Windows\SysWOW64\Ndjdlffl.exe Njdpomfe.exe File created C:\Windows\SysWOW64\Hbkdjjal.dll Paggai32.exe File created C:\Windows\SysWOW64\Ahokfj32.exe Aepojo32.exe File created C:\Windows\SysWOW64\Bdjefj32.exe Begeknan.exe File created C:\Windows\SysWOW64\Hbbhkqaj.dll Bghabf32.exe File created C:\Windows\SysWOW64\Njgpdbgm.dll Nhlifi32.exe File created C:\Windows\SysWOW64\Plfamfpm.exe Pigeqkai.exe File created C:\Windows\SysWOW64\Mmlblm32.dll Qmlgonbe.exe File created C:\Windows\SysWOW64\Alhjai32.exe Aiinen32.exe File opened for modification C:\Windows\SysWOW64\Ecmkghcl.exe Eqonkmdh.exe File opened for modification C:\Windows\SysWOW64\Eiomkn32.exe Ebedndfa.exe File opened for modification C:\Windows\SysWOW64\Loooca32.exe Llqcfe32.exe File created C:\Windows\SysWOW64\Bkfjhd32.exe Bgknheej.exe File opened for modification C:\Windows\SysWOW64\Cgmkmecg.exe Bcaomf32.exe File opened for modification C:\Windows\SysWOW64\Dnneja32.exe Dgdmmgpj.exe File created C:\Windows\SysWOW64\Ebagmn32.dll Dgdmmgpj.exe File created C:\Windows\SysWOW64\Glqllcbf.dll Hhjhkq32.exe File created C:\Windows\SysWOW64\Gjenmobn.dll Inljnfkg.exe File opened for modification C:\Windows\SysWOW64\Omgaek32.exe Ondajnme.exe File created C:\Windows\SysWOW64\Ongnonkb.exe Ogmfbd32.exe File opened for modification C:\Windows\SysWOW64\Baqbenep.exe Bkfjhd32.exe File created C:\Windows\SysWOW64\Ogjbla32.dll Egamfkdh.exe File created C:\Windows\SysWOW64\Midahn32.dll Eeempocb.exe File created C:\Windows\SysWOW64\Hpapln32.exe Hhjhkq32.exe File created C:\Windows\SysWOW64\Nlbodgap.dll Cckace32.exe File created C:\Windows\SysWOW64\Bifdjp32.dll Moalhq32.exe File created C:\Windows\SysWOW64\Obkdonic.exe Ofdcjm32.exe File created C:\Windows\SysWOW64\Oockje32.dll Chemfl32.exe File created C:\Windows\SysWOW64\Jeccgbbh.dll Filldb32.exe File created C:\Windows\SysWOW64\Oecbjjic.dll Globlmmj.exe File created C:\Windows\SysWOW64\Mgcgmb32.exe Mdejaf32.exe File opened for modification C:\Windows\SysWOW64\Pphjgfqq.exe Ongnonkb.exe File opened for modification C:\Windows\SysWOW64\Bdhhqk32.exe Beehencq.exe File opened for modification C:\Windows\SysWOW64\Fejgko32.exe Fmcoja32.exe File opened for modification C:\Windows\SysWOW64\Gelppaof.exe Gaqcoc32.exe File created C:\Windows\SysWOW64\Ondajnme.exe Oelmai32.exe File created C:\Windows\SysWOW64\Fckjalhj.exe Ealnephf.exe File created C:\Windows\SysWOW64\Qdcbfq32.dll Fmcoja32.exe File opened for modification C:\Windows\SysWOW64\Qhbpij32.dll Goddhg32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3236 3240 WerFault.exe 262 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omloag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnilobkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllopfgo.dll" Ggpimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cobbhfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gphmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll" Hodpgjha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofbfdmeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ompoljfn.dll" Obkdonic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmnhkk32.dll" Pjmodopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aiinen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffkcbgek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpfdalii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fddmgjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifjcn32.dll" Fbgmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgfgdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plfamfpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adhlaggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecpgmhai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhkpmjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbepi32.dll" Fmhheqje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdqafgnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omgaek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Peiljl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdmaibnf.dll" Chcqpmep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goddhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll" Hlakpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhcbom32.dll" Nofabc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnippoha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnneja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcfdakpf.dll" Emeopn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmqdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpikfj32.dll" Adeplhib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajphib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcplhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ildamhjd.dll" Ndjdlffl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkfjhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbpbqda.dll" Dnneja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enkece32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbgmbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gieojq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjknnbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abpfhcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aenbdoii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoffmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gejcjbah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gphmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll" Hhjhkq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcfcmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alhjai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdljffa.dll" Dbpodagk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlidlf32.dll" Fmjejphb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipghqomc.dll" Ajphib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Filldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkkgcp32.dll" Bdlblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgknheej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enihne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gonnhhln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqpofkjo.dll" Idceea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mekdekin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqamandk.dll" Adhlaggp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aljgfioc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmeohn32.dll" Bdooajdc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2356 wrote to memory of 1244 2356 a4dd6c5eb7c4bc5dcfd243b2e60b4b2e547a9ca31a9e56227ece6f07cfa346bb.exe 28 PID 2356 wrote to memory of 1244 2356 a4dd6c5eb7c4bc5dcfd243b2e60b4b2e547a9ca31a9e56227ece6f07cfa346bb.exe 28 PID 2356 wrote to memory of 1244 2356 a4dd6c5eb7c4bc5dcfd243b2e60b4b2e547a9ca31a9e56227ece6f07cfa346bb.exe 28 PID 2356 wrote to memory of 1244 2356 a4dd6c5eb7c4bc5dcfd243b2e60b4b2e547a9ca31a9e56227ece6f07cfa346bb.exe 28 PID 1244 wrote to memory of 2996 1244 Lkmjin32.exe 29 PID 1244 wrote to memory of 2996 1244 Lkmjin32.exe 29 PID 1244 wrote to memory of 2996 1244 Lkmjin32.exe 29 PID 1244 wrote to memory of 2996 1244 Lkmjin32.exe 29 PID 2996 wrote to memory of 2704 2996 Lpjbad32.exe 30 PID 2996 wrote to memory of 2704 2996 Lpjbad32.exe 30 PID 2996 wrote to memory of 2704 2996 Lpjbad32.exe 30 PID 2996 wrote to memory of 2704 2996 Lpjbad32.exe 30 PID 2704 wrote to memory of 2784 2704 Lefkjkmc.exe 31 PID 2704 wrote to memory of 2784 2704 Lefkjkmc.exe 31 PID 2704 wrote to memory of 2784 2704 Lefkjkmc.exe 31 PID 2704 wrote to memory of 2784 2704 Lefkjkmc.exe 31 PID 2784 wrote to memory of 2816 2784 Llqcfe32.exe 32 PID 2784 wrote to memory of 2816 2784 Llqcfe32.exe 32 PID 2784 wrote to memory of 2816 2784 Llqcfe32.exe 32 PID 2784 wrote to memory of 2816 2784 Llqcfe32.exe 32 PID 2816 wrote to memory of 2216 2816 Loooca32.exe 33 PID 2816 wrote to memory of 2216 2816 Loooca32.exe 33 PID 2816 wrote to memory of 2216 2816 Loooca32.exe 33 PID 2816 wrote to memory of 2216 2816 Loooca32.exe 33 PID 2216 wrote to memory of 2168 2216 Mgfgdn32.exe 34 PID 2216 wrote to memory of 2168 2216 Mgfgdn32.exe 34 PID 2216 wrote to memory of 2168 2216 Mgfgdn32.exe 34 PID 2216 wrote to memory of 2168 2216 Mgfgdn32.exe 34 PID 2168 wrote to memory of 2000 2168 Mlcple32.exe 35 PID 2168 wrote to memory of 2000 2168 Mlcple32.exe 35 PID 2168 wrote to memory of 2000 2168 Mlcple32.exe 35 PID 2168 wrote to memory of 2000 2168 Mlcple32.exe 35 PID 2000 wrote to memory of 2624 2000 Moalhq32.exe 36 PID 2000 wrote to memory of 2624 2000 Moalhq32.exe 36 PID 2000 wrote to memory of 2624 2000 Moalhq32.exe 36 PID 2000 wrote to memory of 2624 2000 Moalhq32.exe 36 PID 2624 wrote to memory of 620 2624 Mekdekin.exe 37 PID 2624 wrote to memory of 620 2624 Mekdekin.exe 37 PID 2624 wrote to memory of 620 2624 Mekdekin.exe 37 PID 2624 wrote to memory of 620 2624 Mekdekin.exe 37 PID 620 wrote to memory of 1448 620 Mochnppo.exe 38 PID 620 wrote to memory of 1448 620 Mochnppo.exe 38 PID 620 wrote to memory of 1448 620 Mochnppo.exe 38 PID 620 wrote to memory of 1448 620 Mochnppo.exe 38 PID 1448 wrote to memory of 1712 1448 Mdqafgnf.exe 39 PID 1448 wrote to memory of 1712 1448 Mdqafgnf.exe 39 PID 1448 wrote to memory of 1712 1448 Mdqafgnf.exe 39 PID 1448 wrote to memory of 1712 1448 Mdqafgnf.exe 39 PID 1712 wrote to memory of 1368 1712 Mlgigdoh.exe 40 PID 1712 wrote to memory of 1368 1712 Mlgigdoh.exe 40 PID 1712 wrote to memory of 1368 1712 Mlgigdoh.exe 40 PID 1712 wrote to memory of 1368 1712 Mlgigdoh.exe 40 PID 1368 wrote to memory of 1560 1368 Mnieom32.exe 41 PID 1368 wrote to memory of 1560 1368 Mnieom32.exe 41 PID 1368 wrote to memory of 1560 1368 Mnieom32.exe 41 PID 1368 wrote to memory of 1560 1368 Mnieom32.exe 41 PID 1560 wrote to memory of 1284 1560 Mohbip32.exe 42 PID 1560 wrote to memory of 1284 1560 Mohbip32.exe 42 PID 1560 wrote to memory of 1284 1560 Mohbip32.exe 42 PID 1560 wrote to memory of 1284 1560 Mohbip32.exe 42 PID 1284 wrote to memory of 2132 1284 Magnek32.exe 43 PID 1284 wrote to memory of 2132 1284 Magnek32.exe 43 PID 1284 wrote to memory of 2132 1284 Magnek32.exe 43 PID 1284 wrote to memory of 2132 1284 Magnek32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\a4dd6c5eb7c4bc5dcfd243b2e60b4b2e547a9ca31a9e56227ece6f07cfa346bb.exe"C:\Users\Admin\AppData\Local\Temp\a4dd6c5eb7c4bc5dcfd243b2e60b4b2e547a9ca31a9e56227ece6f07cfa346bb.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:684 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:592 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1000 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1380 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2488 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1520 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1328 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2852 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe28⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe29⤵
- Loads dropped DLL
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2564 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe38⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe41⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe42⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1860 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe46⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe47⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe48⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:280 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:924 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1204 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2592 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe56⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe57⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe58⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe61⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2036 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe64⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1256 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:992 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe67⤵PID:2296
-
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe68⤵
- Modifies registry class
PID:856 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe69⤵PID:3060
-
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe70⤵PID:1876
-
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe71⤵PID:2404
-
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe72⤵PID:1700
-
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe73⤵PID:944
-
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe74⤵PID:1408
-
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe75⤵PID:2396
-
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2536 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe78⤵
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe80⤵
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe82⤵
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe83⤵PID:1936
-
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe84⤵
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1744 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe86⤵PID:2204
-
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe87⤵PID:920
-
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe88⤵PID:1924
-
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe89⤵PID:1388
-
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1568 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe91⤵PID:1804
-
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2628 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1720 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2620 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe97⤵PID:2836
-
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe98⤵
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe99⤵
- Drops file in System32 directory
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe100⤵
- Drops file in System32 directory
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe102⤵PID:3032
-
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe103⤵
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe104⤵
- Drops file in System32 directory
PID:552 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe105⤵PID:888
-
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe106⤵PID:968
-
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe107⤵PID:2604
-
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe108⤵PID:1556
-
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe109⤵PID:2128
-
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe110⤵
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe111⤵PID:1920
-
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe112⤵PID:2020
-
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe113⤵PID:2264
-
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe115⤵PID:1108
-
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2840 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2292 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe118⤵
- Drops file in System32 directory
PID:1756 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1908 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe120⤵PID:1248
-
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2744 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2560
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-