Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
03/05/2024, 14:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0003c980564bfa059cf2dad4671495cf.exe
Resource
win7-20240215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
0003c980564bfa059cf2dad4671495cf.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
0003c980564bfa059cf2dad4671495cf.exe
-
Size
242KB
-
MD5
0003c980564bfa059cf2dad4671495cf
-
SHA1
5b48f9155c2205a379f21fb2e145dea905dcf557
-
SHA256
43bc3390e1f935f441927b7015aca6b483e7208d7ac0e510b126a6d226d53566
-
SHA512
03ccad6f047570a226585af9fdc102ec7a9626ca3e59d682397c5facd87ce24edc362408fdbdac1ac8b162901c6ca0ab54929becfbb77fd3245adfac8c2176ef
-
SSDEEP
3072:Cl8NmM7VEV6V8ZLB6V16VKcWmjRrzKbKcWmjRrzK8VHkdYaM88KC:C/M5EV66LB6X62UyHEYa0
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogmfbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgknheej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gelppaof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enkece32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhfagipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddcdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gonnhhln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqcnfjli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chhjkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiekid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beehencq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnbjopoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Claifkkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfinoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejbfhfaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmoipopd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfijnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocomlemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbdocc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ennaieib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajphib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aplpai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnefdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bagpopmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhkpmjln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbdqmghm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iknnbklc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnkbdlbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hckcmjep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iknnbklc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emcbkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmekoalh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mekdekin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Penfelgm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjgoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hknach32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdapak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cngcjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doobajme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epdkli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okoomd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coklgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icbimi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gicbeald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adjigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnpnndgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjlhneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feeiob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcmhiojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baildokg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ealnephf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fckjalhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjdbnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlakpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hogmmjfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epfhbign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Libgjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apcfahio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgbebiao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oenifh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aalmklfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cphlljge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmgdddmq.exe -
Executes dropped EXE 64 IoCs
pid Process 1524 Libgjj32.exe 2088 Llqcfe32.exe 3008 Mcjkcplm.exe 3016 Meigpkka.exe 2496 Mhgclfje.exe 2472 Moalhq32.exe 2996 Mcmhiojk.exe 2768 Mekdekin.exe 2936 Migpeiag.exe 2072 Mabejlob.exe 1820 Mkjica32.exe 2748 Mofecpnl.exe 1668 Mepnpj32.exe 1580 Mhnjle32.exe 2052 Mnkbdlbd.exe 384 Mdejaf32.exe 1516 Mgcgmb32.exe 1736 Njbcim32.exe 288 Naikkk32.exe 2280 Njdpomfe.exe 1696 Npnhlg32.exe 1672 Ncmdhb32.exe 1684 Nghphaeo.exe 2884 Nnbhek32.exe 2388 Nqqdag32.exe 2940 Nfmmin32.exe 2728 Nlgefh32.exe 2712 Nofabc32.exe 1304 Ncancbha.exe 2912 Nfpjomgd.exe 2632 Nhnfkigh.exe 2664 Nohnhc32.exe 1076 Odegpj32.exe 2620 Omloag32.exe 1316 Okoomd32.exe 2792 Onmkio32.exe 2004 Ofdcjm32.exe 2116 Oicpfh32.exe 2780 Okalbc32.exe 1924 Obkdonic.exe 864 Odjpkihg.exe 2816 Okchhc32.exe 1792 Ojficpfn.exe 1680 Onbddoog.exe 592 Oqqapjnk.exe 2752 Ocomlemo.exe 1596 Oqcnfjli.exe 2548 Oenifh32.exe 2732 Ogmfbd32.exe 2692 Ofpfnqjp.exe 2784 Ojkboo32.exe 1708 Pminkk32.exe 2516 Pphjgfqq.exe 1980 Pccfge32.exe 2308 Pgobhcac.exe 1716 Pjmodopf.exe 1128 Pmlkpjpj.exe 1104 Pfdpip32.exe 1608 Piblek32.exe 2844 Pmnhfjmg.exe 904 Plahag32.exe 1540 Pchpbded.exe 2184 Pbkpna32.exe 2504 Peiljl32.exe -
Loads dropped DLL 64 IoCs
pid Process 3004 0003c980564bfa059cf2dad4671495cf.exe 3004 0003c980564bfa059cf2dad4671495cf.exe 1524 Libgjj32.exe 1524 Libgjj32.exe 2088 Llqcfe32.exe 2088 Llqcfe32.exe 3008 Mcjkcplm.exe 3008 Mcjkcplm.exe 3016 Meigpkka.exe 3016 Meigpkka.exe 2496 Mhgclfje.exe 2496 Mhgclfje.exe 2472 Moalhq32.exe 2472 Moalhq32.exe 2996 Mcmhiojk.exe 2996 Mcmhiojk.exe 2768 Mekdekin.exe 2768 Mekdekin.exe 2936 Migpeiag.exe 2936 Migpeiag.exe 2072 Mabejlob.exe 2072 Mabejlob.exe 1820 Mkjica32.exe 1820 Mkjica32.exe 2748 Mofecpnl.exe 2748 Mofecpnl.exe 1668 Mepnpj32.exe 1668 Mepnpj32.exe 1580 Mhnjle32.exe 1580 Mhnjle32.exe 2052 Mnkbdlbd.exe 2052 Mnkbdlbd.exe 384 Mdejaf32.exe 384 Mdejaf32.exe 1516 Mgcgmb32.exe 1516 Mgcgmb32.exe 1736 Njbcim32.exe 1736 Njbcim32.exe 288 Naikkk32.exe 288 Naikkk32.exe 2280 Njdpomfe.exe 2280 Njdpomfe.exe 1696 Npnhlg32.exe 1696 Npnhlg32.exe 1672 Ncmdhb32.exe 1672 Ncmdhb32.exe 1684 Nghphaeo.exe 1684 Nghphaeo.exe 2884 Nnbhek32.exe 2884 Nnbhek32.exe 2388 Nqqdag32.exe 2388 Nqqdag32.exe 2940 Nfmmin32.exe 2940 Nfmmin32.exe 2728 Nlgefh32.exe 2728 Nlgefh32.exe 2712 Nofabc32.exe 2712 Nofabc32.exe 1304 Ncancbha.exe 1304 Ncancbha.exe 2912 Nfpjomgd.exe 2912 Nfpjomgd.exe 2632 Nhnfkigh.exe 2632 Nhnfkigh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Admemg32.exe Apajlhka.exe File created C:\Windows\SysWOW64\Dmoipopd.exe Djpmccqq.exe File created C:\Windows\SysWOW64\Aadlib32.dll Onmkio32.exe File opened for modification C:\Windows\SysWOW64\Pbpjiphi.exe Pndniaop.exe File created C:\Windows\SysWOW64\Aofqfokm.dll Alhjai32.exe File opened for modification C:\Windows\SysWOW64\Bpfcgg32.exe Aljgfioc.exe File opened for modification C:\Windows\SysWOW64\Gbkgnfbd.exe Gopkmhjk.exe File opened for modification C:\Windows\SysWOW64\Glfhll32.exe Ghkllmoi.exe File opened for modification C:\Windows\SysWOW64\Hdfflm32.exe Hahjpbad.exe File opened for modification C:\Windows\SysWOW64\Apajlhka.exe Alenki32.exe File opened for modification C:\Windows\SysWOW64\Bnefdp32.exe Bjijdadm.exe File opened for modification C:\Windows\SysWOW64\Comimg32.exe Cpjiajeb.exe File created C:\Windows\SysWOW64\Djbiicon.exe Dfgmhd32.exe File created C:\Windows\SysWOW64\Ohbepi32.dll Facdeo32.exe File created C:\Windows\SysWOW64\Hodpgjha.exe Hlfdkoin.exe File created C:\Windows\SysWOW64\Fnnajckm.dll Ojkboo32.exe File created C:\Windows\SysWOW64\Eflgccbp.exe Ebpkce32.exe File created C:\Windows\SysWOW64\Hlfdkoin.exe Hhjhkq32.exe File opened for modification C:\Windows\SysWOW64\Dhmcfkme.exe Ddagfm32.exe File opened for modification C:\Windows\SysWOW64\Cillgpen.dll Doobajme.exe File created C:\Windows\SysWOW64\Ahpjhc32.dll Gieojq32.exe File created C:\Windows\SysWOW64\Nghphaeo.exe Ncmdhb32.exe File created C:\Windows\SysWOW64\Dlmdloao.dll Pmlkpjpj.exe File opened for modification C:\Windows\SysWOW64\Adjigg32.exe Aalmklfi.exe File opened for modification C:\Windows\SysWOW64\Gphmeo32.exe Gaemjbcg.exe File created C:\Windows\SysWOW64\Odpegjpg.dll Hkpnhgge.exe File created C:\Windows\SysWOW64\Gicbeald.exe Gegfdb32.exe File created C:\Windows\SysWOW64\Gdcbnc32.dll Ogmfbd32.exe File created C:\Windows\SysWOW64\Aiinen32.exe Afkbib32.exe File created C:\Windows\SysWOW64\Ccdlbf32.exe Cdakgibq.exe File created C:\Windows\SysWOW64\Ddgkcd32.dll Ddagfm32.exe File created C:\Windows\SysWOW64\Lkcmiimi.dll Djnpnc32.exe File created C:\Windows\SysWOW64\Gcmjhbal.dll Ebinic32.exe File created C:\Windows\SysWOW64\Gpknlk32.exe Globlmmj.exe File created C:\Windows\SysWOW64\Pfabenjd.dll Gphmeo32.exe File created C:\Windows\SysWOW64\Hknach32.exe Hgbebiao.exe File created C:\Windows\SysWOW64\Plahag32.exe Pmnhfjmg.exe File created C:\Windows\SysWOW64\Lpicol32.dll Cljcelan.exe File created C:\Windows\SysWOW64\Ebagmn32.dll Djbiicon.exe File created C:\Windows\SysWOW64\Epdkli32.exe Ekholjqg.exe File opened for modification C:\Windows\SysWOW64\Glpjaf32.dll Epdkli32.exe File opened for modification C:\Windows\SysWOW64\Dkkpbgli.exe Dhmcfkme.exe File opened for modification C:\Windows\SysWOW64\Feeiob32.exe Ffbicfoc.exe File created C:\Windows\SysWOW64\Qhbpij32.dll Gkihhhnm.exe File opened for modification C:\Windows\SysWOW64\Onbddoog.exe Ojficpfn.exe File created C:\Windows\SysWOW64\Eecqjpee.exe Eecqjpee.exe File created C:\Windows\SysWOW64\Ahcocb32.dll Glfhll32.exe File created C:\Windows\SysWOW64\Gcaciakh.dll Gmjaic32.exe File created C:\Windows\SysWOW64\Khejeajg.dll Hobcak32.exe File opened for modification C:\Windows\SysWOW64\Qbbfopeg.exe Qnfjna32.exe File created C:\Windows\SysWOW64\Lnnhje32.dll Gonnhhln.exe File opened for modification C:\Windows\SysWOW64\Ghmiam32.exe Gdamqndn.exe File created C:\Windows\SysWOW64\Ajbdna32.exe Affhncfc.exe File opened for modification C:\Windows\SysWOW64\Ckignd32.exe Cgmkmecg.exe File created C:\Windows\SysWOW64\Claifkkf.exe Chemfl32.exe File created C:\Windows\SysWOW64\Ghmiam32.exe Gdamqndn.exe File opened for modification C:\Windows\SysWOW64\Ccdlbf32.exe Cdakgibq.exe File opened for modification C:\Windows\SysWOW64\Lopekk32.dll Eecqjpee.exe File created C:\Windows\SysWOW64\Jeccgbbh.dll Filldb32.exe File opened for modification C:\Windows\SysWOW64\Ioijbj32.exe Iknnbklc.exe File created C:\Windows\SysWOW64\Pmlkpjpj.exe Pjmodopf.exe File created C:\Windows\SysWOW64\Pigeqkai.exe Pfiidobe.exe File opened for modification C:\Windows\SysWOW64\Cfinoq32.exe Cckace32.exe File created C:\Windows\SysWOW64\Hkkalk32.exe Hlhaqogk.exe -
Program crash 1 IoCs
pid pid_target Process 4312 4144 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlbpenqj.dll" Llqcfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjmodopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbcpgjj.dll" Coklgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll" Idceea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aodnnc32.dll" Mekdekin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjholl32.dll" Nqqdag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ankdiqih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djbiicon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll" Hckcmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aplpai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkddnkjk.dll" Ajdadamj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blmdlhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Claifkkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dchali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhggeddb.dll" Fjilieka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iacnpbdl.dll" Ocomlemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfegkapd.dll" Pchpbded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpjiajeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhecef.dll" Hgilchkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmcfdad.dll" Dfijnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gopkmhjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghkllmoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qdccfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ampqjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpeliikc.dll" Aepojo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ennaieib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ealnephf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcmgfkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffkcbgek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odegpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bloqah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhjgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fglhobmg.dll" Dngoibmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hodpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iknnbklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onmkio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckignd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiciogbn.dll" Cpeofk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccdlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddcdkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cciemedf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgfjbgmh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghoegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgmglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egamfkdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmekoalh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiqbndpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhjhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jadhjcfk.dll" Phjelg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhahlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccdlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljpghahi.dll" Dkhcmgnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpdhklkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gonnhhln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahchbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cljcelan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjgoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phofkg32.dll" Hahjpbad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oenifh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojkboo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinika32.dll" Qmlgonbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aiedjneg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adjigg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3004 wrote to memory of 1524 3004 0003c980564bfa059cf2dad4671495cf.exe 28 PID 3004 wrote to memory of 1524 3004 0003c980564bfa059cf2dad4671495cf.exe 28 PID 3004 wrote to memory of 1524 3004 0003c980564bfa059cf2dad4671495cf.exe 28 PID 3004 wrote to memory of 1524 3004 0003c980564bfa059cf2dad4671495cf.exe 28 PID 1524 wrote to memory of 2088 1524 Libgjj32.exe 29 PID 1524 wrote to memory of 2088 1524 Libgjj32.exe 29 PID 1524 wrote to memory of 2088 1524 Libgjj32.exe 29 PID 1524 wrote to memory of 2088 1524 Libgjj32.exe 29 PID 2088 wrote to memory of 3008 2088 Llqcfe32.exe 30 PID 2088 wrote to memory of 3008 2088 Llqcfe32.exe 30 PID 2088 wrote to memory of 3008 2088 Llqcfe32.exe 30 PID 2088 wrote to memory of 3008 2088 Llqcfe32.exe 30 PID 3008 wrote to memory of 3016 3008 Mcjkcplm.exe 31 PID 3008 wrote to memory of 3016 3008 Mcjkcplm.exe 31 PID 3008 wrote to memory of 3016 3008 Mcjkcplm.exe 31 PID 3008 wrote to memory of 3016 3008 Mcjkcplm.exe 31 PID 3016 wrote to memory of 2496 3016 Meigpkka.exe 32 PID 3016 wrote to memory of 2496 3016 Meigpkka.exe 32 PID 3016 wrote to memory of 2496 3016 Meigpkka.exe 32 PID 3016 wrote to memory of 2496 3016 Meigpkka.exe 32 PID 2496 wrote to memory of 2472 2496 Mhgclfje.exe 33 PID 2496 wrote to memory of 2472 2496 Mhgclfje.exe 33 PID 2496 wrote to memory of 2472 2496 Mhgclfje.exe 33 PID 2496 wrote to memory of 2472 2496 Mhgclfje.exe 33 PID 2472 wrote to memory of 2996 2472 Moalhq32.exe 34 PID 2472 wrote to memory of 2996 2472 Moalhq32.exe 34 PID 2472 wrote to memory of 2996 2472 Moalhq32.exe 34 PID 2472 wrote to memory of 2996 2472 Moalhq32.exe 34 PID 2996 wrote to memory of 2768 2996 Mcmhiojk.exe 35 PID 2996 wrote to memory of 2768 2996 Mcmhiojk.exe 35 PID 2996 wrote to memory of 2768 2996 Mcmhiojk.exe 35 PID 2996 wrote to memory of 2768 2996 Mcmhiojk.exe 35 PID 2768 wrote to memory of 2936 2768 Mekdekin.exe 36 PID 2768 wrote to memory of 2936 2768 Mekdekin.exe 36 PID 2768 wrote to memory of 2936 2768 Mekdekin.exe 36 PID 2768 wrote to memory of 2936 2768 Mekdekin.exe 36 PID 2936 wrote to memory of 2072 2936 Migpeiag.exe 37 PID 2936 wrote to memory of 2072 2936 Migpeiag.exe 37 PID 2936 wrote to memory of 2072 2936 Migpeiag.exe 37 PID 2936 wrote to memory of 2072 2936 Migpeiag.exe 37 PID 2072 wrote to memory of 1820 2072 Mabejlob.exe 38 PID 2072 wrote to memory of 1820 2072 Mabejlob.exe 38 PID 2072 wrote to memory of 1820 2072 Mabejlob.exe 38 PID 2072 wrote to memory of 1820 2072 Mabejlob.exe 38 PID 1820 wrote to memory of 2748 1820 Mkjica32.exe 39 PID 1820 wrote to memory of 2748 1820 Mkjica32.exe 39 PID 1820 wrote to memory of 2748 1820 Mkjica32.exe 39 PID 1820 wrote to memory of 2748 1820 Mkjica32.exe 39 PID 2748 wrote to memory of 1668 2748 Mofecpnl.exe 40 PID 2748 wrote to memory of 1668 2748 Mofecpnl.exe 40 PID 2748 wrote to memory of 1668 2748 Mofecpnl.exe 40 PID 2748 wrote to memory of 1668 2748 Mofecpnl.exe 40 PID 1668 wrote to memory of 1580 1668 Mepnpj32.exe 41 PID 1668 wrote to memory of 1580 1668 Mepnpj32.exe 41 PID 1668 wrote to memory of 1580 1668 Mepnpj32.exe 41 PID 1668 wrote to memory of 1580 1668 Mepnpj32.exe 41 PID 1580 wrote to memory of 2052 1580 Mhnjle32.exe 42 PID 1580 wrote to memory of 2052 1580 Mhnjle32.exe 42 PID 1580 wrote to memory of 2052 1580 Mhnjle32.exe 42 PID 1580 wrote to memory of 2052 1580 Mhnjle32.exe 42 PID 2052 wrote to memory of 384 2052 Mnkbdlbd.exe 43 PID 2052 wrote to memory of 384 2052 Mnkbdlbd.exe 43 PID 2052 wrote to memory of 384 2052 Mnkbdlbd.exe 43 PID 2052 wrote to memory of 384 2052 Mnkbdlbd.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\0003c980564bfa059cf2dad4671495cf.exe"C:\Users\Admin\AppData\Local\Temp\0003c980564bfa059cf2dad4671495cf.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:384 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:288 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1672 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2940 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1304 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2912 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2632 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe33⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1076 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe35⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe38⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe39⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe40⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe41⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe42⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe43⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1792 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe45⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe46⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe51⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe53⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe54⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe55⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe56⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1128 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe59⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe60⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2844 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe62⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1540 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe64⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe65⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe66⤵PID:2080
-
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe67⤵PID:2460
-
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe68⤵PID:1728
-
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe69⤵
- Drops file in System32 directory
PID:888 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe70⤵PID:2444
-
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe71⤵
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe72⤵PID:564
-
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe73⤵
- Drops file in System32 directory
PID:1368 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe74⤵PID:1748
-
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1640 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe76⤵PID:1312
-
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe77⤵PID:2896
-
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe78⤵PID:2596
-
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe79⤵
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe80⤵PID:1880
-
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe81⤵
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe82⤵PID:2944
-
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe83⤵PID:1172
-
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe84⤵PID:1112
-
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe85⤵
- Modifies registry class
PID:1196 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe86⤵PID:588
-
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe87⤵PID:412
-
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:560 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe89⤵
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe90⤵PID:1688
-
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe92⤵
- Modifies registry class
PID:1464 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe93⤵
- Drops file in System32 directory
PID:808 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe94⤵PID:2044
-
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe95⤵
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe96⤵
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe99⤵PID:1988
-
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe100⤵PID:768
-
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe101⤵
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe102⤵
- Drops file in System32 directory
PID:1188 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe103⤵
- Drops file in System32 directory
PID:1452 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe104⤵PID:572
-
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe105⤵
- Drops file in System32 directory
PID:2628 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe106⤵PID:2608
-
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe107⤵PID:1052
-
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe108⤵
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2336 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe110⤵PID:2424
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe111⤵PID:3036
-
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe112⤵
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe113⤵PID:284
-
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe114⤵PID:828
-
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe115⤵PID:780
-
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe116⤵
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe117⤵PID:2676
-
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe118⤵PID:2392
-
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2616 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:320 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe121⤵PID:2032
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-