Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
29/06/2024, 04:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f34a0fc8f8b00ae2d3de017af7173b0bd9b8ae95fee12693da288232b1e73bc2.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
f34a0fc8f8b00ae2d3de017af7173b0bd9b8ae95fee12693da288232b1e73bc2.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
f34a0fc8f8b00ae2d3de017af7173b0bd9b8ae95fee12693da288232b1e73bc2.exe
-
Size
63KB
-
MD5
6c218ea654516149cbf8684467e8c766
-
SHA1
67dfb44512540ad85b5dd67ffe89a390bbe585da
-
SHA256
f34a0fc8f8b00ae2d3de017af7173b0bd9b8ae95fee12693da288232b1e73bc2
-
SHA512
c48282f99fbf148839d23ff27ea482aec03456a195de5aba80ba396e9c73ba5119fda9f3064f3252a270b5aafac42dbb02d54f8d4a2cc42d70d8fbe93202d80c
-
SSDEEP
768:y4REOWWHQa+HVZN1kS5aPAQiacr0IChdM8/1H5oVEAimrUTvn93b7NRDMFME3eUf:y4GODeuSMFABChv+VREn9rjDHE
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajbdna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnbjopoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdlnkmha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbdqmghm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqlafm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emhlfmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odjpkihg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfflopdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afiecb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckignd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdooajdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgodbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjlhneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hejoiedd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiedjneg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggpimica.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcfdgiid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmafennb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebinic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaqcoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghhofmql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnplpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pigeqkai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Admemg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efppoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfmmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpkjko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeqdep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gegfdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gicbeald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohqbqhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bagpopmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpafkknm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgmkmecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqqapjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Penfelgm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cljcelan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpdhklkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkgkbipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjhhocjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccdlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dodonf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaeiieeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbdnoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogfpbeim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhhnli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilknfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfmmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahchbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkaqmeah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohqbqhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiellh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afiecb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gieojq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fckjalhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgbebiao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alenki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cllpkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgmglh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eloemi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Banepo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Facdeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddeaalpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdfflm32.exe -
Executes dropped EXE 64 IoCs
pid Process 1320 Mkmfhacp.exe 2028 Mdejaf32.exe 2596 Mkobnqan.exe 2932 Naikkk32.exe 2736 Ndgggf32.exe 2384 Ngfcca32.exe 2120 Nnplpl32.exe 344 Npnhlg32.exe 2644 Ncmdhb32.exe 2648 Nfkpdn32.exe 1944 Nleiqhcg.exe 2308 Nocemcbj.exe 1620 Nfmmin32.exe 2840 Nhlifi32.exe 2096 Nofabc32.exe 2264 Nbdnoo32.exe 1252 Nhnfkigh.exe 980 Nmjblg32.exe 1548 Nohnhc32.exe 896 Ofbfdmeb.exe 452 Ohqbqhde.exe 3048 Okoomd32.exe 1840 Onmkio32.exe 752 Ofdcjm32.exe 2804 Ogfpbeim.exe 1264 Oomhcbjp.exe 1596 Odjpkihg.exe 2572 Oiellh32.exe 2060 Onbddoog.exe 2544 Oqqapjnk.exe 2612 Oelmai32.exe 2524 Ojieip32.exe 2144 Oqcnfjli.exe 2428 Ogmfbd32.exe 2444 Ojkboo32.exe 2704 Pphjgfqq.exe 2728 Pgobhcac.exe 1940 Pfbccp32.exe 2116 Pjmodopf.exe 1680 Pbiciana.exe 1392 Pfdpip32.exe 2108 Pmnhfjmg.exe 2092 Pfflopdh.exe 336 Peiljl32.exe 3008 Pmqdkj32.exe 1332 Pfiidobe.exe 3064 Pigeqkai.exe 1980 Ppamme32.exe 1632 Pbpjiphi.exe 852 Penfelgm.exe 836 Qhmbagfa.exe 1796 Qnfjna32.exe 2940 Qbbfopeg.exe 2584 Qdccfh32.exe 2504 Qhooggdn.exe 2400 Qljkhe32.exe 2508 Qnigda32.exe 1552 Qmlgonbe.exe 2720 Qagcpljo.exe 2320 Qecoqk32.exe 1740 Ahakmf32.exe 1636 Ajphib32.exe 1516 Aajpelhl.exe 2236 Ahchbf32.exe -
Loads dropped DLL 64 IoCs
pid Process 2192 f34a0fc8f8b00ae2d3de017af7173b0bd9b8ae95fee12693da288232b1e73bc2.exe 2192 f34a0fc8f8b00ae2d3de017af7173b0bd9b8ae95fee12693da288232b1e73bc2.exe 1320 Mkmfhacp.exe 1320 Mkmfhacp.exe 2028 Mdejaf32.exe 2028 Mdejaf32.exe 2596 Mkobnqan.exe 2596 Mkobnqan.exe 2932 Naikkk32.exe 2932 Naikkk32.exe 2736 Ndgggf32.exe 2736 Ndgggf32.exe 2384 Ngfcca32.exe 2384 Ngfcca32.exe 2120 Nnplpl32.exe 2120 Nnplpl32.exe 344 Npnhlg32.exe 344 Npnhlg32.exe 2644 Ncmdhb32.exe 2644 Ncmdhb32.exe 2648 Nfkpdn32.exe 2648 Nfkpdn32.exe 1944 Nleiqhcg.exe 1944 Nleiqhcg.exe 2308 Nocemcbj.exe 2308 Nocemcbj.exe 1620 Nfmmin32.exe 1620 Nfmmin32.exe 2840 Nhlifi32.exe 2840 Nhlifi32.exe 2096 Nofabc32.exe 2096 Nofabc32.exe 2264 Nbdnoo32.exe 2264 Nbdnoo32.exe 1252 Nhnfkigh.exe 1252 Nhnfkigh.exe 980 Nmjblg32.exe 980 Nmjblg32.exe 1548 Nohnhc32.exe 1548 Nohnhc32.exe 896 Ofbfdmeb.exe 896 Ofbfdmeb.exe 452 Ohqbqhde.exe 452 Ohqbqhde.exe 3048 Okoomd32.exe 3048 Okoomd32.exe 1840 Onmkio32.exe 1840 Onmkio32.exe 752 Ofdcjm32.exe 752 Ofdcjm32.exe 2804 Ogfpbeim.exe 2804 Ogfpbeim.exe 1264 Oomhcbjp.exe 1264 Oomhcbjp.exe 1596 Odjpkihg.exe 1596 Odjpkihg.exe 2572 Oiellh32.exe 2572 Oiellh32.exe 2060 Onbddoog.exe 2060 Onbddoog.exe 2544 Oqqapjnk.exe 2544 Oqqapjnk.exe 2612 Oelmai32.exe 2612 Oelmai32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gclcefmh.dll Ccdlbf32.exe File created C:\Windows\SysWOW64\Dgmglh32.exe Dbpodagk.exe File opened for modification C:\Windows\SysWOW64\Hpocfncj.exe Hnagjbdf.exe File opened for modification C:\Windows\SysWOW64\Pphjgfqq.exe Ojkboo32.exe File created C:\Windows\SysWOW64\Oelmai32.exe Oqqapjnk.exe File created C:\Windows\SysWOW64\Ojieip32.exe Oelmai32.exe File opened for modification C:\Windows\SysWOW64\Pfflopdh.exe Pmnhfjmg.exe File opened for modification C:\Windows\SysWOW64\Qbbfopeg.exe Qnfjna32.exe File opened for modification C:\Windows\SysWOW64\Abpfhcje.exe Admemg32.exe File created C:\Windows\SysWOW64\Mpefbknb.dll Bpcbqk32.exe File opened for modification C:\Windows\SysWOW64\Ennaieib.exe Ejbfhfaj.exe File created C:\Windows\SysWOW64\Hjlobf32.dll Ncmdhb32.exe File opened for modification C:\Windows\SysWOW64\Gaemjbcg.exe Gmjaic32.exe File created C:\Windows\SysWOW64\Qnfjna32.exe Qhmbagfa.exe File opened for modification C:\Windows\SysWOW64\Bghabf32.exe Bdjefj32.exe File opened for modification C:\Windows\SysWOW64\Ddeaalpg.exe Dqjepm32.exe File opened for modification C:\Windows\SysWOW64\Ffnphf32.exe Fdoclk32.exe File created C:\Windows\SysWOW64\Cabknqko.dll Hpmgqnfl.exe File opened for modification C:\Windows\SysWOW64\Iagfoe32.exe Ioijbj32.exe File created C:\Windows\SysWOW64\Poaljn32.dll Ofdcjm32.exe File created C:\Windows\SysWOW64\Qdoneabg.dll Bnpmipql.exe File opened for modification C:\Windows\SysWOW64\Cgpgce32.exe Ccdlbf32.exe File opened for modification C:\Windows\SysWOW64\Cllpkl32.exe Cjndop32.exe File opened for modification C:\Windows\SysWOW64\Dgodbh32.exe Dhmcfkme.exe File opened for modification C:\Windows\SysWOW64\Eflgccbp.exe Ebpkce32.exe File created C:\Windows\SysWOW64\Fmlapp32.exe Feeiob32.exe File created C:\Windows\SysWOW64\Ghhofmql.exe Gieojq32.exe File created C:\Windows\SysWOW64\Pienahqb.dll Afkbib32.exe File opened for modification C:\Windows\SysWOW64\Penfelgm.exe Pbpjiphi.exe File created C:\Windows\SysWOW64\Qdccfh32.exe Qbbfopeg.exe File created C:\Windows\SysWOW64\Lhcecp32.dll Aalmklfi.exe File opened for modification C:\Windows\SysWOW64\Afmonbqk.exe Aoffmd32.exe File created C:\Windows\SysWOW64\Balijo32.exe Bnpmipql.exe File created C:\Windows\SysWOW64\Enkece32.exe Elmigj32.exe File created C:\Windows\SysWOW64\Qlidlf32.dll Fphafl32.exe File created C:\Windows\SysWOW64\Gbfjhgfl.dll Ofbfdmeb.exe File created C:\Windows\SysWOW64\Hgbebiao.exe Ghoegl32.exe File created C:\Windows\SysWOW64\Jjcpjl32.dll Ghoegl32.exe File created C:\Windows\SysWOW64\Pfabenjd.dll Gaemjbcg.exe File opened for modification C:\Windows\SysWOW64\Pmnhfjmg.exe Pfdpip32.exe File created C:\Windows\SysWOW64\Ckggkg32.dll Qnigda32.exe File created C:\Windows\SysWOW64\Jfcfmmpb.dll Afmonbqk.exe File created C:\Windows\SysWOW64\Keledb32.dll Cdlnkmha.exe File created C:\Windows\SysWOW64\Nhnfkigh.exe Nbdnoo32.exe File opened for modification C:\Windows\SysWOW64\Eloemi32.exe Enkece32.exe File created C:\Windows\SysWOW64\Nofabc32.exe Nhlifi32.exe File created C:\Windows\SysWOW64\Aoipdkgg.dll Bpafkknm.exe File created C:\Windows\SysWOW64\Ckignd32.exe Cgmkmecg.exe File created C:\Windows\SysWOW64\Lbidmekh.dll Elmigj32.exe File created C:\Windows\SysWOW64\Fdoclk32.exe Fpdhklkl.exe File created C:\Windows\SysWOW64\Aloeodfi.dll Fbdqmghm.exe File opened for modification C:\Windows\SysWOW64\Ghhofmql.exe Gieojq32.exe File created C:\Windows\SysWOW64\Hahjpbad.exe Hiqbndpb.exe File created C:\Windows\SysWOW64\Higdqfol.dll Pbpjiphi.exe File opened for modification C:\Windows\SysWOW64\Afkbib32.exe Abpfhcje.exe File created C:\Windows\SysWOW64\Gncffdfn.dll Balijo32.exe File opened for modification C:\Windows\SysWOW64\Bkfjhd32.exe Bhhnli32.exe File created C:\Windows\SysWOW64\Flabbihl.exe Fckjalhj.exe File opened for modification C:\Windows\SysWOW64\Fmekoalh.exe Fnbkddem.exe File opened for modification C:\Windows\SysWOW64\Oiellh32.exe Odjpkihg.exe File created C:\Windows\SysWOW64\Oomkin32.dll Pjmodopf.exe File created C:\Windows\SysWOW64\Lpbjlbfp.dll Enkece32.exe File created C:\Windows\SysWOW64\Fehjeo32.exe Ebinic32.exe File created C:\Windows\SysWOW64\Ompoljfn.dll Onbddoog.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3500 3472 WerFault.exe 281 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpnhh32.dll" Pfiidobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lopekk32.dll" Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambcae32.dll" Eloemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabakh32.dll" Gaqcoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndgggf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elmigj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eloemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnkajj32.dll" Ffnphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Feeiob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecbjjic.dll" Globlmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfefiemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkihhhnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll" Hckcmjep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okoomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnigda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fphafl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feeiob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addnil32.dll" Gicbeald.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Febhomkh.dll" Gkihhhnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" f34a0fc8f8b00ae2d3de017af7173b0bd9b8ae95fee12693da288232b1e73bc2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ambmpmln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Admemg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emeopn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffkcbgek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhjhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbgan32.dll" Hhmepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhmepp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} f34a0fc8f8b00ae2d3de017af7173b0bd9b8ae95fee12693da288232b1e73bc2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peegic32.dll" Mdejaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkaqmeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdakgibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfeoofge.dll" Eihfjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hahjpbad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhnfkigh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qnfjna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aiinen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boiccdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Begeknan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Coklgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejbfhfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlakpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnhgoq32.dll" Nohnhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofdcjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ompoljfn.dll" Onbddoog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmlgonbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qagcpljo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnbjopoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccdlbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eihfjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll" Ioijbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nleiqhcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oiellh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogmfbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Admemg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beehencq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebinic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqpdnop.dll" Fmlapp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpmjak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbkgnfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pljpdpao.dll" Hgilchkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnebmi32.dll" Nhlifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbcoccqf.dll" Oiellh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2192 wrote to memory of 1320 2192 f34a0fc8f8b00ae2d3de017af7173b0bd9b8ae95fee12693da288232b1e73bc2.exe 28 PID 2192 wrote to memory of 1320 2192 f34a0fc8f8b00ae2d3de017af7173b0bd9b8ae95fee12693da288232b1e73bc2.exe 28 PID 2192 wrote to memory of 1320 2192 f34a0fc8f8b00ae2d3de017af7173b0bd9b8ae95fee12693da288232b1e73bc2.exe 28 PID 2192 wrote to memory of 1320 2192 f34a0fc8f8b00ae2d3de017af7173b0bd9b8ae95fee12693da288232b1e73bc2.exe 28 PID 1320 wrote to memory of 2028 1320 Mkmfhacp.exe 29 PID 1320 wrote to memory of 2028 1320 Mkmfhacp.exe 29 PID 1320 wrote to memory of 2028 1320 Mkmfhacp.exe 29 PID 1320 wrote to memory of 2028 1320 Mkmfhacp.exe 29 PID 2028 wrote to memory of 2596 2028 Mdejaf32.exe 30 PID 2028 wrote to memory of 2596 2028 Mdejaf32.exe 30 PID 2028 wrote to memory of 2596 2028 Mdejaf32.exe 30 PID 2028 wrote to memory of 2596 2028 Mdejaf32.exe 30 PID 2596 wrote to memory of 2932 2596 Mkobnqan.exe 31 PID 2596 wrote to memory of 2932 2596 Mkobnqan.exe 31 PID 2596 wrote to memory of 2932 2596 Mkobnqan.exe 31 PID 2596 wrote to memory of 2932 2596 Mkobnqan.exe 31 PID 2932 wrote to memory of 2736 2932 Naikkk32.exe 32 PID 2932 wrote to memory of 2736 2932 Naikkk32.exe 32 PID 2932 wrote to memory of 2736 2932 Naikkk32.exe 32 PID 2932 wrote to memory of 2736 2932 Naikkk32.exe 32 PID 2736 wrote to memory of 2384 2736 Ndgggf32.exe 33 PID 2736 wrote to memory of 2384 2736 Ndgggf32.exe 33 PID 2736 wrote to memory of 2384 2736 Ndgggf32.exe 33 PID 2736 wrote to memory of 2384 2736 Ndgggf32.exe 33 PID 2384 wrote to memory of 2120 2384 Ngfcca32.exe 34 PID 2384 wrote to memory of 2120 2384 Ngfcca32.exe 34 PID 2384 wrote to memory of 2120 2384 Ngfcca32.exe 34 PID 2384 wrote to memory of 2120 2384 Ngfcca32.exe 34 PID 2120 wrote to memory of 344 2120 Nnplpl32.exe 35 PID 2120 wrote to memory of 344 2120 Nnplpl32.exe 35 PID 2120 wrote to memory of 344 2120 Nnplpl32.exe 35 PID 2120 wrote to memory of 344 2120 Nnplpl32.exe 35 PID 344 wrote to memory of 2644 344 Npnhlg32.exe 36 PID 344 wrote to memory of 2644 344 Npnhlg32.exe 36 PID 344 wrote to memory of 2644 344 Npnhlg32.exe 36 PID 344 wrote to memory of 2644 344 Npnhlg32.exe 36 PID 2644 wrote to memory of 2648 2644 Ncmdhb32.exe 37 PID 2644 wrote to memory of 2648 2644 Ncmdhb32.exe 37 PID 2644 wrote to memory of 2648 2644 Ncmdhb32.exe 37 PID 2644 wrote to memory of 2648 2644 Ncmdhb32.exe 37 PID 2648 wrote to memory of 1944 2648 Nfkpdn32.exe 38 PID 2648 wrote to memory of 1944 2648 Nfkpdn32.exe 38 PID 2648 wrote to memory of 1944 2648 Nfkpdn32.exe 38 PID 2648 wrote to memory of 1944 2648 Nfkpdn32.exe 38 PID 1944 wrote to memory of 2308 1944 Nleiqhcg.exe 39 PID 1944 wrote to memory of 2308 1944 Nleiqhcg.exe 39 PID 1944 wrote to memory of 2308 1944 Nleiqhcg.exe 39 PID 1944 wrote to memory of 2308 1944 Nleiqhcg.exe 39 PID 2308 wrote to memory of 1620 2308 Nocemcbj.exe 40 PID 2308 wrote to memory of 1620 2308 Nocemcbj.exe 40 PID 2308 wrote to memory of 1620 2308 Nocemcbj.exe 40 PID 2308 wrote to memory of 1620 2308 Nocemcbj.exe 40 PID 1620 wrote to memory of 2840 1620 Nfmmin32.exe 41 PID 1620 wrote to memory of 2840 1620 Nfmmin32.exe 41 PID 1620 wrote to memory of 2840 1620 Nfmmin32.exe 41 PID 1620 wrote to memory of 2840 1620 Nfmmin32.exe 41 PID 2840 wrote to memory of 2096 2840 Nhlifi32.exe 42 PID 2840 wrote to memory of 2096 2840 Nhlifi32.exe 42 PID 2840 wrote to memory of 2096 2840 Nhlifi32.exe 42 PID 2840 wrote to memory of 2096 2840 Nhlifi32.exe 42 PID 2096 wrote to memory of 2264 2096 Nofabc32.exe 43 PID 2096 wrote to memory of 2264 2096 Nofabc32.exe 43 PID 2096 wrote to memory of 2264 2096 Nofabc32.exe 43 PID 2096 wrote to memory of 2264 2096 Nofabc32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\f34a0fc8f8b00ae2d3de017af7173b0bd9b8ae95fee12693da288232b1e73bc2.exe"C:\Users\Admin\AppData\Local\Temp\f34a0fc8f8b00ae2d3de017af7173b0bd9b8ae95fee12693da288232b1e73bc2.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:344 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1252 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:980 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:896 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:452 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1840 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:752 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2804 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1264 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1596 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2544 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2612 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe33⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe34⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2444 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe37⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe38⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe39⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2116 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe41⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1392 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe45⤵
- Executes dropped EXE
PID:336 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe46⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1332 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe49⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:836 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe55⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe56⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe57⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe61⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe62⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe63⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe64⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2032 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1784 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe68⤵
- Drops file in System32 directory
PID:2356 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe69⤵PID:1368
-
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2764 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe71⤵PID:1688
-
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe72⤵
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2588 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe74⤵PID:2748
-
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe76⤵
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe77⤵
- Drops file in System32 directory
PID:2668 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe78⤵
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe79⤵PID:1892
-
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe80⤵PID:1328
-
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe81⤵
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe82⤵
- Drops file in System32 directory
PID:784 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe83⤵PID:824
-
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe84⤵PID:1220
-
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe85⤵PID:1804
-
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe86⤵
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2000 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe88⤵PID:2600
-
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe89⤵PID:2420
-
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe90⤵PID:2580
-
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe91⤵PID:2860
-
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe92⤵
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1244 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe94⤵
- Drops file in System32 directory
PID:1952 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe95⤵
- Drops file in System32 directory
PID:1316 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe96⤵
- Modifies registry class
PID:2480 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe97⤵
- Drops file in System32 directory
PID:788 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe98⤵PID:1480
-
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe99⤵PID:3036
-
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:880 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1568 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe104⤵PID:2892
-
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe105⤵PID:2628
-
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe106⤵PID:2448
-
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe107⤵
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1900 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1272 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1820 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe112⤵
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1356 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe114⤵PID:2920
-
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe115⤵
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1584 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe117⤵
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe118⤵PID:2296
-
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe119⤵PID:2292
-
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe120⤵PID:564
-
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe121⤵PID:1348
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-