Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
29/06/2024, 19:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2eeb94b86034d8c0bc0c59d460782e463dd927a568c4c08b3f004bcf40fb3d20.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
2eeb94b86034d8c0bc0c59d460782e463dd927a568c4c08b3f004bcf40fb3d20.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
2eeb94b86034d8c0bc0c59d460782e463dd927a568c4c08b3f004bcf40fb3d20.exe
-
Size
608KB
-
MD5
4f157264eedc2fc7bd22a92348da5f25
-
SHA1
8a4de2f26e6ce7023b37e703d42a79316adc4dc6
-
SHA256
2eeb94b86034d8c0bc0c59d460782e463dd927a568c4c08b3f004bcf40fb3d20
-
SHA512
de0a80f1401a5a543243fe2495b538caa8fe7c3314734d9a340c767e0052f5c306940688ba6d13636fd23fa1aeb401624a4b2e106cbc02d7592a1e49ea6422fc
-
SSDEEP
12288:bPOgkY660fIaDZkY660f8jTK/XhdAwlt01t:bZgsaDZgQjGkwlg
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eamilh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkdhoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfcampgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaffbqaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdbahpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnagjbdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhiholof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qngmgjeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqkobqhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adpkee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peanbblf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjekfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckahkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejkkfjkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oalfhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmjbhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ollajp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpdbloof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghcoqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdcmbgkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clalod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nekbmgcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Depbfhpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oopnlacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Modkfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdjccf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hknach32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcdbbloa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Peoalc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbfbgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgkafo32.exe -
Executes dropped EXE 64 IoCs
pid Process 2596 Lhlqhb32.exe 1736 Lganiohl.exe 2336 Lgdjnofi.exe 2744 Loooca32.exe 2832 Moalhq32.exe 2140 Mcodno32.exe 2040 Madapkmp.exe 2576 Mgajhbkg.exe 2324 Ngfcca32.exe 2792 Ndjdlffl.exe 2604 Nocemcbj.exe 2128 Njiijlbp.exe 300 Nmjblg32.exe 2404 Nbfjdn32.exe 2296 Onphoo32.exe 320 Odjpkihg.exe 576 Ojieip32.exe 352 Oqcnfjli.exe 1780 Oenifh32.exe 2484 Ofpfnqjp.exe 1536 Ongnonkb.exe 1332 Pphjgfqq.exe 1952 Pjmodopf.exe 924 Paggai32.exe 2036 Pfdpip32.exe 2372 Piblek32.exe 2212 Pfflopdh.exe 1740 Pmqdkj32.exe 2428 Pnbacbac.exe 2828 Pigeqkai.exe 2084 Pbpjiphi.exe 2616 Penfelgm.exe 2636 Qeqbkkej.exe 2540 Qdccfh32.exe 2520 Qecoqk32.exe 2568 Ahakmf32.exe 2844 Ajphib32.exe 2776 Aplpai32.exe 2904 Adhlaggp.exe 2504 Ampqjm32.exe 2892 Apomfh32.exe 2224 Ambmpmln.exe 1296 Afkbib32.exe 1560 Amejeljk.exe 1028 Alhjai32.exe 992 Aepojo32.exe 852 Ahokfj32.exe 2348 Boiccdnf.exe 1616 Bagpopmj.exe 1868 Bhahlj32.exe 2360 Bkodhe32.exe 2996 Beehencq.exe 3004 Bloqah32.exe 1720 Bnpmipql.exe 2192 Begeknan.exe 2620 Bghabf32.exe 2712 Bopicc32.exe 2552 Bhhnli32.exe 2676 Bgknheej.exe 1456 Baqbenep.exe 1828 Bcaomf32.exe 2804 Cjlgiqbk.exe 616 Cljcelan.exe 1580 Cdakgibq.exe -
Loads dropped DLL 64 IoCs
pid Process 2160 2eeb94b86034d8c0bc0c59d460782e463dd927a568c4c08b3f004bcf40fb3d20.exe 2160 2eeb94b86034d8c0bc0c59d460782e463dd927a568c4c08b3f004bcf40fb3d20.exe 2596 Lhlqhb32.exe 2596 Lhlqhb32.exe 1736 Lganiohl.exe 1736 Lganiohl.exe 2336 Lgdjnofi.exe 2336 Lgdjnofi.exe 2744 Loooca32.exe 2744 Loooca32.exe 2832 Moalhq32.exe 2832 Moalhq32.exe 2140 Mcodno32.exe 2140 Mcodno32.exe 2040 Madapkmp.exe 2040 Madapkmp.exe 2576 Mgajhbkg.exe 2576 Mgajhbkg.exe 2324 Ngfcca32.exe 2324 Ngfcca32.exe 2792 Ndjdlffl.exe 2792 Ndjdlffl.exe 2604 Nocemcbj.exe 2604 Nocemcbj.exe 2128 Njiijlbp.exe 2128 Njiijlbp.exe 300 Nmjblg32.exe 300 Nmjblg32.exe 2404 Nbfjdn32.exe 2404 Nbfjdn32.exe 2296 Onphoo32.exe 2296 Onphoo32.exe 320 Odjpkihg.exe 320 Odjpkihg.exe 576 Ojieip32.exe 576 Ojieip32.exe 352 Oqcnfjli.exe 352 Oqcnfjli.exe 1780 Oenifh32.exe 1780 Oenifh32.exe 2484 Ofpfnqjp.exe 2484 Ofpfnqjp.exe 1536 Ongnonkb.exe 1536 Ongnonkb.exe 1332 Pphjgfqq.exe 1332 Pphjgfqq.exe 1952 Pjmodopf.exe 1952 Pjmodopf.exe 924 Paggai32.exe 924 Paggai32.exe 2036 Pfdpip32.exe 2036 Pfdpip32.exe 2372 Piblek32.exe 2372 Piblek32.exe 2212 Pfflopdh.exe 2212 Pfflopdh.exe 1740 Pmqdkj32.exe 1740 Pmqdkj32.exe 2428 Pnbacbac.exe 2428 Pnbacbac.exe 2828 Pigeqkai.exe 2828 Pigeqkai.exe 2084 Pbpjiphi.exe 2084 Pbpjiphi.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hhjapjmi.exe Hdnepk32.exe File created C:\Windows\SysWOW64\Eadphb32.dll Mlpneh32.exe File created C:\Windows\SysWOW64\Qqbecp32.exe Qndigd32.exe File created C:\Windows\SysWOW64\Jaoqqflp.exe Process not Found File created C:\Windows\SysWOW64\Dcbnpgkh.exe Process not Found File created C:\Windows\SysWOW64\Gekfnoog.exe Process not Found File created C:\Windows\SysWOW64\Bmoado32.dll Incpoe32.exe File created C:\Windows\SysWOW64\Ohkgmi32.dll Mkgfckcj.exe File created C:\Windows\SysWOW64\Abkhkgbb.exe Akqpom32.exe File created C:\Windows\SysWOW64\Gedpjdfh.dll Dgoopkgh.exe File created C:\Windows\SysWOW64\Eamilh32.exe Ekcaonhe.exe File opened for modification C:\Windows\SysWOW64\Ejkkfjkj.exe Egmojnlf.exe File created C:\Windows\SysWOW64\Lqejbiim.exe Lfpeeqig.exe File opened for modification C:\Windows\SysWOW64\Afgmodel.exe Process not Found File created C:\Windows\SysWOW64\Pjclpeak.dll Ngibaj32.exe File created C:\Windows\SysWOW64\Napoohch.dll Aeenochi.exe File created C:\Windows\SysWOW64\Fniamd32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Faonom32.exe Process not Found File created C:\Windows\SysWOW64\Mpgobc32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pgfjhcge.exe Process not Found File created C:\Windows\SysWOW64\Jhnlkifo.dll Ghelfg32.exe File opened for modification C:\Windows\SysWOW64\Hoamgd32.exe Hhgdkjol.exe File opened for modification C:\Windows\SysWOW64\Knjegqif.exe Kklikejc.exe File created C:\Windows\SysWOW64\Mabphn32.exe Mfllkece.exe File created C:\Windows\SysWOW64\Nbpiak32.dll Lkncmmle.exe File opened for modification C:\Windows\SysWOW64\Bbokmqie.exe Bocolb32.exe File created C:\Windows\SysWOW64\Nallalep.exe Process not Found File created C:\Windows\SysWOW64\Anogijnb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pgeefbhm.exe Pqkmjh32.exe File opened for modification C:\Windows\SysWOW64\Fjdnlhco.exe Fcjeon32.exe File opened for modification C:\Windows\SysWOW64\Fbmcbbki.exe Fcjcfe32.exe File created C:\Windows\SysWOW64\Paefhp32.dll Fmjgcipg.exe File created C:\Windows\SysWOW64\Oiakgcnl.exe Ocgbji32.exe File opened for modification C:\Windows\SysWOW64\Bbonei32.exe Bmbemb32.exe File created C:\Windows\SysWOW64\Onfoin32.exe Process not Found File created C:\Windows\SysWOW64\Djiqcmnn.dll Process not Found File created C:\Windows\SysWOW64\Hepmggig.dll Hdhbam32.exe File created C:\Windows\SysWOW64\Keoapb32.exe Kbqecg32.exe File opened for modification C:\Windows\SysWOW64\Ifbphh32.exe Process not Found File created C:\Windows\SysWOW64\Dneoankp.dll Process not Found File created C:\Windows\SysWOW64\Dhhmcidp.dll Ibckfa32.exe File created C:\Windows\SysWOW64\Ibbklamb.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ofmbnkhg.exe Oobjaqaj.exe File opened for modification C:\Windows\SysWOW64\Pjldghjm.exe Ogmhkmki.exe File created C:\Windows\SysWOW64\Fdeeaobo.dll Konndhmb.exe File created C:\Windows\SysWOW64\Dpcmgi32.exe Process not Found File created C:\Windows\SysWOW64\Hbmmlqlp.dll Process not Found File created C:\Windows\SysWOW64\Endgpgci.dll Iggned32.exe File opened for modification C:\Windows\SysWOW64\Joihjfnl.exe Jpfhoi32.exe File created C:\Windows\SysWOW64\Mdlkim32.dll Ebcjamoh.exe File created C:\Windows\SysWOW64\Dikjig32.dll Kkileele.exe File opened for modification C:\Windows\SysWOW64\Fhikme32.exe Ffkoai32.exe File created C:\Windows\SysWOW64\Jepmgj32.exe Jkkija32.exe File created C:\Windows\SysWOW64\Ipfbma32.dll Kpcqnf32.exe File opened for modification C:\Windows\SysWOW64\Ndcapd32.exe Process not Found File created C:\Windows\SysWOW64\Mhbped32.exe Mcegmm32.exe File created C:\Windows\SysWOW64\Ohendqhd.exe Oalfhf32.exe File created C:\Windows\SysWOW64\Annjfl32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bpnbkeld.exe Bidjnkdg.exe File created C:\Windows\SysWOW64\Pkcpei32.exe Pqnlhpfb.exe File opened for modification C:\Windows\SysWOW64\Ogknoe32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ceeieced.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fiepea32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lhcafa32.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 1732 2564 Process not Found 1826 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Penfelgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lclnemgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgqgle32.dll" Delmmigh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmemln32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgqjffca.dll" Ebpkce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Filldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdcie32.dll" Leljop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahqmla32.dll" Kcdjoaee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aamfnkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Amkbnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbefefec.dll" Kmgbdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elmnchif.dll" Aganeoip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbpjpn32.dll" Anahqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gnmgmbhb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Elfaifaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lofoed32.dll" Jnnnalph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmiamoh.dll" Knklagmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Peoalc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fgadda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcamkjba.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mbkmlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lfhfab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Endhhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Napoohch.dll" Aeenochi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofpfnqjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebinic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nadddkfi.dll" Olmhdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbldmm32.dll" Iefhhbef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jgagfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpekon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cckdlnjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Deojci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpbbdfik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kokjdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Epieghdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpocfncj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oobjaqaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Behgcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eihhlp32.dll" Oiakgcnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eipbmjcc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbhebh32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2160 wrote to memory of 2596 2160 2eeb94b86034d8c0bc0c59d460782e463dd927a568c4c08b3f004bcf40fb3d20.exe 28 PID 2160 wrote to memory of 2596 2160 2eeb94b86034d8c0bc0c59d460782e463dd927a568c4c08b3f004bcf40fb3d20.exe 28 PID 2160 wrote to memory of 2596 2160 2eeb94b86034d8c0bc0c59d460782e463dd927a568c4c08b3f004bcf40fb3d20.exe 28 PID 2160 wrote to memory of 2596 2160 2eeb94b86034d8c0bc0c59d460782e463dd927a568c4c08b3f004bcf40fb3d20.exe 28 PID 2596 wrote to memory of 1736 2596 Lhlqhb32.exe 29 PID 2596 wrote to memory of 1736 2596 Lhlqhb32.exe 29 PID 2596 wrote to memory of 1736 2596 Lhlqhb32.exe 29 PID 2596 wrote to memory of 1736 2596 Lhlqhb32.exe 29 PID 1736 wrote to memory of 2336 1736 Lganiohl.exe 30 PID 1736 wrote to memory of 2336 1736 Lganiohl.exe 30 PID 1736 wrote to memory of 2336 1736 Lganiohl.exe 30 PID 1736 wrote to memory of 2336 1736 Lganiohl.exe 30 PID 2336 wrote to memory of 2744 2336 Lgdjnofi.exe 31 PID 2336 wrote to memory of 2744 2336 Lgdjnofi.exe 31 PID 2336 wrote to memory of 2744 2336 Lgdjnofi.exe 31 PID 2336 wrote to memory of 2744 2336 Lgdjnofi.exe 31 PID 2744 wrote to memory of 2832 2744 Loooca32.exe 32 PID 2744 wrote to memory of 2832 2744 Loooca32.exe 32 PID 2744 wrote to memory of 2832 2744 Loooca32.exe 32 PID 2744 wrote to memory of 2832 2744 Loooca32.exe 32 PID 2832 wrote to memory of 2140 2832 Moalhq32.exe 33 PID 2832 wrote to memory of 2140 2832 Moalhq32.exe 33 PID 2832 wrote to memory of 2140 2832 Moalhq32.exe 33 PID 2832 wrote to memory of 2140 2832 Moalhq32.exe 33 PID 2140 wrote to memory of 2040 2140 Mcodno32.exe 34 PID 2140 wrote to memory of 2040 2140 Mcodno32.exe 34 PID 2140 wrote to memory of 2040 2140 Mcodno32.exe 34 PID 2140 wrote to memory of 2040 2140 Mcodno32.exe 34 PID 2040 wrote to memory of 2576 2040 Madapkmp.exe 35 PID 2040 wrote to memory of 2576 2040 Madapkmp.exe 35 PID 2040 wrote to memory of 2576 2040 Madapkmp.exe 35 PID 2040 wrote to memory of 2576 2040 Madapkmp.exe 35 PID 2576 wrote to memory of 2324 2576 Mgajhbkg.exe 36 PID 2576 wrote to memory of 2324 2576 Mgajhbkg.exe 36 PID 2576 wrote to memory of 2324 2576 Mgajhbkg.exe 36 PID 2576 wrote to memory of 2324 2576 Mgajhbkg.exe 36 PID 2324 wrote to memory of 2792 2324 Ngfcca32.exe 37 PID 2324 wrote to memory of 2792 2324 Ngfcca32.exe 37 PID 2324 wrote to memory of 2792 2324 Ngfcca32.exe 37 PID 2324 wrote to memory of 2792 2324 Ngfcca32.exe 37 PID 2792 wrote to memory of 2604 2792 Ndjdlffl.exe 38 PID 2792 wrote to memory of 2604 2792 Ndjdlffl.exe 38 PID 2792 wrote to memory of 2604 2792 Ndjdlffl.exe 38 PID 2792 wrote to memory of 2604 2792 Ndjdlffl.exe 38 PID 2604 wrote to memory of 2128 2604 Nocemcbj.exe 39 PID 2604 wrote to memory of 2128 2604 Nocemcbj.exe 39 PID 2604 wrote to memory of 2128 2604 Nocemcbj.exe 39 PID 2604 wrote to memory of 2128 2604 Nocemcbj.exe 39 PID 2128 wrote to memory of 300 2128 Njiijlbp.exe 40 PID 2128 wrote to memory of 300 2128 Njiijlbp.exe 40 PID 2128 wrote to memory of 300 2128 Njiijlbp.exe 40 PID 2128 wrote to memory of 300 2128 Njiijlbp.exe 40 PID 300 wrote to memory of 2404 300 Nmjblg32.exe 41 PID 300 wrote to memory of 2404 300 Nmjblg32.exe 41 PID 300 wrote to memory of 2404 300 Nmjblg32.exe 41 PID 300 wrote to memory of 2404 300 Nmjblg32.exe 41 PID 2404 wrote to memory of 2296 2404 Nbfjdn32.exe 42 PID 2404 wrote to memory of 2296 2404 Nbfjdn32.exe 42 PID 2404 wrote to memory of 2296 2404 Nbfjdn32.exe 42 PID 2404 wrote to memory of 2296 2404 Nbfjdn32.exe 42 PID 2296 wrote to memory of 320 2296 Onphoo32.exe 43 PID 2296 wrote to memory of 320 2296 Onphoo32.exe 43 PID 2296 wrote to memory of 320 2296 Onphoo32.exe 43 PID 2296 wrote to memory of 320 2296 Onphoo32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\2eeb94b86034d8c0bc0c59d460782e463dd927a568c4c08b3f004bcf40fb3d20.exe"C:\Users\Admin\AppData\Local\Temp\2eeb94b86034d8c0bc0c59d460782e463dd927a568c4c08b3f004bcf40fb3d20.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:300 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:320 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:576 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:352 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1780 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1536 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1332 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1952 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:924 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2036 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2372 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2428 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2084 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe34⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe35⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe36⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe37⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe38⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe39⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe40⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe41⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe42⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe43⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe44⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe45⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe46⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe47⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe48⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe49⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe50⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe51⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe52⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe53⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe54⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe55⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe56⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe57⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe58⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe59⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe60⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe61⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe62⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe63⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe64⤵
- Executes dropped EXE
PID:616 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe65⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe66⤵PID:1640
-
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe67⤵PID:1788
-
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe68⤵PID:1704
-
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe69⤵PID:2992
-
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe70⤵PID:1140
-
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe71⤵PID:1196
-
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe72⤵PID:920
-
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe73⤵PID:308
-
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe74⤵PID:2136
-
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe75⤵PID:2420
-
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe76⤵PID:2608
-
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe77⤵PID:2720
-
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe78⤵PID:2624
-
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe79⤵PID:1328
-
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe80⤵PID:2796
-
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe81⤵PID:556
-
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe82⤵PID:1068
-
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe83⤵PID:1620
-
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe84⤵PID:1420
-
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe85⤵PID:876
-
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe86⤵PID:2496
-
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe87⤵PID:2292
-
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe88⤵PID:1312
-
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe89⤵PID:1932
-
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe90⤵PID:3028
-
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe91⤵PID:892
-
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe92⤵PID:2436
-
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe93⤵
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe94⤵PID:2356
-
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe95⤵PID:2812
-
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe96⤵PID:2896
-
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe97⤵PID:2532
-
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe98⤵PID:2328
-
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe99⤵PID:3048
-
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe100⤵PID:2924
-
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe101⤵
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe102⤵PID:1248
-
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe103⤵PID:1916
-
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe104⤵PID:1488
-
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe105⤵PID:2352
-
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe106⤵
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe107⤵PID:1416
-
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe108⤵PID:1904
-
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe109⤵PID:2008
-
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe110⤵PID:2696
-
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe111⤵PID:1712
-
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe112⤵PID:2680
-
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe113⤵PID:1760
-
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe114⤵PID:2932
-
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe115⤵
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe116⤵PID:1392
-
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe117⤵PID:1588
-
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe118⤵PID:724
-
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe119⤵PID:1928
-
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe120⤵PID:840
-
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe121⤵PID:2836
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-