Analysis
- max time kernel: 157s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 01/10/2022, 20:35
Static task: static1

Behavioral task: behavioral1
- Sample: bd69b1c7d6f5983a2d8b1f68fbb2675cd4899e0260edb79ddb01275836a70447.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: bd69b1c7d6f5983a2d8b1f68fbb2675cd4899e0260edb79ddb01275836a70447.exe
- Resource: win10v2004-20220812-en
General
- Target: bd69b1c7d6f5983a2d8b1f68fbb2675cd4899e0260edb79ddb01275836a70447.exe
- Size: 92KB
- MD5: 0873d6f3047c04ef207b0e15b423d5f0
- SHA1: 22175bc4e8306b0148a5a1f0f666035ebb8b6f5f
- SHA256: bd69b1c7d6f5983a2d8b1f68fbb2675cd4899e0260edb79ddb01275836a70447
- SHA512: d88855bc2bcdb7eb78260e6421d0c0ad4e76f7ac94b028a7f438ccb32166697e50abe647c720ecdf12ca253546508d3782360c4f081f901712b128895214a11e
- SSDEEP: 1536:VQx3VkHKuIMIx4BFtAmlEM2sq2OzBM3jLV3BGnMPJKEsztuJO:21aq640AmlEMlq28YjLlBRh1sN
Malware Config
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mbmjnl32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eknomc32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Elolelad.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fjgdak32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nobpia32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Plcckbeg.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Obphdqkl.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Imdkfq32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ldgcindl.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ncqojf32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Geogoe32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ldgogp32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fafnnk32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Immojpjj.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Llljhj32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kaopef32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aanmph32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fnndnbkc.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bapdlc32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bfaief32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eedofdnp.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Geogoe32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lcdjlf32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eifpnjeh.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jekaofkm.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmhgoeco.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kmbgmkpd.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lkooph32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bqonoank.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jfohdi32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Omejkm32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlbgfocn.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jmaden32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gjdmph32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ecmikcfd.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mlemni32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lllodkfa.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fpopheph.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iblhkp32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nfahkaqp.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cgnehmon.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njpjdo32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nldlpeei.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ojmbclch.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Helbgklg.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dncnpf32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfgjioha.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdgjmc32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jaflpfml.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ppfoiocj.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jbckhepf.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fedkegql.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Khglhepf.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ahqjpb32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jbgbjm32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Daekdnef.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngkdekad.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ngkdekad.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gpmmghea.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eakmbllp.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hiccbjhd.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dbbkhbjf.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oggjkp32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Imkcpd32.exe |
Executes dropped EXE (64 IoCs)

| pid | Process |
|---|---|
| 1476 | Mkahbo32.exe |
| 764 | Ofgennhp.exe |
| 888 | Pbpbhola.exe |
| 956 | Poipco32.exe |
| 952 | Ppmipg32.exe |
| 980 | Aaghnnab.exe |
| 580 | Bqfhei32.exe |
| 1600 | Bfgjioha.exe |
| 976 | Cbeqno32.exe |
| 1876 | Eehbdm32.exe |
| 1544 | Flbgpkop.exe |
| 1616 | Fihdoo32.exe |
| 856 | Hbebhdik.exe |
| 364 | Immojpjj.exe |
| 1308 | Jbckhepf.exe |
| 892 | Klkkpn32.exe |
| 1464 | Kahdhegj.exe |
| 1540 | Ldkipp32.exe |
| 836 | Mkenkmlp.exe |
| 1520 | Mclfmk32.exe |
| 1088 | Omippc32.exe |
| 1372 | Oggjkp32.exe |
| 1472 | Onabhjap.exe |
| 1588 | Oapodeac.exe |
| 968 | Pjhcmk32.exe |
| 1744 | Pefnhhpm.exe |
| 1808 | Plcckbeg.exe |
| 792 | Ahqjpb32.exe |
| 972 | Bpcdec32.exe |
| 1964 | Bdgfdf32.exe |
| 588 | Ecmikcfd.exe |
| 1720 | Fjogfbfd.exe |
| 1084 | Ggbggaak.exe |
| 1180 | Jghfegqj.exe |
| 1008 | Kejfho32.exe |
| 900 | Labpbc32.exe |
| 1972 | Mkbjkgkg.exe |
| 1580 | Njlqgckj.exe |
| 1680 | Ngkdekad.exe |
| 1484 | Pgmmin32.exe |
| 1052 | Plkfpmhc.exe |
| 1676 | Pnloah32.exe |
| 1480 | Pamhccbe.exe |
| 1488 | Almodp32.exe |
| 1324 | Bglipm32.exe |
| 1144 | Bhfhncni.exe |
| 1940 | Eiadhegg.exe |
| 1724 | Fjopllbh.exe |
| 1764 | Fjjcpp32.exe |
| 672 | Gakamijn.exe |
| 380 | Hhbicf32.exe |
| 1672 | Hnanambn.exe |
| 2028 | Inhdal32.exe |
| 1512 | Ifffknhn.exe |
| 1736 | Jedfci32.exe |
| 692 | Kmbgmkpd.exe |
| 1640 | Kpemdf32.exe |
| 1628 | Llljhj32.exe |
| 1212 | Mlemni32.exe |
| 2036 | Nkmfee32.exe |
| 1172 | Gpmkno32.exe |
| 1732 | Gbkgjk32.exe |
| 1216 | Hogajk32.exe |
| 1708 | Hgbfom32.exe |
Loads dropped DLL (64 IoCs)

Each row below is listed twice in the report (64 IoCs in total).

| pid | Process |
|---|---|
| 1388 | bd69b1c7d6f5983a2d8b1f68fbb2675cd4899e0260edb79ddb01275836a70447.exe |
| 1476 | Mkahbo32.exe |
| 764 | Ofgennhp.exe |
| 888 | Pbpbhola.exe |
| 956 | Poipco32.exe |
| 952 | Ppmipg32.exe |
| 980 | Aaghnnab.exe |
| 580 | Bqfhei32.exe |
| 1600 | Bfgjioha.exe |
| 976 | Cbeqno32.exe |
| 1876 | Eehbdm32.exe |
| 1544 | Flbgpkop.exe |
| 1616 | Fihdoo32.exe |
| 856 | Hbebhdik.exe |
| 364 | Immojpjj.exe |
| 1308 | Jbckhepf.exe |
| 892 | Klkkpn32.exe |
| 1464 | Kahdhegj.exe |
| 1540 | Ldkipp32.exe |
| 836 | Mkenkmlp.exe |
| 1520 | Mclfmk32.exe |
| 1088 | Omippc32.exe |
| 1372 | Oggjkp32.exe |
| 1472 | Onabhjap.exe |
| 1588 | Oapodeac.exe |
| 968 | Pjhcmk32.exe |
| 1744 | Pefnhhpm.exe |
| 1808 | Plcckbeg.exe |
| 792 | Ahqjpb32.exe |
| 972 | Bpcdec32.exe |
| 1964 | Bdgfdf32.exe |
| 588 | Ecmikcfd.exe |
Drops file in System32 directory (64 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\SysWOW64\Nbioaafb.dll | Njlqgckj.exe |
| File created | C:\Windows\SysWOW64\Bdkaifjp.exe | Bbmemjjl.exe |
| File created | C:\Windows\SysWOW64\Dcgbcmbo.exe | Cgnehmon.exe |
| File created | C:\Windows\SysWOW64\Abfmjdig.dll | Nldlpeei.exe |
| File created | C:\Windows\SysWOW64\Hhognf32.exe | Helbgklg.exe |
| File created | C:\Windows\SysWOW64\Hoikbelg.dll | Cddall32.exe |
| File created | C:\Windows\SysWOW64\Aageff32.dll | Fnaclj32.exe |
| File created | C:\Windows\SysWOW64\Ckjcbdnk.exe | Cdqkej32.exe |
| File created | C:\Windows\SysWOW64\Pjahmk32.dll | Gpgjjf32.exe |
| File created | C:\Windows\SysWOW64\Kmocme32.exe | Jbgbjm32.exe |
| File created | C:\Windows\SysWOW64\Cqgnnaeg.dll | Lpdellbh.exe |
| File created | C:\Windows\SysWOW64\Onpnge32.exe | Nlgkonkj.exe |
| File created | C:\Windows\SysWOW64\Eedngfjo.dll | Khglhepf.exe |
| File created | C:\Windows\SysWOW64\Pqajfm32.dll | Gkfnda32.exe |
| File created | C:\Windows\SysWOW64\Joniam32.dll | Anhbqd32.exe |
| File created | C:\Windows\SysWOW64\Qmpicf32.dll | Joifna32.exe |
| File opened for modification | C:\Windows\SysWOW64\Albjhg32.exe | Amkqak32.exe |
| File created | C:\Windows\SysWOW64\Lmmafd32.dll | Hcbaoc32.exe |
| File created | C:\Windows\SysWOW64\Fafkebgi.exe | Efeddfpb.exe |
| File created | C:\Windows\SysWOW64\Njjpqj32.dll | Mokege32.exe |
| File opened for modification | C:\Windows\SysWOW64\Pmjbll32.exe | Pdoqmgej.exe |
| File created | C:\Windows\SysWOW64\Fqamheog.exe | Egdpdqll.exe |
| File created | C:\Windows\SysWOW64\Gkfnda32.exe | Fokddaoj.exe |
| File opened for modification | C:\Windows\SysWOW64\Ifffknhn.exe | Inhdal32.exe |
| File created | C:\Windows\SysWOW64\Nkmfee32.exe | Mlemni32.exe |
| File created | C:\Windows\SysWOW64\Oocjeegq.dll | Hegnnldk.exe |
| File created | C:\Windows\SysWOW64\Flfpmf32.exe | Fjgdak32.exe |
| File created | C:\Windows\SysWOW64\Fplcie32.dll | Njpjdo32.exe |
| File created | C:\Windows\SysWOW64\Bkdbnfhb.exe | Aqoaaj32.exe |
| File created | C:\Windows\SysWOW64\Eakpke32.exe | Ejagoklg.exe |
| File created | C:\Windows\SysWOW64\Kckhckaf.dll | Lifdefdi.exe |
| File created | C:\Windows\SysWOW64\Ampphmdk.exe | Pnfiladh.exe |
| File opened for modification | C:\Windows\SysWOW64\Mlemni32.exe | Llljhj32.exe |
| File opened for modification | C:\Windows\SysWOW64\Gbomci32.exe | Gppqgn32.exe |
| File created | C:\Windows\SysWOW64\Abfomkqd.exe | Abcbglbg.exe |
| File opened for modification | C:\Windows\SysWOW64\Nmlgbb32.exe | Mooqkidk.exe |
| File created | C:\Windows\SysWOW64\Kjeghlio.exe | Kplfhnmp.exe |
| File created | C:\Windows\SysWOW64\Bgbobheo.exe | Beabkp32.exe |
| File created | C:\Windows\SysWOW64\Chjkpiaj.exe | Cfkndnbf.exe |
| File created | C:\Windows\SysWOW64\Dcmngefn.exe | Dnniio32.exe |
| File opened for modification | C:\Windows\SysWOW64\Klkkpn32.exe | Jbckhepf.exe |
| File created | C:\Windows\SysWOW64\Kplkil32.exe | Jepmcnol.exe |
| File created | C:\Windows\SysWOW64\Lkooph32.exe | Lllodkfa.exe |
| File created | C:\Windows\SysWOW64\Innheejj.dll | Bhgocmim.exe |
| File opened for modification | C:\Windows\SysWOW64\Bgglodoo.exe | Bpmdbj32.exe |
| File created | C:\Windows\SysWOW64\Dgkkpk32.dll | Miapod32.exe |
| File created | C:\Windows\SysWOW64\Ocnjalle.exe | Nckami32.exe |
| File opened for modification | C:\Windows\SysWOW64\Enmafd32.exe | Dncnpf32.exe |
| File opened for modification | C:\Windows\SysWOW64\Mhaali32.exe | Lanbqjhg.exe |
| File created | C:\Windows\SysWOW64\Ijnnncip.exe | Ihfkfl32.exe |
| File opened for modification | C:\Windows\SysWOW64\Pnfiladh.exe | Oklndgob.exe |
| File created | C:\Windows\SysWOW64\Gcjjldgm.dll | Hnanambn.exe |
| File opened for modification | C:\Windows\SysWOW64\Lllodkfa.exe | Lcdjlf32.exe |
| File opened for modification | C:\Windows\SysWOW64\Fdhocdjd.exe | Fajbgikp.exe |
| File created | C:\Windows\SysWOW64\Nnoieclh.exe | Nkpmihmd.exe |
| File opened for modification | C:\Windows\SysWOW64\Enkfjjfc.exe | Elljnngp.exe |
| File created | C:\Windows\SysWOW64\Ihhjdd32.exe | Iopfkohj.exe |
| File created | C:\Windows\SysWOW64\Opppnj32.exe | Nogmfbdp.exe |
| File created | C:\Windows\SysWOW64\Pheqljdf.exe | Omejkm32.exe |
| File created | C:\Windows\SysWOW64\Mplljf32.dll | Jijcic32.exe |
| File created | C:\Windows\SysWOW64\Kcdafl32.exe | Kqfejq32.exe |
| File opened for modification | C:\Windows\SysWOW64\Anolglde.exe | Akqpkqeb.exe |
| File created | C:\Windows\SysWOW64\Hfnjkikl.exe | Hqqabbme.exe |
| File created | C:\Windows\SysWOW64\Jdolhl32.dll | Kjeghlio.exe |
Modifies registry class (64 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Flbgpkop.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkaphg32.dll" | Phhbajdi.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Joglaj32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igojek32.dll" | Pmhgoeco.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egaalk32.dll" | Ppmipg32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbhaib32.dll" | Epmdkjhk.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dbgoodgq.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Efeddfpb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cfbjqjih.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqdnoh32.dll" | Khmpngma.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnomplel.dll" | Lnfaekmk.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fokddaoj.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bfgjioha.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pnloah32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aeopqcbd.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eakpke32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nmofaj32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dbbkhbjf.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjahmk32.dll" | Gpgjjf32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nphccd32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fjogfbfd.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Inhdal32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pfbeim32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigomdgm.dll" | Bbmemjjl.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifllkl32.dll" | Mmjnnokp.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cjebajij.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ejofgnbb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hmaqjf32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jhlmjjpb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcngod32.dll" | Kbpcio32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qginmijd.dll" | Nombmf32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Belipqcf.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjgjdk32.dll" | Kabocn32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pheqljdf.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pefnhhpm.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qnamnhpg.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dlikof32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mhaali32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fafkebgi.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccckp32.dll" | Onldmi32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nogmfbdp.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hhijaelc.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mmlhkfai.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hlamem32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aqmhcgci.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eojlbc32.dll" | Bqonoank.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fecbbh32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bhgocmim.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bnfdqd32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lkdjdp32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Opppnj32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcncnmgd.dll" | Ddlqpjja.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lllodkfa.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jjkkon32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bomqmq32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oklndgob.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kepmekim.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfjnhf32.dll" | Mhaali32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dkpfpb32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jekaofkm.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlcaibko.dll" | Edfcfibg.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjjife32.dll" | Hjpandie.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igkgbbmg.dll" | Pqembbfg.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emahdnkm.dll" | Blddgkmf.exe |
Suspicious use of WriteProcessMemory (64 IoCs)

Each row below is listed four times in the report (64 IoCs in total).

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1388 wrote to memory of 1476 | 1388 | bd69b1c7d6f5983a2d8b1f68fbb2675cd4899e0260edb79ddb01275836a70447.exe | 26 |
| PID 1476 wrote to memory of 764 | 1476 | Mkahbo32.exe | 27 |
| PID 764 wrote to memory of 888 | 764 | Ofgennhp.exe | 28 |
| PID 888 wrote to memory of 956 | 888 | Pbpbhola.exe | 29 |
| PID 956 wrote to memory of 952 | 956 | Poipco32.exe | 30 |
| PID 952 wrote to memory of 980 | 952 | Ppmipg32.exe | 31 |
| PID 980 wrote to memory of 580 | 980 | Aaghnnab.exe | 32 |
| PID 580 wrote to memory of 1600 | 580 | Bqfhei32.exe | 33 |
| PID 1600 wrote to memory of 976 | 1600 | Bfgjioha.exe | 34 |
| PID 976 wrote to memory of 1876 | 976 | Cbeqno32.exe | 35 |
| PID 1876 wrote to memory of 1544 | 1876 | Eehbdm32.exe | 36 |
| PID 1544 wrote to memory of 1616 | 1544 | Flbgpkop.exe | 37 |
| PID 1616 wrote to memory of 856 | 1616 | Fihdoo32.exe | 38 |
| PID 856 wrote to memory of 364 | 856 | Hbebhdik.exe | 39 |
| PID 364 wrote to memory of 1308 | 364 | Immojpjj.exe | 40 |
| PID 1308 wrote to memory of 892 | 1308 | Jbckhepf.exe | 41 |
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\bd69b1c7d6f5983a2d8b1f68fbb2675cd4899e0260edb79ddb01275836a70447.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\bd69b1c7d6f5983a2d8b1f68fbb2675cd4899e0260edb79ddb01275836a70447.exe")
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1388
[depth 2] C:\Windows\SysWOW64\Mkahbo32.exe  (command line: C:\Windows\system32\Mkahbo32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1476
[depth 3] C:\Windows\SysWOW64\Ofgennhp.exe  (command line: C:\Windows\system32\Ofgennhp.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:764
[depth 4] C:\Windows\SysWOW64\Pbpbhola.exe  (command line: C:\Windows\system32\Pbpbhola.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:888
[depth 5] C:\Windows\SysWOW64\Poipco32.exe  (command line: C:\Windows\system32\Poipco32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:956
[depth 6] C:\Windows\SysWOW64\Ppmipg32.exe  (command line: C:\Windows\system32\Ppmipg32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:952
[depth 7] C:\Windows\SysWOW64\Aaghnnab.exe  (command line: C:\Windows\system32\Aaghnnab.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:980
[depth 8] C:\Windows\SysWOW64\Bqfhei32.exe  (command line: C:\Windows\system32\Bqfhei32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:580
[depth 9] C:\Windows\SysWOW64\Bfgjioha.exe  (command line: C:\Windows\system32\Bfgjioha.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1600
[depth 10] C:\Windows\SysWOW64\Cbeqno32.exe  (command line: C:\Windows\system32\Cbeqno32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:976
[depth 11] C:\Windows\SysWOW64\Eehbdm32.exe  (command line: C:\Windows\system32\Eehbdm32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1876
[depth 12] C:\Windows\SysWOW64\Flbgpkop.exe  (command line: C:\Windows\system32\Flbgpkop.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1544
[depth 13] C:\Windows\SysWOW64\Fihdoo32.exe  (command line: C:\Windows\system32\Fihdoo32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616
[depth 14] C:\Windows\SysWOW64\Hbebhdik.exe  (command line: C:\Windows\system32\Hbebhdik.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:856
[depth 15] C:\Windows\SysWOW64\Immojpjj.exe  (command line: C:\Windows\system32\Immojpjj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:364
[depth 16] C:\Windows\SysWOW64\Jbckhepf.exe  (command line: C:\Windows\system32\Jbckhepf.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1308
[depth 17] C:\Windows\SysWOW64\Klkkpn32.exe  (command line: C:\Windows\system32\Klkkpn32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:892
[depth 18] C:\Windows\SysWOW64\Kahdhegj.exe  (command line: C:\Windows\system32\Kahdhegj.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1464
[depth 19] C:\Windows\SysWOW64\Ldkipp32.exe  (command line: C:\Windows\system32\Ldkipp32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1540
[depth 20] C:\Windows\SysWOW64\Mkenkmlp.exe  (command line: C:\Windows\system32\Mkenkmlp.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:836
[depth 21] C:\Windows\SysWOW64\Mclfmk32.exe  (command line: C:\Windows\system32\Mclfmk32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1520
[depth 22] C:\Windows\SysWOW64\Omippc32.exe  (command line: C:\Windows\system32\Omippc32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1088
[depth 23] C:\Windows\SysWOW64\Oggjkp32.exe  (command line: C:\Windows\system32\Oggjkp32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1372
[depth 24] C:\Windows\SysWOW64\Onabhjap.exe  (command line: C:\Windows\system32\Onabhjap.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1472
[depth 25] C:\Windows\SysWOW64\Oapodeac.exe  (command line: C:\Windows\system32\Oapodeac.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1588
[depth 26] C:\Windows\SysWOW64\Pjhcmk32.exe  (command line: C:\Windows\system32\Pjhcmk32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:968
[depth 27] C:\Windows\SysWOW64\Pefnhhpm.exe  (command line: C:\Windows\system32\Pefnhhpm.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1744
[depth 28] C:\Windows\SysWOW64\Plcckbeg.exe  (command line: C:\Windows\system32\Plcckbeg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1808
[depth 29] C:\Windows\SysWOW64\Ahqjpb32.exe  (command line: C:\Windows\system32\Ahqjpb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:792
[depth 30] C:\Windows\SysWOW64\Bpcdec32.exe  (command line: C:\Windows\system32\Bpcdec32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:972
[depth 31] C:\Windows\SysWOW64\Bdgfdf32.exe  (command line: C:\Windows\system32\Bdgfdf32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1964
[depth 32] C:\Windows\SysWOW64\Ecmikcfd.exe  (command line: C:\Windows\system32\Ecmikcfd.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:588
[depth 33] C:\Windows\SysWOW64\Fjogfbfd.exe  (command line: C:\Windows\system32\Fjogfbfd.exe)
- Executes dropped EXE
- Modifies registry class
PID:1720
[depth 34] C:\Windows\SysWOW64\Ggbggaak.exe  (command line: C:\Windows\system32\Ggbggaak.exe)
- Executes dropped EXE
PID:1084
[depth 35] C:\Windows\SysWOW64\Jghfegqj.exe  (command line: C:\Windows\system32\Jghfegqj.exe)
- Executes dropped EXE
PID:1180
[depth 36] C:\Windows\SysWOW64\Kejfho32.exe  (command line: C:\Windows\system32\Kejfho32.exe)
- Executes dropped EXE
PID:1008
[depth 37] C:\Windows\SysWOW64\Labpbc32.exe  (command line: C:\Windows\system32\Labpbc32.exe)
- Executes dropped EXE
PID:900
[depth 38] C:\Windows\SysWOW64\Mkbjkgkg.exe  (command line: C:\Windows\system32\Mkbjkgkg.exe)
- Executes dropped EXE
PID:1972
[depth 39] C:\Windows\SysWOW64\Njlqgckj.exe  (command line: C:\Windows\system32\Njlqgckj.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:1580
[depth 40] C:\Windows\SysWOW64\Ngkdekad.exe  (command line: C:\Windows\system32\Ngkdekad.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1680
[depth 41] C:\Windows\SysWOW64\Pgmmin32.exe  (command line: C:\Windows\system32\Pgmmin32.exe)
- Executes dropped EXE
PID:1484
[depth 42] C:\Windows\SysWOW64\Plkfpmhc.exe  (command line: C:\Windows\system32\Plkfpmhc.exe)
- Executes dropped EXE
PID:1052
[depth 43] C:\Windows\SysWOW64\Pnloah32.exe  (command line: C:\Windows\system32\Pnloah32.exe)
- Executes dropped EXE
- Modifies registry class
PID:1676
[depth 44] C:\Windows\SysWOW64\Pamhccbe.exe  (command line: C:\Windows\system32\Pamhccbe.exe)
- Executes dropped EXE
PID:1480
[depth 45] C:\Windows\SysWOW64\Almodp32.exe  (command line: C:\Windows\system32\Almodp32.exe)
- Executes dropped EXE
PID:1488
[depth 46] C:\Windows\SysWOW64\Bglipm32.exe  (command line: C:\Windows\system32\Bglipm32.exe)
- Executes dropped EXE
PID:1324
[depth 47] C:\Windows\SysWOW64\Bhfhncni.exe  (command line: C:\Windows\system32\Bhfhncni.exe)
- Executes dropped EXE
PID:1144
[depth 48] C:\Windows\SysWOW64\Eiadhegg.exe  (command line: C:\Windows\system32\Eiadhegg.exe)
- Executes dropped EXE
PID:1940
[depth 49] C:\Windows\SysWOW64\Fjopllbh.exe  (command line: C:\Windows\system32\Fjopllbh.exe)
- Executes dropped EXE
PID:1724
[depth 50] C:\Windows\SysWOW64\Fjjcpp32.exe  (command line: C:\Windows\system32\Fjjcpp32.exe)
- Executes dropped EXE
PID:1764
[depth 51] C:\Windows\SysWOW64\Gakamijn.exe  (command line: C:\Windows\system32\Gakamijn.exe)
- Executes dropped EXE
PID:672
[depth 52] C:\Windows\SysWOW64\Hhbicf32.exe  (command line: C:\Windows\system32\Hhbicf32.exe)
- Executes dropped EXE
PID:380
[depth 53] C:\Windows\SysWOW64\Hnanambn.exe  (command line: C:\Windows\system32\Hnanambn.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:1672
[depth 54] C:\Windows\SysWOW64\Inhdal32.exe  (command line: C:\Windows\system32\Inhdal32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2028
[depth 55] C:\Windows\SysWOW64\Ifffknhn.exe  (command line: C:\Windows\system32\Ifffknhn.exe)
- Executes dropped EXE
PID:1512
[depth 56] C:\Windows\SysWOW64\Jedfci32.exe  (command line: C:\Windows\system32\Jedfci32.exe)
- Executes dropped EXE
PID:1736
[depth 57] C:\Windows\SysWOW64\Kmbgmkpd.exe  (command line: C:\Windows\system32\Kmbgmkpd.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:692
[depth 58] C:\Windows\SysWOW64\Kpemdf32.exe  (command line: C:\Windows\system32\Kpemdf32.exe)
- Executes dropped EXE
PID:1640
[depth 59] C:\Windows\SysWOW64\Llljhj32.exe  (command line: C:\Windows\system32\Llljhj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1628
[depth 60] C:\Windows\SysWOW64\Mlemni32.exe  (command line: C:\Windows\system32\Mlemni32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1212
[depth 61] C:\Windows\SysWOW64\Nkmfee32.exe  (command line: C:\Windows\system32\Nkmfee32.exe)
- Executes dropped EXE
PID:2036
[depth 62] C:\Windows\SysWOW64\Gpmkno32.exe  (command line: C:\Windows\system32\Gpmkno32.exe)
- Executes dropped EXE
PID:1172
[depth 63] C:\Windows\SysWOW64\Gbkgjk32.exe  (command line: C:\Windows\system32\Gbkgjk32.exe)
- Executes dropped EXE
PID:1732
[depth 64] C:\Windows\SysWOW64\Hogajk32.exe  (command line: C:\Windows\system32\Hogajk32.exe)
- Executes dropped EXE
PID:1216
[depth 65] C:\Windows\SysWOW64\Hgbfom32.exe  (command line: C:\Windows\system32\Hgbfom32.exe)
- Executes dropped EXE
PID:1708
[depth 66] C:\Windows\SysWOW64\Hagjlfkq.exe  (command line: C:\Windows\system32\Hagjlfkq.exe)
PID:740
[depth 67] C:\Windows\SysWOW64\Ieqffh32.exe  (command line: C:\Windows\system32\Ieqffh32.exe)
PID:1976
[depth 68] C:\Windows\SysWOW64\Ikmnno32.exe  (command line: C:\Windows\system32\Ikmnno32.exe)
PID:1960
[depth 69] C:\Windows\SysWOW64\Idfbgemp.exe  (command line: C:\Windows\system32\Idfbgemp.exe)
PID:1624
[depth 70] C:\Windows\SysWOW64\Jqamge32.exe  (command line: C:\Windows\system32\Jqamge32.exe)
PID:1000
[depth 71] C:\Windows\SysWOW64\Joifna32.exe  (command line: C:\Windows\system32\Joifna32.exe)
- Drops file in System32 directory
PID:864
[depth 72] C:\Windows\SysWOW64\Jbgbjm32.exe  (command line: C:\Windows\system32\Jbgbjm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1632
[depth 73] C:\Windows\SysWOW64\Kmocme32.exe  (command line: C:\Windows\system32\Kmocme32.exe)
PID:1812
[depth 74] C:\Windows\SysWOW64\Kompiq32.exe  (command line: C:\Windows\system32\Kompiq32.exe)
PID:1996
[depth 75] C:\Windows\SysWOW64\Kbllellb.exe  (command line: C:\Windows\system32\Kbllellb.exe)
PID:1068
[depth 76] C:\Windows\SysWOW64\Kcabhcnk.exe  (command line: C:\Windows\system32\Kcabhcnk.exe)
PID:1476
[depth 77] C:\Windows\SysWOW64\Lahoggkb.exe  (command line: C:\Windows\system32\Lahoggkb.exe)
PID:952
[depth 78] C:\Windows\SysWOW64\Leonkj32.exe  (command line: C:\Windows\system32\Leonkj32.exe)
PID:980
[depth 79] C:\Windows\SysWOW64\Mdmnbefi.exe  (command line: C:\Windows\system32\Mdmnbefi.exe)
PID:1600
[depth 80] C:\Windows\SysWOW64\Phhbajdi.exe  (command line: C:\Windows\system32\Phhbajdi.exe)
- Modifies registry class
PID:1572
[depth 81] C:\Windows\SysWOW64\Amkqak32.exe  (command line: C:\Windows\system32\Amkqak32.exe)
- Drops file in System32 directory
PID:1844
[depth 82] C:\Windows\SysWOW64\Albjhg32.exe  (command line: C:\Windows\system32\Albjhg32.exe)
PID:1532
[depth 83] C:\Windows\SysWOW64\Bjjdoc32.exe  (command line: C:\Windows\system32\Bjjdoc32.exe)
PID:1876
[depth 84] C:\Windows\SysWOW64\Bidjkpoc.exe  (command line: C:\Windows\system32\Bidjkpoc.exe)
PID:932
[depth 85] C:\Windows\SysWOW64\Cddall32.exe  (command line: C:\Windows\system32\Cddall32.exe)
- Drops file in System32 directory
PID:1092
[depth 86] C:\Windows\SysWOW64\Cgcnhhdm.exe  (command line: C:\Windows\system32\Cgcnhhdm.exe)
PID:960
[depth 87] C:\Windows\SysWOW64\Difcob32.exe  (command line: C:\Windows\system32\Difcob32.exe)
PID:1112
[depth 88] C:\Windows\SysWOW64\Effgjbme.exe  (command line: C:\Windows\system32\Effgjbme.exe)
PID:1388
[depth 89] C:\Windows\SysWOW64\Ffajnf32.exe  (command line: C:\Windows\system32\Ffajnf32.exe)
PID:1620
[depth 90] C:\Windows\SysWOW64\Ganqkapp.exe  (command line: C:\Windows\system32\Ganqkapp.exe)
PID:1740
[depth 91] C:\Windows\SysWOW64\Gppqgn32.exe  (command line: C:\Windows\system32\Gppqgn32.exe)
- Drops file in System32 directory
PID:856
[depth 92] C:\Windows\SysWOW64\Gbomci32.exe  (command line: C:\Windows\system32\Gbomci32.exe)
PID:364
[depth 93] C:\Windows\SysWOW64\Hmaqjf32.exe  (command line: C:\Windows\system32\Hmaqjf32.exe)
- Modifies registry class
PID:1832
[depth 94] C:\Windows\SysWOW64\Iedlog32.exe  (command line: C:\Windows\system32\Iedlog32.exe)
PID:580
[depth 95] C:\Windows\SysWOW64\Imkcpd32.exe  (command line: C:\Windows\system32\Imkcpd32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1208
[depth 96] C:\Windows\SysWOW64\Ilndkaib.exe  (command line: C:\Windows\system32\Ilndkaib.exe)
PID:1464
[depth 97] C:\Windows\SysWOW64\Iolpgmhe.exe  (command line: C:\Windows\system32\Iolpgmhe.exe)
PID:1540
[depth 98] C:\Windows\SysWOW64\Jcmeckli.exe  (command line: C:\Windows\system32\Jcmeckli.exe)
PID:836
[depth 99] C:\Windows\SysWOW64\Jekaofkm.exe  (command line: C:\Windows\system32\Jekaofkm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1100
[depth 100] C:\Windows\SysWOW64\Jaflpfml.exe  (command line: C:\Windows\system32\Jaflpfml.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1860
[depth 101] C:\Windows\SysWOW64\Kdgeaa32.exe  (command line: C:\Windows\system32\Kdgeaa32.exe)
PID:2012
[depth 102] C:\Windows\SysWOW64\Kclabnoe.exe  (command line: C:\Windows\system32\Kclabnoe.exe)
PID:1336
[depth 103] C:\Windows\SysWOW64\Kkjclp32.exe  (command line: C:\Windows\system32\Kkjclp32.exe)
PID:1564
[depth 104] C:\Windows\SysWOW64\Lojhhn32.exe  (command line: C:\Windows\system32\Lojhhn32.exe)
PID:760
[depth 105] C:\Windows\SysWOW64\Lbiedi32.exe  (command line: C:\Windows\system32\Lbiedi32.exe)
PID:1744
[depth 106] C:\Windows\SysWOW64\Lmdbjghq.exe  (command line: C:\Windows\system32\Lmdbjghq.exe)
PID:268
[depth 107] C:\Windows\SysWOW64\Mmlhkfai.exe  (command line: C:\Windows\system32\Mmlhkfai.exe)
- Modifies registry class
PID:1592
[depth 108] C:\Windows\SysWOW64\Meijdhma.exe  (command line: C:\Windows\system32\Meijdhma.exe)
PID:1616
[depth 109] C:\Windows\SysWOW64\Mbmjnl32.exe  (command line: C:\Windows\system32\Mbmjnl32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1352
[depth 110] C:\Windows\SysWOW64\Nhlplb32.exe  (command line: C:\Windows\system32\Nhlplb32.exe)
PID:1808
[depth 111] C:\Windows\SysWOW64\Nkabim32.exe  (command line: C:\Windows\system32\Nkabim32.exe)
PID:792
[depth 112] C:\Windows\SysWOW64\Nmpneh32.exe  (command line: C:\Windows\system32\Nmpneh32.exe)
PID:764
[depth 113] C:\Windows\SysWOW64\Ohllkfkk.exe  (command line: C:\Windows\system32\Ohllkfkk.exe)
PID:1752
[depth 114] C:\Windows\SysWOW64\Ooknbonb.exe  (command line: C:\Windows\system32\Ooknbonb.exe)
PID:576
[depth 115] C:\Windows\SysWOW64\Pjihnl32.exe  (command line: C:\Windows\system32\Pjihnl32.exe)
PID:1964
[depth 116] C:\Windows\SysWOW64\Plgdjh32.exe  (command line: C:\Windows\system32\Plgdjh32.exe)
PID:520
[depth 117] C:\Windows\SysWOW64\Pfpicm32.exe  (command line: C:\Windows\system32\Pfpicm32.exe)
PID:1936
[depth 118] C:\Windows\SysWOW64\Pfbeim32.exe  (command line: C:\Windows\system32\Pfbeim32.exe)
- Modifies registry class
PID:1720
[depth 119] C:\Windows\SysWOW64\Pojjabqn.exe  (command line: C:\Windows\system32\Pojjabqn.exe)
PID:1084
[depth 120] C:\Windows\SysWOW64\Qfgodlfh.exe  (command line: C:\Windows\system32\Qfgodlfh.exe)
PID:1180
[depth 121] C:\Windows\SysWOW64\Adqephfk.exe  (command line: C:\Windows\system32\Adqephfk.exe)
PID:1008
[depth 122] C:\Windows\SysWOW64\Bbphmple.exe  (command line: C:\Windows\system32\Bbphmple.exe)
PID:1552
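Two things in the tree above matter when this report is turned into detection or correlation logic, and the following Python is an added example (not part of the tria.ge report or of the sample) that handles both. First, every dropped executable loads from C:\Windows\SysWOW64 while its command line names C:\Windows\system32: on 64-bit Windows a 32-bit process that refers to system32 is transparently redirected to SysWOW64, so a rule that keys on the system32 path in the command line alone will miss the real on-disk location. Second, PIDs are reused within the trace: 1388 is the submitted sample at depth 1 and Effgjbme.exe at depth 88, 1476 is Mkahbo32.exe at depth 2 and Kcabhcnk.exe at depth 76, which means each stage exits after spawning the next and a PID by itself does not identify a process. The code parses entries in the fused layout the page uses (image path run into the command line, depth run into the "⤵" glyph, PID on its own line or fused onto the entry), collapses the repeated "wrote to memory" records into unique parent/child edges, walks the resulting chain while refusing to follow a reused PID back into itself, and reports reused PIDs. The input lines are constructed from values in the report (the root file name is shortened to sample.exe), and the trailing number in each "wrote to memory" record is treated as an opaque sequence number, which is an assumption.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the process tree above: image path fused with the
# command line, nesting depth fused with the "⤵" glyph, and the PID either on its own line
# or fused onto the entry. Values are taken from the report; the root file name is shortened.
PROCESS_LINES = """\
C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe"C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe"1⤵
PID:1388
C:\\Windows\\SysWOW64\\Mkahbo32.exeC:\\Windows\\system32\\Mkahbo32.exe2⤵
PID:1476
C:\\Windows\\SysWOW64\\Kcabhcnk.exeC:\\Windows\\system32\\Kcabhcnk.exe76⤵PID:1476
C:\\Windows\\SysWOW64\\Effgjbme.exeC:\\Windows\\system32\\Effgjbme.exe88⤵PID:1388
""".splitlines()

# Constructed excerpt of the "wrote to memory" signature list: one record per
# WriteProcessMemory call, so the same parent/child pair repeats several times.
WPM_LINES = """\
PID 1600 wrote to memory of 976 1600 Bfgjioha.exe 34
PID 1600 wrote to memory of 976 1600 Bfgjioha.exe 34
PID 976 wrote to memory of 1876 976 Cbeqno32.exe 35
PID 976 wrote to memory of 1876 976 Cbeqno32.exe 35
PID 976 wrote to memory of 1876 976 Cbeqno32.exe 35
PID 1876 wrote to memory of 1544 1876 Eehbdm32.exe 36
""".splitlines()

PROC_RE = re.compile(
    r'^(?P<image>[A-Za-z]:\\.*?\.exe)"?(?P<cmdline>[A-Za-z]:\\.*?\.exe)"?'
    r'(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?$')
PID_RE = re.compile(r'^PID:(\d+)$')
# parent pid, child pid, parent pid repeated, parent image, trailing sequence number
# (the meaning of that last number is assumed, it is only carried through here)
WPM_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$')


def parse_processes(lines):
    """Split each fused tree entry into image, command line, depth and PID (report order)."""
    procs = []
    for line in lines:
        m = PROC_RE.match(line)
        if m:
            procs.append({"image": m["image"], "cmdline": m["cmdline"],
                          "depth": int(m["depth"]),
                          "pid": int(m["pid"]) if m["pid"] else None})
            continue
        m = PID_RE.match(line)
        if m and procs and procs[-1]["pid"] is None:
            procs[-1]["pid"] = int(m.group(1))
    return procs


def reused_pids(procs):
    """Map each PID that appears more than once to the depths at which it appears."""
    depths = defaultdict(list)
    for p in procs:
        depths[p["pid"]].append(p["depth"])
    return {pid: d for pid, d in depths.items() if len(d) > 1}


def wow64_redirected(proc):
    """True when the command line names system32 but the image really loaded from SysWOW64."""
    return (proc["cmdline"].lower().startswith("c:\\windows\\system32\\")
            and proc["image"].lower().startswith("c:\\windows\\syswow64\\"))


def parse_wpm_edges(lines):
    """Collapse repeated WriteProcessMemory records into unique (parent, child, image) edges."""
    edges = []
    for line in lines:
        m = WPM_RE.match(line)
        if m:
            edge = (int(m.group(1)), int(m.group(2)), m.group(3))
            if edge not in edges:
                edges.append(edge)
    return edges


def chain_from(edges, start):
    """Walk parent->child edges from `start`, never revisiting a PID (reuse would loop it)."""
    child_of = {parent: child for parent, child, _ in edges}
    chain = [start]
    while chain[-1] in child_of and child_of[chain[-1]] not in chain:
        chain.append(child_of[chain[-1]])
    return chain


if __name__ == "__main__":
    procs = parse_processes(PROCESS_LINES)
    print("reused PIDs:", reused_pids(procs))
    print("redirected:", [p["image"] for p in procs if wow64_redirected(p)])
    print("chain from 1600:", chain_from(parse_wpm_edges(WPM_LINES), 1600))
```

When the whole tree is fed in, `reused_pids` returns every PID that appears twice in the report, and any correlation that joins the "wrote to memory" records to the tree must therefore key on the PID together with its position (or start time) in the trace rather than on the PID alone; `chain_from` stops at the first repeat for the same reason.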