Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 86s
- max time network: 42s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 20/10/2022, 00:00
Static task
- static1
Behavioral task
- behavioral1
  Sample: 350800de31cc1bba31ad8c2541dee5aaef3975ae886967c4bb50ca3e90925bbe.exe
  Resource: win7-20220812-en
Behavioral task
- behavioral2
  Sample: 350800de31cc1bba31ad8c2541dee5aaef3975ae886967c4bb50ca3e90925bbe.exe
  Resource: win10v2004-20220812-en
General
- Target: 350800de31cc1bba31ad8c2541dee5aaef3975ae886967c4bb50ca3e90925bbe.exe
- Size: 64KB
- MD5: 7c97cd5530dc844164ab5aac674f74eb
- SHA1: 8d0161652f007edbea8e8cefb3a8938eba92df86
- SHA256: 350800de31cc1bba31ad8c2541dee5aaef3975ae886967c4bb50ca3e90925bbe
- SHA512: ae3a4067c92f8730fd4c7761c23e15de645b219bdfeb506c6b97d2eaf480535db0cd85be52f52d476b6a6d47ace345dbe8180e0fa3d47e08ce97367b5584bc9e
- SSDEEP: 1536:YHnjJExQyk9nbK6Bmvf5SuE8YuEbg7JNTwyLd:YHnNQDvs05Susbg7HTFJ
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Executes dropped EXE (64 IoCs)
- Loads dropped DLL (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Program crash (1 IoC)
  pid: 3476, pid_target: 3380, Process: WerFault.exe, procid_target: 324
- Modifies registry class (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\350800de31cc1bba31ad8c2541dee5aaef3975ae886967c4bb50ca3e90925bbe.exe | command line: "C:\Users\Admin\AppData\Local\Temp\350800de31cc1bba31ad8c2541dee5aaef3975ae886967c4bb50ca3e90925bbe.exe" | 1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1944
-
C:\Windows\SysWOW64\Bhkjkm32.exe | command line: C:\Windows\system32\Bhkjkm32.exe | 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976
-
C:\Windows\SysWOW64\Gqbpeb32.exe | command line: C:\Windows\system32\Gqbpeb32.exe | 3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:936
-
C:\Windows\SysWOW64\Hccignfl.exe | command line: C:\Windows\system32\Hccignfl.exe | 4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1148
-
C:\Windows\SysWOW64\Hdceaq32.exe | command line: C:\Windows\system32\Hdceaq32.exe | 5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1436
-
C:\Windows\SysWOW64\Higgpc32.exe | command line: C:\Windows\system32\Higgpc32.exe | 6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1224
-
C:\Windows\SysWOW64\Ipclbm32.exe | command line: C:\Windows\system32\Ipclbm32.exe | 7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1784
-
C:\Windows\SysWOW64\Inmbni32.exe | command line: C:\Windows\system32\Inmbni32.exe | 8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776
-
C:\Windows\SysWOW64\Ijdccj32.exe | command line: C:\Windows\system32\Ijdccj32.exe | 9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:548
-
C:\Windows\SysWOW64\Jfmqnk32.exe | command line: C:\Windows\system32\Jfmqnk32.exe | 10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1864
-
C:\Windows\SysWOW64\Jebnogbf.exe | command line: C:\Windows\system32\Jebnogbf.exe | 11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:836
-
C:\Windows\SysWOW64\Jhcfqb32.exe | command line: C:\Windows\system32\Jhcfqb32.exe | 12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:748
-
C:\Windows\SysWOW64\Jhecfb32.exe | command line: C:\Windows\system32\Jhecfb32.exe | 13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2020
-
C:\Windows\SysWOW64\Kmdhdhji.exe | command line: C:\Windows\system32\Kmdhdhji.exe | 14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:756
-
C:\Windows\SysWOW64\Khliga32.exe | command line: C:\Windows\system32\Khliga32.exe | 15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1284
-
C:\Windows\SysWOW64\Kcfjgo32.exe | command line: C:\Windows\system32\Kcfjgo32.exe | 16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:432
-
C:\Windows\SysWOW64\Kgdcmmja.exe | command line: C:\Windows\system32\Kgdcmmja.exe | 17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1688
-
C:\Windows\SysWOW64\Mdecpe32.exe | command line: C:\Windows\system32\Mdecpe32.exe | 18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:308
-
C:\Windows\SysWOW64\Mkahbo32.exe | command line: C:\Windows\system32\Mkahbo32.exe | 19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:788
-
C:\Windows\SysWOW64\Nmjkkf32.exe | command line: C:\Windows\system32\Nmjkkf32.exe | 20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:784
-
C:\Windows\SysWOW64\Nanmji32.exe | command line: C:\Windows\system32\Nanmji32.exe | 21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:852
-
C:\Windows\SysWOW64\Nbnidl32.exe | command line: C:\Windows\system32\Nbnidl32.exe | 22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:612
-
C:\Windows\SysWOW64\Ofpomonh.exe | command line: C:\Windows\system32\Ofpomonh.exe | 23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924
-
C:\Windows\SysWOW64\Omlcpicb.exe | command line: C:\Windows\system32\Omlcpicb.exe | 24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1972
-
C:\Windows\SysWOW64\Oejeik32.exe | command line: C:\Windows\system32\Oejeik32.exe | 25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584
-
C:\Windows\SysWOW64\Olfjldde.exe | command line: C:\Windows\system32\Olfjldde.exe | 26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1704
-
C:\Windows\SysWOW64\Pbpbhola.exe | command line: C:\Windows\system32\Pbpbhola.exe | 27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1980
-
C:\Windows\SysWOW64\Pmnmdl32.exe | command line: C:\Windows\system32\Pmnmdl32.exe | 28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1984
-
C:\Windows\SysWOW64\Qmecdknc.exe | command line: C:\Windows\system32\Qmecdknc.exe | 29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1940
-
C:\Windows\SysWOW64\Qofolc32.exe | command line: C:\Windows\system32\Qofolc32.exe | 30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1532
-
C:\Windows\SysWOW64\Acgeha32.exe | command line: C:\Windows\system32\Acgeha32.exe | 31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1268
-
C:\Windows\SysWOW64\Bneocn32.exe | command line: C:\Windows\system32\Bneocn32.exe | 32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1096
-
C:\Windows\SysWOW64\Cbqgcpkc.exe | command line: C:\Windows\system32\Cbqgcpkc.exe | 33⤵
- Executes dropped EXE
- Modifies registry class
PID:1360
-
C:\Windows\SysWOW64\Fickdopl.exe | command line: C:\Windows\system32\Fickdopl.exe | 34⤵
- Executes dropped EXE
PID:616
-
C:\Windows\SysWOW64\Fcnlbddj.exe | command line: C:\Windows\system32\Fcnlbddj.exe | 35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:336
-
C:\Windows\SysWOW64\Fklnlf32.exe | command line: C:\Windows\system32\Fklnlf32.exe | 36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1184
-
C:\Windows\SysWOW64\Gnjjhb32.exe | command line: C:\Windows\system32\Gnjjhb32.exe | 37⤵
- Executes dropped EXE
PID:1684
-
C:\Windows\SysWOW64\Gnapiahn.exe | command line: C:\Windows\system32\Gnapiahn.exe | 38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1364
-
C:\Windows\SysWOW64\Gjhqnbnb.exe | command line: C:\Windows\system32\Gjhqnbnb.exe | 39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2036
-
C:\Windows\SysWOW64\Hjjmcalp.exe | command line: C:\Windows\system32\Hjjmcalp.exe | 40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:556
-
C:\Windows\SysWOW64\Hcbbmg32.exe | command line: C:\Windows\system32\Hcbbmg32.exe | 41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1548
-
C:\Windows\SysWOW64\Hbjkcc32.exe | command line: C:\Windows\system32\Hbjkcc32.exe | 42⤵
- Executes dropped EXE
PID:948
-
C:\Windows\SysWOW64\Hdhhoo32.exe | command line: C:\Windows\system32\Hdhhoo32.exe | 43⤵
- Executes dropped EXE
PID:1956
-
C:\Windows\SysWOW64\Hdkdeobf.exe | command line: C:\Windows\system32\Hdkdeobf.exe | 44⤵
- Executes dropped EXE
- Modifies registry class
PID:808
-
C:\Windows\SysWOW64\Hkemah32.exe | command line: C:\Windows\system32\Hkemah32.exe | 45⤵
- Executes dropped EXE
PID:1636
-
C:\Windows\SysWOW64\Ijjjbe32.exe | command line: C:\Windows\system32\Ijjjbe32.exe | 46⤵
- Executes dropped EXE
- Modifies registry class
PID:1948
-
C:\Windows\SysWOW64\Imhfoq32.exe | command line: C:\Windows\system32\Imhfoq32.exe | 47⤵
- Executes dropped EXE
PID:1480
-
C:\Windows\SysWOW64\Igpgai32.exe | command line: C:\Windows\system32\Igpgai32.exe | 48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1048
-
C:\Windows\SysWOW64\Jncemglb.exe | command line: C:\Windows\system32\Jncemglb.exe | 49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1960
-
C:\Windows\SysWOW64\Jemmia32.exe | command line: C:\Windows\system32\Jemmia32.exe | 50⤵
- Executes dropped EXE
- Modifies registry class
PID:780
-
C:\Windows\SysWOW64\Jlgefljl.exe | command line: C:\Windows\system32\Jlgefljl.exe | 51⤵
- Executes dropped EXE
PID:1692
-
C:\Windows\SysWOW64\Jhpcqlnn.exe | command line: C:\Windows\system32\Jhpcqlnn.exe | 52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1612
-
C:\Windows\SysWOW64\Jjalbgko.exe | command line: C:\Windows\system32\Jjalbgko.exe | 53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1372
-
C:\Windows\SysWOW64\Lijomf32.exe | command line: C:\Windows\system32\Lijomf32.exe | 54⤵
- Executes dropped EXE
PID:2008
-
C:\Windows\SysWOW64\Mjdace32.exe | command line: C:\Windows\system32\Mjdace32.exe | 55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1588
-
C:\Windows\SysWOW64\Mldjepcc.exe | command line: C:\Windows\system32\Mldjepcc.exe | 56⤵
- Executes dropped EXE
PID:584
-
C:\Windows\SysWOW64\Ngceam32.exe | command line: C:\Windows\system32\Ngceam32.exe | 57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:960
-
C:\Windows\SysWOW64\Ndgeja32.exe | command line: C:\Windows\system32\Ndgeja32.exe | 58⤵
- Executes dropped EXE
PID:1936
-
C:\Windows\SysWOW64\Okjcepkf.exe | command line: C:\Windows\system32\Okjcepkf.exe | 59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1528
-
C:\Windows\SysWOW64\Oipadd32.exe | command line: C:\Windows\system32\Oipadd32.exe | 60⤵
- Executes dropped EXE
PID:1324
-
C:\Windows\SysWOW64\Obheminn.exe | command line: C:\Windows\system32\Obheminn.exe | 61⤵
- Executes dropped EXE
PID:844
-
C:\Windows\SysWOW64\Oibnjc32.exe | command line: C:\Windows\system32\Oibnjc32.exe | 62⤵
- Executes dropped EXE
PID:1500
-
C:\Windows\SysWOW64\Onofbj32.exe | command line: C:\Windows\system32\Onofbj32.exe | 63⤵
- Executes dropped EXE
PID:1240
-
C:\Windows\SysWOW64\Pfodalmh.exe | command line: C:\Windows\system32\Pfodalmh.exe | 64⤵
- Executes dropped EXE
PID:1304
-
C:\Windows\SysWOW64\Pbhalmqi.exe | command line: C:\Windows\system32\Pbhalmqi.exe | 65⤵
- Executes dropped EXE
PID:1760
-
C:\Windows\SysWOW64\Pibjighf.exe | command line: C:\Windows\system32\Pibjighf.exe | 66⤵
PID:1260
-
C:\Windows\SysWOW64\Qocllm32.exe | command line: C:\Windows\system32\Qocllm32.exe | 67⤵
PID:1712
-
C:\Windows\SysWOW64\Acjjqp32.exe | command line: C:\Windows\system32\Acjjqp32.exe | 68⤵
- Modifies registry class
PID:2024
-
C:\Windows\SysWOW64\Biilhi32.exe | command line: C:\Windows\system32\Biilhi32.exe | 69⤵
PID:1524
-
C:\Windows\SysWOW64\Bcaqao32.exe | command line: C:\Windows\system32\Bcaqao32.exe | 70⤵
PID:1920
-
C:\Windows\SysWOW64\Bhcbeeel.exe | command line: C:\Windows\system32\Bhcbeeel.exe | 71⤵
PID:1764
-
C:\Windows\SysWOW64\Bomkao32.exe | command line: C:\Windows\system32\Bomkao32.exe | 72⤵
PID:1128
-
C:\Windows\SysWOW64\Cdlpoein.exe | command line: C:\Windows\system32\Cdlpoein.exe | 73⤵
PID:1568
-
C:\Windows\SysWOW64\Ccffkaip.exe | command line: C:\Windows\system32\Ccffkaip.exe | 74⤵
- Drops file in System32 directory
PID:1592
-
C:\Windows\SysWOW64\Cfdbhmid.exe | command line: C:\Windows\system32\Cfdbhmid.exe | 75⤵
PID:1740
-
C:\Windows\SysWOW64\Ckakpcgk.exe | command line: C:\Windows\system32\Ckakpcgk.exe | 76⤵
PID:524
-
C:\Windows\SysWOW64\Dccfeeno.exe | command line: C:\Windows\system32\Dccfeeno.exe | 77⤵
- Modifies registry class
PID:1316
-
C:\Windows\SysWOW64\Dnijbnnd.exe | command line: C:\Windows\system32\Dnijbnnd.exe | 78⤵
- Modifies registry class
PID:1628
-
C:\Windows\SysWOW64\Fdjhdgkb.exe | command line: C:\Windows\system32\Fdjhdgkb.exe | 79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1772
-
C:\Windows\SysWOW64\Haeknnfo.exe | command line: C:\Windows\system32\Haeknnfo.exe | 80⤵
- Modifies registry class
PID:1744
-
C:\Windows\SysWOW64\Hlceik32.exe | command line: C:\Windows\system32\Hlceik32.exe | 81⤵
PID:2032
-
C:\Windows\SysWOW64\Icojkd32.exe | command line: C:\Windows\system32\Icojkd32.exe | 82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1464
-
C:\Windows\SysWOW64\Idccil32.exe | command line: C:\Windows\system32\Idccil32.exe | 83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1356
-
C:\Windows\SysWOW64\Igapeh32.exe | command line: C:\Windows\system32\Igapeh32.exe | 84⤵
PID:2056
-
C:\Windows\SysWOW64\Jqajnlgj.exe | command line: C:\Windows\system32\Jqajnlgj.exe | 85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2112
-
C:\Windows\SysWOW64\Jnnafe32.exe | command line: C:\Windows\system32\Jnnafe32.exe | 86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2120
-
C:\Windows\SysWOW64\Jfdigb32.exe | command line: C:\Windows\system32\Jfdigb32.exe | 87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2128
-
C:\Windows\SysWOW64\Kpmnphfj.exe | command line: C:\Windows\system32\Kpmnphfj.exe | 88⤵
PID:2136
-
C:\Windows\SysWOW64\Khkojj32.exe | command line: C:\Windows\system32\Khkojj32.exe | 89⤵
PID:2144
-
C:\Windows\SysWOW64\Llckdlnj.exe | command line: C:\Windows\system32\Llckdlnj.exe | 90⤵
PID:2152
-
C:\Windows\SysWOW64\Lelomadk.exe | command line: C:\Windows\system32\Lelomadk.exe | 91⤵
- Drops file in System32 directory
- Modifies registry class
PID:2160
-
C:\Windows\SysWOW64\Llfgjl32.exe | command line: C:\Windows\system32\Llfgjl32.exe | 92⤵
- Drops file in System32 directory
PID:2168
-
C:\Windows\SysWOW64\Lenlbabh.exe | command line: C:\Windows\system32\Lenlbabh.exe | 93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2252
-
C:\Windows\SysWOW64\Mhaajl32.exe | command line: C:\Windows\system32\Mhaajl32.exe | 94⤵
PID:2260
-
C:\Windows\SysWOW64\Mkbjkgkg.exe | command line: C:\Windows\system32\Mkbjkgkg.exe | 95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2268
-
C:\Windows\SysWOW64\Malbha32.exe | command line: C:\Windows\system32\Malbha32.exe | 96⤵
PID:2276
-
C:\Windows\SysWOW64\Mnepbb32.exe | command line: C:\Windows\system32\Mnepbb32.exe | 97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2288
-
C:\Windows\SysWOW64\Nlofon32.exe | command line: C:\Windows\system32\Nlofon32.exe | 98⤵
- Drops file in System32 directory
PID:2296
-
C:\Windows\SysWOW64\Ofbnkgci.exe | command line: C:\Windows\system32\Ofbnkgci.exe | 99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2356
-
C:\Windows\SysWOW64\Pmcliqen.exe | command line: C:\Windows\system32\Pmcliqen.exe | 100⤵
PID:2364
-
C:\Windows\SysWOW64\Pijmnajb.exe | command line: C:\Windows\system32\Pijmnajb.exe | 101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2372
-
C:\Windows\SysWOW64\Pmalbdim.exe | command line: C:\Windows\system32\Pmalbdim.exe | 102⤵
PID:2384
-
C:\Windows\SysWOW64\Qihlgeoq.exe | command line: C:\Windows\system32\Qihlgeoq.exe | 103⤵
PID:2392
-
C:\Windows\SysWOW64\Qaodhbpc.exe | command line: C:\Windows\system32\Qaodhbpc.exe | 104⤵
PID:2400
-
C:\Windows\SysWOW64\Qdmqdnog.exe | command line: C:\Windows\system32\Qdmqdnog.exe | 105⤵
PID:2408
-
C:\Windows\SysWOW64\Qflmqinj.exe | command line: C:\Windows\system32\Qflmqinj.exe | 106⤵
PID:2416
-
C:\Windows\SysWOW64\Qijimemn.exe | command line: C:\Windows\system32\Qijimemn.exe | 107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2424
-
C:\Windows\SysWOW64\Alheipla.exe | command line: C:\Windows\system32\Alheipla.exe | 108⤵
PID:2432
-
C:\Windows\SysWOW64\Afqfli32.exe | command line: C:\Windows\system32\Afqfli32.exe | 109⤵
- Drops file in System32 directory
PID:2440
-
C:\Windows\SysWOW64\Aiobhd32.exe | command line: C:\Windows\system32\Aiobhd32.exe | 110⤵
- Modifies registry class
PID:2448
-
C:\Windows\SysWOW64\Aajglffd.exe | command line: C:\Windows\system32\Aajglffd.exe | 111⤵
PID:2456
-
C:\Windows\SysWOW64\Bobaaj32.exe | command line: C:\Windows\system32\Bobaaj32.exe | 112⤵
PID:2464
-
C:\Windows\SysWOW64\Bkibfkgl.exe | command line: C:\Windows\system32\Bkibfkgl.exe | 113⤵
- Modifies registry class
PID:2472
-
C:\Windows\SysWOW64\Bpigca32.exe | command line: C:\Windows\system32\Bpigca32.exe | 114⤵
- Drops file in System32 directory
PID:2608
-
C:\Windows\SysWOW64\Bhfhncni.exe | command line: C:\Windows\system32\Bhfhncni.exe | 115⤵
- Modifies registry class
PID:2616
-
C:\Windows\SysWOW64\Bpmpoaol.exe | command line: C:\Windows\system32\Bpmpoaol.exe | 116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2624
-
C:\Windows\SysWOW64\Fiaqgh32.exe | command line: C:\Windows\system32\Fiaqgh32.exe | 117⤵
PID:2664
-
C:\Windows\SysWOW64\Fmmlhgal.exe | command line: C:\Windows\system32\Fmmlhgal.exe | 118⤵
PID:2672
-
C:\Windows\SysWOW64\Fpkidbqp.exe | command line: C:\Windows\system32\Fpkidbqp.exe | 119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2680
-
C:\Windows\SysWOW64\Ffeaqm32.exe | command line: C:\Windows\system32\Ffeaqm32.exe | 120⤵
- Modifies registry class
PID:2688
-
C:\Windows\SysWOW64\Fnqfeoeh.exe | command line: C:\Windows\system32\Fnqfeoeh.exe | 121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2696
-
C:\Windows\SysWOW64\Fppbob32.exe | command line: C:\Windows\system32\Fppbob32.exe | 122⤵
PID:2704