Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
192s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
27/03/2024, 02:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f2f9af168a820e533edcac38d4a75ca6738b63d4e7666625b5b37558a298073f.exe
Resource
win7-20240221-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
f2f9af168a820e533edcac38d4a75ca6738b63d4e7666625b5b37558a298073f.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
f2f9af168a820e533edcac38d4a75ca6738b63d4e7666625b5b37558a298073f.exe
-
Size
71KB
-
MD5
dde0fd6207db1a16ec790dff7fc8d0fe
-
SHA1
b66ccf60a605fac3ef3c997a8d72315f5495c17f
-
SHA256
f2f9af168a820e533edcac38d4a75ca6738b63d4e7666625b5b37558a298073f
-
SHA512
1c70aaeb0d3dc873e145cc93a54d4af370bf0d3cdc3cd5bc9f8208e64c5a4a7f88a1bb1e2d7179e95e66adcf666da60261e6d3d0e5b87f1fc187fc57267cab81
-
SSDEEP
1536:QBg2vv/Px4BMB6Nv2OT91v8wsih6ONvUlvfMOHo3RQZK1P+ATT:0vMMB6Nv2kUws+6ONv2o3eIP+A3
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pfobjdoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qohfcmhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbipdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kplfmfmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cibnfpjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fchigcab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piiekp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nodikecl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afolpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfadoaih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dcdfdi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekfaij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqhclqnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbgdcapi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enmbeehg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdciej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edgkap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fqhclqnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kocodbpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajfoea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eohedi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alemjfpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bbfnchfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oclpdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccehgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jadlgjjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Acfonhgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giogonlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jqjdon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pkebig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Padcqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhobgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dbggpfci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nfhpjaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Epckkeek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Apcfqd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edjjph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bpfebmia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lklmoccl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahlnmjkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnjlcgnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocfiif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmgifa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ekddck32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcblgbfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mihkoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nndhpqma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pojgnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmlpjhlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Alifee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aegkfpah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmneebeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlhdjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flbehbqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lpmjplag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kceijg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajfoea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjqjoolp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hnnjco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dajgfboj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fgpock32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kikpgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mojaceln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efkfbp32.exe -
Executes dropped EXE 64 IoCs
pid Process 1752 Kgjjndeq.exe 2472 Ohjkcile.exe 2952 Ocfiif32.exe 2740 Omnmal32.exe 1628 Ojbnkp32.exe 1796 Oqlfhjch.exe 752 Pigklmqc.exe 1256 Pfnhkq32.exe 1540 Pkjqcg32.exe 2312 Pqgilnji.exe 1696 Pkmmigjo.exe 2304 Pajeanhf.exe 1872 Palbgn32.exe 1824 Apclnj32.exe 2368 Amglgn32.exe 1516 Acadchoo.exe 1084 Amjiln32.exe 880 Almihjlj.exe 1400 Abgaeddg.exe 1384 Aeenapck.exe 2872 Alofnj32.exe 2020 Abinjdad.exe 2708 Aegkfpah.exe 2696 Bjfpdf32.exe 2564 Bmelpa32.exe 1188 Beldao32.exe 1580 Bfmqigba.exe 2784 Bjiljf32.exe 2712 Bmgifa32.exe 2656 Bpfebmia.exe 2940 Bhmmcjjd.exe 2552 Binikb32.exe 368 Bphaglgo.exe 2812 Bbfnchfb.exe 1804 Bknfeege.exe 2684 Blobmm32.exe 472 Bmnofp32.exe 856 Bpmkbl32.exe 1396 Cggcofkf.exe 1388 Cpohhk32.exe 1352 Ccnddg32.exe 1884 Ciglaa32.exe 2920 Chjmmnnb.exe 1684 Codeih32.exe 2172 Cdamao32.exe 888 Chmibmlo.exe 2308 Cniajdkg.exe 1512 Ceqjla32.exe 1756 Ckmbdh32.exe 960 Cnlnpd32.exe 1640 Cdfgmnpa.exe 388 Chabmm32.exe 1180 Cjboeenh.exe 860 Dajgfboj.exe 2036 Dhleaq32.exe 2680 Dofnnkfg.exe 3024 Dbejjfek.exe 1316 Dhobgp32.exe 1776 Dcdfdi32.exe 2852 Dbggpfci.exe 2396 Ehaolpke.exe 2988 Ekpkhkji.exe 2412 Efeoedjo.exe 2392 Egflml32.exe -
Loads dropped DLL 64 IoCs
pid Process 2628 f2f9af168a820e533edcac38d4a75ca6738b63d4e7666625b5b37558a298073f.exe 2628 f2f9af168a820e533edcac38d4a75ca6738b63d4e7666625b5b37558a298073f.exe 1752 Kgjjndeq.exe 1752 Kgjjndeq.exe 2472 Ohjkcile.exe 2472 Ohjkcile.exe 2952 Ocfiif32.exe 2952 Ocfiif32.exe 2740 Omnmal32.exe 2740 Omnmal32.exe 1628 Ojbnkp32.exe 1628 Ojbnkp32.exe 1796 Oqlfhjch.exe 1796 Oqlfhjch.exe 752 Pigklmqc.exe 752 Pigklmqc.exe 1256 Pfnhkq32.exe 1256 Pfnhkq32.exe 1540 Pkjqcg32.exe 1540 Pkjqcg32.exe 2312 Pqgilnji.exe 2312 Pqgilnji.exe 1696 Pkmmigjo.exe 1696 Pkmmigjo.exe 2304 Pajeanhf.exe 2304 Pajeanhf.exe 1872 Palbgn32.exe 1872 Palbgn32.exe 1824 Apclnj32.exe 1824 Apclnj32.exe 2368 Amglgn32.exe 2368 Amglgn32.exe 1516 Acadchoo.exe 1516 Acadchoo.exe 1084 Amjiln32.exe 1084 Amjiln32.exe 880 Almihjlj.exe 880 Almihjlj.exe 1400 Abgaeddg.exe 1400 Abgaeddg.exe 1384 Aeenapck.exe 1384 Aeenapck.exe 2872 Alofnj32.exe 2872 Alofnj32.exe 2020 Abinjdad.exe 2020 Abinjdad.exe 2708 Aegkfpah.exe 2708 Aegkfpah.exe 2696 Bjfpdf32.exe 2696 Bjfpdf32.exe 2564 Bmelpa32.exe 2564 Bmelpa32.exe 1188 Beldao32.exe 1188 Beldao32.exe 1580 Bfmqigba.exe 1580 Bfmqigba.exe 2784 Bjiljf32.exe 2784 Bjiljf32.exe 2712 Bmgifa32.exe 2712 Bmgifa32.exe 2656 Bpfebmia.exe 2656 Bpfebmia.exe 2940 Bhmmcjjd.exe 2940 Bhmmcjjd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nmhmmnpq.dll Fqhclqnc.exe File opened for modification C:\Windows\SysWOW64\Nfhpjaba.exe Ncjcnfcn.exe File created C:\Windows\SysWOW64\Oamaan32.exe Omaepoml.exe File created C:\Windows\SysWOW64\Edljfd32.exe Dmbbjjhj.exe File opened for modification C:\Windows\SysWOW64\Edjjph32.exe Ekaegbnd.exe File opened for modification C:\Windows\SysWOW64\Jpnfdbig.exe Jidngh32.exe File created C:\Windows\SysWOW64\Ajpbbhno.dll Cgogbano.exe File created C:\Windows\SysWOW64\Ehnpph32.exe Efmchp32.exe File created C:\Windows\SysWOW64\Fkhkha32.exe Fcacfd32.exe File opened for modification C:\Windows\SysWOW64\Chjmmnnb.exe Ciglaa32.exe File created C:\Windows\SysWOW64\Plneoace.exe Phbinc32.exe File created C:\Windows\SysWOW64\Dmmiiaba.dll Fkhkha32.exe File created C:\Windows\SysWOW64\Oecpeqdo.exe Olklmk32.exe File opened for modification C:\Windows\SysWOW64\Eadejede.exe Epchbm32.exe File created C:\Windows\SysWOW64\Gimkklpe.dll Pkjqcg32.exe File opened for modification C:\Windows\SysWOW64\Cniajdkg.exe Chmibmlo.exe File created C:\Windows\SysWOW64\Dhobgp32.exe Dbejjfek.exe File opened for modification C:\Windows\SysWOW64\Oclpdf32.exe Olehbh32.exe File created C:\Windows\SysWOW64\Jdhmel32.exe Jmaedolh.exe File opened for modification C:\Windows\SysWOW64\Bhmmcjjd.exe Bpfebmia.exe File opened for modification C:\Windows\SysWOW64\Efeoedjo.exe Ekpkhkji.exe File created C:\Windows\SysWOW64\Dkjcik32.dll Jqakompl.exe File created C:\Windows\SysWOW64\Agjahooi.exe Appikd32.exe File created C:\Windows\SysWOW64\Efmchp32.exe Epckkeek.exe File created C:\Windows\SysWOW64\Qofnfp32.dll Plneoace.exe File opened for modification C:\Windows\SysWOW64\Odnjbibf.exe Opbnbj32.exe File created C:\Windows\SysWOW64\Pcgphlkf.dll Oecpeqdo.exe File created C:\Windows\SysWOW64\Abaegjfb.dll Edjjph32.exe File created C:\Windows\SysWOW64\Mqkked32.exe Bjqjoolp.exe File created C:\Windows\SysWOW64\Ecpehoae.dll Pleqkb32.exe File created C:\Windows\SysWOW64\Negaeied.dll Pboihm32.exe File opened for modification C:\Windows\SysWOW64\Pkjqcg32.exe Pfnhkq32.exe File opened for modification C:\Windows\SysWOW64\Bmelpa32.exe Bjfpdf32.exe File created C:\Windows\SysWOW64\Bpfebmia.exe Bmgifa32.exe File opened for modification C:\Windows\SysWOW64\Jqakompl.exe Jgiffg32.exe File created C:\Windows\SysWOW64\Ehlqao32.exe Dcohih32.exe File opened for modification C:\Windows\SysWOW64\Alemjfpc.exe Aekenl32.exe File created C:\Windows\SysWOW64\Ajkjij32.exe Acabmpem.exe File opened for modification C:\Windows\SysWOW64\Bmgifa32.exe Bjiljf32.exe File created C:\Windows\SysWOW64\Mpgoaiep.dll Cdamao32.exe File created C:\Windows\SysWOW64\Kfqpmc32.exe Jkklpk32.exe File created C:\Windows\SysWOW64\Dccgpf32.exe Dadkdj32.exe File created C:\Windows\SysWOW64\Efkfbp32.exe Edljfd32.exe File created C:\Windows\SysWOW64\Paagkq32.exe Pnfkjb32.exe File created C:\Windows\SysWOW64\Afmack32.exe Agjahooi.exe File opened for modification C:\Windows\SysWOW64\Ahlnpg32.exe Afmack32.exe File created C:\Windows\SysWOW64\Cfagmn32.exe Cgogbano.exe File created C:\Windows\SysWOW64\Ilfjcpff.dll Dadkdj32.exe File created C:\Windows\SysWOW64\Bemnhgen.dll Kfqpmc32.exe File created C:\Windows\SysWOW64\Ekfaij32.exe Edmilpld.exe File created C:\Windows\SysWOW64\Kahmln32.dll Mookod32.exe File opened for modification C:\Windows\SysWOW64\Hphljkfk.exe Hnjonpgg.exe File created C:\Windows\SysWOW64\Opbnbj32.exe Ooabjbdn.exe File created C:\Windows\SysWOW64\Hnkmnpef.exe Ggaeae32.exe File opened for modification C:\Windows\SysWOW64\Hjbncqkj.exe Hchfff32.exe File created C:\Windows\SysWOW64\Kplfmfmf.exe Kmmiaknb.exe File created C:\Windows\SysWOW64\Ofbajq32.dll Lfbibfmi.exe File created C:\Windows\SysWOW64\Nimcallo.exe Nodikecl.exe File created C:\Windows\SysWOW64\Odknmi32.exe Oamaan32.exe File opened for modification C:\Windows\SysWOW64\Pdnfalea.exe Paojeafn.exe File opened for modification C:\Windows\SysWOW64\Pmgnan32.exe Pjhaec32.exe File created C:\Windows\SysWOW64\Fchigcab.exe Fpjmkhbo.exe File created C:\Windows\SysWOW64\Oiiakm32.dll Cjboeenh.exe File opened for modification C:\Windows\SysWOW64\Pkebig32.exe Poldnf32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oakdkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Odiagj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oecpeqdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ehpjmoio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qohfcmhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peblbj32.dll" Dbejjfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Akjhcimg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cbjbof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Celnjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onjjidlo.dll" Gdciej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pmgnan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhgkp32.dll" Jaoblk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jehbfjia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opcboqhc.dll" Mffgfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nqijmkfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdngpe32.dll" Giogonlb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mqkked32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kedonn32.dll" Pbmlbmfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnipid32.dll" Dmpedk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fjnkpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpbbn32.dll" Chmibmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahllk32.dll" Majfcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ddjmaebi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node f2f9af168a820e533edcac38d4a75ca6738b63d4e7666625b5b37558a298073f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idcnlffk.dll" Bbfnchfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiledbch.dll" Flbehbqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahjldnpp.dll" Jbjejojn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bkapla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffecbq32.dll" Fmidimen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggkben32.dll" Kgjjndeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goompeid.dll" Hdakej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieebfp32.dll" Plnhbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ediaanpp.dll" Jblbpnhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bppknhnn.dll" Pnfkjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqkloo32.dll" Ebfqbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nodikecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bkcmba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Chmibmlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pdnfalea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aekenl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljaqha32.dll" Ckeffdmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mhpigk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jbjejojn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nidoamch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eejgkg32.dll" Hphljkfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jqonjmbn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Efmchp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbpkc32.dll" Bejiehfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Majfcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pdpepejb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pqgilnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngnoa32.dll" Mkconepp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pleqkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cfagmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckeffdmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnkleo32.dll" Ceqjla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bknfeege.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pidnhdck.dll" Laccdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Paagkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndjhjkfi.dll" Aegkfpah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ognifi32.dll" Lpmjplag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inknaqhd.dll" Kbdmboqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bheqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fedinobh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2628 wrote to memory of 1752 2628 f2f9af168a820e533edcac38d4a75ca6738b63d4e7666625b5b37558a298073f.exe 29 PID 2628 wrote to memory of 1752 2628 f2f9af168a820e533edcac38d4a75ca6738b63d4e7666625b5b37558a298073f.exe 29 PID 2628 wrote to memory of 1752 2628 f2f9af168a820e533edcac38d4a75ca6738b63d4e7666625b5b37558a298073f.exe 29 PID 2628 wrote to memory of 1752 2628 f2f9af168a820e533edcac38d4a75ca6738b63d4e7666625b5b37558a298073f.exe 29 PID 1752 wrote to memory of 2472 1752 Kgjjndeq.exe 30 PID 1752 wrote to memory of 2472 1752 Kgjjndeq.exe 30 PID 1752 wrote to memory of 2472 1752 Kgjjndeq.exe 30 PID 1752 wrote to memory of 2472 1752 Kgjjndeq.exe 30 PID 2472 wrote to memory of 2952 2472 Ohjkcile.exe 31 PID 2472 wrote to memory of 2952 2472 Ohjkcile.exe 31 PID 2472 wrote to memory of 2952 2472 Ohjkcile.exe 31 PID 2472 wrote to memory of 2952 2472 Ohjkcile.exe 31 PID 2952 wrote to memory of 2740 2952 Ocfiif32.exe 32 PID 2952 wrote to memory of 2740 2952 Ocfiif32.exe 32 PID 2952 wrote to memory of 2740 2952 Ocfiif32.exe 32 PID 2952 wrote to memory of 2740 2952 Ocfiif32.exe 32 PID 2740 wrote to memory of 1628 2740 Omnmal32.exe 33 PID 2740 wrote to memory of 1628 2740 Omnmal32.exe 33 PID 2740 wrote to memory of 1628 2740 Omnmal32.exe 33 PID 2740 wrote to memory of 1628 2740 Omnmal32.exe 33 PID 1628 wrote to memory of 1796 1628 Ojbnkp32.exe 34 PID 1628 wrote to memory of 1796 1628 Ojbnkp32.exe 34 PID 1628 wrote to memory of 1796 1628 Ojbnkp32.exe 34 PID 1628 wrote to memory of 1796 1628 Ojbnkp32.exe 34 PID 1796 wrote to memory of 752 1796 Oqlfhjch.exe 35 PID 1796 wrote to memory of 752 1796 Oqlfhjch.exe 35 PID 1796 wrote to memory of 752 1796 Oqlfhjch.exe 35 PID 1796 wrote to memory of 752 1796 Oqlfhjch.exe 35 PID 752 wrote to memory of 1256 752 Pigklmqc.exe 36 PID 752 wrote to memory of 1256 752 Pigklmqc.exe 36 PID 752 wrote to memory of 1256 752 Pigklmqc.exe 36 PID 752 wrote to memory of 1256 752 Pigklmqc.exe 36 PID 1256 wrote to memory of 1540 1256 Pfnhkq32.exe 37 PID 1256 wrote to memory of 1540 1256 Pfnhkq32.exe 37 PID 1256 wrote to memory of 1540 1256 Pfnhkq32.exe 37 PID 1256 wrote to memory of 1540 1256 Pfnhkq32.exe 37 PID 1540 wrote to memory of 2312 1540 Pkjqcg32.exe 38 PID 1540 wrote to memory of 2312 1540 Pkjqcg32.exe 38 PID 1540 wrote to memory of 2312 1540 Pkjqcg32.exe 38 PID 1540 wrote to memory of 2312 1540 Pkjqcg32.exe 38 PID 2312 wrote to memory of 1696 2312 Pqgilnji.exe 39 PID 2312 wrote to memory of 1696 2312 Pqgilnji.exe 39 PID 2312 wrote to memory of 1696 2312 Pqgilnji.exe 39 PID 2312 wrote to memory of 1696 2312 Pqgilnji.exe 39 PID 1696 wrote to memory of 2304 1696 Pkmmigjo.exe 40 PID 1696 wrote to memory of 2304 1696 Pkmmigjo.exe 40 PID 1696 wrote to memory of 2304 1696 Pkmmigjo.exe 40 PID 1696 wrote to memory of 2304 1696 Pkmmigjo.exe 40 PID 2304 wrote to memory of 1872 2304 Pajeanhf.exe 41 PID 2304 wrote to memory of 1872 2304 Pajeanhf.exe 41 PID 2304 wrote to memory of 1872 2304 Pajeanhf.exe 41 PID 2304 wrote to memory of 1872 2304 Pajeanhf.exe 41 PID 1872 wrote to memory of 1824 1872 Palbgn32.exe 42 PID 1872 wrote to memory of 1824 1872 Palbgn32.exe 42 PID 1872 wrote to memory of 1824 1872 Palbgn32.exe 42 PID 1872 wrote to memory of 1824 1872 Palbgn32.exe 42 PID 1824 wrote to memory of 2368 1824 Apclnj32.exe 43 PID 1824 wrote to memory of 2368 1824 Apclnj32.exe 43 PID 1824 wrote to memory of 2368 1824 Apclnj32.exe 43 PID 1824 wrote to memory of 2368 1824 Apclnj32.exe 43 PID 2368 wrote to memory of 1516 2368 Amglgn32.exe 44 PID 2368 wrote to memory of 1516 2368 Amglgn32.exe 44 PID 2368 wrote to memory of 1516 2368 Amglgn32.exe 44 PID 2368 wrote to memory of 1516 2368 Amglgn32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\f2f9af168a820e533edcac38d4a75ca6738b63d4e7666625b5b37558a298073f.exe"C:\Users\Admin\AppData\Local\Temp\f2f9af168a820e533edcac38d4a75ca6738b63d4e7666625b5b37558a298073f.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Kgjjndeq.exeC:\Windows\system32\Kgjjndeq.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Ohjkcile.exeC:\Windows\system32\Ohjkcile.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Ocfiif32.exeC:\Windows\system32\Ocfiif32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Omnmal32.exeC:\Windows\system32\Omnmal32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Ojbnkp32.exeC:\Windows\system32\Ojbnkp32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Oqlfhjch.exeC:\Windows\system32\Oqlfhjch.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Pigklmqc.exeC:\Windows\system32\Pigklmqc.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Windows\SysWOW64\Pfnhkq32.exeC:\Windows\system32\Pfnhkq32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Pkjqcg32.exeC:\Windows\system32\Pkjqcg32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Pqgilnji.exeC:\Windows\system32\Pqgilnji.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Pkmmigjo.exeC:\Windows\system32\Pkmmigjo.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Pajeanhf.exeC:\Windows\system32\Pajeanhf.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Palbgn32.exeC:\Windows\system32\Palbgn32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\Apclnj32.exeC:\Windows\system32\Apclnj32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Amglgn32.exeC:\Windows\system32\Amglgn32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Acadchoo.exeC:\Windows\system32\Acadchoo.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Amjiln32.exeC:\Windows\system32\Amjiln32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1084 -
C:\Windows\SysWOW64\Almihjlj.exeC:\Windows\system32\Almihjlj.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:880 -
C:\Windows\SysWOW64\Abgaeddg.exeC:\Windows\system32\Abgaeddg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1400 -
C:\Windows\SysWOW64\Aeenapck.exeC:\Windows\system32\Aeenapck.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1384 -
C:\Windows\SysWOW64\Alofnj32.exeC:\Windows\system32\Alofnj32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Windows\SysWOW64\Abinjdad.exeC:\Windows\system32\Abinjdad.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2020 -
C:\Windows\SysWOW64\Aegkfpah.exeC:\Windows\system32\Aegkfpah.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Bjfpdf32.exeC:\Windows\system32\Bjfpdf32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2696 -
C:\Windows\SysWOW64\Bmelpa32.exeC:\Windows\system32\Bmelpa32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Beldao32.exeC:\Windows\system32\Beldao32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1188 -
C:\Windows\SysWOW64\Bfmqigba.exeC:\Windows\system32\Bfmqigba.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1580 -
C:\Windows\SysWOW64\Bjiljf32.exeC:\Windows\system32\Bjiljf32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Bmgifa32.exeC:\Windows\system32\Bmgifa32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Bpfebmia.exeC:\Windows\system32\Bpfebmia.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\Bhmmcjjd.exeC:\Windows\system32\Bhmmcjjd.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2940 -
C:\Windows\SysWOW64\Binikb32.exeC:\Windows\system32\Binikb32.exe33⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Bphaglgo.exeC:\Windows\system32\Bphaglgo.exe34⤵
- Executes dropped EXE
PID:368 -
C:\Windows\SysWOW64\Bbfnchfb.exeC:\Windows\system32\Bbfnchfb.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Bknfeege.exeC:\Windows\system32\Bknfeege.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Blobmm32.exeC:\Windows\system32\Blobmm32.exe37⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Bmnofp32.exeC:\Windows\system32\Bmnofp32.exe38⤵
- Executes dropped EXE
PID:472 -
C:\Windows\SysWOW64\Bpmkbl32.exeC:\Windows\system32\Bpmkbl32.exe39⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Cggcofkf.exeC:\Windows\system32\Cggcofkf.exe40⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Cpohhk32.exeC:\Windows\system32\Cpohhk32.exe41⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Ccnddg32.exeC:\Windows\system32\Ccnddg32.exe42⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Ciglaa32.exeC:\Windows\system32\Ciglaa32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1884 -
C:\Windows\SysWOW64\Chjmmnnb.exeC:\Windows\system32\Chjmmnnb.exe44⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Codeih32.exeC:\Windows\system32\Codeih32.exe45⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Cdamao32.exeC:\Windows\system32\Cdamao32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2172 -
C:\Windows\SysWOW64\Chmibmlo.exeC:\Windows\system32\Chmibmlo.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Cniajdkg.exeC:\Windows\system32\Cniajdkg.exe48⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Ceqjla32.exeC:\Windows\system32\Ceqjla32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Ckmbdh32.exeC:\Windows\system32\Ckmbdh32.exe50⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Cnlnpd32.exeC:\Windows\system32\Cnlnpd32.exe51⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Cdfgmnpa.exeC:\Windows\system32\Cdfgmnpa.exe52⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Chabmm32.exeC:\Windows\system32\Chabmm32.exe53⤵
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Cjboeenh.exeC:\Windows\system32\Cjboeenh.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1180 -
C:\Windows\SysWOW64\Dajgfboj.exeC:\Windows\system32\Dajgfboj.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Dhleaq32.exeC:\Windows\system32\Dhleaq32.exe56⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Dofnnkfg.exeC:\Windows\system32\Dofnnkfg.exe57⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Dbejjfek.exeC:\Windows\system32\Dbejjfek.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Dhobgp32.exeC:\Windows\system32\Dhobgp32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Dcdfdi32.exeC:\Windows\system32\Dcdfdi32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Dbggpfci.exeC:\Windows\system32\Dbggpfci.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Ehaolpke.exeC:\Windows\system32\Ehaolpke.exe62⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Ekpkhkji.exeC:\Windows\system32\Ekpkhkji.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2988 -
C:\Windows\SysWOW64\Efeoedjo.exeC:\Windows\system32\Efeoedjo.exe64⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Egflml32.exeC:\Windows\system32\Egflml32.exe65⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Enpdjfgj.exeC:\Windows\system32\Enpdjfgj.exe66⤵PID:1704
-
C:\Windows\SysWOW64\Edjlgq32.exeC:\Windows\system32\Edjlgq32.exe67⤵PID:268
-
C:\Windows\SysWOW64\Ekddck32.exeC:\Windows\system32\Ekddck32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2756 -
C:\Windows\SysWOW64\Ebnmpemq.exeC:\Windows\system32\Ebnmpemq.exe69⤵PID:340
-
C:\Windows\SysWOW64\Edmilpld.exeC:\Windows\system32\Edmilpld.exe70⤵
- Drops file in System32 directory
PID:1220 -
C:\Windows\SysWOW64\Ekfaij32.exeC:\Windows\system32\Ekfaij32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:528 -
C:\Windows\SysWOW64\Emhnqbjo.exeC:\Windows\system32\Emhnqbjo.exe72⤵PID:2616
-
C:\Windows\SysWOW64\Edofbpja.exeC:\Windows\system32\Edofbpja.exe73⤵PID:2360
-
C:\Windows\SysWOW64\Efpbih32.exeC:\Windows\system32\Efpbih32.exe74⤵PID:328
-
C:\Windows\SysWOW64\Emjjfb32.exeC:\Windows\system32\Emjjfb32.exe75⤵PID:1020
-
C:\Windows\SysWOW64\Fgpock32.exeC:\Windows\system32\Fgpock32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:848 -
C:\Windows\SysWOW64\Fjnkpf32.exeC:\Windows\system32\Fjnkpf32.exe77⤵
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Fqhclqnc.exeC:\Windows\system32\Fqhclqnc.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2992 -
C:\Windows\SysWOW64\Fbipdi32.exeC:\Windows\system32\Fbipdi32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:816 -
C:\Windows\SysWOW64\Fichqckn.exeC:\Windows\system32\Fichqckn.exe80⤵PID:2252
-
C:\Windows\SysWOW64\Fldabn32.exeC:\Windows\system32\Fldabn32.exe81⤵PID:2328
-
C:\Windows\SysWOW64\Bpengf32.exeC:\Windows\system32\Bpengf32.exe82⤵PID:1924
-
C:\Windows\SysWOW64\Hmneebeb.exeC:\Windows\system32\Hmneebeb.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1584 -
C:\Windows\SysWOW64\Bejiehfi.exeC:\Windows\system32\Bejiehfi.exe84⤵
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Dlhdjh32.exeC:\Windows\system32\Dlhdjh32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2444 -
C:\Windows\SysWOW64\Dcblgbfe.exeC:\Windows\system32\Dcblgbfe.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2828 -
C:\Windows\SysWOW64\Jnhnmckc.exeC:\Windows\system32\Jnhnmckc.exe87⤵PID:2716
-
C:\Windows\SysWOW64\Nhpdkm32.exeC:\Windows\system32\Nhpdkm32.exe88⤵PID:2792
-
C:\Windows\SysWOW64\Phbinc32.exeC:\Windows\system32\Phbinc32.exe89⤵
- Drops file in System32 directory
PID:1004 -
C:\Windows\SysWOW64\Plneoace.exeC:\Windows\system32\Plneoace.exe90⤵
- Drops file in System32 directory
PID:736 -
C:\Windows\SysWOW64\Lobbpg32.exeC:\Windows\system32\Lobbpg32.exe91⤵PID:1740
-
C:\Windows\SysWOW64\Plaoim32.exeC:\Windows\system32\Plaoim32.exe92⤵PID:2276
-
C:\Windows\SysWOW64\Flbehbqm.exeC:\Windows\system32\Flbehbqm.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Ibhieo32.exeC:\Windows\system32\Ibhieo32.exe94⤵PID:2476
-
C:\Windows\SysWOW64\Jmmmbg32.exeC:\Windows\system32\Jmmmbg32.exe95⤵PID:2224
-
C:\Windows\SysWOW64\Jplinckj.exeC:\Windows\system32\Jplinckj.exe96⤵PID:2520
-
C:\Windows\SysWOW64\Jbjejojn.exeC:\Windows\system32\Jbjejojn.exe97⤵
- Modifies registry class
PID:1372 -
C:\Windows\SysWOW64\Jehbfjia.exeC:\Windows\system32\Jehbfjia.exe98⤵
- Modifies registry class
PID:1168 -
C:\Windows\SysWOW64\Jidngh32.exeC:\Windows\system32\Jidngh32.exe99⤵
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\Jpnfdbig.exeC:\Windows\system32\Jpnfdbig.exe100⤵PID:1336
-
C:\Windows\SysWOW64\Jblbpnhk.exeC:\Windows\system32\Jblbpnhk.exe101⤵
- Modifies registry class
PID:1196 -
C:\Windows\SysWOW64\Jaoblk32.exeC:\Windows\system32\Jaoblk32.exe102⤵
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Jifkmh32.exeC:\Windows\system32\Jifkmh32.exe103⤵PID:2880
-
C:\Windows\SysWOW64\Jdplmflg.exeC:\Windows\system32\Jdplmflg.exe104⤵PID:2376
-
C:\Windows\SysWOW64\Jjjdjp32.exeC:\Windows\system32\Jjjdjp32.exe105⤵PID:1732
-
C:\Windows\SysWOW64\Jadlgjjq.exeC:\Windows\system32\Jadlgjjq.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2020 -
C:\Windows\SysWOW64\Jfadoaih.exeC:\Windows\system32\Jfadoaih.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:556 -
C:\Windows\SysWOW64\Johlpoij.exeC:\Windows\system32\Johlpoij.exe108⤵PID:2824
-
C:\Windows\SysWOW64\Jafilj32.exeC:\Windows\system32\Jafilj32.exe109⤵PID:1724
-
C:\Windows\SysWOW64\Kdeehe32.exeC:\Windows\system32\Kdeehe32.exe110⤵PID:2888
-
C:\Windows\SysWOW64\Kiamql32.exeC:\Windows\system32\Kiamql32.exe111⤵PID:332
-
C:\Windows\SysWOW64\Kmmiaknb.exeC:\Windows\system32\Kmmiaknb.exe112⤵
- Drops file in System32 directory
PID:1156 -
C:\Windows\SysWOW64\Kplfmfmf.exeC:\Windows\system32\Kplfmfmf.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1112 -
C:\Windows\SysWOW64\Kbjbibli.exeC:\Windows\system32\Kbjbibli.exe114⤵PID:3056
-
C:\Windows\SysWOW64\Kidjfl32.exeC:\Windows\system32\Kidjfl32.exe115⤵PID:2636
-
C:\Windows\SysWOW64\Kpnbcfkc.exeC:\Windows\system32\Kpnbcfkc.exe116⤵PID:964
-
C:\Windows\SysWOW64\Kghkppbp.exeC:\Windows\system32\Kghkppbp.exe117⤵PID:1664
-
C:\Windows\SysWOW64\Kekkkm32.exeC:\Windows\system32\Kekkkm32.exe118⤵PID:1080
-
C:\Windows\SysWOW64\Kmbclj32.exeC:\Windows\system32\Kmbclj32.exe119⤵PID:2380
-
C:\Windows\SysWOW64\Kocodbpk.exeC:\Windows\system32\Kocodbpk.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1748 -
C:\Windows\SysWOW64\Kemgqm32.exeC:\Windows\system32\Kemgqm32.exe121⤵PID:1320
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-