Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
03/06/2024, 22:24
Static task
static1
Behavioral task
behavioral1
Sample
64b27c62f723a1c96b2b01c5c7dd4d29765bd1634f0a7971069f39e14cdeb7e8.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
64b27c62f723a1c96b2b01c5c7dd4d29765bd1634f0a7971069f39e14cdeb7e8.exe
Resource
win10v2004-20240426-en
General
-
Target
64b27c62f723a1c96b2b01c5c7dd4d29765bd1634f0a7971069f39e14cdeb7e8.exe
-
Size
296KB
-
MD5
125c5d96523dcce76bb86b3555ee998c
-
SHA1
c536403f357a000d1ecc973c3e05b01af1fa2e83
-
SHA256
64b27c62f723a1c96b2b01c5c7dd4d29765bd1634f0a7971069f39e14cdeb7e8
-
SHA512
559a3ff6bcaf9067cfbb31e838cfdec4b9036e4fb415f7350c4f6a71a79fba83ce7137fdbb5f1ef5195ed85167d3c5cf89fa08fd6215f4ab70005e6b23b4d146
-
SSDEEP
3072:M9XPiYYfD7/SYNi0uARA1+6NhZ6P0c9fpxg6pg:MJ4fDbXkNPKG6g
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkfjhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhmbagfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igkdgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kihqkagp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndmjedoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Claifkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnjdhmdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpiipf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnccfpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjenhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejobhppq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdjefj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejobhppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmpfojmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bghjhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkncmmle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqhpdhcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbqabkql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpeofk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndbcpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejbfhfaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhjhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obojhlbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dndlim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjijdadm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmjfdejp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aamfnkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebmgcohn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcfcmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmhmpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ooeggp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejgcdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inngcfid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kaklpcoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lafndg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfcampgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahchbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbpodagk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keanebkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckdjbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhjhkq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iggkllpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lafndg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnajilng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omdneebf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ednpej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebpkce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gelppaof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnajilng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfadgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egjpkffe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bghabf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncgdbmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gldkfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abmbhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bifgdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccahbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcpofbjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjdfmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dglpbbbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aenbdoii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lafndg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnpnndgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpfkqb32.exe -
Executes dropped EXE 64 IoCs
pid Process 2756 Ocomlemo.exe 2920 Ojieip32.exe 2592 Ongnonkb.exe 2660 Paejki32.exe 2476 Paggai32.exe 2928 Pcfcmd32.exe 2604 Pjpkjond.exe 1272 Pmnhfjmg.exe 2748 Pchpbded.exe 2332 Pmqdkj32.exe 276 Pigeqkai.exe 1940 Ppamme32.exe 1488 Pbpjiphi.exe 1924 Qhmbagfa.exe 540 Qaefjm32.exe 1644 Qhooggdn.exe 2404 Qjmkcbcb.exe 2304 Qmlgonbe.exe 1584 Amndem32.exe 944 Aplpai32.exe 3036 Ahchbf32.exe 592 Affhncfc.exe 2832 Ampqjm32.exe 3004 Apomfh32.exe 872 Afiecb32.exe 1928 Aigaon32.exe 2988 Alenki32.exe 2924 Admemg32.exe 2568 Aenbdoii.exe 2468 Aiinen32.exe 2432 Alhjai32.exe 2900 Abbbnchb.exe 1632 Aepojo32.exe 2700 Ahokfj32.exe 2208 Bpfcgg32.exe 2556 Bagpopmj.exe 2356 Blmdlhmp.exe 1228 Bkodhe32.exe 2416 Beehencq.exe 1284 Bdhhqk32.exe 588 Bhcdaibd.exe 1800 Begeknan.exe 2132 Bdjefj32.exe 2076 Bghabf32.exe 1668 Bkdmcdoe.exe 808 Bnbjopoi.exe 552 Bpafkknm.exe 3060 Bhhnli32.exe 2204 Bkfjhd32.exe 2020 Bjijdadm.exe 1532 Baqbenep.exe 2636 Bpcbqk32.exe 2768 Bcaomf32.exe 2816 Ckignd32.exe 2388 Cngcjo32.exe 2500 Cpeofk32.exe 2472 Cgpgce32.exe 2812 Cjndop32.exe 2312 Cllpkl32.exe 1300 Coklgg32.exe 2704 Cgbdhd32.exe 1676 Cjpqdp32.exe 300 Clomqk32.exe 1736 Comimg32.exe -
Loads dropped DLL 64 IoCs
pid Process 2096 64b27c62f723a1c96b2b01c5c7dd4d29765bd1634f0a7971069f39e14cdeb7e8.exe 2096 64b27c62f723a1c96b2b01c5c7dd4d29765bd1634f0a7971069f39e14cdeb7e8.exe 2756 Ocomlemo.exe 2756 Ocomlemo.exe 2920 Ojieip32.exe 2920 Ojieip32.exe 2592 Ongnonkb.exe 2592 Ongnonkb.exe 2660 Paejki32.exe 2660 Paejki32.exe 2476 Paggai32.exe 2476 Paggai32.exe 2928 Pcfcmd32.exe 2928 Pcfcmd32.exe 2604 Pjpkjond.exe 2604 Pjpkjond.exe 1272 Pmnhfjmg.exe 1272 Pmnhfjmg.exe 2748 Pchpbded.exe 2748 Pchpbded.exe 2332 Pmqdkj32.exe 2332 Pmqdkj32.exe 276 Pigeqkai.exe 276 Pigeqkai.exe 1940 Ppamme32.exe 1940 Ppamme32.exe 1488 Pbpjiphi.exe 1488 Pbpjiphi.exe 1924 Qhmbagfa.exe 1924 Qhmbagfa.exe 540 Qaefjm32.exe 540 Qaefjm32.exe 1644 Qhooggdn.exe 1644 Qhooggdn.exe 2404 Qjmkcbcb.exe 2404 Qjmkcbcb.exe 2304 Qmlgonbe.exe 2304 Qmlgonbe.exe 1584 Amndem32.exe 1584 Amndem32.exe 944 Aplpai32.exe 944 Aplpai32.exe 3036 Ahchbf32.exe 3036 Ahchbf32.exe 592 Affhncfc.exe 592 Affhncfc.exe 2832 Ampqjm32.exe 2832 Ampqjm32.exe 3004 Apomfh32.exe 3004 Apomfh32.exe 872 Afiecb32.exe 872 Afiecb32.exe 1928 Aigaon32.exe 1928 Aigaon32.exe 2988 Alenki32.exe 2988 Alenki32.exe 2924 Admemg32.exe 2924 Admemg32.exe 2568 Aenbdoii.exe 2568 Aenbdoii.exe 2468 Aiinen32.exe 2468 Aiinen32.exe 2432 Alhjai32.exe 2432 Alhjai32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Eecqjpee.exe Ebedndfa.exe File created C:\Windows\SysWOW64\Iebpge32.dll Gelppaof.exe File opened for modification C:\Windows\SysWOW64\Hhjhkq32.exe Hellne32.exe File created C:\Windows\SysWOW64\Omdneebf.exe Obojhlbq.exe File opened for modification C:\Windows\SysWOW64\Cldooj32.exe Ckccgane.exe File created C:\Windows\SysWOW64\Bgagbb32.dll Mpdnkb32.exe File created C:\Windows\SysWOW64\Gljilnja.dll Pefijfii.exe File created C:\Windows\SysWOW64\Dbkknojp.exe Dnoomqbg.exe File opened for modification C:\Windows\SysWOW64\Comimg32.exe Clomqk32.exe File opened for modification C:\Windows\SysWOW64\Dqelenlc.exe Dodonf32.exe File created C:\Windows\SysWOW64\Fglhobmg.dll Dodonf32.exe File opened for modification C:\Windows\SysWOW64\Djefobmk.exe Dgfjbgmh.exe File created C:\Windows\SysWOW64\Naoniipe.exe Nkeelohh.exe File created C:\Windows\SysWOW64\Ihomanac.dll Begeknan.exe File opened for modification C:\Windows\SysWOW64\Globlmmj.exe Fiaeoang.exe File created C:\Windows\SysWOW64\Jdnaob32.dll Ilknfn32.exe File opened for modification C:\Windows\SysWOW64\Ojolhk32.exe Ngpolo32.exe File opened for modification C:\Windows\SysWOW64\Hellne32.exe Hcnpbi32.exe File opened for modification C:\Windows\SysWOW64\Bdbhke32.exe Bpgljfbl.exe File opened for modification C:\Windows\SysWOW64\Fckjalhj.exe Fehjeo32.exe File created C:\Windows\SysWOW64\Delpclld.dll Mmfbogcn.exe File created C:\Windows\SysWOW64\Gkddnkjk.dll Aigaon32.exe File created C:\Windows\SysWOW64\Qinopgfb.dll Baqbenep.exe File opened for modification C:\Windows\SysWOW64\Dmoipopd.exe Djpmccqq.exe File opened for modification C:\Windows\SysWOW64\Kfegbj32.exe Kgbggnhc.exe File created C:\Windows\SysWOW64\Ffpncj32.dll Edpmjj32.exe File created C:\Windows\SysWOW64\Admemg32.exe Alenki32.exe File created C:\Windows\SysWOW64\Dnneja32.exe Dfgmhd32.exe File created C:\Windows\SysWOW64\Jkamkfgh.dll Ffnphf32.exe File created C:\Windows\SysWOW64\Fbgmbg32.exe Fphafl32.exe File opened for modification C:\Windows\SysWOW64\Gogangdc.exe Ghmiam32.exe File created C:\Windows\SysWOW64\Dpbnlj32.dll Jgidao32.exe File created C:\Windows\SysWOW64\Keanebkb.exe Kmjfdejp.exe File opened for modification C:\Windows\SysWOW64\Dfmdho32.exe Cldooj32.exe File created C:\Windows\SysWOW64\Niifne32.dll Cobbhfhg.exe File created C:\Windows\SysWOW64\Hpmgqnfl.exe Hnojdcfi.exe File created C:\Windows\SysWOW64\Ihoafpmp.exe Idceea32.exe File created C:\Windows\SysWOW64\Mpbaebdd.exe Mmceigep.exe File created C:\Windows\SysWOW64\Pklhlael.exe Pdaoog32.exe File created C:\Windows\SysWOW64\Qaefjm32.exe Qhmbagfa.exe File created C:\Windows\SysWOW64\Kjqipbka.dll Blmdlhmp.exe File opened for modification C:\Windows\SysWOW64\Eiaiqn32.exe Epieghdk.exe File created C:\Windows\SysWOW64\Mnjdbp32.dll Qcpofbjl.exe File opened for modification C:\Windows\SysWOW64\Bpnbkeld.exe Bmpfojmp.exe File created C:\Windows\SysWOW64\Hokefmej.dll Affhncfc.exe File opened for modification C:\Windows\SysWOW64\Jfqahgpg.exe Jmhmpb32.exe File opened for modification C:\Windows\SysWOW64\Nocnbmoo.exe Ndmjedoi.exe File opened for modification C:\Windows\SysWOW64\Eqbddk32.exe Endhhp32.exe File opened for modification C:\Windows\SysWOW64\Bdhhqk32.exe Beehencq.exe File created C:\Windows\SysWOW64\Lkcmiimi.dll Dkkpbgli.exe File created C:\Windows\SysWOW64\Eiaiqn32.exe Epieghdk.exe File created C:\Windows\SysWOW64\Pnbgan32.dll Hjjddchg.exe File opened for modification C:\Windows\SysWOW64\Mggpgmof.exe Mhdplq32.exe File created C:\Windows\SysWOW64\Pfioffab.dll Albjlcao.exe File created C:\Windows\SysWOW64\Egoife32.exe Edpmjj32.exe File created C:\Windows\SysWOW64\Fdilpjih.dll Eojnkg32.exe File opened for modification C:\Windows\SysWOW64\Fidoim32.exe Effcma32.exe File created C:\Windows\SysWOW64\Jadhjcfk.dll Pigeqkai.exe File created C:\Windows\SysWOW64\Qahefm32.dll Ghfbqn32.exe File created C:\Windows\SysWOW64\Ohkgmi32.dll Mkgfckcj.exe File opened for modification C:\Windows\SysWOW64\Ajjcbpdd.exe Ahlgfdeq.exe File opened for modification C:\Windows\SysWOW64\Egjpkffe.exe Edkcojga.exe File created C:\Windows\SysWOW64\Ongnonkb.exe Ojieip32.exe File opened for modification C:\Windows\SysWOW64\Ekholjqg.exe Eijcpoac.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4696 4692 WerFault.exe 429 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkodhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfegbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hcplhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lafndg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Biamilfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djmicm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emnndlod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdjefj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bcaomf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jfqahgpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhhaff32.dll" Pchpbded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Alpmfdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbhnhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjhknm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhjhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cddfocpb.dll" Keanebkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlbjhf32.dll" Lhpfqama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mdkqqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimkgn32.dll" Gogangdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll" Hiqbndpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlcgeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpnojioo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hckcmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iemkjqde.dll" Lijjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmccegik.dll" Okgnab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbokmqie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncffdfn.dll" Bhcdaibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmnafl32.dll" Kmaled32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fioeja32.dll" Oqkqkdne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mamddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpioaoic.dll" Qmicohqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fglhobmg.dll" Dodonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghmiam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjnfniii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qbelgood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnmehnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Effcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gclcefmh.dll" Cpeofk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckdjbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgecelp.dll" Idfbkq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ngpolo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbiaej32.dll" Bmkmdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpiddoma.dll" Cklmgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dglpbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qhmbagfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qaefjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkppbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qmicohqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhgmapfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oqkqkdne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Piphee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Endhhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfgdhjmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpphap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qjjgclai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Meccii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjcabmga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emnndlod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aigaon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabknqko.dll" Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mmceigep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Clomqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmocpado.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2096 wrote to memory of 2756 2096 64b27c62f723a1c96b2b01c5c7dd4d29765bd1634f0a7971069f39e14cdeb7e8.exe 28 PID 2096 wrote to memory of 2756 2096 64b27c62f723a1c96b2b01c5c7dd4d29765bd1634f0a7971069f39e14cdeb7e8.exe 28 PID 2096 wrote to memory of 2756 2096 64b27c62f723a1c96b2b01c5c7dd4d29765bd1634f0a7971069f39e14cdeb7e8.exe 28 PID 2096 wrote to memory of 2756 2096 64b27c62f723a1c96b2b01c5c7dd4d29765bd1634f0a7971069f39e14cdeb7e8.exe 28 PID 2756 wrote to memory of 2920 2756 Ocomlemo.exe 29 PID 2756 wrote to memory of 2920 2756 Ocomlemo.exe 29 PID 2756 wrote to memory of 2920 2756 Ocomlemo.exe 29 PID 2756 wrote to memory of 2920 2756 Ocomlemo.exe 29 PID 2920 wrote to memory of 2592 2920 Ojieip32.exe 30 PID 2920 wrote to memory of 2592 2920 Ojieip32.exe 30 PID 2920 wrote to memory of 2592 2920 Ojieip32.exe 30 PID 2920 wrote to memory of 2592 2920 Ojieip32.exe 30 PID 2592 wrote to memory of 2660 2592 Ongnonkb.exe 31 PID 2592 wrote to memory of 2660 2592 Ongnonkb.exe 31 PID 2592 wrote to memory of 2660 2592 Ongnonkb.exe 31 PID 2592 wrote to memory of 2660 2592 Ongnonkb.exe 31 PID 2660 wrote to memory of 2476 2660 Paejki32.exe 32 PID 2660 wrote to memory of 2476 2660 Paejki32.exe 32 PID 2660 wrote to memory of 2476 2660 Paejki32.exe 32 PID 2660 wrote to memory of 2476 2660 Paejki32.exe 32 PID 2476 wrote to memory of 2928 2476 Paggai32.exe 33 PID 2476 wrote to memory of 2928 2476 Paggai32.exe 33 PID 2476 wrote to memory of 2928 2476 Paggai32.exe 33 PID 2476 wrote to memory of 2928 2476 Paggai32.exe 33 PID 2928 wrote to memory of 2604 2928 Pcfcmd32.exe 34 PID 2928 wrote to memory of 2604 2928 Pcfcmd32.exe 34 PID 2928 wrote to memory of 2604 2928 Pcfcmd32.exe 34 PID 2928 wrote to memory of 2604 2928 Pcfcmd32.exe 34 PID 2604 wrote to memory of 1272 2604 Pjpkjond.exe 35 PID 2604 wrote to memory of 1272 2604 Pjpkjond.exe 35 PID 2604 wrote to memory of 1272 2604 Pjpkjond.exe 35 PID 2604 wrote to memory of 1272 2604 Pjpkjond.exe 35 PID 1272 wrote to memory of 2748 1272 Pmnhfjmg.exe 36 PID 1272 wrote to memory of 2748 1272 Pmnhfjmg.exe 36 PID 1272 wrote to memory of 2748 1272 Pmnhfjmg.exe 36 PID 1272 wrote to memory of 2748 1272 Pmnhfjmg.exe 36 PID 2748 wrote to memory of 2332 2748 Pchpbded.exe 37 PID 2748 wrote to memory of 2332 2748 Pchpbded.exe 37 PID 2748 wrote to memory of 2332 2748 Pchpbded.exe 37 PID 2748 wrote to memory of 2332 2748 Pchpbded.exe 37 PID 2332 wrote to memory of 276 2332 Pmqdkj32.exe 38 PID 2332 wrote to memory of 276 2332 Pmqdkj32.exe 38 PID 2332 wrote to memory of 276 2332 Pmqdkj32.exe 38 PID 2332 wrote to memory of 276 2332 Pmqdkj32.exe 38 PID 276 wrote to memory of 1940 276 Pigeqkai.exe 39 PID 276 wrote to memory of 1940 276 Pigeqkai.exe 39 PID 276 wrote to memory of 1940 276 Pigeqkai.exe 39 PID 276 wrote to memory of 1940 276 Pigeqkai.exe 39 PID 1940 wrote to memory of 1488 1940 Ppamme32.exe 40 PID 1940 wrote to memory of 1488 1940 Ppamme32.exe 40 PID 1940 wrote to memory of 1488 1940 Ppamme32.exe 40 PID 1940 wrote to memory of 1488 1940 Ppamme32.exe 40 PID 1488 wrote to memory of 1924 1488 Pbpjiphi.exe 41 PID 1488 wrote to memory of 1924 1488 Pbpjiphi.exe 41 PID 1488 wrote to memory of 1924 1488 Pbpjiphi.exe 41 PID 1488 wrote to memory of 1924 1488 Pbpjiphi.exe 41 PID 1924 wrote to memory of 540 1924 Qhmbagfa.exe 42 PID 1924 wrote to memory of 540 1924 Qhmbagfa.exe 42 PID 1924 wrote to memory of 540 1924 Qhmbagfa.exe 42 PID 1924 wrote to memory of 540 1924 Qhmbagfa.exe 42 PID 540 wrote to memory of 1644 540 Qaefjm32.exe 43 PID 540 wrote to memory of 1644 540 Qaefjm32.exe 43 PID 540 wrote to memory of 1644 540 Qaefjm32.exe 43 PID 540 wrote to memory of 1644 540 Qaefjm32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\64b27c62f723a1c96b2b01c5c7dd4d29765bd1634f0a7971069f39e14cdeb7e8.exe"C:\Users\Admin\AppData\Local\Temp\64b27c62f723a1c96b2b01c5c7dd4d29765bd1634f0a7971069f39e14cdeb7e8.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:276 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:944 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:592 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:872 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1928 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2988 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2924 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2468 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2432 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe33⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe34⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe35⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe36⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe37⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2356 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1228 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe41⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:588 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe46⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe47⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe48⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe49⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe53⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe55⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe56⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe58⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe59⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe60⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe61⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe62⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe63⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:300 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe65⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe66⤵PID:1432
-
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2992 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe69⤵PID:2144
-
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe70⤵PID:1204
-
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe71⤵
- Drops file in System32 directory
PID:1100 -
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2632 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe73⤵PID:2712
-
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe74⤵
- Drops file in System32 directory
- Modifies registry class
PID:2036 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe75⤵PID:1308
-
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe76⤵
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe77⤵PID:2628
-
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe78⤵PID:800
-
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe79⤵PID:1744
-
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe80⤵
- Drops file in System32 directory
PID:1252 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe81⤵PID:2868
-
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe82⤵PID:2796
-
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe83⤵
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe84⤵PID:1952
-
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe85⤵PID:308
-
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe86⤵PID:2240
-
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe87⤵
- Drops file in System32 directory
PID:1764 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe88⤵PID:2624
-
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe89⤵PID:2348
-
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1748 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2856 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe92⤵
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe93⤵PID:2672
-
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe94⤵PID:484
-
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe95⤵PID:1932
-
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe96⤵PID:1648
-
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe97⤵
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe98⤵PID:1972
-
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe99⤵PID:2972
-
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe100⤵
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe101⤵PID:2888
-
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe102⤵PID:2560
-
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1232 -
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe104⤵PID:2488
-
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe105⤵
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe106⤵PID:2864
-
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe107⤵PID:1624
-
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2412 -
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe109⤵PID:2492
-
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe110⤵PID:2720
-
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe111⤵PID:3064
-
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe112⤵PID:764
-
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe113⤵PID:1784
-
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe114⤵
- Drops file in System32 directory
PID:880 -
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe115⤵PID:2964
-
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe116⤵PID:1144
-
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe117⤵PID:1776
-
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe118⤵PID:2444
-
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe119⤵
- Drops file in System32 directory
PID:1944 -
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe120⤵PID:2252
-
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe121⤵
- Drops file in System32 directory
PID:1048 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe122⤵PID:2192
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-