Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 143s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 07/07/2024, 05:41
Static task: static1 (1 signature)
Behavioral task: behavioral1
Sample: 45f7158aa6abdd03b317a01ed4959320N.exe
Resource: win7-20240704-en
7 signatures, 150 seconds
Behavioral task: behavioral2
Sample: 45f7158aa6abdd03b317a01ed4959320N.exe
Resource: win10v2004-20240704-en
6 signatures, 150 seconds
General
Target: 45f7158aa6abdd03b317a01ed4959320N.exe
Size: 71KB
MD5: 45f7158aa6abdd03b317a01ed4959320
SHA1: a1e5375d18fff7f98115e1bea74319ff1aa7efea
SHA256: 325e5b9d9435c769faad4c6866e619c004814005f198747eff7638c196f43e27
SHA512: f88ba4b47789bd10b7a4d6ea5ee2eca55242b9f02ab66a3f34bc2de22addf07c3b857fff90de90855bc0c2b38c2ff8ae4e643902a3af4a820bbbc018034efcbd
SSDEEP: 1536:TULPzoC909Bfgqx1E5xnaXo2Ld7RZObZUS:TuPkCKHPT5dClUS
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 2612, pid_target: 2256, Process: WerFault.exe, procid_target: 541
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes (each process is the child of the one listed before it; the leading number is its depth in the process tree)

1. C:\Users\Admin\AppData\Local\Temp\45f7158aa6abdd03b317a01ed4959320N.exe (PID 2152), command line: "C:\Users\Admin\AppData\Local\Temp\45f7158aa6abdd03b317a01ed4959320N.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Flhkhnel.exe (PID 2708), command line: C:\Windows\system32\Flhkhnel.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Fillabde.exe (PID 988), command line: C:\Windows\system32\Fillabde.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Fokaoh32.exe (PID 2324), command line: C:\Windows\system32\Fokaoh32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Fpojlp32.exe (PID 2860), command line: C:\Windows\system32\Fpojlp32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Figoefkf.exe (PID 2744), command line: C:\Windows\system32\Figoefkf.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Gmegkd32.exe (PID 1660), command line: C:\Windows\system32\Gmegkd32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Gngdadoj.exe (PID 2640), command line: C:\Windows\system32\Gngdadoj.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Ginefe32.exe (PID 2304), command line: C:\Windows\system32\Ginefe32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Geeekf32.exe (PID 552), command line: C:\Windows\system32\Geeekf32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Gheola32.exe (PID 2680), command line: C:\Windows\system32\Gheola32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Hnbgdh32.exe (PID 2868), command line: C:\Windows\system32\Hnbgdh32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Hgkknm32.exe (PID 1992), command line: C:\Windows\system32\Hgkknm32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Hkidclbb.exe (PID 1752), command line: C:\Windows\system32\Hkidclbb.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Hqemlbqi.exe (PID 2416), command line: C:\Windows\system32\Hqemlbqi.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Hqhiab32.exe (PID 2400), command line: C:\Windows\system32\Hqhiab32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Hnljkf32.exe (PID 2724), command line: C:\Windows\system32\Hnljkf32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
18. C:\Windows\SysWOW64\Imaglc32.exe (PID 2224), command line: C:\Windows\system32\Imaglc32.exe
   - Executes dropped EXE
   - Loads dropped DLL
19. C:\Windows\SysWOW64\Iihgadhl.exe (PID 668), command line: C:\Windows\system32\Iihgadhl.exe
   - Executes dropped EXE
   - Loads dropped DLL
20. C:\Windows\SysWOW64\Ieohfemq.exe (PID 1780), command line: C:\Windows\system32\Ieohfemq.exe
   - Executes dropped EXE
   - Loads dropped DLL
21. C:\Windows\SysWOW64\Ieaekdkn.exe (PID 268), command line: C:\Windows\system32\Ieaekdkn.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
22. C:\Windows\SysWOW64\Ibeeeijg.exe (PID 1348), command line: C:\Windows\system32\Ibeeeijg.exe
   - Executes dropped EXE
   - Loads dropped DLL
23. C:\Windows\SysWOW64\Ikmjnnah.exe (PID 2808), command line: C:\Windows\system32\Ikmjnnah.exe
   - Executes dropped EXE
   - Loads dropped DLL
24. C:\Windows\SysWOW64\Jeenfd32.exe (PID 2588), command line: C:\Windows\system32\Jeenfd32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
25. C:\Windows\SysWOW64\Jkpfcnoe.exe (PID 560), command line: C:\Windows\system32\Jkpfcnoe.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
26. C:\Windows\SysWOW64\Jalolemm.exe (PID 864), command line: C:\Windows\system32\Jalolemm.exe
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\Windows\SysWOW64\Jmcpqfba.exe (PID 1100), command line: C:\Windows\system32\Jmcpqfba.exe
   - Executes dropped EXE
   - Loads dropped DLL
28. C:\Windows\SysWOW64\Jgidnobg.exe (PID 688), command line: C:\Windows\system32\Jgidnobg.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
29. C:\Windows\SysWOW64\Jaahgd32.exe (PID 1688), command line: C:\Windows\system32\Jaahgd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
30. C:\Windows\SysWOW64\Jlkigbef.exe (PID 2320), command line: C:\Windows\system32\Jlkigbef.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
31. C:\Windows\SysWOW64\Jecnpg32.exe (PID 2852), command line: C:\Windows\system32\Jecnpg32.exe
   - Executes dropped EXE
   - Loads dropped DLL
32. C:\Windows\SysWOW64\Kpkocpjj.exe (PID 2636), command line: C:\Windows\system32\Kpkocpjj.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
33. C:\Windows\SysWOW64\Kjdpcnfi.exe (PID 2828), command line: C:\Windows\system32\Kjdpcnfi.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
34. C:\Windows\SysWOW64\Khhpmbeb.exe (PID 2628), command line: C:\Windows\system32\Khhpmbeb.exe
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Kdoaackf.exe (PID 2300), command line: C:\Windows\system32\Kdoaackf.exe
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Kmgekh32.exe (PID 2336), command line: C:\Windows\system32\Kmgekh32.exe
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Lhmjha32.exe (PID 2076), command line: C:\Windows\system32\Lhmjha32.exe
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Lknbjlnn.exe (PID 2008), command line: C:\Windows\system32\Lknbjlnn.exe
   - Executes dropped EXE
   - Drops file in System32 directory
39. C:\Windows\SysWOW64\Licpki32.exe (PID 1544), command line: C:\Windows\system32\Licpki32.exe
   - Executes dropped EXE
   - Modifies registry class
40. C:\Windows\SysWOW64\Lejppj32.exe (PID 1592), command line: C:\Windows\system32\Lejppj32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
41. C:\Windows\SysWOW64\Lcnqin32.exe (PID 1744), command line: C:\Windows\system32\Lcnqin32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
42. C:\Windows\SysWOW64\Mhmfgdch.exe (PID 1536), command line: C:\Windows\system32\Mhmfgdch.exe
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Mpmdff32.exe (PID 1680), command line: C:\Windows\system32\Mpmdff32.exe
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Mnqdpj32.exe (PID 2824), command line: C:\Windows\system32\Mnqdpj32.exe
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Njgeel32.exe (PID 1812), command line: C:\Windows\system32\Njgeel32.exe
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Nodnmb32.exe (PID 948), command line: C:\Windows\system32\Nodnmb32.exe
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Nogjbbma.exe (PID 1712), command line: C:\Windows\system32\Nogjbbma.exe
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Nfqbol32.exe (PID 2252), command line: C:\Windows\system32\Nfqbol32.exe
   - Executes dropped EXE
   - Modifies registry class
49. C:\Windows\SysWOW64\Ncdciq32.exe (PID 1616), command line: C:\Windows\system32\Ncdciq32.exe
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Nhalag32.exe (PID 2128), command line: C:\Windows\system32\Nhalag32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Nkphmc32.exe (PID 2568), command line: C:\Windows\system32\Nkphmc32.exe
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Nbjpjm32.exe (PID 1728), command line: C:\Windows\system32\Nbjpjm32.exe
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Onqaonnc.exe (PID 1672), command line: C:\Windows\system32\Onqaonnc.exe
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Odjikh32.exe (PID 2904), command line: C:\Windows\system32\Odjikh32.exe
   - Executes dropped EXE
   - Modifies registry class
55. C:\Windows\SysWOW64\Oncndnlq.exe (PID 2884), command line: C:\Windows\system32\Oncndnlq.exe
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Oemfahcn.exe (PID 2716), command line: C:\Windows\system32\Oemfahcn.exe
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Onejjm32.exe (PID 2856), command line: C:\Windows\system32\Onejjm32.exe
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Ofqonp32.exe (PID 2684), command line: C:\Windows\system32\Ofqonp32.exe
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Oafclh32.exe (PID 2488), command line: C:\Windows\system32\Oafclh32.exe
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Ogpkhb32.exe (PID 2612), command line: C:\Windows\system32\Ogpkhb32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Ommdqi32.exe (PID 2932), command line: C:\Windows\system32\Ommdqi32.exe
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Obilip32.exe (PID 2956), command line: C:\Windows\system32\Obilip32.exe
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Picdejbg.exe (PID 856), command line: C:\Windows\system32\Picdejbg.exe
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Ppnmbd32.exe (PID 1372), command line: C:\Windows\system32\Ppnmbd32.exe
   - Executes dropped EXE
   - Modifies registry class
65. C:\Windows\SysWOW64\Pfgeoo32.exe (PID 2432), command line: C:\Windows\system32\Pfgeoo32.exe
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Pmamliin.exe (PID 2296), command line: C:\Windows\system32\Pmamliin.exe
67. C:\Windows\SysWOW64\Pbnfdpge.exe (PID 964), command line: C:\Windows\system32\Pbnfdpge.exe
68. C:\Windows\SysWOW64\Pihnqj32.exe (PID 1552), command line: C:\Windows\system32\Pihnqj32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
69. C:\Windows\SysWOW64\Pbqbioeb.exe (PID 2412), command line: C:\Windows\system32\Pbqbioeb.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
70. C:\Windows\SysWOW64\Pikkfilp.exe (PID 2080), command line: C:\Windows\system32\Pikkfilp.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
71. C:\Windows\SysWOW64\Pbcooo32.exe (PID 1508), command line: C:\Windows\system32\Pbcooo32.exe
   - Drops file in System32 directory
72. C:\Windows\SysWOW64\Pddlggin.exe (PID 2592), command line: C:\Windows\system32\Pddlggin.exe
   - Drops file in System32 directory
73. C:\Windows\SysWOW64\Pmmppm32.exe (PID 2308), command line: C:\Windows\system32\Pmmppm32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
74. C:\Windows\SysWOW64\Qdfhlggl.exe (PID 2836), command line: C:\Windows\system32\Qdfhlggl.exe
75. C:\Windows\SysWOW64\Qmomelml.exe (PID 2112), command line: C:\Windows\system32\Qmomelml.exe
76. C:\Windows\SysWOW64\Qpmiahlp.exe (PID 2700), command line: C:\Windows\system32\Qpmiahlp.exe
77. C:\Windows\SysWOW64\Qjcmoqlf.exe (PID 2608), command line: C:\Windows\system32\Qjcmoqlf.exe
78. C:\Windows\SysWOW64\Appfggjm.exe (PID 2516), command line: C:\Windows\system32\Appfggjm.exe
79. C:\Windows\SysWOW64\Afjncabj.exe (PID 2520), command line: C:\Windows\system32\Afjncabj.exe
80. C:\Windows\SysWOW64\Amcfpl32.exe (PID 2372), command line: C:\Windows\system32\Amcfpl32.exe
81. C:\Windows\SysWOW64\Aijgemok.exe (PID 3036), command line: C:\Windows\system32\Aijgemok.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
82. C:\Windows\SysWOW64\Aogpmcmb.exe (PID 860), command line: C:\Windows\system32\Aogpmcmb.exe
83. C:\Windows\SysWOW64\Aimckl32.exe (PID 692), command line: C:\Windows\system32\Aimckl32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   - Modifies registry class
84. C:\Windows\SysWOW64\Apglgfde.exe (PID 624), command line: C:\Windows\system32\Apglgfde.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
85. C:\Windows\SysWOW64\Aahhoo32.exe (PID 2140), command line: C:\Windows\system32\Aahhoo32.exe
86. C:\Windows\SysWOW64\Almmlg32.exe (PID 872), command line: C:\Windows\system32\Almmlg32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
87. C:\Windows\SysWOW64\Abgeiaaf.exe (PID 1768), command line: C:\Windows\system32\Abgeiaaf.exe
88. C:\Windows\SysWOW64\Bdiaqj32.exe (PID 1608), command line: C:\Windows\system32\Bdiaqj32.exe
89. C:\Windows\SysWOW64\Bnafjo32.exe (PID 2840), command line: C:\Windows\system32\Bnafjo32.exe
90. C:\Windows\SysWOW64\Behnkm32.exe (PID 2664), command line: C:\Windows\system32\Behnkm32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
91. C:\Windows\SysWOW64\Bkefcc32.exe (PID 2672), command line: C:\Windows\system32\Bkefcc32.exe
   - Drops file in System32 directory
92. C:\Windows\SysWOW64\Bhiglh32.exe (PID 1012), command line: C:\Windows\system32\Bhiglh32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
93. C:\Windows\SysWOW64\Bnfodojp.exe (PID 1684), command line: C:\Windows\system32\Bnfodojp.exe
   - Modifies registry class
94. C:\Windows\SysWOW64\Bcbhmehg.exe (PID 1564), command line: C:\Windows\system32\Bcbhmehg.exe
   - Modifies registry class
95. C:\Windows\SysWOW64\Bjlpjp32.exe (PID 1988), command line: C:\Windows\system32\Bjlpjp32.exe
96. C:\Windows\SysWOW64\Bpfhfjgq.exe (PID 3028), command line: C:\Windows\system32\Bpfhfjgq.exe
97. C:\Windows\SysWOW64\Bgqqcd32.exe (PID 1028), command line: C:\Windows\system32\Bgqqcd32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
98. C:\Windows\SysWOW64\Bjomoo32.exe (PID 824), command line: C:\Windows\system32\Bjomoo32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
99. C:\Windows\SysWOW64\Cgcmiclk.exe (PID 1816), command line: C:\Windows\system32\Cgcmiclk.exe
100. C:\Windows\SysWOW64\Chdjpl32.exe (PID 1404), command line: C:\Windows\system32\Chdjpl32.exe
   - Drops file in System32 directory
101. C:\Windows\SysWOW64\Cblniaii.exe (PID 2088), command line: C:\Windows\system32\Cblniaii.exe
   - Drops file in System32 directory
102. C:\Windows\SysWOW64\Chfffk32.exe (PID 1304), command line: C:\Windows\system32\Chfffk32.exe
103. C:\Windows\SysWOW64\Copobe32.exe (PID 968), command line: C:\Windows\system32\Copobe32.exe
104. C:\Windows\SysWOW64\Cfjgopop.exe (PID 2848), command line: C:\Windows\system32\Cfjgopop.exe
105. C:\Windows\SysWOW64\Cobkhe32.exe (PID 2624), command line: C:\Windows\system32\Cobkhe32.exe
106. C:\Windows\SysWOW64\Cbagdq32.exe (PID 2792), command line: C:\Windows\system32\Cbagdq32.exe
107. C:\Windows\SysWOW64\Ckilmfke.exe (PID 2696), command line: C:\Windows\system32\Ckilmfke.exe
   - Drops file in System32 directory
108. C:\Windows\SysWOW64\Cqfdem32.exe (PID 2244), command line: C:\Windows\system32\Cqfdem32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
109. C:\Windows\SysWOW64\Djoinbpm.exe (PID 3016), command line: C:\Windows\system32\Djoinbpm.exe
110. C:\Windows\SysWOW64\Dqiakm32.exe (PID 1944), command line: C:\Windows\system32\Dqiakm32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
111. C:\Windows\SysWOW64\Dknehe32.exe (PID 2572), command line: C:\Windows\system32\Dknehe32.exe
   - Drops file in System32 directory
112. C:\Windows\SysWOW64\Dmobpn32.exe (PID 912), command line: C:\Windows\system32\Dmobpn32.exe
113. C:\Windows\SysWOW64\Dfhficcn.exe (PID 2148), command line: C:\Windows\system32\Dfhficcn.exe
114. C:\Windows\SysWOW64\Dopkai32.exe (PID 3004), command line: C:\Windows\system32\Dopkai32.exe
115. C:\Windows\SysWOW64\Djfooa32.exe (PID 2124), command line: C:\Windows\system32\Djfooa32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
116. C:\Windows\SysWOW64\Dqpgll32.exe (PID 2136), command line: C:\Windows\system32\Dqpgll32.exe
117. C:\Windows\SysWOW64\Dflpdb32.exe (PID 1620), command line: C:\Windows\system32\Dflpdb32.exe
   - Drops file in System32 directory
118. C:\Windows\SysWOW64\Diklpn32.exe (PID 1568), command line: C:\Windows\system32\Diklpn32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
119. C:\Windows\SysWOW64\Ebcqicem.exe (PID 604), command line: C:\Windows\system32\Ebcqicem.exe
120. C:\Windows\SysWOW64\Emieflec.exe (PID 1340), command line: C:\Windows\system32\Emieflec.exe
121. C:\Windows\SysWOW64\Efaiobkc.exe (PID 236), command line: C:\Windows\system32\Efaiobkc.exe
   - Drops file in System32 directory
122. C:\Windows\SysWOW64\Elnagijk.exe (PID 1908), command line: C:\Windows\system32\Elnagijk.exe
   - Adds autorun key to be loaded by Explorer.exe on startup