Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
22/04/2024, 00:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9232779377d12d5ece343b02f13702dbb4591cadf3aada89a9471edf6cd522d7.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
9232779377d12d5ece343b02f13702dbb4591cadf3aada89a9471edf6cd522d7.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
9232779377d12d5ece343b02f13702dbb4591cadf3aada89a9471edf6cd522d7.exe
-
Size
199KB
-
MD5
016c8b4d2402cc6c49552d81bffcbe59
-
SHA1
89e491ce8ac6d7d65ca4ec09154683d9ef86c587
-
SHA256
9232779377d12d5ece343b02f13702dbb4591cadf3aada89a9471edf6cd522d7
-
SHA512
6d8c2e242cf2c5a3b224af41ae536b1336b90ae0b5e5f6dbf627a6ff5567d0c49f66a796c17a17167cd81c93f670b45c44cd2e082a9f3a88c80ea98c709d6573
-
SSDEEP
6144:+yrB5Lj7pFSZSCZj81+jq4peBK034YOmFz1h:+gvLPqZSCG1+jheBbOmFxh
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhmepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jokcgmee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jehkodcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjlqhoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klqfhbbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mabejlob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhqfbebj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pabjem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofelmloo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmkmdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mochnppo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncjgbcoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afdlhchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joifam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdgneh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eibbcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoffmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpocfncj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pclfkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adnopfoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmekoalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oikojfgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enfenplo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cclkfdnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahakmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eajaoq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lefdpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgplkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lplogdmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plcdgfbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhhnli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lckdanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbeknj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpkbdiqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlibjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddgjdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keikqhhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhlmgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qagcpljo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egamfkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogfpbeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfbhnaho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgejac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkonco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldnhad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldenbcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lefkjkmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbkeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Claifkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dolnad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkmjin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qbbfopeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjmkcbcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baqbenep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcfcmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enihne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaaijdgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jonplmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmimafop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlgigdoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlkpjpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imfqjbli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlgefh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kihqkagp.exe -
Executes dropped EXE 64 IoCs
pid Process 2948 Ifkojiim.exe 2628 Imeggc32.exe 2668 Ibapoj32.exe 2016 Jeplkf32.exe 2400 Jilhldfn.exe 2804 Jkjdhpea.exe 1504 Jbdlejmn.exe 2644 Jebiaelb.exe 344 Jgqemakf.exe 1528 Jjoailji.exe 1624 Jbfijjkl.exe 2352 Jcgfbb32.exe 1052 Jkonco32.exe 1992 Jakfkfpc.exe 2576 Jegble32.exe 804 Jfhocmnk.exe 1596 Jnofejom.exe 2280 Jmbgpg32.exe 2076 Jclomamd.exe 2932 Jfkkimlh.exe 1508 Jmdcfg32.exe 780 Kappfeln.exe 948 Kbalnnam.exe 2840 Kjhdokbo.exe 2856 Kikdkh32.exe 1552 Kljqgc32.exe 2600 Kfoedl32.exe 2528 Kmimafop.exe 2540 Kllmmc32.exe 2884 Kphimanc.exe 472 Kbfeimng.exe 2452 Kipnfged.exe 2288 Klnjbbdh.exe 1892 Komfnnck.exe 2276 Kakbjibo.exe 2172 Kegnkh32.exe 2924 Khekgc32.exe 2164 Klqfhbbe.exe 336 Koocdnai.exe 2116 Kanopipl.exe 2360 Keikqhhe.exe 844 Kdlkld32.exe 3032 Llccmb32.exe 1300 Loapim32.exe 320 Lekhfgfc.exe 1980 Ldnhad32.exe 2120 Lhjdbcef.exe 1280 Lfmdnp32.exe 2900 Lkhpnnej.exe 1488 Lmgmjjdn.exe 856 Lpeifeca.exe 880 Ldqegd32.exe 1384 Lgoacojo.exe 1524 Limmokib.exe 1884 Lmiipi32.exe 1628 Lpgele32.exe 2068 Ldcamcih.exe 3000 Lganiohl.exe 2364 Lkmjin32.exe 2740 Lmkfei32.exe 1420 Lpjbad32.exe 2356 Ldenbcge.exe 2072 Lchnnp32.exe 884 Lefkjkmc.exe -
Loads dropped DLL 64 IoCs
pid Process 2208 9232779377d12d5ece343b02f13702dbb4591cadf3aada89a9471edf6cd522d7.exe 2208 9232779377d12d5ece343b02f13702dbb4591cadf3aada89a9471edf6cd522d7.exe 2948 Ifkojiim.exe 2948 Ifkojiim.exe 2628 Imeggc32.exe 2628 Imeggc32.exe 2668 Ibapoj32.exe 2668 Ibapoj32.exe 2016 Jeplkf32.exe 2016 Jeplkf32.exe 2400 Jilhldfn.exe 2400 Jilhldfn.exe 2804 Jkjdhpea.exe 2804 Jkjdhpea.exe 1504 Jbdlejmn.exe 1504 Jbdlejmn.exe 2644 Jebiaelb.exe 2644 Jebiaelb.exe 344 Jgqemakf.exe 344 Jgqemakf.exe 1528 Jjoailji.exe 1528 Jjoailji.exe 1624 Jbfijjkl.exe 1624 Jbfijjkl.exe 2352 Jcgfbb32.exe 2352 Jcgfbb32.exe 1052 Jkonco32.exe 1052 Jkonco32.exe 1992 Jakfkfpc.exe 1992 Jakfkfpc.exe 2576 Jegble32.exe 2576 Jegble32.exe 804 Jfhocmnk.exe 804 Jfhocmnk.exe 1596 Jnofejom.exe 1596 Jnofejom.exe 2280 Jmbgpg32.exe 2280 Jmbgpg32.exe 2076 Jclomamd.exe 2076 Jclomamd.exe 2932 Jfkkimlh.exe 2932 Jfkkimlh.exe 1508 Jmdcfg32.exe 1508 Jmdcfg32.exe 780 Kappfeln.exe 780 Kappfeln.exe 948 Kbalnnam.exe 948 Kbalnnam.exe 2840 Kjhdokbo.exe 2840 Kjhdokbo.exe 2856 Kikdkh32.exe 2856 Kikdkh32.exe 1552 Kljqgc32.exe 1552 Kljqgc32.exe 2600 Kfoedl32.exe 2600 Kfoedl32.exe 2528 Kmimafop.exe 2528 Kmimafop.exe 2540 Kllmmc32.exe 2540 Kllmmc32.exe 2884 Kphimanc.exe 2884 Kphimanc.exe 472 Kbfeimng.exe 472 Kbfeimng.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Doehqead.exe Dpbheh32.exe File created C:\Windows\SysWOW64\Klealkpf.dll Ldnhad32.exe File created C:\Windows\SysWOW64\Afiecb32.exe Adjigg32.exe File opened for modification C:\Windows\SysWOW64\Dcknbh32.exe Doobajme.exe File created C:\Windows\SysWOW64\Gmibbifn.dll Hogmmjfo.exe File created C:\Windows\SysWOW64\Pmanoifd.exe Pjcabmga.exe File opened for modification C:\Windows\SysWOW64\Qmlgonbe.exe Qjmkcbcb.exe File created C:\Windows\SysWOW64\Cciemedf.exe Cpjiajeb.exe File created C:\Windows\SysWOW64\Pggbla32.exe Pclfkc32.exe File created C:\Windows\SysWOW64\Gghcajge.dll Mlgigdoh.exe File created C:\Windows\SysWOW64\Pafagk32.dll Doobajme.exe File created C:\Windows\SysWOW64\Ohhkga32.dll Pbhmnkjf.exe File opened for modification C:\Windows\SysWOW64\Jjoailji.exe Jgqemakf.exe File opened for modification C:\Windows\SysWOW64\Blbfjg32.exe Bidjnkdg.exe File opened for modification C:\Windows\SysWOW64\Cdgneh32.exe Cpkbdiqb.exe File opened for modification C:\Windows\SysWOW64\Eqpgol32.exe Ebmgcohn.exe File created C:\Windows\SysWOW64\Kfoedl32.exe Kljqgc32.exe File opened for modification C:\Windows\SysWOW64\Njdpomfe.exe Ngfcca32.exe File created C:\Windows\SysWOW64\Cgcmlcja.exe Cddaphkn.exe File created C:\Windows\SysWOW64\Pienahqb.dll Aenbdoii.exe File created C:\Windows\SysWOW64\Cnippoha.exe Cfbhnaho.exe File opened for modification C:\Windows\SysWOW64\Doobajme.exe Dqlafm32.exe File opened for modification C:\Windows\SysWOW64\Koocdnai.exe Klqfhbbe.exe File created C:\Windows\SysWOW64\Gkgaje32.dll Nmjblg32.exe File created C:\Windows\SysWOW64\Pgmkloid.dll Nacgdhlp.exe File created C:\Windows\SysWOW64\Lelpgepb.dll Anafhopc.exe File created C:\Windows\SysWOW64\Njmggi32.dll Egjpkffe.exe File opened for modification C:\Windows\SysWOW64\Pclfkc32.exe Pamiog32.exe File created C:\Windows\SysWOW64\Bfenbpec.exe Bdgafdfp.exe File created C:\Windows\SysWOW64\Plnoej32.dll Dpbheh32.exe File created C:\Windows\SysWOW64\Bdjefj32.exe Balijo32.exe File opened for modification C:\Windows\SysWOW64\Gacpdbej.exe Gmgdddmq.exe File created C:\Windows\SysWOW64\Ihdkao32.exe Iqmcpahh.exe File created C:\Windows\SysWOW64\Baoohhdn.dll Kgnnln32.exe File created C:\Windows\SysWOW64\Gpdgnh32.dll Lajhofao.exe File opened for modification C:\Windows\SysWOW64\Khekgc32.exe Kegnkh32.exe File created C:\Windows\SysWOW64\Fpkeqmgm.dll Pimkpfeh.exe File opened for modification C:\Windows\SysWOW64\Ahikqd32.exe Adnopfoj.exe File created C:\Windows\SysWOW64\Hnhijl32.dll Ahlgfdeq.exe File opened for modification C:\Windows\SysWOW64\Obigjnkf.exe Oojknblb.exe File created C:\Windows\SysWOW64\Bloqah32.exe Bdhhqk32.exe File created C:\Windows\SysWOW64\Jehkodcm.exe Jcgogk32.exe File opened for modification C:\Windows\SysWOW64\Djhphncm.exe Dgjclbdi.exe File created C:\Windows\SysWOW64\Dhpiojfb.exe Dfamcogo.exe File created C:\Windows\SysWOW64\Elgpfqll.dll Qaefjm32.exe File created C:\Windows\SysWOW64\Bccnbmal.dll Fmekoalh.exe File created C:\Windows\SysWOW64\Lkppbl32.exe Lhbcfa32.exe File created C:\Windows\SysWOW64\Bjhjlg32.dll Mhlmgf32.exe File created C:\Windows\SysWOW64\Mkjica32.exe Mlgigdoh.exe File created C:\Windows\SysWOW64\Mgajhbkg.exe Mhnjle32.exe File created C:\Windows\SysWOW64\Nfkpdn32.exe Nghphaeo.exe File created C:\Windows\SysWOW64\Lnpbep32.dll Jqdipqbp.exe File created C:\Windows\SysWOW64\Qlidlf32.dll Flmefm32.exe File created C:\Windows\SysWOW64\Enbfpg32.dll Pogclp32.exe File created C:\Windows\SysWOW64\Aemkjiem.exe Aaaoij32.exe File created C:\Windows\SysWOW64\Bjidgghp.dll Dojald32.exe File created C:\Windows\SysWOW64\Gdamqndn.exe Gacpdbej.exe File opened for modification C:\Windows\SysWOW64\Ofjfhk32.exe Ojcecjee.exe File created C:\Windows\SysWOW64\Bfadgq32.exe Bdbhke32.exe File created C:\Windows\SysWOW64\Lkiklhim.dll Magnek32.exe File opened for modification C:\Windows\SysWOW64\Ihankokm.exe Ioijbj32.exe File opened for modification C:\Windows\SysWOW64\Clomqk32.exe Cjpqdp32.exe File opened for modification C:\Windows\SysWOW64\Hpocfncj.exe Hejoiedd.exe File created C:\Windows\SysWOW64\Polebcgg.dll Hcplhi32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5420 5608 WerFault.exe 590 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abbbnchb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebpkk32.dll" Cpnojioo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npnhlg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afdlhchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klidkobf.dll" Dkmmhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aefbii32.dll" Llkbap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljpome32.dll" Kifpdelo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqdgkecq.dll" Lollckbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okgnab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amhpnkch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Naikkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcplhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqalka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jebiaelb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oelmai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdfflm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecbia32.dll" Chnqkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dchali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekholjqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fddmgjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqncakcq.dll" Lpdbloof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apimacnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnhijl32.dll" Ahlgfdeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okphjd32.dll" Bhigphio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Menakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbflib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpgele32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjpqdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckafbbph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khekgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negbaime.dll" Mpolmdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Moiklogi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nceclqan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bidjnkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mapmaj32.dll" Mhjpaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmnhfjmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldfgebbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feljlnoc.dll" Nkbhgojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcmkmii.dll" Lganiohl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Banepo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpmchlpl.dll" Pjpkjond.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfamcogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmimafop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbmfll32.dll" Lhbcfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckoilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loclnq32.dll" Jkpgfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emmcaafi.dll" Mgnfhlin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll" Ghhofmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joifam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qiejdkkn.dll" Ocnfbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbalnnam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnkbdlbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhflmk32.dll" Dchali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfioffab.dll" Aehboi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkphdmd.dll" Ehgppi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjoho32.dll" Jclomamd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpjiammk.dll" Afiecb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ioijbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aemkjiem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppoqge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qdccfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gljilnja.dll" Pciifc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmmfkafa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncgdbmmp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2208 wrote to memory of 2948 2208 9232779377d12d5ece343b02f13702dbb4591cadf3aada89a9471edf6cd522d7.exe 28 PID 2208 wrote to memory of 2948 2208 9232779377d12d5ece343b02f13702dbb4591cadf3aada89a9471edf6cd522d7.exe 28 PID 2208 wrote to memory of 2948 2208 9232779377d12d5ece343b02f13702dbb4591cadf3aada89a9471edf6cd522d7.exe 28 PID 2208 wrote to memory of 2948 2208 9232779377d12d5ece343b02f13702dbb4591cadf3aada89a9471edf6cd522d7.exe 28 PID 2948 wrote to memory of 2628 2948 Ifkojiim.exe 29 PID 2948 wrote to memory of 2628 2948 Ifkojiim.exe 29 PID 2948 wrote to memory of 2628 2948 Ifkojiim.exe 29 PID 2948 wrote to memory of 2628 2948 Ifkojiim.exe 29 PID 2628 wrote to memory of 2668 2628 Imeggc32.exe 30 PID 2628 wrote to memory of 2668 2628 Imeggc32.exe 30 PID 2628 wrote to memory of 2668 2628 Imeggc32.exe 30 PID 2628 wrote to memory of 2668 2628 Imeggc32.exe 30 PID 2668 wrote to memory of 2016 2668 Ibapoj32.exe 31 PID 2668 wrote to memory of 2016 2668 Ibapoj32.exe 31 PID 2668 wrote to memory of 2016 2668 Ibapoj32.exe 31 PID 2668 wrote to memory of 2016 2668 Ibapoj32.exe 31 PID 2016 wrote to memory of 2400 2016 Jeplkf32.exe 32 PID 2016 wrote to memory of 2400 2016 Jeplkf32.exe 32 PID 2016 wrote to memory of 2400 2016 Jeplkf32.exe 32 PID 2016 wrote to memory of 2400 2016 Jeplkf32.exe 32 PID 2400 wrote to memory of 2804 2400 Jilhldfn.exe 33 PID 2400 wrote to memory of 2804 2400 Jilhldfn.exe 33 PID 2400 wrote to memory of 2804 2400 Jilhldfn.exe 33 PID 2400 wrote to memory of 2804 2400 Jilhldfn.exe 33 PID 2804 wrote to memory of 1504 2804 Jkjdhpea.exe 34 PID 2804 wrote to memory of 1504 2804 Jkjdhpea.exe 34 PID 2804 wrote to memory of 1504 2804 Jkjdhpea.exe 34 PID 2804 wrote to memory of 1504 2804 Jkjdhpea.exe 34 PID 1504 wrote to memory of 2644 1504 Jbdlejmn.exe 35 PID 1504 wrote to memory of 2644 1504 Jbdlejmn.exe 35 PID 1504 wrote to memory of 2644 1504 Jbdlejmn.exe 35 PID 1504 wrote to memory of 2644 1504 Jbdlejmn.exe 35 PID 2644 wrote to memory of 344 2644 Jebiaelb.exe 36 PID 2644 wrote to memory of 344 2644 Jebiaelb.exe 36 PID 2644 wrote to memory of 344 2644 Jebiaelb.exe 36 PID 2644 wrote to memory of 344 2644 Jebiaelb.exe 36 PID 344 wrote to memory of 1528 344 Jgqemakf.exe 37 PID 344 wrote to memory of 1528 344 Jgqemakf.exe 37 PID 344 wrote to memory of 1528 344 Jgqemakf.exe 37 PID 344 wrote to memory of 1528 344 Jgqemakf.exe 37 PID 1528 wrote to memory of 1624 1528 Jjoailji.exe 38 PID 1528 wrote to memory of 1624 1528 Jjoailji.exe 38 PID 1528 wrote to memory of 1624 1528 Jjoailji.exe 38 PID 1528 wrote to memory of 1624 1528 Jjoailji.exe 38 PID 1624 wrote to memory of 2352 1624 Jbfijjkl.exe 39 PID 1624 wrote to memory of 2352 1624 Jbfijjkl.exe 39 PID 1624 wrote to memory of 2352 1624 Jbfijjkl.exe 39 PID 1624 wrote to memory of 2352 1624 Jbfijjkl.exe 39 PID 2352 wrote to memory of 1052 2352 Jcgfbb32.exe 40 PID 2352 wrote to memory of 1052 2352 Jcgfbb32.exe 40 PID 2352 wrote to memory of 1052 2352 Jcgfbb32.exe 40 PID 2352 wrote to memory of 1052 2352 Jcgfbb32.exe 40 PID 1052 wrote to memory of 1992 1052 Jkonco32.exe 41 PID 1052 wrote to memory of 1992 1052 Jkonco32.exe 41 PID 1052 wrote to memory of 1992 1052 Jkonco32.exe 41 PID 1052 wrote to memory of 1992 1052 Jkonco32.exe 41 PID 1992 wrote to memory of 2576 1992 Jakfkfpc.exe 42 PID 1992 wrote to memory of 2576 1992 Jakfkfpc.exe 42 PID 1992 wrote to memory of 2576 1992 Jakfkfpc.exe 42 PID 1992 wrote to memory of 2576 1992 Jakfkfpc.exe 42 PID 2576 wrote to memory of 804 2576 Jegble32.exe 43 PID 2576 wrote to memory of 804 2576 Jegble32.exe 43 PID 2576 wrote to memory of 804 2576 Jegble32.exe 43 PID 2576 wrote to memory of 804 2576 Jegble32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\9232779377d12d5ece343b02f13702dbb4591cadf3aada89a9471edf6cd522d7.exe"C:\Users\Admin\AppData\Local\Temp\9232779377d12d5ece343b02f13702dbb4591cadf3aada89a9471edf6cd522d7.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Ifkojiim.exeC:\Windows\system32\Ifkojiim.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Imeggc32.exeC:\Windows\system32\Imeggc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Ibapoj32.exeC:\Windows\system32\Ibapoj32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Jeplkf32.exeC:\Windows\system32\Jeplkf32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Jilhldfn.exeC:\Windows\system32\Jilhldfn.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Jkjdhpea.exeC:\Windows\system32\Jkjdhpea.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Jbdlejmn.exeC:\Windows\system32\Jbdlejmn.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Jebiaelb.exeC:\Windows\system32\Jebiaelb.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Jgqemakf.exeC:\Windows\system32\Jgqemakf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:344 -
C:\Windows\SysWOW64\Jjoailji.exeC:\Windows\system32\Jjoailji.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Jbfijjkl.exeC:\Windows\system32\Jbfijjkl.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Jcgfbb32.exeC:\Windows\system32\Jcgfbb32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Jkonco32.exeC:\Windows\system32\Jkonco32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Jakfkfpc.exeC:\Windows\system32\Jakfkfpc.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Jegble32.exeC:\Windows\system32\Jegble32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Jfhocmnk.exeC:\Windows\system32\Jfhocmnk.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:804 -
C:\Windows\SysWOW64\Jnofejom.exeC:\Windows\system32\Jnofejom.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Jmbgpg32.exeC:\Windows\system32\Jmbgpg32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\Jclomamd.exeC:\Windows\system32\Jclomamd.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Jfkkimlh.exeC:\Windows\system32\Jfkkimlh.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
C:\Windows\SysWOW64\Jmdcfg32.exeC:\Windows\system32\Jmdcfg32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1508 -
C:\Windows\SysWOW64\Kappfeln.exeC:\Windows\system32\Kappfeln.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:780 -
C:\Windows\SysWOW64\Kbalnnam.exeC:\Windows\system32\Kbalnnam.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:948 -
C:\Windows\SysWOW64\Kjhdokbo.exeC:\Windows\system32\Kjhdokbo.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Kikdkh32.exeC:\Windows\system32\Kikdkh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Kljqgc32.exeC:\Windows\system32\Kljqgc32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1552 -
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2528 -
C:\Windows\SysWOW64\Kllmmc32.exeC:\Windows\system32\Kllmmc32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2540 -
C:\Windows\SysWOW64\Kphimanc.exeC:\Windows\system32\Kphimanc.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Kbfeimng.exeC:\Windows\system32\Kbfeimng.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:472 -
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe33⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Klnjbbdh.exeC:\Windows\system32\Klnjbbdh.exe34⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe35⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe36⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2172 -
C:\Windows\SysWOW64\Khekgc32.exeC:\Windows\system32\Khekgc32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2164 -
C:\Windows\SysWOW64\Koocdnai.exeC:\Windows\system32\Koocdnai.exe40⤵
- Executes dropped EXE
PID:336 -
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe41⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Keikqhhe.exeC:\Windows\system32\Keikqhhe.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe43⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Llccmb32.exeC:\Windows\system32\Llccmb32.exe44⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe45⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Lekhfgfc.exeC:\Windows\system32\Lekhfgfc.exe46⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Ldnhad32.exeC:\Windows\system32\Ldnhad32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe48⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe49⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe50⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe51⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe52⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe53⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe54⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe55⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe56⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe58⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe61⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe62⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe64⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe66⤵PID:2556
-
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe67⤵PID:2368
-
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2864 -
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe69⤵PID:2844
-
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe70⤵PID:1656
-
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe71⤵PID:2040
-
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe72⤵PID:2640
-
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe73⤵PID:2808
-
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe74⤵
- Modifies registry class
PID:1468 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe75⤵PID:2964
-
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe76⤵PID:848
-
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe77⤵PID:1368
-
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe78⤵
- Modifies registry class
PID:1260 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe79⤵PID:1264
-
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe80⤵PID:2756
-
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:760 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1744 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe83⤵
- Modifies registry class
PID:812 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe84⤵PID:688
-
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:292 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe87⤵PID:1120
-
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe88⤵PID:2536
-
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe89⤵PID:3064
-
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe90⤵PID:1828
-
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe91⤵PID:2660
-
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe92⤵
- Drops file in System32 directory
PID:864 -
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe93⤵PID:972
-
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe94⤵PID:1684
-
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe95⤵
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe96⤵
- Drops file in System32 directory
PID:1588 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe97⤵PID:2836
-
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2132 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe99⤵PID:836
-
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe100⤵PID:3024
-
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe101⤵PID:2988
-
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe102⤵
- Modifies registry class
PID:1236 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1248 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe104⤵
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe105⤵PID:2440
-
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe106⤵PID:2464
-
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe107⤵PID:1344
-
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe108⤵
- Modifies registry class
PID:964 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe109⤵PID:2100
-
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe110⤵
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe111⤵PID:2036
-
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe112⤵PID:1256
-
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe113⤵PID:860
-
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe114⤵PID:2256
-
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe115⤵PID:1704
-
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe116⤵PID:2292
-
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe117⤵PID:916
-
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe118⤵PID:1532
-
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2428 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe120⤵PID:2760
-
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe121⤵PID:1064
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-