Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
14/05/2024, 21:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4450246cc407725e9328326bee6dfb367af143e355fc209c9bd574665a4e8ad1.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
4450246cc407725e9328326bee6dfb367af143e355fc209c9bd574665a4e8ad1.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
4450246cc407725e9328326bee6dfb367af143e355fc209c9bd574665a4e8ad1.exe
-
Size
2.7MB
-
MD5
b416747dad9dc25e626dbda39441d4ca
-
SHA1
0afe372295ba474bdb6b0ddc2757a319e2e91a22
-
SHA256
4450246cc407725e9328326bee6dfb367af143e355fc209c9bd574665a4e8ad1
-
SHA512
2c4f6c403ad51e5e44206364e83a8a7f1391dec35b526dfeb4447fbedbc55dddca9e9ae49c2755d786cc3e6d325dfaa6d11087f5f2e370e1a5616b39ec63ee13
-
SSDEEP
12288:bKvzDVqvQqpCtRwKA5p8Wgx+gWVBmLnWrOxNuxC7:bC5hqEfAL8WJm8MoC7
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhngjmlo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poocpnbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jiigehkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meigpkka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghmiam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Libicbma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oancnfoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icemmopa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iknnbklc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdlgpgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Legmbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaqcoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdikkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnkjhb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnmgmbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdpndnei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncbplk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igdogl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlnbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egllae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cldooj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdlgpgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nncahjgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abmbhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aadloj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipgbjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaiiff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mihiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffklhqao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dggcffhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beejng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpjfba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpeifeca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjilieka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngkogj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhlqhb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epfhbign.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghmiam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Behnnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dccagcgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amcpie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfnmfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnofejom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ombapedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alnqqd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jicgpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkeelohh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abmbhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdnepk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qflhbhgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kikdkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fejgko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghfbqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apoooa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiondcpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojahnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbbhgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbopgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfegbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhndldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbmcbbki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fadminnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfmhol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhffaj32.exe -
Executes dropped EXE 64 IoCs
pid Process 1076 Hfifff32.exe 2532 Haogkgoh.exe 2868 Hjkkojlc.exe 2604 Icemmopa.exe 2724 Impnldeo.exe 2620 Ibmfdkcf.exe 2516 Jbdlejmn.exe 2188 Jaiiff32.exe 1616 Jkonco32.exe 1576 Jmpjkggj.exe 1640 Jgenhp32.exe 2796 Jnofejom.exe 1520 Jpqclb32.exe 2840 Jfkkimlh.exe 2028 Jiigehkl.exe 2552 Kappfeln.exe 1424 Kcolba32.exe 2744 Kfmhol32.exe 412 Kikdkh32.exe 2244 Kmgpkfab.exe 1996 Kcahhq32.exe 2928 Kfoedl32.exe 900 Kmimafop.exe 2140 Kphimanc.exe 2888 Kedaeh32.exe 1016 Kpjfba32.exe 3036 Kibjkgca.exe 1964 Kjcgco32.exe 2772 Lhggmchi.exe 2876 Laplei32.exe 2632 Lkhpnnej.exe 2448 Lpeifeca.exe 2500 Lhlqhb32.exe 1480 Limmokib.exe 2032 Ladeqhjd.exe 3048 Lbfahp32.exe 2332 Lkmjin32.exe 1248 Lmkfei32.exe 2120 Lpjbad32.exe 1664 Lgdjnofi.exe 1144 Libgjj32.exe 1200 Lplogdmj.exe 2144 Loooca32.exe 2180 Meigpkka.exe 1568 Mlcple32.exe 2536 Moalhq32.exe 2576 Maphdl32.exe 2480 Mhjpaf32.exe 3168 Mlelaeqk.exe 3220 Eihfjo32.exe 3272 Epaogi32.exe 3324 Ejgcdb32.exe 3372 Epdkli32.exe 3420 Ebbgid32.exe 3468 Eeqdep32.exe 3524 Emhlfmgj.exe 3576 Epfhbign.exe 3624 Eecqjpee.exe 3684 Elmigj32.exe 3724 Eajaoq32.exe 3796 Eiaiqn32.exe 3864 Ejbfhfaj.exe 3920 Ealnephf.exe 3968 Fehjeo32.exe -
Loads dropped DLL 64 IoCs
pid Process 2356 4450246cc407725e9328326bee6dfb367af143e355fc209c9bd574665a4e8ad1.exe 2356 4450246cc407725e9328326bee6dfb367af143e355fc209c9bd574665a4e8ad1.exe 1076 Hfifff32.exe 1076 Hfifff32.exe 2532 Haogkgoh.exe 2532 Haogkgoh.exe 2868 Hjkkojlc.exe 2868 Hjkkojlc.exe 2604 Icemmopa.exe 2604 Icemmopa.exe 2724 Impnldeo.exe 2724 Impnldeo.exe 2620 Ibmfdkcf.exe 2620 Ibmfdkcf.exe 2516 Jbdlejmn.exe 2516 Jbdlejmn.exe 2188 Jaiiff32.exe 2188 Jaiiff32.exe 1616 Jkonco32.exe 1616 Jkonco32.exe 1576 Jmpjkggj.exe 1576 Jmpjkggj.exe 1640 Jgenhp32.exe 1640 Jgenhp32.exe 2796 Jnofejom.exe 2796 Jnofejom.exe 1520 Jpqclb32.exe 1520 Jpqclb32.exe 2840 Jfkkimlh.exe 2840 Jfkkimlh.exe 2028 Jiigehkl.exe 2028 Jiigehkl.exe 2552 Kappfeln.exe 2552 Kappfeln.exe 1424 Kcolba32.exe 1424 Kcolba32.exe 2744 Kfmhol32.exe 2744 Kfmhol32.exe 412 Kikdkh32.exe 412 Kikdkh32.exe 2244 Kmgpkfab.exe 2244 Kmgpkfab.exe 1996 Kcahhq32.exe 1996 Kcahhq32.exe 2928 Kfoedl32.exe 2928 Kfoedl32.exe 900 Kmimafop.exe 900 Kmimafop.exe 2140 Kphimanc.exe 2140 Kphimanc.exe 2888 Kedaeh32.exe 2888 Kedaeh32.exe 1016 Kpjfba32.exe 1016 Kpjfba32.exe 3036 Kibjkgca.exe 3036 Kibjkgca.exe 1964 Kjcgco32.exe 1964 Kjcgco32.exe 2772 Lhggmchi.exe 2772 Lhggmchi.exe 2876 Laplei32.exe 2876 Laplei32.exe 2632 Lkhpnnej.exe 2632 Lkhpnnej.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Flmefm32.exe Fioija32.exe File created C:\Windows\SysWOW64\Eiehea32.dll Iblpjdpk.exe File created C:\Windows\SysWOW64\Jjpbahga.dll Jnclnihj.exe File created C:\Windows\SysWOW64\Kpjhkjde.exe Kiqpop32.exe File created C:\Windows\SysWOW64\Kibjkgca.exe Kpjfba32.exe File created C:\Windows\SysWOW64\Meigpkka.exe Loooca32.exe File opened for modification C:\Windows\SysWOW64\Mhjpaf32.exe Maphdl32.exe File opened for modification C:\Windows\SysWOW64\Eihfjo32.exe Mlelaeqk.exe File opened for modification C:\Windows\SysWOW64\Ngkogj32.exe Npagjpcd.exe File created C:\Windows\SysWOW64\Kklcab32.dll Npagjpcd.exe File created C:\Windows\SysWOW64\Gikaio32.exe Gfmemc32.exe File opened for modification C:\Windows\SysWOW64\Hmdmcanc.exe Hgjefg32.exe File opened for modification C:\Windows\SysWOW64\Blobjaba.exe Beejng32.exe File created C:\Windows\SysWOW64\Glaenq32.dll 4450246cc407725e9328326bee6dfb367af143e355fc209c9bd574665a4e8ad1.exe File opened for modification C:\Windows\SysWOW64\Fehjeo32.exe Ealnephf.exe File opened for modification C:\Windows\SysWOW64\Flmefm32.exe Fioija32.exe File created C:\Windows\SysWOW64\Mmjhjhkh.dll Gifhnpea.exe File created C:\Windows\SysWOW64\Jnqphi32.exe Jonplmcb.exe File created C:\Windows\SysWOW64\Lollckbk.exe Llnofpcg.exe File opened for modification C:\Windows\SysWOW64\Nkeelohh.exe Namqci32.exe File opened for modification C:\Windows\SysWOW64\Ookmfk32.exe Ncbplk32.exe File opened for modification C:\Windows\SysWOW64\Baakhm32.exe Bppoqeja.exe File created C:\Windows\SysWOW64\Nqdgapkm.dll Jdehon32.exe File created C:\Windows\SysWOW64\Kifpdelo.exe Kjcpii32.exe File opened for modification C:\Windows\SysWOW64\Bifgdk32.exe Bghjhp32.exe File created C:\Windows\SysWOW64\Ppfjfiam.dll Limmokib.exe File created C:\Windows\SysWOW64\Dggcffhg.exe Dfffnn32.exe File created C:\Windows\SysWOW64\Qflhbhgg.exe Pkfceo32.exe File opened for modification C:\Windows\SysWOW64\Fadminnn.exe Ffklhqao.exe File opened for modification C:\Windows\SysWOW64\Ndmjedoi.exe Nncahjgl.exe File opened for modification C:\Windows\SysWOW64\Anojbobe.exe Ahdaee32.exe File created C:\Windows\SysWOW64\Fmmkcoap.exe Fnkjhb32.exe File created C:\Windows\SysWOW64\Njqaac32.dll Epaogi32.exe File created C:\Windows\SysWOW64\Cgcmlcja.exe Chpmpg32.exe File created C:\Windows\SysWOW64\Fekpnn32.exe Fbmcbbki.exe File opened for modification C:\Windows\SysWOW64\Moalhq32.exe Mlcple32.exe File created C:\Windows\SysWOW64\Ipgbjl32.exe Iccbqh32.exe File created C:\Windows\SysWOW64\Opacnnhp.dll Behgcf32.exe File created C:\Windows\SysWOW64\Moalhq32.exe Mlcple32.exe File created C:\Windows\SysWOW64\Ohhkga32.dll Pbhmnkjf.exe File opened for modification C:\Windows\SysWOW64\Gfmemc32.exe Gdniqh32.exe File created C:\Windows\SysWOW64\Icmqhn32.dll Qbbhgi32.exe File created C:\Windows\SysWOW64\Gmpgio32.exe Gnmgmbhb.exe File opened for modification C:\Windows\SysWOW64\Pgbafl32.exe Pokieo32.exe File opened for modification C:\Windows\SysWOW64\Jfqahgpg.exe Jgnamk32.exe File created C:\Windows\SysWOW64\Lnpbep32.dll Jfqahgpg.exe File created C:\Windows\SysWOW64\Ckjpacfp.exe Baakhm32.exe File created C:\Windows\SysWOW64\Odmoin32.dll Acfaeq32.exe File created C:\Windows\SysWOW64\Oiogaqdb.dll Gmjaic32.exe File opened for modification C:\Windows\SysWOW64\Jifdebic.exe Jfghif32.exe File opened for modification C:\Windows\SysWOW64\Kjcpii32.exe Kpmlkp32.exe File created C:\Windows\SysWOW64\Gifhnpea.exe Gmpgio32.exe File created C:\Windows\SysWOW64\Dpiddoma.dll Cohigamf.exe File created C:\Windows\SysWOW64\Ipnndn32.dll Jdpndnei.exe File created C:\Windows\SysWOW64\Mapjmehi.exe Mieeibkn.exe File created C:\Windows\SysWOW64\Oopfakpa.exe Oghopm32.exe File created C:\Windows\SysWOW64\Bcqgok32.dll Fddmgjpo.exe File created C:\Windows\SysWOW64\Blnhfb32.dll Gaqcoc32.exe File opened for modification C:\Windows\SysWOW64\Hlfdkoin.exe Gmjaic32.exe File created C:\Windows\SysWOW64\Hlfdkoin.exe Gmjaic32.exe File opened for modification C:\Windows\SysWOW64\Fmekoalh.exe Fjgoce32.exe File created C:\Windows\SysWOW64\Aimkgn32.dll Gkkemh32.exe File created C:\Windows\SysWOW64\Gcnmkd32.dll Qgmdjp32.exe File created C:\Windows\SysWOW64\Ejbfhfaj.exe Eiaiqn32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4236 2224 WerFault.exe 349 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpbnlj32.dll" Jifdebic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofmbnkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhlgc32.dll" Ebmgcohn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egllae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hanlnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnmhkin.dll" Hpbiommg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kphimanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnnhje32.dll" Fmlapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nblihc32.dll" Hiknhbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlpdbghp.dll" Pokieo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjcpii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojahnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqcpob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcahhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgiaak32.dll" Jnemdecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhmjkaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oikojfgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqhpdhcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eihfjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhffaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejbgljdk.dll" Afcenm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpbbfi32.dll" Eqbddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohfbg32.dll" Iccbqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Poocpnbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfkkimlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojahnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ancjqghh.dll" Kiqpop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oghopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ladeqhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpkbdiqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdeeqehb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpnbkeld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbfahp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkdpanhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhlqhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lldlqakb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ackkppma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oilpcd32.dll" Ackkppma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfnmfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghmiam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkcggqfg.dll" Hmdmcanc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocfigjlp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfmemc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jchhkjhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afcenm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 4450246cc407725e9328326bee6dfb367af143e355fc209c9bd574665a4e8ad1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmlapp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjlqhoba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fllnlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfnnha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnicmdli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgcjoog.dll" Jbdlejmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghhofmql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emhlfmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhcebp32.dll" Iqalka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbgodfkh.dll" Nkeelohh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Libicbma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enihmc32.dll" Lpjbad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oojimd32.dll" Mlcple32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehkdaf32.dll" Pnjdhmdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdoclk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghhofmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jiakjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpefdl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2356 wrote to memory of 1076 2356 4450246cc407725e9328326bee6dfb367af143e355fc209c9bd574665a4e8ad1.exe 28 PID 2356 wrote to memory of 1076 2356 4450246cc407725e9328326bee6dfb367af143e355fc209c9bd574665a4e8ad1.exe 28 PID 2356 wrote to memory of 1076 2356 4450246cc407725e9328326bee6dfb367af143e355fc209c9bd574665a4e8ad1.exe 28 PID 2356 wrote to memory of 1076 2356 4450246cc407725e9328326bee6dfb367af143e355fc209c9bd574665a4e8ad1.exe 28 PID 1076 wrote to memory of 2532 1076 Hfifff32.exe 29 PID 1076 wrote to memory of 2532 1076 Hfifff32.exe 29 PID 1076 wrote to memory of 2532 1076 Hfifff32.exe 29 PID 1076 wrote to memory of 2532 1076 Hfifff32.exe 29 PID 2532 wrote to memory of 2868 2532 Haogkgoh.exe 30 PID 2532 wrote to memory of 2868 2532 Haogkgoh.exe 30 PID 2532 wrote to memory of 2868 2532 Haogkgoh.exe 30 PID 2532 wrote to memory of 2868 2532 Haogkgoh.exe 30 PID 2868 wrote to memory of 2604 2868 Hjkkojlc.exe 31 PID 2868 wrote to memory of 2604 2868 Hjkkojlc.exe 31 PID 2868 wrote to memory of 2604 2868 Hjkkojlc.exe 31 PID 2868 wrote to memory of 2604 2868 Hjkkojlc.exe 31 PID 2604 wrote to memory of 2724 2604 Icemmopa.exe 32 PID 2604 wrote to memory of 2724 2604 Icemmopa.exe 32 PID 2604 wrote to memory of 2724 2604 Icemmopa.exe 32 PID 2604 wrote to memory of 2724 2604 Icemmopa.exe 32 PID 2724 wrote to memory of 2620 2724 Impnldeo.exe 33 PID 2724 wrote to memory of 2620 2724 Impnldeo.exe 33 PID 2724 wrote to memory of 2620 2724 Impnldeo.exe 33 PID 2724 wrote to memory of 2620 2724 Impnldeo.exe 33 PID 2620 wrote to memory of 2516 2620 Ibmfdkcf.exe 34 PID 2620 wrote to memory of 2516 2620 Ibmfdkcf.exe 34 PID 2620 wrote to memory of 2516 2620 Ibmfdkcf.exe 34 PID 2620 wrote to memory of 2516 2620 Ibmfdkcf.exe 34 PID 2516 wrote to memory of 2188 2516 Jbdlejmn.exe 35 PID 2516 wrote to memory of 2188 2516 Jbdlejmn.exe 35 PID 2516 wrote to memory of 2188 2516 Jbdlejmn.exe 35 PID 2516 wrote to memory of 2188 2516 Jbdlejmn.exe 35 PID 2188 wrote to memory of 1616 2188 Jaiiff32.exe 36 PID 2188 wrote to memory of 1616 2188 Jaiiff32.exe 36 PID 2188 wrote to memory of 1616 2188 Jaiiff32.exe 36 PID 2188 wrote to memory of 1616 2188 Jaiiff32.exe 36 PID 1616 wrote to memory of 1576 1616 Jkonco32.exe 37 PID 1616 wrote to memory of 1576 1616 Jkonco32.exe 37 PID 1616 wrote to memory of 1576 1616 Jkonco32.exe 37 PID 1616 wrote to memory of 1576 1616 Jkonco32.exe 37 PID 1576 wrote to memory of 1640 1576 Jmpjkggj.exe 38 PID 1576 wrote to memory of 1640 1576 Jmpjkggj.exe 38 PID 1576 wrote to memory of 1640 1576 Jmpjkggj.exe 38 PID 1576 wrote to memory of 1640 1576 Jmpjkggj.exe 38 PID 1640 wrote to memory of 2796 1640 Jgenhp32.exe 39 PID 1640 wrote to memory of 2796 1640 Jgenhp32.exe 39 PID 1640 wrote to memory of 2796 1640 Jgenhp32.exe 39 PID 1640 wrote to memory of 2796 1640 Jgenhp32.exe 39 PID 2796 wrote to memory of 1520 2796 Jnofejom.exe 40 PID 2796 wrote to memory of 1520 2796 Jnofejom.exe 40 PID 2796 wrote to memory of 1520 2796 Jnofejom.exe 40 PID 2796 wrote to memory of 1520 2796 Jnofejom.exe 40 PID 1520 wrote to memory of 2840 1520 Jpqclb32.exe 41 PID 1520 wrote to memory of 2840 1520 Jpqclb32.exe 41 PID 1520 wrote to memory of 2840 1520 Jpqclb32.exe 41 PID 1520 wrote to memory of 2840 1520 Jpqclb32.exe 41 PID 2840 wrote to memory of 2028 2840 Jfkkimlh.exe 42 PID 2840 wrote to memory of 2028 2840 Jfkkimlh.exe 42 PID 2840 wrote to memory of 2028 2840 Jfkkimlh.exe 42 PID 2840 wrote to memory of 2028 2840 Jfkkimlh.exe 42 PID 2028 wrote to memory of 2552 2028 Jiigehkl.exe 43 PID 2028 wrote to memory of 2552 2028 Jiigehkl.exe 43 PID 2028 wrote to memory of 2552 2028 Jiigehkl.exe 43 PID 2028 wrote to memory of 2552 2028 Jiigehkl.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\4450246cc407725e9328326bee6dfb367af143e355fc209c9bd574665a4e8ad1.exe"C:\Users\Admin\AppData\Local\Temp\4450246cc407725e9328326bee6dfb367af143e355fc209c9bd574665a4e8ad1.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Hfifff32.exeC:\Windows\system32\Hfifff32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\SysWOW64\Haogkgoh.exeC:\Windows\system32\Haogkgoh.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Hjkkojlc.exeC:\Windows\system32\Hjkkojlc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Icemmopa.exeC:\Windows\system32\Icemmopa.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Impnldeo.exeC:\Windows\system32\Impnldeo.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Ibmfdkcf.exeC:\Windows\system32\Ibmfdkcf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Jbdlejmn.exeC:\Windows\system32\Jbdlejmn.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Jaiiff32.exeC:\Windows\system32\Jaiiff32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Jkonco32.exeC:\Windows\system32\Jkonco32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Jmpjkggj.exeC:\Windows\system32\Jmpjkggj.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Jgenhp32.exeC:\Windows\system32\Jgenhp32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Jnofejom.exeC:\Windows\system32\Jnofejom.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Jpqclb32.exeC:\Windows\system32\Jpqclb32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\Jfkkimlh.exeC:\Windows\system32\Jfkkimlh.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Jiigehkl.exeC:\Windows\system32\Jiigehkl.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Kappfeln.exeC:\Windows\system32\Kappfeln.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Kcolba32.exeC:\Windows\system32\Kcolba32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1424 -
C:\Windows\SysWOW64\Kfmhol32.exeC:\Windows\system32\Kfmhol32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Kikdkh32.exeC:\Windows\system32\Kikdkh32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:412 -
C:\Windows\SysWOW64\Kmgpkfab.exeC:\Windows\system32\Kmgpkfab.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2244 -
C:\Windows\SysWOW64\Kcahhq32.exeC:\Windows\system32\Kcahhq32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:900 -
C:\Windows\SysWOW64\Kphimanc.exeC:\Windows\system32\Kphimanc.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Kedaeh32.exeC:\Windows\system32\Kedaeh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2888 -
C:\Windows\SysWOW64\Kpjfba32.exeC:\Windows\system32\Kpjfba32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1016 -
C:\Windows\SysWOW64\Kibjkgca.exeC:\Windows\system32\Kibjkgca.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964 -
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2632 -
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1480 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe38⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe39⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe41⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe42⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe43⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1568 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe47⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe49⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3168 -
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:3220 -
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3272 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe53⤵
- Executes dropped EXE
PID:3324 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe54⤵
- Executes dropped EXE
PID:3372 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe55⤵
- Executes dropped EXE
PID:3420 -
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe56⤵
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:3524 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3576 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe59⤵
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe60⤵
- Executes dropped EXE
PID:3684 -
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe61⤵
- Executes dropped EXE
PID:3724 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3796 -
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe63⤵
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3920 -
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe65⤵
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4020 -
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe67⤵PID:4068
-
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1756 -
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe69⤵PID:2388
-
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe70⤵
- Drops file in System32 directory
PID:1732 -
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe71⤵PID:2904
-
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe72⤵
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2648 -
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe74⤵
- Drops file in System32 directory
PID:3020 -
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe75⤵PID:1364
-
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe76⤵
- Drops file in System32 directory
PID:704 -
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe77⤵
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe78⤵PID:2956
-
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2984 -
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe80⤵PID:2836
-
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe81⤵PID:2824
-
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe82⤵
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:868 -
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe84⤵PID:3188
-
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe85⤵PID:1900
-
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe86⤵PID:3304
-
C:\Windows\SysWOW64\Ghmiam32.exeC:\Windows\system32\Ghmiam32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3380 -
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe88⤵
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe89⤵
- Drops file in System32 directory
PID:3544 -
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe90⤵PID:2664
-
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe91⤵PID:3648
-
C:\Windows\SysWOW64\Iknnbklc.exeC:\Windows\system32\Iknnbklc.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3716 -
C:\Windows\SysWOW64\Igdogl32.exeC:\Windows\system32\Igdogl32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3812 -
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe94⤵PID:3852
-
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe95⤵PID:3932
-
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe96⤵PID:4008
-
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe97⤵
- Drops file in System32 directory
PID:4088 -
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe98⤵PID:1904
-
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe99⤵PID:1204
-
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe100⤵
- Modifies registry class
PID:668 -
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe101⤵
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe102⤵
- Drops file in System32 directory
PID:1308 -
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe103⤵
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1548 -
C:\Windows\SysWOW64\Joifam32.exeC:\Windows\system32\Joifam32.exe105⤵PID:2856
-
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe106⤵
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe107⤵PID:1636
-
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2564 -
C:\Windows\SysWOW64\Jonplmcb.exeC:\Windows\system32\Jonplmcb.exe109⤵
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe110⤵PID:1440
-
C:\Windows\SysWOW64\Jfghif32.exeC:\Windows\system32\Jfghif32.exe111⤵
- Drops file in System32 directory
PID:1444 -
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe112⤵
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Jkdpanhg.exeC:\Windows\system32\Jkdpanhg.exe113⤵
- Modifies registry class
PID:3256 -
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe114⤵
- Drops file in System32 directory
PID:2080 -
C:\Windows\SysWOW64\Kbqecg32.exeC:\Windows\system32\Kbqecg32.exe115⤵PID:3456
-
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe116⤵PID:3552
-
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe117⤵PID:2416
-
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3696 -
C:\Windows\SysWOW64\Kaklpcoc.exeC:\Windows\system32\Kaklpcoc.exe119⤵PID:3776
-
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe120⤵
- Drops file in System32 directory
PID:3880 -
C:\Windows\SysWOW64\Kjcpii32.exeC:\Windows\system32\Kjcpii32.exe121⤵
- Drops file in System32 directory
- Modifies registry class
PID:3996
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-