Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
27/06/2024, 23:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
809348792c8e82ca2adae0c644fe54567316714c8e4b3dc8cc18255fdd3c274d.exe
Resource
win7-20240419-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
809348792c8e82ca2adae0c644fe54567316714c8e4b3dc8cc18255fdd3c274d.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
809348792c8e82ca2adae0c644fe54567316714c8e4b3dc8cc18255fdd3c274d.exe
-
Size
49KB
-
MD5
aed39bf6940d6eb177dc872a555945fc
-
SHA1
c0cb59e5cbf4d516ca2ed9ea95ed942d780b0678
-
SHA256
809348792c8e82ca2adae0c644fe54567316714c8e4b3dc8cc18255fdd3c274d
-
SHA512
fb1456758e11360909cdb63c6a81c84bd5873d5e9a51a7d70e7ffb252b16f4342737ac7f7d9b981a85ff20b832d3d87fd65a98390ef54121f4baf2259d2d7726
-
SSDEEP
768:EPH7S9Y9XlAorUuxAsz9TG26ZKuqTo+9roZ+X4WtRyYGyzZ/1H5J2Xdnh:EMYVAOp9oqMAoZfGRyYhTk
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibmfdkcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcgfbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbkpna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgdmmgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggpimica.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmnbkinf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mekdekin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogjimd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajbdna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiedjneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckdjbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmgmjjdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okfencna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pigeqkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhmbagfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaefjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jagmpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkfciogm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofpfnqjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pelipl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fphafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oicpfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aplpai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhhnli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkhcmgnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aepojo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eflgccbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkaocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paejki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppamme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahakmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpfhcje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eilpeooq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egdilkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfmdnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbkpna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pijbfj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnefdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckdjbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adjigg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpfcgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebbgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eilpeooq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnpnndgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Admemg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjpqdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbehoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmgpkfab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kllmmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpjfba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfflopdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnfjna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkmmhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfefiemq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnojdcfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkhmma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omgaek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paggai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppoqge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffbicfoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdhbam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcnpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kegnkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmgmjjdn.exe -
Executes dropped EXE 64 IoCs
pid Process 1336 Hkhkcm32.exe 1296 Hbbcpg32.exe 2968 Hjmhdi32.exe 1964 Iqgqacam.exe 2712 Icemmopa.exe 2560 Ijoeji32.exe 2484 Inkakhpg.exe 2928 Iqimgc32.exe 2288 Iolmbpfe.exe 304 Ichico32.exe 112 Ijaapifk.exe 1152 Iidbke32.exe 1844 Iqljlb32.exe 1500 Ioojhpdb.exe 2964 Ibmfdkcf.exe 2760 Ijdnehci.exe 2136 Iigoqe32.exe 1644 Imbkadcl.exe 812 Ikekmq32.exe 1988 Iclcnnji.exe 1540 Ibocjk32.exe 1596 Ifkojiim.exe 1376 Ienoff32.exe 1032 Iiikfehq.exe 2464 Imeggc32.exe 2312 Ikggbpgd.exe 1720 Infdolgh.exe 2208 Ifmlpigj.exe 2804 Jeplkf32.exe 2700 Jgnhga32.exe 2564 Joepio32.exe 2612 Jnhqdkde.exe 2816 Jbdlejmn.exe 2744 Jagmpg32.exe 1704 Jinead32.exe 1868 Jgqemakf.exe 2740 Jjoailji.exe 1872 Jnkmjk32.exe 1312 Jaiiff32.exe 2972 Jedefejo.exe 2056 Jcgfbb32.exe 988 Jnmjok32.exe 2888 Jegble32.exe 1956 Jcjbgaog.exe 1136 Jfhocmnk.exe 1116 Jjdkdl32.exe 2340 Jmbgpg32.exe 2976 Jpqclb32.exe 2624 Jclomamd.exe 1284 Jghknp32.exe 2824 Jjfgjk32.exe 2692 Jiigehkl.exe 2676 Jmdcfg32.exe 2576 Kpcpbb32.exe 2832 Kcolba32.exe 1984 Kbalnnam.exe 2924 Kfmhol32.exe 1912 Kikdkh32.exe 2592 Kmgpkfab.exe 1680 Kljqgc32.exe 1432 Kpemgbqf.exe 1656 Kcahhq32.exe 1484 Kbcicmpj.exe 832 Kfoedl32.exe -
Loads dropped DLL 64 IoCs
pid Process 1044 809348792c8e82ca2adae0c644fe54567316714c8e4b3dc8cc18255fdd3c274d.exe 1044 809348792c8e82ca2adae0c644fe54567316714c8e4b3dc8cc18255fdd3c274d.exe 1336 Hkhkcm32.exe 1336 Hkhkcm32.exe 1296 Hbbcpg32.exe 1296 Hbbcpg32.exe 2968 Hjmhdi32.exe 2968 Hjmhdi32.exe 1964 Iqgqacam.exe 1964 Iqgqacam.exe 2712 Icemmopa.exe 2712 Icemmopa.exe 2560 Ijoeji32.exe 2560 Ijoeji32.exe 2484 Inkakhpg.exe 2484 Inkakhpg.exe 2928 Iqimgc32.exe 2928 Iqimgc32.exe 2288 Iolmbpfe.exe 2288 Iolmbpfe.exe 304 Ichico32.exe 304 Ichico32.exe 112 Ijaapifk.exe 112 Ijaapifk.exe 1152 Iidbke32.exe 1152 Iidbke32.exe 1844 Iqljlb32.exe 1844 Iqljlb32.exe 1500 Ioojhpdb.exe 1500 Ioojhpdb.exe 2964 Ibmfdkcf.exe 2964 Ibmfdkcf.exe 2760 Ijdnehci.exe 2760 Ijdnehci.exe 2136 Iigoqe32.exe 2136 Iigoqe32.exe 1644 Imbkadcl.exe 1644 Imbkadcl.exe 812 Ikekmq32.exe 812 Ikekmq32.exe 1988 Iclcnnji.exe 1988 Iclcnnji.exe 1540 Ibocjk32.exe 1540 Ibocjk32.exe 1596 Ifkojiim.exe 1596 Ifkojiim.exe 1376 Ienoff32.exe 1376 Ienoff32.exe 1032 Iiikfehq.exe 1032 Iiikfehq.exe 2464 Imeggc32.exe 2464 Imeggc32.exe 2312 Ikggbpgd.exe 2312 Ikggbpgd.exe 1720 Infdolgh.exe 1720 Infdolgh.exe 2208 Ifmlpigj.exe 2208 Ifmlpigj.exe 2804 Jeplkf32.exe 2804 Jeplkf32.exe 2700 Jgnhga32.exe 2700 Jgnhga32.exe 2564 Joepio32.exe 2564 Joepio32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kikdkh32.exe Kfmhol32.exe File created C:\Windows\SysWOW64\Cjlled32.dll Komfnnck.exe File opened for modification C:\Windows\SysWOW64\Mhqfbebj.exe Mpjoqhah.exe File created C:\Windows\SysWOW64\Ghfbqn32.exe Gfefiemq.exe File created C:\Windows\SysWOW64\Jgdmei32.dll Gpmjak32.exe File created C:\Windows\SysWOW64\Nbipbe32.dll Kfoedl32.exe File opened for modification C:\Windows\SysWOW64\Kmimafop.exe Kinaqg32.exe File opened for modification C:\Windows\SysWOW64\Oghlgdgk.exe Oiellh32.exe File opened for modification C:\Windows\SysWOW64\Emcbkn32.exe Eihfjo32.exe File opened for modification C:\Windows\SysWOW64\Fbgmbg32.exe Fddmgjpo.exe File created C:\Windows\SysWOW64\Jjfgjk32.exe Jghknp32.exe File opened for modification C:\Windows\SysWOW64\Mlcple32.exe Mhgclfje.exe File created C:\Windows\SysWOW64\Mqeihfll.dll Nlgefh32.exe File created C:\Windows\SysWOW64\Pjpkjond.exe Pfdpip32.exe File created C:\Windows\SysWOW64\Kfoedl32.exe Kbcicmpj.exe File opened for modification C:\Windows\SysWOW64\Copfbfjj.exe Ckdjbh32.exe File created C:\Windows\SysWOW64\Pipopl32.exe Pipopl32.exe File created C:\Windows\SysWOW64\Gfhemi32.dll Bpfcgg32.exe File created C:\Windows\SysWOW64\Abbbnchb.exe Aoffmd32.exe File created C:\Windows\SysWOW64\Fkahhbbj.dll Ddcdkl32.exe File opened for modification C:\Windows\SysWOW64\Qmlgonbe.exe Qnigda32.exe File created C:\Windows\SysWOW64\Apcfahio.exe Alhjai32.exe File created C:\Windows\SysWOW64\Fmiobd32.dll Ijdnehci.exe File opened for modification C:\Windows\SysWOW64\Qlhnbf32.exe Qhmbagfa.exe File created C:\Windows\SysWOW64\Bccnbmal.dll Faagpp32.exe File created C:\Windows\SysWOW64\Jflmig32.dll Klnjbbdh.exe File opened for modification C:\Windows\SysWOW64\Mgfgdn32.exe Mcjkcplm.exe File opened for modification C:\Windows\SysWOW64\Eloemi32.exe Egdilkbf.exe File created C:\Windows\SysWOW64\Ajlppdeb.dll Fhffaj32.exe File created C:\Windows\SysWOW64\Hnmlje32.dll Hjmhdi32.exe File created C:\Windows\SysWOW64\Lmgmjjdn.exe Lkhpnnej.exe File created C:\Windows\SysWOW64\Bmhljm32.dll Adeplhib.exe File opened for modification C:\Windows\SysWOW64\Ikbifehk.dll Bdhhqk32.exe File created C:\Windows\SysWOW64\Lcdlii32.dll Jnmjok32.exe File created C:\Windows\SysWOW64\Edhban32.dll Kbhbom32.exe File opened for modification C:\Windows\SysWOW64\Iklefg32.dll Ajdadamj.exe File created C:\Windows\SysWOW64\Lopekk32.dll Efppoc32.exe File created C:\Windows\SysWOW64\Egadpgfp.dll Fcmgfkeg.exe File created C:\Windows\SysWOW64\Jqhakknp.dll Imbkadcl.exe File opened for modification C:\Windows\SysWOW64\Dfgmhd32.exe Dgdmmgpj.exe File opened for modification C:\Windows\SysWOW64\Epaogi32.exe Eqonkmdh.exe File created C:\Windows\SysWOW64\Egamfkdh.exe Eiomkn32.exe File created C:\Windows\SysWOW64\Ihoafpmp.exe Idceea32.exe File created C:\Windows\SysWOW64\Aiinen32.exe Aenbdoii.exe File created C:\Windows\SysWOW64\Gmjaic32.exe Gogangdc.exe File opened for modification C:\Windows\SysWOW64\Icbimi32.exe Hogmmjfo.exe File created C:\Windows\SysWOW64\Lhcecp32.dll Adjigg32.exe File opened for modification C:\Windows\SysWOW64\Ckdjbh32.exe Claifkkf.exe File created C:\Windows\SysWOW64\Kebepion.exe Kfoedl32.exe File opened for modification C:\Windows\SysWOW64\Ajdadamj.exe Afiecb32.exe File created C:\Windows\SysWOW64\Dgdfmnkb.dll Bbflib32.exe File created C:\Windows\SysWOW64\Pgpdbiho.dll Jmbgpg32.exe File created C:\Windows\SysWOW64\Kcahhq32.exe Kpemgbqf.exe File opened for modification C:\Windows\SysWOW64\Faokjpfd.exe Fmcoja32.exe File created C:\Windows\SysWOW64\Hbbcpg32.exe Hkhkcm32.exe File created C:\Windows\SysWOW64\Kibjkgca.exe Kegnkh32.exe File created C:\Windows\SysWOW64\Oojknblb.exe Okoomd32.exe File opened for modification C:\Windows\SysWOW64\Ddcdkl32.exe Dqhhknjp.exe File opened for modification C:\Windows\SysWOW64\Kinaqg32.exe Kebepion.exe File created C:\Windows\SysWOW64\Klnjbbdh.exe Khcnad32.exe File opened for modification C:\Windows\SysWOW64\Oojknblb.exe Okoomd32.exe File opened for modification C:\Windows\SysWOW64\Adhlaggp.exe Aplpai32.exe File created C:\Windows\SysWOW64\Hjlanqkq.dll Cnippoha.exe File created C:\Windows\SysWOW64\Kbcicmpj.exe Kcahhq32.exe -
Program crash 1 IoCs
pid pid_target Process 7140 6684 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajlgdf32.dll" Kanopipl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkjjld32.dll" Qhmbagfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egamfkdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maphdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnnajckm.dll" Ongnonkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmjejphb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnilobkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpdhklkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kegnkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajdadamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbifehk.dll" Beehencq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdjefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkhkcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hejkaapg.dll" Iclcnnji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlcgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghgobd32.dll" Lmdpejfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkgaje32.dll" Nccjhafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgbebiao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jegble32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoabpeg.dll" Gejcjbah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pijbfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aifone32.dll" Bpfcgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppiecpn.dll" Cbnbobin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijoeji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbipbe32.dll" Kfoedl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmoipopd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kanopipl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qljkhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkmbgdfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eajaoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldahol32.dll" Gangic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnclg32.dll" Ghhofmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll" Gbnccfpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll" Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adjigg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnefdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eecqjpee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jeplkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbbkja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlblkhei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbjhdo32.dll" Qbbfopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lilchoah.dll" Bkaqmeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddgkcd32.dll" Ddagfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongbcmlc.dll" Fnbkddem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbelkc32.dll" Flmefm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Henidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbhkgk32.dll" Moalhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkkilgnq.dll" Mnkbdlbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll" Henidd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hckcmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ladeqhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aalmklfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkkemh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbfjdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbpodagk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bopicc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjilieka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maphhihi.dll" Emhlfmgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdopkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghoegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnbhek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdhbbiki.dll" Abpfhcje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdhhqk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1044 wrote to memory of 1336 1044 809348792c8e82ca2adae0c644fe54567316714c8e4b3dc8cc18255fdd3c274d.exe 28 PID 1044 wrote to memory of 1336 1044 809348792c8e82ca2adae0c644fe54567316714c8e4b3dc8cc18255fdd3c274d.exe 28 PID 1044 wrote to memory of 1336 1044 809348792c8e82ca2adae0c644fe54567316714c8e4b3dc8cc18255fdd3c274d.exe 28 PID 1044 wrote to memory of 1336 1044 809348792c8e82ca2adae0c644fe54567316714c8e4b3dc8cc18255fdd3c274d.exe 28 PID 1336 wrote to memory of 1296 1336 Hkhkcm32.exe 29 PID 1336 wrote to memory of 1296 1336 Hkhkcm32.exe 29 PID 1336 wrote to memory of 1296 1336 Hkhkcm32.exe 29 PID 1336 wrote to memory of 1296 1336 Hkhkcm32.exe 29 PID 1296 wrote to memory of 2968 1296 Hbbcpg32.exe 30 PID 1296 wrote to memory of 2968 1296 Hbbcpg32.exe 30 PID 1296 wrote to memory of 2968 1296 Hbbcpg32.exe 30 PID 1296 wrote to memory of 2968 1296 Hbbcpg32.exe 30 PID 2968 wrote to memory of 1964 2968 Hjmhdi32.exe 31 PID 2968 wrote to memory of 1964 2968 Hjmhdi32.exe 31 PID 2968 wrote to memory of 1964 2968 Hjmhdi32.exe 31 PID 2968 wrote to memory of 1964 2968 Hjmhdi32.exe 31 PID 1964 wrote to memory of 2712 1964 Iqgqacam.exe 32 PID 1964 wrote to memory of 2712 1964 Iqgqacam.exe 32 PID 1964 wrote to memory of 2712 1964 Iqgqacam.exe 32 PID 1964 wrote to memory of 2712 1964 Iqgqacam.exe 32 PID 2712 wrote to memory of 2560 2712 Icemmopa.exe 33 PID 2712 wrote to memory of 2560 2712 Icemmopa.exe 33 PID 2712 wrote to memory of 2560 2712 Icemmopa.exe 33 PID 2712 wrote to memory of 2560 2712 Icemmopa.exe 33 PID 2560 wrote to memory of 2484 2560 Ijoeji32.exe 34 PID 2560 wrote to memory of 2484 2560 Ijoeji32.exe 34 PID 2560 wrote to memory of 2484 2560 Ijoeji32.exe 34 PID 2560 wrote to memory of 2484 2560 Ijoeji32.exe 34 PID 2484 wrote to memory of 2928 2484 Inkakhpg.exe 35 PID 2484 wrote to memory of 2928 2484 Inkakhpg.exe 35 PID 2484 wrote to memory of 2928 2484 Inkakhpg.exe 35 PID 2484 wrote to memory of 2928 2484 Inkakhpg.exe 35 PID 2928 wrote to memory of 2288 2928 Iqimgc32.exe 36 PID 2928 wrote to memory of 2288 2928 Iqimgc32.exe 36 PID 2928 wrote to memory of 2288 2928 Iqimgc32.exe 36 PID 2928 wrote to memory of 2288 2928 Iqimgc32.exe 36 PID 2288 wrote to memory of 304 2288 Iolmbpfe.exe 37 PID 2288 wrote to memory of 304 2288 Iolmbpfe.exe 37 PID 2288 wrote to memory of 304 2288 Iolmbpfe.exe 37 PID 2288 wrote to memory of 304 2288 Iolmbpfe.exe 37 PID 304 wrote to memory of 112 304 Ichico32.exe 38 PID 304 wrote to memory of 112 304 Ichico32.exe 38 PID 304 wrote to memory of 112 304 Ichico32.exe 38 PID 304 wrote to memory of 112 304 Ichico32.exe 38 PID 112 wrote to memory of 1152 112 Ijaapifk.exe 39 PID 112 wrote to memory of 1152 112 Ijaapifk.exe 39 PID 112 wrote to memory of 1152 112 Ijaapifk.exe 39 PID 112 wrote to memory of 1152 112 Ijaapifk.exe 39 PID 1152 wrote to memory of 1844 1152 Iidbke32.exe 40 PID 1152 wrote to memory of 1844 1152 Iidbke32.exe 40 PID 1152 wrote to memory of 1844 1152 Iidbke32.exe 40 PID 1152 wrote to memory of 1844 1152 Iidbke32.exe 40 PID 1844 wrote to memory of 1500 1844 Iqljlb32.exe 41 PID 1844 wrote to memory of 1500 1844 Iqljlb32.exe 41 PID 1844 wrote to memory of 1500 1844 Iqljlb32.exe 41 PID 1844 wrote to memory of 1500 1844 Iqljlb32.exe 41 PID 1500 wrote to memory of 2964 1500 Ioojhpdb.exe 42 PID 1500 wrote to memory of 2964 1500 Ioojhpdb.exe 42 PID 1500 wrote to memory of 2964 1500 Ioojhpdb.exe 42 PID 1500 wrote to memory of 2964 1500 Ioojhpdb.exe 42 PID 2964 wrote to memory of 2760 2964 Ibmfdkcf.exe 43 PID 2964 wrote to memory of 2760 2964 Ibmfdkcf.exe 43 PID 2964 wrote to memory of 2760 2964 Ibmfdkcf.exe 43 PID 2964 wrote to memory of 2760 2964 Ibmfdkcf.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\809348792c8e82ca2adae0c644fe54567316714c8e4b3dc8cc18255fdd3c274d.exe"C:\Users\Admin\AppData\Local\Temp\809348792c8e82ca2adae0c644fe54567316714c8e4b3dc8cc18255fdd3c274d.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Hkhkcm32.exeC:\Windows\system32\Hkhkcm32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\Hbbcpg32.exeC:\Windows\system32\Hbbcpg32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Hjmhdi32.exeC:\Windows\system32\Hjmhdi32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Iqgqacam.exeC:\Windows\system32\Iqgqacam.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Icemmopa.exeC:\Windows\system32\Icemmopa.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Ijoeji32.exeC:\Windows\system32\Ijoeji32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Inkakhpg.exeC:\Windows\system32\Inkakhpg.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Iqimgc32.exeC:\Windows\system32\Iqimgc32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Iolmbpfe.exeC:\Windows\system32\Iolmbpfe.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Ichico32.exeC:\Windows\system32\Ichico32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:304 -
C:\Windows\SysWOW64\Ijaapifk.exeC:\Windows\system32\Ijaapifk.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Windows\SysWOW64\Iidbke32.exeC:\Windows\system32\Iidbke32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Iqljlb32.exeC:\Windows\system32\Iqljlb32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Ioojhpdb.exeC:\Windows\system32\Ioojhpdb.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Ibmfdkcf.exeC:\Windows\system32\Ibmfdkcf.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Ijdnehci.exeC:\Windows\system32\Ijdnehci.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Iigoqe32.exeC:\Windows\system32\Iigoqe32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2136 -
C:\Windows\SysWOW64\Imbkadcl.exeC:\Windows\system32\Imbkadcl.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Ikekmq32.exeC:\Windows\system32\Ikekmq32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:812 -
C:\Windows\SysWOW64\Iclcnnji.exeC:\Windows\system32\Iclcnnji.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Ibocjk32.exeC:\Windows\system32\Ibocjk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Ifkojiim.exeC:\Windows\system32\Ifkojiim.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Ienoff32.exeC:\Windows\system32\Ienoff32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1376 -
C:\Windows\SysWOW64\Iiikfehq.exeC:\Windows\system32\Iiikfehq.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1032 -
C:\Windows\SysWOW64\Imeggc32.exeC:\Windows\system32\Imeggc32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2464 -
C:\Windows\SysWOW64\Ikggbpgd.exeC:\Windows\system32\Ikggbpgd.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Infdolgh.exeC:\Windows\system32\Infdolgh.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1720 -
C:\Windows\SysWOW64\Ifmlpigj.exeC:\Windows\system32\Ifmlpigj.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2208 -
C:\Windows\SysWOW64\Jeplkf32.exeC:\Windows\system32\Jeplkf32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Jgnhga32.exeC:\Windows\system32\Jgnhga32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Joepio32.exeC:\Windows\system32\Joepio32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Jnhqdkde.exeC:\Windows\system32\Jnhqdkde.exe33⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Jbdlejmn.exeC:\Windows\system32\Jbdlejmn.exe34⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Jagmpg32.exeC:\Windows\system32\Jagmpg32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Jinead32.exeC:\Windows\system32\Jinead32.exe36⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Jgqemakf.exeC:\Windows\system32\Jgqemakf.exe37⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Jjoailji.exeC:\Windows\system32\Jjoailji.exe38⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Jnkmjk32.exeC:\Windows\system32\Jnkmjk32.exe39⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Jaiiff32.exeC:\Windows\system32\Jaiiff32.exe40⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Jedefejo.exeC:\Windows\system32\Jedefejo.exe41⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Jcgfbb32.exeC:\Windows\system32\Jcgfbb32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Jnmjok32.exeC:\Windows\system32\Jnmjok32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:988 -
C:\Windows\SysWOW64\Jegble32.exeC:\Windows\system32\Jegble32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Jcjbgaog.exeC:\Windows\system32\Jcjbgaog.exe45⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Jfhocmnk.exeC:\Windows\system32\Jfhocmnk.exe46⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Jjdkdl32.exeC:\Windows\system32\Jjdkdl32.exe47⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Jmbgpg32.exeC:\Windows\system32\Jmbgpg32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Jpqclb32.exeC:\Windows\system32\Jpqclb32.exe49⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Jclomamd.exeC:\Windows\system32\Jclomamd.exe50⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Jghknp32.exeC:\Windows\system32\Jghknp32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1284 -
C:\Windows\SysWOW64\Jjfgjk32.exeC:\Windows\system32\Jjfgjk32.exe52⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Jiigehkl.exeC:\Windows\system32\Jiigehkl.exe53⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Jmdcfg32.exeC:\Windows\system32\Jmdcfg32.exe54⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Kpcpbb32.exeC:\Windows\system32\Kpcpbb32.exe55⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Kcolba32.exeC:\Windows\system32\Kcolba32.exe56⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Kbalnnam.exeC:\Windows\system32\Kbalnnam.exe57⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Kfmhol32.exeC:\Windows\system32\Kfmhol32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Kikdkh32.exeC:\Windows\system32\Kikdkh32.exe59⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Kmgpkfab.exeC:\Windows\system32\Kmgpkfab.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Kljqgc32.exeC:\Windows\system32\Kljqgc32.exe61⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Kpemgbqf.exeC:\Windows\system32\Kpemgbqf.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1432 -
C:\Windows\SysWOW64\Kcahhq32.exeC:\Windows\system32\Kcahhq32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Kbcicmpj.exeC:\Windows\system32\Kbcicmpj.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:832 -
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe66⤵
- Drops file in System32 directory
PID:756 -
C:\Windows\SysWOW64\Kinaqg32.exeC:\Windows\system32\Kinaqg32.exe67⤵
- Drops file in System32 directory
PID:1240 -
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe68⤵PID:2960
-
C:\Windows\SysWOW64\Kllmmc32.exeC:\Windows\system32\Kllmmc32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2168 -
C:\Windows\SysWOW64\Kphimanc.exeC:\Windows\system32\Kphimanc.exe70⤵PID:320
-
C:\Windows\SysWOW64\Knjiin32.exeC:\Windows\system32\Knjiin32.exe71⤵PID:2120
-
C:\Windows\SysWOW64\Kbfeimng.exeC:\Windows\system32\Kbfeimng.exe72⤵PID:2996
-
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe73⤵PID:2684
-
C:\Windows\SysWOW64\Kedaeh32.exeC:\Windows\system32\Kedaeh32.exe74⤵PID:2572
-
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe75⤵PID:2332
-
C:\Windows\SysWOW64\Khcnad32.exeC:\Windows\system32\Khcnad32.exe76⤵
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Klnjbbdh.exeC:\Windows\system32\Klnjbbdh.exe77⤵
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Kpjfba32.exeC:\Windows\system32\Kpjfba32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2256 -
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe79⤵
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe80⤵
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe81⤵PID:1480
-
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:952 -
C:\Windows\SysWOW64\Kibjkgca.exeC:\Windows\system32\Kibjkgca.exe83⤵PID:532
-
C:\Windows\SysWOW64\Khekgc32.exeC:\Windows\system32\Khekgc32.exe84⤵PID:2272
-
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe85⤵PID:1608
-
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe86⤵PID:2604
-
C:\Windows\SysWOW64\Kbkodl32.exeC:\Windows\system32\Kbkodl32.exe87⤵PID:2716
-
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe88⤵
- Modifies registry class
PID:2540 -
C:\Windows\SysWOW64\Keikqhhe.exeC:\Windows\system32\Keikqhhe.exe89⤵PID:1784
-
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe90⤵PID:1740
-
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe91⤵PID:1428
-
C:\Windows\SysWOW64\Llccmb32.exeC:\Windows\system32\Llccmb32.exe92⤵PID:2516
-
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe93⤵PID:1324
-
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1120 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe95⤵PID:3044
-
C:\Windows\SysWOW64\Lmdpejfq.exeC:\Windows\system32\Lmdpejfq.exe96⤵
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Lekhfgfc.exeC:\Windows\system32\Lekhfgfc.exe97⤵PID:1852
-
C:\Windows\SysWOW64\Ldnhad32.exeC:\Windows\system32\Ldnhad32.exe98⤵PID:1820
-
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe99⤵PID:2688
-
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1976 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe101⤵
- Drops file in System32 directory
PID:1780 -
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:444 -
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe103⤵PID:2252
-
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe104⤵PID:3012
-
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe105⤵PID:2944
-
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe106⤵PID:2072
-
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe107⤵PID:2020
-
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe108⤵
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe109⤵PID:1900
-
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe110⤵PID:2204
-
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe111⤵PID:1960
-
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe112⤵PID:572
-
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe113⤵PID:1724
-
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe114⤵PID:1652
-
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe115⤵PID:1876
-
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe116⤵PID:3056
-
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe117⤵PID:3032
-
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe118⤵PID:2644
-
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:628 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe120⤵PID:1564
-
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe121⤵PID:3048
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-