Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
138s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
29/06/2024, 02:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cb5f8af31f68c65e0b2a50a87baa1bd22cfc53c651c303f7d1b12d7fa1305355.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
cb5f8af31f68c65e0b2a50a87baa1bd22cfc53c651c303f7d1b12d7fa1305355.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
cb5f8af31f68c65e0b2a50a87baa1bd22cfc53c651c303f7d1b12d7fa1305355.exe
-
Size
64KB
-
MD5
7ada4c396e4e15774513a41a75c440eb
-
SHA1
2b8b9d12cdbd28ae863e6d48f6a9f45b809b8111
-
SHA256
cb5f8af31f68c65e0b2a50a87baa1bd22cfc53c651c303f7d1b12d7fa1305355
-
SHA512
b1a158f403de80f2ea5555d48ff4b8ae9810c20f7f11e6f8ff12e0f33860e98722c7d3163c36d1ef5cec741d5bb471ff37d44691e6dff40a07bd7524f57d10ea
-
SSDEEP
1536:mw3cNIrCCUqC0anmTQNSW7Va2LrtCYrum8SPE:mwMN+dUqXanmENSaphVT8SE
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhgmapfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhgmpfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhnmij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alhjai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbnbobin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onphoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfflopdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afiecb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Copfbfjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpdhklkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nondgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kipnfged.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhgclfje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofhick32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfbccp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghkllmoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbqecg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qpgpkcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkhpnnej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ladeqhjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Claifkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeempocb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcifgjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idklfpon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Najdnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqdajkkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Magnek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbflib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfgaiaci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgaqgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epaogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pedleg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdbdjhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmjblg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpafkknm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpkbdiqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmjjea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfegbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkjica32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ondajnme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnigda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bopicc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loeebl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpdnkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" cb5f8af31f68c65e0b2a50a87baa1bd22cfc53c651c303f7d1b12d7fa1305355.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbdlejmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaaoij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhjgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cddaphkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onphoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmlkpjpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjdfmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dccagcgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnlidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gacpdbej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogjimd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ailkjmpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emeopn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gogangdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihoafpmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knjiin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldqegd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddeaalpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbgbni32.exe -
Executes dropped EXE 64 IoCs
pid Process 2740 Inhdehbj.exe 2620 Iqgqacam.exe 2808 Ifdiijpe.exe 2920 Inkakhpg.exe 2416 Ichico32.exe 2464 Iffeoj32.exe 2684 Iidbke32.exe 2764 Ioojhpdb.exe 644 Ifhbdj32.exe 1436 Iigoqe32.exe 1324 Ikekmq32.exe 2488 Iclcnnji.exe 852 Ifkojiim.exe 2248 Imeggc32.exe 2828 Ioccco32.exe 536 Ibapoj32.exe 1420 Jilhldfn.exe 3000 Jgnhga32.exe 1064 Joepio32.exe 1964 Jbdlejmn.exe 1516 Jebiaelb.exe 2292 Jgqemakf.exe 1320 Jklanp32.exe 1680 Jjoailji.exe 2092 Jbfijjkl.exe 2964 Jedefejo.exe 2624 Jkonco32.exe 2692 Jmpjkggj.exe 2580 Jgenhp32.exe 2000 Jjdkdl32.exe 2452 Jnofejom.exe 2884 Jclomamd.exe 2408 Jjfgjk32.exe 2640 Jiigehkl.exe 1244 Kappfeln.exe 2312 Kjhdokbo.exe 1560 Kikdkh32.exe 1152 Kljqgc32.exe 1176 Kpemgbqf.exe 2208 Kfoedl32.exe 2072 Kfoedl32.exe 2252 Kebepion.exe 268 Knjiin32.exe 784 Kbfeimng.exe 1756 Kfaajlfp.exe 1952 Kipnfged.exe 2960 Khcnad32.exe 1556 Kbhbom32.exe 816 Kegnkh32.exe 2260 Khekgc32.exe 1536 Kjcgco32.exe 2512 Kbkodl32.exe 2528 Kanopipl.exe 2696 Kdlkld32.exe 2532 Llccmb32.exe 2936 Loapim32.exe 2716 Laplei32.exe 2712 Lhjdbcef.exe 1568 Lfmdnp32.exe 2460 Lkhpnnej.exe 1612 Lodlom32.exe 2228 Lmgmjjdn.exe 2236 Labhkh32.exe 2824 Lpeifeca.exe -
Loads dropped DLL 64 IoCs
pid Process 2932 cb5f8af31f68c65e0b2a50a87baa1bd22cfc53c651c303f7d1b12d7fa1305355.exe 2932 cb5f8af31f68c65e0b2a50a87baa1bd22cfc53c651c303f7d1b12d7fa1305355.exe 2740 Inhdehbj.exe 2740 Inhdehbj.exe 2620 Iqgqacam.exe 2620 Iqgqacam.exe 2808 Ifdiijpe.exe 2808 Ifdiijpe.exe 2920 Inkakhpg.exe 2920 Inkakhpg.exe 2416 Ichico32.exe 2416 Ichico32.exe 2464 Iffeoj32.exe 2464 Iffeoj32.exe 2684 Iidbke32.exe 2684 Iidbke32.exe 2764 Ioojhpdb.exe 2764 Ioojhpdb.exe 644 Ifhbdj32.exe 644 Ifhbdj32.exe 1436 Iigoqe32.exe 1436 Iigoqe32.exe 1324 Ikekmq32.exe 1324 Ikekmq32.exe 2488 Iclcnnji.exe 2488 Iclcnnji.exe 852 Ifkojiim.exe 852 Ifkojiim.exe 2248 Imeggc32.exe 2248 Imeggc32.exe 2828 Ioccco32.exe 2828 Ioccco32.exe 536 Ibapoj32.exe 536 Ibapoj32.exe 1420 Jilhldfn.exe 1420 Jilhldfn.exe 3000 Jgnhga32.exe 3000 Jgnhga32.exe 1064 Joepio32.exe 1064 Joepio32.exe 1964 Jbdlejmn.exe 1964 Jbdlejmn.exe 1516 Jebiaelb.exe 1516 Jebiaelb.exe 2292 Jgqemakf.exe 2292 Jgqemakf.exe 1320 Jklanp32.exe 1320 Jklanp32.exe 1680 Jjoailji.exe 1680 Jjoailji.exe 2092 Jbfijjkl.exe 2092 Jbfijjkl.exe 2964 Jedefejo.exe 2964 Jedefejo.exe 2624 Jkonco32.exe 2624 Jkonco32.exe 2692 Jmpjkggj.exe 2692 Jmpjkggj.exe 2580 Jgenhp32.exe 2580 Jgenhp32.exe 2000 Jjdkdl32.exe 2000 Jjdkdl32.exe 2452 Jnofejom.exe 2452 Jnofejom.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Iclcnnji.exe Ikekmq32.exe File opened for modification C:\Windows\SysWOW64\Joepio32.exe Jgnhga32.exe File created C:\Windows\SysWOW64\Dbdijd32.dll Qeqbkkej.exe File created C:\Windows\SysWOW64\Dhmcfkme.exe Ddagfm32.exe File created C:\Windows\SysWOW64\Gmjaic32.exe Gogangdc.exe File created C:\Windows\SysWOW64\Cfeoofge.dll Eihfjo32.exe File created C:\Windows\SysWOW64\Ijgdngmf.exe Ikddbj32.exe File created C:\Windows\SysWOW64\Jbgbni32.exe Joifam32.exe File created C:\Windows\SysWOW64\Njmggi32.dll Ejhlgaeh.exe File opened for modification C:\Windows\SysWOW64\Ognnoaka.dll Cljcelan.exe File created C:\Windows\SysWOW64\Hgmhlp32.dll Dcfdgiid.exe File created C:\Windows\SysWOW64\Llfifq32.exe Lihmjejl.exe File opened for modification C:\Windows\SysWOW64\Ohibdf32.exe Ofjfhk32.exe File created C:\Windows\SysWOW64\Dfmdho32.exe Dgjclbdi.exe File created C:\Windows\SysWOW64\Emeopn32.exe Eijcpoac.exe File created C:\Windows\SysWOW64\Alogkm32.dll Hcplhi32.exe File created C:\Windows\SysWOW64\Pfjbgnme.exe Pclfkc32.exe File opened for modification C:\Windows\SysWOW64\Faagpp32.exe Fmekoalh.exe File opened for modification C:\Windows\SysWOW64\Lkkmdn32.exe Ldqegd32.exe File created C:\Windows\SysWOW64\Njdpomfe.exe Ncjgbcoi.exe File opened for modification C:\Windows\SysWOW64\Nfkpdn32.exe Nghphaeo.exe File opened for modification C:\Windows\SysWOW64\Omloag32.exe Odegpj32.exe File opened for modification C:\Windows\SysWOW64\Pminkk32.exe Ongnonkb.exe File created C:\Windows\SysWOW64\Cillgpen.dll Dmafennb.exe File created C:\Windows\SysWOW64\Ldidkbpb.exe Lajhofao.exe File opened for modification C:\Windows\SysWOW64\Ofpfnqjp.exe Ogmfbd32.exe File opened for modification C:\Windows\SysWOW64\Abpfhcje.exe Admemg32.exe File created C:\Windows\SysWOW64\Afmonbqk.exe Abbbnchb.exe File opened for modification C:\Windows\SysWOW64\Gkgkbipp.exe Gldkfl32.exe File created C:\Windows\SysWOW64\Enlbgc32.dll Hiekid32.exe File created C:\Windows\SysWOW64\Nglfapnl.exe Nhiffc32.exe File opened for modification C:\Windows\SysWOW64\Ckjpacfp.exe Bhkdeggl.exe File created C:\Windows\SysWOW64\Bmnkpm32.dll Mkclhl32.exe File created C:\Windows\SysWOW64\Gokfbfnk.dll Naoniipe.exe File created C:\Windows\SysWOW64\Egjpkffe.exe Edkcojga.exe File created C:\Windows\SysWOW64\Nhabimad.dll Jbdlejmn.exe File created C:\Windows\SysWOW64\Bnhgoq32.dll Nccjhafn.exe File created C:\Windows\SysWOW64\Fgaleqmc.dll Nhdlkdkg.exe File opened for modification C:\Windows\SysWOW64\Abhimnma.exe Anlmmp32.exe File opened for modification C:\Windows\SysWOW64\Dpeekh32.exe Dhnmij32.exe File created C:\Windows\SysWOW64\Maphdl32.exe Moalhq32.exe File created C:\Windows\SysWOW64\Okoomd32.exe Omloag32.exe File created C:\Windows\SysWOW64\Gbhfilfi.dll Cfeddafl.exe File created C:\Windows\SysWOW64\Omeope32.dll Chhjkl32.exe File opened for modification C:\Windows\SysWOW64\Bhkdeggl.exe Biicik32.exe File created C:\Windows\SysWOW64\Jedefejo.exe Jbfijjkl.exe File created C:\Windows\SysWOW64\Lbjhdo32.dll Pijbfj32.exe File created C:\Windows\SysWOW64\Elmigj32.exe Eiomkn32.exe File opened for modification C:\Windows\SysWOW64\Fmekoalh.exe Fjgoce32.exe File opened for modification C:\Windows\SysWOW64\Kpkofpgq.exe Kahojc32.exe File created C:\Windows\SysWOW64\Alegac32.exe Adnopfoj.exe File created C:\Windows\SysWOW64\Jkonco32.exe Jedefejo.exe File created C:\Windows\SysWOW64\Ohfeog32.exe Ofhick32.exe File opened for modification C:\Windows\SysWOW64\Aplifb32.exe Alpmfdcb.exe File created C:\Windows\SysWOW64\Dglpbbbg.exe Dcadac32.exe File created C:\Windows\SysWOW64\Kegnkh32.exe Kbhbom32.exe File created C:\Windows\SysWOW64\Ojiich32.dll Oghlgdgk.exe File created C:\Windows\SysWOW64\Ndkakief.dll Efncicpm.exe File opened for modification C:\Windows\SysWOW64\Iokfhi32.exe Ikpjgkjq.exe File opened for modification C:\Windows\SysWOW64\Peiepfgg.exe Pmanoifd.exe File created C:\Windows\SysWOW64\Fogilika.dll Dgjclbdi.exe File created C:\Windows\SysWOW64\Pndniaop.exe Plfamfpm.exe File created C:\Windows\SysWOW64\Njdfjjia.dll Oelmai32.exe File created C:\Windows\SysWOW64\Hleajblp.dll Aiinen32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7952 7928 WerFault.exe 778 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnkbdlbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eijcpoac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhdplq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aefeijle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iimfgo32.dll" Bjlqhoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhgclfje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddokpmfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kegiig32.dll" Fpdhklkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpbefoai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Leonofpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obafnlpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpmnhglp.dll" Bblogakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjfgjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nleiqhcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdcbnc32.dll" Ogmfbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfdpip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dchali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmhccl32.dll" Behnnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ildamhjd.dll" Npnhlg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hacmcfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghlpli32.dll" Idfbkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjjacf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joplbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbfpik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kndcpj32.dll" Piphee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aplifb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kegnkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndgggf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ongnonkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qinopgfb.dll" Baqbenep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcocb32.dll" Ghkllmoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjodeppm.dll" Monhhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laplei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Libgjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikpjgkjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofjfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfjpdigc.dll" Omdneebf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Focnmm32.dll" Dbkknojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khneoedc.dll" Mhgclfje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfbenjka.dll" Ddokpmfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elmigj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flmefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkgkbipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biapcobb.dll" Jbllihbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nncahjgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkahhbbj.dll" Dqhhknjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iknnbklc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkbcln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngkmnacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpcbqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnlidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjchig32.dll" Ajejgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioojhpdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imeggc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpjiammk.dll" Abpfhcje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Claifkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdhmlbj.dll" Elmigj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjchc32.dll" Fddmgjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdfflm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keanebkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjdfmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolpjf32.dll" Pkndaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleajblp.dll" Aiinen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfegbj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2932 wrote to memory of 2740 2932 cb5f8af31f68c65e0b2a50a87baa1bd22cfc53c651c303f7d1b12d7fa1305355.exe 28 PID 2932 wrote to memory of 2740 2932 cb5f8af31f68c65e0b2a50a87baa1bd22cfc53c651c303f7d1b12d7fa1305355.exe 28 PID 2932 wrote to memory of 2740 2932 cb5f8af31f68c65e0b2a50a87baa1bd22cfc53c651c303f7d1b12d7fa1305355.exe 28 PID 2932 wrote to memory of 2740 2932 cb5f8af31f68c65e0b2a50a87baa1bd22cfc53c651c303f7d1b12d7fa1305355.exe 28 PID 2740 wrote to memory of 2620 2740 Inhdehbj.exe 29 PID 2740 wrote to memory of 2620 2740 Inhdehbj.exe 29 PID 2740 wrote to memory of 2620 2740 Inhdehbj.exe 29 PID 2740 wrote to memory of 2620 2740 Inhdehbj.exe 29 PID 2620 wrote to memory of 2808 2620 Iqgqacam.exe 30 PID 2620 wrote to memory of 2808 2620 Iqgqacam.exe 30 PID 2620 wrote to memory of 2808 2620 Iqgqacam.exe 30 PID 2620 wrote to memory of 2808 2620 Iqgqacam.exe 30 PID 2808 wrote to memory of 2920 2808 Ifdiijpe.exe 31 PID 2808 wrote to memory of 2920 2808 Ifdiijpe.exe 31 PID 2808 wrote to memory of 2920 2808 Ifdiijpe.exe 31 PID 2808 wrote to memory of 2920 2808 Ifdiijpe.exe 31 PID 2920 wrote to memory of 2416 2920 Inkakhpg.exe 32 PID 2920 wrote to memory of 2416 2920 Inkakhpg.exe 32 PID 2920 wrote to memory of 2416 2920 Inkakhpg.exe 32 PID 2920 wrote to memory of 2416 2920 Inkakhpg.exe 32 PID 2416 wrote to memory of 2464 2416 Ichico32.exe 33 PID 2416 wrote to memory of 2464 2416 Ichico32.exe 33 PID 2416 wrote to memory of 2464 2416 Ichico32.exe 33 PID 2416 wrote to memory of 2464 2416 Ichico32.exe 33 PID 2464 wrote to memory of 2684 2464 Iffeoj32.exe 34 PID 2464 wrote to memory of 2684 2464 Iffeoj32.exe 34 PID 2464 wrote to memory of 2684 2464 Iffeoj32.exe 34 PID 2464 wrote to memory of 2684 2464 Iffeoj32.exe 34 PID 2684 wrote to memory of 2764 2684 Iidbke32.exe 35 PID 2684 wrote to memory of 2764 2684 Iidbke32.exe 35 PID 2684 wrote to memory of 2764 2684 Iidbke32.exe 35 PID 2684 wrote to memory of 2764 2684 Iidbke32.exe 35 PID 2764 wrote to memory of 644 2764 Ioojhpdb.exe 36 PID 2764 wrote to memory of 644 2764 Ioojhpdb.exe 36 PID 2764 wrote to memory of 644 2764 Ioojhpdb.exe 36 PID 2764 wrote to memory of 644 2764 Ioojhpdb.exe 36 PID 644 wrote to memory of 1436 644 Ifhbdj32.exe 37 PID 644 wrote to memory of 1436 644 Ifhbdj32.exe 37 PID 644 wrote to memory of 1436 644 Ifhbdj32.exe 37 PID 644 wrote to memory of 1436 644 Ifhbdj32.exe 37 PID 1436 wrote to memory of 1324 1436 Iigoqe32.exe 38 PID 1436 wrote to memory of 1324 1436 Iigoqe32.exe 38 PID 1436 wrote to memory of 1324 1436 Iigoqe32.exe 38 PID 1436 wrote to memory of 1324 1436 Iigoqe32.exe 38 PID 1324 wrote to memory of 2488 1324 Ikekmq32.exe 39 PID 1324 wrote to memory of 2488 1324 Ikekmq32.exe 39 PID 1324 wrote to memory of 2488 1324 Ikekmq32.exe 39 PID 1324 wrote to memory of 2488 1324 Ikekmq32.exe 39 PID 2488 wrote to memory of 852 2488 Iclcnnji.exe 40 PID 2488 wrote to memory of 852 2488 Iclcnnji.exe 40 PID 2488 wrote to memory of 852 2488 Iclcnnji.exe 40 PID 2488 wrote to memory of 852 2488 Iclcnnji.exe 40 PID 852 wrote to memory of 2248 852 Ifkojiim.exe 41 PID 852 wrote to memory of 2248 852 Ifkojiim.exe 41 PID 852 wrote to memory of 2248 852 Ifkojiim.exe 41 PID 852 wrote to memory of 2248 852 Ifkojiim.exe 41 PID 2248 wrote to memory of 2828 2248 Imeggc32.exe 42 PID 2248 wrote to memory of 2828 2248 Imeggc32.exe 42 PID 2248 wrote to memory of 2828 2248 Imeggc32.exe 42 PID 2248 wrote to memory of 2828 2248 Imeggc32.exe 42 PID 2828 wrote to memory of 536 2828 Ioccco32.exe 43 PID 2828 wrote to memory of 536 2828 Ioccco32.exe 43 PID 2828 wrote to memory of 536 2828 Ioccco32.exe 43 PID 2828 wrote to memory of 536 2828 Ioccco32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\cb5f8af31f68c65e0b2a50a87baa1bd22cfc53c651c303f7d1b12d7fa1305355.exe"C:\Users\Admin\AppData\Local\Temp\cb5f8af31f68c65e0b2a50a87baa1bd22cfc53c651c303f7d1b12d7fa1305355.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Inhdehbj.exeC:\Windows\system32\Inhdehbj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Iqgqacam.exeC:\Windows\system32\Iqgqacam.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Ifdiijpe.exeC:\Windows\system32\Ifdiijpe.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Inkakhpg.exeC:\Windows\system32\Inkakhpg.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Ichico32.exeC:\Windows\system32\Ichico32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Iffeoj32.exeC:\Windows\system32\Iffeoj32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Iidbke32.exeC:\Windows\system32\Iidbke32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Ioojhpdb.exeC:\Windows\system32\Ioojhpdb.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Ifhbdj32.exeC:\Windows\system32\Ifhbdj32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:644 -
C:\Windows\SysWOW64\Iigoqe32.exeC:\Windows\system32\Iigoqe32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Ikekmq32.exeC:\Windows\system32\Ikekmq32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\Iclcnnji.exeC:\Windows\system32\Iclcnnji.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Ifkojiim.exeC:\Windows\system32\Ifkojiim.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\SysWOW64\Imeggc32.exeC:\Windows\system32\Imeggc32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Ioccco32.exeC:\Windows\system32\Ioccco32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Ibapoj32.exeC:\Windows\system32\Ibapoj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:536 -
C:\Windows\SysWOW64\Jilhldfn.exeC:\Windows\system32\Jilhldfn.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1420 -
C:\Windows\SysWOW64\Jgnhga32.exeC:\Windows\system32\Jgnhga32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3000 -
C:\Windows\SysWOW64\Joepio32.exeC:\Windows\system32\Joepio32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1064 -
C:\Windows\SysWOW64\Jbdlejmn.exeC:\Windows\system32\Jbdlejmn.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Jebiaelb.exeC:\Windows\system32\Jebiaelb.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Jgqemakf.exeC:\Windows\system32\Jgqemakf.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Windows\SysWOW64\Jklanp32.exeC:\Windows\system32\Jklanp32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1320 -
C:\Windows\SysWOW64\Jjoailji.exeC:\Windows\system32\Jjoailji.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1680 -
C:\Windows\SysWOW64\Jbfijjkl.exeC:\Windows\system32\Jbfijjkl.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\Jedefejo.exeC:\Windows\system32\Jedefejo.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2964 -
C:\Windows\SysWOW64\Jkonco32.exeC:\Windows\system32\Jkonco32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Jmpjkggj.exeC:\Windows\system32\Jmpjkggj.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2692 -
C:\Windows\SysWOW64\Jgenhp32.exeC:\Windows\system32\Jgenhp32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Jjdkdl32.exeC:\Windows\system32\Jjdkdl32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
C:\Windows\SysWOW64\Jnofejom.exeC:\Windows\system32\Jnofejom.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Jclomamd.exeC:\Windows\system32\Jclomamd.exe33⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Jjfgjk32.exeC:\Windows\system32\Jjfgjk32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Jiigehkl.exeC:\Windows\system32\Jiigehkl.exe35⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Kappfeln.exeC:\Windows\system32\Kappfeln.exe36⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Kjhdokbo.exeC:\Windows\system32\Kjhdokbo.exe37⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Kikdkh32.exeC:\Windows\system32\Kikdkh32.exe38⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Kljqgc32.exeC:\Windows\system32\Kljqgc32.exe39⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Kpemgbqf.exeC:\Windows\system32\Kpemgbqf.exe40⤵
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe41⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe42⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe43⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Knjiin32.exeC:\Windows\system32\Knjiin32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:268 -
C:\Windows\SysWOW64\Kbfeimng.exeC:\Windows\system32\Kbfeimng.exe45⤵
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe46⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Khcnad32.exeC:\Windows\system32\Khcnad32.exe48⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1556 -
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:816 -
C:\Windows\SysWOW64\Khekgc32.exeC:\Windows\system32\Khekgc32.exe51⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe52⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Kbkodl32.exeC:\Windows\system32\Kbkodl32.exe53⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe54⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe55⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Llccmb32.exeC:\Windows\system32\Llccmb32.exe56⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe57⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe59⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe60⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Lodlom32.exeC:\Windows\system32\Lodlom32.exe62⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe63⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe64⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe65⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1004 -
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe67⤵PID:348
-
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe68⤵PID:1672
-
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1488 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe70⤵PID:1060
-
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe71⤵PID:1540
-
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe72⤵PID:2956
-
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe73⤵PID:2680
-
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe74⤵PID:2476
-
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe75⤵PID:1592
-
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe76⤵
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe77⤵PID:2788
-
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe78⤵PID:1256
-
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe79⤵PID:1056
-
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe80⤵PID:1960
-
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe81⤵
- Modifies registry class
PID:796 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1992 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe83⤵PID:1136
-
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe84⤵
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe85⤵PID:2984
-
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe86⤵PID:1532
-
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe87⤵PID:2676
-
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe88⤵PID:2672
-
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe89⤵PID:2644
-
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe90⤵PID:2304
-
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe91⤵PID:1752
-
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe92⤵PID:1668
-
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe93⤵PID:1728
-
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:604 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe95⤵PID:2308
-
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe96⤵PID:1112
-
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe97⤵PID:1368
-
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe98⤵PID:716
-
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe99⤵PID:2564
-
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe100⤵
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2168 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe102⤵PID:352
-
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe103⤵PID:2768
-
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe104⤵PID:1768
-
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe105⤵PID:2224
-
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe106⤵PID:2044
-
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe107⤵PID:1940
-
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe108⤵
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe109⤵
- Drops file in System32 directory
PID:860 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe110⤵PID:1604
-
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe111⤵PID:1304
-
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe112⤵PID:2560
-
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe113⤵
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe114⤵
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe115⤵PID:2736
-
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe116⤵PID:1624
-
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe117⤵
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe118⤵PID:1264
-
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe119⤵
- Modifies registry class
PID:1972 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe120⤵PID:2220
-
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe121⤵PID:448
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-