Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64 arch:x86 image:win7-20240419-en locale:en-us os:windows7-x64 system
submitted: 30/06/2024, 00:26
Static task: static1
Behavioral task: behavioral1
  Sample: 9fd329fc6ec345c34521af31c3f1445a0ae003c7998e97e8eef8aabba94a2112.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 9fd329fc6ec345c34521af31c3f1445a0ae003c7998e97e8eef8aabba94a2112.exe
  Resource: win10v2004-20240508-en
General
Target: 9fd329fc6ec345c34521af31c3f1445a0ae003c7998e97e8eef8aabba94a2112.exe
Size: 135KB
MD5: 49011b2588318f94623e7ca8caa0facb
SHA1: 953e12c65630edb765d6e3fe4881bc1077604d26
SHA256: 9fd329fc6ec345c34521af31c3f1445a0ae003c7998e97e8eef8aabba94a2112
SHA512: d6f541a09b4d674cf0ac3094188aad7fba805de5833ff0d050451c492dd2d906e44c81e0d0c211625019e343ea9c5119ebbebeae996fb9d0f5de7b0e1e70e38b
SSDEEP: 3072:US+WKvz2b4T3K8Qr5+ViKGe7Yfs0a0Uoi:R+WKvz2b4T3K9cViK4fs0l
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ocnfbo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Obcccl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bhahlj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dqjepm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eflgccbp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Peiepfgg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pjmodopf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dgodbh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pcfcmd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lhmjkaoc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mmceigep.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qagcpljo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bbdocc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mgqcmlgl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpigfa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mcjkcplm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jiondcpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lmnbkinf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qimhoi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bloqah32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Claifkkf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lbfahp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Affhncfc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cllpkl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gphmeo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lhbcfa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nnnojlpa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qljkhe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oqmmpd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aplifb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gbkgnfbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hiqbndpb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Okgnab32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Flabbihl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kpkofpgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ghhofmql.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Efaibbij.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pbiciana.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Egamfkdh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nefpnhlc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aenbdoii.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Enihne32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nacgdhlp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pgeefbhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pabjem32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Apomfh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mmceigep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oddpfc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aemkjiem.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pbkpna32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Icmlam32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ocimgp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Abmibdlh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fmlapp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Phjelg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhbped32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nhkbkc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ofjfhk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Okalbc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Amndem32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ikbgmj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lbeknj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kmimafop.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nccjhafn.exe
Executes dropped EXE (64 IoCs)
pid | Process
1980 | Inhdehbj.exe
2612 | Icemmopa.exe
2560 | Ijoeji32.exe
1936 | Imnafd32.exe
2508 | Iqimgc32.exe
2576 | Ichico32.exe
884 | Iidbke32.exe
2672 | Impnldeo.exe
1584 | Ioojhpdb.exe
1784 | Ibmfdkcf.exe
1452 | Ijdnehci.exe
1416 | Iigoqe32.exe
2832 | Ikekmq32.exe
2944 | Ibocjk32.exe
2208 | Ifkojiim.exe
380 | Iiikfehq.exe
640 | Ikggbpgd.exe
1812 | Ioccco32.exe
396 | Ibapoj32.exe
408 | Jilhldfn.exe
2124 | Jilhldfn.exe
1692 | Jkjdhpea.exe
748 | Joepio32.exe
744 | Jagmpg32.exe
1904 | Jebiaelb.exe
2008 | Jgqemakf.exe
3008 | Jjoailji.exe
2580 | Jbfijjkl.exe
2492 | Jedefejo.exe
2500 | Jgcabqic.exe
1260 | Jmpjkggj.exe
2748 | Jegble32.exe
1768 | Jfhocmnk.exe
2416 | Jjdkdl32.exe
1244 | Jmbgpg32.exe
2040 | Jpqclb32.exe
2932 | Jclomamd.exe
1864 | Jfkkimlh.exe
756 | Jjfgjk32.exe
2816 | Jmdcfg32.exe
1172 | Kappfeln.exe
556 | Kfmhol32.exe
1248 | Kikdkh32.exe
1820 | Kljqgc32.exe
1672 | Kcahhq32.exe
2156 | Kfoedl32.exe
2868 | Kinaqg32.exe
1400 | Kmimafop.exe
2616 | Kllmmc32.exe
2484 | Kphimanc.exe
2880 | Knjiin32.exe
2872 | Kfaajlfp.exe
1676 | Kedaeh32.exe
1204 | Kipnfged.exe
3016 | Klnjbbdh.exe
2380 | Kpjfba32.exe
860 | Kegnkh32.exe
1432 | Kibjkgca.exe
2296 | Khekgc32.exe
2568 | Koocdnai.exe
2828 | Kbkodl32.exe
2796 | Keikqhhe.exe
3004 | Lhggmchi.exe
2420 | Llccmb32.exe
Loads dropped DLL (64 IoCs)
pid | Process
1732 | 9fd329fc6ec345c34521af31c3f1445a0ae003c7998e97e8eef8aabba94a2112.exe
1732 | 9fd329fc6ec345c34521af31c3f1445a0ae003c7998e97e8eef8aabba94a2112.exe
1980 | Inhdehbj.exe
1980 | Inhdehbj.exe
2612 | Icemmopa.exe
2612 | Icemmopa.exe
2560 | Ijoeji32.exe
2560 | Ijoeji32.exe
1936 | Imnafd32.exe
1936 | Imnafd32.exe
2508 | Iqimgc32.exe
2508 | Iqimgc32.exe
2576 | Ichico32.exe
2576 | Ichico32.exe
884 | Iidbke32.exe
884 | Iidbke32.exe
2672 | Impnldeo.exe
2672 | Impnldeo.exe
1584 | Ioojhpdb.exe
1584 | Ioojhpdb.exe
1784 | Ibmfdkcf.exe
1784 | Ibmfdkcf.exe
1452 | Ijdnehci.exe
1452 | Ijdnehci.exe
1416 | Iigoqe32.exe
1416 | Iigoqe32.exe
2832 | Ikekmq32.exe
2832 | Ikekmq32.exe
2944 | Ibocjk32.exe
2944 | Ibocjk32.exe
2208 | Ifkojiim.exe
2208 | Ifkojiim.exe
380 | Iiikfehq.exe
380 | Iiikfehq.exe
640 | Ikggbpgd.exe
640 | Ikggbpgd.exe
1812 | Ioccco32.exe
1812 | Ioccco32.exe
396 | Ibapoj32.exe
396 | Ibapoj32.exe
408 | Jilhldfn.exe
408 | Jilhldfn.exe
2124 | Jilhldfn.exe
2124 | Jilhldfn.exe
1692 | Jkjdhpea.exe
1692 | Jkjdhpea.exe
748 | Joepio32.exe
748 | Joepio32.exe
744 | Jagmpg32.exe
744 | Jagmpg32.exe
1904 | Jebiaelb.exe
1904 | Jebiaelb.exe
2008 | Jgqemakf.exe
2008 | Jgqemakf.exe
3008 | Jjoailji.exe
3008 | Jjoailji.exe
2580 | Jbfijjkl.exe
2580 | Jbfijjkl.exe
2492 | Jedefejo.exe
2492 | Jedefejo.exe
2500 | Jgcabqic.exe
2500 | Jgcabqic.exe
1260 | Jmpjkggj.exe
1260 | Jmpjkggj.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Madapkmp.exe | Mnieom32.exe
File opened for modification | C:\Windows\SysWOW64\Nohnhc32.exe | Nkmbgdfl.exe
File created | C:\Windows\SysWOW64\Gqpnhgek.dll | Oelmai32.exe
File created | C:\Windows\SysWOW64\Gfhemi32.dll | Bpfcgg32.exe
File created | C:\Windows\SysWOW64\Cnbpqb32.dll | Baildokg.exe
File created | C:\Windows\SysWOW64\Ckffgg32.exe | Clcflkic.exe
File created | C:\Windows\SysWOW64\Okhklfnh.dll | Lkppbl32.exe
File opened for modification | C:\Windows\SysWOW64\Mbpnanch.exe | Mdmmfa32.exe
File created | C:\Windows\SysWOW64\Gonahjjd.dll | Nhiffc32.exe
File opened for modification | C:\Windows\SysWOW64\Ombapedi.exe | Ohfeog32.exe
File opened for modification | C:\Windows\SysWOW64\Mkobnqan.exe | Mhqfbebj.exe
File created | C:\Windows\SysWOW64\Eaepofcm.dll | Mkobnqan.exe
File created | C:\Windows\SysWOW64\Jkjecnop.dll | Bkaqmeah.exe
File created | C:\Windows\SysWOW64\Hicodd32.exe | Hkpnhgge.exe
File created | C:\Windows\SysWOW64\Llkbap32.exe | Lhpfqama.exe
File created | C:\Windows\SysWOW64\Knjbnh32.exe | Kjnfniii.exe
File created | C:\Windows\SysWOW64\Iopodh32.dll | Mdmmfa32.exe
File created | C:\Windows\SysWOW64\Coelaaoi.exe | Blgpef32.exe
File created | C:\Windows\SysWOW64\Dlnbeh32.exe | Dbhnhp32.exe
File created | C:\Windows\SysWOW64\Mcbndm32.dll | Dhjgal32.exe
File opened for modification | C:\Windows\SysWOW64\Najdnj32.exe | Ncgdbmmp.exe
File created | C:\Windows\SysWOW64\Naoniipe.exe | Nncahjgl.exe
File opened for modification | C:\Windows\SysWOW64\Ihankokm.exe | Idfbkq32.exe
File created | C:\Windows\SysWOW64\Bhlhkl32.dll | Kjljhjkl.exe
File created | C:\Windows\SysWOW64\Cahqdihi.dll | Aemkjiem.exe
File created | C:\Windows\SysWOW64\Eqonkmdh.exe | Emcbkn32.exe
File created | C:\Windows\SysWOW64\Idceea32.exe | Ieqeidnl.exe
File created | C:\Windows\SysWOW64\Bjlcgibn.dll | Inqcif32.exe
File created | C:\Windows\SysWOW64\Baoohhdn.dll | Kkijmm32.exe
File created | C:\Windows\SysWOW64\Maoajf32.exe | Mmceigep.exe
File opened for modification | C:\Windows\SysWOW64\Oqmmpd32.exe | Ombapedi.exe
File created | C:\Windows\SysWOW64\Lhcecp32.dll | Adjigg32.exe
File created | C:\Windows\SysWOW64\Jdnaob32.dll | Ioijbj32.exe
File created | C:\Windows\SysWOW64\Logbhl32.exe | Lpdbloof.exe
File opened for modification | C:\Windows\SysWOW64\Mkeimlfm.exe | Mhgmapfi.exe
File created | C:\Windows\SysWOW64\Nefpnhlc.exe | Najdnj32.exe
File created | C:\Windows\SysWOW64\Pmmokmik.dll | Ocimgp32.exe
File created | C:\Windows\SysWOW64\Benfcheg.dll | Mgfgdn32.exe
File created | C:\Windows\SysWOW64\Cpeofk32.exe | Cljcelan.exe
File created | C:\Windows\SysWOW64\Gddifnbk.exe | Gphmeo32.exe
File created | C:\Windows\SysWOW64\Kgoboqcm.dll | Ojolhk32.exe
File created | C:\Windows\SysWOW64\Lqhkemqo.dll | Jfhocmnk.exe
File opened for modification | C:\Windows\SysWOW64\Kljqgc32.exe | Kikdkh32.exe
File created | C:\Windows\SysWOW64\Pjgjmd32.dll | Ogjimd32.exe
File created | C:\Windows\SysWOW64\Kqmoql32.dll | Ppamme32.exe
File opened for modification | C:\Windows\SysWOW64\Cfbhnaho.exe | Cgpgce32.exe
File created | C:\Windows\SysWOW64\Dbbkja32.exe | Dngoibmo.exe
File opened for modification | C:\Windows\SysWOW64\Fhkpmjln.exe | Fdoclk32.exe
File created | C:\Windows\SysWOW64\Jgnamk32.exe | Jcbellac.exe
File opened for modification | C:\Windows\SysWOW64\Kmaled32.exe | Kifpdelo.exe
File created | C:\Windows\SysWOW64\Nneloe32.dll | Oklkmnbp.exe
File opened for modification | C:\Windows\SysWOW64\Ojcecjee.exe | Ofhick32.exe
File created | C:\Windows\SysWOW64\Enbfpg32.dll | Pogclp32.exe
File opened for modification | C:\Windows\SysWOW64\Kmimafop.exe | Kinaqg32.exe
File opened for modification | C:\Windows\SysWOW64\Pigeqkai.exe | Pelipl32.exe
File opened for modification | C:\Windows\SysWOW64\Jfcfmmpb.dll | Ailkjmpo.exe
File created | C:\Windows\SysWOW64\Dgfjbgmh.exe | Dcknbh32.exe
File created | C:\Windows\SysWOW64\Lmcijcbe.exe | Lihmjejl.exe
File created | C:\Windows\SysWOW64\Njcmkmii.dll | Lganiohl.exe
File created | C:\Windows\SysWOW64\Abmjii32.dll | Okoomd32.exe
File opened for modification | C:\Windows\SysWOW64\Pelipl32.exe | Pbmmcq32.exe
File created | C:\Windows\SysWOW64\Pheafa32.dll | Cjbmjplb.exe
File opened for modification | C:\Windows\SysWOW64\Ckffgg32.exe | Clcflkic.exe
File created | C:\Windows\SysWOW64\Jqfffqpm.exe | Jmjjea32.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
8504 | 8900 | WerFault.exe | 971
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jfhocmnk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ecpgmhai.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ghkllmoi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Libgjj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gonnhhln.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hdhbam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Olpdjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqelfddi.dll" | Dhpiojfb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ikddbj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jddnncch.dll" | Miooigfo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ngpolo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacpn32.dll" | Mlelaeqk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdmeemc.dll" | Plcdgfbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cjpqdp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eeqdep32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hhjhkq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijfoo32.dll" | Pjcabmga.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Efaibbij.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jcdbbloa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mpdnkb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cahqdihi.dll" | Aemkjiem.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fddmgjpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iknqdmpf.dll" | Idhopq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Odobjg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lmdpejfq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeahel32.dll" | Amejeljk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bnpmipql.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcbaa32.dll" | Dqelenlc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eilpeooq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pfflopdh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Efncicpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaeldika.dll" | Fjgoce32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Peiepfgg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjecjlhb.dll" | Knjiin32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kbkodl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ognnoaka.dll" | Cngcjo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mhbped32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dfamcogo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | 9fd329fc6ec345c34521af31c3f1445a0ae003c7998e97e8eef8aabba94a2112.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lhlqhb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oomhcbjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gbkgnfbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mpbaebdd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpidpbna.dll" | Lkhpnnej.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pofgpn32.dll" | Qaefjm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pfoocjfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbfpg32.dll" | Pogclp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Klnjbbdh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ofdcjm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Idmhkpml.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jnqphi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mamddf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Okalbc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpnhh32.dll" | Pelipl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpjfeia.dll" | Dmafennb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongbcmlc.dll" | Fnbkddem.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Igihbknb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omkepc32.dll" | Nceclqan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfjpdigc.dll" | Omdneebf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Egafleqm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bdooajdc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiogaqdb.dll" | Hhjhkq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chgdod32.dll" | Jokcgmee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeoliecf.dll" | Jfekcg32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1732 wrote to memory of 1980 | 1732 | 9fd329fc6ec345c34521af31c3f1445a0ae003c7998e97e8eef8aabba94a2112.exe | 28
PID 1732 wrote to memory of 1980 | 1732 | 9fd329fc6ec345c34521af31c3f1445a0ae003c7998e97e8eef8aabba94a2112.exe | 28
PID 1732 wrote to memory of 1980 | 1732 | 9fd329fc6ec345c34521af31c3f1445a0ae003c7998e97e8eef8aabba94a2112.exe | 28
PID 1732 wrote to memory of 1980 | 1732 | 9fd329fc6ec345c34521af31c3f1445a0ae003c7998e97e8eef8aabba94a2112.exe | 28
PID 1980 wrote to memory of 2612 | 1980 | Inhdehbj.exe | 29
PID 1980 wrote to memory of 2612 | 1980 | Inhdehbj.exe | 29
PID 1980 wrote to memory of 2612 | 1980 | Inhdehbj.exe | 29
PID 1980 wrote to memory of 2612 | 1980 | Inhdehbj.exe | 29
PID 2612 wrote to memory of 2560 | 2612 | Icemmopa.exe | 30
PID 2612 wrote to memory of 2560 | 2612 | Icemmopa.exe | 30
PID 2612 wrote to memory of 2560 | 2612 | Icemmopa.exe | 30
PID 2612 wrote to memory of 2560 | 2612 | Icemmopa.exe | 30
PID 2560 wrote to memory of 1936 | 2560 | Ijoeji32.exe | 31
PID 2560 wrote to memory of 1936 | 2560 | Ijoeji32.exe | 31
PID 2560 wrote to memory of 1936 | 2560 | Ijoeji32.exe | 31
PID 2560 wrote to memory of 1936 | 2560 | Ijoeji32.exe | 31
PID 1936 wrote to memory of 2508 | 1936 | Imnafd32.exe | 32
PID 1936 wrote to memory of 2508 | 1936 | Imnafd32.exe | 32
PID 1936 wrote to memory of 2508 | 1936 | Imnafd32.exe | 32
PID 1936 wrote to memory of 2508 | 1936 | Imnafd32.exe | 32
PID 2508 wrote to memory of 2576 | 2508 | Iqimgc32.exe | 33
PID 2508 wrote to memory of 2576 | 2508 | Iqimgc32.exe | 33
PID 2508 wrote to memory of 2576 | 2508 | Iqimgc32.exe | 33
PID 2508 wrote to memory of 2576 | 2508 | Iqimgc32.exe | 33
PID 2576 wrote to memory of 884 | 2576 | Ichico32.exe | 34
PID 2576 wrote to memory of 884 | 2576 | Ichico32.exe | 34
PID 2576 wrote to memory of 884 | 2576 | Ichico32.exe | 34
PID 2576 wrote to memory of 884 | 2576 | Ichico32.exe | 34
PID 884 wrote to memory of 2672 | 884 | Iidbke32.exe | 35
PID 884 wrote to memory of 2672 | 884 | Iidbke32.exe | 35
PID 884 wrote to memory of 2672 | 884 | Iidbke32.exe | 35
PID 884 wrote to memory of 2672 | 884 | Iidbke32.exe | 35
PID 2672 wrote to memory of 1584 | 2672 | Impnldeo.exe | 36
PID 2672 wrote to memory of 1584 | 2672 | Impnldeo.exe | 36
PID 2672 wrote to memory of 1584 | 2672 | Impnldeo.exe | 36
PID 2672 wrote to memory of 1584 | 2672 | Impnldeo.exe | 36
PID 1584 wrote to memory of 1784 | 1584 | Ioojhpdb.exe | 37
PID 1584 wrote to memory of 1784 | 1584 | Ioojhpdb.exe | 37
PID 1584 wrote to memory of 1784 | 1584 | Ioojhpdb.exe | 37
PID 1584 wrote to memory of 1784 | 1584 | Ioojhpdb.exe | 37
PID 1784 wrote to memory of 1452 | 1784 | Ibmfdkcf.exe | 38
PID 1784 wrote to memory of 1452 | 1784 | Ibmfdkcf.exe | 38
PID 1784 wrote to memory of 1452 | 1784 | Ibmfdkcf.exe | 38
PID 1784 wrote to memory of 1452 | 1784 | Ibmfdkcf.exe | 38
PID 1452 wrote to memory of 1416 | 1452 | Ijdnehci.exe | 39
PID 1452 wrote to memory of 1416 | 1452 | Ijdnehci.exe | 39
PID 1452 wrote to memory of 1416 | 1452 | Ijdnehci.exe | 39
PID 1452 wrote to memory of 1416 | 1452 | Ijdnehci.exe | 39
PID 1416 wrote to memory of 2832 | 1416 | Iigoqe32.exe | 40
PID 1416 wrote to memory of 2832 | 1416 | Iigoqe32.exe | 40
PID 1416 wrote to memory of 2832 | 1416 | Iigoqe32.exe | 40
PID 1416 wrote to memory of 2832 | 1416 | Iigoqe32.exe | 40
PID 2832 wrote to memory of 2944 | 2832 | Ikekmq32.exe | 41
PID 2832 wrote to memory of 2944 | 2832 | Ikekmq32.exe | 41
PID 2832 wrote to memory of 2944 | 2832 | Ikekmq32.exe | 41
PID 2832 wrote to memory of 2944 | 2832 | Ikekmq32.exe | 41
PID 2944 wrote to memory of 2208 | 2944 | Ibocjk32.exe | 42
PID 2944 wrote to memory of 2208 | 2944 | Ibocjk32.exe | 42
PID 2944 wrote to memory of 2208 | 2944 | Ibocjk32.exe | 42
PID 2944 wrote to memory of 2208 | 2944 | Ibocjk32.exe | 42
PID 2208 wrote to memory of 380 | 2208 | Ifkojiim.exe | 43
PID 2208 wrote to memory of 380 | 2208 | Ifkojiim.exe | 43
PID 2208 wrote to memory of 380 | 2208 | Ifkojiim.exe | 43
PID 2208 wrote to memory of 380 | 2208 | Ifkojiim.exe | 43
Processes
- C:\Users\Admin\AppData\Local\Temp\9fd329fc6ec345c34521af31c3f1445a0ae003c7998e97e8eef8aabba94a2112.exe (command line: "C:\Users\Admin\AppData\Local\Temp\9fd329fc6ec345c34521af31c3f1445a0ae003c7998e97e8eef8aabba94a2112.exe", depth 1)
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1732
- C:\Windows\SysWOW64\Inhdehbj.exe (command line: C:\Windows\system32\Inhdehbj.exe, depth 2)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1980
- C:\Windows\SysWOW64\Icemmopa.exe (command line: C:\Windows\system32\Icemmopa.exe, depth 3)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2612
- C:\Windows\SysWOW64\Ijoeji32.exe (command line: C:\Windows\system32\Ijoeji32.exe, depth 4)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2560
- C:\Windows\SysWOW64\Imnafd32.exe (command line: C:\Windows\system32\Imnafd32.exe, depth 5)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1936
- C:\Windows\SysWOW64\Iqimgc32.exe (command line: C:\Windows\system32\Iqimgc32.exe, depth 6)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2508
- C:\Windows\SysWOW64\Ichico32.exe (command line: C:\Windows\system32\Ichico32.exe, depth 7)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2576
- C:\Windows\SysWOW64\Iidbke32.exe (command line: C:\Windows\system32\Iidbke32.exe, depth 8)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 884
- C:\Windows\SysWOW64\Impnldeo.exe (command line: C:\Windows\system32\Impnldeo.exe, depth 9)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2672
- C:\Windows\SysWOW64\Ioojhpdb.exe (command line: C:\Windows\system32\Ioojhpdb.exe, depth 10)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1584
- C:\Windows\SysWOW64\Ibmfdkcf.exe (command line: C:\Windows\system32\Ibmfdkcf.exe, depth 11)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1784
- C:\Windows\SysWOW64\Ijdnehci.exe (command line: C:\Windows\system32\Ijdnehci.exe, depth 12)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1452
- C:\Windows\SysWOW64\Iigoqe32.exe (command line: C:\Windows\system32\Iigoqe32.exe, depth 13)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1416
- C:\Windows\SysWOW64\Ikekmq32.exe (command line: C:\Windows\system32\Ikekmq32.exe, depth 14)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2832
- C:\Windows\SysWOW64\Ibocjk32.exe (command line: C:\Windows\system32\Ibocjk32.exe, depth 15)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2944
- C:\Windows\SysWOW64\Ifkojiim.exe (command line: C:\Windows\system32\Ifkojiim.exe, depth 16)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2208
- C:\Windows\SysWOW64\Iiikfehq.exe (command line: C:\Windows\system32\Iiikfehq.exe, depth 17)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 380
- C:\Windows\SysWOW64\Ikggbpgd.exe (command line: C:\Windows\system32\Ikggbpgd.exe, depth 18)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 640
- C:\Windows\SysWOW64\Ioccco32.exe (command line: C:\Windows\system32\Ioccco32.exe, depth 19)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1812
- C:\Windows\SysWOW64\Ibapoj32.exe (command line: C:\Windows\system32\Ibapoj32.exe, depth 20)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 396
- C:\Windows\SysWOW64\Jilhldfn.exe (command line: C:\Windows\system32\Jilhldfn.exe, depth 21)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 408
- C:\Windows\SysWOW64\Jilhldfn.exe (command line: C:\Windows\system32\Jilhldfn.exe, depth 22)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2124
- C:\Windows\SysWOW64\Jkjdhpea.exe (command line: C:\Windows\system32\Jkjdhpea.exe, depth 23)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1692
- C:\Windows\SysWOW64\Joepio32.exe (command line: C:\Windows\system32\Joepio32.exe, depth 24)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 748
- C:\Windows\SysWOW64\Jagmpg32.exe (command line: C:\Windows\system32\Jagmpg32.exe, depth 25)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 744
- C:\Windows\SysWOW64\Jebiaelb.exe (command line: C:\Windows\system32\Jebiaelb.exe, depth 26)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1904
- C:\Windows\SysWOW64\Jgqemakf.exe (command line: C:\Windows\system32\Jgqemakf.exe, depth 27)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2008
- C:\Windows\SysWOW64\Jjoailji.exe (command line: C:\Windows\system32\Jjoailji.exe, depth 28)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 3008
- C:\Windows\SysWOW64\Jbfijjkl.exe (command line: C:\Windows\system32\Jbfijjkl.exe, depth 29)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2580
- C:\Windows\SysWOW64\Jedefejo.exe (command line: C:\Windows\system32\Jedefejo.exe, depth 30)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2492
- C:\Windows\SysWOW64\Jgcabqic.exe (command line: C:\Windows\system32\Jgcabqic.exe, depth 31)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2500
- C:\Windows\SysWOW64\Jmpjkggj.exe (command line: C:\Windows\system32\Jmpjkggj.exe, depth 32)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1260
- C:\Windows\SysWOW64\Jegble32.exe (command line: C:\Windows\system32\Jegble32.exe, depth 33)
  - Executes dropped EXE
  PID: 2748
- C:\Windows\SysWOW64\Jfhocmnk.exe (command line: C:\Windows\system32\Jfhocmnk.exe, depth 34)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID: 1768
- C:\Windows\SysWOW64\Jjdkdl32.exe (command line: C:\Windows\system32\Jjdkdl32.exe, depth 35)
  - Executes dropped EXE
  PID: 2416
- C:\Windows\SysWOW64\Jmbgpg32.exe (command line: C:\Windows\system32\Jmbgpg32.exe, depth 36)
  - Executes dropped EXE
  PID: 1244
- C:\Windows\SysWOW64\Jpqclb32.exe (command line: C:\Windows\system32\Jpqclb32.exe, depth 37)
  - Executes dropped EXE
  PID: 2040
- C:\Windows\SysWOW64\Jclomamd.exe (command line: C:\Windows\system32\Jclomamd.exe, depth 38)
  - Executes dropped EXE
  PID: 2932
- C:\Windows\SysWOW64\Jfkkimlh.exe (command line: C:\Windows\system32\Jfkkimlh.exe, depth 39)
  - Executes dropped EXE
  PID: 1864
- C:\Windows\SysWOW64\Jjfgjk32.exe (command line: C:\Windows\system32\Jjfgjk32.exe, depth 40)
  - Executes dropped EXE
  PID: 756
- C:\Windows\SysWOW64\Jmdcfg32.exe (command line: C:\Windows\system32\Jmdcfg32.exe, depth 41)
  - Executes dropped EXE
  PID: 2816
- C:\Windows\SysWOW64\Kappfeln.exe (command line: C:\Windows\system32\Kappfeln.exe, depth 42)
  - Executes dropped EXE
  PID: 1172
- C:\Windows\SysWOW64\Kfmhol32.exe (command line: C:\Windows\system32\Kfmhol32.exe, depth 43)
  - Executes dropped EXE
  PID: 556
- C:\Windows\SysWOW64\Kikdkh32.exe (command line: C:\Windows\system32\Kikdkh32.exe, depth 44)
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 1248
- C:\Windows\SysWOW64\Kljqgc32.exe (command line: C:\Windows\system32\Kljqgc32.exe, depth 45)
  - Executes dropped EXE
  PID: 1820
- C:\Windows\SysWOW64\Kcahhq32.exe (command line: C:\Windows\system32\Kcahhq32.exe, depth 46)
  - Executes dropped EXE
  PID: 1672
- C:\Windows\SysWOW64\Kfoedl32.exe (command line: C:\Windows\system32\Kfoedl32.exe, depth 47)
  - Executes dropped EXE
  PID: 2156
- C:\Windows\SysWOW64\Kinaqg32.exe (command line: C:\Windows\system32\Kinaqg32.exe, depth 48)
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 2868
- C:\Windows\SysWOW64\Kmimafop.exe (command line: C:\Windows\system32\Kmimafop.exe, depth 49)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 1400
- C:\Windows\SysWOW64\Kllmmc32.exe (command line: C:\Windows\system32\Kllmmc32.exe, depth 50)
  - Executes dropped EXE
  PID: 2616
- C:\Windows\SysWOW64\Kphimanc.exe (command line: C:\Windows\system32\Kphimanc.exe, depth 51)
  - Executes dropped EXE
  PID: 2484
- C:\Windows\SysWOW64\Knjiin32.exe (command line: C:\Windows\system32\Knjiin32.exe, depth 52)
  - Executes dropped EXE
  - Modifies registry class
  PID: 2880
- C:\Windows\SysWOW64\Kfaajlfp.exe (command line: C:\Windows\system32\Kfaajlfp.exe, depth 53)
  - Executes dropped EXE
  PID: 2872
- C:\Windows\SysWOW64\Kedaeh32.exe (command line: C:\Windows\system32\Kedaeh32.exe, depth 54)
  - Executes dropped EXE
  PID: 1676
- C:\Windows\SysWOW64\Kipnfged.exe (command line: C:\Windows\system32\Kipnfged.exe, depth 55)
  - Executes dropped EXE
  PID: 1204
- C:\Windows\SysWOW64\Klnjbbdh.exe (command line: C:\Windows\system32\Klnjbbdh.exe, depth 56)
  - Executes dropped EXE
  - Modifies registry class
  PID: 3016
- C:\Windows\SysWOW64\Kpjfba32.exe (command line: C:\Windows\system32\Kpjfba32.exe, depth 57)
  - Executes dropped EXE
  PID: 2380
- C:\Windows\SysWOW64\Kegnkh32.exe (command line: C:\Windows\system32\Kegnkh32.exe, depth 58)
  - Executes dropped EXE
  PID: 860
- C:\Windows\SysWOW64\Kibjkgca.exe (command line: C:\Windows\system32\Kibjkgca.exe, depth 59)
  - Executes dropped EXE
  PID: 1432
- C:\Windows\SysWOW64\Khekgc32.exe (command line: C:\Windows\system32\Khekgc32.exe, depth 60)
  - Executes dropped EXE
  PID: 2296
- C:\Windows\SysWOW64\Koocdnai.exe (command line: C:\Windows\system32\Koocdnai.exe, depth 61)
  - Executes dropped EXE
  PID: 2568
- C:\Windows\SysWOW64\Kbkodl32.exe (command line: C:\Windows\system32\Kbkodl32.exe, depth 62)
  - Executes dropped EXE
  - Modifies registry class
  PID: 2828
- C:\Windows\SysWOW64\Keikqhhe.exe (command line: C:\Windows\system32\Keikqhhe.exe, depth 63)
  - Executes dropped EXE
  PID: 2796
- C:\Windows\SysWOW64\Lhggmchi.exe (command line: C:\Windows\system32\Lhggmchi.exe, depth 64)
  - Executes dropped EXE
  PID: 3004
- C:\Windows\SysWOW64\Llccmb32.exe (command line: C:\Windows\system32\Llccmb32.exe, depth 65)
  - Executes dropped EXE
  PID: 2420
- C:\Windows\SysWOW64\Loapim32.exe (command line: C:\Windows\system32\Loapim32.exe, depth 66)
  PID: 2600
- C:\Windows\SysWOW64\Lmdpejfq.exe (command line: C:\Windows\system32\Lmdpejfq.exe, depth 67)
  - Modifies registry class
  PID: 2752
- C:\Windows\SysWOW64\Laplei32.exe (command line: C:\Windows\system32\Laplei32.exe, depth 68)
  PID: 2456
- C:\Windows\SysWOW64\Ldnhad32.exe (command line: C:\Windows\system32\Ldnhad32.exe, depth 69)
  PID: 2660
- C:\Windows\SysWOW64\Lhjdbcef.exe (command line: C:\Windows\system32\Lhjdbcef.exe, depth 70)
  PID: 2144
- C:\Windows\SysWOW64\Lkhpnnej.exe (command line: C:\Windows\system32\Lkhpnnej.exe, depth 71)
  - Modifies registry class
  PID: 2808
- C:\Windows\SysWOW64\Lodlom32.exe (command line: C:\Windows\system32\Lodlom32.exe, depth 72)
  PID: 2856
- C:\Windows\SysWOW64\Labhkh32.exe (command line: C:\Windows\system32\Labhkh32.exe, depth 73)
  PID: 604
- C:\Windows\SysWOW64\Lpeifeca.exe (command line: C:\Windows\system32\Lpeifeca.exe, depth 74)
  PID: 828
- C:\Windows\SysWOW64\Lhlqhb32.exe (command line: C:\Windows\system32\Lhlqhb32.exe, depth 75)
  - Modifies registry class
  PID: 1116
- C:\Windows\SysWOW64\Lgoacojo.exe (command line: C:\Windows\system32\Lgoacojo.exe, depth 76)
  PID: 1228
- C:\Windows\SysWOW64\Limmokib.exe (command line: C:\Windows\system32\Limmokib.exe, depth 77)
  PID: 2324
- C:\Windows\SysWOW64\Lmiipi32.exe (command line: C:\Windows\system32\Lmiipi32.exe, depth 78)
  PID: 2384
- C:\Windows\SysWOW64\Lpgele32.exe (command line: C:\Windows\system32\Lpgele32.exe, depth 79)
  PID: 1424
- C:\Windows\SysWOW64\Lbfahp32.exe (command line: C:\Windows\system32\Lbfahp32.exe, depth 80)
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 1096
- C:\Windows\SysWOW64\Lganiohl.exe (command line: C:\Windows\system32\Lganiohl.exe, depth 81)
  - Drops file in System32 directory
  PID: 2624
- C:\Windows\SysWOW64\Lkmjin32.exe (command line: C:\Windows\system32\Lkmjin32.exe, depth 82)
  PID: 1240
- C:\Windows\SysWOW64\Lipjejgp.exe (command line: C:\Windows\system32\Lipjejgp.exe, depth 83)
  PID: 1356
- C:\Windows\SysWOW64\Lmkfei32.exe (command line: C:\Windows\system32\Lmkfei32.exe, depth 84)
  PID: 2336
- C:\Windows\SysWOW64\Lpjbad32.exe (command line: C:\Windows\system32\Lpjbad32.exe, depth 85)
  PID: 2428
- C:\Windows\SysWOW64\Ldenbcge.exe (command line: C:\Windows\system32\Ldenbcge.exe, depth 86)
  PID: 1604
- C:\Windows\SysWOW64\Lchnnp32.exe (command line: C:\Windows\system32\Lchnnp32.exe, depth 87)
  PID: 2852
- C:\Windows\SysWOW64\Lgdjnofi.exe (command line: C:\Windows\system32\Lgdjnofi.exe, depth 88)
  PID: 2640
- C:\Windows\SysWOW64\Libgjj32.exe (command line: C:\Windows\system32\Libgjj32.exe, depth 89)
  - Modifies registry class
  PID: 1444
- C:\Windows\SysWOW64\Lmnbkinf.exe (command line: C:\Windows\system32\Lmnbkinf.exe, depth 90)
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 2080
- C:\Windows\SysWOW64\Llqcfe32.exe (command line: C:\Windows\system32\Llqcfe32.exe, depth 91)
  PID: 552
- C:\Windows\SysWOW64\Loooca32.exe (command line: C:\Windows\system32\Loooca32.exe, depth 92)
  PID: 3024
- C:\Windows\SysWOW64\Mcjkcplm.exe (command line: C:\Windows\system32\Mcjkcplm.exe, depth 93)
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 1040
- C:\Windows\SysWOW64\Mgfgdn32.exe (command line: C:\Windows\system32\Mgfgdn32.exe, depth 94)
  - Drops file in System32 directory
  PID: 2732
- C:\Windows\SysWOW64\Meigpkka.exe (command line: C:\Windows\system32\Meigpkka.exe, depth 95)
  PID: 624
- C:\Windows\SysWOW64\Mhgclfje.exe (command line: C:\Windows\system32\Mhgclfje.exe, depth 96)
  PID: 2700
- C:\Windows\SysWOW64\Mlcple32.exe (command line: C:\Windows\system32\Mlcple32.exe, depth 97)
  PID: 344
- C:\Windows\SysWOW64\Mpolmdkg.exe (command line: C:\Windows\system32\Mpolmdkg.exe, depth 98)
  PID: 2864
- C:\Windows\SysWOW64\Mcmhiojk.exe (command line: C:\Windows\system32\Mcmhiojk.exe, depth 99)
  PID: 2348
- C:\Windows\SysWOW64\Mekdekin.exe (command line: C:\Windows\system32\Mekdekin.exe, depth 100)
  PID: 2696
- C:\Windows\SysWOW64\Migpeiag.exe (command line: C:\Windows\system32\Migpeiag.exe, depth 101)
  PID: 2772
- C:\Windows\SysWOW64\Mlelaeqk.exe (command line: C:\Windows\system32\Mlelaeqk.exe, depth 102)
  - Modifies registry class
  PID: 2644
- C:\Windows\SysWOW64\Mkhmma32.exe (command line: C:\Windows\system32\Mkhmma32.exe, depth 103)
  PID: 2896
- C:\Windows\SysWOW64\Mochnppo.exe (command line: C:\Windows\system32\Mochnppo.exe, depth 104)
  PID: 2148
- C:\Windows\SysWOW64\Mcodno32.exe (command line: C:\Windows\system32\Mcodno32.exe, depth 105)
  PID: 568
- C:\Windows\SysWOW64\Mabejlob.exe (command line: C:\Windows\system32\Mabejlob.exe, depth 106)
  PID: 2480
- C:\Windows\SysWOW64\Mdqafgnf.exe (command line: C:\Windows\system32\Mdqafgnf.exe, depth 107)
  PID: 1460
- C:\Windows\SysWOW64\Mhlmgf32.exe (command line: C:\Windows\system32\Mhlmgf32.exe, depth 108)
  PID: 1404
- C:\Windows\SysWOW64\Mlgigdoh.exe (command line: C:\Windows\system32\Mlgigdoh.exe, depth 109)
  PID: 2316
- C:\Windows\SysWOW64\Mofecpnl.exe (command line: C:\Windows\system32\Mofecpnl.exe, depth 110)
  PID: 2664
- C:\Windows\SysWOW64\Mnieom32.exe (command line: C:\Windows\system32\Mnieom32.exe, depth 111)
  - Drops file in System32 directory
  PID: 2692
- C:\Windows\SysWOW64\Madapkmp.exe (command line: C:\Windows\system32\Madapkmp.exe, depth 112)
  PID: 1056
- C:\Windows\SysWOW64\Mdcnlglc.exe (command line: C:\Windows\system32\Mdcnlglc.exe, depth 113)
  PID: 1360
- C:\Windows\SysWOW64\Mgajhbkg.exe (command line: C:\Windows\system32\Mgajhbkg.exe, depth 114)
  PID: 2248
- C:\Windows\SysWOW64\Mkmfhacp.exe (command line: C:\Windows\system32\Mkmfhacp.exe, depth 115)
  PID: 2244
- C:\Windows\SysWOW64\Mohbip32.exe (command line: C:\Windows\system32\Mohbip32.exe, depth 116)
  PID: 2264
- C:\Windows\SysWOW64\Mnkbdlbd.exe (command line: C:\Windows\system32\Mnkbdlbd.exe, depth 117)
  PID: 2820
- C:\Windows\SysWOW64\Mpjoqhah.exe (command line: C:\Windows\system32\Mpjoqhah.exe, depth 118)
  PID: 1668
- C:\Windows\SysWOW64\Mdejaf32.exe (command line: C:\Windows\system32\Mdejaf32.exe, depth 119)
  PID: 2520
- C:\Windows\SysWOW64\Mhqfbebj.exe (command line: C:\Windows\system32\Mhqfbebj.exe, depth 120)
  - Drops file in System32 directory
  PID: 2152
- C:\Windows\SysWOW64\Mkobnqan.exe (command line: C:\Windows\system32\Mkobnqan.exe, depth 121)
  - Drops file in System32 directory
  PID: 2824
- C:\Windows\SysWOW64\Njbcim32.exe (command line: C:\Windows\system32\Njbcim32.exe, depth 122)
  PID: 2584