Analysis
max time kernel: 152s
max time network: 42s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30-10-2022 07:38
Static task: static1
Behavioral task: behavioral1
  Sample: 96d01d1cc57ce70694a365bbeaf7b2bbaf3706a00f7ff690169b57620f78129f.exe
  Resource: win7-20220812-en (windows7-x64)
  7 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: 96d01d1cc57ce70694a365bbeaf7b2bbaf3706a00f7ff690169b57620f78129f.exe
  Resource: win10v2004-20220901-en (windows10-2004-x64)
  6 signatures, 150 seconds
General
Target: 96d01d1cc57ce70694a365bbeaf7b2bbaf3706a00f7ff690169b57620f78129f.exe
Size: 101KB
MD5: 83f489416cc6460d5930176f240e2400
SHA1: 0ad5248a98036e5b250cc8971a42ab8fc62b565b
SHA256: 96d01d1cc57ce70694a365bbeaf7b2bbaf3706a00f7ff690169b57620f78129f
SHA512: 04efc8d2e81f422cbf6b57873b9f89ed9f0feab480ee11730f4a9acbd96a261d56cac630aecf69aaca0399e1a58888d54961863ba8538acdf3bb6d034c6b3fb6
SSDEEP: 3072:sD4l6PTKR5zB5n8qeraam2TLjVxOCgc0h1o:sD+6PDm2fjqCgc
Score: 10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description / ioc / Process (grouped by ioc; processes listed in the order the report gives them)

Key created  \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  Kplfhnmp.exe, Ldeilf32.exe, Cdannbob.exe, Mkdgcccf.exe, Dpqpnnfq.exe, Efcjgo32.exe, Nkoeejno.exe, Bkfnha32.exe,
  Bihepo32.exe, Fikiii32.exe, Gapqdj32.exe, Onpnge32.exe, Hjbafmph.exe, Nmbnma32.exe, Ndfbci32.exe, Kmkmfc32.exe,
  Dknfhj32.exe, Lecmbkea.exe, Gbpkci32.exe, Fkkjeidm.exe, Bpeenq32.exe, Kihcbkdb.exe, Ocqipe32.exe, Kmqnlhoe.exe,
  Agfbjb32.exe, Jqklcl32.exe, Codeflpk.exe, Hlckemnb.exe, Eblqgi32.exe, Jgajkf32.exe, Aakjqcdc.exe, Ehkjfmbl.exe,
  Dpjkhcbd.exe, Egpjkbco.exe, Ldhhjo32.exe, Kfagba32.exe, Iilcal32.exe, Icdhjbig.exe, Hpadkk32.exe  (39 entries)

Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
  Gjhempmc.exe, Chjmia32.exe, Kihcbkdb.exe, Acbnck32.exe, Facoocil.exe, Djjlln32.exe, Jflieqec.exe, Hnfkoego.exe,
  Apimpc32.exe, Ggkbbgnn.exe, Nqkijcbm.exe, Fajepb32.exe, Geqmjn32.exe, Gdkhhg32.exe, Fncdcg32.exe, Dlciagkd.exe,
  Bojnlo32.exe, Oooobe32.exe, Efefmo32.exe, Bmolgp32.exe, Binjgfjn.exe, Qbhoedgg.exe, Qbjlkdee.exe, Fpljpggk.exe,
  Cbampfqf.exe  (25 entries)
-
Executes dropped EXE 64 IoCs
pid Process (four entries per line)
1172 Pacbdk32.exe  1200 Hlkfem32.exe  1052 Ikgighhq.exe  2004 Jedcjqmg.exe
944 Kjeemg32.exe  1872 Lgoogkmf.exe  692 Mjdace32.exe  1700 Nqkijcbm.exe
804 Pjmmhjcn.exe  1216 Bojnlo32.exe  1468 Cmgechfi.exe  1464 Denidh32.exe
1788 Dmljnj32.exe  1392 Eebonkhm.exe  1000 Ghhmjicd.exe  840 Imhodjjc.exe
1812 Jilocode.exe  584 Khfeojeh.exe  1444 Kdapok32.exe  1268 Logpkg32.exe
336 Ncgbfhph.exe  1756 Oqfecqeb.exe  1880 Qpbddo32.exe  1856 Ahdoiq32.exe
616 Bpdnhbgf.exe  1116 Fpilncbb.exe  2008 Fbonkm32.exe  988 Gkqipo32.exe
1148 Hahaflol.exe  1740 Lbhbkqfq.exe  996 Mbebddjo.exe  1516 Meihlo32.exe
596 Mnfifaae.exe  1636 Nghqee32.exe  2044 Okjfni32.exe  1952 Pnbeqb32.exe
1984 Qelilpcl.exe  1728 Ekhpho32.exe  1908 Fbinfhlh.exe  1472 Faqhldom.exe
1816 Gmjegdbo.exe  1164 Globha32.exe  1364 Hiqbkikn.exe  1232 Hcifcn32.exe
1196 Hicophil.exe  1648 Hpmgmb32.exe  812 Iodqco32.exe  2020 Iagfkinl.exe
912 Iecbkh32.exe  1168 Joifna32.exe  768 Kfekpkgn.exe  1496 Knppdmdi.exe
1572 Kjinonhk.exe  1396 Kjljdn32.exe  1512 Lbpboo32.exe  1968 Nbbkcaka.exe
904 Nilcpl32.exe  1668 Nlkolg32.exe  1556 Odacmheo.exe  1316 Onjhem32.exe
1772 Pddlak32.exe  456 Bjggid32.exe  1368 Bddemi32.exe  1504 Bfcaid32.exe
-
Loads dropped DLL 64 IoCs
pid Process (32 processes; the report lists each one twice, i.e. two load events per process)
1720 96d01d1cc57ce70694a365bbeaf7b2bbaf3706a00f7ff690169b57620f78129f.exe
1172 Pacbdk32.exe  1200 Hlkfem32.exe  1052 Ikgighhq.exe  2004 Jedcjqmg.exe
944 Kjeemg32.exe  1872 Lgoogkmf.exe  692 Mjdace32.exe  1700 Nqkijcbm.exe
804 Pjmmhjcn.exe  1216 Bojnlo32.exe  1468 Cmgechfi.exe  1464 Denidh32.exe
1788 Dmljnj32.exe  1392 Eebonkhm.exe  1000 Ghhmjicd.exe  840 Imhodjjc.exe
1812 Jilocode.exe  584 Khfeojeh.exe  1444 Kdapok32.exe  1268 Logpkg32.exe
336 Ncgbfhph.exe  1756 Oqfecqeb.exe  1880 Qpbddo32.exe  1856 Ahdoiq32.exe
616 Bpdnhbgf.exe  1116 Fpilncbb.exe  2008 Fbonkm32.exe  988 Gkqipo32.exe
1148 Hahaflol.exe  1740 Lbhbkqfq.exe  996 Mbebddjo.exe
-
Drops file in System32 directory 64 IoCs
description                   ioc                                 Process
File created                  C:\Windows\SysWOW64\Pkljan32.exe    Phnnebgh.exe
File created                  C:\Windows\SysWOW64\Iejebo32.dll    Qclkih32.exe
File opened for modification  C:\Windows\SysWOW64\Gbcjab32.exe    Gcpieecd.exe
File created                  C:\Windows\SysWOW64\Pbmclf32.exe    Poogpkdo.exe
File created                  C:\Windows\SysWOW64\Qmnjmcji.exe    Qnkjaf32.exe
File created                  C:\Windows\SysWOW64\Gjpdqn32.exe    Ghahdb32.exe
File created                  C:\Windows\SysWOW64\Mgbhdfdb.exe    Mddlhkeo.exe
File created                  C:\Windows\SysWOW64\Eqimje32.dll    Mciboa32.exe
File opened for modification  C:\Windows\SysWOW64\Opmapa32.exe    Onoecf32.exe
File created                  C:\Windows\SysWOW64\Gapqdj32.exe    Gihhbm32.exe
File opened for modification  C:\Windows\SysWOW64\Miicco32.exe    Mbokgebn.exe
File opened for modification  C:\Windows\SysWOW64\Fpljpggk.exe    Fgcegapj.exe
File created                  C:\Windows\SysWOW64\Pbmmdejl.dll    Cnnalice.exe
File opened for modification  C:\Windows\SysWOW64\Nmacfj32.exe    Mnbcoobj.exe
File opened for modification  C:\Windows\SysWOW64\Aacmenfo.exe    Aoeaicgk.exe
File created                  C:\Windows\SysWOW64\Qlmchbba.dll    Bmdjdm32.exe
File opened for modification  C:\Windows\SysWOW64\Bfpnkkkj.exe    Bpeenq32.exe
File opened for modification  C:\Windows\SysWOW64\Ojikaeob.exe    Oppghp32.exe
File created                  C:\Windows\SysWOW64\Fnbcdl32.dll    Jcpklief.exe
File opened for modification  C:\Windows\SysWOW64\Boidkm32.exe    Bgamjo32.exe
File created                  C:\Windows\SysWOW64\Boecqaac.dll    Iblhkp32.exe
File opened for modification  C:\Windows\SysWOW64\Adlild32.exe    Qjahnoao.exe
File opened for modification  C:\Windows\SysWOW64\Ahpdqq32.exe    Apimpc32.exe
File created                  C:\Windows\SysWOW64\Gbamlbla.exe    Gcnmpe32.exe
File created                  C:\Windows\SysWOW64\Gkokakbk.dll    Npqkim32.exe
File created                  C:\Windows\SysWOW64\Eaeedjdc.dll    Heqkbj32.exe
File created                  C:\Windows\SysWOW64\Elnqebgl.dll    Miiqkfbg.exe
File created                  C:\Windows\SysWOW64\Phaaam32.dll    Qkpcnj32.exe
File created                  C:\Windows\SysWOW64\Nlhknm32.dll    Fbonkm32.exe
File opened for modification  C:\Windows\SysWOW64\Caannjbp.exe    Cncbao32.exe
File opened for modification  C:\Windows\SysWOW64\Kamcof32.exe    Kbjbdild.exe
File opened for modification  C:\Windows\SysWOW64\Nojompod.exe    Nccnho32.exe
File opened for modification  C:\Windows\SysWOW64\Djmmck32.exe    Deaabliq.exe
File created                  C:\Windows\SysWOW64\Bdihka32.dll    Icdhjbig.exe
File created                  C:\Windows\SysWOW64\Pbcdgeia.dll    Mejccjpi.exe
File created                  C:\Windows\SysWOW64\Icigobgj.exe    Hqkkcghf.exe
File opened for modification  C:\Windows\SysWOW64\Hfnjkikl.exe    Hcononli.exe
File created                  C:\Windows\SysWOW64\Gijcpclj.exe    Gglgchmf.exe
File created                  C:\Windows\SysWOW64\Edpqjg32.exe    Ebadnl32.exe
File created                  C:\Windows\SysWOW64\Ekdljedk.exe    Eifpnjeh.exe
File created                  C:\Windows\SysWOW64\Bbfhhhpb.dll    Oogjef32.exe
File created                  C:\Windows\SysWOW64\Ljofhe32.dll    Baikboab.exe
File opened for modification  C:\Windows\SysWOW64\Meihlo32.exe    Mbebddjo.exe
File opened for modification  C:\Windows\SysWOW64\Mnfifaae.exe    Meihlo32.exe
File opened for modification  C:\Windows\SysWOW64\Hicophil.exe    Hcifcn32.exe
File created                  C:\Windows\SysWOW64\Lgcqgq32.exe    Jjodnili.exe
File created                  C:\Windows\SysWOW64\Jcemfk32.dll    Lomjookf.exe
File opened for modification  C:\Windows\SysWOW64\Cncphj32.exe    Ckeclo32.exe
File created                  C:\Windows\SysWOW64\Pidiaaeb.dll    Jokioc32.exe
File opened for modification  C:\Windows\SysWOW64\Olefdg32.exe    Ocnocj32.exe
File created                  C:\Windows\SysWOW64\Coddpo32.dll    Dffooiac.exe
File created                  C:\Windows\SysWOW64\Ihdmcffp.dll    Bgmombei.exe
File created                  C:\Windows\SysWOW64\Iaghochf.dll    Bfgngm32.exe
File opened for modification  C:\Windows\SysWOW64\Kingim32.exe    Jbcolc32.exe
File created                  C:\Windows\SysWOW64\Coalckfh.dll    Kihcbkdb.exe
File created                  C:\Windows\SysWOW64\Lhflhf32.dll    Bpnhck32.exe
File opened for modification  C:\Windows\SysWOW64\Ahdoiq32.exe    Qpbddo32.exe
File opened for modification  C:\Windows\SysWOW64\Lhaemefl.exe    Ldeilf32.exe
File opened for modification  C:\Windows\SysWOW64\Gogkhj32.exe    Gpdklncg.exe
File created                  C:\Windows\SysWOW64\Mokege32.exe    Mhqljk32.exe
File created                  C:\Windows\SysWOW64\Mflpjb32.exe    Mejccjpi.exe
File created                  C:\Windows\SysWOW64\Pfanpcac.exe    Pcbbdhbp.exe
File opened for modification  C:\Windows\SysWOW64\Facoocil.exe    Fnebcgjh.exe
File opened for modification  C:\Windows\SysWOW64\Moklak32.exe    Mmjoicaj.exe
-
Program crash 1 IoCs
pid   pid_target  Process       procid_target
3616  3624        WerFault.exe  863
-
Modifies registry class 64 IoCs
description / ioc / Process (grouped by ioc; every entry is under the same CLSID as the ShellServiceObjectDelayLoad value above, so this is the in-process COM server that CLSID resolves to; processes listed in the order the report gives them)

Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
  Kdapok32.exe, Mlgmgaak.exe, Igfadb32.exe, Naocao32.exe, Joikob32.exe, Ccnkka32.exe, Gogkhj32.exe, Nkdbafgo.exe,
  Efmaoknf.exe, Ikgkbmjf.exe, Kjcfaooj.exe, Kmabmjnn.exe, Aogbqpap.exe, Dbjldd32.exe, Adlild32.exe, Pdlohb32.exe,
  Lkildfac.exe, Kpigiego.exe, Kmcjah32.exe, Ocfiej32.exe, Kjhffdoq.exe, Hpdjdj32.exe, Kkaogd32.exe  (23 entries)

Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
  Bmdjdm32.exe, Mdeqildg.exe, Dplhnc32.exe, Mibipg32.exe, Cajbni32.exe, Kjinonhk.exe, Feomijhi.exe, Jijfaldg.exe,
  Kahbjqch.exe, Oegfhb32.exe, Gekaff32.exe, Kjbaompb.exe, Lgocehlg.exe, Igkkpafe.exe, Gnmjbojb.exe, Edibdahh.exe,
  Idoipm32.exe, Dmmclm32.exe, Ndfbci32.exe, Pkngfn32.exe, Hpmmid32.exe, Ehkjfmbl.exe, Eqindh32.exe, Ebodgo32.exe,
  Dipcli32.exe  (25 entries)

Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "<dll>"
  (the trailing backslash denotes the key's default value, i.e. the DLL COM will load for this CLSID; each process points it at a different dropped DLL)
  "C:\\Windows\\SysWow64\\Fonimmjh.dll"  Fabeldnl.exe
  "C:\\Windows\\SysWow64\\Qeggdg32.dll"  Dplhnc32.exe
  "C:\\Windows\\SysWow64\\Gkpcgd32.dll"  Jeealmfh.exe
  "C:\\Windows\\SysWow64\\Gnmjmp32.dll"  Pkbalmaf.exe
  "C:\\Windows\\SysWow64\\Knaiei32.dll"  Apimpc32.exe
  "C:\\Windows\\SysWow64\\Cobcpg32.dll"  Pjpabdhj.exe
  "C:\\Windows\\SysWow64\\Jijlgbmf.dll"  Aiidmc32.exe
  "C:\\Windows\\SysWow64\\Jjlqpiib.dll"  Jbqneb32.exe
  "C:\\Windows\\SysWow64\\Dkahnllp.dll"  Blfalk32.exe
  "C:\\Windows\\SysWow64\\Nkkobg32.dll"  Pmjbll32.exe
  "C:\\Windows\\SysWow64\\Dbakfi32.dll"  Jpkeif32.exe
  "C:\\Windows\\SysWow64\\Oiliebpq.dll"  Odacmheo.exe
  "C:\\Windows\\SysWow64\\Aglekf32.dll"  Edibdahh.exe
  "C:\\Windows\\SysWow64\\Aphfpjcg.dll"  Ajnaml32.exe
  "C:\\Windows\\SysWow64\\Jggold32.dll"  Gapqdj32.exe
  "C:\\Windows\\SysWow64\\Oifqig32.dll"  Gjpdqn32.exe
  (16 entries)
-
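Worked example, added here; it is not part of the sandbox report and not code from the sample. The two registry signatures above fit together: at logon Explorer reads every value under ShellServiceObjectDelayLoad, treats its data as a CLSID and instantiates it, so the DLL named by that CLSID's InProcServer32 default value ends up loaded into explorer.exe with no Run key involved. The Python below joins the two halves over a list of registry "set value" events (the shape Sysmon Event ID 13 produces) and flags SSODL entries whose server DLL is not in a baseline. The events are constructed: three copy the value name, CLSID and one server DLL from the tables above, the other two are a synthetic benign entry with a made-up GUID. The baseline set is an example and has to be built from a clean reference image before use.

```python
"""Correlate SSODL value writes with CLSID\\InProcServer32 registrations (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Value written under ...\ShellServiceObjectDelayLoad\<name>; <name> is the SSODL entry.
SSODL_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# Value written under ...\CLSID\{guid}\InProcServer32\<value>.
INPROC_RE = re.compile(
    r"\\CLSID\\(?P<clsid>\{[0-9A-F-]{36}\})\\InProcServer32\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)


@dataclass
class RegEvent:
    """One registry 'set value' event in the shape Sysmon Event ID 13 reports."""
    process: str  # image that performed the write
    target: str   # full path of the value written
    data: str     # data written


@dataclass
class SsodlFinding:
    name: str                              # SSODL value name, e.g. "Web Event Logger"
    clsid: str
    writer: str                            # process that wrote the SSODL value
    dll: Optional[str] = None              # InProcServer32 (Default), if registered
    threading_model: Optional[str] = None
    registrar: Optional[str] = None        # process that registered the InProcServer32


def correlate_ssodl(events: List[RegEvent]) -> List[SsodlFinding]:
    """Join each SSODL value write with the InProcServer32 registration for its CLSID."""
    inproc: Dict[str, dict] = {}
    findings: List[SsodlFinding] = []
    for ev in events:
        m = INPROC_RE.search(ev.target)
        if m:
            entry = inproc.setdefault(m["clsid"].upper(), {})
            value = m["value"].lower()
            if value == "(default)":
                entry["dll"] = ev.data
                entry["registrar"] = ev.process
            elif value == "threadingmodel":
                entry["threading"] = ev.data
            continue
        m = SSODL_RE.search(ev.target)
        if m:
            findings.append(SsodlFinding(m["name"], ev.data.strip().upper(), ev.process))
    # Resolve after the loop so the order of SSODL write vs. CLSID registration does not matter.
    for f in findings:
        info = inproc.get(f.clsid, {})
        f.dll = info.get("dll")
        f.threading_model = info.get("threading")
        f.registrar = info.get("registrar")
    return findings


# Constructed baseline of server DLLs an SSODL entry may load. Example only, not an
# authoritative inventory: derive the real list from a clean reference image.
BASELINE_DLLS = {"webcheck.dll"}


def why_suspicious(f: SsodlFinding) -> Optional[str]:
    """Return a reason string when the finding merits triage, else None."""
    if f.dll is None:
        return "SSODL entry points at a CLSID with no InProcServer32 registration seen"
    dll_name = f.dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if dll_name not in BASELINE_DLLS:
        return f"server DLL {f.dll} not in baseline (registered by {f.registrar})"
    return None


# Constructed events. The first three copy the value name, CLSID and one server DLL from
# the report's tables; the last two are a synthetic benign entry with a made-up GUID.
SAMPLE_EVENTS = [
    RegEvent("Gjhempmc.exe",
             r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger",
             "{79FEACFF-FFCE-815E-A900-316290B5B738}"),
    RegEvent("Fabeldnl.exe",
             r"HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel",
             "Apartment"),
    RegEvent("Fabeldnl.exe",
             r"HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\(Default)",
             r"C:\Windows\SysWow64\Fonimmjh.dll"),
    RegEvent("msiexec.exe",
             r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck",
             "{11111111-2222-3333-4444-555555555555}"),
    RegEvent("msiexec.exe",
             r"HKLM\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32\(Default)",
             r"C:\Windows\System32\webcheck.dll"),
]


def triage(events: List[RegEvent]) -> List[tuple]:
    """Return (SSODL name, server DLL, reason) for every suspicious SSODL registration."""
    return [(f.name, f.dll, why_suspicious(f))
            for f in correlate_ssodl(events) if why_suspicious(f)]


if __name__ == "__main__":
    for name, dll, reason in triage(SAMPLE_EVENTS):
        print(f"[!] SSODL '{name}' -> {dll}: {reason}")
```

Run against the constructed events this reports only the "Web Event Logger" entry, resolved to Fonimmjh.dll under SysWow64. On a live host the same join can be fed from the 32-bit (Wow6432Node) and 64-bit hives: Explorer on x64 is a 64-bit process and reads the 64-bit view, so an entry that exists only under Wow6432Node will be picked up by 32-bit shell components rather than explorer.exe itself, which is worth checking when deciding what actually loaded the DLL.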
Suspicious use of WriteProcessMemory 64 IoCs
description / pid / Process / procid_target (the report records each of the 16 parent-to-child writes below four times, giving 64 entries)
PID 1720 (96d01d1cc57ce70694a365bbeaf7b2bbaf3706a00f7ff690169b57620f78129f.exe) wrote to memory of 1172  procid_target 26
PID 1172 (Pacbdk32.exe) wrote to memory of 1200  procid_target 27
PID 1200 (Hlkfem32.exe) wrote to memory of 1052  procid_target 28
PID 1052 (Ikgighhq.exe) wrote to memory of 2004  procid_target 29
PID 2004 (Jedcjqmg.exe) wrote to memory of 944   procid_target 30
PID 944 (Kjeemg32.exe) wrote to memory of 1872   procid_target 31
PID 1872 (Lgoogkmf.exe) wrote to memory of 692   procid_target 32
PID 692 (Mjdace32.exe) wrote to memory of 1700   procid_target 33
PID 1700 (Nqkijcbm.exe) wrote to memory of 804   procid_target 34
PID 804 (Pjmmhjcn.exe) wrote to memory of 1216   procid_target 35
PID 1216 (Bojnlo32.exe) wrote to memory of 1468  procid_target 36
PID 1468 (Cmgechfi.exe) wrote to memory of 1464  procid_target 37
PID 1464 (Denidh32.exe) wrote to memory of 1788  procid_target 38
PID 1788 (Dmljnj32.exe) wrote to memory of 1392  procid_target 39
PID 1392 (Eebonkhm.exe) wrote to memory of 1000  procid_target 40
PID 1000 (Ghhmjicd.exe) wrote to memory of 840   procid_target 41
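Worked example, added here and not part of the report. The WriteProcessMemory table repeats every parent-to-child write four times and the "Executes dropped EXE" table lists pids without their parents, so the chain is easier to read once the records are deduplicated and walked from the sample's pid. The Python below parses a constructed excerpt of both tables (the four-fold repetition is kept exactly as the report has it), rebuilds the parent-to-child chain, labels each pid with its image, and reports any pid that wrote into more than one child, which would break the one-child-per-process pattern this sample shows. The forked input in the test is synthetic.

```python
"""Rebuild the spawn chain from a sandbox 'wrote to memory of' table (added example)."""
import re
from typing import Dict, List, Tuple

# One record: "PID <src> wrote to memory of <dst> <src> <src image> <procid_target>"
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<procid>\d+)"
)
# One record of the 'Executes dropped EXE' table: "<pid> <image>"
PID_IMAGE_RE = re.compile(r"(\d+) (\S+\.exe)")

# Constructed excerpt of the report's table: its first four edges, each present four times as
# in the report (records are space-separated there; newlines are used here for readability).
SAMPLE_WPM = """
PID 1720 wrote to memory of 1172 1720 96d01d1cc57ce70694a365bbeaf7b2bbaf3706a00f7ff690169b57620f78129f.exe 26
PID 1720 wrote to memory of 1172 1720 96d01d1cc57ce70694a365bbeaf7b2bbaf3706a00f7ff690169b57620f78129f.exe 26
PID 1720 wrote to memory of 1172 1720 96d01d1cc57ce70694a365bbeaf7b2bbaf3706a00f7ff690169b57620f78129f.exe 26
PID 1720 wrote to memory of 1172 1720 96d01d1cc57ce70694a365bbeaf7b2bbaf3706a00f7ff690169b57620f78129f.exe 26
PID 1172 wrote to memory of 1200 1172 Pacbdk32.exe 27
PID 1172 wrote to memory of 1200 1172 Pacbdk32.exe 27
PID 1172 wrote to memory of 1200 1172 Pacbdk32.exe 27
PID 1172 wrote to memory of 1200 1172 Pacbdk32.exe 27
PID 1200 wrote to memory of 1052 1200 Hlkfem32.exe 28
PID 1200 wrote to memory of 1052 1200 Hlkfem32.exe 28
PID 1200 wrote to memory of 1052 1200 Hlkfem32.exe 28
PID 1200 wrote to memory of 1052 1200 Hlkfem32.exe 28
PID 1052 wrote to memory of 2004 1052 Ikgighhq.exe 29
PID 1052 wrote to memory of 2004 1052 Ikgighhq.exe 29
PID 1052 wrote to memory of 2004 1052 Ikgighhq.exe 29
PID 1052 wrote to memory of 2004 1052 Ikgighhq.exe 29
"""
# Constructed excerpt of the 'Executes dropped EXE' table.
SAMPLE_EXE = "1172 Pacbdk32.exe 1200 Hlkfem32.exe 1052 Ikgighhq.exe 2004 Jedcjqmg.exe"

Edge = Tuple[int, int, str]  # (src pid, dst pid, src image)


def parse_edges(text: str) -> List[Edge]:
    """Collapse the repeated records into one edge per (src, dst) pair, in first-seen order."""
    seen: Dict[Tuple[int, int], str] = {}
    for m in WPM_RE.finditer(text):
        seen.setdefault((int(m["src"]), int(m["dst"])), m["image"])
    return [(src, dst, image) for (src, dst), image in seen.items()]


def children_map(edges: List[Edge]) -> Dict[int, List[int]]:
    """Parent pid -> list of child pids it wrote into."""
    kids: Dict[int, List[int]] = {}
    for src, dst, _ in edges:
        kids.setdefault(src, []).append(dst)
    return kids


def spawn_chain(edges: List[Edge], root: int) -> List[int]:
    """Walk from root while each pid has exactly one child; stop at a leaf, a fork or a cycle."""
    kids = children_map(edges)
    chain = [root]
    while True:
        nxt = kids.get(chain[-1], [])
        if len(nxt) != 1 or nxt[0] in chain:
            return chain
        chain.append(nxt[0])


def forks(edges: List[Edge]) -> Dict[int, List[int]]:
    """Pids that wrote into more than one child; empty for a strictly linear dropper chain."""
    return {pid: kids for pid, kids in children_map(edges).items() if len(kids) > 1}


def label_chain(chain: List[int], edges: List[Edge], exe_table: str) -> List[str]:
    """Attach image names: parents come from the edge records, the last child from the EXE table."""
    names = {src: image for src, _, image in edges}
    names.update((int(pid), image) for pid, image in PID_IMAGE_RE.findall(exe_table))
    return [f"{pid} {names.get(pid, '?')}" for pid in chain]


if __name__ == "__main__":
    edges = parse_edges(SAMPLE_WPM)
    for line in label_chain(spawn_chain(edges, 1720), edges, SAMPLE_EXE):
        print(line)
    print("forks:", forks(edges) or "none")
```

Pointed at the full table the walk reproduces the process tree below (1720, 1172, 1200, 1052, 2004, 944, ...); the tree on the page is the same data presented top-down, so the two views can be checked against each other when a report is truncated, as this one is after the 64th entry.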
Processes
-
Each entry below is the child of the one before it (the report's depth number is kept). Image paths are under C:\Windows\SysWOW64\ while the recorded command lines say C:\Windows\system32\: the dropped executables are 32-bit (the resource is tagged arch:x86), and on this x64 image WoW64 file-system redirection maps their system32 paths to SysWOW64, so the "Drops file in System32 directory" IoCs above land in SysWOW64 as well.

1  C:\Users\Admin\AppData\Local\Temp\96d01d1cc57ce70694a365bbeaf7b2bbaf3706a00f7ff690169b57620f78129f.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\96d01d1cc57ce70694a365bbeaf7b2bbaf3706a00f7ff690169b57620f78129f.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1720
2  C:\Windows\SysWOW64\Pacbdk32.exe
   command line: C:\Windows\system32\Pacbdk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1172
3  C:\Windows\SysWOW64\Hlkfem32.exe
   command line: C:\Windows\system32\Hlkfem32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1200
4  C:\Windows\SysWOW64\Ikgighhq.exe
   command line: C:\Windows\system32\Ikgighhq.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1052
5  C:\Windows\SysWOW64\Jedcjqmg.exe
   command line: C:\Windows\system32\Jedcjqmg.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2004
6  C:\Windows\SysWOW64\Kjeemg32.exe
   command line: C:\Windows\system32\Kjeemg32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 944
7  C:\Windows\SysWOW64\Lgoogkmf.exe
   command line: C:\Windows\system32\Lgoogkmf.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1872
8  C:\Windows\SysWOW64\Mjdace32.exe
   command line: C:\Windows\system32\Mjdace32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 692
9  C:\Windows\SysWOW64\Nqkijcbm.exe
   command line: C:\Windows\system32\Nqkijcbm.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1700
10 C:\Windows\SysWOW64\Pjmmhjcn.exe
   command line: C:\Windows\system32\Pjmmhjcn.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 804
11 C:\Windows\SysWOW64\Bojnlo32.exe
   command line: C:\Windows\system32\Bojnlo32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1216
12 C:\Windows\SysWOW64\Cmgechfi.exe
   command line: C:\Windows\system32\Cmgechfi.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1468
13 C:\Windows\SysWOW64\Denidh32.exe
   command line: C:\Windows\system32\Denidh32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1464
14 C:\Windows\SysWOW64\Dmljnj32.exe
   command line: C:\Windows\system32\Dmljnj32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1788
15 C:\Windows\SysWOW64\Eebonkhm.exe
   command line: C:\Windows\system32\Eebonkhm.exe
   - Executes dropped EXE
   - Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\Ghhmjicd.exeC:\Windows\system32\Ghhmjicd.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1000 -
C:\Windows\SysWOW64\Imhodjjc.exeC:\Windows\system32\Imhodjjc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:840 -
C:\Windows\SysWOW64\Jilocode.exeC:\Windows\system32\Jilocode.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1812 -
C:\Windows\SysWOW64\Khfeojeh.exeC:\Windows\system32\Khfeojeh.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:584 -
C:\Windows\SysWOW64\Kdapok32.exeC:\Windows\system32\Kdapok32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1444 -
C:\Windows\SysWOW64\Logpkg32.exeC:\Windows\system32\Logpkg32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1268 -
C:\Windows\SysWOW64\Ncgbfhph.exeC:\Windows\system32\Ncgbfhph.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:336 -
C:\Windows\SysWOW64\Oqfecqeb.exeC:\Windows\system32\Oqfecqeb.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1756 -
C:\Windows\SysWOW64\Qpbddo32.exeC:\Windows\system32\Qpbddo32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1880 -
C:\Windows\SysWOW64\Ahdoiq32.exeC:\Windows\system32\Ahdoiq32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1856 -
C:\Windows\SysWOW64\Bpdnhbgf.exeC:\Windows\system32\Bpdnhbgf.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:616 -
C:\Windows\SysWOW64\Fpilncbb.exeC:\Windows\system32\Fpilncbb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1116 -
C:\Windows\SysWOW64\Fbonkm32.exeC:\Windows\system32\Fbonkm32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\Gkqipo32.exeC:\Windows\system32\Gkqipo32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:988 -
C:\Windows\SysWOW64\Hahaflol.exeC:\Windows\system32\Hahaflol.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1148 -
C:\Windows\SysWOW64\Lbhbkqfq.exeC:\Windows\system32\Lbhbkqfq.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Mbebddjo.exeC:\Windows\system32\Mbebddjo.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:996 -
C:\Windows\SysWOW64\Meihlo32.exeC:\Windows\system32\Meihlo32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1516 -
C:\Windows\SysWOW64\Mnfifaae.exeC:\Windows\system32\Mnfifaae.exe34⤵
- Executes dropped EXE
PID:596 -
C:\Windows\SysWOW64\Nghqee32.exeC:\Windows\system32\Nghqee32.exe35⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Okjfni32.exeC:\Windows\system32\Okjfni32.exe36⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Pnbeqb32.exeC:\Windows\system32\Pnbeqb32.exe37⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Qelilpcl.exeC:\Windows\system32\Qelilpcl.exe38⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Ekhpho32.exeC:\Windows\system32\Ekhpho32.exe39⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Fbinfhlh.exeC:\Windows\system32\Fbinfhlh.exe40⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Faqhldom.exeC:\Windows\system32\Faqhldom.exe41⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Gmjegdbo.exeC:\Windows\system32\Gmjegdbo.exe42⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Globha32.exeC:\Windows\system32\Globha32.exe43⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Hiqbkikn.exeC:\Windows\system32\Hiqbkikn.exe44⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Hcifcn32.exeC:\Windows\system32\Hcifcn32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1232 -
C:\Windows\SysWOW64\Hicophil.exeC:\Windows\system32\Hicophil.exe46⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Hpmgmb32.exeC:\Windows\system32\Hpmgmb32.exe47⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Iodqco32.exeC:\Windows\system32\Iodqco32.exe48⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Iagfkinl.exeC:\Windows\system32\Iagfkinl.exe49⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Iecbkh32.exeC:\Windows\system32\Iecbkh32.exe50⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Joifna32.exeC:\Windows\system32\Joifna32.exe51⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Kfekpkgn.exeC:\Windows\system32\Kfekpkgn.exe52⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Knppdmdi.exeC:\Windows\system32\Knppdmdi.exe53⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Kjinonhk.exeC:\Windows\system32\Kjinonhk.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Kjljdn32.exeC:\Windows\system32\Kjljdn32.exe55⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Lbpboo32.exeC:\Windows\system32\Lbpboo32.exe56⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Nbbkcaka.exeC:\Windows\system32\Nbbkcaka.exe57⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Nilcpl32.exeC:\Windows\system32\Nilcpl32.exe58⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Nlkolg32.exeC:\Windows\system32\Nlkolg32.exe59⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Odacmheo.exeC:\Windows\system32\Odacmheo.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Onjhem32.exeC:\Windows\system32\Onjhem32.exe61⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Pddlak32.exeC:\Windows\system32\Pddlak32.exe62⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Bjggid32.exeC:\Windows\system32\Bjggid32.exe63⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Bddemi32.exeC:\Windows\system32\Bddemi32.exe64⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Bfcaid32.exeC:\Windows\system32\Bfcaid32.exe65⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Cihdfo32.exeC:\Windows\system32\Cihdfo32.exe66⤵PID:1388
-
C:\Windows\SysWOW64\Clgpbj32.exeC:\Windows\system32\Clgpbj32.exe67⤵PID:752
-
C:\Windows\SysWOW64\Cmjiobnm.exeC:\Windows\system32\Cmjiobnm.exe68⤵PID:828
-
C:\Windows\SysWOW64\Dcnhhhfl.exeC:\Windows\system32\Dcnhhhfl.exe69⤵PID:2036
-
C:\Windows\SysWOW64\Dknfhj32.exeC:\Windows\system32\Dknfhj32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:240 -
C:\Windows\SysWOW64\Enchdd32.exeC:\Windows\system32\Enchdd32.exe71⤵PID:1180
-
C:\Windows\SysWOW64\Fncdcg32.exeC:\Windows\system32\Fncdcg32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1576 -
C:\Windows\SysWOW64\Gcefgnek.exeC:\Windows\system32\Gcefgnek.exe73⤵PID:1584
-
C:\Windows\SysWOW64\Gmmkpcll.exeC:\Windows\system32\Gmmkpcll.exe74⤵PID:1752
-
C:\Windows\SysWOW64\Gppqgn32.exeC:\Windows\system32\Gppqgn32.exe75⤵PID:744
-
C:\Windows\SysWOW64\Ihgego32.exeC:\Windows\system32\Ihgego32.exe76⤵PID:1720
-
C:\Windows\SysWOW64\Ihedqb32.exeC:\Windows\system32\Ihedqb32.exe77⤵PID:1736
-
C:\Windows\SysWOW64\Jjodnili.exeC:\Windows\system32\Jjodnili.exe78⤵
- Drops file in System32 directory
PID:1932 -
C:\Windows\SysWOW64\Lgcqgq32.exeC:\Windows\system32\Lgcqgq32.exe79⤵PID:1748
-
C:\Windows\SysWOW64\Lghjbpii.exeC:\Windows\system32\Lghjbpii.exe80⤵PID:1200
-
C:\Windows\SysWOW64\Mibipg32.exeC:\Windows\system32\Mibipg32.exe81⤵
- Modifies registry class
PID:836 -
C:\Windows\SysWOW64\Oocgbp32.exeC:\Windows\system32\Oocgbp32.exe82⤵PID:2004
-
C:\Windows\SysWOW64\Oofdgp32.exeC:\Windows\system32\Oofdgp32.exe83⤵PID:2040
-
C:\Windows\SysWOW64\Onnnnl32.exeC:\Windows\system32\Onnnnl32.exe84⤵PID:1988
-
C:\Windows\SysWOW64\Pnbgikqh.exeC:\Windows\system32\Pnbgikqh.exe85⤵PID:1708
-
C:\Windows\SysWOW64\Ppqcegpk.exeC:\Windows\system32\Ppqcegpk.exe86⤵PID:1468
-
C:\Windows\SysWOW64\Pohmlcbq.exeC:\Windows\system32\Pohmlcbq.exe87⤵PID:1464
-
C:\Windows\SysWOW64\Andpnn32.exeC:\Windows\system32\Andpnn32.exe88⤵PID:568
-
C:\Windows\SysWOW64\Aqcljj32.exeC:\Windows\system32\Aqcljj32.exe89⤵PID:1532
-
C:\Windows\SysWOW64\Agoalc32.exeC:\Windows\system32\Agoalc32.exe90⤵PID:560
-
C:\Windows\SysWOW64\Amqcpjpp.exeC:\Windows\system32\Amqcpjpp.exe91⤵PID:1460
-
C:\Windows\SysWOW64\Bijqjjcb.exeC:\Windows\system32\Bijqjjcb.exe92⤵PID:1188
-
C:\Windows\SysWOW64\Blhmffbe.exeC:\Windows\system32\Blhmffbe.exe93⤵PID:1616
-
C:\Windows\SysWOW64\Ciljomdk.exeC:\Windows\system32\Ciljomdk.exe94⤵PID:1872
-
C:\Windows\SysWOW64\Dlciagkd.exeC:\Windows\system32\Dlciagkd.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1444 -
C:\Windows\SysWOW64\Dkfimd32.exeC:\Windows\system32\Dkfimd32.exe96⤵PID:1312
-
C:\Windows\SysWOW64\Dmeeipab.exeC:\Windows\system32\Dmeeipab.exe97⤵PID:1060
-
C:\Windows\SysWOW64\Ecpjbd32.exeC:\Windows\system32\Ecpjbd32.exe98⤵PID:1776
-
C:\Windows\SysWOW64\Efnfnp32.exeC:\Windows\system32\Efnfnp32.exe99⤵PID:1948
-
C:\Windows\SysWOW64\Elhnkjij.exeC:\Windows\system32\Elhnkjij.exe100⤵PID:1268
-
C:\Windows\SysWOW64\Fofkgfin.exeC:\Windows\system32\Fofkgfin.exe101⤵PID:1880
-
C:\Windows\SysWOW64\Fkbegfjl.exeC:\Windows\system32\Fkbegfjl.exe102⤵PID:960
-
C:\Windows\SysWOW64\Fqajem32.exeC:\Windows\system32\Fqajem32.exe103⤵PID:336
-
C:\Windows\SysWOW64\Ggkbbgnn.exeC:\Windows\system32\Ggkbbgnn.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1000 -
C:\Windows\SysWOW64\Gfblhcqc.exeC:\Windows\system32\Gfblhcqc.exe105⤵PID:840
-
C:\Windows\SysWOW64\Hcobpk32.exeC:\Windows\system32\Hcobpk32.exe106⤵PID:628
-
C:\Windows\SysWOW64\Hlamem32.exeC:\Windows\system32\Hlamem32.exe107⤵PID:1812
-
C:\Windows\SysWOW64\Iienoanm.exeC:\Windows\system32\Iienoanm.exe108⤵PID:1672
-
C:\Windows\SysWOW64\Ihmgem32.exeC:\Windows\system32\Ihmgem32.exe109⤵PID:1856
-
C:\Windows\SysWOW64\Iknqghnc.exeC:\Windows\system32\Iknqghnc.exe110⤵PID:1780
-
C:\Windows\SysWOW64\Jcpklief.exeC:\Windows\system32\Jcpklief.exe111⤵
- Drops file in System32 directory
PID:576 -
C:\Windows\SysWOW64\Nehoiela.exeC:\Windows\system32\Nehoiela.exe112⤵PID:2008
-
C:\Windows\SysWOW64\Poeilm32.exeC:\Windows\system32\Poeilm32.exe113⤵PID:2028
-
C:\Windows\SysWOW64\Peobighd.exeC:\Windows\system32\Peobighd.exe114⤵PID:1756
-
C:\Windows\SysWOW64\Phnnebgh.exeC:\Windows\system32\Phnnebgh.exe115⤵
- Drops file in System32 directory
PID:584 -
C:\Windows\SysWOW64\Pkljan32.exeC:\Windows\system32\Pkljan32.exe116⤵PID:696
-
C:\Windows\SysWOW64\Pnjfmi32.exeC:\Windows\system32\Pnjfmi32.exe117⤵PID:1992
-
C:\Windows\SysWOW64\Ppibie32.exeC:\Windows\system32\Ppibie32.exe118⤵PID:1304
-
C:\Windows\SysWOW64\Phpkjb32.exeC:\Windows\system32\Phpkjb32.exe119⤵PID:2052
-
C:\Windows\SysWOW64\Pkngfn32.exeC:\Windows\system32\Pkngfn32.exe120⤵
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Qpmlddqn.exeC:\Windows\system32\Qpmlddqn.exe121⤵PID:2068
-
C:\Windows\SysWOW64\Aklfpa32.exeC:\Windows\system32\Aklfpa32.exe122⤵PID:2076