Analysis
-
max time kernel
142s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
25-06-2024 22:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
70304514ea5bd55d20c16ce0e8adb6cc9c69361e9292d41a9a28ccb460c0636c.exe
Resource
win7-20240419-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
70304514ea5bd55d20c16ce0e8adb6cc9c69361e9292d41a9a28ccb460c0636c.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
70304514ea5bd55d20c16ce0e8adb6cc9c69361e9292d41a9a28ccb460c0636c.exe
-
Size
55KB
-
MD5
cd556d708e2d3769769efcb435af27a1
-
SHA1
87460e2f8d15ad0b110483bab3e6e3224d97a95c
-
SHA256
70304514ea5bd55d20c16ce0e8adb6cc9c69361e9292d41a9a28ccb460c0636c
-
SHA512
393aa76a8ab7867989b4971eb438433500c9fc5deaa559b988d533d40b20e08502190a787a41ebb96b8933607aaa631b1fabc4c60f21acd0f8a5c9f99c909146
-
SSDEEP
1536:Fi+vOtolxjc8qGXKiflSCu3Mvx18g2aNSoNSd0A3shxD6:Fi8O+bjbTa8lP3vj2aNXNW0A8hh
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eajaoq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egdilkbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhkpmjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfflopdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piehkkcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qagcpljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njkfpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojkboo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adhlaggp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hckcmjep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 70304514ea5bd55d20c16ce0e8adb6cc9c69361e9292d41a9a28ccb460c0636c.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jegble32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmkfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qljkhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hicodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifkojiim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndjdlffl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plfamfpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahjpbad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpeifeca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfmmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgknheej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfflopdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahokfj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnpmipql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cobbhfhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjanolhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgfgdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlcple32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epfhbign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbdnoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnbjopoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnlidb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhjgal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Henidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iclcnnji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koocdnai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beehencq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlhnbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiomkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkjica32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Magnek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcfcmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aepojo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bokphdld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kegnkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Midcpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Menakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fckjalhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feeiob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iknnbklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhhcgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfkkimlh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Comimg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efncicpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbhbom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmafennb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaqcoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paejki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bghabf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgknheej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bagpopmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddagfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnpnndgp.exe -
Executes dropped EXE 64 IoCs
pid Process 1928 Imnafd32.exe 2612 Iqljlb32.exe 2560 Ifhbdj32.exe 2728 Iigoqe32.exe 2376 Iclcnnji.exe 2624 Ifkojiim.exe 904 Ikggbpgd.exe 2640 Infdolgh.exe 852 Jilhldfn.exe 2148 Jnhqdkde.exe 2240 Jebiaelb.exe 2344 Jklanp32.exe 2028 Jbfijjkl.exe 2644 Jcgfbb32.exe 1864 Jjanolhg.exe 492 Jegble32.exe 1400 Jgenhp32.exe 272 Jnofejom.exe 396 Jancafna.exe 3036 Jclomamd.exe 1856 Jfkkimlh.exe 1240 Jmdcfg32.exe 1576 Kcolba32.exe 744 Kjhdokbo.exe 3004 Kikdkh32.exe 868 Kljqgc32.exe 2100 Kcahhq32.exe 1636 Kebepion.exe 2656 Knjiin32.exe 2460 Kfaajlfp.exe 2872 Klnjbbdh.exe 2440 Kbhbom32.exe 2484 Kegnkh32.exe 1596 Kjcgco32.exe 2772 Koocdnai.exe 2676 Kdlkld32.exe 1764 Loapim32.exe 1176 Lekhfgfc.exe 2384 Lfmdnp32.exe 1204 Lpeifeca.exe 3016 Ldqegd32.exe 2152 Lgoacojo.exe 1708 Lpgele32.exe 380 Lganiohl.exe 1808 Lmkfei32.exe 828 Llnfaffc.exe 2172 Libgjj32.exe 1464 Lmnbkinf.exe 748 Lplogdmj.exe 684 Mgfgdn32.exe 2128 Midcpj32.exe 1208 Mlcple32.exe 1600 Mpolmdkg.exe 2668 Maphdl32.exe 2660 Mhjpaf32.exe 2844 Mlelaeqk.exe 2456 Mcodno32.exe 1700 Menakj32.exe 2956 Mdqafgnf.exe 2428 Mkjica32.exe 1760 Mofecpnl.exe 1216 Mdcnlglc.exe 616 Mhnjle32.exe 2760 Mkmfhacp.exe -
Loads dropped DLL 64 IoCs
pid Process 1732 70304514ea5bd55d20c16ce0e8adb6cc9c69361e9292d41a9a28ccb460c0636c.exe 1732 70304514ea5bd55d20c16ce0e8adb6cc9c69361e9292d41a9a28ccb460c0636c.exe 1928 Imnafd32.exe 1928 Imnafd32.exe 2612 Iqljlb32.exe 2612 Iqljlb32.exe 2560 Ifhbdj32.exe 2560 Ifhbdj32.exe 2728 Iigoqe32.exe 2728 Iigoqe32.exe 2376 Iclcnnji.exe 2376 Iclcnnji.exe 2624 Ifkojiim.exe 2624 Ifkojiim.exe 904 Ikggbpgd.exe 904 Ikggbpgd.exe 2640 Infdolgh.exe 2640 Infdolgh.exe 852 Jilhldfn.exe 852 Jilhldfn.exe 2148 Jnhqdkde.exe 2148 Jnhqdkde.exe 2240 Jebiaelb.exe 2240 Jebiaelb.exe 2344 Jklanp32.exe 2344 Jklanp32.exe 2028 Jbfijjkl.exe 2028 Jbfijjkl.exe 2644 Jcgfbb32.exe 2644 Jcgfbb32.exe 1864 Jjanolhg.exe 1864 Jjanolhg.exe 492 Jegble32.exe 492 Jegble32.exe 1400 Jgenhp32.exe 1400 Jgenhp32.exe 272 Jnofejom.exe 272 Jnofejom.exe 396 Jancafna.exe 396 Jancafna.exe 3036 Jclomamd.exe 3036 Jclomamd.exe 1856 Jfkkimlh.exe 1856 Jfkkimlh.exe 1240 Jmdcfg32.exe 1240 Jmdcfg32.exe 1576 Kcolba32.exe 1576 Kcolba32.exe 744 Kjhdokbo.exe 744 Kjhdokbo.exe 3004 Kikdkh32.exe 3004 Kikdkh32.exe 868 Kljqgc32.exe 868 Kljqgc32.exe 2100 Kcahhq32.exe 2100 Kcahhq32.exe 1636 Kebepion.exe 1636 Kebepion.exe 2656 Knjiin32.exe 2656 Knjiin32.exe 2460 Kfaajlfp.exe 2460 Kfaajlfp.exe 2872 Klnjbbdh.exe 2872 Klnjbbdh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Magnek32.exe Mkmfhacp.exe File opened for modification C:\Windows\SysWOW64\Plfamfpm.exe Pigeqkai.exe File opened for modification C:\Windows\SysWOW64\Iqljlb32.exe Imnafd32.exe File opened for modification C:\Windows\SysWOW64\Jmdcfg32.exe Jfkkimlh.exe File opened for modification C:\Windows\SysWOW64\Ppoqge32.exe Pmqdkj32.exe File created C:\Windows\SysWOW64\Fjilieka.exe Fhkpmjln.exe File opened for modification C:\Windows\SysWOW64\Nplkfgoe.exe Naikkk32.exe File created C:\Windows\SysWOW64\Elmigj32.exe Eiomkn32.exe File created C:\Windows\SysWOW64\Hkkalk32.exe Hhmepp32.exe File created C:\Windows\SysWOW64\Aofqfokm.dll Alhjai32.exe File created C:\Windows\SysWOW64\Paejki32.exe Ongnonkb.exe File opened for modification C:\Windows\SysWOW64\Ccdlbf32.exe Cdakgibq.exe File created C:\Windows\SysWOW64\Fkahhbbj.dll Dqhhknjp.exe File created C:\Windows\SysWOW64\Ghfbqn32.exe Gegfdb32.exe File created C:\Windows\SysWOW64\Ddagfm32.exe Dqelenlc.exe File created C:\Windows\SysWOW64\Jkoginch.dll Fhhcgj32.exe File opened for modification C:\Windows\SysWOW64\Hcifgjgc.exe Hpkjko32.exe File opened for modification C:\Windows\SysWOW64\Bopicc32.exe Bghabf32.exe File opened for modification C:\Windows\SysWOW64\Jklanp32.exe Jebiaelb.exe File opened for modification C:\Windows\SysWOW64\Lpgele32.exe Lgoacojo.exe File opened for modification C:\Windows\SysWOW64\Aigaon32.exe Afiecb32.exe File created C:\Windows\SysWOW64\Ihomanac.dll Balijo32.exe File created C:\Windows\SysWOW64\Lopekk32.dll Ebedndfa.exe File created C:\Windows\SysWOW64\Gmgdddmq.exe Goddhg32.exe File created C:\Windows\SysWOW64\Mpkibc32.dll Jancafna.exe File created C:\Windows\SysWOW64\Gclcefmh.dll Ccdlbf32.exe File created C:\Windows\SysWOW64\Gaqcoc32.exe Gobgcg32.exe File opened for modification C:\Windows\SysWOW64\Hpkjko32.exe Hahjpbad.exe File created C:\Windows\SysWOW64\Anllbdkl.dll Hicodd32.exe File opened for modification C:\Windows\SysWOW64\Pfiidobe.exe Pbmmcq32.exe File created C:\Windows\SysWOW64\Filldb32.exe Fjilieka.exe File created C:\Windows\SysWOW64\Bihebmne.dll Iigoqe32.exe File created C:\Windows\SysWOW64\Jjnmcd32.dll Jnofejom.exe File opened for modification C:\Windows\SysWOW64\Eiomkn32.exe Eecqjpee.exe File opened for modification C:\Windows\SysWOW64\Gangic32.exe Gopkmhjk.exe File created C:\Windows\SysWOW64\Mhjpaf32.exe Maphdl32.exe File opened for modification C:\Windows\SysWOW64\Mkobnqan.exe Mgcgmb32.exe File opened for modification C:\Windows\SysWOW64\Ncancbha.exe Nofabc32.exe File created C:\Windows\SysWOW64\Cmmhnnlm.dll Ogmfbd32.exe File created C:\Windows\SysWOW64\Lfqqcc32.dll Lfmdnp32.exe File created C:\Windows\SysWOW64\Fcmgmp32.dll Nfmmin32.exe File opened for modification C:\Windows\SysWOW64\Nhnfkigh.exe Njkfpl32.exe File created C:\Windows\SysWOW64\Pjgjmd32.dll Ocomlemo.exe File created C:\Windows\SysWOW64\Nopodm32.dll Facdeo32.exe File created C:\Windows\SysWOW64\Gobgcg32.exe Gldkfl32.exe File opened for modification C:\Windows\SysWOW64\Henidd32.exe Hpapln32.exe File created C:\Windows\SysWOW64\Endaal32.dll Iclcnnji.exe File created C:\Windows\SysWOW64\Plfamfpm.exe Pigeqkai.exe File created C:\Windows\SysWOW64\Ikggbpgd.exe Ifkojiim.exe File created C:\Windows\SysWOW64\Mhhaff32.dll Piehkkcl.exe File opened for modification C:\Windows\SysWOW64\Cfinoq32.exe Cbnbobin.exe File created C:\Windows\SysWOW64\Ojcohaka.dll Ifkojiim.exe File created C:\Windows\SysWOW64\Fabnbook.dll Alenki32.exe File created C:\Windows\SysWOW64\Jolfcj32.dll Apajlhka.exe File created C:\Windows\SysWOW64\Klnjbbdh.exe Kfaajlfp.exe File opened for modification C:\Windows\SysWOW64\Llnfaffc.exe Lmkfei32.exe File created C:\Windows\SysWOW64\Cdakgibq.exe Cljcelan.exe File created C:\Windows\SysWOW64\Jpbpbqda.dll Djbiicon.exe File opened for modification C:\Windows\SysWOW64\Ncoamb32.exe Nleiqhcg.exe File opened for modification C:\Windows\SysWOW64\Iigoqe32.exe Ifhbdj32.exe File created C:\Windows\SysWOW64\Cgocalod.dll Lmkfei32.exe File created C:\Windows\SysWOW64\Obnqem32.exe Okchhc32.exe File opened for modification C:\Windows\SysWOW64\Bhcdaibd.exe Beehencq.exe File created C:\Windows\SysWOW64\Oecbjjic.dll Globlmmj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3668 3880 WerFault.exe 336 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfflopdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhflmk32.dll" Dmoipopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkahhbbj.dll" Dqhhknjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhggeddb.dll" Fjilieka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifkojiim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnebmi32.dll" Nlgefh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccfhhffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pijbfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gddifnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Balijo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqonkmdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjgoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jancafna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgocalod.dll" Lmkfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bebkpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll" Hpapln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhmepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcgfbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okfencna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gonnhhln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmekoalh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpapln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfqqcc32.dll" Lfmdnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbfjdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egdilkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjbla32.dll" Eiomkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmcoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdapak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpkceld.dll" Bebkpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Balijo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccdlbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glfhll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njiijlbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adjigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgmglh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ealnephf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fioija32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bogjdl32.dll" Jklanp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcahhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peegic32.dll" Mgcgmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opljoqmk.dll" Kcolba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncjgbcoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhbabqdh.dll" Nfkpdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckdjbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aiinen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dodonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njdpomfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ondajnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqcnfjli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lekhfgfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mekdnobh.dll" 70304514ea5bd55d20c16ce0e8adb6cc9c69361e9292d41a9a28ccb460c0636c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkfbjneg.dll" Infdolgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klnjbbdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ennaieib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mocaac32.dll" Bopicc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekklaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcahhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgfgdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Admemg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eilpeooq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihoafpmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdlkld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqddgc32.dll" Adhlaggp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1732 wrote to memory of 1928 1732 70304514ea5bd55d20c16ce0e8adb6cc9c69361e9292d41a9a28ccb460c0636c.exe 28 PID 1732 wrote to memory of 1928 1732 70304514ea5bd55d20c16ce0e8adb6cc9c69361e9292d41a9a28ccb460c0636c.exe 28 PID 1732 wrote to memory of 1928 1732 70304514ea5bd55d20c16ce0e8adb6cc9c69361e9292d41a9a28ccb460c0636c.exe 28 PID 1732 wrote to memory of 1928 1732 70304514ea5bd55d20c16ce0e8adb6cc9c69361e9292d41a9a28ccb460c0636c.exe 28 PID 1928 wrote to memory of 2612 1928 Imnafd32.exe 29 PID 1928 wrote to memory of 2612 1928 Imnafd32.exe 29 PID 1928 wrote to memory of 2612 1928 Imnafd32.exe 29 PID 1928 wrote to memory of 2612 1928 Imnafd32.exe 29 PID 2612 wrote to memory of 2560 2612 Iqljlb32.exe 30 PID 2612 wrote to memory of 2560 2612 Iqljlb32.exe 30 PID 2612 wrote to memory of 2560 2612 Iqljlb32.exe 30 PID 2612 wrote to memory of 2560 2612 Iqljlb32.exe 30 PID 2560 wrote to memory of 2728 2560 Ifhbdj32.exe 31 PID 2560 wrote to memory of 2728 2560 Ifhbdj32.exe 31 PID 2560 wrote to memory of 2728 2560 Ifhbdj32.exe 31 PID 2560 wrote to memory of 2728 2560 Ifhbdj32.exe 31 PID 2728 wrote to memory of 2376 2728 Iigoqe32.exe 32 PID 2728 wrote to memory of 2376 2728 Iigoqe32.exe 32 PID 2728 wrote to memory of 2376 2728 Iigoqe32.exe 32 PID 2728 wrote to memory of 2376 2728 Iigoqe32.exe 32 PID 2376 wrote to memory of 2624 2376 Iclcnnji.exe 33 PID 2376 wrote to memory of 2624 2376 Iclcnnji.exe 33 PID 2376 wrote to memory of 2624 2376 Iclcnnji.exe 33 PID 2376 wrote to memory of 2624 2376 Iclcnnji.exe 33 PID 2624 wrote to memory of 904 2624 Ifkojiim.exe 34 PID 2624 wrote to memory of 904 2624 Ifkojiim.exe 34 PID 2624 wrote to memory of 904 2624 Ifkojiim.exe 34 PID 2624 wrote to memory of 904 2624 Ifkojiim.exe 34 PID 904 wrote to memory of 2640 904 Ikggbpgd.exe 35 PID 904 wrote to memory of 2640 904 Ikggbpgd.exe 35 PID 904 wrote to memory of 2640 904 Ikggbpgd.exe 35 PID 904 wrote to memory of 2640 904 Ikggbpgd.exe 35 PID 2640 wrote to memory of 852 2640 Infdolgh.exe 36 PID 2640 wrote to memory of 852 2640 Infdolgh.exe 36 PID 2640 wrote to memory of 852 2640 Infdolgh.exe 36 PID 2640 wrote to memory of 852 2640 Infdolgh.exe 36 PID 852 wrote to memory of 2148 852 Jilhldfn.exe 37 PID 852 wrote to memory of 2148 852 Jilhldfn.exe 37 PID 852 wrote to memory of 2148 852 Jilhldfn.exe 37 PID 852 wrote to memory of 2148 852 Jilhldfn.exe 37 PID 2148 wrote to memory of 2240 2148 Jnhqdkde.exe 38 PID 2148 wrote to memory of 2240 2148 Jnhqdkde.exe 38 PID 2148 wrote to memory of 2240 2148 Jnhqdkde.exe 38 PID 2148 wrote to memory of 2240 2148 Jnhqdkde.exe 38 PID 2240 wrote to memory of 2344 2240 Jebiaelb.exe 39 PID 2240 wrote to memory of 2344 2240 Jebiaelb.exe 39 PID 2240 wrote to memory of 2344 2240 Jebiaelb.exe 39 PID 2240 wrote to memory of 2344 2240 Jebiaelb.exe 39 PID 2344 wrote to memory of 2028 2344 Jklanp32.exe 40 PID 2344 wrote to memory of 2028 2344 Jklanp32.exe 40 PID 2344 wrote to memory of 2028 2344 Jklanp32.exe 40 PID 2344 wrote to memory of 2028 2344 Jklanp32.exe 40 PID 2028 wrote to memory of 2644 2028 Jbfijjkl.exe 41 PID 2028 wrote to memory of 2644 2028 Jbfijjkl.exe 41 PID 2028 wrote to memory of 2644 2028 Jbfijjkl.exe 41 PID 2028 wrote to memory of 2644 2028 Jbfijjkl.exe 41 PID 2644 wrote to memory of 1864 2644 Jcgfbb32.exe 42 PID 2644 wrote to memory of 1864 2644 Jcgfbb32.exe 42 PID 2644 wrote to memory of 1864 2644 Jcgfbb32.exe 42 PID 2644 wrote to memory of 1864 2644 Jcgfbb32.exe 42 PID 1864 wrote to memory of 492 1864 Jjanolhg.exe 43 PID 1864 wrote to memory of 492 1864 Jjanolhg.exe 43 PID 1864 wrote to memory of 492 1864 Jjanolhg.exe 43 PID 1864 wrote to memory of 492 1864 Jjanolhg.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\70304514ea5bd55d20c16ce0e8adb6cc9c69361e9292d41a9a28ccb460c0636c.exe"C:\Users\Admin\AppData\Local\Temp\70304514ea5bd55d20c16ce0e8adb6cc9c69361e9292d41a9a28ccb460c0636c.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Imnafd32.exeC:\Windows\system32\Imnafd32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Iqljlb32.exeC:\Windows\system32\Iqljlb32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Ifhbdj32.exeC:\Windows\system32\Ifhbdj32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Iigoqe32.exeC:\Windows\system32\Iigoqe32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Iclcnnji.exeC:\Windows\system32\Iclcnnji.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Ifkojiim.exeC:\Windows\system32\Ifkojiim.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Ikggbpgd.exeC:\Windows\system32\Ikggbpgd.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\SysWOW64\Infdolgh.exeC:\Windows\system32\Infdolgh.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Jilhldfn.exeC:\Windows\system32\Jilhldfn.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\SysWOW64\Jnhqdkde.exeC:\Windows\system32\Jnhqdkde.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Jebiaelb.exeC:\Windows\system32\Jebiaelb.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Jklanp32.exeC:\Windows\system32\Jklanp32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Jbfijjkl.exeC:\Windows\system32\Jbfijjkl.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Jcgfbb32.exeC:\Windows\system32\Jcgfbb32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Jjanolhg.exeC:\Windows\system32\Jjanolhg.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\Jegble32.exeC:\Windows\system32\Jegble32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:492 -
C:\Windows\SysWOW64\Jgenhp32.exeC:\Windows\system32\Jgenhp32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1400 -
C:\Windows\SysWOW64\Jnofejom.exeC:\Windows\system32\Jnofejom.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:272 -
C:\Windows\SysWOW64\Jancafna.exeC:\Windows\system32\Jancafna.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:396 -
C:\Windows\SysWOW64\Jclomamd.exeC:\Windows\system32\Jclomamd.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Jfkkimlh.exeC:\Windows\system32\Jfkkimlh.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1856 -
C:\Windows\SysWOW64\Jmdcfg32.exeC:\Windows\system32\Jmdcfg32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1240 -
C:\Windows\SysWOW64\Kcolba32.exeC:\Windows\system32\Kcolba32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1576 -
C:\Windows\SysWOW64\Kjhdokbo.exeC:\Windows\system32\Kjhdokbo.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:744 -
C:\Windows\SysWOW64\Kikdkh32.exeC:\Windows\system32\Kikdkh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\Kljqgc32.exeC:\Windows\system32\Kljqgc32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:868 -
C:\Windows\SysWOW64\Kcahhq32.exeC:\Windows\system32\Kcahhq32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1636 -
C:\Windows\SysWOW64\Knjiin32.exeC:\Windows\system32\Knjiin32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2460 -
C:\Windows\SysWOW64\Klnjbbdh.exeC:\Windows\system32\Klnjbbdh.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe35⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Koocdnai.exeC:\Windows\system32\Koocdnai.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe38⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Lekhfgfc.exeC:\Windows\system32\Lekhfgfc.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1176 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe42⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe44⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe45⤵
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe47⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe48⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe49⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe50⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:684 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe54⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2668 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe56⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe57⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe58⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe60⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe62⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe63⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe64⤵
- Executes dropped EXE
PID:616 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2944 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe67⤵PID:580
-
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:688 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe69⤵PID:1720
-
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe70⤵
- Drops file in System32 directory
PID:604 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe71⤵PID:316
-
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe72⤵
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe73⤵
- Modifies registry class
PID:1900 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe74⤵PID:1520
-
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2600 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe76⤵PID:2572
-
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe77⤵
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe78⤵
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe79⤵PID:2688
-
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1588 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe81⤵
- Modifies registry class
PID:2380 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe82⤵
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe83⤵
- Drops file in System32 directory
PID:2304 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe84⤵PID:320
-
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3024 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe87⤵PID:1548
-
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe88⤵PID:1572
-
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe89⤵PID:1532
-
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe90⤵
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe91⤵PID:2788
-
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe92⤵PID:2952
-
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe93⤵PID:2812
-
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe94⤵PID:2800
-
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe95⤵PID:1676
-
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe96⤵PID:1784
-
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe97⤵PID:1452
-
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe98⤵PID:1884
-
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe99⤵PID:1684
-
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe100⤵
- Drops file in System32 directory
PID:1912 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe101⤵PID:444
-
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe102⤵
- Drops file in System32 directory
PID:284 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe103⤵
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe104⤵
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe105⤵
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe106⤵
- Drops file in System32 directory
PID:2404 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2528 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe108⤵
- Drops file in System32 directory
PID:2520 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1752 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe110⤵PID:344
-
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe111⤵PID:2044
-
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe112⤵PID:2144
-
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:640 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe114⤵PID:2816
-
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe115⤵PID:984
-
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe116⤵PID:792
-
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe117⤵PID:1960
-
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe118⤵PID:2308
-
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:884 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe121⤵
- Drops file in System32 directory
PID:2672
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-