Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
27/06/2024, 23:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
855a3c2b36c4e80ffb237e0b231fc6b9d9d551a384e27ccdbf97a4674ac3f135.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
855a3c2b36c4e80ffb237e0b231fc6b9d9d551a384e27ccdbf97a4674ac3f135.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
855a3c2b36c4e80ffb237e0b231fc6b9d9d551a384e27ccdbf97a4674ac3f135.exe
-
Size
320KB
-
MD5
fe59814fb4eb68b35b674c3c4417cab9
-
SHA1
8a64e6a8d8ade395d648e1df2c3138c3ca089075
-
SHA256
855a3c2b36c4e80ffb237e0b231fc6b9d9d551a384e27ccdbf97a4674ac3f135
-
SHA512
7497354297f27c8ecf9e1c9843f1a6a8c4abe55501debd426142346ad6e135f0c9c9750693cfb4c737f5a58e92cb991e16e7dbc38f790aced54637331eb0e070
-
SSDEEP
6144:I+pxvl/Y/m05XUEtMEX6vluZV4U/vlf0DrBqvl8ZV4U/vlfl+9Q:PxvQm05XEvG6IveDVqvQ6IvP
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhkpmjln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ankdiqih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhfagipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epieghdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppmdbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjpqdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpkjko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfbhnaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjoailji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdlkld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adhlaggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Claifkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cndbcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkkpbgli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emhlfmgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbkgnfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jancafna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdejaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqcagfim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pelipl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Banepo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bopicc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eajaoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpemgbqf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ladeqhjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lefkjkmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aigaon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apcfahio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eihfjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpfdalii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gangic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikekmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkjica32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbpjiphi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abmibdlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbflib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jilhldfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocomlemo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cckace32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Facdeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpocfncj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjoailji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmgmjjdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Admemg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfinoq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlgigdoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkobnqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ealnephf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jagmpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjcgco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnneja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdopkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djbiicon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fckjalhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hggomh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nplkfgoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oomhcbjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbiciana.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahakmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnilobkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkkalk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieqeidnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icjfhn32.exe -
Executes dropped EXE 64 IoCs
pid Process 1828 Imnafd32.exe 2104 Ichico32.exe 2676 Icjfhn32.exe 2592 Ikekmq32.exe 2508 Ifkojiim.exe 2480 Imeggc32.exe 3048 Jilhldfn.exe 2780 Jagmpg32.exe 1164 Jjoailji.exe 944 Jcgfbb32.exe 2936 Jmpjkggj.exe 1656 Jgenhp32.exe 632 Jancafna.exe 860 Jiigehkl.exe 856 Kbalnnam.exe 760 Kpemgbqf.exe 1712 Kmimafop.exe 784 Kbfeimng.exe 1824 Kipnfged.exe 2152 Khcnad32.exe 1812 Kakbjibo.exe 332 Kegnkh32.exe 1904 Kjcgco32.exe 696 Kbkodl32.exe 1644 Kdlkld32.exe 3040 Llccmb32.exe 2112 Lhjdbcef.exe 2692 Lkhpnnej.exe 2600 Lmgmjjdn.exe 2728 Lhlqhb32.exe 2544 Lmiipi32.exe 2800 Ladeqhjd.exe 956 Lmkfei32.exe 2052 Llnfaffc.exe 2824 Lgdjnofi.exe 2788 Lefkjkmc.exe 2940 Mcjkcplm.exe 1680 Meigpkka.exe 1436 Mhgclfje.exe 1268 Mcmhiojk.exe 1288 Mekdekin.exe 1168 Mhjpaf32.exe 592 Menakj32.exe 2004 Mdqafgnf.exe 296 Mlgigdoh.exe 1536 Mkjica32.exe 2320 Mnieom32.exe 2876 Mepnpj32.exe 2240 Mhnjle32.exe 2292 Mkmfhacp.exe 2664 Magnek32.exe 2720 Mdejaf32.exe 2496 Mkobnqan.exe 2688 Nnnojlpa.exe 2312 Nplkfgoe.exe 2820 Nkaocp32.exe 2364 Nnplpl32.exe 2760 Nlblkhei.exe 2992 Npnhlg32.exe 2984 Ncmdhb32.exe 852 Nfkpdn32.exe 688 Njgldmdc.exe 2224 Nocemcbj.exe 1708 Ngkmnacm.exe -
Loads dropped DLL 64 IoCs
pid Process 2548 855a3c2b36c4e80ffb237e0b231fc6b9d9d551a384e27ccdbf97a4674ac3f135.exe 2548 855a3c2b36c4e80ffb237e0b231fc6b9d9d551a384e27ccdbf97a4674ac3f135.exe 1828 Imnafd32.exe 1828 Imnafd32.exe 2104 Ichico32.exe 2104 Ichico32.exe 2676 Icjfhn32.exe 2676 Icjfhn32.exe 2592 Ikekmq32.exe 2592 Ikekmq32.exe 2508 Ifkojiim.exe 2508 Ifkojiim.exe 2480 Imeggc32.exe 2480 Imeggc32.exe 3048 Jilhldfn.exe 3048 Jilhldfn.exe 2780 Jagmpg32.exe 2780 Jagmpg32.exe 1164 Jjoailji.exe 1164 Jjoailji.exe 944 Jcgfbb32.exe 944 Jcgfbb32.exe 2936 Jmpjkggj.exe 2936 Jmpjkggj.exe 1656 Jgenhp32.exe 1656 Jgenhp32.exe 632 Jancafna.exe 632 Jancafna.exe 860 Jiigehkl.exe 860 Jiigehkl.exe 856 Kbalnnam.exe 856 Kbalnnam.exe 760 Kpemgbqf.exe 760 Kpemgbqf.exe 1712 Kmimafop.exe 1712 Kmimafop.exe 784 Kbfeimng.exe 784 Kbfeimng.exe 1824 Kipnfged.exe 1824 Kipnfged.exe 2152 Khcnad32.exe 2152 Khcnad32.exe 1812 Kakbjibo.exe 1812 Kakbjibo.exe 332 Kegnkh32.exe 332 Kegnkh32.exe 1904 Kjcgco32.exe 1904 Kjcgco32.exe 696 Kbkodl32.exe 696 Kbkodl32.exe 1644 Kdlkld32.exe 1644 Kdlkld32.exe 3040 Llccmb32.exe 3040 Llccmb32.exe 2112 Lhjdbcef.exe 2112 Lhjdbcef.exe 2692 Lkhpnnej.exe 2692 Lkhpnnej.exe 2600 Lmgmjjdn.exe 2600 Lmgmjjdn.exe 2728 Lhlqhb32.exe 2728 Lhlqhb32.exe 2544 Lmiipi32.exe 2544 Lmiipi32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ebbjqa32.dll Pbpjiphi.exe File opened for modification C:\Windows\SysWOW64\Ckffgg32.exe Cfinoq32.exe File created C:\Windows\SysWOW64\Npnhlg32.exe Nlblkhei.exe File opened for modification C:\Windows\SysWOW64\Obkdonic.exe Oomhcbjp.exe File opened for modification C:\Windows\SysWOW64\Pbkpna32.exe Ppmdbe32.exe File created C:\Windows\SysWOW64\Fbeccf32.dll Apcfahio.exe File created C:\Windows\SysWOW64\Enihne32.exe Emhlfmgj.exe File opened for modification C:\Windows\SysWOW64\Flmefm32.exe Fioija32.exe File opened for modification C:\Windows\SysWOW64\Gmjaic32.exe Gkkemh32.exe File opened for modification C:\Windows\SysWOW64\Hkkalk32.exe Hjjddchg.exe File opened for modification C:\Windows\SysWOW64\Mhjpaf32.exe Mekdekin.exe File opened for modification C:\Windows\SysWOW64\Njgldmdc.exe Nfkpdn32.exe File created C:\Windows\SysWOW64\Plahag32.exe Piblek32.exe File created C:\Windows\SysWOW64\Pndniaop.exe Ppamme32.exe File opened for modification C:\Windows\SysWOW64\Fphafl32.exe Flmefm32.exe File opened for modification C:\Windows\SysWOW64\Hnagjbdf.exe Hiekid32.exe File opened for modification C:\Windows\SysWOW64\Nlblkhei.exe Nnplpl32.exe File opened for modification C:\Windows\SysWOW64\Gbkgnfbd.exe Glaoalkh.exe File opened for modification C:\Windows\SysWOW64\Fckjalhj.exe Ealnephf.exe File created C:\Windows\SysWOW64\Mkjica32.exe Mlgigdoh.exe File created C:\Windows\SysWOW64\Bnkajj32.dll Fhkpmjln.exe File created C:\Windows\SysWOW64\Ojhcelga.dll Hkkalk32.exe File opened for modification C:\Windows\SysWOW64\Kbalnnam.exe Jiigehkl.exe File created C:\Windows\SysWOW64\Pfbccp32.exe Pgobhcac.exe File created C:\Windows\SysWOW64\Hpapln32.exe Hlfdkoin.exe File created C:\Windows\SysWOW64\Kmimafop.exe Kpemgbqf.exe File created C:\Windows\SysWOW64\Ajphib32.exe Afdlhchf.exe File opened for modification C:\Windows\SysWOW64\Ealnephf.exe Ejbfhfaj.exe File created C:\Windows\SysWOW64\Djdbmo32.dll Kbalnnam.exe File created C:\Windows\SysWOW64\Pbiciana.exe Ppjglfon.exe File created C:\Windows\SysWOW64\Abpfhcje.exe Admemg32.exe File created C:\Windows\SysWOW64\Bpcbqk32.exe Baqbenep.exe File created C:\Windows\SysWOW64\Nhnfkigh.exe Nbdnoo32.exe File created C:\Windows\SysWOW64\Pienahqb.dll Afkbib32.exe File created C:\Windows\SysWOW64\Fjdbnf32.exe Flabbihl.exe File created C:\Windows\SysWOW64\Abmibdlh.exe Aalmklfi.exe File opened for modification C:\Windows\SysWOW64\Ppamme32.exe Pelipl32.exe File created C:\Windows\SysWOW64\Ealnephf.exe Ejbfhfaj.exe File opened for modification C:\Windows\SysWOW64\Okoomd32.exe Omloag32.exe File opened for modification C:\Windows\SysWOW64\Afdlhchf.exe Ahakmf32.exe File created C:\Windows\SysWOW64\Jolfcj32.dll Ambmpmln.exe File created C:\Windows\SysWOW64\Piblek32.exe Pfdpip32.exe File created C:\Windows\SysWOW64\Mcbndm32.dll Dflkdp32.exe File created C:\Windows\SysWOW64\Jfpjfeia.dll Dnneja32.exe File created C:\Windows\SysWOW64\Facklcaq.dll Fejgko32.exe File created C:\Windows\SysWOW64\Hknach32.exe Ghoegl32.exe File opened for modification C:\Windows\SysWOW64\Ioijbj32.exe Ihoafpmp.exe File created C:\Windows\SysWOW64\Paggai32.exe Pipopl32.exe File created C:\Windows\SysWOW64\Qjhpbe32.dll Lhlqhb32.exe File created C:\Windows\SysWOW64\Mcmhiojk.exe Mhgclfje.exe File opened for modification C:\Windows\SysWOW64\Dqlafm32.exe Dnneja32.exe File created C:\Windows\SysWOW64\Facdeo32.exe Filldb32.exe File created C:\Windows\SysWOW64\Kpemgbqf.exe Kbalnnam.exe File created C:\Windows\SysWOW64\Kdlkld32.exe Kbkodl32.exe File created C:\Windows\SysWOW64\Mjccnjpk.dll Aajpelhl.exe File created C:\Windows\SysWOW64\Gaemjbcg.exe Gmjaic32.exe File opened for modification C:\Windows\SysWOW64\Kjcgco32.exe Kegnkh32.exe File opened for modification C:\Windows\SysWOW64\Nnnojlpa.exe Mkobnqan.exe File opened for modification C:\Windows\SysWOW64\Piehkkcl.exe Pbkpna32.exe File opened for modification C:\Windows\SysWOW64\Afkbib32.exe Abpfhcje.exe File opened for modification C:\Windows\SysWOW64\Aepojo32.exe Afmonbqk.exe File created C:\Windows\SysWOW64\Kjqipbka.dll Bebkpn32.exe File created C:\Windows\SysWOW64\Dchfknpg.dll Flabbihl.exe File created C:\Windows\SysWOW64\Ahpjhc32.dll Gangic32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3692 3604 WerFault.exe 301 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifkojiim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piehkkcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpafkknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjapnke.dll" Dgmglh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbfeimng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kodppf32.dll" Pijbfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpapln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll" Hpapln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efjcibje.dll" Ebgacddo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejbfhfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgenhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqcnfjli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flcnijgi.dll" Dgdmmgpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppamme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epgnljad.dll" Dcfdgiid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egamfkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfmimf32.dll" Mnieom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omgaek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cphlljge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gobgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll" Gddifnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdejaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdhhqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfgaiaci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Facdeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmgdddmq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkkemh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jancafna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lefkjkmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcqgok32.dll" Feeiob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofpfnqjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apcfahio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcaomf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdppp32.dll" Oqcnfjli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbiciana.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifclcknc.dll" Qhooggdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iklgpmjo.dll" Cgmkmecg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebpkce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebgacddo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gangic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlblkhei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iacnpbdl.dll" Omgaek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Paggai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plahag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppmdbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihomanac.dll" Bnpmipql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmjaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcjkcplm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncancbha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbjlmdgj.dll" Oicpfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpcbqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epieghdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} 855a3c2b36c4e80ffb237e0b231fc6b9d9d551a384e27ccdbf97a4674ac3f135.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kegnkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkmbgdfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bghabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baqbenep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adeplhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffpmnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlgigdoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okoomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pphjgfqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anapbp32.dll" Dnilobkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll" Hogmmjfo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2548 wrote to memory of 1828 2548 855a3c2b36c4e80ffb237e0b231fc6b9d9d551a384e27ccdbf97a4674ac3f135.exe 28 PID 2548 wrote to memory of 1828 2548 855a3c2b36c4e80ffb237e0b231fc6b9d9d551a384e27ccdbf97a4674ac3f135.exe 28 PID 2548 wrote to memory of 1828 2548 855a3c2b36c4e80ffb237e0b231fc6b9d9d551a384e27ccdbf97a4674ac3f135.exe 28 PID 2548 wrote to memory of 1828 2548 855a3c2b36c4e80ffb237e0b231fc6b9d9d551a384e27ccdbf97a4674ac3f135.exe 28 PID 1828 wrote to memory of 2104 1828 Imnafd32.exe 29 PID 1828 wrote to memory of 2104 1828 Imnafd32.exe 29 PID 1828 wrote to memory of 2104 1828 Imnafd32.exe 29 PID 1828 wrote to memory of 2104 1828 Imnafd32.exe 29 PID 2104 wrote to memory of 2676 2104 Ichico32.exe 30 PID 2104 wrote to memory of 2676 2104 Ichico32.exe 30 PID 2104 wrote to memory of 2676 2104 Ichico32.exe 30 PID 2104 wrote to memory of 2676 2104 Ichico32.exe 30 PID 2676 wrote to memory of 2592 2676 Icjfhn32.exe 31 PID 2676 wrote to memory of 2592 2676 Icjfhn32.exe 31 PID 2676 wrote to memory of 2592 2676 Icjfhn32.exe 31 PID 2676 wrote to memory of 2592 2676 Icjfhn32.exe 31 PID 2592 wrote to memory of 2508 2592 Ikekmq32.exe 32 PID 2592 wrote to memory of 2508 2592 Ikekmq32.exe 32 PID 2592 wrote to memory of 2508 2592 Ikekmq32.exe 32 PID 2592 wrote to memory of 2508 2592 Ikekmq32.exe 32 PID 2508 wrote to memory of 2480 2508 Ifkojiim.exe 33 PID 2508 wrote to memory of 2480 2508 Ifkojiim.exe 33 PID 2508 wrote to memory of 2480 2508 Ifkojiim.exe 33 PID 2508 wrote to memory of 2480 2508 Ifkojiim.exe 33 PID 2480 wrote to memory of 3048 2480 Imeggc32.exe 34 PID 2480 wrote to memory of 3048 2480 Imeggc32.exe 34 PID 2480 wrote to memory of 3048 2480 Imeggc32.exe 34 PID 2480 wrote to memory of 3048 2480 Imeggc32.exe 34 PID 3048 wrote to memory of 2780 3048 Jilhldfn.exe 35 PID 3048 wrote to memory of 2780 3048 Jilhldfn.exe 35 PID 3048 wrote to memory of 2780 3048 Jilhldfn.exe 35 PID 3048 wrote to memory of 2780 3048 Jilhldfn.exe 35 PID 2780 wrote to memory of 1164 2780 Jagmpg32.exe 36 PID 2780 wrote to memory of 1164 2780 Jagmpg32.exe 36 PID 2780 wrote to memory of 1164 2780 Jagmpg32.exe 36 PID 2780 wrote to memory of 1164 2780 Jagmpg32.exe 36 PID 1164 wrote to memory of 944 1164 Jjoailji.exe 37 PID 1164 wrote to memory of 944 1164 Jjoailji.exe 37 PID 1164 wrote to memory of 944 1164 Jjoailji.exe 37 PID 1164 wrote to memory of 944 1164 Jjoailji.exe 37 PID 944 wrote to memory of 2936 944 Jcgfbb32.exe 38 PID 944 wrote to memory of 2936 944 Jcgfbb32.exe 38 PID 944 wrote to memory of 2936 944 Jcgfbb32.exe 38 PID 944 wrote to memory of 2936 944 Jcgfbb32.exe 38 PID 2936 wrote to memory of 1656 2936 Jmpjkggj.exe 39 PID 2936 wrote to memory of 1656 2936 Jmpjkggj.exe 39 PID 2936 wrote to memory of 1656 2936 Jmpjkggj.exe 39 PID 2936 wrote to memory of 1656 2936 Jmpjkggj.exe 39 PID 1656 wrote to memory of 632 1656 Jgenhp32.exe 40 PID 1656 wrote to memory of 632 1656 Jgenhp32.exe 40 PID 1656 wrote to memory of 632 1656 Jgenhp32.exe 40 PID 1656 wrote to memory of 632 1656 Jgenhp32.exe 40 PID 632 wrote to memory of 860 632 Jancafna.exe 41 PID 632 wrote to memory of 860 632 Jancafna.exe 41 PID 632 wrote to memory of 860 632 Jancafna.exe 41 PID 632 wrote to memory of 860 632 Jancafna.exe 41 PID 860 wrote to memory of 856 860 Jiigehkl.exe 42 PID 860 wrote to memory of 856 860 Jiigehkl.exe 42 PID 860 wrote to memory of 856 860 Jiigehkl.exe 42 PID 860 wrote to memory of 856 860 Jiigehkl.exe 42 PID 856 wrote to memory of 760 856 Kbalnnam.exe 43 PID 856 wrote to memory of 760 856 Kbalnnam.exe 43 PID 856 wrote to memory of 760 856 Kbalnnam.exe 43 PID 856 wrote to memory of 760 856 Kbalnnam.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\855a3c2b36c4e80ffb237e0b231fc6b9d9d551a384e27ccdbf97a4674ac3f135.exe"C:\Users\Admin\AppData\Local\Temp\855a3c2b36c4e80ffb237e0b231fc6b9d9d551a384e27ccdbf97a4674ac3f135.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Imnafd32.exeC:\Windows\system32\Imnafd32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\Ichico32.exeC:\Windows\system32\Ichico32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Icjfhn32.exeC:\Windows\system32\Icjfhn32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Ikekmq32.exeC:\Windows\system32\Ikekmq32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Ifkojiim.exeC:\Windows\system32\Ifkojiim.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Imeggc32.exeC:\Windows\system32\Imeggc32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Jilhldfn.exeC:\Windows\system32\Jilhldfn.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Jagmpg32.exeC:\Windows\system32\Jagmpg32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Jjoailji.exeC:\Windows\system32\Jjoailji.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Jcgfbb32.exeC:\Windows\system32\Jcgfbb32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Windows\SysWOW64\Jmpjkggj.exeC:\Windows\system32\Jmpjkggj.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Jgenhp32.exeC:\Windows\system32\Jgenhp32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Jancafna.exeC:\Windows\system32\Jancafna.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\Jiigehkl.exeC:\Windows\system32\Jiigehkl.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\Kbalnnam.exeC:\Windows\system32\Kbalnnam.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\Kpemgbqf.exeC:\Windows\system32\Kpemgbqf.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:760 -
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Kbfeimng.exeC:\Windows\system32\Kbfeimng.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:784 -
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1824 -
C:\Windows\SysWOW64\Khcnad32.exeC:\Windows\system32\Khcnad32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2152 -
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1812 -
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:332 -
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1904 -
C:\Windows\SysWOW64\Kbkodl32.exeC:\Windows\system32\Kbkodl32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:696 -
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Windows\SysWOW64\Llccmb32.exeC:\Windows\system32\Llccmb32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2112 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2692 -
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe34⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe35⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe36⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe39⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1436 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe41⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1288 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe43⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe44⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe45⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:296 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2320 -
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe49⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe50⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe51⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe52⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2496 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe55⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe57⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe60⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe61⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:852 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe63⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe64⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe65⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe66⤵PID:844
-
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:640 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe68⤵
- Modifies registry class
PID:924 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe69⤵
- Drops file in System32 directory
PID:1892 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe70⤵PID:3036
-
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe71⤵
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe72⤵PID:2640
-
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe73⤵PID:1816
-
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe74⤵PID:1400
-
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe75⤵
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe76⤵
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe77⤵PID:2084
-
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe78⤵
- Modifies registry class
PID:692 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:792 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe80⤵PID:240
-
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe81⤵PID:1372
-
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe82⤵PID:1344
-
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe83⤵PID:1252
-
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe84⤵PID:276
-
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2696 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe86⤵PID:2612
-
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe87⤵
- Modifies registry class
PID:2488 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe88⤵
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe89⤵PID:1300
-
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe90⤵
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe91⤵PID:2108
-
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe92⤵
- Modifies registry class
PID:1228 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe93⤵PID:1440
-
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe94⤵
- Drops file in System32 directory
PID:1016 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe95⤵PID:1716
-
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe96⤵
- Drops file in System32 directory
PID:1796 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe97⤵
- Modifies registry class
PID:2036 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe98⤵
- Drops file in System32 directory
PID:912 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe100⤵
- Drops file in System32 directory
PID:2668 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe101⤵
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe102⤵
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1280 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe104⤵
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe105⤵
- Modifies registry class
PID:1920 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe106⤵PID:1240
-
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe107⤵PID:2888
-
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe108⤵PID:2172
-
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2020 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe110⤵
- Drops file in System32 directory
- Modifies registry class
PID:1876 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe111⤵PID:108
-
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe113⤵
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe114⤵PID:1408
-
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe115⤵PID:2456
-
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe116⤵PID:1776
-
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe117⤵PID:268
-
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe118⤵
- Modifies registry class
PID:1368 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe119⤵PID:344
-
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe120⤵PID:1616
-
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe121⤵PID:2680
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-