Analysis
-
max time kernel
142s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
04/07/2024, 23:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1a36ac351eab6e5e86738d3b309c7deeafb3fcc0766f73e53f77471c4d49ae75.exe
Resource
win7-20240419-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
1a36ac351eab6e5e86738d3b309c7deeafb3fcc0766f73e53f77471c4d49ae75.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
1a36ac351eab6e5e86738d3b309c7deeafb3fcc0766f73e53f77471c4d49ae75.exe
-
Size
59KB
-
MD5
18c16dfa645432626aae43a1d6798c40
-
SHA1
9c902fd7aa79d0149757e3e610e2320ac25119b9
-
SHA256
1a36ac351eab6e5e86738d3b309c7deeafb3fcc0766f73e53f77471c4d49ae75
-
SHA512
bbc4ace938601f1104590c1459562a48e984fa988e38e37b222488c86c10b46823de39bb04f7e8335f4a7b2fe726e365d4a10fb3d0b1da4775b6823aa1f4b206
-
SSDEEP
1536:dgQQqGNEqSAQuQUCGSX8pZKwC5UNyjD2LqO:WnqGNEqSPJUXtFTNyjgqO
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfflopdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnippoha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdopkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpmgqnfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 1a36ac351eab6e5e86738d3b309c7deeafb3fcc0766f73e53f77471c4d49ae75.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pchpbded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahakmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbflib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gonnhhln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hggomh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onmkio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojieip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdhhqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdakgibq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqjepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amejeljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkhcmgnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgcgmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlblkhei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfflopdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnigda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahchbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifdiijpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncoamb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qljkhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epdkli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmgdddmq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iffeoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apomfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmhheqje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lchnnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbkeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gejcjbah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlgigdoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndjdlffl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onbddoog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieqeidnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aajpelhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cckace32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdapak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpdhklkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkhmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpjoqhah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clomqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfgaiaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epaogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iclcnnji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpafkknm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflkdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgmglh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pipopl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqljlb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdlnkmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epdkli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onphoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnilobkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epieghdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihoafpmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbcicmpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhjdbcef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lplogdmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofdcjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojieip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imkdqe32.exe -
Executes dropped EXE 64 IoCs
pid Process 1336 Hjkkojlc.exe 2156 Hdpplb32.exe 2820 Hjmhdi32.exe 2664 Imkdqe32.exe 1676 Ifdiijpe.exe 2548 Inkakhpg.exe 3052 Ichico32.exe 2900 Iffeoj32.exe 2432 Iqljlb32.exe 1660 Icjfhn32.exe 2856 Ijdnehci.exe 2732 Imbkadcl.exe 316 Iclcnnji.exe 1196 Ifkojiim.exe 2236 Ikggbpgd.exe 756 Infdolgh.exe 668 Jeplkf32.exe 1088 Jgnhga32.exe 1836 Jkjdhpea.exe 832 Jnhqdkde.exe 1028 Jinead32.exe 2408 Jklanp32.exe 948 Jnkmjk32.exe 1852 Jaiiff32.exe 2620 Jcgfbb32.exe 2180 Jjanolhg.exe 2832 Jmpjkggj.exe 2632 Jmbgpg32.exe 2792 Jjfgjk32.exe 1984 Jmdcfg32.exe 2652 Kbalnnam.exe 2528 Kjhdokbo.exe 1728 Kbcicmpj.exe 1792 Kinaqg32.exe 2452 Kbfeimng.exe 2608 Kedaeh32.exe 112 Khcnad32.exe 1152 Kbhbom32.exe 1844 Khekgc32.exe 1532 Klqfhbbe.exe 2500 Kjcgco32.exe 788 Kdlkld32.exe 2056 Laplei32.exe 1484 Lhjdbcef.exe 1988 Lfmdnp32.exe 2164 Ldqegd32.exe 1780 Lgoacojo.exe 2184 Lkkmdn32.exe 2948 Ladeqhjd.exe 2440 Ldcamcih.exe 2280 Lganiohl.exe 2788 Lkmjin32.exe 3024 Lmkfei32.exe 2692 Lpjbad32.exe 2816 Lchnnp32.exe 792 Lefkjkmc.exe 2844 Libgjj32.exe 2868 Lmnbkinf.exe 2344 Lplogdmj.exe 1428 Mgfgdn32.exe 1516 Midcpj32.exe 620 Mlcple32.exe 2088 Mpolmdkg.exe 696 Moalhq32.exe -
Loads dropped DLL 64 IoCs
pid Process 1700 1a36ac351eab6e5e86738d3b309c7deeafb3fcc0766f73e53f77471c4d49ae75.exe 1700 1a36ac351eab6e5e86738d3b309c7deeafb3fcc0766f73e53f77471c4d49ae75.exe 1336 Hjkkojlc.exe 1336 Hjkkojlc.exe 2156 Hdpplb32.exe 2156 Hdpplb32.exe 2820 Hjmhdi32.exe 2820 Hjmhdi32.exe 2664 Imkdqe32.exe 2664 Imkdqe32.exe 1676 Ifdiijpe.exe 1676 Ifdiijpe.exe 2548 Inkakhpg.exe 2548 Inkakhpg.exe 3052 Ichico32.exe 3052 Ichico32.exe 2900 Iffeoj32.exe 2900 Iffeoj32.exe 2432 Iqljlb32.exe 2432 Iqljlb32.exe 1660 Icjfhn32.exe 1660 Icjfhn32.exe 2856 Ijdnehci.exe 2856 Ijdnehci.exe 2732 Imbkadcl.exe 2732 Imbkadcl.exe 316 Iclcnnji.exe 316 Iclcnnji.exe 1196 Ifkojiim.exe 1196 Ifkojiim.exe 2236 Ikggbpgd.exe 2236 Ikggbpgd.exe 756 Infdolgh.exe 756 Infdolgh.exe 668 Jeplkf32.exe 668 Jeplkf32.exe 1088 Jgnhga32.exe 1088 Jgnhga32.exe 1836 Jkjdhpea.exe 1836 Jkjdhpea.exe 832 Jnhqdkde.exe 832 Jnhqdkde.exe 1028 Jinead32.exe 1028 Jinead32.exe 2408 Jklanp32.exe 2408 Jklanp32.exe 948 Jnkmjk32.exe 948 Jnkmjk32.exe 1852 Jaiiff32.exe 1852 Jaiiff32.exe 2620 Jcgfbb32.exe 2620 Jcgfbb32.exe 2180 Jjanolhg.exe 2180 Jjanolhg.exe 2832 Jmpjkggj.exe 2832 Jmpjkggj.exe 2632 Jmbgpg32.exe 2632 Jmbgpg32.exe 2792 Jjfgjk32.exe 2792 Jjfgjk32.exe 1984 Jmdcfg32.exe 1984 Jmdcfg32.exe 2652 Kbalnnam.exe 2652 Kbalnnam.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bnpmlfkm.dll Eecqjpee.exe File created C:\Windows\SysWOW64\Mgcgmb32.exe Mpjoqhah.exe File created C:\Windows\SysWOW64\Mlcple32.exe Midcpj32.exe File created C:\Windows\SysWOW64\Okchhc32.exe Oghlgdgk.exe File created C:\Windows\SysWOW64\Medfkpfc.dll Pgobhcac.exe File created C:\Windows\SysWOW64\Jhnaid32.dll Qjknnbed.exe File opened for modification C:\Windows\SysWOW64\Bnbjopoi.exe Bdjefj32.exe File created C:\Windows\SysWOW64\Ekholjqg.exe Ejgcdb32.exe File created C:\Windows\SysWOW64\Ebgacddo.exe Epieghdk.exe File created C:\Windows\SysWOW64\Ikfihl32.dll Imkdqe32.exe File created C:\Windows\SysWOW64\Goddhg32.exe Ghkllmoi.exe File created C:\Windows\SysWOW64\Clnlnhop.dll Epieghdk.exe File opened for modification C:\Windows\SysWOW64\Onmkio32.exe Oojknblb.exe File opened for modification C:\Windows\SysWOW64\Ldqegd32.exe Lfmdnp32.exe File created C:\Windows\SysWOW64\Bnhgoq32.dll Nccjhafn.exe File opened for modification C:\Windows\SysWOW64\Lchnnp32.exe Lpjbad32.exe File opened for modification C:\Windows\SysWOW64\Ofbfdmeb.exe Nccjhafn.exe File created C:\Windows\SysWOW64\Ipdljffa.dll Dflkdp32.exe File opened for modification C:\Windows\SysWOW64\Dbbkja32.exe Dkhcmgnl.exe File created C:\Windows\SysWOW64\Nqcagfim.exe Nhlifi32.exe File created C:\Windows\SysWOW64\Mocaac32.dll Bdjefj32.exe File created C:\Windows\SysWOW64\Bdjefj32.exe Bnpmipql.exe File opened for modification C:\Windows\SysWOW64\Hpocfncj.exe Hiekid32.exe File created C:\Windows\SysWOW64\Piddlm32.dll Obkdonic.exe File opened for modification C:\Windows\SysWOW64\Nbdnoo32.exe Nofabc32.exe File created C:\Windows\SysWOW64\Ofbfdmeb.exe Nccjhafn.exe File opened for modification C:\Windows\SysWOW64\Ecmkghcl.exe Epaogi32.exe File created C:\Windows\SysWOW64\Lgahch32.dll Fnbkddem.exe File created C:\Windows\SysWOW64\Endaal32.dll Iclcnnji.exe File created C:\Windows\SysWOW64\Qonlfkdd.dll Pfflopdh.exe File created C:\Windows\SysWOW64\Fabnbook.dll Alenki32.exe File opened for modification C:\Windows\SysWOW64\Ieqeidnl.exe Icbimi32.exe File created C:\Windows\SysWOW64\Qngmeo32.dll Mpjoqhah.exe File created C:\Windows\SysWOW64\Hlfkgnmg.dll Jaiiff32.exe File created C:\Windows\SysWOW64\Hhbabqdh.dll Nnbhek32.exe File opened for modification C:\Windows\SysWOW64\Chemfl32.exe Cfgaiaci.exe File created C:\Windows\SysWOW64\Cndbcc32.exe Cobbhfhg.exe File created C:\Windows\SysWOW64\Pinfim32.dll Ejbfhfaj.exe File created C:\Windows\SysWOW64\Fndldonj.dll Gobgcg32.exe File created C:\Windows\SysWOW64\Ijdnehci.exe Icjfhn32.exe File opened for modification C:\Windows\SysWOW64\Mnieom32.exe Mofecpnl.exe File created C:\Windows\SysWOW64\Nofabc32.exe Nqcagfim.exe File opened for modification C:\Windows\SysWOW64\Bagpopmj.exe Bpfcgg32.exe File opened for modification C:\Windows\SysWOW64\Dqjepm32.exe Dnlidb32.exe File opened for modification C:\Windows\SysWOW64\Epaogi32.exe Emcbkn32.exe File created C:\Windows\SysWOW64\Fnbkddem.exe Ffkcbgek.exe File created C:\Windows\SysWOW64\Ghmiam32.exe Geolea32.exe File created C:\Windows\SysWOW64\Mlgigdoh.exe Menakj32.exe File created C:\Windows\SysWOW64\Liqebf32.dll Hlfdkoin.exe File created C:\Windows\SysWOW64\Laplei32.exe Kdlkld32.exe File created C:\Windows\SysWOW64\Qdccfh32.exe Qbbfopeg.exe File created C:\Windows\SysWOW64\Gdopkn32.exe Gaqcoc32.exe File created C:\Windows\SysWOW64\Khcnad32.exe Kedaeh32.exe File created C:\Windows\SysWOW64\Pigeqkai.exe Pfiidobe.exe File opened for modification C:\Windows\SysWOW64\Cfgaiaci.exe Cbkeib32.exe File opened for modification C:\Windows\SysWOW64\Dqelenlc.exe Dbbkja32.exe File created C:\Windows\SysWOW64\Ppmcfdad.dll Dgfjbgmh.exe File created C:\Windows\SysWOW64\Aloeodfi.dll Fbdqmghm.exe File created C:\Windows\SysWOW64\Onmkio32.exe Onmkio32.exe File created C:\Windows\SysWOW64\Jaqlckoi.dll Coklgg32.exe File created C:\Windows\SysWOW64\Jkjdhpea.exe Jgnhga32.exe File opened for modification C:\Windows\SysWOW64\Apomfh32.exe Aiedjneg.exe File opened for modification C:\Windows\SysWOW64\Cnippoha.exe Cgpgce32.exe File opened for modification C:\Windows\SysWOW64\Hiekid32.exe Hggomh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3608 3876 WerFault.exe 336 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkhmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkmmhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nopodm32.dll" Fmhheqje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Necggg32.dll" Inkakhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojdngl32.dll" Blmdlhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljpghahi.dll" Dgmglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkcmiimi.dll" Dnilobkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjlhneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amclfbco.dll" Lkmjin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcopljni.dll" Madapkmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofdcjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djbiicon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hahjpbad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 1a36ac351eab6e5e86738d3b309c7deeafb3fcc0766f73e53f77471c4d49ae75.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghjkhm32.dll" Ifdiijpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nllkkc32.dll" Ladeqhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lonkjenl.dll" Ebgacddo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 1a36ac351eab6e5e86738d3b309c7deeafb3fcc0766f73e53f77471c4d49ae75.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gddifnbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hodpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmdcfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnnajckm.dll" Ojkboo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcmbeioh.dll" Piblek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gicbeald.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdhbam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lchnnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiekid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klealkpf.dll" Laplei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blipbfpp.dll" Lgoacojo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkiabffn.dll" Lchnnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aljkjq32.dll" Nnplpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghjoa32.dll" Dhmcfkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khekgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbeccf32.dll" Abbbnchb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdhhqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgknheej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoiafh32.dll" Kjhdokbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onphoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcfcmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plahag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pigeqkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahakmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnieom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpmchlpl.dll" Pjpkjond.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egamfkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdhmlbj.dll" Egamfkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgogib32.dll" Jmbgpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aenbdoii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bioggp32.dll" Ckdjbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Faagpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alenki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaeldika.dll" Ffkcbgek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcnpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkmfhacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndjdlffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Henidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klqfhbbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iknecn32.dll" Onbddoog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plfamfpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhmbagfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleajblp.dll" Aenbdoii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bihebmne.dll" Imbkadcl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1700 wrote to memory of 1336 1700 1a36ac351eab6e5e86738d3b309c7deeafb3fcc0766f73e53f77471c4d49ae75.exe 28 PID 1700 wrote to memory of 1336 1700 1a36ac351eab6e5e86738d3b309c7deeafb3fcc0766f73e53f77471c4d49ae75.exe 28 PID 1700 wrote to memory of 1336 1700 1a36ac351eab6e5e86738d3b309c7deeafb3fcc0766f73e53f77471c4d49ae75.exe 28 PID 1700 wrote to memory of 1336 1700 1a36ac351eab6e5e86738d3b309c7deeafb3fcc0766f73e53f77471c4d49ae75.exe 28 PID 1336 wrote to memory of 2156 1336 Hjkkojlc.exe 29 PID 1336 wrote to memory of 2156 1336 Hjkkojlc.exe 29 PID 1336 wrote to memory of 2156 1336 Hjkkojlc.exe 29 PID 1336 wrote to memory of 2156 1336 Hjkkojlc.exe 29 PID 2156 wrote to memory of 2820 2156 Hdpplb32.exe 30 PID 2156 wrote to memory of 2820 2156 Hdpplb32.exe 30 PID 2156 wrote to memory of 2820 2156 Hdpplb32.exe 30 PID 2156 wrote to memory of 2820 2156 Hdpplb32.exe 30 PID 2820 wrote to memory of 2664 2820 Hjmhdi32.exe 31 PID 2820 wrote to memory of 2664 2820 Hjmhdi32.exe 31 PID 2820 wrote to memory of 2664 2820 Hjmhdi32.exe 31 PID 2820 wrote to memory of 2664 2820 Hjmhdi32.exe 31 PID 2664 wrote to memory of 1676 2664 Imkdqe32.exe 32 PID 2664 wrote to memory of 1676 2664 Imkdqe32.exe 32 PID 2664 wrote to memory of 1676 2664 Imkdqe32.exe 32 PID 2664 wrote to memory of 1676 2664 Imkdqe32.exe 32 PID 1676 wrote to memory of 2548 1676 Ifdiijpe.exe 33 PID 1676 wrote to memory of 2548 1676 Ifdiijpe.exe 33 PID 1676 wrote to memory of 2548 1676 Ifdiijpe.exe 33 PID 1676 wrote to memory of 2548 1676 Ifdiijpe.exe 33 PID 2548 wrote to memory of 3052 2548 Inkakhpg.exe 34 PID 2548 wrote to memory of 3052 2548 Inkakhpg.exe 34 PID 2548 wrote to memory of 3052 2548 Inkakhpg.exe 34 PID 2548 wrote to memory of 3052 2548 Inkakhpg.exe 34 PID 3052 wrote to memory of 2900 3052 Ichico32.exe 35 PID 3052 wrote to memory of 2900 3052 Ichico32.exe 35 PID 3052 wrote to memory of 2900 3052 Ichico32.exe 35 PID 3052 wrote to memory of 2900 3052 Ichico32.exe 35 PID 2900 wrote to memory of 2432 2900 Iffeoj32.exe 36 PID 2900 wrote to memory of 2432 2900 Iffeoj32.exe 36 PID 2900 wrote to memory of 2432 2900 Iffeoj32.exe 36 PID 2900 wrote to memory of 2432 2900 Iffeoj32.exe 36 PID 2432 wrote to memory of 1660 2432 Iqljlb32.exe 37 PID 2432 wrote to memory of 1660 2432 Iqljlb32.exe 37 PID 2432 wrote to memory of 1660 2432 Iqljlb32.exe 37 PID 2432 wrote to memory of 1660 2432 Iqljlb32.exe 37 PID 1660 wrote to memory of 2856 1660 Icjfhn32.exe 38 PID 1660 wrote to memory of 2856 1660 Icjfhn32.exe 38 PID 1660 wrote to memory of 2856 1660 Icjfhn32.exe 38 PID 1660 wrote to memory of 2856 1660 Icjfhn32.exe 38 PID 2856 wrote to memory of 2732 2856 Ijdnehci.exe 39 PID 2856 wrote to memory of 2732 2856 Ijdnehci.exe 39 PID 2856 wrote to memory of 2732 2856 Ijdnehci.exe 39 PID 2856 wrote to memory of 2732 2856 Ijdnehci.exe 39 PID 2732 wrote to memory of 316 2732 Imbkadcl.exe 40 PID 2732 wrote to memory of 316 2732 Imbkadcl.exe 40 PID 2732 wrote to memory of 316 2732 Imbkadcl.exe 40 PID 2732 wrote to memory of 316 2732 Imbkadcl.exe 40 PID 316 wrote to memory of 1196 316 Iclcnnji.exe 41 PID 316 wrote to memory of 1196 316 Iclcnnji.exe 41 PID 316 wrote to memory of 1196 316 Iclcnnji.exe 41 PID 316 wrote to memory of 1196 316 Iclcnnji.exe 41 PID 1196 wrote to memory of 2236 1196 Ifkojiim.exe 42 PID 1196 wrote to memory of 2236 1196 Ifkojiim.exe 42 PID 1196 wrote to memory of 2236 1196 Ifkojiim.exe 42 PID 1196 wrote to memory of 2236 1196 Ifkojiim.exe 42 PID 2236 wrote to memory of 756 2236 Ikggbpgd.exe 43 PID 2236 wrote to memory of 756 2236 Ikggbpgd.exe 43 PID 2236 wrote to memory of 756 2236 Ikggbpgd.exe 43 PID 2236 wrote to memory of 756 2236 Ikggbpgd.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a36ac351eab6e5e86738d3b309c7deeafb3fcc0766f73e53f77471c4d49ae75.exe"C:\Users\Admin\AppData\Local\Temp\1a36ac351eab6e5e86738d3b309c7deeafb3fcc0766f73e53f77471c4d49ae75.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Hjkkojlc.exeC:\Windows\system32\Hjkkojlc.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\Hdpplb32.exeC:\Windows\system32\Hdpplb32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Hjmhdi32.exeC:\Windows\system32\Hjmhdi32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Imkdqe32.exeC:\Windows\system32\Imkdqe32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Ifdiijpe.exeC:\Windows\system32\Ifdiijpe.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Inkakhpg.exeC:\Windows\system32\Inkakhpg.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Ichico32.exeC:\Windows\system32\Ichico32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Iffeoj32.exeC:\Windows\system32\Iffeoj32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Iqljlb32.exeC:\Windows\system32\Iqljlb32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Icjfhn32.exeC:\Windows\system32\Icjfhn32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Ijdnehci.exeC:\Windows\system32\Ijdnehci.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Imbkadcl.exeC:\Windows\system32\Imbkadcl.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Iclcnnji.exeC:\Windows\system32\Iclcnnji.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Ifkojiim.exeC:\Windows\system32\Ifkojiim.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Ikggbpgd.exeC:\Windows\system32\Ikggbpgd.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Infdolgh.exeC:\Windows\system32\Infdolgh.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:756 -
C:\Windows\SysWOW64\Jeplkf32.exeC:\Windows\system32\Jeplkf32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:668 -
C:\Windows\SysWOW64\Jgnhga32.exeC:\Windows\system32\Jgnhga32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1088 -
C:\Windows\SysWOW64\Jkjdhpea.exeC:\Windows\system32\Jkjdhpea.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1836 -
C:\Windows\SysWOW64\Jnhqdkde.exeC:\Windows\system32\Jnhqdkde.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:832 -
C:\Windows\SysWOW64\Jinead32.exeC:\Windows\system32\Jinead32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1028 -
C:\Windows\SysWOW64\Jklanp32.exeC:\Windows\system32\Jklanp32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2408 -
C:\Windows\SysWOW64\Jnkmjk32.exeC:\Windows\system32\Jnkmjk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:948 -
C:\Windows\SysWOW64\Jaiiff32.exeC:\Windows\system32\Jaiiff32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1852 -
C:\Windows\SysWOW64\Jcgfbb32.exeC:\Windows\system32\Jcgfbb32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Jjanolhg.exeC:\Windows\system32\Jjanolhg.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2180 -
C:\Windows\SysWOW64\Jmpjkggj.exeC:\Windows\system32\Jmpjkggj.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\Jmbgpg32.exeC:\Windows\system32\Jmbgpg32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Jjfgjk32.exeC:\Windows\system32\Jjfgjk32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Jmdcfg32.exeC:\Windows\system32\Jmdcfg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Kbalnnam.exeC:\Windows\system32\Kbalnnam.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\Kjhdokbo.exeC:\Windows\system32\Kjhdokbo.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2528 -
C:\Windows\SysWOW64\Kbcicmpj.exeC:\Windows\system32\Kbcicmpj.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Kinaqg32.exeC:\Windows\system32\Kinaqg32.exe35⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Kbfeimng.exeC:\Windows\system32\Kbfeimng.exe36⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Kedaeh32.exeC:\Windows\system32\Kedaeh32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Khcnad32.exeC:\Windows\system32\Khcnad32.exe38⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe39⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Khekgc32.exeC:\Windows\system32\Khekgc32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1844 -
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe42⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:788 -
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1988 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe47⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1780 -
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe49⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe51⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe52⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe54⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe57⤵
- Executes dropped EXE
PID:792 -
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe58⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe59⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe61⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1516 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe63⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe64⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe65⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe66⤵PID:2136
-
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe67⤵PID:536
-
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1112 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe69⤵PID:272
-
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe70⤵
- Drops file in System32 directory
PID:996 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2392 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe72⤵
- Drops file in System32 directory
PID:2496 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe73⤵
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe74⤵
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe75⤵PID:3040
-
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe76⤵
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe77⤵PID:2848
-
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe78⤵PID:1584
-
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2876 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1308 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe81⤵PID:988
-
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe82⤵PID:2328
-
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe83⤵PID:1776
-
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe84⤵
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1608 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe87⤵PID:2668
-
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe88⤵PID:1120
-
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe89⤵
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe90⤵PID:2912
-
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2892 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe92⤵PID:1432
-
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe93⤵
- Drops file in System32 directory
PID:2752 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe94⤵
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe95⤵
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe96⤵PID:2972
-
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe97⤵PID:1496
-
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe98⤵PID:1784
-
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe99⤵
- Drops file in System32 directory
PID:1116 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe100⤵PID:2976
-
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe101⤵PID:2796
-
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe102⤵PID:2804
-
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe103⤵
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe105⤵PID:2420
-
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe107⤵PID:2872
-
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe108⤵PID:2336
-
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe110⤵
- Drops file in System32 directory
PID:1840 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe111⤵PID:540
-
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe112⤵
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe113⤵PID:2780
-
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe115⤵PID:3028
-
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe116⤵PID:1868
-
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe117⤵PID:2748
-
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2068 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe119⤵PID:812
-
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe120⤵
- Modifies registry class
PID:1376 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe121⤵PID:1248
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-