Analysis

max time kernel: 81s
max time network: 17s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
submitted: 15-07-2024 22:16
Static task: static1
1 signatures

Behavioral task: behavioral1
Sample: 1bb219e0cf240da389ede15612b32910N.exe
Resource: win7-20240705-en (windows7-x64)
7 signatures
120 seconds

Behavioral task: behavioral2
Sample: 1bb219e0cf240da389ede15612b32910N.exe
Resource: win10v2004-20240709-en (windows10-2004-x64)
6 signatures
120 seconds
General

Target: 1bb219e0cf240da389ede15612b32910N.exe
Size: 59KB
MD5: 1bb219e0cf240da389ede15612b32910
SHA1: a1b43aa12adc0e38882885a4e7a31d9f3ac640df
SHA256: 7045b216a6785d38fe0471cdc2a93a9f859d59e14efffd495a8b4ce3c7f89fd8
SHA512: ac7b26318c58de2438ee16309c33c5d3be3eb0302b0162b0246d3a2c84e859fb0c613497fcd3b3b3ed75743787262d866ddb36a98a598a5d65d2c783edfb6f9e
SSDEEP: 768:MD/rodgdmiwtxqZpXZusxtJkJO2pRnelFCAZ/1H5L65nf1fZMEBFELvkVgFRo:MDjSgY2lxtJkRDelNkNCyVso
Score: 10/10
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)

pid: 3236, pid_target: 4700, Process: Process not Found, procid_target: 1226
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
Level 1 (PID:1756): C:\Users\Admin\AppData\Local\Temp\1bb219e0cf240da389ede15612b32910N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\1bb219e0cf240da389ede15612b32910N.exe")
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 2 (PID:1716): C:\Windows\SysWOW64\Boggkicf.exe (command line: C:\Windows\system32\Boggkicf.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 3 (PID:2144): C:\Windows\SysWOW64\Baecgdbj.exe (command line: C:\Windows\system32\Baecgdbj.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 4 (PID:2016): C:\Windows\SysWOW64\Cagpldqg.exe (command line: C:\Windows\system32\Cagpldqg.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 5 (PID:2888): C:\Windows\SysWOW64\Chahin32.exe (command line: C:\Windows\system32\Chahin32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 6 (PID:2624): C:\Windows\SysWOW64\Cajmbd32.exe (command line: C:\Windows\system32\Cajmbd32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
Level 7 (PID:2600): C:\Windows\SysWOW64\Cpojcpcm.exe (command line: C:\Windows\system32\Cpojcpcm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 8 (PID:2688): C:\Windows\SysWOW64\Cignlf32.exe (command line: C:\Windows\system32\Cignlf32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 9 (PID:1396): C:\Windows\SysWOW64\Ckgkfi32.exe (command line: C:\Windows\system32\Ckgkfi32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 10 (PID:1644): C:\Windows\SysWOW64\Cpccnp32.exe (command line: C:\Windows\system32\Cpccnp32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 11 (PID:2508): C:\Windows\SysWOW64\Dmhcgd32.exe (command line: C:\Windows\system32\Dmhcgd32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 12 (PID:3040): C:\Windows\SysWOW64\Dgphpi32.exe (command line: C:\Windows\system32\Dgphpi32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
Level 13 (PID:816): C:\Windows\SysWOW64\Dlmqip32.exe (command line: C:\Windows\system32\Dlmqip32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 14 (PID:2464): C:\Windows\SysWOW64\Dokmel32.exe (command line: C:\Windows\system32\Dokmel32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 15 (PID:1092): C:\Windows\SysWOW64\Dhcanahm.exe (command line: C:\Windows\system32\Dhcanahm.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 16 (PID:1464): C:\Windows\SysWOW64\Dciekjhc.exe (command line: C:\Windows\system32\Dciekjhc.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 17 (PID:2444): C:\Windows\SysWOW64\Dejnme32.exe (command line: C:\Windows\system32\Dejnme32.exe)
- Executes dropped EXE
- Loads dropped DLL
Level 18 (PID:1948): C:\Windows\SysWOW64\Dgkkdnkb.exe (command line: C:\Windows\system32\Dgkkdnkb.exe)
- Executes dropped EXE
- Loads dropped DLL
Level 19 (PID:1140): C:\Windows\SysWOW64\Egmhjm32.exe (command line: C:\Windows\system32\Egmhjm32.exe)
- Executes dropped EXE
- Loads dropped DLL
Level 20 (PID:912): C:\Windows\SysWOW64\Engpfgql.exe (command line: C:\Windows\system32\Engpfgql.exe)
- Executes dropped EXE
- Loads dropped DLL
Level 21 (PID:2432): C:\Windows\SysWOW64\Ecdhonoc.exe (command line: C:\Windows\system32\Ecdhonoc.exe)
- Executes dropped EXE
- Loads dropped DLL
Level 22 (PID:628): C:\Windows\SysWOW64\Ejnqkh32.exe (command line: C:\Windows\system32\Ejnqkh32.exe)
- Executes dropped EXE
- Loads dropped DLL
Level 23 (PID:1600): C:\Windows\SysWOW64\Egbaelej.exe (command line: C:\Windows\system32\Egbaelej.exe)
- Executes dropped EXE
- Loads dropped DLL
Level 24 (PID:3064): C:\Windows\SysWOW64\Eomfiobe.exe (command line: C:\Windows\system32\Eomfiobe.exe)
- Executes dropped EXE
- Loads dropped DLL
Level 25 (PID:1044): C:\Windows\SysWOW64\Ecibjn32.exe (command line: C:\Windows\system32\Ecibjn32.exe)
- Executes dropped EXE
- Loads dropped DLL
Level 26 (PID:344): C:\Windows\SysWOW64\Elafbcao.exe (command line: C:\Windows\system32\Elafbcao.exe)
- Executes dropped EXE
- Loads dropped DLL
Level 27 (PID:2104): C:\Windows\SysWOW64\Fcnkemgi.exe (command line: C:\Windows\system32\Fcnkemgi.exe)
- Executes dropped EXE
- Loads dropped DLL
Level 28 (PID:2168): C:\Windows\SysWOW64\Fhjcmcep.exe (command line: C:\Windows\system32\Fhjcmcep.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
Level 29 (PID:2824): C:\Windows\SysWOW64\Fkipiodd.exe (command line: C:\Windows\system32\Fkipiodd.exe)
- Executes dropped EXE
- Loads dropped DLL
Level 30 (PID:2728): C:\Windows\SysWOW64\Ffndghdj.exe (command line: C:\Windows\system32\Ffndghdj.exe)
- Executes dropped EXE
- Loads dropped DLL
Level 31 (PID:3056): C:\Windows\SysWOW64\Fimpcc32.exe (command line: C:\Windows\system32\Fimpcc32.exe)
- Executes dropped EXE
- Loads dropped DLL
Level 32 (PID:2796): C:\Windows\SysWOW64\Fdcahdib.exe (command line: C:\Windows\system32\Fdcahdib.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
Level 33 (PID:2596): C:\Windows\SysWOW64\Fnnbfjmp.exe (command line: C:\Windows\system32\Fnnbfjmp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Level 34 (PID:2092): C:\Windows\SysWOW64\Fehjcc32.exe (command line: C:\Windows\system32\Fehjcc32.exe)
- Executes dropped EXE
Level 35 (PID:1680): C:\Windows\SysWOW64\Gmcogf32.exe (command line: C:\Windows\system32\Gmcogf32.exe)
- Executes dropped EXE
Level 36 (PID:2332): C:\Windows\SysWOW64\Gijplg32.exe (command line: C:\Windows\system32\Gijplg32.exe)
- Executes dropped EXE
Level 37 (PID:2640): C:\Windows\SysWOW64\Gmhibenb.exe (command line: C:\Windows\system32\Gmhibenb.exe)
- Executes dropped EXE
Level 38 (PID:3036): C:\Windows\SysWOW64\Gbeakllj.exe (command line: C:\Windows\system32\Gbeakllj.exe)
- Executes dropped EXE
Level 39 (PID:2300): C:\Windows\SysWOW64\Glmecbbj.exe (command line: C:\Windows\system32\Glmecbbj.exe)
- Executes dropped EXE
Level 40 (PID:2476): C:\Windows\SysWOW64\Giafmfad.exe (command line: C:\Windows\system32\Giafmfad.exe)
- Executes dropped EXE
- Modifies registry class
Level 41 (PID:2452): C:\Windows\SysWOW64\Gpknjp32.exe (command line: C:\Windows\system32\Gpknjp32.exe)
- Executes dropped EXE
Level 42 (PID:1124): C:\Windows\SysWOW64\Hnnoempk.exe (command line: C:\Windows\system32\Hnnoempk.exe)
- Executes dropped EXE
Level 43 (PID:820): C:\Windows\SysWOW64\Hnbhpl32.exe (command line: C:\Windows\system32\Hnbhpl32.exe)
- Executes dropped EXE
Level 44 (PID:2196): C:\Windows\SysWOW64\Hhklibbf.exe (command line: C:\Windows\system32\Hhklibbf.exe)
- Executes dropped EXE
Level 45 (PID:2492): C:\Windows\SysWOW64\Hfnmdo32.exe (command line: C:\Windows\system32\Hfnmdo32.exe)
- Executes dropped EXE
Level 46 (PID:1332): C:\Windows\SysWOW64\Hmheai32.exe (command line: C:\Windows\system32\Hmheai32.exe)
- Executes dropped EXE
Level 47 (PID:864): C:\Windows\SysWOW64\Hdbmnchk.exe (command line: C:\Windows\system32\Hdbmnchk.exe)
- Executes dropped EXE
Level 48 (PID:2220): C:\Windows\SysWOW64\Hjlekm32.exe (command line: C:\Windows\system32\Hjlekm32.exe)
- Executes dropped EXE
Level 49 (PID:2320): C:\Windows\SysWOW64\Hmjagh32.exe (command line: C:\Windows\system32\Hmjagh32.exe)
- Executes dropped EXE
Level 50 (PID:1564): C:\Windows\SysWOW64\Ilpohecc.exe (command line: C:\Windows\system32\Ilpohecc.exe)
- Executes dropped EXE
Level 51 (PID:2120): C:\Windows\SysWOW64\Ipkkhckl.exe (command line: C:\Windows\system32\Ipkkhckl.exe)
- Executes dropped EXE
Level 52 (PID:2744): C:\Windows\SysWOW64\Ibigeojp.exe (command line: C:\Windows\system32\Ibigeojp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Level 53 (PID:2900): C:\Windows\SysWOW64\Iehcajjc.exe (command line: C:\Windows\system32\Iehcajjc.exe)
- Executes dropped EXE
- Drops file in System32 directory
Level 54 (PID:1532): C:\Windows\SysWOW64\Imokbhjf.exe (command line: C:\Windows\system32\Imokbhjf.exe)
- Executes dropped EXE
Level 55 (PID:2732): C:\Windows\SysWOW64\Ipmgncii.exe (command line: C:\Windows\system32\Ipmgncii.exe)
- Executes dropped EXE
Level 56 (PID:2764): C:\Windows\SysWOW64\Iiflgi32.exe (command line: C:\Windows\system32\Iiflgi32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Level 57 (PID:2632): C:\Windows\SysWOW64\Ippdcc32.exe (command line: C:\Windows\system32\Ippdcc32.exe)
- Executes dropped EXE
Level 58 (PID:1696): C:\Windows\SysWOW64\Iobdopna.exe (command line: C:\Windows\system32\Iobdopna.exe)
- Executes dropped EXE
Level 59 (PID:2528): C:\Windows\SysWOW64\Ielllj32.exe (command line: C:\Windows\system32\Ielllj32.exe)
- Executes dropped EXE
Level 60 (PID:2364): C:\Windows\SysWOW64\Ihkihe32.exe (command line: C:\Windows\system32\Ihkihe32.exe)
- Executes dropped EXE
Level 61 (PID:2152): C:\Windows\SysWOW64\Ikiedq32.exe (command line: C:\Windows\system32\Ikiedq32.exe)
- Executes dropped EXE
Level 62 (PID:2392): C:\Windows\SysWOW64\Ieoiai32.exe (command line: C:\Windows\system32\Ieoiai32.exe)
- Executes dropped EXE
Level 63 (PID:3024): C:\Windows\SysWOW64\Ihmene32.exe (command line: C:\Windows\system32\Ihmene32.exe)
- Executes dropped EXE
- Modifies registry class
Level 64 (PID:2972): C:\Windows\SysWOW64\Iklajp32.exe (command line: C:\Windows\system32\Iklajp32.exe)
- Executes dropped EXE
Level 65 (PID:2140): C:\Windows\SysWOW64\Iognjojl.exe (command line: C:\Windows\system32\Iognjojl.exe)
- Executes dropped EXE
- Drops file in System32 directory
Level 66 (PID:2132): C:\Windows\SysWOW64\Jeafgiai.exe (command line: C:\Windows\system32\Jeafgiai.exe)
Level 67 (PID:2172): C:\Windows\SysWOW64\Jgbboa32.exe (command line: C:\Windows\system32\Jgbboa32.exe)
Level 68 (PID:976): C:\Windows\SysWOW64\Jnlkkkod.exe (command line: C:\Windows\system32\Jnlkkkod.exe)
Level 69 (PID:1912): C:\Windows\SysWOW64\Jpkgggnh.exe (command line: C:\Windows\system32\Jpkgggnh.exe)
Level 70 (PID:1708): C:\Windows\SysWOW64\Jkpkepnn.exe (command line: C:\Windows\system32\Jkpkepnn.exe)
Level 71 (PID:2928): C:\Windows\SysWOW64\Jnogakma.exe (command line: C:\Windows\system32\Jnogakma.exe)
Level 72 (PID:1028): C:\Windows\SysWOW64\Jclpib32.exe (command line: C:\Windows\system32\Jclpib32.exe)
- Drops file in System32 directory
Level 73 (PID:528): C:\Windows\SysWOW64\Jkbhjo32.exe (command line: C:\Windows\system32\Jkbhjo32.exe)
Level 74 (PID:2828): C:\Windows\SysWOW64\Jcnloa32.exe (command line: C:\Windows\system32\Jcnloa32.exe)
Level 75 (PID:2808): C:\Windows\SysWOW64\Jncqlj32.exe (command line: C:\Windows\system32\Jncqlj32.exe)
Level 76 (PID:2612): C:\Windows\SysWOW64\Jodmdboj.exe (command line: C:\Windows\system32\Jodmdboj.exe)
Level 77 (PID:2052): C:\Windows\SysWOW64\Jjjaak32.exe (command line: C:\Windows\system32\Jjjaak32.exe)
Level 78 (PID:2356): C:\Windows\SysWOW64\Klinmg32.exe (command line: C:\Windows\system32\Klinmg32.exe)
Level 79 (PID:2960): C:\Windows\SysWOW64\Klkjbf32.exe (command line: C:\Windows\system32\Klkjbf32.exe)
Level 80 (PID:2844): C:\Windows\SysWOW64\Koifob32.exe (command line: C:\Windows\system32\Koifob32.exe)
Level 81 (PID:2216): C:\Windows\SysWOW64\Kfcoll32.exe (command line: C:\Windows\system32\Kfcoll32.exe)
Level 82 (PID:320): C:\Windows\SysWOW64\Klmghfio.exe (command line: C:\Windows\system32\Klmghfio.exe)
Level 83 (PID:916): C:\Windows\SysWOW64\Kkpgdc32.exe (command line: C:\Windows\system32\Kkpgdc32.exe)
Level 84 (PID:2400): C:\Windows\SysWOW64\Knocpn32.exe (command line: C:\Windows\system32\Knocpn32.exe)
Level 85 (PID:1928): C:\Windows\SysWOW64\Kfflal32.exe (command line: C:\Windows\system32\Kfflal32.exe)
Level 86 (PID:1652): C:\Windows\SysWOW64\Khdhmg32.exe (command line: C:\Windows\system32\Khdhmg32.exe)
Level 87 (PID:1888): C:\Windows\SysWOW64\Kkbdib32.exe (command line: C:\Windows\system32\Kkbdib32.exe)
Level 88 (PID:860): C:\Windows\SysWOW64\Konpjafp.exe (command line: C:\Windows\system32\Konpjafp.exe)
Level 89 (PID:2224): C:\Windows\SysWOW64\Kqomai32.exe (command line: C:\Windows\system32\Kqomai32.exe)
Level 90 (PID:2608): C:\Windows\SysWOW64\Khfdcgmp.exe (command line: C:\Windows\system32\Khfdcgmp.exe)
Level 91 (PID:2324): C:\Windows\SysWOW64\Kkeqobld.exe (command line: C:\Windows\system32\Kkeqobld.exe)
Level 92 (PID:2880): C:\Windows\SysWOW64\Kncmknkg.exe (command line: C:\Windows\system32\Kncmknkg.exe)
Level 93 (PID:1768): C:\Windows\SysWOW64\Kqaigijk.exe (command line: C:\Windows\system32\Kqaigijk.exe)
Level 94 (PID:2984): C:\Windows\SysWOW64\Kdmehh32.exe (command line: C:\Windows\system32\Kdmehh32.exe)
- Drops file in System32 directory
Level 95 (PID:2108): C:\Windows\SysWOW64\Ljjnpo32.exe (command line: C:\Windows\system32\Ljjnpo32.exe)
Level 96 (PID:2964): C:\Windows\SysWOW64\Ldpbmg32.exe (command line: C:\Windows\system32\Ldpbmg32.exe)
- Modifies registry class
Level 97 (PID:1268): C:\Windows\SysWOW64\Lcbbidgl.exe (command line: C:\Windows\system32\Lcbbidgl.exe)
Level 98 (PID:2588): C:\Windows\SysWOW64\Ljljenoi.exe (command line: C:\Windows\system32\Ljljenoi.exe)
Level 99 (PID:2856): C:\Windows\SysWOW64\Lmkgajnm.exe (command line: C:\Windows\system32\Lmkgajnm.exe)
Level 100 (PID:1640): C:\Windows\SysWOW64\Loicnemp.exe (command line: C:\Windows\system32\Loicnemp.exe)
Level 101 (PID:1672): C:\Windows\SysWOW64\Lgpkobnb.exe (command line: C:\Windows\system32\Lgpkobnb.exe)
Level 102 (PID:1772): C:\Windows\SysWOW64\Lmmcgilj.exe (command line: C:\Windows\system32\Lmmcgilj.exe)
Level 103 (PID:1620): C:\Windows\SysWOW64\Lokpcekn.exe (command line: C:\Windows\system32\Lokpcekn.exe)
Level 104 (PID:604): C:\Windows\SysWOW64\Liddljan.exe (command line: C:\Windows\system32\Liddljan.exe)
Level 105 (PID:2772): C:\Windows\SysWOW64\Lpnlid32.exe (command line: C:\Windows\system32\Lpnlid32.exe)
Level 106 (PID:2712): C:\Windows\SysWOW64\Lfhdeoqh.exe (command line: C:\Windows\system32\Lfhdeoqh.exe)
Level 107 (PID:2616): C:\Windows\SysWOW64\Lifqbjpk.exe (command line: C:\Windows\system32\Lifqbjpk.exe)
Level 108 (PID:828): C:\Windows\SysWOW64\Mncijanc.exe (command line: C:\Windows\system32\Mncijanc.exe)
Level 109 (PID:2188): C:\Windows\SysWOW64\Mfjaknoe.exe (command line: C:\Windows\system32\Mfjaknoe.exe)
- Drops file in System32 directory
Level 110 (PID:644): C:\Windows\SysWOW64\Mihngj32.exe (command line: C:\Windows\system32\Mihngj32.exe)
Level 111 (PID:2176): C:\Windows\SysWOW64\Mpbfddef.exe (command line: C:\Windows\system32\Mpbfddef.exe)
Level 112 (PID:2260): C:\Windows\SysWOW64\Madbll32.exe (command line: C:\Windows\system32\Madbll32.exe)
Level 113 (PID:1492): C:\Windows\SysWOW64\Mgnjhfbq.exe (command line: C:\Windows\system32\Mgnjhfbq.exe)
Level 114 (PID:924): C:\Windows\SysWOW64\Mlifie32.exe (command line: C:\Windows\system32\Mlifie32.exe)
Level 115 (PID:1568): C:\Windows\SysWOW64\Mbcofobg.exe (command line: C:\Windows\system32\Mbcofobg.exe)
Level 116 (PID:2240): C:\Windows\SysWOW64\Mhpgnfpn.exe (command line: C:\Windows\system32\Mhpgnfpn.exe)
Level 117 (PID:2656): C:\Windows\SysWOW64\Mjocja32.exe (command line: C:\Windows\system32\Mjocja32.exe)
Level 118 (PID:564): C:\Windows\SysWOW64\Mahlgkgo.exe (command line: C:\Windows\system32\Mahlgkgo.exe)
Level 119 (PID:2480): C:\Windows\SysWOW64\Mcghcgfb.exe (command line: C:\Windows\system32\Mcghcgfb.exe)
Level 120 (PID:2520): C:\Windows\SysWOW64\Mfedobef.exe (command line: C:\Windows\system32\Mfedobef.exe)
Level 121 (PID:796): C:\Windows\SysWOW64\Mnllppfh.exe (command line: C:\Windows\system32\Mnllppfh.exe)
- Drops file in System32 directory
Level 122 (PID:2204): C:\Windows\SysWOW64\Mdidhfdp.exe (command line: C:\Windows\system32\Mdidhfdp.exe)