Analysis

max time kernel: 159s
max time network: 133s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 12-10-2023 19:22

Static task: static1 (1 signature)

Behavioral task: behavioral1
Sample: bf36cfd6bbd40e4697687820b196faa6_JC.exe
Resource: win7-20230831-en (windows7-x64)
6 signatures, 150 seconds

Behavioral task: behavioral2
Sample: bf36cfd6bbd40e4697687820b196faa6_JC.exe
Resource: win10v2004-20230915-en (windows10-2004-x64)
5 signatures, 150 seconds

General

Target: bf36cfd6bbd40e4697687820b196faa6_JC.exe
Size: 257KB
MD5: bf36cfd6bbd40e4697687820b196faa6
SHA1: e5ef89ca4efe942ea62bd82786e78e0036477972
SHA256: b0fe65fc46e60b77948c254960e4bcb745f26b3c00b95c1c1a20f87a0598089e
SHA512: 042b970f106fc65b10e6b111f4be55ae6f4695bf183f618133f80199c8716db7cfe7d36d2b2d7d5ae61a78b8d018671abf7a26bd130e458cc041ec8be9fa7903
SSDEEP: 3072:feoMU07cb/6FCtRPRw5rDioutkTy27zh5cl:L07czyCtRpwDioSkTl7zjK
Score: 10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Every one of the 64 entries touches the same key, and every value write stores the same CLSID under the same value name; only the acting process differs. Explorer.exe instantiates each CLSID listed under ShellServiceObjectDelayLoad when the shell starts, so what actually runs at logon is the DLL registered as that CLSID's InProcServer32 (see "Modifies registry class" below), not anything named in this table.

Key:   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Value: Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"

Set value (str) ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" (35 processes):
Ccjpfmic.exe, Aodnfbpm.exe, Apbblg32.exe, Babpgo32.exe, Cipaqqli.exe, Ihijhpdo.exe, Cefpmiji.exe, Lhlqjone.exe, Hbpbck32.exe, Nbljfdoh.exe, Gpledf32.exe, Gplgmodq.exe, Gjnigb32.exe, Mgfjld32.exe, Njaoeq32.exe, Cpnchjpa.exe, Mdldeo32.exe, Bjjdpdga.exe, Dgcnihnn.exe, Iekgod32.exe, Incgfl32.exe, Lnmfpnqn.exe, Ompgqonl.exe, Ooncljom.exe, Opicgenj.exe, Piadma32.exe, Ogiqffhl.exe, Neihmpon.exe, Lmhjlj32.exe, Ckjqog32.exe, Pamlel32.exe, Eajennij.exe, Naihdb32.exe, Aikkgnnc.exe, Qdlialfb.exe

Key created ShellServiceObjectDelayLoad (29 processes):
Lbhmok32.exe, Ofqonp32.exe, Cdpfiekl.exe, Jlqniihl.exe, Nphdaeol.exe, Fnglekch.exe, Lafekm32.exe, Fhjcmcep.exe, Anjqdd32.exe, Njnion32.exe, Oagkac32.exe, Afjplj32.exe, Ccjpfmic.exe, Jgaikb32.exe, Lmkgajnm.exe, Nhpdkm32.exe, Klecfkff.exe, Jpnkep32.exe, Neocahbm.exe, Gpeoakhc.exe, Jlleni32.exe, Hhaogp32.exe, Mgodjico.exe, Mcendc32.exe, Jgfghodj.exe, Epcomc32.exe, Hagepa32.exe, Ddbbod32.exe, Cpnchjpa.exe
Executes dropped EXE (64 IoCs)

pid   process          pid   process          pid   process          pid   process
1132  Aiaoclgl.exe     2800  Gehiioaj.exe     1464  Iipejmko.exe     2668  Jllqplnp.exe
2216  Jpjifjdg.exe     2504  Klecfkff.exe     2584  Kageia32.exe     2160  Lidgcclp.exe
1456  Lhlqjone.exe     2080  Lljipmdl.exe     748   Mdldeo32.exe     2424  Nbmdhfog.exe
1892  Pfflql32.exe     2532  Aompambg.exe     2716  Bikjmj32.exe     1804  Dqaode32.exe
672   Fhhbif32.exe     1744  Igmepdbc.exe     2276  Kpbhjh32.exe     1052  Kijmbnpo.exe
2372  Kpdeoh32.exe     2288  Khojcj32.exe     2828  Kaholp32.exe     2180  Lmhbgpia.exe
1272  Nnjklb32.exe     1364  Ockinl32.exe     2060  Piadma32.exe     3012  Boobki32.exe
2968  Emdhhdqb.exe     2624  Gpgjnbnl.exe     2640  Hkogpn32.exe     2480  Jgmjdaqb.exe
2548  Knfopnkk.exe     2484  Kgocid32.exe     2444  Lpldcfmd.exe     2004  Lfhiepbn.exe
1532  Lepclldc.exe     2384  Mbdcepcm.exe     2540  Naimepkp.exe     2456  Okhgod32.exe
2024  Oabplobe.exe     1524  Omqjgl32.exe     1916  Bpjnmlel.exe     2832  Codeih32.exe
2836  Glkgcmbg.exe     1004  Gecklbih.exe     1728  Hbpbck32.exe     2944  Hkejnl32.exe
1448  Ihijhpdo.exe     2200  Igbqdlea.exe     2244  Ihdmld32.exe     2684  Ialadj32.exe
2712  Jhmpbc32.exe     2696  Lbhmok32.exe     2636  Pamlel32.exe     2520  Ajcldpkd.exe
2528  Bpengf32.exe     932   Bafkookd.exe     1936  Bllomg32.exe     1080  Bmohjooe.exe
2168  Bdipfi32.exe     1956  Cooddbfh.exe     1996  Ckfeic32.exe     1896  Cmfnjnin.exe
Loads dropped DLL (64 IoCs)

The 64 rows are 32 distinct pid/process pairs, each listed twice in the report:

pid   process                                   pid   process          pid   process          pid   process
2928  bf36cfd6bbd40e4697687820b196faa6_JC.exe   1132  Aiaoclgl.exe     2800  Gehiioaj.exe     1464  Iipejmko.exe
2668  Jllqplnp.exe                              2216  Jpjifjdg.exe     2504  Klecfkff.exe     2584  Kageia32.exe
2160  Lidgcclp.exe                              1456  Lhlqjone.exe     2080  Lljipmdl.exe     748   Mdldeo32.exe
2424  Nbmdhfog.exe                              1892  Pfflql32.exe     2532  Aompambg.exe     2716  Bikjmj32.exe
1804  Dqaode32.exe                              672   Fhhbif32.exe     1744  Igmepdbc.exe     2276  Kpbhjh32.exe
1052  Kijmbnpo.exe                              2372  Kpdeoh32.exe     2288  Khojcj32.exe     2828  Kaholp32.exe
2180  Lmhbgpia.exe                              1272  Nnjklb32.exe     1364  Ockinl32.exe     2060  Piadma32.exe
3012  Boobki32.exe                              2968  Emdhhdqb.exe     2624  Gpgjnbnl.exe     2640  Hkogpn32.exe
Drops file in System32 directory (64 IoCs)

All paths are under C:\Windows\SysWOW64\, the 32-bit System32 that a 32-bit process reaches through WOW64 file-system redirection. The .exe files are the next stages of the chain (each is started by the process that wrote it; compare "Executes dropped EXE" and the process tree), the .dll files are candidates for the InProcServer32 registration under "Modifies registry class". Only one of the 18 DLLs registered there, Ldamfd32.dll, is visible here, created by the same Ckhdihlp.exe that registers it; both tables stop at 64 rows, so the absence of the other DLL names proves nothing.

action                   file            process
created                  Nhmiqo32.dll    Nkdpmn32.exe
opened for modification  Neemgp32.exe    Niombolm.exe
opened for modification  Piadma32.exe    Ockinl32.exe
created                  Miiaogio.exe    Mbpibm32.exe
created                  Nmhpeo32.dll    Mgodjico.exe
opened for modification  Bgndnd32.exe    Apbblg32.exe
opened for modification  Nnpbinoe.exe    Mgfjld32.exe
created                  Mbdcepcm.exe    Lepclldc.exe
created                  Ooocab32.dll    Cooddbfh.exe
opened for modification  Hjkneb32.exe    Elbkbh32.exe
created                  Gaegpokc.dll    Chdeonfa.exe
created                  Ippdcc32.exe    Hbgjoo32.exe
created                  Jaklei32.exe    Jlodma32.exe
opened for modification  Lepclldc.exe    Lfhiepbn.exe
created                  Ihdmld32.exe    Igbqdlea.exe
created                  Ebhkaa32.dll    Achikonn.exe
created                  Fallil32.exe    Fjbdmbmb.exe
created                  Chdeonfa.exe    Cajmbd32.exe
opened for modification  Mgfjld32.exe    Mfdmdlaj.exe
created                  Jlhjll32.dll    Efhenccl.exe
opened for modification  Hlgodgnk.exe    Gpledf32.exe
opened for modification  Opohil32.exe    Nabegpbp.exe
opened for modification  Cbfidfem.exe    Badlln32.exe
created                  Naophfnm.dll    Naihdb32.exe
opened for modification  Ddbbod32.exe    Ckjnfobi.exe
created                  Qajccegk.dll    Hikpnkme.exe
created                  Ikndhp32.dll    Oagkac32.exe
opened for modification  Njnion32.exe    Nphdaeol.exe
opened for modification  Kpdeoh32.exe    Kijmbnpo.exe
created                  Piadma32.exe    Ockinl32.exe
created                  Gmqlkcao.dll    Dlpdfjjp.exe
created                  Fgjnpb32.exe    Edkbdf32.exe
opened for modification  Bjhgjdjd.exe    Bapcaocc.exe
created                  Eenbnl32.dll    Jomnpdjb.exe
opened for modification  Coofoghn.exe    Clqjblij.exe
opened for modification  Cenhfqle.exe    Ckhdihlp.exe
opened for modification  Lljipmdl.exe    Lhlqjone.exe
created                  Phmogdkh.dll    Aompambg.exe
created                  Lcfejhma.dll    Khojcj32.exe
created                  Kppegfpa.dll    Piadma32.exe
opened for modification  Ihjcko32.exe    Iekgod32.exe
opened for modification  Ododdlcd.exe    Oejgbonl.exe
created                  Benqjobn.dll    Aapikqel.exe
created                  Gjaioj32.dll    Aqpgblqh.exe
opened for modification  Mloigc32.exe    Mfbqol32.exe
created                  Aqnjml32.exe    Ajcbpbkn.exe
created                  Hiaggm32.dll    Igbqdlea.exe
created                  Ngiiip32.exe    Mhmfgdch.exe
created                  Qpfpde32.dll    Ooncljom.exe
opened for modification  Ckpdej32.exe    Chahin32.exe
opened for modification  Gcmgdpid.exe    Gmcogf32.exe
created                  Ijfpif32.exe    Hlijan32.exe
created                  Feeldk32.exe    Fjpggb32.exe
created                  Ldamfd32.dll    Ckhdihlp.exe
opened for modification  Lhlqjone.exe    Lidgcclp.exe
opened for modification  Iekgod32.exe    Hagepa32.exe
created                  Bkjdpp32.exe    Achikonn.exe
created                  Lpmeojbo.exe    Kapbmo32.exe
opened for modification  Lpmeojbo.exe    Kapbmo32.exe
created                  Jkkcfa32.dll    Cbhejf32.exe
opened for modification  Jllggbde.exe    Idligq32.exe
created                  Ddlcdi32.dll    Neocahbm.exe
opened for modification  Jhmpbc32.exe    Ialadj32.exe
created                  Jgelak32.dll    Akphfbbl.exe
Modifies registry class (64 IoCs)

All 64 entries are under the COM class whose CLSID the ShellServiceObjectDelayLoad value above points at:
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32

The 18 default-value writes each name a different DLL under C:\\Windows\\SysWow64\\ (backslashes doubled as the report prints registry data). Successive stages keep re-pointing the same CLSID at a freshly written DLL, so the DLL that is live at the end of the run is the one explorer.exe will load at the next shell start. Ckhdihlp.exe, for instance, appears in the file table creating C:\Windows\SysWOW64\Ldamfd32.dll and here registering it as the in-process server.

Key created InProcServer32 (19 processes):
Bpengf32.exe, Naihdb32.exe, Fghppa32.exe, Emjnikpc.exe, Eagbnh32.exe, Jlodma32.exe, Difcpc32.exe, Paekijkb.exe, Injlmcib.exe, Elpqemll.exe, Oejgbonl.exe, Gkehhlef.exe, Iainddpg.exe, Bjcnoe32.exe, Eomoohoi.exe, Bkjdpp32.exe, Lhlqjone.exe, Elpjkgip.exe, Lcbbidgl.exe

Set value (str) InProcServer32\ThreadingModel = "Apartment" (27 processes):
Mhpigk32.exe, Nhpdkm32.exe, Dgcnihnn.exe, Lhbjmg32.exe, Bmohjooe.exe, Lcbbidgl.exe, Ohncdp32.exe, Oljbil32.exe, Nieffgok.exe, Incgfl32.exe, Fgjnpb32.exe, Ifhinl32.exe, Njnion32.exe, Fcoaebjc.exe, Eqmbca32.exe, Doclijgd.exe, Bllomg32.exe, Ielllj32.exe, Haggkf32.exe, Akphfbbl.exe, Nlfaag32.exe, Chahin32.exe, Mloigc32.exe, Boobki32.exe, Alcclb32.exe, Odpghiqc.exe, Fjmdgmnl.exe

Set value (str) InProcServer32\ (default) = "C:\\Windows\\SysWow64\\<dll>" (18 processes):
dll            process
Lphqle32.dll   Gcmgdpid.exe
Cakoqh32.dll   Ioochn32.exe
Iaocib32.dll   Jdklcebk.exe
Caenln32.dll   Babpgo32.exe
Ldamfd32.dll   Ckhdihlp.exe
Emldia32.dll   Elejqm32.exe
Kmocck32.dll   Lhbjmg32.exe
Flfile32.dll   Gmnlog32.exe
Papifjfj.dll   Pnpfckmc.exe
Demljd32.dll   Bfkbfg32.exe
Ahomebko.dll   Oepjmbka.exe
Hkmnqdme.dll   Dadikaaj.exe
Hiopiqpb.dll   Bcdpacgl.exe
Ejkdfong.dll   Incgfl32.exe
Fdkqbd32.dll   Agmacgcc.exe
Moidkk32.dll   Hjiiemaj.exe
Jpidah32.dll   Ciggap32.exe
Pahjia32.dll   Njnion32.exe
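The three tables "Adds autorun key", "Drops file in System32 directory" and "Modifies registry class" describe one mechanism in three pieces: the ShellServiceObjectDelayLoad value names a CLSID, that class's InProcServer32 names the DLL explorer.exe will load for the CLSID at shell start, and the file table says which process wrote that DLL. The script below joins the three so the chain reads as one record per DLL. It is an added example written for this page, not part of the Triage report or of the sample; the rows it parses are a handful copied in shape from the tables above (constructed input, not the full 64-row tables), and it assumes the row layout shown on this page: action, registry or file path, data, acting process.

```python
"""Join the ShellServiceObjectDelayLoad rows, the CLSID InProcServer32 rows and
the dropped-file rows of a Triage-style report into one persistence chain per
DLL.  Added example for this page; the rows below are constructed from a few
of the report's own lines and are not the complete 64-row tables."""
import re
from collections import defaultdict

# Constructed sample rows, in the layout of the three tables above.
SSODL_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccjpfmic.exe',
    r'Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbhmok32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdldeo32.exe',
]
CLASS_ROWS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bpengf32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chahin32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamfd32.dll" Ckhdihlp.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lphqle32.dll" Gcmgdpid.exe',
]
FILE_ROWS = [
    r'File created C:\Windows\SysWOW64\Ldamfd32.dll Ckhdihlp.exe',
    r'File created C:\Windows\SysWOW64\Nhmiqo32.dll Nkdpmn32.exe',
    r'File opened for modification C:\Windows\SysWOW64\Lljipmdl.exe Lhlqjone.exe',
]

SSODL_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows'
    r'\\CurrentVersion\\ShellServiceObjectDelayLoad\\(?P<name>.+?) = '
    r'"(?P<clsid>\{[0-9A-F-]+\})" (?P<proc>\S+)$', re.I)
INPROC_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\'
    r'(?P<clsid>\{[0-9A-F-]+\})\\InProcServer32\\ = "(?P<dll>.+?)" (?P<proc>\S+)$', re.I)
CREATED_RE = re.compile(r'^File created (?P<path>\S+) (?P<proc>\S+)$')


def norm_path(p):
    """Registry data is printed with doubled backslashes and the report spells the
    directory both SysWow64 and SysWOW64; NTFS is case-insensitive, so compare a
    lower-cased, single-backslash form."""
    return p.replace('\\\\', '\\').lower()


def parse_ssodl(rows):
    """value name -> {CLSID: set of processes that wrote it}"""
    out = defaultdict(lambda: defaultdict(set))
    for row in rows:
        m = SSODL_RE.match(row)
        if m:
            out[m['name']][m['clsid'].upper()].add(m['proc'])
    return out


def parse_inproc(rows):
    """CLSID -> list of (normalised InProcServer32 DLL path, registering process)"""
    out = defaultdict(list)
    for row in rows:
        m = INPROC_RE.match(row)
        if m:
            out[m['clsid'].upper()].append((norm_path(m['dll']), m['proc']))
    return out


def parse_created(rows):
    """normalised file path -> set of processes that created it"""
    out = defaultdict(set)
    for row in rows:
        m = CREATED_RE.match(row)
        if m:
            out[norm_path(m['path'])].add(m['proc'])
    return out


def persistence_chain(ssodl_rows, class_rows, file_rows):
    """One record per (SSODL value, CLSID, InProcServer32 DLL): who pointed the
    autorun entry at the CLSID, which DLL the CLSID resolves to, who registered
    that DLL and who dropped it (None if no creation was recorded)."""
    ssodl, inproc, created = parse_ssodl(ssodl_rows), parse_inproc(class_rows), parse_created(file_rows)
    chain = []
    for name, clsids in ssodl.items():
        for clsid, writers in clsids.items():
            for dll, registrar in inproc.get(clsid, []):
                droppers = created.get(dll, set())
                chain.append({
                    'value': name, 'clsid': clsid, 'dll': dll,
                    'ssodl_writers': sorted(writers),
                    'registered_by': registrar,
                    'dropped_by': sorted(droppers) or None,
                    'self_registered': registrar in droppers,  # dropper == registrar
                })
    return chain


if __name__ == '__main__':
    for rec in persistence_chain(SSODL_ROWS, CLASS_ROWS, FILE_ROWS):
        print(rec)
```

Run over the full tables, the same join lists every DLL the CLSID has ever been pointed at and who wrote each; the record whose DLL still exists on disk at the end of the run is the live persistence. The ThreadingModel and "Key created" rows are deliberately ignored: they carry no path and only confirm that the class was (re)created.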
Suspicious use of WriteProcessMemory (64 IoCs)

The 64 rows are 16 distinct parent-to-child writes, each recorded four times. Every target pid is the next entry in the "Executes dropped EXE" list, so each stage writes into the dropped executable it has just started. On its own the signature is weak evidence, since a parent also writes into a child it creates through ordinary process start-up; the value here is the linear chain it exposes.

writer pid  writer process                            target pid  procid_target
2928        bf36cfd6bbd40e4697687820b196faa6_JC.exe   1132        29
1132        Aiaoclgl.exe                              2800        31
2800        Gehiioaj.exe                              1464        32
1464        Iipejmko.exe                              2668        33
2668        Jllqplnp.exe                              2216        34
2216        Jpjifjdg.exe                              2504        35
2504        Klecfkff.exe                              2584        36
2584        Kageia32.exe                              2160        37
2160        Lidgcclp.exe                              1456        38
1456        Lhlqjone.exe                              2080        39
2080        Lljipmdl.exe                              748         40
748         Mdldeo32.exe                              2424        41
2424        Nbmdhfog.exe                              1892        42
1892        Pfflql32.exe                              2532        43
2532        Aompambg.exe                              2716        44
2716        Bikjmj32.exe                              1804        45
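The WriteProcessMemory rows, the "Executes dropped EXE" pids and the "Drops file in System32 directory" rows together describe a relay: each stage writes the next executable into SysWOW64, starts it, and writes into that child. The script below rebuilds that chain from report-style rows, deduplicating the four-fold WriteProcessMemory entries and marking, per hop, whether the parent itself wrote the child's image file. It is an added example for this page, not part of the Triage report or the sample; its input is constructed from a few of the report's own rows (the duplicate WriteProcessMemory lines are kept on purpose) and is not the full tables.

```python
"""Rebuild the linear drop-and-execute relay from the WriteProcessMemory,
Executes dropped EXE and Drops file rows of a Triage-style report.
Added example for this page; the rows are constructed from some of the
report's own lines and are not the full tables."""
import re

# Constructed sample rows in the layout of the report tables above.
WPM_ROWS = [
    'PID 2928 wrote to memory of 1132 2928 bf36cfd6bbd40e4697687820b196faa6_JC.exe 29',
    'PID 2928 wrote to memory of 1132 2928 bf36cfd6bbd40e4697687820b196faa6_JC.exe 29',
    'PID 2928 wrote to memory of 1132 2928 bf36cfd6bbd40e4697687820b196faa6_JC.exe 29',
    'PID 2928 wrote to memory of 1132 2928 bf36cfd6bbd40e4697687820b196faa6_JC.exe 29',
    'PID 1132 wrote to memory of 2800 1132 Aiaoclgl.exe 31',
    'PID 2800 wrote to memory of 1464 2800 Gehiioaj.exe 32',
    'PID 1464 wrote to memory of 2668 1464 Iipejmko.exe 33',
    'PID 2668 wrote to memory of 2216 2668 Jllqplnp.exe 34',
    'PID 2216 wrote to memory of 2504 2216 Jpjifjdg.exe 35',
    'PID 2504 wrote to memory of 2584 2504 Klecfkff.exe 36',
    'PID 2584 wrote to memory of 2160 2584 Kageia32.exe 37',
    'PID 2160 wrote to memory of 1456 2160 Lidgcclp.exe 38',
    'PID 1456 wrote to memory of 2080 1456 Lhlqjone.exe 39',
]
# The report flattens this table into one "pid Process pid Process ..." line.
DROPPED_EXE_ROW = ('1132 Aiaoclgl.exe 2800 Gehiioaj.exe 1464 Iipejmko.exe 2668 Jllqplnp.exe '
                   '2216 Jpjifjdg.exe 2504 Klecfkff.exe 2584 Kageia32.exe 2160 Lidgcclp.exe '
                   '1456 Lhlqjone.exe 2080 Lljipmdl.exe')
FILE_ROWS = [
    r'File opened for modification C:\Windows\SysWOW64\Lljipmdl.exe Lhlqjone.exe',
    r'File opened for modification C:\Windows\SysWOW64\Lhlqjone.exe Lidgcclp.exe',
    r'File created C:\Windows\SysWOW64\Piadma32.exe Ockinl32.exe',
]

WPM_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) '
                    r'(?P<name>\S+) (?P<target>\d+)$')
FILE_RE = re.compile(r'^File (?:created|opened for modification) (?P<path>\S+) (?P<proc>\S+)$')


def parse_wpm(rows):
    """Distinct (src_pid, src_name, dst_pid, procid_target) edges in first-seen
    order.  The report records every write four times, so dedupe before counting."""
    edges = {}
    for row in rows:
        m = WPM_RE.match(row)
        if m:
            edges.setdefault((int(m['src']), m['name'], int(m['dst']), int(m['target'])), None)
    return list(edges)


def parse_dropped_exe(row):
    """pid -> image name from the flattened 'Executes dropped EXE' line."""
    return {int(pid): name for pid, name in re.findall(r'(\d+) (\S+\.exe)', row)}


def parse_file_writes(rows):
    """image file name (lower-cased) -> set of processes that created or modified it."""
    writers = {}
    for row in rows:
        m = FILE_RE.match(row)
        if m:
            base = m['path'].rsplit('\\', 1)[-1].lower()
            writers.setdefault(base, set()).add(m['proc'])
    return writers


def relay_chain(wpm_rows, dropped_exe_row, file_rows, root_pid):
    """Follow single-child WriteProcessMemory edges from root_pid.
    Returns (chain of (pid, image), hops); each hop records whether the parent
    itself wrote the child's image file, i.e. a drop-then-execute step."""
    names = parse_dropped_exe(dropped_exe_row)
    writers = parse_file_writes(file_rows)
    children = {}
    for src, src_name, dst, _ in parse_wpm(wpm_rows):
        names.setdefault(src, src_name)      # the root is not a dropped EXE itself
        children.setdefault(src, []).append(dst)
    chain, hops, seen, pid = [], [], set(), root_pid
    while pid not in seen:                   # guard against a cyclic pid reuse
        seen.add(pid)
        chain.append((pid, names.get(pid, '?')))
        kids = children.get(pid, [])
        if len(kids) != 1:
            break                            # leaf, or fan-out: the relay is strictly linear
        child = kids[0]
        child_image = names.get(child, '?')
        hops.append({'parent': pid, 'child': child, 'child_image': child_image,
                     'parent_wrote_image': names.get(pid) in writers.get(child_image.lower(), set())})
        pid = child
    return chain, hops


if __name__ == '__main__':
    chain, hops = relay_chain(WPM_ROWS, DROPPED_EXE_ROW, FILE_ROWS, 2928)
    print(' -> '.join(f'{pid}:{img}' for pid, img in chain))
    for hop in hops:
        print(hop)
```

With the sample rows only the last two hops (Lidgcclp.exe writing Lhlqjone.exe, Lhlqjone.exe writing Lljipmdl.exe) are confirmed as drop-then-execute, because only those file rows were included; over the full tables the same check tells you which hops lack a matching file write and therefore deserve a look at the parent's other activity.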
Processes

[1] C:\Users\Admin\AppData\Local\Temp\bf36cfd6bbd40e4697687820b196faa6_JC.exe (PID 2928)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bf36cfd6bbd40e4697687820b196faa6_JC.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

[2] C:\Windows\SysWOW64\Aiaoclgl.exe (PID 1132)
    Command line: C:\Windows\system32\Aiaoclgl.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

[3] C:\Windows\SysWOW64\Gehiioaj.exe (PID 2800)
    Command line: C:\Windows\system32\Gehiioaj.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

[4] C:\Windows\SysWOW64\Iipejmko.exe (PID 1464)
    Command line: C:\Windows\system32\Iipejmko.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

[5] C:\Windows\SysWOW64\Jllqplnp.exe (PID 2668)
    Command line: C:\Windows\system32\Jllqplnp.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

[6] C:\Windows\SysWOW64\Jpjifjdg.exe (PID 2216)
    Command line: C:\Windows\system32\Jpjifjdg.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

[7] C:\Windows\SysWOW64\Klecfkff.exe (PID 2504)
    Command line: C:\Windows\system32\Klecfkff.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

[8] C:\Windows\SysWOW64\Kageia32.exe (PID 2584)
    Command line: C:\Windows\system32\Kageia32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

[9] C:\Windows\SysWOW64\Lidgcclp.exe (PID 2160)
    Command line: C:\Windows\system32\Lidgcclp.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

[10] C:\Windows\SysWOW64\Lhlqjone.exe (PID 1456)
    Command line: C:\Windows\system32\Lhlqjone.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

[11] C:\Windows\SysWOW64\Lljipmdl.exe (PID 2080)
    Command line: C:\Windows\system32\Lljipmdl.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

[12] C:\Windows\SysWOW64\Mdldeo32.exe (PID 748)
    Command line: C:\Windows\system32\Mdldeo32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

[13] C:\Windows\SysWOW64\Nbmdhfog.exe (PID 2424)
    Command line: C:\Windows\system32\Nbmdhfog.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

[14] C:\Windows\SysWOW64\Pfflql32.exe (PID 1892)
    Command line: C:\Windows\system32\Pfflql32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

[15] C:\Windows\SysWOW64\Aompambg.exe (PID 2532)
    Command line: C:\Windows\system32\Aompambg.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

[16] C:\Windows\SysWOW64\Bikjmj32.exe (PID 2716)
    Command line: C:\Windows\system32\Bikjmj32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

[17] C:\Windows\SysWOW64\Dqaode32.exe (PID 1804)
    Command line: C:\Windows\system32\Dqaode32.exe
    - Executes dropped EXE
    - Loads dropped DLL

[18] C:\Windows\SysWOW64\Fhhbif32.exe (PID 672)
    Command line: C:\Windows\system32\Fhhbif32.exe
    - Executes dropped EXE
    - Loads dropped DLL

[19] C:\Windows\SysWOW64\Igmepdbc.exe (PID 1744)
    Command line: C:\Windows\system32\Igmepdbc.exe
    - Executes dropped EXE
    - Loads dropped DLL

[20] C:\Windows\SysWOW64\Kpbhjh32.exe (PID 2276)
    Command line: C:\Windows\system32\Kpbhjh32.exe
    - Executes dropped EXE
    - Loads dropped DLL

[21] C:\Windows\SysWOW64\Kijmbnpo.exe (PID 1052)
    Command line: C:\Windows\system32\Kijmbnpo.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory

[22] C:\Windows\SysWOW64\Kpdeoh32.exe (PID 2372)
    Command line: C:\Windows\system32\Kpdeoh32.exe
    - Executes dropped EXE
    - Loads dropped DLL

[23] C:\Windows\SysWOW64\Khojcj32.exe (PID 2288)
    Command line: C:\Windows\system32\Khojcj32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory

[24] C:\Windows\SysWOW64\Kaholp32.exe (PID 2828)
    Command line: C:\Windows\system32\Kaholp32.exe
    - Executes dropped EXE
    - Loads dropped DLL

[25] C:\Windows\SysWOW64\Lmhbgpia.exe (PID 2180)
    Command line: C:\Windows\system32\Lmhbgpia.exe
    - Executes dropped EXE
    - Loads dropped DLL

[26] C:\Windows\SysWOW64\Nnjklb32.exe (PID 1272)
    Command line: C:\Windows\system32\Nnjklb32.exe
    - Executes dropped EXE
    - Loads dropped DLL

[27] C:\Windows\SysWOW64\Ockinl32.exe (PID 1364)
    Command line: C:\Windows\system32\Ockinl32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory

[28] C:\Windows\SysWOW64\Piadma32.exe (PID 2060)
    Command line: C:\Windows\system32\Piadma32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory

[29] C:\Windows\SysWOW64\Boobki32.exe (PID 3012)
    Command line: C:\Windows\system32\Boobki32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class

[30] C:\Windows\SysWOW64\Emdhhdqb.exe (PID 2968)
    Command line: C:\Windows\system32\Emdhhdqb.exe
    - Executes dropped EXE
    - Loads dropped DLL

[31] C:\Windows\SysWOW64\Gpgjnbnl.exe (PID 2624)
    Command line: C:\Windows\system32\Gpgjnbnl.exe
    - Executes dropped EXE
    - Loads dropped DLL

[32] C:\Windows\SysWOW64\Hkogpn32.exe (PID 2640)
    Command line: C:\Windows\system32\Hkogpn32.exe
    - Executes dropped EXE
    - Loads dropped DLL

[33] C:\Windows\SysWOW64\Jgmjdaqb.exe (PID 2480)
    Command line: C:\Windows\system32\Jgmjdaqb.exe
    - Executes dropped EXE

[34] C:\Windows\SysWOW64\Knfopnkk.exe (PID 2548)
    Command line: C:\Windows\system32\Knfopnkk.exe
    - Executes dropped EXE

[35] C:\Windows\SysWOW64\Kgocid32.exe (PID 2484)
    Command line: C:\Windows\system32\Kgocid32.exe
    - Executes dropped EXE

[36] C:\Windows\SysWOW64\Lpldcfmd.exe (PID 2444)
    Command line: C:\Windows\system32\Lpldcfmd.exe
    - Executes dropped EXE

[37] C:\Windows\SysWOW64\Lfhiepbn.exe (PID 2004)
    Command line: C:\Windows\system32\Lfhiepbn.exe
    - Executes dropped EXE
    - Drops file in System32 directory

[38] C:\Windows\SysWOW64\Lepclldc.exe (PID 1532)
    Command line: C:\Windows\system32\Lepclldc.exe
    - Executes dropped EXE
    - Drops file in System32 directory

[39] C:\Windows\SysWOW64\Mbdcepcm.exe (PID 2384)
    Command line: C:\Windows\system32\Mbdcepcm.exe
    - Executes dropped EXE

[40] C:\Windows\SysWOW64\Naimepkp.exe (PID 2540)
    Command line: C:\Windows\system32\Naimepkp.exe
    - Executes dropped EXE

[41] C:\Windows\SysWOW64\Okhgod32.exe (PID 2456)
    Command line: C:\Windows\system32\Okhgod32.exe
    - Executes dropped EXE

[42] C:\Windows\SysWOW64\Oabplobe.exe (PID 2024)
    Command line: C:\Windows\system32\Oabplobe.exe
    - Executes dropped EXE

[43] C:\Windows\SysWOW64\Omqjgl32.exe (PID 1524)
    Command line: C:\Windows\system32\Omqjgl32.exe
    - Executes dropped EXE

[44] C:\Windows\SysWOW64\Bpjnmlel.exe (PID 1916)
    Command line: C:\Windows\system32\Bpjnmlel.exe
    - Executes dropped EXE

[45] C:\Windows\SysWOW64\Codeih32.exe (PID 2832)
    Command line: C:\Windows\system32\Codeih32.exe
    - Executes dropped EXE

[46] C:\Windows\SysWOW64\Glkgcmbg.exe (PID 2836)
    Command line: C:\Windows\system32\Glkgcmbg.exe
    - Executes dropped EXE

[47] C:\Windows\SysWOW64\Gecklbih.exe (PID 1004)
    Command line: C:\Windows\system32\Gecklbih.exe
    - Executes dropped EXE

[48] C:\Windows\SysWOW64\Hbpbck32.exe (PID 1728)
    Command line: C:\Windows\system32\Hbpbck32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE

[49] C:\Windows\SysWOW64\Hkejnl32.exe (PID 2944)
    Command line: C:\Windows\system32\Hkejnl32.exe
    - Executes dropped EXE

[50] C:\Windows\SysWOW64\Ihijhpdo.exe (PID 1448)
    Command line: C:\Windows\system32\Ihijhpdo.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE

[51] C:\Windows\SysWOW64\Igbqdlea.exe (PID 2200)
    Command line: C:\Windows\system32\Igbqdlea.exe
    - Executes dropped EXE
    - Drops file in System32 directory

[52] C:\Windows\SysWOW64\Ihdmld32.exe (PID 2244)
    Command line: C:\Windows\system32\Ihdmld32.exe
    - Executes dropped EXE

[53] C:\Windows\SysWOW64\Ialadj32.exe (PID 2684)
    Command line: C:\Windows\system32\Ialadj32.exe
    - Executes dropped EXE
    - Drops file in System32 directory

[54] C:\Windows\SysWOW64\Jhmpbc32.exe (PID 2712)
    Command line: C:\Windows\system32\Jhmpbc32.exe
    - Executes dropped EXE

[55] C:\Windows\SysWOW64\Lbhmok32.exe (PID 2696)
    Command line: C:\Windows\system32\Lbhmok32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE

[56] C:\Windows\SysWOW64\Pamlel32.exe (PID 2636)
    Command line: C:\Windows\system32\Pamlel32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE

[57] C:\Windows\SysWOW64\Ajcldpkd.exe (PID 2520)
    Command line: C:\Windows\system32\Ajcldpkd.exe
    - Executes dropped EXE

[58] C:\Windows\SysWOW64\Bpengf32.exe (PID 2528)
    Command line: C:\Windows\system32\Bpengf32.exe
    - Executes dropped EXE
    - Modifies registry class

[59] C:\Windows\SysWOW64\Bafkookd.exe (PID 932)
    Command line: C:\Windows\system32\Bafkookd.exe
    - Executes dropped EXE

[60] C:\Windows\SysWOW64\Bllomg32.exe (PID 1936)
    Command line: C:\Windows\system32\Bllomg32.exe
    - Executes dropped EXE
    - Modifies registry class

[61] C:\Windows\SysWOW64\Bmohjooe.exe (PID 1080)
    Command line: C:\Windows\system32\Bmohjooe.exe
    - Executes dropped EXE
    - Modifies registry class

[62] C:\Windows\SysWOW64\Bdipfi32.exe (PID 2168)
    Command line: C:\Windows\system32\Bdipfi32.exe
    - Executes dropped EXE

[63] C:\Windows\SysWOW64\Cooddbfh.exe (PID 1956)
    Command line: C:\Windows\system32\Cooddbfh.exe
    - Executes dropped EXE
    - Drops file in System32 directory

[64] C:\Windows\SysWOW64\Ckfeic32.exe (PID 1996)
    Command line: C:\Windows\system32\Ckfeic32.exe
    - Executes dropped EXE

[65] C:\Windows\SysWOW64\Cmfnjnin.exe (PID 1896)
    Command line: C:\Windows\system32\Cmfnjnin.exe
    - Executes dropped EXE

[66] C:\Windows\SysWOW64\Ceacoqfi.exe (PID 2740)
    Command line: C:\Windows\system32\Ceacoqfi.exe

[67] C:\Windows\SysWOW64\Dlpdfjjp.exe (PID 1220)
    Command line: C:\Windows\system32\Dlpdfjjp.exe
    - Drops file in System32 directory

[68] C:\Windows\SysWOW64\Dpdfemkm.exe (PID 2020)
    Command line: C:\Windows\system32\Dpdfemkm.exe

[69] C:\Windows\SysWOW64\Dkjkcfjc.exe (PID 964)
    Command line: C:\Windows\system32\Dkjkcfjc.exe

[70] C:\Windows\SysWOW64\Dpgckm32.exe (PID 2184)
    Command line: C:\Windows\system32\Dpgckm32.exe

[71] C:\Windows\SysWOW64\Dkmghe32.exe (PID 1388)
    Command line: C:\Windows\system32\Dkmghe32.exe

[72] C:\Windows\SysWOW64\Epipql32.exe (PID 1400)
    Command line: C:\Windows\system32\Epipql32.exe

[73] C:\Windows\SysWOW64\Elpqemll.exe (PID 2144)
    Command line: C:\Windows\system32\Elpqemll.exe
    - Modifies registry class

[74] C:\Windows\SysWOW64\Efhenccl.exe (PID 3016)
    Command line: C:\Windows\system32\Efhenccl.exe
    - Drops file in System32 directory

[75] C:\Windows\SysWOW64\Elejqm32.exe (PID 1860)
    Command line: C:\Windows\system32\Elejqm32.exe
    - Modifies registry class

[76] C:\Windows\SysWOW64\Ebabicfn.exe (PID 1016)
    Command line: C:\Windows\system32\Ebabicfn.exe

[77] C:\Windows\SysWOW64\Fnmmidhm.exe (PID 2404)
    Command line: C:\Windows\system32\Fnmmidhm.exe

[78] C:\Windows\SysWOW64\Gpeoakhc.exe (PID 1692)
    Command line: C:\Windows\system32\Gpeoakhc.exe
    - Adds autorun key to be loaded by Explorer.exe on startup

[79] C:\Windows\SysWOW64\Hagepa32.exe (PID 2756)
    Command line: C:\Windows\system32\Hagepa32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory

[80] C:\Windows\SysWOW64\Iekgod32.exe (PID 2676)
    Command line: C:\Windows\system32\Iekgod32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory

[81] C:\Windows\SysWOW64\Ihjcko32.exe (PID 2576)
    Command line: C:\Windows\system32\Ihjcko32.exe

[82] C:\Windows\SysWOW64\Ikmibjkm.exe (PID 2700)
    Command line: C:\Windows\system32\Ikmibjkm.exe

[83] C:\Windows\SysWOW64\Igcjgk32.exe (PID 2948)
    Command line: C:\Windows\system32\Igcjgk32.exe

[84] C:\Windows\SysWOW64\Iainddpg.exe (PID 2628)
    Command line: C:\Windows\system32\Iainddpg.exe
    - Modifies registry class

[85] C:\Windows\SysWOW64\Igffmkno.exe (PID 2688)
    Command line: C:\Windows\system32\Igffmkno.exe

[86] C:\Windows\SysWOW64\Jpnkep32.exe (PID 2536)
    Command line: C:\Windows\system32\Jpnkep32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup

[87] C:\Windows\SysWOW64\Mjddnjdf.exe (PID 536)
    Command line: C:\Windows\system32\Mjddnjdf.exe

[88] C:\Windows\SysWOW64\Mbpibm32.exe (PID 1992)
    Command line: C:\Windows\system32\Mbpibm32.exe
    - Drops file in System32 directory

[89] C:\Windows\SysWOW64\Miiaogio.exe (PID 2388)
    Command line: C:\Windows\system32\Miiaogio.exe

[90] C:\Windows\SysWOW64\Nkdpmn32.exe (PID 1700)
    Command line: C:\Windows\system32\Nkdpmn32.exe
    - Drops file in System32 directory

[91] C:\Windows\SysWOW64\Nanhihno.exe (PID 1664)
    Command line: C:\Windows\system32\Nanhihno.exe

[92] C:\Windows\SysWOW64\Oobiclmh.exe (PID 1452)
    Command line: C:\Windows\system32\Oobiclmh.exe

[93] C:\Windows\SysWOW64\Paekijkb.exe (PID 2744)
    Command line: C:\Windows\system32\Paekijkb.exe
    - Modifies registry class

[94] C:\Windows\SysWOW64\Aodnfbpm.exe (PID 3068)
    Command line: C:\Windows\system32\Aodnfbpm.exe
    - Adds autorun key to be loaded by Explorer.exe on startup

[95] C:\Windows\SysWOW64\Akphfbbl.exe (PID 1012)
    Command line: C:\Windows\system32\Akphfbbl.exe
    - Drops file in System32 directory
    - Modifies registry class

[96] C:\Windows\SysWOW64\Aehmoh32.exe (PID 1528)
    Command line: C:\Windows\system32\Aehmoh32.exe

[97] C:\Windows\SysWOW64\Bfppgohb.exe (PID 936)
    Command line: C:\Windows\system32\Bfppgohb.exe

[98] C:\Windows\SysWOW64\Bcdpacgl.exe (PID 1796)
    Command line: C:\Windows\system32\Bcdpacgl.exe
    - Modifies registry class

[99] C:\Windows\SysWOW64\Biahijec.exe (PID 1236)
    Command line: C:\Windows\system32\Biahijec.exe

[100] C:\Windows\SysWOW64\Cdapjglj.exe (PID 1360)
    Command line: C:\Windows\system32\Cdapjglj.exe

[101] C:\Windows\SysWOW64\Dcblgbfe.exe (PID 1584)
    Command line: C:\Windows\system32\Dcblgbfe.exe

[102] C:\Windows\SysWOW64\Eajennij.exe (PID 2856)
    Command line: C:\Windows\system32\Eajennij.exe
    - Adds autorun key to be loaded by Explorer.exe on startup

[103] C:\Windows\SysWOW64\Elpjkgip.exe (PID 784)
    Command line: C:\Windows\system32\Elpjkgip.exe
    - Modifies registry class

[104] C:\Windows\SysWOW64\Eehndm32.exe (PID 2996)
    Command line: C:\Windows\system32\Eehndm32.exe

[105] C:\Windows\SysWOW64\Egikle32.exe (PID 2732)
    Command line: C:\Windows\system32\Egikle32.exe

[106] C:\Windows\SysWOW64\Fcgaae32.exe (PID 1504)
    Command line: C:\Windows\system32\Fcgaae32.exe

[107] C:\Windows\SysWOW64\Gqfeom32.exe (PID 2824)
    Command line: C:\Windows\system32\Gqfeom32.exe

[108] C:\Windows\SysWOW64\Gjnigb32.exe (PID 2632)
    Command line: C:\Windows\system32\Gjnigb32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup

[109] C:\Windows\SysWOW64\Gcgnphgf.exe (PID 2492)
    Command line: C:\Windows\system32\Gcgnphgf.exe

[110] C:\Windows\SysWOW64\Gjephakn.exe (PID 2276)
    Command line: C:\Windows\system32\Gjephakn.exe

[111] C:\Windows\SysWOW64\Hlnbqijd.exe (PID 2592)
    Command line: C:\Windows\system32\Hlnbqijd.exe

[112] C:\Windows\SysWOW64\Immkiodb.exe (PID 2896)
    Command line: C:\Windows\system32\Immkiodb.exe

[113] C:\Windows\SysWOW64\Kgelahmn.exe (PID 2084)
    Command line: C:\Windows\system32\Kgelahmn.exe

[114] C:\Windows\SysWOW64\Lncjhd32.exe (PID 928)
    Command line: C:\Windows\system32\Lncjhd32.exe

[115] C:\Windows\SysWOW64\Nhngem32.exe (PID 1616)
    Command line: C:\Windows\system32\Nhngem32.exe

[116] C:\Windows\SysWOW64\Nmkpnd32.exe (PID 1392)
    Command line: C:\Windows\system32\Nmkpnd32.exe

[117] C:\Windows\SysWOW64\Nhpdkm32.exe (PID 780)
    Command line: C:\Windows\system32\Nhpdkm32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Modifies registry class

[118] C:\Windows\SysWOW64\Naihdb32.exe (PID 1168)
    Command line: C:\Windows\system32\Naihdb32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    - Modifies registry class

[119] C:\Windows\SysWOW64\Nfeqli32.exe (PID 1820)
    Command line: C:\Windows\system32\Nfeqli32.exe

[120] C:\Windows\SysWOW64\Ohncdp32.exe (PID 2340)
    Command line: C:\Windows\system32\Ohncdp32.exe
    - Modifies registry class

[121] C:\Windows\SysWOW64\Pgopak32.exe (PID 2928)
    Command line: C:\Windows\system32\Pgopak32.exe

[122] C:\Windows\SysWOW64\Achikonn.exe (PID 864)
    Command line: C:\Windows\system32\Achikonn.exe
    - Drops file in System32 directory