Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09/04/2024, 22:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
375322e973887c483516f8285e51985a.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
375322e973887c483516f8285e51985a.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
375322e973887c483516f8285e51985a.exe
-
Size
80KB
-
MD5
375322e973887c483516f8285e51985a
-
SHA1
1cd09490bfd7c9ca312248958d44cf8bb82cc769
-
SHA256
64d7113e4898fde4ff34137da95b136fb362db726c3149847f689fbcdd7bb02a
-
SHA512
61e2dd2116309f95196f1dc40d4e88dd62132f6bbd05509ed708a53e7d8c222c32aebfbce53a111ad294c57316636836a56b2df5d61ef889e8b6fabfbe87b533
-
SSDEEP
1536:WZF3aO7sRenCAqVw6XIeTf2Ltbdwfi+TjRC/6i:WF3aOsenfqVwGwrwf1TjYL
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amoibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcmoie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiockd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbmhdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bacgohjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmhkkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qblfkgqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffiepg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgiobadq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biiiempl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enmqjq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pchdfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abiqcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjgbbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deegjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fappgflg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajipkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikicikap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abiqcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcbbidgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkelhemb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epkhfkco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djafaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bboahbio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfppgohb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpengf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgjkmijh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjppmlhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Godjaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cncolfcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noagjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chjmmnnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enngdgim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfqiingf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qblfkgqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilemce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgiobadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjfjcdln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkcgapjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbpendha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddbmcb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dncdqcbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iekgod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lighjd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icgibkki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbhfajia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lebemmbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmfgkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfbjdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqnillbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doijcjde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfqiingf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiqjao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckchcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llbnpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahpfoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faanibeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chgimh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phjjkefd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Penjdien.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdcgeejf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcfohlmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfmahkhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eobenc32.exe -
Executes dropped EXE 64 IoCs
pid Process 1820 Pnnmeh32.exe 944 Qblfkgqb.exe 1976 Qldjdlgb.exe 1048 Ajjgei32.exe 2028 Aeokba32.exe 596 Ajldkhjh.exe 884 Apilcoho.exe 1540 Ammmlcgi.exe 2460 Amoibc32.exe 2532 Amafgc32.exe 2636 Bfjkphjd.exe 2852 Boeoek32.exe 1828 Blipno32.exe 2944 Blkmdodf.exe 3056 Blniinac.exe 2996 Bdinnqon.exe 1604 Cppobaeb.exe 2608 Cncolfcl.exe 1392 Cglcek32.exe 2160 Cnflae32.exe 1032 Cgnpjkhj.exe 2844 Clkicbfa.exe 2148 Clnehado.exe 2288 Djafaf32.exe 2096 Donojm32.exe 772 Dhgccbhp.exe 2368 Dboglhna.exe 1552 Dnfhqi32.exe 1416 Dhklna32.exe 2328 Ddbmcb32.exe 2008 Dklepmal.exe 1264 Ecgjdong.exe 2404 Efhcej32.exe 1276 Eifobe32.exe 2552 Ebockkal.exe 2336 Eikimeff.exe 2700 Enhaeldn.exe 2540 Efoifiep.exe 2676 Egpena32.exe 1352 Fbfjkj32.exe 2920 Fhbbcail.exe 2984 Fbhfajia.exe 1404 Fheoiqgi.exe 2516 Fmbgageq.exe 2896 Fdlpnamm.exe 2796 Fjfhkl32.exe 2892 Fappgflg.exe 808 Ffmipmjn.exe 1768 Fmfalg32.exe 2092 Gbcien32.exe 2340 Gminbfoh.exe 1036 Gpgjnbnl.exe 1636 Gedbfimc.exe 572 Gmkjgfmf.exe 516 Hhlaiccm.exe 1268 Hpgfmeag.exe 696 Hdeoccgn.exe 1388 Hkogpn32.exe 2888 Hnmcli32.exe 2668 Hgfheodo.exe 2868 Hclhjpjc.exe 1600 Ilemce32.exe 2964 Ihlnhffh.exe 1644 Ikjjda32.exe -
Loads dropped DLL 64 IoCs
pid Process 2236 375322e973887c483516f8285e51985a.exe 2236 375322e973887c483516f8285e51985a.exe 1820 Pnnmeh32.exe 1820 Pnnmeh32.exe 944 Qblfkgqb.exe 944 Qblfkgqb.exe 1976 Qldjdlgb.exe 1976 Qldjdlgb.exe 1048 Ajjgei32.exe 1048 Ajjgei32.exe 2028 Aeokba32.exe 2028 Aeokba32.exe 596 Ajldkhjh.exe 596 Ajldkhjh.exe 884 Apilcoho.exe 884 Apilcoho.exe 1540 Ammmlcgi.exe 1540 Ammmlcgi.exe 2460 Amoibc32.exe 2460 Amoibc32.exe 2532 Amafgc32.exe 2532 Amafgc32.exe 2636 Bfjkphjd.exe 2636 Bfjkphjd.exe 2852 Boeoek32.exe 2852 Boeoek32.exe 1828 Blipno32.exe 1828 Blipno32.exe 2944 Blkmdodf.exe 2944 Blkmdodf.exe 3056 Blniinac.exe 3056 Blniinac.exe 2996 Bdinnqon.exe 2996 Bdinnqon.exe 1604 Cppobaeb.exe 1604 Cppobaeb.exe 2608 Cncolfcl.exe 2608 Cncolfcl.exe 1392 Cglcek32.exe 1392 Cglcek32.exe 2160 Cnflae32.exe 2160 Cnflae32.exe 1032 Cgnpjkhj.exe 1032 Cgnpjkhj.exe 2844 Clkicbfa.exe 2844 Clkicbfa.exe 2148 Clnehado.exe 2148 Clnehado.exe 2288 Djafaf32.exe 2288 Djafaf32.exe 2096 Donojm32.exe 2096 Donojm32.exe 772 Dhgccbhp.exe 772 Dhgccbhp.exe 2368 Dboglhna.exe 2368 Dboglhna.exe 1552 Dnfhqi32.exe 1552 Dnfhqi32.exe 1416 Dhklna32.exe 1416 Dhklna32.exe 2328 Ddbmcb32.exe 2328 Ddbmcb32.exe 2008 Dklepmal.exe 2008 Dklepmal.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ibpgdb32.dll Cojghf32.exe File created C:\Windows\SysWOW64\Nfmahkhh.exe Ndoelpid.exe File created C:\Windows\SysWOW64\Blcikifh.dll Hiofdmkq.exe File opened for modification C:\Windows\SysWOW64\Inmpklpj.exe Igcgnbim.exe File created C:\Windows\SysWOW64\Ebakdbbk.dll Olopjddf.exe File opened for modification C:\Windows\SysWOW64\Lhapocoi.exe Kepgmh32.exe File created C:\Windows\SysWOW64\Fmdpcpjb.dll Omnmal32.exe File created C:\Windows\SysWOW64\Kgmilmkb.exe Kkfhglen.exe File opened for modification C:\Windows\SysWOW64\Mdoccg32.exe Mkdbea32.exe File created C:\Windows\SysWOW64\Gbhfjh32.dll Kkbbqjgb.exe File opened for modification C:\Windows\SysWOW64\Coejfn32.exe Caajmilh.exe File created C:\Windows\SysWOW64\Pagdkl32.dll Lebemmbk.exe File created C:\Windows\SysWOW64\Hkahhl32.dll Ambnlmja.exe File created C:\Windows\SysWOW64\Anhbdpje.exe Agnjge32.exe File opened for modification C:\Windows\SysWOW64\Amoibc32.exe Ammmlcgi.exe File created C:\Windows\SysWOW64\Ieoeff32.dll Efhcej32.exe File created C:\Windows\SysWOW64\Jjmdaidg.dll Bpbabf32.exe File created C:\Windows\SysWOW64\Qmicii32.dll Lighjd32.exe File opened for modification C:\Windows\SysWOW64\Qekdpkgj.exe Qbmhdp32.exe File opened for modification C:\Windows\SysWOW64\Gapoob32.exe Gjffbhnj.exe File created C:\Windows\SysWOW64\Ihnjmf32.exe Ifpnaj32.exe File opened for modification C:\Windows\SysWOW64\Mgfiocfl.exe Mkohjbah.exe File created C:\Windows\SysWOW64\Dkblohek.exe Dajgfboj.exe File opened for modification C:\Windows\SysWOW64\Dgildi32.exe Dkblohek.exe File opened for modification C:\Windows\SysWOW64\Enngdgim.exe Elmkmo32.exe File created C:\Windows\SysWOW64\Oaciom32.exe Ocqhcqgk.exe File opened for modification C:\Windows\SysWOW64\Ojndpqpq.exe Ogohdeam.exe File opened for modification C:\Windows\SysWOW64\Eblpke32.exe Eomdoj32.exe File created C:\Windows\SysWOW64\Bakdjn32.exe Bomhnb32.exe File opened for modification C:\Windows\SysWOW64\Boeoek32.exe Bfjkphjd.exe File opened for modification C:\Windows\SysWOW64\Oqmokioh.exe Ogekbchg.exe File created C:\Windows\SysWOW64\Kgahboge.dll Glomllkd.exe File created C:\Windows\SysWOW64\Lmkcfaod.dll Iekgod32.exe File created C:\Windows\SysWOW64\Bpkphm32.dll Lomglo32.exe File opened for modification C:\Windows\SysWOW64\Dboglhna.exe Dhgccbhp.exe File created C:\Windows\SysWOW64\Pgdekmcg.dll Heakefnf.exe File created C:\Windows\SysWOW64\Ijipclac.dll Ajapoqmf.exe File opened for modification C:\Windows\SysWOW64\Pieobaiq.exe Jigagocd.exe File created C:\Windows\SysWOW64\Apqaki32.dll Hdpqhc32.exe File created C:\Windows\SysWOW64\Mbendkpn.dll Ammmlcgi.exe File opened for modification C:\Windows\SysWOW64\Npppaejj.exe Ncloha32.exe File created C:\Windows\SysWOW64\Opgcne32.dll Opcejd32.exe File created C:\Windows\SysWOW64\Bhjpnj32.exe Bldpiifb.exe File opened for modification C:\Windows\SysWOW64\Hbghdj32.exe Hiockd32.exe File created C:\Windows\SysWOW64\Pjhpin32.exe Pcnhmdli.exe File created C:\Windows\SysWOW64\Afakja32.dll Qoqhncgp.exe File created C:\Windows\SysWOW64\Epkhfkco.exe Elmoqlmh.exe File created C:\Windows\SysWOW64\Jjlgai32.dll Hgfheodo.exe File created C:\Windows\SysWOW64\Dncdqcbl.exe Dgildi32.exe File created C:\Windows\SysWOW64\Qgdiqn32.dll Dncdqcbl.exe File created C:\Windows\SysWOW64\Bbfijm32.dll Lcffgnnc.exe File opened for modification C:\Windows\SysWOW64\Biceoj32.exe Bbimbpld.exe File created C:\Windows\SysWOW64\Npbpjn32.exe Mmjqhd32.exe File created C:\Windows\SysWOW64\Dangeigl.dll Bdinnqon.exe File opened for modification C:\Windows\SysWOW64\Aalofa32.exe Apkbnibq.exe File opened for modification C:\Windows\SysWOW64\Gjffbhnj.exe Giejkp32.exe File opened for modification C:\Windows\SysWOW64\Mmjqhd32.exe Lhiodnob.exe File created C:\Windows\SysWOW64\Cgnpjkhj.exe Cnflae32.exe File created C:\Windows\SysWOW64\Ihpfbd32.dll Cgnpjkhj.exe File opened for modification C:\Windows\SysWOW64\Occeip32.exe Olimlf32.exe File created C:\Windows\SysWOW64\Biiiempl.exe Bboahbio.exe File created C:\Windows\SysWOW64\Ajipkb32.exe Acohnhab.exe File created C:\Windows\SysWOW64\Kfgcieii.exe Komjmk32.exe File created C:\Windows\SysWOW64\Dmfhqmge.exe Qomcdf32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2628 4348 WerFault.exe 570 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbncof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhgccbhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iceojc32.dll" Maocekoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhjpnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iodolf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjfhgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pihjghlh.dll" Nfpnnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqhifni.dll" Mgfiocfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abbjbnoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlbloflp.dll" Peiaij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Belecp32.dll" Lfgbmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qakagnfq.dll" Dkdjol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipippm32.dll" Apkbnibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aebjaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pchdfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpfeoqmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcijnhod.dll" Kbkdpnil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekbcekpd.dll" Ojdjqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blajkq32.dll" Gmamfddp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anckcdco.dll" Bboahbio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hffjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qokdamgl.dll" Dglkba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpgcfmge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlmdgdnq.dll" Gfjicd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmngof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dggbgadf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cihqdoaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgagag32.dll" Apilcoho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcppgbjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdimfhnj.dll" Agnjge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkehhlef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbiokdam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibamdc32.dll" Hdeoccgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijopjhfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkbphfab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okjoec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hilgcb32.dll" Elmkmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcnhmdli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfbemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oibpdico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okjoec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeackjhh.dll" Ebockkal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmlobg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcbjni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gekncjfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} 375322e973887c483516f8285e51985a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdgbdihl.dll" Gminbfoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iplnpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnmold32.dll" Ldgikklb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Befddlni.dll" Cniajdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loapkfmc.dll" Lmbcmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hblidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfimhmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blkmdodf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfmnkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljjhdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opcejd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilnamhfg.dll" Pmeemp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hblidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfjkof32.dll" Ffiepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pchdfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbimbpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmjcemh.dll" Mmjqhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmbcmo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2236 wrote to memory of 1820 2236 375322e973887c483516f8285e51985a.exe 30 PID 2236 wrote to memory of 1820 2236 375322e973887c483516f8285e51985a.exe 30 PID 2236 wrote to memory of 1820 2236 375322e973887c483516f8285e51985a.exe 30 PID 2236 wrote to memory of 1820 2236 375322e973887c483516f8285e51985a.exe 30 PID 1820 wrote to memory of 944 1820 Pnnmeh32.exe 31 PID 1820 wrote to memory of 944 1820 Pnnmeh32.exe 31 PID 1820 wrote to memory of 944 1820 Pnnmeh32.exe 31 PID 1820 wrote to memory of 944 1820 Pnnmeh32.exe 31 PID 944 wrote to memory of 1976 944 Qblfkgqb.exe 32 PID 944 wrote to memory of 1976 944 Qblfkgqb.exe 32 PID 944 wrote to memory of 1976 944 Qblfkgqb.exe 32 PID 944 wrote to memory of 1976 944 Qblfkgqb.exe 32 PID 1976 wrote to memory of 1048 1976 Qldjdlgb.exe 33 PID 1976 wrote to memory of 1048 1976 Qldjdlgb.exe 33 PID 1976 wrote to memory of 1048 1976 Qldjdlgb.exe 33 PID 1976 wrote to memory of 1048 1976 Qldjdlgb.exe 33 PID 1048 wrote to memory of 2028 1048 Ajjgei32.exe 34 PID 1048 wrote to memory of 2028 1048 Ajjgei32.exe 34 PID 1048 wrote to memory of 2028 1048 Ajjgei32.exe 34 PID 1048 wrote to memory of 2028 1048 Ajjgei32.exe 34 PID 2028 wrote to memory of 596 2028 Aeokba32.exe 35 PID 2028 wrote to memory of 596 2028 Aeokba32.exe 35 PID 2028 wrote to memory of 596 2028 Aeokba32.exe 35 PID 2028 wrote to memory of 596 2028 Aeokba32.exe 35 PID 596 wrote to memory of 884 596 Ajldkhjh.exe 36 PID 596 wrote to memory of 884 596 Ajldkhjh.exe 36 PID 596 wrote to memory of 884 596 Ajldkhjh.exe 36 PID 596 wrote to memory of 884 596 Ajldkhjh.exe 36 PID 884 wrote to memory of 1540 884 Apilcoho.exe 37 PID 884 wrote to memory of 1540 884 Apilcoho.exe 37 PID 884 wrote to memory of 1540 884 Apilcoho.exe 37 PID 884 wrote to memory of 1540 884 Apilcoho.exe 37 PID 1540 wrote to memory of 2460 1540 Ammmlcgi.exe 38 PID 1540 wrote to memory of 2460 1540 Ammmlcgi.exe 38 PID 1540 wrote to memory of 2460 1540 Ammmlcgi.exe 38 PID 1540 wrote to memory of 2460 1540 Ammmlcgi.exe 38 PID 2460 wrote to memory of 2532 2460 Amoibc32.exe 39 PID 2460 wrote to memory of 2532 2460 Amoibc32.exe 39 PID 2460 wrote to memory of 2532 2460 Amoibc32.exe 39 PID 2460 wrote to memory of 2532 2460 Amoibc32.exe 39 PID 2532 wrote to memory of 2636 2532 Amafgc32.exe 40 PID 2532 wrote to memory of 2636 2532 Amafgc32.exe 40 PID 2532 wrote to memory of 2636 2532 Amafgc32.exe 40 PID 2532 wrote to memory of 2636 2532 Amafgc32.exe 40 PID 2636 wrote to memory of 2852 2636 Bfjkphjd.exe 41 PID 2636 wrote to memory of 2852 2636 Bfjkphjd.exe 41 PID 2636 wrote to memory of 2852 2636 Bfjkphjd.exe 41 PID 2636 wrote to memory of 2852 2636 Bfjkphjd.exe 41 PID 2852 wrote to memory of 1828 2852 Boeoek32.exe 42 PID 2852 wrote to memory of 1828 2852 Boeoek32.exe 42 PID 2852 wrote to memory of 1828 2852 Boeoek32.exe 42 PID 2852 wrote to memory of 1828 2852 Boeoek32.exe 42 PID 1828 wrote to memory of 2944 1828 Blipno32.exe 43 PID 1828 wrote to memory of 2944 1828 Blipno32.exe 43 PID 1828 wrote to memory of 2944 1828 Blipno32.exe 43 PID 1828 wrote to memory of 2944 1828 Blipno32.exe 43 PID 2944 wrote to memory of 3056 2944 Blkmdodf.exe 44 PID 2944 wrote to memory of 3056 2944 Blkmdodf.exe 44 PID 2944 wrote to memory of 3056 2944 Blkmdodf.exe 44 PID 2944 wrote to memory of 3056 2944 Blkmdodf.exe 44 PID 3056 wrote to memory of 2996 3056 Blniinac.exe 45 PID 3056 wrote to memory of 2996 3056 Blniinac.exe 45 PID 3056 wrote to memory of 2996 3056 Blniinac.exe 45 PID 3056 wrote to memory of 2996 3056 Blniinac.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\375322e973887c483516f8285e51985a.exe"C:\Users\Admin\AppData\Local\Temp\375322e973887c483516f8285e51985a.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Pnnmeh32.exeC:\Windows\system32\Pnnmeh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Qblfkgqb.exeC:\Windows\system32\Qblfkgqb.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Windows\SysWOW64\Qldjdlgb.exeC:\Windows\system32\Qldjdlgb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Ajjgei32.exeC:\Windows\system32\Ajjgei32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Aeokba32.exeC:\Windows\system32\Aeokba32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Ajldkhjh.exeC:\Windows\system32\Ajldkhjh.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:596 -
C:\Windows\SysWOW64\Apilcoho.exeC:\Windows\system32\Apilcoho.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\SysWOW64\Ammmlcgi.exeC:\Windows\system32\Ammmlcgi.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Amoibc32.exeC:\Windows\system32\Amoibc32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Amafgc32.exeC:\Windows\system32\Amafgc32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Bfjkphjd.exeC:\Windows\system32\Bfjkphjd.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Boeoek32.exeC:\Windows\system32\Boeoek32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Blipno32.exeC:\Windows\system32\Blipno32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\Blkmdodf.exeC:\Windows\system32\Blkmdodf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Blniinac.exeC:\Windows\system32\Blniinac.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Bdinnqon.exeC:\Windows\system32\Bdinnqon.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Cppobaeb.exeC:\Windows\system32\Cppobaeb.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Cncolfcl.exeC:\Windows\system32\Cncolfcl.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
C:\Windows\SysWOW64\Cglcek32.exeC:\Windows\system32\Cglcek32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1392 -
C:\Windows\SysWOW64\Cnflae32.exeC:\Windows\system32\Cnflae32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2160 -
C:\Windows\SysWOW64\Cgnpjkhj.exeC:\Windows\system32\Cgnpjkhj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1032 -
C:\Windows\SysWOW64\Clkicbfa.exeC:\Windows\system32\Clkicbfa.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Clnehado.exeC:\Windows\system32\Clnehado.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\Djafaf32.exeC:\Windows\system32\Djafaf32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Donojm32.exeC:\Windows\system32\Donojm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2096 -
C:\Windows\SysWOW64\Dhgccbhp.exeC:\Windows\system32\Dhgccbhp.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:772 -
C:\Windows\SysWOW64\Dboglhna.exeC:\Windows\system32\Dboglhna.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Dnfhqi32.exeC:\Windows\system32\Dnfhqi32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1552 -
C:\Windows\SysWOW64\Dhklna32.exeC:\Windows\system32\Dhklna32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1416 -
C:\Windows\SysWOW64\Ddbmcb32.exeC:\Windows\system32\Ddbmcb32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2328 -
C:\Windows\SysWOW64\Dklepmal.exeC:\Windows\system32\Dklepmal.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2008 -
C:\Windows\SysWOW64\Ecgjdong.exeC:\Windows\system32\Ecgjdong.exe33⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Efhcej32.exeC:\Windows\system32\Efhcej32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2404 -
C:\Windows\SysWOW64\Eifobe32.exeC:\Windows\system32\Eifobe32.exe35⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Ebockkal.exeC:\Windows\system32\Ebockkal.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Eikimeff.exeC:\Windows\system32\Eikimeff.exe37⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Enhaeldn.exeC:\Windows\system32\Enhaeldn.exe38⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Efoifiep.exeC:\Windows\system32\Efoifiep.exe39⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Egpena32.exeC:\Windows\system32\Egpena32.exe40⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Fbfjkj32.exeC:\Windows\system32\Fbfjkj32.exe41⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Fhbbcail.exeC:\Windows\system32\Fhbbcail.exe42⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Fbhfajia.exeC:\Windows\system32\Fbhfajia.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Fheoiqgi.exeC:\Windows\system32\Fheoiqgi.exe44⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Fmbgageq.exeC:\Windows\system32\Fmbgageq.exe45⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Fdlpnamm.exeC:\Windows\system32\Fdlpnamm.exe46⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Fjfhkl32.exeC:\Windows\system32\Fjfhkl32.exe47⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Fappgflg.exeC:\Windows\system32\Fappgflg.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Ffmipmjn.exeC:\Windows\system32\Ffmipmjn.exe49⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Fmfalg32.exeC:\Windows\system32\Fmfalg32.exe50⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Gbcien32.exeC:\Windows\system32\Gbcien32.exe51⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Gminbfoh.exeC:\Windows\system32\Gminbfoh.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Gpgjnbnl.exeC:\Windows\system32\Gpgjnbnl.exe53⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Gedbfimc.exeC:\Windows\system32\Gedbfimc.exe54⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Gmkjgfmf.exeC:\Windows\system32\Gmkjgfmf.exe55⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Hhlaiccm.exeC:\Windows\system32\Hhlaiccm.exe56⤵
- Executes dropped EXE
PID:516 -
C:\Windows\SysWOW64\Hpgfmeag.exeC:\Windows\system32\Hpgfmeag.exe57⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Hdeoccgn.exeC:\Windows\system32\Hdeoccgn.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:696 -
C:\Windows\SysWOW64\Hkogpn32.exeC:\Windows\system32\Hkogpn32.exe59⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Hnmcli32.exeC:\Windows\system32\Hnmcli32.exe60⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Hgfheodo.exeC:\Windows\system32\Hgfheodo.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2668 -
C:\Windows\SysWOW64\Hclhjpjc.exeC:\Windows\system32\Hclhjpjc.exe62⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Ilemce32.exeC:\Windows\system32\Ilemce32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Ihlnhffh.exeC:\Windows\system32\Ihlnhffh.exe64⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Ikjjda32.exeC:\Windows\system32\Ikjjda32.exe65⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Ifpnaj32.exeC:\Windows\system32\Ifpnaj32.exe66⤵
- Drops file in System32 directory
PID:1372 -
C:\Windows\SysWOW64\Ihnjmf32.exeC:\Windows\system32\Ihnjmf32.exe67⤵PID:864
-
C:\Windows\SysWOW64\Igcgnbim.exeC:\Windows\system32\Igcgnbim.exe68⤵
- Drops file in System32 directory
PID:1556 -
C:\Windows\SysWOW64\Inmpklpj.exeC:\Windows\system32\Inmpklpj.exe69⤵PID:2304
-
C:\Windows\SysWOW64\Ibkhak32.exeC:\Windows\system32\Ibkhak32.exe70⤵PID:1452
-
C:\Windows\SysWOW64\Jdidmf32.exeC:\Windows\system32\Jdidmf32.exe71⤵PID:1728
-
C:\Windows\SysWOW64\Jmdiahco.exeC:\Windows\system32\Jmdiahco.exe72⤵PID:1840
-
C:\Windows\SysWOW64\Jfmnkn32.exeC:\Windows\system32\Jfmnkn32.exe73⤵
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Jcandb32.exeC:\Windows\system32\Jcandb32.exe74⤵PID:1532
-
C:\Windows\SysWOW64\Jjkfqlpf.exeC:\Windows\system32\Jjkfqlpf.exe75⤵PID:2584
-
C:\Windows\SysWOW64\Jmlobg32.exeC:\Windows\system32\Jmlobg32.exe76⤵
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Kbkdpnil.exeC:\Windows\system32\Kbkdpnil.exe77⤵
- Modifies registry class
PID:1272 -
C:\Windows\SysWOW64\Kpoejbhe.exeC:\Windows\system32\Kpoejbhe.exe78⤵PID:2408
-
C:\Windows\SysWOW64\Kelmbifm.exeC:\Windows\system32\Kelmbifm.exe79⤵PID:1740
-
C:\Windows\SysWOW64\Kglfcd32.exeC:\Windows\system32\Kglfcd32.exe80⤵PID:1060
-
C:\Windows\SysWOW64\Kepgmh32.exeC:\Windows\system32\Kepgmh32.exe81⤵
- Drops file in System32 directory
PID:1096 -
C:\Windows\SysWOW64\Lhapocoi.exeC:\Windows\system32\Lhapocoi.exe82⤵PID:2832
-
C:\Windows\SysWOW64\Liblfl32.exeC:\Windows\system32\Liblfl32.exe83⤵PID:956
-
C:\Windows\SysWOW64\Lfhiepbn.exeC:\Windows\system32\Lfhiepbn.exe84⤵PID:2708
-
C:\Windows\SysWOW64\Llebnfpe.exeC:\Windows\system32\Llebnfpe.exe85⤵PID:2664
-
C:\Windows\SysWOW64\Lfkfkopk.exeC:\Windows\system32\Lfkfkopk.exe86⤵PID:2652
-
C:\Windows\SysWOW64\Lhlbbg32.exeC:\Windows\system32\Lhlbbg32.exe87⤵PID:3000
-
C:\Windows\SysWOW64\Ladgkmlj.exeC:\Windows\system32\Ladgkmlj.exe88⤵PID:2912
-
C:\Windows\SysWOW64\Lljkif32.exeC:\Windows\system32\Lljkif32.exe89⤵PID:1640
-
C:\Windows\SysWOW64\Mdepmh32.exeC:\Windows\system32\Mdepmh32.exe90⤵PID:2424
-
C:\Windows\SysWOW64\Mkohjbah.exeC:\Windows\system32\Mkohjbah.exe91⤵
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Mgfiocfl.exeC:\Windows\system32\Mgfiocfl.exe92⤵
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Mkdbea32.exeC:\Windows\system32\Mkdbea32.exe93⤵
- Drops file in System32 directory
PID:1888 -
C:\Windows\SysWOW64\Mdoccg32.exeC:\Windows\system32\Mdoccg32.exe94⤵PID:2124
-
C:\Windows\SysWOW64\Nikkkn32.exeC:\Windows\system32\Nikkkn32.exe95⤵PID:2076
-
C:\Windows\SysWOW64\Neblqoel.exeC:\Windows\system32\Neblqoel.exe96⤵PID:2740
-
C:\Windows\SysWOW64\Nphpng32.exeC:\Windows\system32\Nphpng32.exe97⤵PID:2132
-
C:\Windows\SysWOW64\Nloachkf.exeC:\Windows\system32\Nloachkf.exe98⤵PID:2364
-
C:\Windows\SysWOW64\Nommodjj.exeC:\Windows\system32\Nommodjj.exe99⤵PID:2020
-
C:\Windows\SysWOW64\Noojdc32.exeC:\Windows\system32\Noojdc32.exe100⤵PID:1612
-
C:\Windows\SysWOW64\Neibanod.exeC:\Windows\system32\Neibanod.exe101⤵PID:1848
-
C:\Windows\SysWOW64\Noagjc32.exeC:\Windows\system32\Noagjc32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1016 -
C:\Windows\SysWOW64\Ogmkne32.exeC:\Windows\system32\Ogmkne32.exe103⤵PID:1160
-
C:\Windows\SysWOW64\Ogohdeam.exeC:\Windows\system32\Ogohdeam.exe104⤵
- Drops file in System32 directory
PID:1436 -
C:\Windows\SysWOW64\Ojndpqpq.exeC:\Windows\system32\Ojndpqpq.exe105⤵PID:2848
-
C:\Windows\SysWOW64\Ogaeieoj.exeC:\Windows\system32\Ogaeieoj.exe106⤵PID:2680
-
C:\Windows\SysWOW64\Omnmal32.exeC:\Windows\system32\Omnmal32.exe107⤵
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Ojbnkp32.exeC:\Windows\system32\Ojbnkp32.exe108⤵PID:1804
-
C:\Windows\SysWOW64\Ockbdebl.exeC:\Windows\system32\Ockbdebl.exe109⤵PID:2100
-
C:\Windows\SysWOW64\Ojdjqp32.exeC:\Windows\system32\Ojdjqp32.exe110⤵
- Modifies registry class
PID:916 -
C:\Windows\SysWOW64\Pcmoie32.exeC:\Windows\system32\Pcmoie32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2956 -
C:\Windows\SysWOW64\Podpoffm.exeC:\Windows\system32\Podpoffm.exe112⤵PID:308
-
C:\Windows\SysWOW64\Pfnhkq32.exeC:\Windows\system32\Pfnhkq32.exe113⤵PID:1764
-
C:\Windows\SysWOW64\Pbdipa32.exeC:\Windows\system32\Pbdipa32.exe114⤵PID:2064
-
C:\Windows\SysWOW64\Qgfkchmp.exeC:\Windows\system32\Qgfkchmp.exe115⤵PID:2268
-
C:\Windows\SysWOW64\Qanolm32.exeC:\Windows\system32\Qanolm32.exe116⤵PID:1396
-
C:\Windows\SysWOW64\Qghgigkn.exeC:\Windows\system32\Qghgigkn.exe117⤵PID:2900
-
C:\Windows\SysWOW64\Acohnhab.exeC:\Windows\system32\Acohnhab.exe118⤵
- Drops file in System32 directory
PID:1164 -
C:\Windows\SysWOW64\Ajipkb32.exeC:\Windows\system32\Ajipkb32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:268 -
C:\Windows\SysWOW64\Aiqjao32.exeC:\Windows\system32\Aiqjao32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1560 -
C:\Windows\SysWOW64\Apkbnibq.exeC:\Windows\system32\Apkbnibq.exe121⤵
- Drops file in System32 directory
- Modifies registry class
PID:2660
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-