Analysis
-
max time kernel
119s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09/04/2024, 21:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0f4b06e4696229a573b87ecf8bca582b.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
0f4b06e4696229a573b87ecf8bca582b.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
0f4b06e4696229a573b87ecf8bca582b.exe
-
Size
467KB
-
MD5
0f4b06e4696229a573b87ecf8bca582b
-
SHA1
e80ed124b8a53f11ceb2dcd9ac62d7192a4b6daa
-
SHA256
d802e4e58c82caf305861b85bb7db883a78ab05aec7a31f0c672a9830438cf8a
-
SHA512
118e7ac203bb1e0ecfb52f123519db23a1a68713f5711fd0c32827b2578b36c27abe2277fecf6f902cfed5aa121f71f218cca1a99078efc0e0fc04c6138f33d6
-
SSDEEP
12288:+n82o8wEBW8wESByvNv54B9f01ZmHByvNv5:+n82o8wqW8wQvr4B9f01ZmQvr
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eccpoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aopahjll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nfahomfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aoagccfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oiljam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kohnoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqhfhigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jpdnbbah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckhdggom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cmpgpond.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njfjnpgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaimopli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgdnnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gepafc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akabgebj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbppnbhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Popeif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clpabm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ifgpnmom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckjamgmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcamjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Niedqnen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pnjofo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dphmloih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgehno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 0f4b06e4696229a573b87ecf8bca582b.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkifdd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beackp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehjona32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dlfgcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obokcqhk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cebeem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Adcdbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfeepelg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnnnalph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ciohqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jlnklcej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Akcomepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qfljkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aobnniji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hnheohcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phnpagdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgmahg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlphbbbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olebgfao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpcoib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfljkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bofgii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Padhdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmpgpond.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndkhngdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mggabaea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngealejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Obokcqhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qnghel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foojop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oioggmmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhjcic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccpcckck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfjpdjjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Neknki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pplaki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilnomp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpdnbbah.exe -
Executes dropped EXE 64 IoCs
pid Process 2828 Ehjona32.exe 2688 Eccpoo32.exe 2780 Foojop32.exe 2660 Fkejcq32.exe 2620 Fqglggcp.exe 2472 Gqiimfam.exe 2544 Gcmoda32.exe 1660 Gpcoib32.exe 1916 Hpjeialg.exe 2600 Hhejnc32.exe 1964 Hanogipc.exe 2360 Hhjcic32.exe 1932 Ifampo32.exe 2116 Iegjqk32.exe 328 Jaeafklf.exe 1384 Jagnlkjd.exe 2956 Jnnnalph.exe 1804 Kghpoa32.exe 1400 Kgkleabc.exe 1560 Kcamjb32.exe 828 Kohnoc32.exe 3020 Kbigpn32.exe 1700 Ldoimh32.exe 752 Lmjnak32.exe 1756 Lfbbjpgd.exe 2224 Lqhfhigj.exe 2220 Mkaghg32.exe 2612 Mfglep32.exe 2516 Mpamde32.exe 2644 Mgmahg32.exe 2724 Mbbfep32.exe 2632 Mccbmh32.exe 2476 Mnifja32.exe 2468 Ncfoch32.exe 1512 Npmphinm.exe 2524 Niedqnen.exe 832 Ndkhngdd.exe 2016 Njdqka32.exe 1148 Nlfmbibo.exe 1572 Nenakoho.exe 2972 Noffdd32.exe 1956 Oiljam32.exe 1048 Opfbngfb.exe 1100 Oioggmmc.exe 1920 Ookpodkj.exe 1544 Odhhgkib.exe 1012 Okbpde32.exe 2392 Odjdmjgo.exe 896 Ogknoe32.exe 668 Ppcbgkka.exe 1736 Pkifdd32.exe 2280 Ppfomk32.exe 2928 Pnjofo32.exe 1220 Pcghof32.exe 464 Plolgk32.exe 1728 Pegqpacp.exe 2840 Popeif32.exe 1428 Pdmnam32.exe 2528 Qobbofgn.exe 2652 Qfljkp32.exe 2556 Qododfek.exe 2488 Qqfkln32.exe 2440 Qhmcmk32.exe 2856 Adcdbl32.exe -
Loads dropped DLL 64 IoCs
pid Process 2508 0f4b06e4696229a573b87ecf8bca582b.exe 2508 0f4b06e4696229a573b87ecf8bca582b.exe 2828 Ehjona32.exe 2828 Ehjona32.exe 2688 Eccpoo32.exe 2688 Eccpoo32.exe 2780 Foojop32.exe 2780 Foojop32.exe 2660 Fkejcq32.exe 2660 Fkejcq32.exe 2620 Fqglggcp.exe 2620 Fqglggcp.exe 2472 Gqiimfam.exe 2472 Gqiimfam.exe 2544 Gcmoda32.exe 2544 Gcmoda32.exe 1660 Gpcoib32.exe 1660 Gpcoib32.exe 1916 Hpjeialg.exe 1916 Hpjeialg.exe 2600 Hhejnc32.exe 2600 Hhejnc32.exe 1964 Hanogipc.exe 1964 Hanogipc.exe 2360 Hhjcic32.exe 2360 Hhjcic32.exe 1932 Ifampo32.exe 1932 Ifampo32.exe 2116 Iegjqk32.exe 2116 Iegjqk32.exe 328 Jaeafklf.exe 328 Jaeafklf.exe 1384 Jagnlkjd.exe 1384 Jagnlkjd.exe 2956 Jnnnalph.exe 2956 Jnnnalph.exe 1804 Kghpoa32.exe 1804 Kghpoa32.exe 1400 Kgkleabc.exe 1400 Kgkleabc.exe 1560 Kcamjb32.exe 1560 Kcamjb32.exe 828 Kohnoc32.exe 828 Kohnoc32.exe 3020 Kbigpn32.exe 3020 Kbigpn32.exe 1700 Ldoimh32.exe 1700 Ldoimh32.exe 752 Lmjnak32.exe 752 Lmjnak32.exe 1756 Lfbbjpgd.exe 1756 Lfbbjpgd.exe 2224 Lqhfhigj.exe 2224 Lqhfhigj.exe 2220 Mkaghg32.exe 2220 Mkaghg32.exe 2612 Mfglep32.exe 2612 Mfglep32.exe 2516 Mpamde32.exe 2516 Mpamde32.exe 2644 Mgmahg32.exe 2644 Mgmahg32.exe 2724 Mbbfep32.exe 2724 Mbbfep32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ccpcckck.exe Cmfkfa32.exe File opened for modification C:\Windows\SysWOW64\Dfphcj32.exe Deollamj.exe File created C:\Windows\SysWOW64\Ibcnojnp.exe Iikifegp.exe File opened for modification C:\Windows\SysWOW64\Aaimopli.exe Ajmijmnn.exe File created C:\Windows\SysWOW64\Daajeb32.dll Npmphinm.exe File created C:\Windows\SysWOW64\Aihfap32.exe Aopahjll.exe File created C:\Windows\SysWOW64\Pmagpjhh.dll Ieajkfmd.exe File opened for modification C:\Windows\SysWOW64\Mbhlek32.exe Mjaddn32.exe File created C:\Windows\SysWOW64\Pkaehb32.exe Pplaki32.exe File created C:\Windows\SysWOW64\Qgjccb32.exe Qppkfhlc.exe File created C:\Windows\SysWOW64\Hqjpab32.dll Accqnc32.exe File created C:\Windows\SysWOW64\Aoagccfn.exe Aficjnpm.exe File created C:\Windows\SysWOW64\Iplkimih.dll Noffdd32.exe File opened for modification C:\Windows\SysWOW64\Aopahjll.exe Ajcipc32.exe File created C:\Windows\SysWOW64\Idgnjl32.dll Dfphcj32.exe File created C:\Windows\SysWOW64\Mkaohl32.dll Ghdgfbkl.exe File created C:\Windows\SysWOW64\Iikifegp.exe Hpbdmo32.exe File opened for modification C:\Windows\SysWOW64\Qppkfhlc.exe Pkcbnanl.exe File opened for modification C:\Windows\SysWOW64\Ckhdggom.exe Cbppnbhm.exe File opened for modification C:\Windows\SysWOW64\Hhjcic32.exe Hanogipc.exe File created C:\Windows\SysWOW64\Jagnlkjd.exe Jaeafklf.exe File created C:\Windows\SysWOW64\Jnnnalph.exe Jagnlkjd.exe File created C:\Windows\SysWOW64\Egkoigpo.dll Ppfomk32.exe File created C:\Windows\SysWOW64\Klqahn32.dll Amohfo32.exe File created C:\Windows\SysWOW64\Baleem32.dll Beackp32.exe File created C:\Windows\SysWOW64\Pfqgfg32.dll Qgjccb32.exe File created C:\Windows\SysWOW64\Ijppackl.dll Ciohqa32.exe File opened for modification C:\Windows\SysWOW64\Dphmloih.exe Dfphcj32.exe File created C:\Windows\SysWOW64\Bleoal32.dll Hnheohcl.exe File created C:\Windows\SysWOW64\Andpoahc.dll Kpgffe32.exe File opened for modification C:\Windows\SysWOW64\Mggabaea.exe Mnomjl32.exe File created C:\Windows\SysWOW64\Qppkfhlc.exe Pkcbnanl.exe File opened for modification C:\Windows\SysWOW64\Qhmcmk32.exe Qqfkln32.exe File created C:\Windows\SysWOW64\Iakgefqe.exe Ilnomp32.exe File created C:\Windows\SysWOW64\Fdakoaln.dll Pplaki32.exe File opened for modification C:\Windows\SysWOW64\Jojkco32.exe Jmhnkfpa.exe File created C:\Windows\SysWOW64\Accqnc32.exe Qnghel32.exe File created C:\Windows\SysWOW64\Ioiepeog.dll Mgmahg32.exe File created C:\Windows\SysWOW64\Ejgccq32.dll Aopahjll.exe File opened for modification C:\Windows\SysWOW64\Bcmfmlen.exe Bkbaii32.exe File opened for modification C:\Windows\SysWOW64\Lkgngb32.exe Lfkeokjp.exe File opened for modification C:\Windows\SysWOW64\Oiljam32.exe Noffdd32.exe File opened for modification C:\Windows\SysWOW64\Hcigco32.exe Hfegij32.exe File created C:\Windows\SysWOW64\Jmgnph32.dll Kkjnnn32.exe File created C:\Windows\SysWOW64\Knmdeioh.exe Kgclio32.exe File created C:\Windows\SysWOW64\Kgkleabc.exe Kghpoa32.exe File created C:\Windows\SysWOW64\Mjaddn32.exe Lgchgb32.exe File created C:\Windows\SysWOW64\Akabgebj.exe Aaimopli.exe File created C:\Windows\SysWOW64\Bkhhhd32.exe Aoagccfn.exe File created C:\Windows\SysWOW64\Pdaemiaj.dll Cillkbac.exe File opened for modification C:\Windows\SysWOW64\Cfcijf32.exe Cpiqmlfm.exe File opened for modification C:\Windows\SysWOW64\Jlnklcej.exe Jioopgef.exe File created C:\Windows\SysWOW64\Nhfpnk32.dll Kgclio32.exe File opened for modification C:\Windows\SysWOW64\Bcjcme32.exe Bmpkqklh.exe File created C:\Windows\SysWOW64\Jenghkhk.dll Hanogipc.exe File opened for modification C:\Windows\SysWOW64\Dbncjf32.exe Dldkmlhl.exe File created C:\Windows\SysWOW64\Hpbdmo32.exe Hfjpdjjo.exe File created C:\Windows\SysWOW64\Pipnmn32.dll Jioopgef.exe File created C:\Windows\SysWOW64\Ladpkl32.dll Mmgfqh32.exe File opened for modification C:\Windows\SysWOW64\Popeif32.exe Pegqpacp.exe File created C:\Windows\SysWOW64\Amohfo32.exe Aknlofim.exe File opened for modification C:\Windows\SysWOW64\Ilnomp32.exe Injndk32.exe File opened for modification C:\Windows\SysWOW64\Nfahomfd.exe Mcckcbgp.exe File created C:\Windows\SysWOW64\Fnbkfl32.dll Ckjamgmk.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\system32†Edggmg32.¾ll Dpapaj32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aodkci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knjmll32.dll" Clbnhmjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihnijmcj.dll" Knmdeioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Olebgfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qppkfhlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfqnol32.dll" Qndkpmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiead32.dll" Ldoimh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mccbmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Akabgebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaoplfhc.dll" Bjmeiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhadqf32.dll" Ajgbkbjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabalojc.dll" Klngkfge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mggabaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nbhhdnlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbkdn32.dll" Qcachc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qfljkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aopahjll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bcmfmlen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bddlnn32.dll" Kgkleabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mnifja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcfig32.dll" Pcghof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aopahjll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bjbeofpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cpiqmlfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jojkco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odldga32.dll" Njfjnpgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Foojop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ppfomk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Obokcqhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pkaehb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iikifegp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kglehp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kklkcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Npmphinm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aihfap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacldi32.dll" Mqpflg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mmgfqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aobnniji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hfjpdjjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll" Bdcifi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iakgefqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mjaddn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pkjphcff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qndkpmkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bjmeiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" 0f4b06e4696229a573b87ecf8bca582b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mcjhmcok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ccpcckck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpphhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdndgcj.dll" Lkgngb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mcckcbgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cgcnghpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jagnlkjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bkbaii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Popeif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dphmloih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgccgk32.dll" Hfegij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hcigco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkgoklhk.dll" Pkaehb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gqiimfam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lfbbjpgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jegime32.dll" Oiljam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mbhlek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qcachc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2508 wrote to memory of 2828 2508 0f4b06e4696229a573b87ecf8bca582b.exe 28 PID 2508 wrote to memory of 2828 2508 0f4b06e4696229a573b87ecf8bca582b.exe 28 PID 2508 wrote to memory of 2828 2508 0f4b06e4696229a573b87ecf8bca582b.exe 28 PID 2508 wrote to memory of 2828 2508 0f4b06e4696229a573b87ecf8bca582b.exe 28 PID 2828 wrote to memory of 2688 2828 Ehjona32.exe 29 PID 2828 wrote to memory of 2688 2828 Ehjona32.exe 29 PID 2828 wrote to memory of 2688 2828 Ehjona32.exe 29 PID 2828 wrote to memory of 2688 2828 Ehjona32.exe 29 PID 2688 wrote to memory of 2780 2688 Eccpoo32.exe 30 PID 2688 wrote to memory of 2780 2688 Eccpoo32.exe 30 PID 2688 wrote to memory of 2780 2688 Eccpoo32.exe 30 PID 2688 wrote to memory of 2780 2688 Eccpoo32.exe 30 PID 2780 wrote to memory of 2660 2780 Foojop32.exe 31 PID 2780 wrote to memory of 2660 2780 Foojop32.exe 31 PID 2780 wrote to memory of 2660 2780 Foojop32.exe 31 PID 2780 wrote to memory of 2660 2780 Foojop32.exe 31 PID 2660 wrote to memory of 2620 2660 Fkejcq32.exe 32 PID 2660 wrote to memory of 2620 2660 Fkejcq32.exe 32 PID 2660 wrote to memory of 2620 2660 Fkejcq32.exe 32 PID 2660 wrote to memory of 2620 2660 Fkejcq32.exe 32 PID 2620 wrote to memory of 2472 2620 Fqglggcp.exe 33 PID 2620 wrote to memory of 2472 2620 Fqglggcp.exe 33 PID 2620 wrote to memory of 2472 2620 Fqglggcp.exe 33 PID 2620 wrote to memory of 2472 2620 Fqglggcp.exe 33 PID 2472 wrote to memory of 2544 2472 Gqiimfam.exe 34 PID 2472 wrote to memory of 2544 2472 Gqiimfam.exe 34 PID 2472 wrote to memory of 2544 2472 Gqiimfam.exe 34 PID 2472 wrote to memory of 2544 2472 Gqiimfam.exe 34 PID 2544 wrote to memory of 1660 2544 Gcmoda32.exe 35 PID 2544 wrote to memory of 1660 2544 Gcmoda32.exe 35 PID 2544 wrote to memory of 1660 2544 Gcmoda32.exe 35 PID 2544 wrote to memory of 1660 2544 Gcmoda32.exe 35 PID 1660 wrote to memory of 1916 1660 Gpcoib32.exe 36 PID 1660 wrote to memory of 1916 1660 Gpcoib32.exe 36 PID 1660 wrote to memory of 1916 1660 Gpcoib32.exe 36 PID 1660 wrote to memory of 1916 1660 Gpcoib32.exe 36 PID 1916 wrote to memory of 2600 1916 Hpjeialg.exe 37 PID 1916 wrote to memory of 2600 1916 Hpjeialg.exe 37 PID 1916 wrote to memory of 2600 1916 Hpjeialg.exe 37 PID 1916 wrote to memory of 2600 1916 Hpjeialg.exe 37 PID 2600 wrote to memory of 1964 2600 Hhejnc32.exe 38 PID 2600 wrote to memory of 1964 2600 Hhejnc32.exe 38 PID 2600 wrote to memory of 1964 2600 Hhejnc32.exe 38 PID 2600 wrote to memory of 1964 2600 Hhejnc32.exe 38 PID 1964 wrote to memory of 2360 1964 Hanogipc.exe 39 PID 1964 wrote to memory of 2360 1964 Hanogipc.exe 39 PID 1964 wrote to memory of 2360 1964 Hanogipc.exe 39 PID 1964 wrote to memory of 2360 1964 Hanogipc.exe 39 PID 2360 wrote to memory of 1932 2360 Hhjcic32.exe 40 PID 2360 wrote to memory of 1932 2360 Hhjcic32.exe 40 PID 2360 wrote to memory of 1932 2360 Hhjcic32.exe 40 PID 2360 wrote to memory of 1932 2360 Hhjcic32.exe 40 PID 1932 wrote to memory of 2116 1932 Ifampo32.exe 41 PID 1932 wrote to memory of 2116 1932 Ifampo32.exe 41 PID 1932 wrote to memory of 2116 1932 Ifampo32.exe 41 PID 1932 wrote to memory of 2116 1932 Ifampo32.exe 41 PID 2116 wrote to memory of 328 2116 Iegjqk32.exe 42 PID 2116 wrote to memory of 328 2116 Iegjqk32.exe 42 PID 2116 wrote to memory of 328 2116 Iegjqk32.exe 42 PID 2116 wrote to memory of 328 2116 Iegjqk32.exe 42 PID 328 wrote to memory of 1384 328 Jaeafklf.exe 43 PID 328 wrote to memory of 1384 328 Jaeafklf.exe 43 PID 328 wrote to memory of 1384 328 Jaeafklf.exe 43 PID 328 wrote to memory of 1384 328 Jaeafklf.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f4b06e4696229a573b87ecf8bca582b.exe"C:\Users\Admin\AppData\Local\Temp\0f4b06e4696229a573b87ecf8bca582b.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Ehjona32.exeC:\Windows\system32\Ehjona32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Eccpoo32.exeC:\Windows\system32\Eccpoo32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Foojop32.exeC:\Windows\system32\Foojop32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Fkejcq32.exeC:\Windows\system32\Fkejcq32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Fqglggcp.exeC:\Windows\system32\Fqglggcp.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Gqiimfam.exeC:\Windows\system32\Gqiimfam.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Gcmoda32.exeC:\Windows\system32\Gcmoda32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Gpcoib32.exeC:\Windows\system32\Gpcoib32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Hpjeialg.exeC:\Windows\system32\Hpjeialg.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Hhejnc32.exeC:\Windows\system32\Hhejnc32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Hanogipc.exeC:\Windows\system32\Hanogipc.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Hhjcic32.exeC:\Windows\system32\Hhjcic32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Iegjqk32.exeC:\Windows\system32\Iegjqk32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Jaeafklf.exeC:\Windows\system32\Jaeafklf.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:328 -
C:\Windows\SysWOW64\Jagnlkjd.exeC:\Windows\system32\Jagnlkjd.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1384 -
C:\Windows\SysWOW64\Jnnnalph.exeC:\Windows\system32\Jnnnalph.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2956 -
C:\Windows\SysWOW64\Kghpoa32.exeC:\Windows\system32\Kghpoa32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1804 -
C:\Windows\SysWOW64\Kgkleabc.exeC:\Windows\system32\Kgkleabc.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1400 -
C:\Windows\SysWOW64\Kcamjb32.exeC:\Windows\system32\Kcamjb32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1560 -
C:\Windows\SysWOW64\Kohnoc32.exeC:\Windows\system32\Kohnoc32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:828 -
C:\Windows\SysWOW64\Kbigpn32.exeC:\Windows\system32\Kbigpn32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Ldoimh32.exeC:\Windows\system32\Ldoimh32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Lmjnak32.exeC:\Windows\system32\Lmjnak32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:752 -
C:\Windows\SysWOW64\Lfbbjpgd.exeC:\Windows\system32\Lfbbjpgd.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Lqhfhigj.exeC:\Windows\system32\Lqhfhigj.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2224 -
C:\Windows\SysWOW64\Mkaghg32.exeC:\Windows\system32\Mkaghg32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2220 -
C:\Windows\SysWOW64\Mfglep32.exeC:\Windows\system32\Mfglep32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Mpamde32.exeC:\Windows\system32\Mpamde32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2516 -
C:\Windows\SysWOW64\Mgmahg32.exeC:\Windows\system32\Mgmahg32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Mbbfep32.exeC:\Windows\system32\Mbbfep32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Mccbmh32.exeC:\Windows\system32\Mccbmh32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Mnifja32.exeC:\Windows\system32\Mnifja32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Ncfoch32.exeC:\Windows\system32\Ncfoch32.exe35⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Npmphinm.exeC:\Windows\system32\Npmphinm.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Niedqnen.exeC:\Windows\system32\Niedqnen.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Ndkhngdd.exeC:\Windows\system32\Ndkhngdd.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:832 -
C:\Windows\SysWOW64\Njdqka32.exeC:\Windows\system32\Njdqka32.exe39⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Nlfmbibo.exeC:\Windows\system32\Nlfmbibo.exe40⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Nenakoho.exeC:\Windows\system32\Nenakoho.exe41⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Noffdd32.exeC:\Windows\system32\Noffdd32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Oiljam32.exeC:\Windows\system32\Oiljam32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1956 -
C:\Windows\SysWOW64\Opfbngfb.exeC:\Windows\system32\Opfbngfb.exe44⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Oioggmmc.exeC:\Windows\system32\Oioggmmc.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Ookpodkj.exeC:\Windows\system32\Ookpodkj.exe46⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe47⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Okbpde32.exeC:\Windows\system32\Okbpde32.exe48⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Odjdmjgo.exeC:\Windows\system32\Odjdmjgo.exe49⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Ogknoe32.exeC:\Windows\system32\Ogknoe32.exe50⤵
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Ppcbgkka.exeC:\Windows\system32\Ppcbgkka.exe51⤵
- Executes dropped EXE
PID:668 -
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Pnjofo32.exeC:\Windows\system32\Pnjofo32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Pcghof32.exeC:\Windows\system32\Pcghof32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:1220 -
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe56⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Pegqpacp.exeC:\Windows\system32\Pegqpacp.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Popeif32.exeC:\Windows\system32\Popeif32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Pdmnam32.exeC:\Windows\system32\Pdmnam32.exe59⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Qobbofgn.exeC:\Windows\system32\Qobbofgn.exe60⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Qfljkp32.exeC:\Windows\system32\Qfljkp32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Qododfek.exeC:\Windows\system32\Qododfek.exe62⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Qqfkln32.exeC:\Windows\system32\Qqfkln32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2488 -
C:\Windows\SysWOW64\Qhmcmk32.exeC:\Windows\system32\Qhmcmk32.exe64⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Adcdbl32.exeC:\Windows\system32\Adcdbl32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Aknlofim.exeC:\Windows\system32\Aknlofim.exe66⤵
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Amohfo32.exeC:\Windows\system32\Amohfo32.exe67⤵
- Drops file in System32 directory
PID:524 -
C:\Windows\SysWOW64\Adfqgl32.exeC:\Windows\system32\Adfqgl32.exe68⤵PID:2712
-
C:\Windows\SysWOW64\Ajcipc32.exeC:\Windows\system32\Ajcipc32.exe69⤵
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Aopahjll.exeC:\Windows\system32\Aopahjll.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Aihfap32.exeC:\Windows\system32\Aihfap32.exe71⤵
- Modifies registry class
PID:1896 -
C:\Windows\SysWOW64\Aobnniji.exeC:\Windows\system32\Aobnniji.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Ajgbkbjp.exeC:\Windows\system32\Ajgbkbjp.exe73⤵
- Modifies registry class
PID:2252 -
C:\Windows\SysWOW64\Aodkci32.exeC:\Windows\system32\Aodkci32.exe74⤵
- Modifies registry class
PID:1064 -
C:\Windows\SysWOW64\Beackp32.exeC:\Windows\system32\Beackp32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:604 -
C:\Windows\SysWOW64\Bofgii32.exeC:\Windows\system32\Bofgii32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2248 -
C:\Windows\SysWOW64\Bfqpecma.exeC:\Windows\system32\Bfqpecma.exe77⤵PID:3016
-
C:\Windows\SysWOW64\Bkmhnjlh.exeC:\Windows\system32\Bkmhnjlh.exe78⤵PID:2800
-
C:\Windows\SysWOW64\Bbgqjdce.exeC:\Windows\system32\Bbgqjdce.exe79⤵PID:632
-
C:\Windows\SysWOW64\Bgdibkam.exeC:\Windows\system32\Bgdibkam.exe80⤵PID:2768
-
C:\Windows\SysWOW64\Bjbeofpp.exeC:\Windows\system32\Bjbeofpp.exe81⤵
- Modifies registry class
PID:1180 -
C:\Windows\SysWOW64\Behilopf.exeC:\Windows\system32\Behilopf.exe82⤵PID:1988
-
C:\Windows\SysWOW64\Bkbaii32.exeC:\Windows\system32\Bkbaii32.exe83⤵
- Drops file in System32 directory
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Bcmfmlen.exeC:\Windows\system32\Bcmfmlen.exe84⤵
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Cmfkfa32.exeC:\Windows\system32\Cmfkfa32.exe85⤵
- Drops file in System32 directory
PID:3008 -
C:\Windows\SysWOW64\Ccpcckck.exeC:\Windows\system32\Ccpcckck.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Cillkbac.exeC:\Windows\system32\Cillkbac.exe87⤵
- Drops file in System32 directory
PID:2000 -
C:\Windows\SysWOW64\Ciohqa32.exeC:\Windows\system32\Ciohqa32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe89⤵
- Drops file in System32 directory
- Modifies registry class
PID:2320 -
C:\Windows\SysWOW64\Cfcijf32.exeC:\Windows\system32\Cfcijf32.exe90⤵PID:2004
-
C:\Windows\SysWOW64\Clpabm32.exeC:\Windows\system32\Clpabm32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2960 -
C:\Windows\SysWOW64\Cfeepelg.exeC:\Windows\system32\Cfeepelg.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1912 -
C:\Windows\SysWOW64\Clbnhmjo.exeC:\Windows\system32\Clbnhmjo.exe93⤵
- Modifies registry class
PID:1228 -
C:\Windows\SysWOW64\Dejbqb32.exeC:\Windows\system32\Dejbqb32.exe94⤵PID:1612
-
C:\Windows\SysWOW64\Dldkmlhl.exeC:\Windows\system32\Dldkmlhl.exe95⤵
- Drops file in System32 directory
PID:1496 -
C:\Windows\SysWOW64\Dbncjf32.exeC:\Windows\system32\Dbncjf32.exe96⤵PID:2884
-
C:\Windows\SysWOW64\Dlfgcl32.exeC:\Windows\system32\Dlfgcl32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:768 -
C:\Windows\SysWOW64\Deollamj.exeC:\Windows\system32\Deollamj.exe98⤵
- Drops file in System32 directory
PID:1200 -
C:\Windows\SysWOW64\Dfphcj32.exeC:\Windows\system32\Dfphcj32.exe99⤵
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Dphmloih.exeC:\Windows\system32\Dphmloih.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Eeohkeoe.exeC:\Windows\system32\Eeohkeoe.exe101⤵PID:1732
-
C:\Windows\SysWOW64\Fgdnnl32.exeC:\Windows\system32\Fgdnnl32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:872 -
C:\Windows\SysWOW64\Fkecij32.exeC:\Windows\system32\Fkecij32.exe103⤵PID:1608
-
C:\Windows\SysWOW64\Fgnadkic.exeC:\Windows\system32\Fgnadkic.exe104⤵PID:2984
-
C:\Windows\SysWOW64\Goiehm32.exeC:\Windows\system32\Goiehm32.exe105⤵PID:572
-
C:\Windows\SysWOW64\Gfcnegnk.exeC:\Windows\system32\Gfcnegnk.exe106⤵PID:2864
-
C:\Windows\SysWOW64\Gmmfaa32.exeC:\Windows\system32\Gmmfaa32.exe107⤵PID:2140
-
C:\Windows\SysWOW64\Gcgnnlle.exeC:\Windows\system32\Gcgnnlle.exe108⤵PID:2552
-
C:\Windows\SysWOW64\Ghdgfbkl.exeC:\Windows\system32\Ghdgfbkl.exe109⤵
- Drops file in System32 directory
PID:1672 -
C:\Windows\SysWOW64\Gonocmbi.exeC:\Windows\system32\Gonocmbi.exe110⤵PID:2860
-
C:\Windows\SysWOW64\Gkephn32.exeC:\Windows\system32\Gkephn32.exe111⤵PID:2844
-
C:\Windows\SysWOW64\Gjjmijme.exeC:\Windows\system32\Gjjmijme.exe112⤵PID:936
-
C:\Windows\SysWOW64\Gepafc32.exeC:\Windows\system32\Gepafc32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2376 -
C:\Windows\SysWOW64\Hnheohcl.exeC:\Windows\system32\Hnheohcl.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1272 -
C:\Windows\SysWOW64\Hmmbqegc.exeC:\Windows\system32\Hmmbqegc.exe115⤵PID:2200
-
C:\Windows\SysWOW64\Hfegij32.exeC:\Windows\system32\Hfegij32.exe116⤵
- Drops file in System32 directory
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Hcigco32.exeC:\Windows\system32\Hcigco32.exe117⤵
- Modifies registry class
PID:776 -
C:\Windows\SysWOW64\Hpphhp32.exeC:\Windows\system32\Hpphhp32.exe118⤵
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Hfjpdjjo.exeC:\Windows\system32\Hfjpdjjo.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Hpbdmo32.exeC:\Windows\system32\Hpbdmo32.exe120⤵
- Drops file in System32 directory
PID:1344 -
C:\Windows\SysWOW64\Iikifegp.exeC:\Windows\system32\Iikifegp.exe121⤵
- Drops file in System32 directory
- Modifies registry class
PID:1708
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-