Analysis
max time kernel: 138s
max time network: 119s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 04/05/2024, 20:52
Static task: static1
Behavioral task: behavioral1
  Sample: 17555c33d04c9f1ce554a402a8ac561a80c7bd187e22bca341e91c0455c6f3b8.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 17555c33d04c9f1ce554a402a8ac561a80c7bd187e22bca341e91c0455c6f3b8.exe
  Resource: win10v2004-20240419-en
General
Target: 17555c33d04c9f1ce554a402a8ac561a80c7bd187e22bca341e91c0455c6f3b8.exe
Size: 1.5MB
MD5: abb29bc7564c1027c5c041f24892fcd0
SHA1: 9108a314ca4e3f950c59e54a18c80b9546b2c6e2
SHA256: 17555c33d04c9f1ce554a402a8ac561a80c7bd187e22bca341e91c0455c6f3b8
SHA512: 003ff79901af28e7ce58cbd5118998e584fcd6c8fe1b2b374488f2bf15324d97810d72fcc1b21d4697e5760bc99d42efc0ce7e65e8afefe8c77bd39f0471e0ad
SSDEEP: 12288:26N8ONuPbWGRdA6sQxuEuZH8WF50+OJ3BHCXwpnsKvNA+XTvZHWuEo3oWB+:26DNWzecI50+YNpsKv2EvZHp3oWB+
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
ShellServiceObjectDelayLoad (SSODL) is a list of CLSIDs that Explorer instantiates in-process when the shell starts, so a CLSID written there is loaded again after every logon; the DLL behind the CLSID is resolved through HKLM\Software\Classes\CLSID\{CLSID}\InProcServer32, which is what the "Modifies registry class" signature below records for the same GUID. The Wow6432Node paths are the 32-bit view of HKLM\Software that WoW64 registry redirection gives these 32-bit processes on the x64 guest.
The 64 rows share two IoCs, so the processes are grouped by IoC:
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ncjqhmkm.exe, Fncdgcqm.exe, Iamimc32.exe, Lbeknj32.exe, Fcefji32.exe, Gdjpeifj.exe, Liplnc32.exe, Ccahbp32.exe, Ckafbbph.exe, Dgjclbdi.exe, Mkclhl32.exe, Bldcpf32.exe, Chbjffad.exe, Bkdmcdoe.exe, Najdnj32.exe, Gifhnpea.exe, Kkolkk32.exe, Kbidgeci.exe, Hahjpbad.exe, Dnoomqbg.exe, Dpbheh32.exe, Hkkalk32.exe, Ffklhqao.exe, Gljnej32.exe, Anafhopc.exe, Bdbhke32.exe, Ejobhppq.exe, Fmpkjkma.exe, Bdlblj32.exe (29 rows)
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnaocmmi.exe, Aplpai32.exe, Ckffgg32.exe, Hnagjbdf.exe, Jnmlhchd.exe, Moidahcn.exe, Ngibaj32.exe, Loeebl32.exe, Mihiih32.exe, Coklgg32.exe, Pfoocjfd.exe, Pbfpik32.exe, Pjadmnic.exe, Qcpofbjl.exe, Bdlblj32.exe, Lahkigca.exe, Kmefooki.exe, Kqqboncb.exe, Mlibjc32.exe, Amfcikek.exe, Chbjffad.exe, Ffklhqao.exe, Cgmkmecg.exe, Cfbhnaho.exe, Bbjbaa32.exe, Hedocp32.exe, Ifkacb32.exe, Egafleqm.exe, Ndemjoae.exe, Mlibjc32.exe, Blgpef32.exe, Fiihdlpc.exe, Laegiq32.exe, Icmlam32.exe, Kjjmbj32.exe (35 rows; Mlibjc32.exe is listed twice in the report)
Executes dropped EXE (64 IoCs)
pid | Process
2016 | Pabjem32.exe
2468 | Qdccfh32.exe
2520 | Aplpai32.exe
2616 | Abmibdlh.exe
2496 | Aigaon32.exe
2376 | Bbdocc32.exe
2104 | Bingpmnl.exe
2744 | Baildokg.exe
352 | Bdhhqk32.exe
1760 | Bloqah32.exe
328 | Bommnc32.exe
1456 | Bhfagipa.exe
1260 | Bkdmcdoe.exe
2156 | Banepo32.exe
1264 | Bdlblj32.exe
748 | Bgknheej.exe
836 | Bjijdadm.exe
1676 | Baqbenep.exe
684 | Bdooajdc.exe
2800 | Cgmkmecg.exe
1692 | Cngcjo32.exe
1680 | Cpeofk32.exe
2980 | Ccdlbf32.exe
272 | Cfbhnaho.exe
1944 | Cllpkl32.exe
2924 | Coklgg32.exe
852 | Cfeddafl.exe
2568 | Chcqpmep.exe
2956 | Comimg32.exe
2940 | Cbkeib32.exe
2476 | Chemfl32.exe
2500 | Ckdjbh32.exe
2344 | Cckace32.exe
1420 | Chhjkl32.exe
2716 | Ckffgg32.exe
300 | Dbpodagk.exe
2332 | Dflkdp32.exe
1712 | Dhjgal32.exe
1740 | Gaemjbcg.exe
988 | Gphmeo32.exe
2172 | Hknach32.exe
448 | Hahjpbad.exe
980 | Hlakpp32.exe
1544 | Hckcmjep.exe
1756 | Hnagjbdf.exe
1948 | Hellne32.exe
2248 | Hkkalk32.exe
3052 | Icbimi32.exe
2432 | Inljnfkg.exe
2948 | Idfbkq32.exe
3064 | Igdogl32.exe
1648 | Iqmcpahh.exe
2620 | Ihdkao32.exe
3012 | Ikbgmj32.exe
2976 | Iblpjdpk.exe
1204 | Icmlam32.exe
2336 | Idmhkpml.exe
2696 | Ifnechbj.exe
1548 | Jmhmpb32.exe
1136 | Jofiln32.exe
2012 | Jjlnif32.exe
360 | Jmjjea32.exe
1868 | Jkpgfn32.exe
2776 | Jokcgmee.exe
Loads dropped DLL (64 IoCs)
Each pid below appears twice in the report's 64 rows (32 processes, two loads each).
pid | Process
2836 | 17555c33d04c9f1ce554a402a8ac561a80c7bd187e22bca341e91c0455c6f3b8.exe
2016 | Pabjem32.exe
2468 | Qdccfh32.exe
2520 | Aplpai32.exe
2616 | Abmibdlh.exe
2496 | Aigaon32.exe
2376 | Bbdocc32.exe
2104 | Bingpmnl.exe
2744 | Baildokg.exe
352 | Bdhhqk32.exe
1760 | Bloqah32.exe
328 | Bommnc32.exe
1456 | Bhfagipa.exe
1260 | Bkdmcdoe.exe
2156 | Banepo32.exe
1264 | Bdlblj32.exe
748 | Bgknheej.exe
836 | Bjijdadm.exe
1676 | Baqbenep.exe
684 | Bdooajdc.exe
2800 | Cgmkmecg.exe
1692 | Cngcjo32.exe
1680 | Cpeofk32.exe
2980 | Ccdlbf32.exe
272 | Cfbhnaho.exe
1944 | Cllpkl32.exe
2924 | Coklgg32.exe
852 | Cfeddafl.exe
2568 | Chcqpmep.exe
2956 | Comimg32.exe
2940 | Cbkeib32.exe
2476 | Chemfl32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Banepo32.exe | Bkdmcdoe.exe
File created | C:\Windows\SysWOW64\Nbpiak32.dll | Lbeknj32.exe
File created | C:\Windows\SysWOW64\Pfioffab.dll | Aamfnkai.exe
File opened for modification | C:\Windows\SysWOW64\Ipjoplgo.exe | Ilncom32.exe
File created | C:\Windows\SysWOW64\Cllpkl32.exe | Cfbhnaho.exe
File created | C:\Windows\SysWOW64\Aipddi32.exe | Qcbllb32.exe
File opened for modification | C:\Windows\SysWOW64\Bjlqhoba.exe | Bfadgq32.exe
File created | C:\Windows\SysWOW64\Odmfgh32.dll | Hhgdkjol.exe
File created | C:\Windows\SysWOW64\Lcagpl32.exe | Lfmffhde.exe
File created | C:\Windows\SysWOW64\Jkbcln32.exe | Jbjochdi.exe
File opened for modification | C:\Windows\SysWOW64\Kahojc32.exe | Kcdnao32.exe
File created | C:\Windows\SysWOW64\Ljpome32.dll | Kcihlong.exe
File created | C:\Windows\SysWOW64\Gokkjm32.dll | Lkncmmle.exe
File created | C:\Windows\SysWOW64\Djhmenjp.dll | Oddpfc32.exe
File created | C:\Windows\SysWOW64\Oceaboqg.dll | Nhiffc32.exe
File opened for modification | C:\Windows\SysWOW64\Dflkdp32.exe | Dbpodagk.exe
File created | C:\Windows\SysWOW64\Lelpgepb.dll | Aekodi32.exe
File created | C:\Windows\SysWOW64\Geiiogja.dll | Bmkmdk32.exe
File created | C:\Windows\SysWOW64\Deokcq32.dll | Banepo32.exe
File created | C:\Windows\SysWOW64\Pljpdpao.dll | Hnagjbdf.exe
File created | C:\Windows\SysWOW64\Ndpaod32.dll | Jmhmpb32.exe
File created | C:\Windows\SysWOW64\Okhklfnh.dll | Lkppbl32.exe
File created | C:\Windows\SysWOW64\Gheabp32.dll | Hlljjjnm.exe
File created | C:\Windows\SysWOW64\Ifkacb32.exe | Icmegf32.exe
File opened for modification | C:\Windows\SysWOW64\Ihdkao32.exe | Iqmcpahh.exe
File created | C:\Windows\SysWOW64\Pdaoog32.exe | Pfoocjfd.exe
File created | C:\Windows\SysWOW64\Cbnnqb32.dll | Pbhmnkjf.exe
File created | C:\Windows\SysWOW64\Ajfaqa32.dll | Dhpiojfb.exe
File created | C:\Windows\SysWOW64\Kaaldl32.dll | Fnfamcoj.exe
File created | C:\Windows\SysWOW64\Dfdlklmn.dll | Gdjpeifj.exe
File created | C:\Windows\SysWOW64\Lmikibio.exe | Ljkomfjl.exe
File created | C:\Windows\SysWOW64\Mlhkpm32.exe | Mencccop.exe
File opened for modification | C:\Windows\SysWOW64\Lahkigca.exe | Lbeknj32.exe
File created | C:\Windows\SysWOW64\Inlepd32.dll | Ojahnj32.exe
File created | C:\Windows\SysWOW64\Algdlcdm.dll | Gdgcpi32.exe
File created | C:\Windows\SysWOW64\Fhhiii32.dll | Niikceid.exe
File created | C:\Windows\SysWOW64\Kddjlc32.dll | Cllpkl32.exe
File opened for modification | C:\Windows\SysWOW64\Ejkima32.exe | Ekhhadmk.exe
File created | C:\Windows\SysWOW64\Mcbjgn32.exe | Mpdnkb32.exe
File created | C:\Windows\SysWOW64\Ginnnooi.exe | Gfobbc32.exe
File opened for modification | C:\Windows\SysWOW64\Liplnc32.exe | Lfbpag32.exe
File created | C:\Windows\SysWOW64\Kcpnnfqg.dll | Ndemjoae.exe
File created | C:\Windows\SysWOW64\Kqqboncb.exe | Kmefooki.exe
File created | C:\Windows\SysWOW64\Bdhhqk32.exe | Baildokg.exe
File opened for modification | C:\Windows\SysWOW64\Ikbgmj32.exe | Ihdkao32.exe
File created | C:\Windows\SysWOW64\Jbkpmm32.dll | Mcbjgn32.exe
File created | C:\Windows\SysWOW64\Jicdaj32.dll | Qlkdkd32.exe
File opened for modification | C:\Windows\SysWOW64\Ckafbbph.exe | Cgejac32.exe
File created | C:\Windows\SysWOW64\Jfiale32.exe | Jqlhdo32.exe
File opened for modification | C:\Windows\SysWOW64\Pdaoog32.exe | Pfoocjfd.exe
File opened for modification | C:\Windows\SysWOW64\Pfjbgnme.exe | Pggbla32.exe
File created | C:\Windows\SysWOW64\Leajdfnm.exe | Lflmci32.exe
File opened for modification | C:\Windows\SysWOW64\Jonplmcb.exe | Jkbcln32.exe
File opened for modification | C:\Windows\SysWOW64\Kfegbj32.exe | Kcfkfo32.exe
File created | C:\Windows\SysWOW64\Mpioaoic.dll | Qbcpbo32.exe
File created | C:\Windows\SysWOW64\Giaekk32.dll | Bkommo32.exe
File created | C:\Windows\SysWOW64\Ckffgg32.exe | Chhjkl32.exe
File opened for modification | C:\Windows\SysWOW64\Kilfcpqm.exe | Kbbngf32.exe
File created | C:\Windows\SysWOW64\Bpleef32.exe | Bkommo32.exe
File created | C:\Windows\SysWOW64\Ebjglbml.exe | Echfaf32.exe
File created | C:\Windows\SysWOW64\Fikejl32.exe | Fnfamcoj.exe
File opened for modification | C:\Windows\SysWOW64\Mpmapm32.exe | Mmneda32.exe
File created | C:\Windows\SysWOW64\Kcihlong.exe | Kfegbj32.exe
File created | C:\Windows\SysWOW64\Baakhm32.exe | Bppoqeja.exe
Program crash (1 IoC)
pid | pid_target | Process
4732 | 4700 | WerFault.exe
Modifies registry class (64 IoCs)
All 64 rows touch the InProcServer32 subkey of the same CLSID that the SSODL value above points at. The "Key created" and "ThreadingModel" rows are grouped by IoC; each default-value row names the DLL a process registered as the COM server for that CLSID.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Laegiq32.exe, Aekodi32.exe, Ifkacb32.exe, Coklgg32.exe, Ndmjedoi.exe, Kcakaipc.exe, Ckffgg32.exe, Ikbgmj32.exe, Ljkomfjl.exe, Heihnoph.exe, Maedhd32.exe, Chhjkl32.exe, Kaceodek.exe, Alpmfdcb.exe, Kbqecg32.exe, Ofjfhk32.exe, Fhneehek.exe, Fncdgcqm.exe, Pamiog32.exe, Ajhgmpfg.exe (20 rows)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ddigjkid.exe, Jfknbe32.exe, Inljnfkg.exe, Ilncom32.exe, Baqbenep.exe, Abmibdlh.exe, Idmhkpml.exe, Bjijdadm.exe, Ofjfhk32.exe, Mgalqkbk.exe, Qcpofbjl.exe, Ndemjoae.exe, Hknach32.exe, Kaceodek.exe, Gaemjbcg.exe, Mpdnkb32.exe, Ajejgp32.exe, Pabjem32.exe (18 rows)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndpaod32.dll" | Jmhmpb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopgmbf.dll" | Nncahjgl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oceaboqg.dll" | Nhiffc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnpcnhmk.dll" | Gbomfe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmddhkao.dll" | Bbdocc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loclnq32.dll" | Jkpgfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkkgcp32.dll" | Bdlblj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjgkqaa.dll" | Ngfflj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmqjgdc.dll" | Pggbla32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elgpfqll.dll" | Pabjem32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aonghnnp.dll" | Nehmdhja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdnjb32.dll" | Gifhnpea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjbelmp.dll" | Kilfcpqm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdnfbe32.dll" | Kaceodek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckchjmoo.dll" | Lpbefoai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchkpi32.dll" | Ejkima32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iklgpmjo.dll" | Cgmkmecg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbnipnaf.dll" | Haiccald.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqmicng.dll" | Nefpnhlc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbaoqk32.dll" | Iblpjdpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obdkcckg.dll" | Mlibjc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqdgapkm.dll" | Jnicmdli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nafmbhpm.dll" | Jfiale32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll" | Hellne32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpicol32.dll" | Cngcjo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaklqfem.dll" | Djmicm32.exe
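Added example, not code from the sandbox report: a script that joins the three IoC families above (the SSODL value, the CLSID's InProcServer32 default value, and the "File created" rows) so the persistence chain reads as value name -> CLSID -> DLL -> process that dropped the DLL. Its strongest finding is a process that both dropped a DLL into SysWOW64 and pointed the CLSID at it. The sample rows are a constructed subset copied from the tables above; the regexes and the path normalization are this example's assumptions about the report's "description ioc Process" row layout.

```python
"""Join sandbox IoC rows into one SSODL persistence chain:
SSODL value name -> CLSID -> InProcServer32 DLL -> process that dropped the DLL.

Added example; the regexes below are an assumption about the report's row layout.
"""
import re
from collections import defaultdict

# Constructed sample: rows copied from the report's three IoC tables.
SAMPLE_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncjqhmkm.exe',
    r'Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnaocmmi.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndpaod32.dll" Jmhmpb32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oceaboqg.dll" Nhiffc32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elgpfqll.dll" Pabjem32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddigjkid.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laegiq32.exe',
    r'File created C:\Windows\SysWOW64\Ndpaod32.dll Jmhmpb32.exe',
    r'File created C:\Windows\SysWOW64\Oceaboqg.dll Nhiffc32.exe',
    r'File created C:\Windows\SysWOW64\Banepo32.exe Bkdmcdoe.exe',
]

# "Set value" rows under ShellServiceObjectDelayLoad: value name -> CLSID.
SSODL_RE = re.compile(
    r'^Set value \(str\) .*\\ShellServiceObjectDelayLoad\\(?P<name>.+?) = '
    r'"(?P<clsid>\{[^}]+\})" (?P<proc>\S+)$'
)
# The CLSID's InProcServer32 default value, i.e. the DLL COM will load.
# ThreadingModel rows do not match because "\ = " must follow InProcServer32.
INPROC_RE = re.compile(
    r'^Set value \(str\) .*\\CLSID\\(?P<clsid>\{[^}]+\})\\InProcServer32\\ = '
    r'"(?P<path>[^"]+)" (?P<proc>\S+)$'
)
FILE_RE = re.compile(r'^File created (?P<path>\S+) (?P<proc>\S+)$')


def norm_path(p):
    # Registry rows show doubled backslashes (C:\\Windows) and spell "SysWow64";
    # file rows show single backslashes and "SysWOW64". NTFS paths are
    # case-insensitive, so collapse both differences before joining.
    return p.replace("\\\\", "\\").casefold()


def correlate(lines):
    """Return one finding per (SSODL value, DLL registered for its CLSID) pair."""
    ssodl = {}                    # value name -> (clsid, process that set it)
    servers = defaultdict(list)   # clsid -> [(dll path, process that registered it)]
    dropped = {}                  # dll path -> process that created the file
    for line in lines:
        if m := SSODL_RE.match(line):
            ssodl[m["name"]] = (m["clsid"].upper(), m["proc"])
        elif m := INPROC_RE.match(line):
            servers[m["clsid"].upper()].append((norm_path(m["path"]), m["proc"]))
        elif m := FILE_RE.match(line):
            dropped[norm_path(m["path"])] = m["proc"]
    findings = []
    for name, (clsid, setter) in ssodl.items():
        for dll, registrar in servers.get(clsid, []):
            creator = dropped.get(dll)
            findings.append({
                "ssodl_name": name, "clsid": clsid, "set_by": setter,
                "dll": dll, "registered_by": registrar, "dropped_by": creator,
                # Strongest signal: one process dropped the DLL and registered it.
                "self_registered": creator == registrar,
            })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_IOCS):
        flag = "DROPPED+REGISTERED" if f["self_registered"] else "registered only"
        print(f'{f["ssodl_name"]} -> {f["clsid"]} -> {f["dll"]} [{flag}]')
```

Two caveats when using this on a real report: each IoC table is capped at 64 rows, so a DLL without a matching "File created" row (Elgpfqll.dll in the sample) is not evidence that it was never dropped, only that the row fell outside the cap; and the join keys on the CLSID, not on the value name, because the value name ("Web Event Logger") is attacker-chosen and can be changed between samples while the CLSID is what COM actually resolves.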
Suspicious use of WriteProcessMemory (64 IoCs)
The 64 rows are the 16 parent/child pairs below, each logged four times.
description | pid | Process | procid_target
PID 2836 wrote to memory of 2016 | 2836 | 17555c33d04c9f1ce554a402a8ac561a80c7bd187e22bca341e91c0455c6f3b8.exe | 28
PID 2016 wrote to memory of 2468 | 2016 | Pabjem32.exe | 29
PID 2468 wrote to memory of 2520 | 2468 | Qdccfh32.exe | 30
PID 2520 wrote to memory of 2616 | 2520 | Aplpai32.exe | 31
PID 2616 wrote to memory of 2496 | 2616 | Abmibdlh.exe | 32
PID 2496 wrote to memory of 2376 | 2496 | Aigaon32.exe | 33
PID 2376 wrote to memory of 2104 | 2376 | Bbdocc32.exe | 34
PID 2104 wrote to memory of 2744 | 2104 | Bingpmnl.exe | 35
PID 2744 wrote to memory of 352 | 2744 | Baildokg.exe | 36
PID 352 wrote to memory of 1760 | 352 | Bdhhqk32.exe | 37
PID 1760 wrote to memory of 328 | 1760 | Bloqah32.exe | 38
PID 328 wrote to memory of 1456 | 328 | Bommnc32.exe | 39
PID 1456 wrote to memory of 1260 | 1456 | Bhfagipa.exe | 40
PID 1260 wrote to memory of 2156 | 1260 | Bkdmcdoe.exe | 41
PID 2156 wrote to memory of 1264 | 2156 | Banepo32.exe | 42
PID 1264 wrote to memory of 748 | 1264 | Bdlblj32.exe | 43
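Added example, not code from the sandbox report: rebuilding the process lineage from the WriteProcessMemory rows above and the "Executes dropped EXE" pid table, deduplicating the repeated writes and checking that every process has exactly one child, which is what distinguishes this linear dropper chain from a fan-out injector. The sample rows are a constructed subset copied from the two tables (the four-fold repetition is kept only for the first two edges to keep it short); the regexes are this example's assumptions about the row layout.

```python
"""Rebuild a parent -> child chain from "PID a wrote to memory of b" rows and
resolve pids to names with the "Executes dropped EXE" table.

Added example; the regexes are an assumption about the report's row layout.
"""
import re
from collections import Counter, defaultdict

# Row layout: description ("PID <src> wrote to memory of <dst>"), pid, Process, procid_target.
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<proc>\S+) (?P<target>\d+)$"
)
PID_RE = re.compile(r"(\d+) (\S+\.exe)")

# Constructed sample copied from the report; only the first two edges keep the
# four repeated rows that the report shows for every edge.
SAMPLE_WPM = (
    ["PID 2836 wrote to memory of 2016 2836 17555c33d04c9f1ce554a402a8ac561a80c7bd187e22bca341e91c0455c6f3b8.exe 28"] * 4
    + ["PID 2016 wrote to memory of 2468 2016 Pabjem32.exe 29"] * 4
    + [
        "PID 2468 wrote to memory of 2520 2468 Qdccfh32.exe 30",
        "PID 2520 wrote to memory of 2616 2520 Aplpai32.exe 31",
        "PID 2616 wrote to memory of 2496 2616 Abmibdlh.exe 32",
        "PID 2496 wrote to memory of 2376 2496 Aigaon32.exe 33",
        "PID 2376 wrote to memory of 2104 2376 Bbdocc32.exe 34",
        "PID 2104 wrote to memory of 2744 2104 Bingpmnl.exe 35",
        "PID 2744 wrote to memory of 352 2744 Baildokg.exe 36",
        "PID 352 wrote to memory of 1760 352 Bdhhqk32.exe 37",
        "PID 1760 wrote to memory of 328 1760 Bloqah32.exe 38",
        "PID 328 wrote to memory of 1456 328 Bommnc32.exe 39",
        "PID 1456 wrote to memory of 1260 1456 Bhfagipa.exe 40",
        "PID 1260 wrote to memory of 2156 1260 Bkdmcdoe.exe 41",
        "PID 2156 wrote to memory of 1264 2156 Banepo32.exe 42",
        "PID 1264 wrote to memory of 748 1264 Bdlblj32.exe 43",
    ]
)
# "Executes dropped EXE" rows for the pids above. Pid 748 is only named here:
# the WriteProcessMemory table is capped at 64 rows and stops at the 1264 -> 748 write.
SAMPLE_PIDS = (
    "2016 Pabjem32.exe 2468 Qdccfh32.exe 2520 Aplpai32.exe 2616 Abmibdlh.exe "
    "2496 Aigaon32.exe 2376 Bbdocc32.exe 2104 Bingpmnl.exe 2744 Baildokg.exe "
    "352 Bdhhqk32.exe 1760 Bloqah32.exe 328 Bommnc32.exe 1456 Bhfagipa.exe "
    "1260 Bkdmcdoe.exe 2156 Banepo32.exe 1264 Bdlblj32.exe 748 Bgknheej.exe"
)


def parse(wpm_lines, pid_table):
    """Return (pid -> name, parent -> {children}, (parent, child) -> write count)."""
    names = {int(pid): name for pid, name in PID_RE.findall(pid_table)}
    children = defaultdict(set)
    writes = Counter()
    for line in wpm_lines:
        m = WPM_RE.match(line)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        names.setdefault(src, m["proc"])   # the writer's own name is in the row
        children[src].add(dst)
        writes[(src, dst)] += 1
    return names, children, writes


def linear_chain(children, root):
    """Follow the unique child from root; stop at a fork, a leaf, or a cycle."""
    chain, seen = [root], {root}
    while len(children.get(chain[-1], ())) == 1:
        (nxt,) = children[chain[-1]]
        if nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def named_chain(wpm_lines, pid_table, root):
    names, children, _ = parse(wpm_lines, pid_table)
    return [names.get(pid, f"<pid {pid}>") for pid in linear_chain(children, root)]


if __name__ == "__main__":
    names, children, writes = parse(SAMPLE_WPM, SAMPLE_PIDS)
    print(" -> ".join(named_chain(SAMPLE_WPM, SAMPLE_PIDS, 2836)))
    print("forks:", [p for p, c in children.items() if len(c) > 1])
    print("writes per edge:", dict(writes))
```

A chain where every node has exactly one child and the names are all eight-letter SysWOW64 executables is the signature of this family's drop-and-execute loop; a fork (one parent writing into several children) would point at something else, such as injection into existing processes, and is worth inspecting separately.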
Processes
-
depth  PID   image (command line as launched)  signatures
1      2836  C:\Users\Admin\AppData\Local\Temp\17555c33d04c9f1ce554a402a8ac561a80c7bd187e22bca341e91c0455c6f3b8.exe ("C:\Users\Admin\AppData\Local\Temp\17555c33d04c9f1ce554a402a8ac561a80c7bd187e22bca341e91c0455c6f3b8.exe")  Loads dropped DLL; Suspicious use of WriteProcessMemory
2      2016  C:\Windows\SysWOW64\Pabjem32.exe (C:\Windows\system32\Pabjem32.exe)  Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
3      2468  C:\Windows\SysWOW64\Qdccfh32.exe (C:\Windows\system32\Qdccfh32.exe)  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4      2520  C:\Windows\SysWOW64\Aplpai32.exe (C:\Windows\system32\Aplpai32.exe)  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5      2616  C:\Windows\SysWOW64\Abmibdlh.exe (C:\Windows\system32\Abmibdlh.exe)  Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
6      2496  C:\Windows\SysWOW64\Aigaon32.exe (C:\Windows\system32\Aigaon32.exe)  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7      2376  C:\Windows\SysWOW64\Bbdocc32.exe (C:\Windows\system32\Bbdocc32.exe)  Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
8      2104  C:\Windows\SysWOW64\Bingpmnl.exe (C:\Windows\system32\Bingpmnl.exe)  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9      2744  C:\Windows\SysWOW64\Baildokg.exe (C:\Windows\system32\Baildokg.exe)  Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
10     352   C:\Windows\SysWOW64\Bdhhqk32.exe (C:\Windows\system32\Bdhhqk32.exe)  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11     1760  C:\Windows\SysWOW64\Bloqah32.exe (C:\Windows\system32\Bloqah32.exe)  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12     328   C:\Windows\SysWOW64\Bommnc32.exe (C:\Windows\system32\Bommnc32.exe)  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13     1456  C:\Windows\SysWOW64\Bhfagipa.exe (C:\Windows\system32\Bhfagipa.exe)  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14     1260  C:\Windows\SysWOW64\Bkdmcdoe.exe (C:\Windows\system32\Bkdmcdoe.exe)  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
15     2156  C:\Windows\SysWOW64\Banepo32.exe (C:\Windows\system32\Banepo32.exe)  Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
16     1264  C:\Windows\SysWOW64\Bdlblj32.exe (C:\Windows\system32\Bdlblj32.exe)  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
17     748   C:\Windows\SysWOW64\Bgknheej.exe (C:\Windows\system32\Bgknheej.exe)  Executes dropped EXE; Loads dropped DLL
18     836   C:\Windows\SysWOW64\Bjijdadm.exe (C:\Windows\system32\Bjijdadm.exe)  Executes dropped EXE; Loads dropped DLL; Modifies registry class
19     1676  C:\Windows\SysWOW64\Baqbenep.exe (C:\Windows\system32\Baqbenep.exe)  Executes dropped EXE; Loads dropped DLL; Modifies registry class
20     684   C:\Windows\SysWOW64\Bdooajdc.exe (C:\Windows\system32\Bdooajdc.exe)  Executes dropped EXE; Loads dropped DLL
21     2800  C:\Windows\SysWOW64\Cgmkmecg.exe (C:\Windows\system32\Cgmkmecg.exe)  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class
22     1692  C:\Windows\SysWOW64\Cngcjo32.exe (C:\Windows\system32\Cngcjo32.exe)  Executes dropped EXE; Loads dropped DLL; Modifies registry class
23     1680  C:\Windows\SysWOW64\Cpeofk32.exe (C:\Windows\system32\Cpeofk32.exe)  Executes dropped EXE; Loads dropped DLL
24     2980  C:\Windows\SysWOW64\Ccdlbf32.exe (C:\Windows\system32\Ccdlbf32.exe)  Executes dropped EXE; Loads dropped DLL
25     272   C:\Windows\SysWOW64\Cfbhnaho.exe (C:\Windows\system32\Cfbhnaho.exe)  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
26     1944  C:\Windows\SysWOW64\Cllpkl32.exe (C:\Windows\system32\Cllpkl32.exe)  Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
27     2924  C:\Windows\SysWOW64\Coklgg32.exe (C:\Windows\system32\Coklgg32.exe)  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class
28     852   C:\Windows\SysWOW64\Cfeddafl.exe (C:\Windows\system32\Cfeddafl.exe)  Executes dropped EXE; Loads dropped DLL
29     2568  C:\Windows\SysWOW64\Chcqpmep.exe (C:\Windows\system32\Chcqpmep.exe)  Executes dropped EXE; Loads dropped DLL
30     2956  C:\Windows\SysWOW64\Comimg32.exe (C:\Windows\system32\Comimg32.exe)  Executes dropped EXE; Loads dropped DLL
31     2940  C:\Windows\SysWOW64\Cbkeib32.exe (C:\Windows\system32\Cbkeib32.exe)  Executes dropped EXE; Loads dropped DLL
32     2476  C:\Windows\SysWOW64\Chemfl32.exe (C:\Windows\system32\Chemfl32.exe)  Executes dropped EXE; Loads dropped DLL
33     2500  C:\Windows\SysWOW64\Ckdjbh32.exe (C:\Windows\system32\Ckdjbh32.exe)  Executes dropped EXE
34     2344  C:\Windows\SysWOW64\Cckace32.exe (C:\Windows\system32\Cckace32.exe)  Executes dropped EXE
35     1420  C:\Windows\SysWOW64\Chhjkl32.exe (C:\Windows\system32\Chhjkl32.exe)  Executes dropped EXE; Drops file in System32 directory; Modifies registry class
36     2716  C:\Windows\SysWOW64\Ckffgg32.exe (C:\Windows\system32\Ckffgg32.exe)  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
37     300   C:\Windows\SysWOW64\Dbpodagk.exe (C:\Windows\system32\Dbpodagk.exe)  Executes dropped EXE; Drops file in System32 directory
38     2332  C:\Windows\SysWOW64\Dflkdp32.exe (C:\Windows\system32\Dflkdp32.exe)  Executes dropped EXE
39     1712  C:\Windows\SysWOW64\Dhjgal32.exe (C:\Windows\system32\Dhjgal32.exe)  Executes dropped EXE
40     1740  C:\Windows\SysWOW64\Gaemjbcg.exe (C:\Windows\system32\Gaemjbcg.exe)  Executes dropped EXE; Modifies registry class
41     988   C:\Windows\SysWOW64\Gphmeo32.exe (C:\Windows\system32\Gphmeo32.exe)  Executes dropped EXE
42     2172  C:\Windows\SysWOW64\Hknach32.exe (C:\Windows\system32\Hknach32.exe)  Executes dropped EXE; Modifies registry class
43     448   C:\Windows\SysWOW64\Hahjpbad.exe (C:\Windows\system32\Hahjpbad.exe)  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
44     980   C:\Windows\SysWOW64\Hlakpp32.exe (C:\Windows\system32\Hlakpp32.exe)  Executes dropped EXE
45     1544  C:\Windows\SysWOW64\Hckcmjep.exe (C:\Windows\system32\Hckcmjep.exe)  Executes dropped EXE
46     1756  C:\Windows\SysWOW64\Hnagjbdf.exe (C:\Windows\system32\Hnagjbdf.exe)  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
47     1948  C:\Windows\SysWOW64\Hellne32.exe (C:\Windows\system32\Hellne32.exe)  Executes dropped EXE; Modifies registry class
48     2248  C:\Windows\SysWOW64\Hkkalk32.exe (C:\Windows\system32\Hkkalk32.exe)  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
49     3052  C:\Windows\SysWOW64\Icbimi32.exe (C:\Windows\system32\Icbimi32.exe)  Executes dropped EXE
50     2432  C:\Windows\SysWOW64\Inljnfkg.exe (C:\Windows\system32\Inljnfkg.exe)  Executes dropped EXE; Modifies registry class
51     2948  C:\Windows\SysWOW64\Idfbkq32.exe (C:\Windows\system32\Idfbkq32.exe)  Executes dropped EXE
52     3064  C:\Windows\SysWOW64\Igdogl32.exe (C:\Windows\system32\Igdogl32.exe)  Executes dropped EXE
53     1648  C:\Windows\SysWOW64\Iqmcpahh.exe (C:\Windows\system32\Iqmcpahh.exe)  Executes dropped EXE; Drops file in System32 directory
54     2620  C:\Windows\SysWOW64\Ihdkao32.exe (C:\Windows\system32\Ihdkao32.exe)  Executes dropped EXE; Drops file in System32 directory
55     3012  C:\Windows\SysWOW64\Ikbgmj32.exe (C:\Windows\system32\Ikbgmj32.exe)  Executes dropped EXE; Modifies registry class
56     2976  C:\Windows\SysWOW64\Iblpjdpk.exe (C:\Windows\system32\Iblpjdpk.exe)  Executes dropped EXE; Modifies registry class
57     1204  C:\Windows\SysWOW64\Icmlam32.exe (C:\Windows\system32\Icmlam32.exe)  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
58     2336  C:\Windows\SysWOW64\Idmhkpml.exe (C:\Windows\system32\Idmhkpml.exe)  Executes dropped EXE; Modifies registry class
59     2696  C:\Windows\SysWOW64\Ifnechbj.exe (C:\Windows\system32\Ifnechbj.exe)  Executes dropped EXE
60     1548  C:\Windows\SysWOW64\Jmhmpb32.exe (C:\Windows\system32\Jmhmpb32.exe)  Executes dropped EXE; Drops file in System32 directory; Modifies registry class
61     1136  C:\Windows\SysWOW64\Jofiln32.exe (C:\Windows\system32\Jofiln32.exe)  Executes dropped EXE
62     2012  C:\Windows\SysWOW64\Jjlnif32.exe (C:\Windows\system32\Jjlnif32.exe)  Executes dropped EXE
63     360   C:\Windows\SysWOW64\Jmjjea32.exe (C:\Windows\system32\Jmjjea32.exe)  Executes dropped EXE
64     1868  C:\Windows\SysWOW64\Jkpgfn32.exe (C:\Windows\system32\Jkpgfn32.exe)  Executes dropped EXE; Modifies registry class
65     2776  C:\Windows\SysWOW64\Jokcgmee.exe (C:\Windows\system32\Jokcgmee.exe)  Executes dropped EXE
66     2748  C:\Windows\SysWOW64\Jbjochdi.exe (C:\Windows\system32\Jbjochdi.exe)  Drops file in System32 directory
67     840   C:\Windows\SysWOW64\Jkbcln32.exe (C:\Windows\system32\Jkbcln32.exe)  Drops file in System32 directory
68     1664  C:\Windows\SysWOW64\Jonplmcb.exe (C:\Windows\system32\Jonplmcb.exe)
69     2080  C:\Windows\SysWOW64\Joplbl32.exe (C:\Windows\system32\Joplbl32.exe)
70     1672  C:\Windows\SysWOW64\Jbnhng32.exe (C:\Windows\system32\Jbnhng32.exe)
71     800   C:\Windows\SysWOW64\Kjjmbj32.exe (C:\Windows\system32\Kjjmbj32.exe)  Adds autorun key to be loaded by Explorer.exe on startup
72     2840  C:\Windows\SysWOW64\Kbqecg32.exe (C:\Windows\system32\Kbqecg32.exe)  Modifies registry class
73     1604  C:\Windows\SysWOW64\Kaceodek.exe (C:\Windows\system32\Kaceodek.exe)  Modifies registry class
74     2624  C:\Windows\SysWOW64\Kkijmm32.exe (C:\Windows\system32\Kkijmm32.exe)
75     2852  C:\Windows\SysWOW64\Kngfih32.exe (C:\Windows\system32\Kngfih32.exe)
76     2396  C:\Windows\SysWOW64\Kcdnao32.exe (C:\Windows\system32\Kcdnao32.exe)  Drops file in System32 directory
77     2308  C:\Windows\SysWOW64\Kahojc32.exe (C:\Windows\system32\Kahojc32.exe)
78     2968  C:\Windows\SysWOW64\Kcfkfo32.exe (C:\Windows\system32\Kcfkfo32.exe)  Drops file in System32 directory
79     1256  C:\Windows\SysWOW64\Kfegbj32.exe (C:\Windows\system32\Kfegbj32.exe)  Drops file in System32 directory
80     1632  C:\Windows\SysWOW64\Kcihlong.exe (C:\Windows\system32\Kcihlong.exe)  Drops file in System32 directory
81     2656  C:\Windows\SysWOW64\Kmaled32.exe (C:\Windows\system32\Kmaled32.exe)
82     2416  C:\Windows\SysWOW64\Lpphap32.exe (C:\Windows\system32\Lpphap32.exe)
83     672   C:\Windows\SysWOW64\Lckdanld.exe (C:\Windows\system32\Lckdanld.exe)
84     1536  C:\Windows\SysWOW64\Lpbefoai.exe (C:\Windows\system32\Lpbefoai.exe)  Modifies registry class
85     1276  C:\Windows\SysWOW64\Loeebl32.exe (C:\Windows\system32\Loeebl32.exe)  Adds autorun key to be loaded by Explorer.exe on startup
86     2240  C:\Windows\SysWOW64\Lflmci32.exe (C:\Windows\system32\Lflmci32.exe)  Drops file in System32 directory
87     1220  C:\Windows\SysWOW64\Leajdfnm.exe (C:\Windows\system32\Leajdfnm.exe)
88     1612  C:\Windows\SysWOW64\Lhpfqama.exe (C:\Windows\system32\Lhpfqama.exe)
89     1448  C:\Windows\SysWOW64\Lkncmmle.exe (C:\Windows\system32\Lkncmmle.exe)  Drops file in System32 directory
90     2652  C:\Windows\SysWOW64\Lbeknj32.exe (C:\Windows\system32\Lbeknj32.exe)  Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
91     2120  C:\Windows\SysWOW64\Lahkigca.exe (C:\Windows\system32\Lahkigca.exe)  Adds autorun key to be loaded by Explorer.exe on startup
92     1752  C:\Windows\SysWOW64\Llnofpcg.exe (C:\Windows\system32\Llnofpcg.exe)
93     1640  C:\Windows\SysWOW64\Lkppbl32.exe (C:\Windows\system32\Lkppbl32.exe)  Drops file in System32 directory
94     2588  C:\Windows\SysWOW64\Lollckbk.exe (C:\Windows\system32\Lollckbk.exe)
95     992   C:\Windows\SysWOW64\Mggpgmof.exe (C:\Windows\system32\Mggpgmof.exe)
96     1268  C:\Windows\SysWOW64\Mkclhl32.exe (C:\Windows\system32\Mkclhl32.exe)  Adds autorun key to be loaded by Explorer.exe on startup
97     2876  C:\Windows\SysWOW64\Mmahdggc.exe (C:\Windows\system32\Mmahdggc.exe)
98     2196  C:\Windows\SysWOW64\Mamddf32.exe (C:\Windows\system32\Mamddf32.exe)
99     2152  C:\Windows\SysWOW64\Mppepcfg.exe (C:\Windows\system32\Mppepcfg.exe)
100    2220  C:\Windows\SysWOW64\Mihiih32.exe (C:\Windows\system32\Mihiih32.exe)  Adds autorun key to be loaded by Explorer.exe on startup
101    2996  C:\Windows\SysWOW64\Maoajf32.exe (C:\Windows\system32\Maoajf32.exe)
102    892   C:\Windows\SysWOW64\Mlibjc32.exe (C:\Windows\system32\Mlibjc32.exe)  Adds autorun key to be loaded by Explorer.exe on startup
103    764   C:\Windows\SysWOW64\Mlibjc32.exe (C:\Windows\system32\Mlibjc32.exe)  Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
104    2764  C:\Windows\SysWOW64\Mpdnkb32.exe (C:\Windows\system32\Mpdnkb32.exe)  Drops file in System32 directory; Modifies registry class
105    2988  C:\Windows\SysWOW64\Mcbjgn32.exe (C:\Windows\system32\Mcbjgn32.exe)  Drops file in System32 directory
106    704   C:\Windows\SysWOW64\Nolhan32.exe (C:\Windows\system32\Nolhan32.exe)
107    2712  C:\Windows\SysWOW64\Najdnj32.exe (C:\Windows\system32\Najdnj32.exe)  Adds autorun key to be loaded by Explorer.exe on startup
108    2536  C:\Windows\SysWOW64\Nefpnhlc.exe (C:\Windows\system32\Nefpnhlc.exe)  Modifies registry class
109    2896  C:\Windows\SysWOW64\Nialog32.exe (C:\Windows\system32\Nialog32.exe)
110    1564  C:\Windows\SysWOW64\Nlphkb32.exe (C:\Windows\system32\Nlphkb32.exe)
111    2708  C:\Windows\SysWOW64\Ncjqhmkm.exe (C:\Windows\system32\Ncjqhmkm.exe)  Adds autorun key to be loaded by Explorer.exe on startup
112    2164  C:\Windows\SysWOW64\Nehmdhja.exe (C:\Windows\system32\Nehmdhja.exe)  Modifies registry class
113    1364  C:\Windows\SysWOW64\Ndkmpe32.exe (C:\Windows\system32\Ndkmpe32.exe)
114    536   C:\Windows\SysWOW64\Nncahjgl.exe (C:\Windows\system32\Nncahjgl.exe)  Modifies registry class
115    1628  C:\Windows\SysWOW64\Nejiih32.exe (C:\Windows\system32\Nejiih32.exe)
116    1764  C:\Windows\SysWOW64\Ndmjedoi.exe (C:\Windows\system32\Ndmjedoi.exe)  Modifies registry class
117    1668  C:\Windows\SysWOW64\Nhiffc32.exe (C:\Windows\system32\Nhiffc32.exe)  Drops file in System32 directory; Modifies registry class
118    2820  C:\Windows\SysWOW64\Njlockkm.exe (C:\Windows\system32\Njlockkm.exe)
119    1428  C:\Windows\SysWOW64\Nacgdhlp.exe (C:\Windows\system32\Nacgdhlp.exe)
120    2400  C:\Windows\SysWOW64\Olmhdf32.exe (C:\Windows\system32\Olmhdf32.exe)
121    1992  C:\Windows\SysWOW64\Oddpfc32.exe (C:\Windows\system32\Oddpfc32.exe)  Drops file in System32 directory
122    1440  C:\Windows\SysWOW64\Ogblbo32.exe (C:\Windows\system32\Ogblbo32.exe)
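The WriteProcessMemory rows and the process tree above describe one pattern: each dropped EXE starts the next one and writes into that child before it runs, so the whole report is a single straight chain of droppers rather than injection into unrelated processes. The Python below is an added example, not code from the report or from the sandbox that produced it. It parses rows in the report's own "PID <src> wrote to memory of <dst> <src> <image> <n>" form and (depth, image, PID) tree entries (both constructed here from the Baildokg.exe to Bgknheej.exe stretch of the tables above), collapses the repeated rows, derives each process's parent from the depth numbers, and classifies every write as parent-into-own-child staging or as a write into some other process. The one row marked as constructed in `main` is not from the report; it exists only to show the flagged path.

```python
"""Rebuild the dropper chain from the flattened sandbox tables.

Added example: not code from the report or its sandbox. The inputs below are
constructed from the report's own rows; nothing is fetched from anywhere.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# One row of the WriteProcessMemory table, as the report prints it:
#   PID <src> wrote to memory of <dst> <src> <src image> <n>
# The trailing number is the report's own row index; it is parsed but not used.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")

# Constructed from the table for the Baildokg.exe .. Bdlblj32.exe writers; the
# sandbox repeats each row, so two are left repeated here to exercise the collapse.
WPM_ROWS = """
PID 2744 wrote to memory of 352 2744 Baildokg.exe 36
PID 2744 wrote to memory of 352 2744 Baildokg.exe 36
PID 2744 wrote to memory of 352 2744 Baildokg.exe 36
PID 2744 wrote to memory of 352 2744 Baildokg.exe 36
PID 352 wrote to memory of 1760 352 Bdhhqk32.exe 37
PID 352 wrote to memory of 1760 352 Bdhhqk32.exe 37
PID 1760 wrote to memory of 328 1760 Bloqah32.exe 38
PID 328 wrote to memory of 1456 328 Bommnc32.exe 39
PID 1456 wrote to memory of 1260 1456 Bhfagipa.exe 40
PID 1260 wrote to memory of 2156 1260 Bkdmcdoe.exe 41
PID 2156 wrote to memory of 1264 2156 Banepo32.exe 42
PID 1264 wrote to memory of 748 1264 Bdlblj32.exe 43
"""

# (depth, image, pid) for the matching stretch of the Processes tree; depth is the
# number the report prints before the arrow.
TREE_ROWS: List[Tuple[int, str, int]] = [
    (9, "Baildokg.exe", 2744), (10, "Bdhhqk32.exe", 352), (11, "Bloqah32.exe", 1760),
    (12, "Bommnc32.exe", 328), (13, "Bhfagipa.exe", 1456), (14, "Bkdmcdoe.exe", 1260),
    (15, "Banepo32.exe", 2156), (16, "Bdlblj32.exe", 1264), (17, "Bgknheej.exe", 748),
]

Edge = Tuple[int, int, str]          # (src pid, dst pid, src image)
Node = Tuple[str, Optional[int]]     # (image, parent pid)


def parse_wpm(text: str) -> "Counter[Edge]":
    """Collapse the repeated rows into (src, dst, image) -> number of rows."""
    edges: "Counter[Edge]" = Counter()
    for line in text.splitlines():
        m = WPM_RE.search(line)
        if not m:
            continue
        src, dst, src_col, image, _idx = m.groups()
        if src != src_col:  # the description and the pid column must agree
            raise ValueError(f"inconsistent row: {line!r}")
        edges[(int(src), int(dst), image)] += 1
    return edges


def build_tree(rows: List[Tuple[int, str, int]]) -> Dict[int, Node]:
    """pid -> (image, parent pid). A process's parent is the most recent row one
    level shallower; deeper stale rows are dropped so sibling subtrees work too."""
    last_at_depth: Dict[int, int] = {}
    tree: Dict[int, Node] = {}
    for depth, image, pid in rows:
        tree[pid] = (image, last_at_depth.get(depth - 1))
        for d in [d for d in last_at_depth if d > depth]:
            del last_at_depth[d]
        last_at_depth[depth] = pid
    return tree


def classify_writes(edges: "Counter[Edge]", tree: Dict[int, Node]):
    """Split writes into parent->own-child staging (the dropper pattern in this
    report) and writes into any other process, which deserve a closer look."""
    staged, foreign = [], []
    for (src, dst, image), n in edges.items():
        target = tree.get(dst)
        if target is not None and target[1] == src:
            staged.append((src, image, dst, target[0], n))
        else:
            foreign.append((src, image, dst, n))
    return staged, foreign


def chain(staged, start_pid: int) -> List[str]:
    """Follow parent->child writes from start_pid until a process writes nothing."""
    nxt = {src: (dst, dst_image) for src, _, dst, dst_image, _ in staged}
    first = {src: image for src, image, _, _, _ in staged}
    order, pid = [first[start_pid]], start_pid
    while pid in nxt:
        pid, image = nxt[pid]
        order.append(image)
    return order


if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    tree = build_tree(TREE_ROWS)
    staged, foreign = classify_writes(edges, tree)
    print(" -> ".join(chain(staged, 2744)))
    print("writes outside the tree:", foreign)
    # Constructed row, NOT from the report: a write into a pid the tree does not
    # list as the writer's child is reported instead of being folded into the chain.
    _, flagged = classify_writes(
        parse_wpm("PID 748 wrote to memory of 4000 748 Bgknheej.exe 99"), tree)
    print("flagged:", flagged)
```

Two things to keep in mind when reading the tree this way. Every dropped EXE is launched with a C:\Windows\system32 command line but runs from C:\Windows\SysWOW64; that is WoW64 file-system redirection for a 32-bit image on the x64 VM, not two copies of each file. And the signature tags thin out toward the end of the chain; that is most likely the report capping each signature's IoC list rather than the later droppers behaving differently, so treat a missing tag on a late process as unknown, not as absent.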