Analysis
max time kernel: 142s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/05/2024, 00:13
Static task: static1
Behavioral task: behavioral1
  Sample: a9595ee720cd6a52352378091a774baed7c5e6cb364bc896841aab84fcd35fd7.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: a9595ee720cd6a52352378091a774baed7c5e6cb364bc896841aab84fcd35fd7.exe
  Resource: win10v2004-20240226-en
General
Target: a9595ee720cd6a52352378091a774baed7c5e6cb364bc896841aab84fcd35fd7.exe
Size: 88KB
MD5: c2d805c34941d4ef9a65fc8a9978e719
SHA1: 4f5a99f6beb36ea09dcb9678f9135e1021be6982
SHA256: a9595ee720cd6a52352378091a774baed7c5e6cb364bc896841aab84fcd35fd7
SHA512: 5fa083394ad208e6f277889c0fb2fa4e6dbfd80d1fa70a1b3112089103f2a153f06be6e2e4900cc5b5826b4b77046b1dcdae6666f940922b75c4a9bc7a9c3b2d
SSDEEP: 1536:SnjLGz0qCntNRFPxrT5jN+Hc/yOI5xa+uH+QL5nouy8L:+jiz0qmnRFPxrT5jgHKE5xazeQLpoutL
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Columns: description, ioc, Process. All 64 rows touch the same ShellServiceObjectDelayLoad (SSODL) key and the same value, so they are grouped by operation below.
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}", written by 30 processes:
Hppeim32.exe, Kcjjhdjb.exe, Iqpclh32.exe, Jghhjq32.exe, Fjhmbihg.exe, Gcngafol.exe, Jglaepim.exe, Opnbae32.exe, Cdimqm32.exe, Kakmna32.exe, Bkibgh32.exe, Eincadmf.exe, Iepihf32.exe, Cajjjk32.exe, Cidgdg32.exe, Incdem32.exe, Infqklol.exe, Nalgbi32.exe, Bkdqdokk.exe, Mgobel32.exe, Nagpeo32.exe, Hbjoeojc.exe, Ndhgie32.exe, Megljppl.exe, Epaemojk.exe, Naaghoik.exe, Bqdlmo32.exe, Gqkajk32.exe, Bglgdi32.exe, Knenkbio.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, by 34 processes:
Hcembe32.exe, Gpmomo32.exe, Hjbhph32.exe, Hannao32.exe, Fpfholhc.exe, Ohfami32.exe, Nceefd32.exe, Cammjakm.exe, Jocnlg32.exe, Ecbeip32.exe, Icbbimih.exe, Oamgcm32.exe, Ohmepbki.exe, Nagpeo32.exe, Lcjldk32.exe, Mclhjkfa.exe, Pdbiphhi.exe, Mdaqhf32.exe, Cleqfb32.exe, Cgaqphgl.exe, Gjhonp32.exe, Bknlbhhe.exe, Dbocfo32.exe, Hebcao32.exe, Hhfpbpdo.exe, Lcnkli32.exe, Egaejeej.exe, Cajjjk32.exe, Mkgmoncl.exe, Oaejhh32.exe, Fiqjke32.exe, Gijmad32.exe, Nqmojd32.exe, Cmbgdl32.exe
UPX dump on OEP (original entry point) (64 IoCs)
yara_rule UPX matched the following dropped resources (each is behavioral2/files/<id>.dat):
0x000f00000002324d-6, 0x000800000002325c-14, 0x000700000002325e-22, 0x0007000000023260-25, 0x0007000000023262-38, 0x0007000000023264-46, 0x0007000000023266-54, 0x0007000000023268-62
0x000700000002326a-70, 0x000700000002326c-78, 0x000700000002326e-86, 0x0007000000023270-94, 0x0007000000023273-102, 0x0007000000023275-110, 0x0007000000023277-118, 0x0007000000023279-126
0x000700000002327b-134, 0x000700000002327d-142, 0x000700000002327f-150, 0x0007000000023281-158, 0x0007000000023283-161, 0x0007000000023285-174, 0x0007000000023287-182, 0x0007000000023289-190
0x000700000002328c-193, 0x000700000002328e-206, 0x0007000000023290-209, 0x0007000000023292-222, 0x0007000000023294-230, 0x0007000000023296-238, 0x0007000000023298-247, 0x000700000002329a-254
0x00070000000232a2-275, 0x00070000000232aa-299, 0x00070000000232b2-324, 0x00070000000232c0-366, 0x00070000000232ce-422, 0x00070000000232de-473, 0x00070000000232e6-497, 0x00070000000232ea-509
0x00070000000232e2-485, 0x00070000000232f6-548, 0x00070000000232fa-562, 0x0007000000023305-594, 0x0007000000023309-607, 0x0007000000023311-635, 0x0007000000023317-654, 0x000700000002331b-667
0x000700000002332f-727, 0x0007000000023355-855, 0x0007000000023367-917, 0x0007000000023371-952, 0x0007000000023381-1010, 0x0007000000023389-1040, 0x0007000000023395-1085, 0x000700000002339b-1109
0x0007000000023399-1100, 0x00070000000233a3-1138, 0x00070000000233bd-1233, 0x00070000000233c1-1247, 0x00070000000233cd-1289, 0x00070000000233d3-1311, 0x00070000000233d7-1324, 0x00070000000233e3-1366
Executes dropped EXE (64 IoCs)
Columns: pid, Process.
4104 Kgninn32.exe, 1248 Lddgmbpb.exe, 688 Lqkgbcff.exe, 4988 Ldipha32.exe, 3708 Lekmnajj.exe, 660 Mcqjon32.exe, 4380 Mgobel32.exe, 1436 Mgaokl32.exe
208 Mchppmij.exe, 532 Megljppl.exe, 228 Nclikl32.exe, 1300 Nlfnaicd.exe, 3452 Nmigoagp.exe, 1964 Nagpeo32.exe, 960 Najmjokc.exe, 4812 Ohfami32.exe
4964 Bepmoh32.exe, 1008 Coohhlpe.exe, 3044 Cfkmkf32.exe, 764 Cfnjpfcl.exe, 3392 Cljobphg.exe, 1288 Dokgdkeh.exe, 2248 Dkahilkl.exe, 2624 Dmcain32.exe
3148 Ekkkoj32.exe, 220 Eiahnnph.exe, 4604 Epmmqheb.exe, 944 Emanjldl.exe, 1652 Felbnn32.exe, 2268 Fpbflg32.exe, 2060 Fmhdkknd.exe, 1944 Fmkqpkla.exe
2140 Gfhndpol.exe, 3264 Gflhoo32.exe, 3608 Hedafk32.exe, 1524 Hbjoeojc.exe, 5044 Hfjdqmng.exe, 2168 Ifmqfm32.exe, 1136 Ifomll32.exe, 1516 Iojbpo32.exe
4712 Ipjoja32.exe, 2324 Imnocf32.exe, 1620 Iidphgcn.exe, 2108 Jiglnf32.exe, 1556 Jocefm32.exe, 3456 Jenmcggo.exe, 3940 Jofalmmp.exe, 5084 Jilfifme.exe
1704 Jcdjbk32.exe, 4624 Jphkkpbp.exe, 4640 Kcidmkpq.exe, 3648 Knenkbio.exe, 4500 Lfgipd32.exe, 3428 Mmmqhl32.exe, 2460 Nopfpgip.exe, 4392 Ncnofeof.exe
4452 Njjdho32.exe, 64 Nceefd32.exe, 4908 Opnbae32.exe, 720 Paeelgnj.exe, 3616 Pagbaglh.exe, 436 Paiogf32.exe, 4548 Pmpolgoi.exe, 3756 Pjdpelnc.exe
Drops file in System32 directory (64 IoCs)
Columns: description, ioc, Process.
File created C:\Windows\SysWOW64\Jfmekm32.exe Jmdqbg32.exe
File opened for modification C:\Windows\SysWOW64\Llngbabj.exe Lknjhokg.exe
File created C:\Windows\SysWOW64\Igghilhi.exe Hjbhph32.exe
File created C:\Windows\SysWOW64\Jqmicpbj.exe Jjcqffkm.exe
File opened for modification C:\Windows\SysWOW64\Ladhkmno.exe Lfodmdni.exe
File opened for modification C:\Windows\SysWOW64\Bqdlmo32.exe Bnfoac32.exe
File created C:\Windows\SysWOW64\Fdqekdcj.dll Cqiehnml.exe
File created C:\Windows\SysWOW64\Epmmqheb.exe Eiahnnph.exe
File created C:\Windows\SysWOW64\Aglmllpq.dll Iimcma32.exe
File created C:\Windows\SysWOW64\Gjmheb32.dll Iecmhlhb.exe
File created C:\Windows\SysWOW64\Cefoni32.exe Bfabmmhe.exe
File opened for modification C:\Windows\SysWOW64\Ijfkpnji.exe Hmbkfjko.exe
File created C:\Windows\SysWOW64\Jmjdlb32.dll Klgqabib.exe
File created C:\Windows\SysWOW64\Jffokn32.exe Iaifbg32.exe
File opened for modification C:\Windows\SysWOW64\Omlkmign.exe Ohobebig.exe
File created C:\Windows\SysWOW64\Kiljgf32.dll Cljobphg.exe
File created C:\Windows\SysWOW64\Jekjcaef.exe Jpnakk32.exe
File created C:\Windows\SysWOW64\Jlgfga32.dll Kcjjhdjb.exe
File created C:\Windows\SysWOW64\Icbcjhfb.dll Opbean32.exe
File opened for modification C:\Windows\SysWOW64\Cacmpj32.exe Cgmhcaac.exe
File created C:\Windows\SysWOW64\Kocphojh.exe Kejloi32.exe
File opened for modification C:\Windows\SysWOW64\Icqmncof.exe Incdem32.exe
File created C:\Windows\SysWOW64\Pnlcdg32.exe Pgbkgmao.exe
File created C:\Windows\SysWOW64\Polnbakm.dll Ahkkhnpg.exe
File created C:\Windows\SysWOW64\Bkcjjhgp.exe Bqnemp32.exe
File created C:\Windows\SysWOW64\Ekfjcc32.dll Ifmqfm32.exe
File created C:\Windows\SysWOW64\Ppadalgj.dll Kheekkjl.exe
File created C:\Windows\SysWOW64\Pcpgmf32.exe Okmpqjad.exe
File created C:\Windows\SysWOW64\Cibkonhf.dll Dpihbjmg.exe
File created C:\Windows\SysWOW64\Pagbaglh.exe Paeelgnj.exe
File opened for modification C:\Windows\SysWOW64\Dqnjgl32.exe Dkndie32.exe
File created C:\Windows\SysWOW64\Cajjjk32.exe Bagmdllg.exe
File opened for modification C:\Windows\SysWOW64\Npadcfnl.exe Niglfl32.exe
File opened for modification C:\Windows\SysWOW64\Egohdegl.exe Dhikci32.exe
File created C:\Windows\SysWOW64\Foniaq32.dll Kofdhd32.exe
File created C:\Windows\SysWOW64\Qhfaig32.dll Bihhhi32.exe
File created C:\Windows\SysWOW64\Fpbflg32.exe Felbnn32.exe
File created C:\Windows\SysWOW64\Egegjn32.exe Ephbhd32.exe
File created C:\Windows\SysWOW64\Ddqbbo32.exe Ciknefmk.exe
File opened for modification C:\Windows\SysWOW64\Kjopbd32.exe Kcehejic.exe
File created C:\Windows\SysWOW64\Oileakbj.exe Ohkijc32.exe
File created C:\Windows\SysWOW64\Ojmjcf32.dll Fmkqpkla.exe
File opened for modification C:\Windows\SysWOW64\Dbocfo32.exe Dnajppda.exe
File created C:\Windows\SysWOW64\Ephbhd32.exe Egpnooan.exe
File created C:\Windows\SysWOW64\Npjnbg32.exe Nfaijand.exe
File created C:\Windows\SysWOW64\Pjhfcm32.dll Qclmck32.exe
File created C:\Windows\SysWOW64\Ccppmc32.exe Cmbgdl32.exe
File created C:\Windows\SysWOW64\Gflhoo32.exe Gfhndpol.exe
File created C:\Windows\SysWOW64\Ifmqfm32.exe Hfjdqmng.exe
File created C:\Windows\SysWOW64\Ncjakdno.dll Khlklj32.exe
File created C:\Windows\SysWOW64\Fkekkccb.dll Mkjjdmaj.exe
File created C:\Windows\SysWOW64\Ngkpgkbd.dll Nfiagd32.exe
File created C:\Windows\SysWOW64\Lecipbeq.dll Iepihf32.exe
File opened for modification C:\Windows\SysWOW64\Kfeagefd.exe Kplijk32.exe
File created C:\Windows\SysWOW64\Ahafcp32.dll Adnbapjp.exe
File created C:\Windows\SysWOW64\Cfnjpfcl.exe Cfkmkf32.exe
File opened for modification C:\Windows\SysWOW64\Ielfgmnj.exe Hghfnioq.exe
File opened for modification C:\Windows\SysWOW64\Mcfkpjng.exe Mddkbbfg.exe
File created C:\Windows\SysWOW64\Pmhegoin.dll Nhbciqln.exe
File created C:\Windows\SysWOW64\Famnbgil.dll Apimodmh.exe
File opened for modification C:\Windows\SysWOW64\Jmffnq32.exe Jmdjha32.exe
File created C:\Windows\SysWOW64\Jkkmgl32.dll Ndhgie32.exe
File created C:\Windows\SysWOW64\Mhfmom32.dll Kjopbd32.exe
File created C:\Windows\SysWOW64\Lddgmbpb.exe Kgninn32.exe
Program crash (1 IoC)
pid 7368, pid_target 7548, Process WerFault.exe, procid_target 680
Modifies registry class (64 IoCs)
Columns: description, ioc, Process. All 64 rows are under \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32, the in-process server key of the same CLSID that the ShellServiceObjectDelayLoad value above points at, so they are grouped by operation.
Key created ...\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32, by 29 processes:
Hppeim32.exe, Emanjldl.exe, Kallod32.exe, Kfidgk32.exe, Mmjlkb32.exe, Oahnhncc.exe, Kcbkpj32.exe, Mofmobmo.exe, Qhddgofo.exe, Ipdndloi.exe, Opbean32.exe, a9595ee720cd6a52352378091a774baed7c5e6cb364bc896841aab84fcd35fd7.exe, Qomghp32.exe, Llngbabj.exe, Bblcfo32.exe, Gglfbkin.exe, Kedlip32.exe, Jjgkab32.exe, Bppcpc32.exe, Pblajhje.exe, Jfjakgpa.exe, Ohmepbki.exe, Jemfhacc.exe, Fqfojblo.exe, Eegqldqg.exe, Fdlkdhnk.exe, Lipmoo32.exe, Jnocakfb.exe, Amfhgj32.exe
Set value (str) ...\InProcServer32\ThreadingModel = "Apartment", by 19 processes:
Gbpedjnb.exe, Kocphojh.exe, Aehbmk32.exe, Ocdnln32.exe, Hdppaidl.exe, Mpchbhjl.exe, Gpmomo32.exe, Ladhkmno.exe, Calbnnkj.exe, Kcbkpj32.exe, Lddgmbpb.exe, Aibibp32.exe, Aaenbd32.exe, Ifomll32.exe, Addhbo32.exe, Cbknhqbl.exe, Ajaelc32.exe, Hjnndime.exe, Mkjjdmaj.exe
Set value (str) ...\InProcServer32\ (Default) = DLL path, by 16 processes (value shown as the report prints it, with escaped backslashes):
"C:\\Windows\\SysWow64\\Ahdjej32.dll" Lfodmdni.exe
"C:\\Windows\\SysWow64\\Imhcpepk.dll" Egegjn32.exe
"C:\\Windows\\SysWow64\\Eifhac32.dll" Ngklppei.exe
"C:\\Windows\\SysWow64\\Klbjgbff.dll" Paeelgnj.exe
"C:\\Windows\\SysWow64\\Cpiinc32.dll" Paomog32.exe
"C:\\Windows\\SysWow64\\Ojmjcf32.dll" Fmkqpkla.exe
"C:\\Windows\\SysWow64\\Kaipdbpa.dll" Ohobebig.exe
"C:\\Windows\\SysWow64\\Cboleq32.dll" Kbgfhnhi.exe
"C:\\Windows\\SysWow64\\Cihckfoa.dll" Onngci32.exe
"C:\\Windows\\SysWow64\\Pknjieep.dll" Bagmdllg.exe
"C:\\Windows\\SysWow64\\Pmidfo32.dll" Fjjcmbci.exe
"C:\\Windows\\SysWow64\\Abbbel32.dll" Ddqbbo32.exe
"C:\\Windows\\SysWow64\\Fkekkccb.dll" Mkjjdmaj.exe
"C:\\Windows\\SysWow64\\Blknem32.dll" Gbpedjnb.exe
"C:\\Windows\\SysWow64\\Ndmdae32.dll" Hedafk32.exe
"C:\\Windows\\SysWow64\\Cgmbbe32.dll" Iehmmb32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Columns: description, pid, Process, procid_target. The report logs three identical write events per parent/child pair; each pair is listed once below with its event count. The table is capped at 64 rows, which is why the last pair shows a single event.
PID 4796 (a9595ee720cd6a52352378091a774baed7c5e6cb364bc896841aab84fcd35fd7.exe) wrote to memory of 4104, procid_target 91: 3 events
PID 4104 (Kgninn32.exe) wrote to memory of 1248, procid_target 92: 3 events
PID 1248 (Lddgmbpb.exe) wrote to memory of 688, procid_target 93: 3 events
PID 688 (Lqkgbcff.exe) wrote to memory of 4988, procid_target 94: 3 events
PID 4988 (Ldipha32.exe) wrote to memory of 3708, procid_target 95: 3 events
PID 3708 (Lekmnajj.exe) wrote to memory of 660, procid_target 96: 3 events
PID 660 (Mcqjon32.exe) wrote to memory of 4380, procid_target 97: 3 events
PID 4380 (Mgobel32.exe) wrote to memory of 1436, procid_target 98: 3 events
PID 1436 (Mgaokl32.exe) wrote to memory of 208, procid_target 99: 3 events
PID 208 (Mchppmij.exe) wrote to memory of 532, procid_target 100: 3 events
PID 532 (Megljppl.exe) wrote to memory of 228, procid_target 101: 3 events
PID 228 (Nclikl32.exe) wrote to memory of 1300, procid_target 102: 3 events
PID 1300 (Nlfnaicd.exe) wrote to memory of 3452, procid_target 103: 3 events
PID 3452 (Nmigoagp.exe) wrote to memory of 1964, procid_target 104: 3 events
PID 1964 (Nagpeo32.exe) wrote to memory of 960, procid_target 105: 3 events
PID 960 (Najmjokc.exe) wrote to memory of 4812, procid_target 106: 3 events
PID 4812 (Ohfami32.exe) wrote to memory of 4964, procid_target 107: 3 events
PID 4964 (Bepmoh32.exe) wrote to memory of 1008, procid_target 108: 3 events
PID 1008 (Coohhlpe.exe) wrote to memory of 3044, procid_target 109: 3 events
PID 3044 (Cfkmkf32.exe) wrote to memory of 764, procid_target 110: 3 events
PID 764 (Cfnjpfcl.exe) wrote to memory of 3392, procid_target 111: 3 events
PID 3392 (Cljobphg.exe) wrote to memory of 1288, procid_target 112: 1 event
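The two registry signatures above ("Adds autorun key to be loaded by Explorer.exe on startup" and "Modifies registry class") describe one mechanism: Explorer enumerates ShellServiceObjectDelayLoad at logon and instantiates each CLSID it finds, and COM resolves that CLSID through its InProcServer32 (Default) value to a DLL. The parser below joins the two tables into that chain and counts how many of the dropped executables re-register the same entry. It is an added example, not part of the sandbox report or of the sample; ROWS is a transcribed subset of the report's rows (constructed input in the report's own row format), and the function and variable names are the example's own.

```python
"""Join the "Adds autorun key" and "Modifies registry class" rows into the
chain they describe: SSODL value name -> CLSID -> InProcServer32 DLL.
Added example, not part of the sandbox report; ROWS is a transcribed
subset of the report's IoC rows (constructed input, same row format)."""
import re
from collections import defaultdict

ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hppeim32.exe',
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcembe32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcjjhdjb.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbpedjnb.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hppeim32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahdjej32.dll" Lfodmdni.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhcpepk.dll" Egegjn32.exe',
]

# op, registry path (value path for "Set value", key path for "Key created"),
# optional quoted data, then the writing process. The value name may contain
# spaces ("Web Event Logger"), so the path is matched lazily and the process
# token anchors the end of the row.
ROW_RE = re.compile(r'^(Set value \(str\)|Key created) (.+?)(?: = "(.*?)")? (\S+\.exe)$')
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]+\})\\InProcServer32$", re.I)


def parse_row(row):
    """One IoC row -> dict(op, key, name, value, process)."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError("unrecognised row: " + row)
    op, path, value, process = m.groups()
    if op == "Key created":
        return {"op": op, "key": path, "name": None, "value": None, "process": process}
    key, _, name = path.rpartition("\\")        # name == "" is the (Default) value
    value = (value or "").replace("\\\\", "\\")  # the report escapes REG_SZ backslashes
    return {"op": op, "key": key, "name": name, "value": value, "process": process}


def ssodl_entries(records):
    """SSODL value name -> CLSID string (what Explorer enumerates at logon)."""
    return {
        r["name"]: r["value"]
        for r in records
        if r["op"] != "Key created"
        and r["key"].lower().endswith("\\shellserviceobjectdelayload")
    }


def inproc_servers(records):
    """CLSID -> set of DLL paths written as that CLSID's InProcServer32 (Default)."""
    servers = defaultdict(set)
    for r in records:
        if r["name"] != "":                      # skips key creation and ThreadingModel
            continue
        m = CLSID_RE.search(r["key"])
        if m:
            servers[m.group(1).upper()].add(r["value"])
    return dict(servers)


def persistence_chain(rows):
    """(SSODL name, CLSID, DLL) triples: the DLL(s) Explorer would load for each entry."""
    records = [parse_row(r) for r in rows]
    servers = inproc_servers(records)
    return sorted(
        (name, clsid, dll)
        for name, clsid in ssodl_entries(records).items()
        for dll in servers.get(clsid.upper(), ())
    )


def writers(rows, key_suffix):
    """Distinct processes that created or wrote under a key: how many droppers re-register."""
    suffix = key_suffix.lower()
    return sorted({r["process"] for r in map(parse_row, rows) if r["key"].lower().endswith(suffix)})


if __name__ == "__main__":
    for name, clsid, dll in persistence_chain(ROWS):
        print(f"{name} -> {clsid} -> {dll}")
    print("SSODL writers:", writers(ROWS, "\\ShellServiceObjectDelayLoad"))
    print("InProcServer32 writers:", writers(ROWS, "\\InProcServer32"))
```

On the full 64-row tables the same join gives one SSODL name, one CLSID and sixteen distinct DLL paths in the rows shown, and the drop table confirms the pairing where it overlaps (Fmkqpkla.exe both creates C:\Windows\SysWOW64\Ojmjcf32.dll and registers it as the server; Mkjjdmaj.exe does the same for Fkekkccb.dll). One caveat before calling this persistence on a live x64 host: every write in this report lands under WOW6432Node, the redirected view a 32-bit process gets, while 64-bit Explorer reads the native HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad key, so query both views (reg query with /reg:32 and with /reg:64) rather than concluding from the report alone which copy Explorer will honour.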
Processes
Depth | Image path | Command line | PID | Signatures
1 | C:\Users\Admin\AppData\Local\Temp\a9595ee720cd6a52352378091a774baed7c5e6cb364bc896841aab84fcd35fd7.exe | "C:\Users\Admin\AppData\Local\Temp\a9595ee720cd6a52352378091a774baed7c5e6cb364bc896841aab84fcd35fd7.exe" | 4796 | Modifies registry class; Suspicious use of WriteProcessMemory
2 | C:\Windows\SysWOW64\Kgninn32.exe | C:\Windows\system32\Kgninn32.exe | 4104 | Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
3 | C:\Windows\SysWOW64\Lddgmbpb.exe | C:\Windows\system32\Lddgmbpb.exe | 1248 | Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
4 | C:\Windows\SysWOW64\Lqkgbcff.exe | C:\Windows\system32\Lqkgbcff.exe | 688 | Executes dropped EXE; Suspicious use of WriteProcessMemory
5 | C:\Windows\SysWOW64\Ldipha32.exe | C:\Windows\system32\Ldipha32.exe | 4988 | Executes dropped EXE; Suspicious use of WriteProcessMemory
6 | C:\Windows\SysWOW64\Lekmnajj.exe | C:\Windows\system32\Lekmnajj.exe | 3708 | Executes dropped EXE; Suspicious use of WriteProcessMemory
7 | C:\Windows\SysWOW64\Mcqjon32.exe | C:\Windows\system32\Mcqjon32.exe | 660 | Executes dropped EXE; Suspicious use of WriteProcessMemory
8 | C:\Windows\SysWOW64\Mgobel32.exe | C:\Windows\system32\Mgobel32.exe | 4380 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
9 | C:\Windows\SysWOW64\Mgaokl32.exe | C:\Windows\system32\Mgaokl32.exe | 1436 | Executes dropped EXE; Suspicious use of WriteProcessMemory
10 | C:\Windows\SysWOW64\Mchppmij.exe | C:\Windows\system32\Mchppmij.exe | 208 | Executes dropped EXE; Suspicious use of WriteProcessMemory
11 | C:\Windows\SysWOW64\Megljppl.exe | C:\Windows\system32\Megljppl.exe | 532 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
12 | C:\Windows\SysWOW64\Nclikl32.exe | C:\Windows\system32\Nclikl32.exe | 228 | Executes dropped EXE; Suspicious use of WriteProcessMemory
13 | C:\Windows\SysWOW64\Nlfnaicd.exe | C:\Windows\system32\Nlfnaicd.exe | 1300 | Executes dropped EXE; Suspicious use of WriteProcessMemory
14 | C:\Windows\SysWOW64\Nmigoagp.exe | C:\Windows\system32\Nmigoagp.exe | 3452 | Executes dropped EXE; Suspicious use of WriteProcessMemory
15 | C:\Windows\SysWOW64\Nagpeo32.exe | C:\Windows\system32\Nagpeo32.exe | 1964 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
16 | C:\Windows\SysWOW64\Najmjokc.exe | C:\Windows\system32\Najmjokc.exe | 960 | Executes dropped EXE; Suspicious use of WriteProcessMemory
17 | C:\Windows\SysWOW64\Ohfami32.exe | C:\Windows\system32\Ohfami32.exe | 4812 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
18 | C:\Windows\SysWOW64\Bepmoh32.exe | C:\Windows\system32\Bepmoh32.exe | 4964 | Executes dropped EXE; Suspicious use of WriteProcessMemory
19 | C:\Windows\SysWOW64\Coohhlpe.exe | C:\Windows\system32\Coohhlpe.exe | 1008 | Executes dropped EXE; Suspicious use of WriteProcessMemory
20 | C:\Windows\SysWOW64\Cfkmkf32.exe | C:\Windows\system32\Cfkmkf32.exe | 3044 | Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
21 | C:\Windows\SysWOW64\Cfnjpfcl.exe | C:\Windows\system32\Cfnjpfcl.exe | 764 | Executes dropped EXE; Suspicious use of WriteProcessMemory
22 | C:\Windows\SysWOW64\Cljobphg.exe | C:\Windows\system32\Cljobphg.exe | 3392 | Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
23 | C:\Windows\SysWOW64\Dokgdkeh.exe | C:\Windows\system32\Dokgdkeh.exe | 1288 | Executes dropped EXE
24 | C:\Windows\SysWOW64\Dkahilkl.exe | C:\Windows\system32\Dkahilkl.exe | 2248 | Executes dropped EXE
25 | C:\Windows\SysWOW64\Dmcain32.exe | C:\Windows\system32\Dmcain32.exe | 2624 | Executes dropped EXE
26 | C:\Windows\SysWOW64\Ekkkoj32.exe | C:\Windows\system32\Ekkkoj32.exe | 3148 | Executes dropped EXE
27 | C:\Windows\SysWOW64\Eiahnnph.exe | C:\Windows\system32\Eiahnnph.exe | 220 | Executes dropped EXE; Drops file in System32 directory
28 | C:\Windows\SysWOW64\Epmmqheb.exe | C:\Windows\system32\Epmmqheb.exe | 4604 | Executes dropped EXE
29 | C:\Windows\SysWOW64\Emanjldl.exe | C:\Windows\system32\Emanjldl.exe | 944 | Executes dropped EXE; Modifies registry class
30 | C:\Windows\SysWOW64\Felbnn32.exe | C:\Windows\system32\Felbnn32.exe | 1652 | Executes dropped EXE; Drops file in System32 directory
31 | C:\Windows\SysWOW64\Fpbflg32.exe | C:\Windows\system32\Fpbflg32.exe | 2268 | Executes dropped EXE
32 | C:\Windows\SysWOW64\Fmhdkknd.exe | C:\Windows\system32\Fmhdkknd.exe | 2060 | Executes dropped EXE
33 | C:\Windows\SysWOW64\Fmkqpkla.exe | C:\Windows\system32\Fmkqpkla.exe | 1944 | Executes dropped EXE; Drops file in System32 directory; Modifies registry class
34 | C:\Windows\SysWOW64\Gfhndpol.exe | C:\Windows\system32\Gfhndpol.exe | 2140 | Executes dropped EXE; Drops file in System32 directory
35 | C:\Windows\SysWOW64\Gflhoo32.exe | C:\Windows\system32\Gflhoo32.exe | 3264 | Executes dropped EXE
36 | C:\Windows\SysWOW64\Hedafk32.exe | C:\Windows\system32\Hedafk32.exe | 3608 | Executes dropped EXE; Modifies registry class
37 | C:\Windows\SysWOW64\Hbjoeojc.exe | C:\Windows\system32\Hbjoeojc.exe | 1524 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
38 | C:\Windows\SysWOW64\Hfjdqmng.exe | C:\Windows\system32\Hfjdqmng.exe | 5044 | Executes dropped EXE; Drops file in System32 directory
39 | C:\Windows\SysWOW64\Ifmqfm32.exe | C:\Windows\system32\Ifmqfm32.exe | 2168 | Executes dropped EXE; Drops file in System32 directory
40 | C:\Windows\SysWOW64\Ifomll32.exe | C:\Windows\system32\Ifomll32.exe | 1136 | Executes dropped EXE; Modifies registry class
41 | C:\Windows\SysWOW64\Iojbpo32.exe | C:\Windows\system32\Iojbpo32.exe | 1516 | Executes dropped EXE
42 | C:\Windows\SysWOW64\Ipjoja32.exe | C:\Windows\system32\Ipjoja32.exe | 4712 | Executes dropped EXE
43 | C:\Windows\SysWOW64\Imnocf32.exe | C:\Windows\system32\Imnocf32.exe | 2324 | Executes dropped EXE
44 | C:\Windows\SysWOW64\Iidphgcn.exe | C:\Windows\system32\Iidphgcn.exe | 1620 | Executes dropped EXE
45 | C:\Windows\SysWOW64\Jiglnf32.exe | C:\Windows\system32\Jiglnf32.exe | 2108 | Executes dropped EXE
46 | C:\Windows\SysWOW64\Jocefm32.exe | C:\Windows\system32\Jocefm32.exe | 1556 | Executes dropped EXE
47 | C:\Windows\SysWOW64\Jenmcggo.exe | C:\Windows\system32\Jenmcggo.exe | 3456 | Executes dropped EXE
48 | C:\Windows\SysWOW64\Jofalmmp.exe | C:\Windows\system32\Jofalmmp.exe | 3940 | Executes dropped EXE
49 | C:\Windows\SysWOW64\Jilfifme.exe | C:\Windows\system32\Jilfifme.exe | 5084 | Executes dropped EXE
50 | C:\Windows\SysWOW64\Jcdjbk32.exe | C:\Windows\system32\Jcdjbk32.exe | 1704 | Executes dropped EXE
51 | C:\Windows\SysWOW64\Jphkkpbp.exe | C:\Windows\system32\Jphkkpbp.exe | 4624 | Executes dropped EXE
52 | C:\Windows\SysWOW64\Kcidmkpq.exe | C:\Windows\system32\Kcidmkpq.exe | 4640 | Executes dropped EXE
53 | C:\Windows\SysWOW64\Knenkbio.exe | C:\Windows\system32\Knenkbio.exe | 3648 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
54 | C:\Windows\SysWOW64\Lfgipd32.exe | C:\Windows\system32\Lfgipd32.exe | 4500 | Executes dropped EXE
55 | C:\Windows\SysWOW64\Mmmqhl32.exe | C:\Windows\system32\Mmmqhl32.exe | 3428 | Executes dropped EXE
56 | C:\Windows\SysWOW64\Nopfpgip.exe | C:\Windows\system32\Nopfpgip.exe | 2460 | Executes dropped EXE
57 | C:\Windows\SysWOW64\Ncnofeof.exe | C:\Windows\system32\Ncnofeof.exe | 4392 | Executes dropped EXE
58 | C:\Windows\SysWOW64\Njjdho32.exe | C:\Windows\system32\Njjdho32.exe | 4452 | Executes dropped EXE
59 | C:\Windows\SysWOW64\Nceefd32.exe | C:\Windows\system32\Nceefd32.exe | 64 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
60 | C:\Windows\SysWOW64\Opnbae32.exe | C:\Windows\system32\Opnbae32.exe | 4908 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
61 | C:\Windows\SysWOW64\Paeelgnj.exe | C:\Windows\system32\Paeelgnj.exe | 720 | Executes dropped EXE; Drops file in System32 directory; Modifies registry class
62 | C:\Windows\SysWOW64\Pagbaglh.exe | C:\Windows\system32\Pagbaglh.exe | 3616 | Executes dropped EXE
63 | C:\Windows\SysWOW64\Paiogf32.exe | C:\Windows\system32\Paiogf32.exe | 436 | Executes dropped EXE
64 | C:\Windows\SysWOW64\Pmpolgoi.exe | C:\Windows\system32\Pmpolgoi.exe | 4548 | Executes dropped EXE
65 | C:\Windows\SysWOW64\Pjdpelnc.exe | C:\Windows\system32\Pjdpelnc.exe | 3756 | Executes dropped EXE
66 | C:\Windows\SysWOW64\Qmeigg32.exe | C:\Windows\system32\Qmeigg32.exe | 1368 |
67 | C:\Windows\SysWOW64\Aaenbd32.exe | C:\Windows\system32\Aaenbd32.exe | 1208 | Modifies registry class
68 | C:\Windows\SysWOW64\Aoioli32.exe | C:\Windows\system32\Aoioli32.exe | 748 |
69 | C:\Windows\SysWOW64\Amnlme32.exe | C:\Windows\system32\Amnlme32.exe | 2648 |
70 | C:\Windows\SysWOW64\Ahdpjn32.exe | C:\Windows\system32\Ahdpjn32.exe | 4608 |
71 | C:\Windows\SysWOW64\Amqhbe32.exe | C:\Windows\system32\Amqhbe32.exe | 4000 |
72 | C:\Windows\SysWOW64\Aaoaic32.exe | C:\Windows\system32\Aaoaic32.exe | 3464 |
73 | C:\Windows\SysWOW64\Bkgeainn.exe | C:\Windows\system32\Bkgeainn.exe | 2832 |
74 | C:\Windows\SysWOW64\Bkibgh32.exe | C:\Windows\system32\Bkibgh32.exe | 2960 | Adds autorun key to be loaded by Explorer.exe on startup
75 | C:\Windows\SysWOW64\Bknlbhhe.exe | C:\Windows\system32\Bknlbhhe.exe | 4696 | Adds autorun key to be loaded by Explorer.exe on startup
76 | C:\Windows\SysWOW64\Cdimqm32.exe | C:\Windows\system32\Cdimqm32.exe | 5008 | Adds autorun key to be loaded by Explorer.exe on startup
77 | C:\Windows\SysWOW64\Cammjakm.exe | C:\Windows\system32\Cammjakm.exe | 2772 | Adds autorun key to be loaded by Explorer.exe on startup
78 | C:\Windows\SysWOW64\Coqncejg.exe | C:\Windows\system32\Coqncejg.exe | 4760 |
79 | C:\Windows\SysWOW64\Cgnomg32.exe | C:\Windows\system32\Cgnomg32.exe | 3496 |
80 | C:\Windows\SysWOW64\Dafppp32.exe | C:\Windows\system32\Dafppp32.exe | 3228 |
81 | C:\Windows\SysWOW64\Dkndie32.exe | C:\Windows\system32\Dkndie32.exe | 2448 | Drops file in System32 directory
82 | C:\Windows\SysWOW64\Dqnjgl32.exe | C:\Windows\system32\Dqnjgl32.exe | 1540 |
83 | C:\Windows\SysWOW64\Dnajppda.exe | C:\Windows\system32\Dnajppda.exe | 5152 | Drops file in System32 directory
84 | C:\Windows\SysWOW64\Dbocfo32.exe | C:\Windows\system32\Dbocfo32.exe | 5192 | Adds autorun key to be loaded by Explorer.exe on startup
85 | C:\Windows\SysWOW64\Dhikci32.exe | C:\Windows\system32\Dhikci32.exe | 5236 | Drops file in System32 directory
86 | C:\Windows\SysWOW64\Egohdegl.exe | C:\Windows\system32\Egohdegl.exe | 5276 |
87 | C:\Windows\SysWOW64\Egaejeej.exe | C:\Windows\system32\Egaejeej.exe | 5320 | Adds autorun key to be loaded by Explorer.exe on startup
88 | C:\Windows\SysWOW64\Ebfign32.exe | C:\Windows\system32\Ebfign32.exe | 5360 |
89 | C:\Windows\SysWOW64\Eqlfhjig.exe | C:\Windows\system32\Eqlfhjig.exe | 5408 |
90 | C:\Windows\SysWOW64\Ebkbbmqj.exe | C:\Windows\system32\Ebkbbmqj.exe | 5452 |
91 | C:\Windows\SysWOW64\Eghkjdoa.exe | C:\Windows\system32\Eghkjdoa.exe | 5496 |
92 | C:\Windows\SysWOW64\Fdlkdhnk.exe | C:\Windows\system32\Fdlkdhnk.exe | 5540 | Modifies registry class
93 | C:\Windows\SysWOW64\Fbplml32.exe | C:\Windows\system32\Fbplml32.exe | 5580 |
94 | C:\Windows\SysWOW64\Fgmdec32.exe | C:\Windows\system32\Fgmdec32.exe | 5624 |
95 | C:\Windows\SysWOW64\Fgoakc32.exe | C:\Windows\system32\Fgoakc32.exe | 5664 |
96 | C:\Windows\SysWOW64\Fecadghc.exe | C:\Windows\system32\Fecadghc.exe | 5708 |
97 | C:\Windows\SysWOW64\Fiqjke32.exe | C:\Windows\system32\Fiqjke32.exe | 5752 | Adds autorun key to be loaded by Explorer.exe on startup
98 | C:\Windows\SysWOW64\Gbiockdj.exe | C:\Windows\system32\Gbiockdj.exe | 5792 |
99 | C:\Windows\SysWOW64\Gegkpf32.exe | C:\Windows\system32\Gegkpf32.exe | 5832 |
100 | C:\Windows\SysWOW64\Gpmomo32.exe | C:\Windows\system32\Gpmomo32.exe | 5872 | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
101 | C:\Windows\SysWOW64\Gnblnlhl.exe | C:\Windows\system32\Gnblnlhl.exe | 5912 |
102 | C:\Windows\SysWOW64\Geldkfpi.exe | C:\Windows\system32\Geldkfpi.exe | 5952 |
103 | C:\Windows\SysWOW64\Glfmgp32.exe | C:\Windows\system32\Glfmgp32.exe | 5992 |
104 | C:\Windows\SysWOW64\Gbpedjnb.exe | C:\Windows\system32\Gbpedjnb.exe | 6036 | Modifies registry class
105 | C:\Windows\SysWOW64\Gijmad32.exe | C:\Windows\system32\Gijmad32.exe | 6076 | Adds autorun key to be loaded by Explorer.exe on startup
106 | C:\Windows\SysWOW64\Gpdennml.exe | C:\Windows\system32\Gpdennml.exe | 6116 |
107 | C:\Windows\SysWOW64\Giljfddl.exe | C:\Windows\system32\Giljfddl.exe | 3848 |
108 | C:\Windows\SysWOW64\Hahokfag.exe | C:\Windows\system32\Hahokfag.exe | 5216 |
109 | C:\Windows\SysWOW64\Hnlodjpa.exe | C:\Windows\system32\Hnlodjpa.exe | 5128 |
110 | C:\Windows\SysWOW64\Heegad32.exe | C:\Windows\system32\Heegad32.exe | 5260 |
111 | C:\Windows\SysWOW64\Hlppno32.exe | C:\Windows\system32\Hlppno32.exe | 5400 |
112 | C:\Windows\SysWOW64\Hbihjifh.exe | C:\Windows\system32\Hbihjifh.exe | 5460 |
113 | C:\Windows\SysWOW64\Hhfpbpdo.exe | C:\Windows\system32\Hhfpbpdo.exe | 5532 | Adds autorun key to be loaded by Explorer.exe on startup
114 | C:\Windows\SysWOW64\Hnphoj32.exe | C:\Windows\system32\Hnphoj32.exe | 5612 |
115 | C:\Windows\SysWOW64\Hifmmb32.exe | C:\Windows\system32\Hifmmb32.exe | 5672 |
116 | C:\Windows\SysWOW64\Hppeim32.exe | C:\Windows\system32\Hppeim32.exe | 5744 | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
117 | C:\Windows\SysWOW64\Ihkjno32.exe | C:\Windows\system32\Ihkjno32.exe | 5812 |
118 | C:\Windows\SysWOW64\Inebjihf.exe | C:\Windows\system32\Inebjihf.exe | 5476 |
119 | C:\Windows\SysWOW64\Ipdndloi.exe | C:\Windows\system32\Ipdndloi.exe | 5908 | Modifies registry class
120 | C:\Windows\SysWOW64\Iimcma32.exe | C:\Windows\system32\Iimcma32.exe | 5988 | Drops file in System32 directory
121 | C:\Windows\SysWOW64\Ibegfglj.exe | C:\Windows\system32\Ibegfglj.exe | 6072 |
122 | C:\Windows\SysWOW64\Iiopca32.exe | C:\Windows\system32\Iiopca32.exe | 4404 |