Analysis
-
max time kernel
144s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
08/05/2024, 23:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6bd3536016867d2697330e1f678e2734aa0b6263d53ee6a2ddda57788b6208d8.exe
Resource
win7-20240419-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
6bd3536016867d2697330e1f678e2734aa0b6263d53ee6a2ddda57788b6208d8.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
6bd3536016867d2697330e1f678e2734aa0b6263d53ee6a2ddda57788b6208d8.exe
-
Size
64KB
-
MD5
c5f1c64f136f52ec96d84c21dd80c220
-
SHA1
471f892ce255ea605af592b460423dabd206514b
-
SHA256
6bd3536016867d2697330e1f678e2734aa0b6263d53ee6a2ddda57788b6208d8
-
SHA512
9444c119b9f89135766e553631f28016e896069840c2762064a98af1b43e31af82d16d5c6ef55ea9e04ff076529afe687a25b12c9bfa80e99f74033856d78984
-
SSDEEP
1536:X4b9S2Hasba5OyEa/VL2tLinEf2LclrDWBi:aY2HasYtL2tLin5I2Bi
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qpecfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djefobmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jejhecaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmhodf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pciifc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpgpkcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajdadamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gieojq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhmepp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Papfegmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnclnihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkhcmgnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpfdalii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aibajhdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfjqnjkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anojbobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgljbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffnphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idklfpon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldfgebbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lflmci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pamiog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeqdep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obojhlbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppbfpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mppepcfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlnbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqijej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojolhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmfgjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pflomnkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anlmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eibbcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enhacojl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gopkmhjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlmlecec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogeigofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ombapedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdlgpgef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebbgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fioija32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpmlkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bldcpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhiffc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckoilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjljhjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijgdngmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joifam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lollckbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flabbihl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqhpdhcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekhhadmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enfenplo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhpfqama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmcoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpknlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnemdecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kneicieh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddagfm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naoniipe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Claifkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flabbihl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghoegl32.exe -
Executes dropped EXE 64 IoCs
pid Process 1236 Aplpai32.exe 2588 Ajbdna32.exe 2708 Abmibdlh.exe 2504 Ajdadamj.exe 2784 Alenki32.exe 2728 Admemg32.exe 2956 Aiinen32.exe 1436 Alhjai32.exe 2840 Aepojo32.exe 2216 Boiccdnf.exe 1976 Bebkpn32.exe 1320 Bhahlj32.exe 1512 Baildokg.exe 2016 Bdhhqk32.exe 2688 Balijo32.exe 484 Bkdmcdoe.exe 2304 Banepo32.exe 2316 Bpafkknm.exe 1072 Bkfjhd32.exe 1772 Baqbenep.exe 1096 Cjlgiqbk.exe 344 Cljcelan.exe 1344 Cdakgibq.exe 2044 Cfbhnaho.exe 2432 Coklgg32.exe 2332 Cgbdhd32.exe 2760 Clomqk32.exe 3048 Cfgaiaci.exe 2536 Claifkkf.exe 2528 Ckdjbh32.exe 2124 Cbnbobin.exe 2752 Cfinoq32.exe 2816 Cobbhfhg.exe 1632 Dflkdp32.exe 468 Ddokpmfo.exe 1736 Dhjgal32.exe 1576 Dkhcmgnl.exe 1680 Dngoibmo.exe 2132 Dbbkja32.exe 2900 Ddagfm32.exe 764 Dgodbh32.exe 1508 Djnpnc32.exe 2392 Dbehoa32.exe 444 Dqhhknjp.exe 832 Dcfdgiid.exe 980 Dgaqgh32.exe 2344 Djpmccqq.exe 2404 Dnlidb32.exe 3020 Ddeaalpg.exe 2916 Dfgmhd32.exe 2604 Dnneja32.exe 2724 Dqlafm32.exe 2844 Dcknbh32.exe 2500 Dgfjbgmh.exe 2548 Djefobmk.exe 2540 Djefobmk.exe 2732 Emcbkn32.exe 1964 Epaogi32.exe 2212 Ebpkce32.exe 340 Ejgcdb32.exe 1580 Eijcpoac.exe 1188 Ekholjqg.exe 1276 Ecpgmhai.exe 2888 Ebbgid32.exe -
Loads dropped DLL 64 IoCs
pid Process 1960 6bd3536016867d2697330e1f678e2734aa0b6263d53ee6a2ddda57788b6208d8.exe 1960 6bd3536016867d2697330e1f678e2734aa0b6263d53ee6a2ddda57788b6208d8.exe 1236 Aplpai32.exe 1236 Aplpai32.exe 2588 Ajbdna32.exe 2588 Ajbdna32.exe 2708 Abmibdlh.exe 2708 Abmibdlh.exe 2504 Ajdadamj.exe 2504 Ajdadamj.exe 2784 Alenki32.exe 2784 Alenki32.exe 2728 Admemg32.exe 2728 Admemg32.exe 2956 Aiinen32.exe 2956 Aiinen32.exe 1436 Alhjai32.exe 1436 Alhjai32.exe 2840 Aepojo32.exe 2840 Aepojo32.exe 2216 Boiccdnf.exe 2216 Boiccdnf.exe 1976 Bebkpn32.exe 1976 Bebkpn32.exe 1320 Bhahlj32.exe 1320 Bhahlj32.exe 1512 Baildokg.exe 1512 Baildokg.exe 2016 Bdhhqk32.exe 2016 Bdhhqk32.exe 2688 Balijo32.exe 2688 Balijo32.exe 484 Bkdmcdoe.exe 484 Bkdmcdoe.exe 2304 Banepo32.exe 2304 Banepo32.exe 2316 Bpafkknm.exe 2316 Bpafkknm.exe 1072 Bkfjhd32.exe 1072 Bkfjhd32.exe 1772 Baqbenep.exe 1772 Baqbenep.exe 1096 Cjlgiqbk.exe 1096 Cjlgiqbk.exe 344 Cljcelan.exe 344 Cljcelan.exe 1344 Cdakgibq.exe 1344 Cdakgibq.exe 2044 Cfbhnaho.exe 2044 Cfbhnaho.exe 2432 Coklgg32.exe 2432 Coklgg32.exe 2332 Cgbdhd32.exe 2332 Cgbdhd32.exe 2760 Clomqk32.exe 2760 Clomqk32.exe 3048 Cfgaiaci.exe 3048 Cfgaiaci.exe 2536 Claifkkf.exe 2536 Claifkkf.exe 2528 Ckdjbh32.exe 2528 Ckdjbh32.exe 2124 Cbnbobin.exe 2124 Cbnbobin.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hgmhlp32.dll Dcfdgiid.exe File opened for modification C:\Windows\SysWOW64\Ffnphf32.exe Fdoclk32.exe File opened for modification C:\Windows\SysWOW64\Imfqjbli.exe Ijgdngmf.exe File created C:\Windows\SysWOW64\Ocgpappk.exe Oddpfc32.exe File created C:\Windows\SysWOW64\Ejmmiihp.dll Ckoilb32.exe File opened for modification C:\Windows\SysWOW64\Ddgjdk32.exe Dfdjhndl.exe File created C:\Windows\SysWOW64\Qbelgood.exe Qcbllb32.exe File created C:\Windows\SysWOW64\Iifjjk32.dll Dliijipn.exe File opened for modification C:\Windows\SysWOW64\Eccmffjf.exe Eqdajkkb.exe File created C:\Windows\SysWOW64\Kdanej32.dll Fejgko32.exe File opened for modification C:\Windows\SysWOW64\Lckdanld.exe Lldlqakb.exe File created C:\Windows\SysWOW64\Fgefik32.dll Ojcecjee.exe File created C:\Windows\SysWOW64\Cbcodmih.dll Dggcffhg.exe File created C:\Windows\SysWOW64\Eaklqfem.dll Dfamcogo.exe File created C:\Windows\SysWOW64\Galmmc32.dll Dlnbeh32.exe File opened for modification C:\Windows\SysWOW64\Lollckbk.exe Lhbcfa32.exe File created C:\Windows\SysWOW64\Dolnad32.exe Dlnbeh32.exe File created C:\Windows\SysWOW64\Hknach32.exe Ghoegl32.exe File opened for modification C:\Windows\SysWOW64\Ldfgebbe.exe Lahkigca.exe File created C:\Windows\SysWOW64\Ocimgp32.exe Olpdjf32.exe File created C:\Windows\SysWOW64\Pqhpdhcc.exe Pbfpik32.exe File created C:\Windows\SysWOW64\Kaplbi32.dll Pqhpdhcc.exe File created C:\Windows\SysWOW64\Lhnffb32.dll Piphee32.exe File opened for modification C:\Windows\SysWOW64\Ahdaee32.exe Aibajhdn.exe File created C:\Windows\SysWOW64\Enfenplo.exe Ekhhadmk.exe File created C:\Windows\SysWOW64\Lkcmiimi.dll Djnpnc32.exe File created C:\Windows\SysWOW64\Lanfmb32.dll Efppoc32.exe File opened for modification C:\Windows\SysWOW64\Lhpfqama.exe Limfed32.exe File opened for modification C:\Windows\SysWOW64\Aepojo32.exe Alhjai32.exe File created C:\Windows\SysWOW64\Kmaled32.exe Kjcpii32.exe File opened for modification C:\Windows\SysWOW64\Eqpgol32.exe Ebmgcohn.exe File created C:\Windows\SysWOW64\Amfidj32.dll Egllae32.exe File opened for modification C:\Windows\SysWOW64\Ddokpmfo.exe Dflkdp32.exe File created C:\Windows\SysWOW64\Ghqknigk.dll Ffpmnf32.exe File created C:\Windows\SysWOW64\Glfhll32.exe Gelppaof.exe File created C:\Windows\SysWOW64\Nlbeqb32.exe Ndkmpe32.exe File created C:\Windows\SysWOW64\Oikojfgk.exe Obafnlpn.exe File opened for modification C:\Windows\SysWOW64\Pefijfii.exe Pqkmjh32.exe File created C:\Windows\SysWOW64\Alpmfdcb.exe Ahdaee32.exe File created C:\Windows\SysWOW64\Ejgcdb32.exe Ebpkce32.exe File created C:\Windows\SysWOW64\Lhpfqama.exe Limfed32.exe File created C:\Windows\SysWOW64\Mbcjffka.dll Mgimmm32.exe File opened for modification C:\Windows\SysWOW64\Ngpolo32.exe Ndbcpd32.exe File created C:\Windows\SysWOW64\Kkgklabn.dll Qfahhm32.exe File created C:\Windows\SysWOW64\Egjpkffe.exe Ehgppi32.exe File opened for modification C:\Windows\SysWOW64\Fiaeoang.exe Ffbicfoc.exe File created C:\Windows\SysWOW64\Qjdijm32.dll Jehkodcm.exe File created C:\Windows\SysWOW64\Jbllihbf.exe Jonplmcb.exe File opened for modification C:\Windows\SysWOW64\Albjlcao.exe Ahgnke32.exe File opened for modification C:\Windows\SysWOW64\Cohigamf.exe Chnqkg32.exe File created C:\Windows\SysWOW64\Dlkaflan.dll Doehqead.exe File created C:\Windows\SysWOW64\Eqpgol32.exe Ebmgcohn.exe File created C:\Windows\SysWOW64\Pkpagq32.exe Pgeefbhm.exe File created C:\Windows\SysWOW64\Igmdobgi.dll Bdeeqehb.exe File opened for modification C:\Windows\SysWOW64\Hmlnoc32.exe Hknach32.exe File created C:\Windows\SysWOW64\Hellne32.exe Hobcak32.exe File created C:\Windows\SysWOW64\Feocmm32.dll Jjojofgn.exe File created C:\Windows\SysWOW64\Moiklogi.exe Mlkopcge.exe File created C:\Windows\SysWOW64\Aadloj32.exe Ahlgfdeq.exe File opened for modification C:\Windows\SysWOW64\Hhjhkq32.exe Hellne32.exe File created C:\Windows\SysWOW64\Phoccb32.dll Jokcgmee.exe File opened for modification C:\Windows\SysWOW64\Kaceodek.exe Kneicieh.exe File opened for modification C:\Windows\SysWOW64\Ppbfpd32.exe Papfegmk.exe File opened for modification C:\Windows\SysWOW64\Anafhopc.exe Albjlcao.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5024 4836 WerFault.exe 441 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnnhje32.dll" Gpknlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goddhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Moiklogi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdbhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdeeqehb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Admemg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbehoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijgdngmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgagbb32.dll" Mpdnkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkeelohh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhkdeggl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlnbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgnia32.dll" Ejobhppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fncann32.dll" Ddagfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flmefm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oikojfgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqdeaqb.dll" Dhpiojfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnoillim.dll" Eeqdep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obojhlbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjkbhikj.dll" Qpecfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enfenplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmcoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehkdaf32.dll" Pbfpik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcknbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibckiab.dll" Eajaoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcdooi32.dll" Fpfdalii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihdkao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pefijfii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qbelgood.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boiccdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdhhqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnobnmpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nclpan32.dll" Jnclnihj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olpdjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emdipg32.dll" Jqdipqbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdmahkol.dll" Jonplmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddeaalpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baqbenep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkhcmgnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfmjjgm.dll" Abjebn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cclkfdnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgljbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjadmnic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omfkke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjlgiqbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaemjbcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndmjedoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gojbjm32.dll" Blgpef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkkalk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmhodf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhdlkdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nadddkfi.dll" Oddpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cahail32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfamcogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekgednng.dll" Efcfga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hknach32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meagci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgioaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldfgebbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngpolo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lihmjejl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndkmpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Naoniipe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pciifc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1960 wrote to memory of 1236 1960 6bd3536016867d2697330e1f678e2734aa0b6263d53ee6a2ddda57788b6208d8.exe 28 PID 1960 wrote to memory of 1236 1960 6bd3536016867d2697330e1f678e2734aa0b6263d53ee6a2ddda57788b6208d8.exe 28 PID 1960 wrote to memory of 1236 1960 6bd3536016867d2697330e1f678e2734aa0b6263d53ee6a2ddda57788b6208d8.exe 28 PID 1960 wrote to memory of 1236 1960 6bd3536016867d2697330e1f678e2734aa0b6263d53ee6a2ddda57788b6208d8.exe 28 PID 1236 wrote to memory of 2588 1236 Aplpai32.exe 29 PID 1236 wrote to memory of 2588 1236 Aplpai32.exe 29 PID 1236 wrote to memory of 2588 1236 Aplpai32.exe 29 PID 1236 wrote to memory of 2588 1236 Aplpai32.exe 29 PID 2588 wrote to memory of 2708 2588 Ajbdna32.exe 30 PID 2588 wrote to memory of 2708 2588 Ajbdna32.exe 30 PID 2588 wrote to memory of 2708 2588 Ajbdna32.exe 30 PID 2588 wrote to memory of 2708 2588 Ajbdna32.exe 30 PID 2708 wrote to memory of 2504 2708 Abmibdlh.exe 31 PID 2708 wrote to memory of 2504 2708 Abmibdlh.exe 31 PID 2708 wrote to memory of 2504 2708 Abmibdlh.exe 31 PID 2708 wrote to memory of 2504 2708 Abmibdlh.exe 31 PID 2504 wrote to memory of 2784 2504 Ajdadamj.exe 32 PID 2504 wrote to memory of 2784 2504 Ajdadamj.exe 32 PID 2504 wrote to memory of 2784 2504 Ajdadamj.exe 32 PID 2504 wrote to memory of 2784 2504 Ajdadamj.exe 32 PID 2784 wrote to memory of 2728 2784 Alenki32.exe 33 PID 2784 wrote to memory of 2728 2784 Alenki32.exe 33 PID 2784 wrote to memory of 2728 2784 Alenki32.exe 33 PID 2784 wrote to memory of 2728 2784 Alenki32.exe 33 PID 2728 wrote to memory of 2956 2728 Admemg32.exe 34 PID 2728 wrote to memory of 2956 2728 Admemg32.exe 34 PID 2728 wrote to memory of 2956 2728 Admemg32.exe 34 PID 2728 wrote to memory of 2956 2728 Admemg32.exe 34 PID 2956 wrote to memory of 1436 2956 Aiinen32.exe 35 PID 2956 wrote to memory of 1436 2956 Aiinen32.exe 35 PID 2956 wrote to memory of 1436 2956 Aiinen32.exe 35 PID 2956 wrote to memory of 1436 2956 Aiinen32.exe 35 PID 1436 wrote to memory of 2840 1436 Alhjai32.exe 36 PID 1436 wrote to memory of 2840 1436 Alhjai32.exe 36 PID 1436 wrote to memory of 2840 1436 Alhjai32.exe 36 PID 1436 wrote to memory of 2840 1436 Alhjai32.exe 36 PID 2840 wrote to memory of 2216 2840 Aepojo32.exe 37 PID 2840 wrote to memory of 2216 2840 Aepojo32.exe 37 PID 2840 wrote to memory of 2216 2840 Aepojo32.exe 37 PID 2840 wrote to memory of 2216 2840 Aepojo32.exe 37 PID 2216 wrote to memory of 1976 2216 Boiccdnf.exe 38 PID 2216 wrote to memory of 1976 2216 Boiccdnf.exe 38 PID 2216 wrote to memory of 1976 2216 Boiccdnf.exe 38 PID 2216 wrote to memory of 1976 2216 Boiccdnf.exe 38 PID 1976 wrote to memory of 1320 1976 Bebkpn32.exe 39 PID 1976 wrote to memory of 1320 1976 Bebkpn32.exe 39 PID 1976 wrote to memory of 1320 1976 Bebkpn32.exe 39 PID 1976 wrote to memory of 1320 1976 Bebkpn32.exe 39 PID 1320 wrote to memory of 1512 1320 Bhahlj32.exe 40 PID 1320 wrote to memory of 1512 1320 Bhahlj32.exe 40 PID 1320 wrote to memory of 1512 1320 Bhahlj32.exe 40 PID 1320 wrote to memory of 1512 1320 Bhahlj32.exe 40 PID 1512 wrote to memory of 2016 1512 Baildokg.exe 41 PID 1512 wrote to memory of 2016 1512 Baildokg.exe 41 PID 1512 wrote to memory of 2016 1512 Baildokg.exe 41 PID 1512 wrote to memory of 2016 1512 Baildokg.exe 41 PID 2016 wrote to memory of 2688 2016 Bdhhqk32.exe 42 PID 2016 wrote to memory of 2688 2016 Bdhhqk32.exe 42 PID 2016 wrote to memory of 2688 2016 Bdhhqk32.exe 42 PID 2016 wrote to memory of 2688 2016 Bdhhqk32.exe 42 PID 2688 wrote to memory of 484 2688 Balijo32.exe 43 PID 2688 wrote to memory of 484 2688 Balijo32.exe 43 PID 2688 wrote to memory of 484 2688 Balijo32.exe 43 PID 2688 wrote to memory of 484 2688 Balijo32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\6bd3536016867d2697330e1f678e2734aa0b6263d53ee6a2ddda57788b6208d8.exe"C:\Users\Admin\AppData\Local\Temp\6bd3536016867d2697330e1f678e2734aa0b6263d53ee6a2ddda57788b6208d8.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:484 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2316 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1072 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1096 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:344 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1344 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2044 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2432 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2332 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3048 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2536 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2528 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2124 -
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe33⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe34⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe36⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe37⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1576 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe39⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe40⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe42⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1508 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe45⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe47⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe48⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe49⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe51⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe52⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe53⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe55⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe56⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe58⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe59⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2212 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe61⤵
- Executes dropped EXE
PID:340 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe62⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe63⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe64⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe67⤵PID:1848
-
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe68⤵PID:2352
-
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe69⤵PID:2136
-
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1044 -
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe71⤵PID:2904
-
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe72⤵PID:2252
-
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe73⤵PID:2928
-
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe74⤵
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe75⤵PID:2612
-
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe76⤵PID:2800
-
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe77⤵PID:2572
-
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe78⤵PID:2484
-
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe79⤵PID:2672
-
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2968 -
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe81⤵PID:1256
-
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe83⤵
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe84⤵PID:1904
-
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe85⤵PID:828
-
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe86⤵
- Drops file in System32 directory
PID:1812 -
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2364 -
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe88⤵PID:1328
-
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe89⤵PID:2880
-
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe91⤵
- Drops file in System32 directory
PID:1500 -
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2720 -
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe93⤵
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe94⤵PID:2608
-
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe95⤵
- Drops file in System32 directory
PID:2564 -
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe96⤵PID:2596
-
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe97⤵PID:2972
-
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe99⤵PID:1528
-
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe100⤵PID:2260
-
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe101⤵PID:1080
-
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1100 -
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe103⤵PID:636
-
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1340 -
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe105⤵PID:840
-
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe106⤵PID:3012
-
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe107⤵PID:1696
-
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe108⤵
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe109⤵PID:2660
-
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe110⤵
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe111⤵PID:744
-
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe112⤵PID:2308
-
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe113⤵PID:2280
-
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe114⤵PID:2448
-
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe115⤵
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe116⤵PID:3060
-
C:\Windows\SysWOW64\Ghoegl32.exeC:\Windows\system32\Ghoegl32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1056 -
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe119⤵PID:748
-
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe120⤵PID:2600
-
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe121⤵PID:2428
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-