Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
10-05-2024 00:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9a1d8922ca9611c8b58d84ba763509e36adbe87ef593f43314cd446412f0339e.exe
Resource
win7-20240419-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
9a1d8922ca9611c8b58d84ba763509e36adbe87ef593f43314cd446412f0339e.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
9a1d8922ca9611c8b58d84ba763509e36adbe87ef593f43314cd446412f0339e.exe
-
Size
1.1MB
-
MD5
1dc7c1b11a5ba72d85d21a20eb6199e1
-
SHA1
12df91eb5cdd54ce82c13b9c25db2da307d8217b
-
SHA256
9a1d8922ca9611c8b58d84ba763509e36adbe87ef593f43314cd446412f0339e
-
SHA512
fda1d360b97b420e4ea0d97367cda1ec4ba306ee15d0f52d4cd598188193b65f78c64e6b42ef77c874ab5368854b740ff15b8b2761fbe3257e3bbbc86c9418f6
-
SSDEEP
12288:daDVvVm05XEvGdXEvG6IveDVqvQ6IvYvc6+:daq6X1dX1q5h3B
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkolkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbdnko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnknoogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmhideol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okpcoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkqqnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmjojo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfcnegnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgjccb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfcampgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkcbnanl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnnbni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqcnfjli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mijfnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plbkfdba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bddbjhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbijhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahgnke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgpjlnhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joiappkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okpcoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biolanld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgohna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdbdqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohnaik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjdfjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcpacf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhcafa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlkail32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpadhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nejiih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miehak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehkhaqpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohfcfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppddpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncmglp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gejcjbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbidgeci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljffag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Naopaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndhlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhlgmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiccofna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogcnkgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkolakkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miooigfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npdjje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edpmjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ileiplhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpkofpgq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mikhgqbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lokgcf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgidfcdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjnamh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cckdlnjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcpkpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnleiipc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dboeco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffklhqao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilnmdgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phlclgfc.exe -
Executes dropped EXE 64 IoCs
pid Process 1336 Hdncgbnl.exe 2156 Iqgqacam.exe 2968 Iqljlb32.exe 1964 Ienoff32.exe 2704 Jbdlejmn.exe 2588 Jgcabqic.exe 2900 Jjfgjk32.exe 2468 Kcahhq32.exe 1796 Kfoedl32.exe 2856 Kjcgco32.exe 2732 Lhlqhb32.exe 1872 Lpjbad32.exe 1444 Mhgclfje.exe 1284 Mlgigdoh.exe 2268 Mkobnqan.exe 768 Nfkpdn32.exe 1484 Nbdnoo32.exe 1840 Nkmbgdfl.exe 952 Nccjhafn.exe 1248 Onmkio32.exe 1564 Oicpfh32.exe 984 Okalbc32.exe 356 Ojficpfn.exe 2224 Oqqapjnk.exe 2260 Oqcnfjli.exe 2428 Ocajbekl.exe 2624 Pgobhcac.exe 2496 Pipopl32.exe 2148 Pchpbded.exe 2784 Piehkkcl.exe 2672 Pelipl32.exe 2684 Phjelg32.exe 2652 Qjknnbed.exe 1732 Qdccfh32.exe 2844 Qecoqk32.exe 2288 Ahakmf32.exe 2636 Ajbdna32.exe 1672 Ampqjm32.exe 1628 Admemg32.exe 2752 Afkbib32.exe 1592 Amejeljk.exe 2232 Aepojo32.exe 2040 Bhahlj32.exe 696 Bkodhe32.exe 1088 Bkaqmeah.exe 1804 Bnpmipql.exe 2328 Bhfagipa.exe 1596 Bkdmcdoe.exe 868 Bdlblj32.exe 908 Bjijdadm.exe 2144 Bnefdp32.exe 352 Cgmkmecg.exe 1760 Cdakgibq.exe 1720 Cfbhnaho.exe 2296 Cnippoha.exe 2804 Cphlljge.exe 2364 Cciemedf.exe 1676 Chemfl32.exe 2532 Chhjkl32.exe 2256 Clcflkic.exe 3044 Cobbhfhg.exe 2840 Dkhcmgnl.exe 1688 Dngoibmo.exe 2076 Dhmcfkme.exe -
Loads dropped DLL 64 IoCs
pid Process 1700 9a1d8922ca9611c8b58d84ba763509e36adbe87ef593f43314cd446412f0339e.exe 1700 9a1d8922ca9611c8b58d84ba763509e36adbe87ef593f43314cd446412f0339e.exe 1336 Hdncgbnl.exe 1336 Hdncgbnl.exe 2156 Iqgqacam.exe 2156 Iqgqacam.exe 2968 Iqljlb32.exe 2968 Iqljlb32.exe 1964 Ienoff32.exe 1964 Ienoff32.exe 2704 Jbdlejmn.exe 2704 Jbdlejmn.exe 2588 Jgcabqic.exe 2588 Jgcabqic.exe 2900 Jjfgjk32.exe 2900 Jjfgjk32.exe 2468 Kcahhq32.exe 2468 Kcahhq32.exe 1796 Kfoedl32.exe 1796 Kfoedl32.exe 2856 Kjcgco32.exe 2856 Kjcgco32.exe 2732 Lhlqhb32.exe 2732 Lhlqhb32.exe 1872 Lpjbad32.exe 1872 Lpjbad32.exe 1444 Mhgclfje.exe 1444 Mhgclfje.exe 1284 Mlgigdoh.exe 1284 Mlgigdoh.exe 2268 Mkobnqan.exe 2268 Mkobnqan.exe 768 Nfkpdn32.exe 768 Nfkpdn32.exe 1484 Nbdnoo32.exe 1484 Nbdnoo32.exe 1840 Nkmbgdfl.exe 1840 Nkmbgdfl.exe 952 Nccjhafn.exe 952 Nccjhafn.exe 1248 Onmkio32.exe 1248 Onmkio32.exe 1564 Oicpfh32.exe 1564 Oicpfh32.exe 984 Okalbc32.exe 984 Okalbc32.exe 356 Ojficpfn.exe 356 Ojficpfn.exe 2224 Oqqapjnk.exe 2224 Oqqapjnk.exe 2260 Oqcnfjli.exe 2260 Oqcnfjli.exe 2428 Ocajbekl.exe 2428 Ocajbekl.exe 2624 Pgobhcac.exe 2624 Pgobhcac.exe 2496 Pipopl32.exe 2496 Pipopl32.exe 2148 Pchpbded.exe 2148 Pchpbded.exe 2784 Piehkkcl.exe 2784 Piehkkcl.exe 2672 Pelipl32.exe 2672 Pelipl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Eqijej32.exe Eojnkg32.exe File created C:\Windows\SysWOW64\Abkhkgbb.exe Amnocpdk.exe File opened for modification C:\Windows\SysWOW64\Ohdfqbio.exe Opialpld.exe File created C:\Windows\SysWOW64\Jclnhnji.dll Bnldjekl.exe File created C:\Windows\SysWOW64\Gfbliabl.dll Nggggoda.exe File created C:\Windows\SysWOW64\Ongdpbkl.dll Iokfhi32.exe File created C:\Windows\SysWOW64\Jdmqokqf.dll Pflomnkb.exe File opened for modification C:\Windows\SysWOW64\Meppiblm.exe Mlhkpm32.exe File created C:\Windows\SysWOW64\Ikekpn32.dll Ohkaco32.exe File opened for modification C:\Windows\SysWOW64\Ljmlbfhi.exe Lmikibio.exe File opened for modification C:\Windows\SysWOW64\Ccdmnj32.exe Cjlheehe.exe File opened for modification C:\Windows\SysWOW64\Gkbcbn32.exe Ghdgfbkl.exe File opened for modification C:\Windows\SysWOW64\Bbhccm32.exe Bddbjhlp.exe File created C:\Windows\SysWOW64\Ekdjjm32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Igdogl32.exe Ilknfn32.exe File created C:\Windows\SysWOW64\Cadhnmnm.exe Ckjpacfp.exe File created C:\Windows\SysWOW64\Odhhgkib.exe Okpcoe32.exe File created C:\Windows\SysWOW64\Golbnm32.exe Gfcnegnk.exe File created C:\Windows\SysWOW64\Khadpa32.exe Kindeddf.exe File opened for modification C:\Windows\SysWOW64\Mimemp32.exe Mikhgqbi.exe File created C:\Windows\SysWOW64\Ingkdeak.exe Iacjjacb.exe File opened for modification C:\Windows\SysWOW64\Lgpdglhn.exe Ldahkaij.exe File opened for modification C:\Windows\SysWOW64\Piehkkcl.exe Pchpbded.exe File created C:\Windows\SysWOW64\Qecoqk32.exe Qdccfh32.exe File created C:\Windows\SysWOW64\Fpcqaf32.exe Ffklhqao.exe File opened for modification C:\Windows\SysWOW64\Cfnmfn32.exe Cdoajb32.exe File created C:\Windows\SysWOW64\Lklejh32.exe Lbcpac32.exe File opened for modification C:\Windows\SysWOW64\Klecfkff.exe Process not Found File created C:\Windows\SysWOW64\Jcjnfdbp.exe Jonbee32.exe File created C:\Windows\SysWOW64\Bleeioil.exe Bbmapj32.exe File created C:\Windows\SysWOW64\Lbnpkmfg.exe Lkdhoc32.exe File opened for modification C:\Windows\SysWOW64\Lkgkoiqc.exe Lclgjg32.exe File created C:\Windows\SysWOW64\Gbohehoj.exe Gkephn32.exe File created C:\Windows\SysWOW64\Mjpbcokk.dll Oibmpl32.exe File created C:\Windows\SysWOW64\Jpmmfp32.exe Jajmjcoe.exe File created C:\Windows\SysWOW64\Gopkmhjk.exe Gbijhg32.exe File opened for modification C:\Windows\SysWOW64\Inngcfid.exe Iokfhi32.exe File created C:\Windows\SysWOW64\Nihcog32.exe Nggggoda.exe File opened for modification C:\Windows\SysWOW64\Ngnbgplj.exe Npdjje32.exe File created C:\Windows\SysWOW64\Hdlhjl32.exe Hanlnp32.exe File created C:\Windows\SysWOW64\Egnhob32.dll Ngdifkpi.exe File created C:\Windows\SysWOW64\Onecbg32.exe Oqacic32.exe File opened for modification C:\Windows\SysWOW64\Pjpnbg32.exe Pmlmic32.exe File opened for modification C:\Windows\SysWOW64\Bjijdadm.exe Bdlblj32.exe File created C:\Windows\SysWOW64\Hejodhmc.dll Olpdjf32.exe File opened for modification C:\Windows\SysWOW64\Ndemjoae.exe Mkmhaj32.exe File created C:\Windows\SysWOW64\Akncimmh.exe Ajmfad32.exe File created C:\Windows\SysWOW64\Kopnegcl.dll Hnbopmnm.exe File created C:\Windows\SysWOW64\Njbdea32.exe Ndhlhg32.exe File created C:\Windows\SysWOW64\Bcbfbp32.exe Bjjaikoa.exe File created C:\Windows\SysWOW64\Oqqapjnk.exe Ojficpfn.exe File opened for modification C:\Windows\SysWOW64\Melfncqb.exe Moanaiie.exe File opened for modification C:\Windows\SysWOW64\Jgfqaiod.exe Jcjdpj32.exe File created C:\Windows\SysWOW64\Jjmoilnn.dll Pjpnbg32.exe File created C:\Windows\SysWOW64\Fqcfnhjb.exe Fjjnan32.exe File created C:\Windows\SysWOW64\Jlamphei.dll Ccpcckck.exe File created C:\Windows\SysWOW64\Bnknoogp.exe Bfdenafn.exe File created C:\Windows\SysWOW64\Edqocbkp.exe Enfgfh32.exe File created C:\Windows\SysWOW64\Bgikembl.dll Phfoee32.exe File created C:\Windows\SysWOW64\Fbpljhnf.dll Ndemjoae.exe File created C:\Windows\SysWOW64\Aniimjbo.exe Qqeicede.exe File opened for modification C:\Windows\SysWOW64\Godaakic.exe Gmeeepjp.exe File opened for modification C:\Windows\SysWOW64\Boemlbpk.exe Ajhddk32.exe File created C:\Windows\SysWOW64\Kmgbdo32.exe Kjifhc32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1352 5344 Process not Found 1108 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Diibag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgikembl.dll" Phfoee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpdgnh32.dll" Lkppbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alfadj32.dll" Lghjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Annbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkfgkgmk.dll" Pdakniag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdioqoen.dll" Ofnpnkgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edibhmml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkephn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkolkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfbaql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gohjaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefmne32.dll" Qgjqjjll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njemfifg.dll" Bfagpiam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effeckcj.dll" Hmmbqegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpjbaocl.dll" Mgqcmlgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omdneebf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdjpfaqc.dll" Bbjmpcab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbmcbbki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkgkdjfb.dll" Mnojacgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phnnho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oklkmnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oekhacbn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjoofhgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofnpnkgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfjoeeeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhocpkj.dll" Nocpkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nedhjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmegjdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggegqe32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndemjoae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eccpoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgnfdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joihjfnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oiakgcnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmoilnn.dll" Pjpnbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abkhkgbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Biolanld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkjnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll" Boogmgkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdncgbnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bioqclil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbiiek32.dll" Chhjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aobnniji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fffefjmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egadpgfp.dll" Fejgko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefpcolp.dll" Qndigd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Linphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbcapg.dll" Gdopkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inqcif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Accpqnab.dll" Mjkndb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olkifaen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhoice32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kllnhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Piekcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkkja32.dll" Jcpkpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnogjahn.dll" Iqljlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odoghjmf.dll" Inngcfid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flapkmlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eifmimch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqljlb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbamma32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1700 wrote to memory of 1336 1700 9a1d8922ca9611c8b58d84ba763509e36adbe87ef593f43314cd446412f0339e.exe 28 PID 1700 wrote to memory of 1336 1700 9a1d8922ca9611c8b58d84ba763509e36adbe87ef593f43314cd446412f0339e.exe 28 PID 1700 wrote to memory of 1336 1700 9a1d8922ca9611c8b58d84ba763509e36adbe87ef593f43314cd446412f0339e.exe 28 PID 1700 wrote to memory of 1336 1700 9a1d8922ca9611c8b58d84ba763509e36adbe87ef593f43314cd446412f0339e.exe 28 PID 1336 wrote to memory of 2156 1336 Hdncgbnl.exe 29 PID 1336 wrote to memory of 2156 1336 Hdncgbnl.exe 29 PID 1336 wrote to memory of 2156 1336 Hdncgbnl.exe 29 PID 1336 wrote to memory of 2156 1336 Hdncgbnl.exe 29 PID 2156 wrote to memory of 2968 2156 Iqgqacam.exe 30 PID 2156 wrote to memory of 2968 2156 Iqgqacam.exe 30 PID 2156 wrote to memory of 2968 2156 Iqgqacam.exe 30 PID 2156 wrote to memory of 2968 2156 Iqgqacam.exe 30 PID 2968 wrote to memory of 1964 2968 Iqljlb32.exe 31 PID 2968 wrote to memory of 1964 2968 Iqljlb32.exe 31 PID 2968 wrote to memory of 1964 2968 Iqljlb32.exe 31 PID 2968 wrote to memory of 1964 2968 Iqljlb32.exe 31 PID 1964 wrote to memory of 2704 1964 Ienoff32.exe 32 PID 1964 wrote to memory of 2704 1964 Ienoff32.exe 32 PID 1964 wrote to memory of 2704 1964 Ienoff32.exe 32 PID 1964 wrote to memory of 2704 1964 Ienoff32.exe 32 PID 2704 wrote to memory of 2588 2704 Jbdlejmn.exe 33 PID 2704 wrote to memory of 2588 2704 Jbdlejmn.exe 33 PID 2704 wrote to memory of 2588 2704 Jbdlejmn.exe 33 PID 2704 wrote to memory of 2588 2704 Jbdlejmn.exe 33 PID 2588 wrote to memory of 2900 2588 Jgcabqic.exe 34 PID 2588 wrote to memory of 2900 2588 Jgcabqic.exe 34 PID 2588 wrote to memory of 2900 2588 Jgcabqic.exe 34 PID 2588 wrote to memory of 2900 2588 Jgcabqic.exe 34 PID 2900 wrote to memory of 2468 2900 Jjfgjk32.exe 35 PID 2900 wrote to memory of 2468 2900 Jjfgjk32.exe 35 PID 2900 wrote to memory of 2468 2900 Jjfgjk32.exe 35 PID 2900 wrote to memory of 2468 2900 Jjfgjk32.exe 35 PID 2468 wrote to memory of 1796 2468 Kcahhq32.exe 36 PID 2468 wrote to memory of 1796 2468 Kcahhq32.exe 36 PID 2468 wrote to memory of 1796 2468 Kcahhq32.exe 36 PID 2468 wrote to memory of 1796 2468 Kcahhq32.exe 36 PID 1796 wrote to memory of 2856 1796 Kfoedl32.exe 37 PID 1796 wrote to memory of 2856 1796 Kfoedl32.exe 37 PID 1796 wrote to memory of 2856 1796 Kfoedl32.exe 37 PID 1796 wrote to memory of 2856 1796 Kfoedl32.exe 37 PID 2856 wrote to memory of 2732 2856 Kjcgco32.exe 38 PID 2856 wrote to memory of 2732 2856 Kjcgco32.exe 38 PID 2856 wrote to memory of 2732 2856 Kjcgco32.exe 38 PID 2856 wrote to memory of 2732 2856 Kjcgco32.exe 38 PID 2732 wrote to memory of 1872 2732 Lhlqhb32.exe 39 PID 2732 wrote to memory of 1872 2732 Lhlqhb32.exe 39 PID 2732 wrote to memory of 1872 2732 Lhlqhb32.exe 39 PID 2732 wrote to memory of 1872 2732 Lhlqhb32.exe 39 PID 1872 wrote to memory of 1444 1872 Lpjbad32.exe 40 PID 1872 wrote to memory of 1444 1872 Lpjbad32.exe 40 PID 1872 wrote to memory of 1444 1872 Lpjbad32.exe 40 PID 1872 wrote to memory of 1444 1872 Lpjbad32.exe 40 PID 1444 wrote to memory of 1284 1444 Mhgclfje.exe 41 PID 1444 wrote to memory of 1284 1444 Mhgclfje.exe 41 PID 1444 wrote to memory of 1284 1444 Mhgclfje.exe 41 PID 1444 wrote to memory of 1284 1444 Mhgclfje.exe 41 PID 1284 wrote to memory of 2268 1284 Mlgigdoh.exe 42 PID 1284 wrote to memory of 2268 1284 Mlgigdoh.exe 42 PID 1284 wrote to memory of 2268 1284 Mlgigdoh.exe 42 PID 1284 wrote to memory of 2268 1284 Mlgigdoh.exe 42 PID 2268 wrote to memory of 768 2268 Mkobnqan.exe 43 PID 2268 wrote to memory of 768 2268 Mkobnqan.exe 43 PID 2268 wrote to memory of 768 2268 Mkobnqan.exe 43 PID 2268 wrote to memory of 768 2268 Mkobnqan.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\9a1d8922ca9611c8b58d84ba763509e36adbe87ef593f43314cd446412f0339e.exe"C:\Users\Admin\AppData\Local\Temp\9a1d8922ca9611c8b58d84ba763509e36adbe87ef593f43314cd446412f0339e.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Hdncgbnl.exeC:\Windows\system32\Hdncgbnl.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\Iqgqacam.exeC:\Windows\system32\Iqgqacam.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Iqljlb32.exeC:\Windows\system32\Iqljlb32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Ienoff32.exeC:\Windows\system32\Ienoff32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Jbdlejmn.exeC:\Windows\system32\Jbdlejmn.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Jgcabqic.exeC:\Windows\system32\Jgcabqic.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Jjfgjk32.exeC:\Windows\system32\Jjfgjk32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Kcahhq32.exeC:\Windows\system32\Kcahhq32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:768 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1484 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1840 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:952 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1248 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1564 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:984 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:356 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2224 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2260 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2428 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2496 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe33⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe34⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1732 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe36⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe37⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe38⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe39⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe40⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe41⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe42⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe43⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe44⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe45⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe46⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe47⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe48⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe49⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:868 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe51⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe52⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe53⤵
- Executes dropped EXE
PID:352 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe54⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe55⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe56⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe57⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe58⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe59⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2532 -
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe61⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe62⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe63⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe64⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe65⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe66⤵PID:2872
-
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe67⤵PID:1548
-
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe68⤵PID:1264
-
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe69⤵PID:1388
-
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe70⤵PID:288
-
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe71⤵PID:1836
-
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe72⤵PID:1340
-
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe73⤵PID:1616
-
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe74⤵PID:544
-
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe75⤵PID:2024
-
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe76⤵PID:1508
-
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe77⤵PID:108
-
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe78⤵PID:2644
-
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe79⤵PID:2016
-
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe80⤵PID:2828
-
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe81⤵PID:2892
-
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe82⤵PID:2924
-
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe83⤵PID:1156
-
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe84⤵PID:2100
-
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe85⤵PID:2060
-
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe86⤵
- Modifies registry class
PID:756 -
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe87⤵PID:1756
-
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe88⤵PID:1364
-
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe89⤵PID:2604
-
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe90⤵PID:1352
-
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe91⤵PID:1032
-
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe92⤵PID:1764
-
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe93⤵PID:1716
-
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe94⤵PID:1304
-
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe96⤵PID:1848
-
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3028 -
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe98⤵PID:1580
-
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe99⤵PID:1972
-
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe100⤵
- Modifies registry class
PID:1152 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe101⤵PID:1524
-
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe102⤵PID:2236
-
C:\Windows\SysWOW64\Ghmiam32.exeC:\Windows\system32\Ghmiam32.exe103⤵PID:988
-
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe104⤵PID:628
-
C:\Windows\SysWOW64\Ghoegl32.exeC:\Windows\system32\Ghoegl32.exe105⤵PID:1540
-
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe106⤵PID:2264
-
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe107⤵PID:2204
-
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe108⤵PID:2436
-
C:\Windows\SysWOW64\Hpocfncj.exeC:\Windows\system32\Hpocfncj.exe109⤵PID:2176
-
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe110⤵PID:2440
-
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe111⤵PID:1600
-
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe112⤵PID:2552
-
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe113⤵PID:3024
-
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe114⤵PID:2928
-
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe115⤵
- Drops file in System32 directory
PID:304 -
C:\Windows\SysWOW64\Igdogl32.exeC:\Windows\system32\Igdogl32.exe116⤵PID:3048
-
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe117⤵
- Drops file in System32 directory
PID:320 -
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe118⤵
- Modifies registry class
PID:812 -
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe119⤵
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe120⤵PID:2184
-
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe121⤵PID:1860
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-