Analysis
-
max time kernel
98s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
10/05/2024, 01:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b0343a75a86de0aae786e8f584563bffa905ad2b667f3b3972138a1c50ce1d4e.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
b0343a75a86de0aae786e8f584563bffa905ad2b667f3b3972138a1c50ce1d4e.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
b0343a75a86de0aae786e8f584563bffa905ad2b667f3b3972138a1c50ce1d4e.exe
-
Size
428KB
-
MD5
aa89b238538c9d827d67c8a58e2189f1
-
SHA1
02a6a579b0a181d7d5720825e4f22873ac2b2b45
-
SHA256
b0343a75a86de0aae786e8f584563bffa905ad2b667f3b3972138a1c50ce1d4e
-
SHA512
645ef29bad3b518b6901e4f310b73fb4e22c5cabb81e31c8f40389b368a2a75dc4cfed2252182dbedf93b9708ebbebb89bb4d876b0c88596923074e12a595fe9
-
SSDEEP
12288:ayzX95hjtFrNF5h0EJtws15tPWu5Ls15tw:aCX95hjLZF5h0E/Tge
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbhcpmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obnbpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhcgkbja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eelgcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhcfjnhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alofnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idokma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mehbpjjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdgoelnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldpbpgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egflml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mecglbfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkmmlgik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocjpkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbfcbdce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjpdmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlhkgm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdogedmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acnlgajg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkdgecna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmdhad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpigma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjlbdc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnfpjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbpbck32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggdfff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aggiigmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edibhmml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inbnhihl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjmlhbbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfkhch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmofjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Najpll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfobmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccdmnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fikelhib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogohdeam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdblkoco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcdifa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npbklabl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gecpnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amjpgdik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akiobk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgeaoinb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahpifj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fofbhgde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhhkapeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eloipb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mokdja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjdnne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfncpcoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idcqep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdipfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pleofj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kodghqop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmpcgace.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkaolm32.exe -
Executes dropped EXE 64 IoCs
pid Process 2692 Gmbfggdo.exe 2064 Gfmgelil.exe 2872 Hlafnbal.exe 2564 Hmeolj32.exe 2700 Ihmpobck.exe 2524 Ifdjeoep.exe 2420 Jlelhe32.exe 1012 Jaeafklf.exe 2552 Kdjccf32.exe 1724 Knbhlkkc.exe 1248 Kbgjkn32.exe 1796 Kllnhg32.exe 940 Lkdhoc32.exe 1556 Ldoimh32.exe 2172 Ljnnko32.exe 1344 Mjpkqonj.exe 1596 Mbkpeake.exe 2208 Najpll32.exe 1552 Niedqnen.exe 1776 Nfidjbdg.exe 1788 Nbpeoc32.exe 1200 Oagoep32.exe 2284 Okpcoe32.exe 2076 Olophhjd.exe 1716 Odmabj32.exe 2764 Oijjka32.exe 2688 Pgnjde32.exe 2768 Pnjofo32.exe 2912 Pgbdodnh.exe 2576 Palepb32.exe 2484 Pkdihhag.exe 2184 Pdmnam32.exe 2404 Qackpado.exe 840 Abegfa32.exe 2776 Acfdnihk.exe 2348 Aciqcifh.exe 2684 Aqmamm32.exe 2096 Aggiigmn.exe 908 Amcbankf.exe 1648 Aijbfo32.exe 1756 Akiobk32.exe 288 Bfncpcoc.exe 2724 Bofgii32.exe 2148 Bgblmk32.exe 2540 Bnqned32.exe 1676 Cjgoje32.exe 2904 Cfnoogbo.exe 1316 Cacclpae.exe 652 Ciohqa32.exe 1564 Ccdmnj32.exe 1992 Cpkmcldj.exe 884 Cehfkb32.exe 2272 Cpmjhk32.exe 2204 Dejbqb32.exe 1612 Dbncjf32.exe 2804 Doecog32.exe 2440 Dfphcj32.exe 2384 Dmjqpdje.exe 2780 Dddimn32.exe 1804 Dpkibo32.exe 2480 Dgeaoinb.exe 2528 Dmojkc32.exe 2944 Edibhmml.exe 1364 Eiekpd32.exe -
Loads dropped DLL 64 IoCs
pid Process 2748 b0343a75a86de0aae786e8f584563bffa905ad2b667f3b3972138a1c50ce1d4e.exe 2748 b0343a75a86de0aae786e8f584563bffa905ad2b667f3b3972138a1c50ce1d4e.exe 2692 Gmbfggdo.exe 2692 Gmbfggdo.exe 2064 Gfmgelil.exe 2064 Gfmgelil.exe 2872 Hlafnbal.exe 2872 Hlafnbal.exe 2564 Hmeolj32.exe 2564 Hmeolj32.exe 2700 Ihmpobck.exe 2700 Ihmpobck.exe 2524 Ifdjeoep.exe 2524 Ifdjeoep.exe 2420 Jlelhe32.exe 2420 Jlelhe32.exe 1012 Jaeafklf.exe 1012 Jaeafklf.exe 2552 Kdjccf32.exe 2552 Kdjccf32.exe 1724 Knbhlkkc.exe 1724 Knbhlkkc.exe 1248 Kbgjkn32.exe 1248 Kbgjkn32.exe 1796 Kllnhg32.exe 1796 Kllnhg32.exe 940 Lkdhoc32.exe 940 Lkdhoc32.exe 1556 Ldoimh32.exe 1556 Ldoimh32.exe 2172 Ljnnko32.exe 2172 Ljnnko32.exe 1344 Mjpkqonj.exe 1344 Mjpkqonj.exe 1596 Mbkpeake.exe 1596 Mbkpeake.exe 2208 Najpll32.exe 2208 Najpll32.exe 1552 Niedqnen.exe 1552 Niedqnen.exe 1776 Nfidjbdg.exe 1776 Nfidjbdg.exe 1788 Nbpeoc32.exe 1788 Nbpeoc32.exe 1200 Oagoep32.exe 1200 Oagoep32.exe 2284 Okpcoe32.exe 2284 Okpcoe32.exe 2076 Olophhjd.exe 2076 Olophhjd.exe 1716 Odmabj32.exe 1716 Odmabj32.exe 2764 Oijjka32.exe 2764 Oijjka32.exe 2688 Pgnjde32.exe 2688 Pgnjde32.exe 2768 Pnjofo32.exe 2768 Pnjofo32.exe 2912 Pgbdodnh.exe 2912 Pgbdodnh.exe 2576 Palepb32.exe 2576 Palepb32.exe 2484 Pkdihhag.exe 2484 Pkdihhag.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ljpqlqmd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Meffjjln.exe Mddibb32.exe File created C:\Windows\SysWOW64\Ndkacjme.dll Process not Found File created C:\Windows\SysWOW64\Npabemib.dll Bpboinpd.exe File created C:\Windows\SysWOW64\Enfbchek.dll Process not Found File created C:\Windows\SysWOW64\Engplgdp.dll Fmaqgaae.exe File created C:\Windows\SysWOW64\Meljbqna.exe Mkgeehnl.exe File opened for modification C:\Windows\SysWOW64\Fnadkjlc.exe Ffjljmla.exe File opened for modification C:\Windows\SysWOW64\Qfkgdd32.exe Qpaohjkk.exe File created C:\Windows\SysWOW64\Lgiobadq.exe Ljeoimeg.exe File opened for modification C:\Windows\SysWOW64\Kihpmnbb.exe Kfidqb32.exe File opened for modification C:\Windows\SysWOW64\Oecnkk32.exe Onmfin32.exe File created C:\Windows\SysWOW64\Ajapoqmf.exe Acggbffj.exe File opened for modification C:\Windows\SysWOW64\Ceacoqfi.exe Cdqfgh32.exe File opened for modification C:\Windows\SysWOW64\Neghdg32.exe Nkbcgnie.exe File created C:\Windows\SysWOW64\Odaqikaa.exe Process not Found File created C:\Windows\SysWOW64\Niedqnen.exe Najpll32.exe File opened for modification C:\Windows\SysWOW64\Lljpjchg.exe Ldokfakl.exe File created C:\Windows\SysWOW64\Kbncof32.exe Kfgcieii.exe File opened for modification C:\Windows\SysWOW64\Qackpado.exe Pdmnam32.exe File created C:\Windows\SysWOW64\Noingpnc.dll Dnkhfnck.exe File opened for modification C:\Windows\SysWOW64\Inmpklpj.exe Ihpgce32.exe File opened for modification C:\Windows\SysWOW64\Jbakpi32.exe Jldbgb32.exe File opened for modification C:\Windows\SysWOW64\Gecpnp32.exe Gmhkin32.exe File created C:\Windows\SysWOW64\Eobjmken.dll Bcfmfc32.exe File opened for modification C:\Windows\SysWOW64\Jpigonhd.exe Jklnggjm.exe File created C:\Windows\SysWOW64\Achjibcl.exe Alnalh32.exe File created C:\Windows\SysWOW64\Iecdji32.exe Idbgbahq.exe File opened for modification C:\Windows\SysWOW64\Ckpckece.exe Cmkfji32.exe File created C:\Windows\SysWOW64\Ljndga32.exe Process not Found File created C:\Windows\SysWOW64\Penjdien.exe Phjjkefd.exe File created C:\Windows\SysWOW64\Cmboecje.dll Ejiadgkl.exe File created C:\Windows\SysWOW64\Qoqhncgp.exe Qgiplffm.exe File created C:\Windows\SysWOW64\Cbljgpja.exe Biceoj32.exe File created C:\Windows\SysWOW64\Obckihng.dll Process not Found File created C:\Windows\SysWOW64\Lcbkjeif.dll Process not Found File created C:\Windows\SysWOW64\Knbhlkkc.exe Kdjccf32.exe File opened for modification C:\Windows\SysWOW64\Ogohdeam.exe Oabplobe.exe File opened for modification C:\Windows\SysWOW64\Dhbdleol.exe Dfcgbb32.exe File opened for modification C:\Windows\SysWOW64\Kkmmlgik.exe Kmimcbja.exe File created C:\Windows\SysWOW64\Cfpqgmpi.dll Gidhbgag.exe File opened for modification C:\Windows\SysWOW64\Doecog32.exe Dbncjf32.exe File opened for modification C:\Windows\SysWOW64\Dfpfke32.exe Dpcnbn32.exe File created C:\Windows\SysWOW64\Mkjhmf32.dll Mhhiiloh.exe File opened for modification C:\Windows\SysWOW64\Pdecoa32.exe Phobjp32.exe File created C:\Windows\SysWOW64\Cmkfji32.exe Cgnnab32.exe File created C:\Windows\SysWOW64\Dbmiil32.dll Kbgjkn32.exe File created C:\Windows\SysWOW64\Doecog32.exe Dbncjf32.exe File created C:\Windows\SysWOW64\Akgddhmc.dll Gepafc32.exe File created C:\Windows\SysWOW64\Dmijfmfi.exe Ddaemh32.exe File opened for modification C:\Windows\SysWOW64\Fibcoalf.exe Eipgjaoi.exe File created C:\Windows\SysWOW64\Dejbqb32.exe Cpmjhk32.exe File created C:\Windows\SysWOW64\Qgnonqai.dll Docopbaf.exe File created C:\Windows\SysWOW64\Ejgeogmn.exe Edjlgq32.exe File created C:\Windows\SysWOW64\Ljeabf32.exe Lnopmegg.exe File created C:\Windows\SysWOW64\Cegfepjn.dll Kmcjedcg.exe File created C:\Windows\SysWOW64\Fnjkec32.dll Ncfmjc32.exe File opened for modification C:\Windows\SysWOW64\Iaobkf32.exe Hhfmbq32.exe File created C:\Windows\SysWOW64\Nkbcgnie.exe Nhcgkbja.exe File opened for modification C:\Windows\SysWOW64\Cpcpjbah.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ljplkonl.exe Knikfnih.exe File created C:\Windows\SysWOW64\Cplffidh.dll Gmnngl32.exe File opened for modification C:\Windows\SysWOW64\Dpjbgh32.exe Deenjpcd.exe File opened for modification C:\Windows\SysWOW64\Elbmkm32.exe Egeecf32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1428 4532 Process not Found 1315 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fichqckn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lboiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcnbhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehhfjcff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipkema32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofnpnkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oighcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enlidg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngjbb32.dll" Epeekmjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ninlepim.dll" Mojbaham.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apkihofl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kodghqop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjqfmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onipqp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpmllpef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpkibo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iamdkfnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkolakkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bedpgc32.dll" Dcmnja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jinfli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njldiiel.dll" Lbkaoalg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iokhcodo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibnqpj32.dll" Lkcgapjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Najpll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdcnhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngeogk32.dll" Bdinnqon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipollp32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dadbdkld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqmkfaia.dll" Gecpnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nglaha32.dll" Eelgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pibgfjdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlfpln32.dll" Dmecokhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbemboof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkjlbg32.dll" Jbijcgbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekkcanhb.dll" Kodghqop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmlmhlo.dll" Lgehno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obhdcanc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmdgipkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oepjoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccpqjfnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmmjebjg.dll" Llbqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncamen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkppcmjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Naionh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocdnloph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjiobnbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njnmiaib.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahpbkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgnonqai.dll" Docopbaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nadann32.dll" Celbik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkablj32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Echlmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knqcbd32.dll" Mcqombic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mchokq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iblola32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laeidfdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghlaj32.dll" Mdadjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmcilp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2748 wrote to memory of 2692 2748 b0343a75a86de0aae786e8f584563bffa905ad2b667f3b3972138a1c50ce1d4e.exe 28 PID 2748 wrote to memory of 2692 2748 b0343a75a86de0aae786e8f584563bffa905ad2b667f3b3972138a1c50ce1d4e.exe 28 PID 2748 wrote to memory of 2692 2748 b0343a75a86de0aae786e8f584563bffa905ad2b667f3b3972138a1c50ce1d4e.exe 28 PID 2748 wrote to memory of 2692 2748 b0343a75a86de0aae786e8f584563bffa905ad2b667f3b3972138a1c50ce1d4e.exe 28 PID 2692 wrote to memory of 2064 2692 Gmbfggdo.exe 29 PID 2692 wrote to memory of 2064 2692 Gmbfggdo.exe 29 PID 2692 wrote to memory of 2064 2692 Gmbfggdo.exe 29 PID 2692 wrote to memory of 2064 2692 Gmbfggdo.exe 29 PID 2064 wrote to memory of 2872 2064 Gfmgelil.exe 30 PID 2064 wrote to memory of 2872 2064 Gfmgelil.exe 30 PID 2064 wrote to memory of 2872 2064 Gfmgelil.exe 30 PID 2064 wrote to memory of 2872 2064 Gfmgelil.exe 30 PID 2872 wrote to memory of 2564 2872 Hlafnbal.exe 31 PID 2872 wrote to memory of 2564 2872 Hlafnbal.exe 31 PID 2872 wrote to memory of 2564 2872 Hlafnbal.exe 31 PID 2872 wrote to memory of 2564 2872 Hlafnbal.exe 31 PID 2564 wrote to memory of 2700 2564 Hmeolj32.exe 32 PID 2564 wrote to memory of 2700 2564 Hmeolj32.exe 32 PID 2564 wrote to memory of 2700 2564 Hmeolj32.exe 32 PID 2564 wrote to memory of 2700 2564 Hmeolj32.exe 32 PID 2700 wrote to memory of 2524 2700 Ihmpobck.exe 33 PID 2700 wrote to memory of 2524 2700 Ihmpobck.exe 33 PID 2700 wrote to memory of 2524 2700 Ihmpobck.exe 33 PID 2700 wrote to memory of 2524 2700 Ihmpobck.exe 33 PID 2524 wrote to memory of 2420 2524 Ifdjeoep.exe 34 PID 2524 wrote to memory of 2420 2524 Ifdjeoep.exe 34 PID 2524 wrote to memory of 2420 2524 Ifdjeoep.exe 34 PID 2524 wrote to memory of 2420 2524 Ifdjeoep.exe 34 PID 2420 wrote to memory of 1012 2420 Jlelhe32.exe 35 PID 2420 wrote to memory of 1012 2420 Jlelhe32.exe 35 PID 2420 wrote to memory of 1012 2420 Jlelhe32.exe 35 PID 2420 wrote to memory of 1012 2420 Jlelhe32.exe 35 PID 1012 wrote to memory of 2552 1012 Jaeafklf.exe 36 PID 1012 wrote to memory of 2552 1012 Jaeafklf.exe 36 PID 1012 wrote to memory of 2552 1012 Jaeafklf.exe 36 PID 1012 wrote to memory of 2552 1012 Jaeafklf.exe 36 PID 2552 wrote to memory of 1724 2552 Kdjccf32.exe 37 PID 2552 wrote to memory of 1724 2552 Kdjccf32.exe 37 PID 2552 wrote to memory of 1724 2552 Kdjccf32.exe 37 PID 2552 wrote to memory of 1724 2552 Kdjccf32.exe 37 PID 1724 wrote to memory of 1248 1724 Knbhlkkc.exe 38 PID 1724 wrote to memory of 1248 1724 Knbhlkkc.exe 38 PID 1724 wrote to memory of 1248 1724 Knbhlkkc.exe 38 PID 1724 wrote to memory of 1248 1724 Knbhlkkc.exe 38 PID 1248 wrote to memory of 1796 1248 Kbgjkn32.exe 39 PID 1248 wrote to memory of 1796 1248 Kbgjkn32.exe 39 PID 1248 wrote to memory of 1796 1248 Kbgjkn32.exe 39 PID 1248 wrote to memory of 1796 1248 Kbgjkn32.exe 39 PID 1796 wrote to memory of 940 1796 Kllnhg32.exe 40 PID 1796 wrote to memory of 940 1796 Kllnhg32.exe 40 PID 1796 wrote to memory of 940 1796 Kllnhg32.exe 40 PID 1796 wrote to memory of 940 1796 Kllnhg32.exe 40 PID 940 wrote to memory of 1556 940 Lkdhoc32.exe 41 PID 940 wrote to memory of 1556 940 Lkdhoc32.exe 41 PID 940 wrote to memory of 1556 940 Lkdhoc32.exe 41 PID 940 wrote to memory of 1556 940 Lkdhoc32.exe 41 PID 1556 wrote to memory of 2172 1556 Ldoimh32.exe 42 PID 1556 wrote to memory of 2172 1556 Ldoimh32.exe 42 PID 1556 wrote to memory of 2172 1556 Ldoimh32.exe 42 PID 1556 wrote to memory of 2172 1556 Ldoimh32.exe 42 PID 2172 wrote to memory of 1344 2172 Ljnnko32.exe 43 PID 2172 wrote to memory of 1344 2172 Ljnnko32.exe 43 PID 2172 wrote to memory of 1344 2172 Ljnnko32.exe 43 PID 2172 wrote to memory of 1344 2172 Ljnnko32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\b0343a75a86de0aae786e8f584563bffa905ad2b667f3b3972138a1c50ce1d4e.exe"C:\Users\Admin\AppData\Local\Temp\b0343a75a86de0aae786e8f584563bffa905ad2b667f3b3972138a1c50ce1d4e.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Gmbfggdo.exeC:\Windows\system32\Gmbfggdo.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Hlafnbal.exeC:\Windows\system32\Hlafnbal.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Hmeolj32.exeC:\Windows\system32\Hmeolj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Ihmpobck.exeC:\Windows\system32\Ihmpobck.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Ifdjeoep.exeC:\Windows\system32\Ifdjeoep.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Jlelhe32.exeC:\Windows\system32\Jlelhe32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Jaeafklf.exeC:\Windows\system32\Jaeafklf.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Kdjccf32.exeC:\Windows\system32\Kdjccf32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Kbgjkn32.exeC:\Windows\system32\Kbgjkn32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Lkdhoc32.exeC:\Windows\system32\Lkdhoc32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Windows\SysWOW64\Ldoimh32.exeC:\Windows\system32\Ldoimh32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Ljnnko32.exeC:\Windows\system32\Ljnnko32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Mjpkqonj.exeC:\Windows\system32\Mjpkqonj.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1344 -
C:\Windows\SysWOW64\Mbkpeake.exeC:\Windows\system32\Mbkpeake.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2208 -
C:\Windows\SysWOW64\Niedqnen.exeC:\Windows\system32\Niedqnen.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1552 -
C:\Windows\SysWOW64\Nfidjbdg.exeC:\Windows\system32\Nfidjbdg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1776 -
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1788 -
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1200 -
C:\Windows\SysWOW64\Okpcoe32.exeC:\Windows\system32\Okpcoe32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2284 -
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2076 -
C:\Windows\SysWOW64\Odmabj32.exeC:\Windows\system32\Odmabj32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1716 -
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Windows\SysWOW64\Pgnjde32.exeC:\Windows\system32\Pgnjde32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2688 -
C:\Windows\SysWOW64\Pnjofo32.exeC:\Windows\system32\Pnjofo32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Pgbdodnh.exeC:\Windows\system32\Pgbdodnh.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2912 -
C:\Windows\SysWOW64\Palepb32.exeC:\Windows\system32\Palepb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Pkdihhag.exeC:\Windows\system32\Pkdihhag.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Pdmnam32.exeC:\Windows\system32\Pdmnam32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe34⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Abegfa32.exeC:\Windows\system32\Abegfa32.exe35⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Acfdnihk.exeC:\Windows\system32\Acfdnihk.exe36⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Aciqcifh.exeC:\Windows\system32\Aciqcifh.exe37⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Aqmamm32.exeC:\Windows\system32\Aqmamm32.exe38⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Aggiigmn.exeC:\Windows\system32\Aggiigmn.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Amcbankf.exeC:\Windows\system32\Amcbankf.exe40⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Aijbfo32.exeC:\Windows\system32\Aijbfo32.exe41⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Akiobk32.exeC:\Windows\system32\Akiobk32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Bfncpcoc.exeC:\Windows\system32\Bfncpcoc.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:288 -
C:\Windows\SysWOW64\Bofgii32.exeC:\Windows\system32\Bofgii32.exe44⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Bgblmk32.exeC:\Windows\system32\Bgblmk32.exe45⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Bnqned32.exeC:\Windows\system32\Bnqned32.exe46⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Cjgoje32.exeC:\Windows\system32\Cjgoje32.exe47⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Cfnoogbo.exeC:\Windows\system32\Cfnoogbo.exe48⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Cacclpae.exeC:\Windows\system32\Cacclpae.exe49⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Ciohqa32.exeC:\Windows\system32\Ciohqa32.exe50⤵
- Executes dropped EXE
PID:652 -
C:\Windows\SysWOW64\Ccdmnj32.exeC:\Windows\system32\Ccdmnj32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Cpkmcldj.exeC:\Windows\system32\Cpkmcldj.exe52⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Cehfkb32.exeC:\Windows\system32\Cehfkb32.exe53⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Cpmjhk32.exeC:\Windows\system32\Cpmjhk32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2272 -
C:\Windows\SysWOW64\Dejbqb32.exeC:\Windows\system32\Dejbqb32.exe55⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Dbncjf32.exeC:\Windows\system32\Dbncjf32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Doecog32.exeC:\Windows\system32\Doecog32.exe57⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Dfphcj32.exeC:\Windows\system32\Dfphcj32.exe58⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Dmjqpdje.exeC:\Windows\system32\Dmjqpdje.exe59⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Dddimn32.exeC:\Windows\system32\Dddimn32.exe60⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Dpkibo32.exeC:\Windows\system32\Dpkibo32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Dgeaoinb.exeC:\Windows\system32\Dgeaoinb.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Dmojkc32.exeC:\Windows\system32\Dmojkc32.exe63⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Edibhmml.exeC:\Windows\system32\Edibhmml.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Eiekpd32.exeC:\Windows\system32\Eiekpd32.exe65⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Eobchk32.exeC:\Windows\system32\Eobchk32.exe66⤵PID:1484
-
C:\Windows\SysWOW64\Eelkeeah.exeC:\Windows\system32\Eelkeeah.exe67⤵PID:1036
-
C:\Windows\SysWOW64\Ecploipa.exeC:\Windows\system32\Ecploipa.exe68⤵PID:2124
-
C:\Windows\SysWOW64\Ehmdgp32.exeC:\Windows\system32\Ehmdgp32.exe69⤵PID:3004
-
C:\Windows\SysWOW64\Eogmcjef.exeC:\Windows\system32\Eogmcjef.exe70⤵PID:2320
-
C:\Windows\SysWOW64\Ehpalp32.exeC:\Windows\system32\Ehpalp32.exe71⤵PID:2924
-
C:\Windows\SysWOW64\Enlidg32.exeC:\Windows\system32\Enlidg32.exe72⤵
- Modifies registry class
PID:1052 -
C:\Windows\SysWOW64\Fkpjnkig.exeC:\Windows\system32\Fkpjnkig.exe73⤵PID:1508
-
C:\Windows\SysWOW64\Fqdiga32.exeC:\Windows\system32\Fqdiga32.exe74⤵PID:2896
-
C:\Windows\SysWOW64\Fmkilb32.exeC:\Windows\system32\Fmkilb32.exe75⤵PID:2836
-
C:\Windows\SysWOW64\Ghajacmo.exeC:\Windows\system32\Ghajacmo.exe76⤵PID:2640
-
C:\Windows\SysWOW64\Gmpcgace.exeC:\Windows\system32\Gmpcgace.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2448 -
C:\Windows\SysWOW64\Gblkoham.exeC:\Windows\system32\Gblkoham.exe78⤵PID:2596
-
C:\Windows\SysWOW64\Ggicgopd.exeC:\Windows\system32\Ggicgopd.exe79⤵PID:2232
-
C:\Windows\SysWOW64\Gbohehoj.exeC:\Windows\system32\Gbohehoj.exe80⤵PID:2236
-
C:\Windows\SysWOW64\Giipab32.exeC:\Windows\system32\Giipab32.exe81⤵PID:1732
-
C:\Windows\SysWOW64\Gjjmijme.exeC:\Windows\system32\Gjjmijme.exe82⤵PID:1372
-
C:\Windows\SysWOW64\Gepafc32.exeC:\Windows\system32\Gepafc32.exe83⤵
- Drops file in System32 directory
PID:1520 -
C:\Windows\SysWOW64\Hjlioj32.exeC:\Windows\system32\Hjlioj32.exe84⤵PID:3052
-
C:\Windows\SysWOW64\Hgpjhn32.exeC:\Windows\system32\Hgpjhn32.exe85⤵PID:1548
-
C:\Windows\SysWOW64\Hmmbqegc.exeC:\Windows\system32\Hmmbqegc.exe86⤵PID:792
-
C:\Windows\SysWOW64\Hcgjmo32.exeC:\Windows\system32\Hcgjmo32.exe87⤵PID:1820
-
C:\Windows\SysWOW64\Hjacjifm.exeC:\Windows\system32\Hjacjifm.exe88⤵PID:1680
-
C:\Windows\SysWOW64\Hcigco32.exeC:\Windows\system32\Hcigco32.exe89⤵PID:2296
-
C:\Windows\SysWOW64\Hjcppidk.exeC:\Windows\system32\Hjcppidk.exe90⤵PID:2852
-
C:\Windows\SysWOW64\Hldlga32.exeC:\Windows\system32\Hldlga32.exe91⤵PID:2508
-
C:\Windows\SysWOW64\Hboddk32.exeC:\Windows\system32\Hboddk32.exe92⤵PID:2588
-
C:\Windows\SysWOW64\Hmdhad32.exeC:\Windows\system32\Hmdhad32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2704 -
C:\Windows\SysWOW64\Iikifegp.exeC:\Windows\system32\Iikifegp.exe94⤵PID:1048
-
C:\Windows\SysWOW64\Iliebpfc.exeC:\Windows\system32\Iliebpfc.exe95⤵PID:2976
-
C:\Windows\SysWOW64\Iafnjg32.exeC:\Windows\system32\Iafnjg32.exe96⤵PID:808
-
C:\Windows\SysWOW64\Idgglb32.exeC:\Windows\system32\Idgglb32.exe97⤵PID:2004
-
C:\Windows\SysWOW64\Imokehhl.exeC:\Windows\system32\Imokehhl.exe98⤵PID:1016
-
C:\Windows\SysWOW64\Ijclol32.exeC:\Windows\system32\Ijclol32.exe99⤵PID:2328
-
C:\Windows\SysWOW64\Iamdkfnc.exeC:\Windows\system32\Iamdkfnc.exe100⤵
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Ifjlcmmj.exeC:\Windows\system32\Ifjlcmmj.exe101⤵PID:576
-
C:\Windows\SysWOW64\Jaoqqflp.exeC:\Windows\system32\Jaoqqflp.exe102⤵PID:1328
-
C:\Windows\SysWOW64\Jmfafgbd.exeC:\Windows\system32\Jmfafgbd.exe103⤵PID:2240
-
C:\Windows\SysWOW64\Jeafjiop.exeC:\Windows\system32\Jeafjiop.exe104⤵PID:2732
-
C:\Windows\SysWOW64\Jpgjgboe.exeC:\Windows\system32\Jpgjgboe.exe105⤵PID:1996
-
C:\Windows\SysWOW64\Jedcpi32.exeC:\Windows\system32\Jedcpi32.exe106⤵PID:2632
-
C:\Windows\SysWOW64\Jpigma32.exeC:\Windows\system32\Jpigma32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2992 -
C:\Windows\SysWOW64\Jefpeh32.exeC:\Windows\system32\Jefpeh32.exe108⤵PID:2620
-
C:\Windows\SysWOW64\Jondnnbk.exeC:\Windows\system32\Jondnnbk.exe109⤵PID:2624
-
C:\Windows\SysWOW64\Kdklfe32.exeC:\Windows\system32\Kdklfe32.exe110⤵PID:2648
-
C:\Windows\SysWOW64\Koaqcn32.exeC:\Windows\system32\Koaqcn32.exe111⤵PID:2848
-
C:\Windows\SysWOW64\Kglehp32.exeC:\Windows\system32\Kglehp32.exe112⤵PID:2396
-
C:\Windows\SysWOW64\Kpdjaecc.exeC:\Windows\system32\Kpdjaecc.exe113⤵PID:1816
-
C:\Windows\SysWOW64\Kgnbnpkp.exeC:\Windows\system32\Kgnbnpkp.exe114⤵PID:1964
-
C:\Windows\SysWOW64\Kadfkhkf.exeC:\Windows\system32\Kadfkhkf.exe115⤵PID:2140
-
C:\Windows\SysWOW64\Kcecbq32.exeC:\Windows\system32\Kcecbq32.exe116⤵PID:2728
-
C:\Windows\SysWOW64\Kcgphp32.exeC:\Windows\system32\Kcgphp32.exe117⤵PID:932
-
C:\Windows\SysWOW64\Klpdaf32.exeC:\Windows\system32\Klpdaf32.exe118⤵PID:1792
-
C:\Windows\SysWOW64\Lgehno32.exeC:\Windows\system32\Lgehno32.exe119⤵
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Llbqfe32.exeC:\Windows\system32\Llbqfe32.exe120⤵
- Modifies registry class
PID:804 -
C:\Windows\SysWOW64\Lboiol32.exeC:\Windows\system32\Lboiol32.exe121⤵
- Modifies registry class
PID:2736
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-