Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
17/05/2024, 14:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
34b21e6fcb38a5c6f7d98ea95092eb8f.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
34b21e6fcb38a5c6f7d98ea95092eb8f.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
34b21e6fcb38a5c6f7d98ea95092eb8f.exe
-
Size
224KB
-
MD5
34b21e6fcb38a5c6f7d98ea95092eb8f
-
SHA1
16aa83b5d609e11f9d612b6bb81d02aac1c1ac37
-
SHA256
38d2b8d5e4721401d33a15514edec77c8d395dd98cb8a163d42db0884cd068e4
-
SHA512
57364b7de5f5f9f46e79924f981261e9eaea2ba1cb71ebdc46607a17b3a2513863ff5b58f5b405640a8cb10c4010896283aaf6c4677325f9e1894d7a18b66417
-
SSDEEP
6144:V1SV9tRKoZMXE4f9FIUpOVw86CmOJfTo9FIUIhrcflDML:m3toBUaAD6RrI1+lDML
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bkdmcdoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onhgbmfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pgplkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anccmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bghjhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddigjkid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pbmmcq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiqbndpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mhgmapfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncgdbmmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caknol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eibbcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djpmccqq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfbkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nkiogn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doehqead.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gaqcoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kngfih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Loeebl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lojomkdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpecfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efaibbij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dgodbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlphkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqhpdhcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gonnhhln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnqphi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kfbkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nglfapnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qedhdjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Epfhbign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ghhofmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ghkllmoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hodpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnclnihj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpphap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbgbni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgbggnhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldidkbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ccngld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjdbnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgljbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ojahnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bocolb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ecejkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndkmpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anlmmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiinen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbflib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cllpkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Djnpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ilknfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcdnao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llkbap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pfjbgnme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebmgcohn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Egjpkffe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejhlgaeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbokmqie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajdadamj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpjiajeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Flmefm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmjaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hlhaqogk.exe -
Executes dropped EXE 64 IoCs
pid Process 1804 Pmqdkj32.exe 2640 Pbmmcq32.exe 2712 Pelipl32.exe 1276 Qbbfopeg.exe 2676 Qjmkcbcb.exe 2508 Qecoqk32.exe 2976 Ankdiqih.exe 2988 Affhncfc.exe 1536 Aalmklfi.exe 2584 Ajdadamj.exe 1948 Admemg32.exe 2728 Aiinen32.exe 832 Afmonbqk.exe 1616 Ailkjmpo.exe 2192 Bhahlj32.exe 1092 Bbflib32.exe 2468 Bdjefj32.exe 2380 Bkdmcdoe.exe 1364 Bpafkknm.exe 1344 Bhhnli32.exe 2184 Bnefdp32.exe 552 Bpcbqk32.exe 1740 Cljcelan.exe 540 Cgpgce32.exe 1796 Cllpkl32.exe 2212 Cgbdhd32.exe 3056 Cpjiajeb.exe 2636 Comimg32.exe 2624 Cjbmjplb.exe 2656 Ckdjbh32.exe 2780 Ckffgg32.exe 2572 Cobbhfhg.exe 1376 Dgmglh32.exe 1780 Dngoibmo.exe 2092 Dqelenlc.exe 2004 Dgodbh32.exe 328 Djnpnc32.exe 1952 Djpmccqq.exe 1924 Dchali32.exe 1568 Djbiicon.exe 1504 Dnneja32.exe 1096 Dfijnd32.exe 824 Eihfjo32.exe 2188 Epaogi32.exe 2132 Eflgccbp.exe 2044 Eijcpoac.exe 888 Ekholjqg.exe 3008 Efncicpm.exe 1828 Eilpeooq.exe 1416 Epfhbign.exe 2220 Ebedndfa.exe 2800 Egamfkdh.exe 2760 Epieghdk.exe 2504 Eajaoq32.exe 2632 Eiaiqn32.exe 2608 Ejbfhfaj.exe 2392 Ebinic32.exe 2252 Fhffaj32.exe 2812 Fjdbnf32.exe 1928 Fejgko32.exe 2720 Fjgoce32.exe 1572 Fmekoalh.exe 1752 Faagpp32.exe 576 Fdoclk32.exe -
Loads dropped DLL 64 IoCs
pid Process 616 34b21e6fcb38a5c6f7d98ea95092eb8f.exe 616 34b21e6fcb38a5c6f7d98ea95092eb8f.exe 1804 Pmqdkj32.exe 1804 Pmqdkj32.exe 2640 Pbmmcq32.exe 2640 Pbmmcq32.exe 2712 Pelipl32.exe 2712 Pelipl32.exe 1276 Qbbfopeg.exe 1276 Qbbfopeg.exe 2676 Qjmkcbcb.exe 2676 Qjmkcbcb.exe 2508 Qecoqk32.exe 2508 Qecoqk32.exe 2976 Ankdiqih.exe 2976 Ankdiqih.exe 2988 Affhncfc.exe 2988 Affhncfc.exe 1536 Aalmklfi.exe 1536 Aalmklfi.exe 2584 Ajdadamj.exe 2584 Ajdadamj.exe 1948 Admemg32.exe 1948 Admemg32.exe 2728 Aiinen32.exe 2728 Aiinen32.exe 832 Afmonbqk.exe 832 Afmonbqk.exe 1616 Ailkjmpo.exe 1616 Ailkjmpo.exe 2192 Bhahlj32.exe 2192 Bhahlj32.exe 1092 Bbflib32.exe 1092 Bbflib32.exe 2468 Bdjefj32.exe 2468 Bdjefj32.exe 2380 Bkdmcdoe.exe 2380 Bkdmcdoe.exe 1364 Bpafkknm.exe 1364 Bpafkknm.exe 1344 Bhhnli32.exe 1344 Bhhnli32.exe 2184 Bnefdp32.exe 2184 Bnefdp32.exe 552 Bpcbqk32.exe 552 Bpcbqk32.exe 1740 Cljcelan.exe 1740 Cljcelan.exe 540 Cgpgce32.exe 540 Cgpgce32.exe 1796 Cllpkl32.exe 1796 Cllpkl32.exe 2212 Cgbdhd32.exe 2212 Cgbdhd32.exe 3056 Cpjiajeb.exe 3056 Cpjiajeb.exe 2636 Comimg32.exe 2636 Comimg32.exe 2624 Cjbmjplb.exe 2624 Cjbmjplb.exe 2656 Ckdjbh32.exe 2656 Ckdjbh32.exe 2780 Ckffgg32.exe 2780 Ckffgg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bnpmlfkm.dll Ebedndfa.exe File opened for modification C:\Windows\SysWOW64\Ilknfn32.exe Idceea32.exe File created C:\Windows\SysWOW64\Gqncakcq.dll Lliflp32.exe File created C:\Windows\SysWOW64\Dgmglh32.exe Cobbhfhg.exe File created C:\Windows\SysWOW64\Flmefm32.exe Fjlhneio.exe File created C:\Windows\SysWOW64\Eeoliecf.dll Jbjochdi.exe File created C:\Windows\SysWOW64\Onhgbmfb.exe Okikfagn.exe File opened for modification C:\Windows\SysWOW64\Blgpef32.exe Biicik32.exe File created C:\Windows\SysWOW64\Mhfkbo32.dll Hacmcfge.exe File opened for modification C:\Windows\SysWOW64\Inngcfid.exe Ihankokm.exe File created C:\Windows\SysWOW64\Copeil32.dll Jicgpb32.exe File created C:\Windows\SysWOW64\Mmahdggc.exe Mkclhl32.exe File opened for modification C:\Windows\SysWOW64\Bdgafdfp.exe Bpleef32.exe File created C:\Windows\SysWOW64\Qecoqk32.exe Qjmkcbcb.exe File created C:\Windows\SysWOW64\Ognnoaka.dll Bpcbqk32.exe File opened for modification C:\Windows\SysWOW64\Ebedndfa.exe Epfhbign.exe File created C:\Windows\SysWOW64\Odoghjmf.dll Ikbgmj32.exe File opened for modification C:\Windows\SysWOW64\Gopkmhjk.exe Ghfbqn32.exe File opened for modification C:\Windows\SysWOW64\Biicik32.exe Bbokmqie.exe File created C:\Windows\SysWOW64\Gphmeo32.exe Gmjaic32.exe File created C:\Windows\SysWOW64\Fkckeh32.exe Fmpkjkma.exe File created C:\Windows\SysWOW64\Jnqphi32.exe Jonplmcb.exe File created C:\Windows\SysWOW64\Kemejc32.exe Kaaijdgn.exe File created C:\Windows\SysWOW64\Lghniakc.dll Olmhdf32.exe File created C:\Windows\SysWOW64\Qbelgood.exe Qpgpkcpp.exe File created C:\Windows\SysWOW64\Efaibbij.exe Eccmffjf.exe File opened for modification C:\Windows\SysWOW64\Fjlhneio.exe Fpfdalii.exe File created C:\Windows\SysWOW64\Enbfpg32.dll Pgplkb32.exe File created C:\Windows\SysWOW64\Jicdaj32.dll Qimhoi32.exe File opened for modification C:\Windows\SysWOW64\Jifdebic.exe Jbllihbf.exe File created C:\Windows\SysWOW64\Gokfbfnk.dll Naoniipe.exe File opened for modification C:\Windows\SysWOW64\Olpdjf32.exe Ojahnj32.exe File created C:\Windows\SysWOW64\Befkmkob.dll Anlmmp32.exe File opened for modification C:\Windows\SysWOW64\Mgnfhlin.exe Mmfbogcn.exe File created C:\Windows\SysWOW64\Aefeijle.exe Anlmmp32.exe File created C:\Windows\SysWOW64\Acmmle32.dll Aibajhdn.exe File created C:\Windows\SysWOW64\Fddmgjpo.exe Flmefm32.exe File opened for modification C:\Windows\SysWOW64\Gkkemh32.exe Geolea32.exe File created C:\Windows\SysWOW64\Oacima32.dll Mihiih32.exe File created C:\Windows\SysWOW64\Omdneebf.exe Ohibdf32.exe File created C:\Windows\SysWOW64\Pbmmcq32.exe Pmqdkj32.exe File opened for modification C:\Windows\SysWOW64\Eiaiqn32.exe Eajaoq32.exe File created C:\Windows\SysWOW64\Jkoginch.dll Fejgko32.exe File opened for modification C:\Windows\SysWOW64\Kaaijdgn.exe Jnclnihj.exe File opened for modification C:\Windows\SysWOW64\Bdjefj32.exe Bbflib32.exe File opened for modification C:\Windows\SysWOW64\Djpmccqq.exe Djnpnc32.exe File created C:\Windows\SysWOW64\Mcegmm32.exe Moiklogi.exe File opened for modification C:\Windows\SysWOW64\Ojahnj32.exe Ogblbo32.exe File created C:\Windows\SysWOW64\Biicik32.exe Bbokmqie.exe File opened for modification C:\Windows\SysWOW64\Bkdmcdoe.exe Bdjefj32.exe File created C:\Windows\SysWOW64\Nobdlg32.dll Djpmccqq.exe File created C:\Windows\SysWOW64\Gobgcg32.exe Ghhofmql.exe File opened for modification C:\Windows\SysWOW64\Ihankokm.exe Idfbkq32.exe File opened for modification C:\Windows\SysWOW64\Maoajf32.exe Mihiih32.exe File created C:\Windows\SysWOW64\Cbnnqb32.dll Pjcabmga.exe File created C:\Windows\SysWOW64\Qjjgclai.exe Qbcpbo32.exe File created C:\Windows\SysWOW64\Ooghhh32.dll Ghkllmoi.exe File opened for modification C:\Windows\SysWOW64\Kmaled32.exe Kcihlong.exe File created C:\Windows\SysWOW64\Mpdcoomf.dll Chpmpg32.exe File created C:\Windows\SysWOW64\Effcma32.exe Echfaf32.exe File opened for modification C:\Windows\SysWOW64\Admemg32.exe Ajdadamj.exe File created C:\Windows\SysWOW64\Epfhbign.exe Eilpeooq.exe File opened for modification C:\Windows\SysWOW64\Djnpnc32.exe Dgodbh32.exe File created C:\Windows\SysWOW64\Oadqjk32.dll Dgodbh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4604 4580 WerFault.exe 357 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjdk32.dll" Gmjaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldflna32.dll" Jqfffqpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lliflp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Efaibbij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bhahlj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ocnfbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqhmfm32.dll" Ncgdbmmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Chpmpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckgkkllh.dll" Dhbfdjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fjgoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnkge32.dll" Gmgdddmq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jbllihbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kcihlong.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfknpg.dll" Fhffaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Egjpkffe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongbcmlc.dll" Fjgoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqelfddi.dll" Dhpiojfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jkdpanhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Loeebl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pbhmnkjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bdeeqehb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pgplkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmpfojmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dglpbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cljcelan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hiqbndpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mkclhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nondgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ajjcbpdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Faagpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jqdipqbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Llkbap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Amkpegnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aonghnnp.dll" Ncjqhmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehkdaf32.dll" Pnjdhmdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eibbcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Efncicpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll" Idceea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqehhb32.dll" Mmahdggc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nceclqan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Peiepfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pjenhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgicjg32.dll" Ecejkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 34b21e6fcb38a5c6f7d98ea95092eb8f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cgpgce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Idfbkq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kbqecg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffihah32.dll" Ckffgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifjeknjd.dll" Anojbobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qecoqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ekholjqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll" Hhjhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ealffeej.dll" Pbmmcq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lbcnhjnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbkkjih.dll" Mgnfhlin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ndmjedoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pamiog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bdgafdfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gbijhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Geolea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mkclhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jicdaj32.dll" Qimhoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bmpfojmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fmekoalh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 616 wrote to memory of 1804 616 34b21e6fcb38a5c6f7d98ea95092eb8f.exe 28 PID 616 wrote to memory of 1804 616 34b21e6fcb38a5c6f7d98ea95092eb8f.exe 28 PID 616 wrote to memory of 1804 616 34b21e6fcb38a5c6f7d98ea95092eb8f.exe 28 PID 616 wrote to memory of 1804 616 34b21e6fcb38a5c6f7d98ea95092eb8f.exe 28 PID 1804 wrote to memory of 2640 1804 Pmqdkj32.exe 29 PID 1804 wrote to memory of 2640 1804 Pmqdkj32.exe 29 PID 1804 wrote to memory of 2640 1804 Pmqdkj32.exe 29 PID 1804 wrote to memory of 2640 1804 Pmqdkj32.exe 29 PID 2640 wrote to memory of 2712 2640 Pbmmcq32.exe 30 PID 2640 wrote to memory of 2712 2640 Pbmmcq32.exe 30 PID 2640 wrote to memory of 2712 2640 Pbmmcq32.exe 30 PID 2640 wrote to memory of 2712 2640 Pbmmcq32.exe 30 PID 2712 wrote to memory of 1276 2712 Pelipl32.exe 31 PID 2712 wrote to memory of 1276 2712 Pelipl32.exe 31 PID 2712 wrote to memory of 1276 2712 Pelipl32.exe 31 PID 2712 wrote to memory of 1276 2712 Pelipl32.exe 31 PID 1276 wrote to memory of 2676 1276 Qbbfopeg.exe 32 PID 1276 wrote to memory of 2676 1276 Qbbfopeg.exe 32 PID 1276 wrote to memory of 2676 1276 Qbbfopeg.exe 32 PID 1276 wrote to memory of 2676 1276 Qbbfopeg.exe 32 PID 2676 wrote to memory of 2508 2676 Qjmkcbcb.exe 33 PID 2676 wrote to memory of 2508 2676 Qjmkcbcb.exe 33 PID 2676 wrote to memory of 2508 2676 Qjmkcbcb.exe 33 PID 2676 wrote to memory of 2508 2676 Qjmkcbcb.exe 33 PID 2508 wrote to memory of 2976 2508 Qecoqk32.exe 34 PID 2508 wrote to memory of 2976 2508 Qecoqk32.exe 34 PID 2508 wrote to memory of 2976 2508 Qecoqk32.exe 34 PID 2508 wrote to memory of 2976 2508 Qecoqk32.exe 34 PID 2976 wrote to memory of 2988 2976 Ankdiqih.exe 35 PID 2976 wrote to memory of 2988 2976 Ankdiqih.exe 35 PID 2976 wrote to memory of 2988 2976 Ankdiqih.exe 35 PID 2976 wrote to memory of 2988 2976 Ankdiqih.exe 35 PID 2988 wrote to memory of 1536 2988 Affhncfc.exe 36 PID 2988 wrote to memory of 1536 2988 Affhncfc.exe 36 PID 2988 wrote to memory of 1536 2988 Affhncfc.exe 36 PID 2988 wrote to memory of 1536 2988 Affhncfc.exe 36 PID 1536 wrote to memory of 2584 1536 Aalmklfi.exe 37 PID 1536 wrote to memory of 2584 1536 Aalmklfi.exe 37 PID 1536 wrote to memory of 2584 1536 Aalmklfi.exe 37 PID 1536 wrote to memory of 2584 1536 Aalmklfi.exe 37 PID 2584 wrote to memory of 1948 2584 Ajdadamj.exe 38 PID 2584 wrote to memory of 1948 2584 Ajdadamj.exe 38 PID 2584 wrote to memory of 1948 2584 Ajdadamj.exe 38 PID 2584 wrote to memory of 1948 2584 Ajdadamj.exe 38 PID 1948 wrote to memory of 2728 1948 Admemg32.exe 39 PID 1948 wrote to memory of 2728 1948 Admemg32.exe 39 PID 1948 wrote to memory of 2728 1948 Admemg32.exe 39 PID 1948 wrote to memory of 2728 1948 Admemg32.exe 39 PID 2728 wrote to memory of 832 2728 Aiinen32.exe 40 PID 2728 wrote to memory of 832 2728 Aiinen32.exe 40 PID 2728 wrote to memory of 832 2728 Aiinen32.exe 40 PID 2728 wrote to memory of 832 2728 Aiinen32.exe 40 PID 832 wrote to memory of 1616 832 Afmonbqk.exe 41 PID 832 wrote to memory of 1616 832 Afmonbqk.exe 41 PID 832 wrote to memory of 1616 832 Afmonbqk.exe 41 PID 832 wrote to memory of 1616 832 Afmonbqk.exe 41 PID 1616 wrote to memory of 2192 1616 Ailkjmpo.exe 42 PID 1616 wrote to memory of 2192 1616 Ailkjmpo.exe 42 PID 1616 wrote to memory of 2192 1616 Ailkjmpo.exe 42 PID 1616 wrote to memory of 2192 1616 Ailkjmpo.exe 42 PID 2192 wrote to memory of 1092 2192 Bhahlj32.exe 43 PID 2192 wrote to memory of 1092 2192 Bhahlj32.exe 43 PID 2192 wrote to memory of 1092 2192 Bhahlj32.exe 43 PID 2192 wrote to memory of 1092 2192 Bhahlj32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\34b21e6fcb38a5c6f7d98ea95092eb8f.exe"C:\Users\Admin\AppData\Local\Temp\34b21e6fcb38a5c6f7d98ea95092eb8f.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:616 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1092 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1364 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1344 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2184 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:552 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:540 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1796 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3056 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe34⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe35⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe36⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:328 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1952 -
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe40⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe41⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe42⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe43⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe44⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe45⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe46⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe47⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1828 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1416 -
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe53⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe54⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe56⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe57⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe58⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2252 -
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1928 -
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe65⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe66⤵PID:1968
-
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe67⤵PID:444
-
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe68⤵
- Drops file in System32 directory
PID:2276 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe69⤵
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:872 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe71⤵PID:2296
-
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe72⤵PID:2232
-
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe73⤵PID:2784
-
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe74⤵PID:2500
-
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3028 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe76⤵
- Modifies registry class
PID:1240 -
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe77⤵PID:1988
-
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe78⤵
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe79⤵PID:1520
-
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe80⤵PID:2476
-
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe81⤵PID:1788
-
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe83⤵PID:2236
-
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:604 -
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:624 -
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe86⤵PID:2588
-
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe87⤵
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe88⤵
- Drops file in System32 directory
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe89⤵PID:1048
-
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe91⤵PID:2536
-
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe93⤵PID:1844
-
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe94⤵PID:2836
-
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe95⤵PID:1676
-
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe96⤵PID:1460
-
C:\Windows\SysWOW64\Hiekid32.exeC:\Windows\system32\Hiekid32.exe97⤵PID:1124
-
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe98⤵PID:1732
-
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe99⤵PID:1916
-
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe100⤵PID:2944
-
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe101⤵
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1744 -
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe103⤵
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe104⤵PID:2748
-
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1624 -
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe106⤵PID:1748
-
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe107⤵PID:2032
-
C:\Windows\SysWOW64\Idceea32.exeC:\Windows\system32\Idceea32.exe108⤵
- Drops file in System32 directory
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2820 -
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe110⤵PID:268
-
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe111⤵
- Drops file in System32 directory
- Modifies registry class
PID:748 -
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe112⤵
- Drops file in System32 directory
PID:1088 -
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe113⤵PID:1848
-
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe114⤵PID:1940
-
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe115⤵PID:1216
-
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe116⤵
- Drops file in System32 directory
PID:1420 -
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe117⤵PID:2980
-
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe118⤵PID:2984
-
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe119⤵PID:556
-
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe120⤵PID:568
-
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe121⤵PID:2280
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-