Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
02/06/2024, 00:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9cb69ea9323009b7017646e816404ae11f9b8325994192549e7f2d88b7fa90e2.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
9cb69ea9323009b7017646e816404ae11f9b8325994192549e7f2d88b7fa90e2.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
9cb69ea9323009b7017646e816404ae11f9b8325994192549e7f2d88b7fa90e2.exe
-
Size
69KB
-
MD5
0d2f206777e31d9ebc434fd961bb4690
-
SHA1
0219634c78b95dfa0130f213fede6d9525761cdd
-
SHA256
9cb69ea9323009b7017646e816404ae11f9b8325994192549e7f2d88b7fa90e2
-
SHA512
7bf73178f5185943adc523a91fbbf83199f42f23a0575ac6edafaa9c2c9d8a35f5dafb046f934a618bc8fb5f382387955c877133ba250e4d63bd6375432fd462
-
SSDEEP
1536:USq9/IP6O0xoAB36eVqGfoM1Hfrrf4ONein/GFZCeDAyY:USu/7xoAB36eVqx4zrf9NFn/GFZC1yY
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Echfaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmceigep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bioqclil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejkima32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lollckbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Behnnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhdcji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhffaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loeebl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lliflp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgnnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lliflp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjcabmga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfenbpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhffaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbgmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbgmbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbelgood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efncicpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaqcoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcnpbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gacpdbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leonofpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oclilp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdikkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqlafm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcifgjgc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhigphio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfegbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhigphio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dglpbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iknnbklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lajhofao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkndaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajejgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dglpbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dchali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ennaieib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gicbeald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkbhgojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkiogn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djpmccqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpfdalii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmopod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lollckbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nehmdhja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqmmpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpafkknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjfccn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pggbla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbcpbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djmicm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnoomqbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feeiob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meccii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbhmnkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghmiam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnagjbdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abmbhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olpdjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pimkpfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nceclqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joplbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kafbec32.exe -
Executes dropped EXE 64 IoCs
pid Process 2016 Bokphdld.exe 2572 Bdhhqk32.exe 2784 Bnpmipql.exe 2544 Bdjefj32.exe 2228 Bghabf32.exe 2476 Bopicc32.exe 2596 Bpafkknm.exe 2164 Bgknheej.exe 2516 Bnefdp32.exe 384 Bdooajdc.exe 1200 Cgmkmecg.exe 1732 Cljcelan.exe 844 Ccdlbf32.exe 1756 Cjndop32.exe 2404 Cllpkl32.exe 2800 Cgbdhd32.exe 592 Cjpqdp32.exe 1472 Clomqk32.exe 1420 Comimg32.exe 1144 Cfgaiaci.exe 3040 Chemfl32.exe 1828 Claifkkf.exe 1752 Cdlnkmha.exe 2024 Cobbhfhg.exe 2280 Ddokpmfo.exe 1596 Dgmglh32.exe 2152 Dkhcmgnl.exe 2660 Dngoibmo.exe 1320 Dqelenlc.exe 2608 Dgodbh32.exe 2456 Dbehoa32.exe 2600 Ddcdkl32.exe 1620 Djpmccqq.exe 2728 Dqjepm32.exe 1576 Dchali32.exe 1808 Dgdmmgpj.exe 2196 Dnneja32.exe 1636 Dqlafm32.exe 1516 Doobajme.exe 2020 Dgfjbgmh.exe 2064 Djefobmk.exe 840 Emcbkn32.exe 1476 Ecmkghcl.exe 1096 Eflgccbp.exe 2372 Emeopn32.exe 1356 Epdkli32.exe 740 Ebbgid32.exe 2192 Ebbgid32.exe 1236 Efncicpm.exe 2000 Eeqdep32.exe 2112 Ekklaj32.exe 2584 Epfhbign.exe 2984 Efppoc32.exe 2448 Eiomkn32.exe 2436 Epieghdk.exe 2592 Ebgacddo.exe 2500 Eiaiqn32.exe 1628 Eiaiqn32.exe 1508 Ejbfhfaj.exe 380 Ennaieib.exe 2216 Ealnephf.exe 1040 Fhffaj32.exe 2084 Fjdbnf32.exe 2140 Fnpnndgp.exe -
Loads dropped DLL 64 IoCs
pid Process 2972 9cb69ea9323009b7017646e816404ae11f9b8325994192549e7f2d88b7fa90e2.exe 2972 9cb69ea9323009b7017646e816404ae11f9b8325994192549e7f2d88b7fa90e2.exe 2016 Bokphdld.exe 2016 Bokphdld.exe 2572 Bdhhqk32.exe 2572 Bdhhqk32.exe 2784 Bnpmipql.exe 2784 Bnpmipql.exe 2544 Bdjefj32.exe 2544 Bdjefj32.exe 2228 Bghabf32.exe 2228 Bghabf32.exe 2476 Bopicc32.exe 2476 Bopicc32.exe 2596 Bpafkknm.exe 2596 Bpafkknm.exe 2164 Bgknheej.exe 2164 Bgknheej.exe 2516 Bnefdp32.exe 2516 Bnefdp32.exe 384 Bdooajdc.exe 384 Bdooajdc.exe 1200 Cgmkmecg.exe 1200 Cgmkmecg.exe 1732 Cljcelan.exe 1732 Cljcelan.exe 844 Ccdlbf32.exe 844 Ccdlbf32.exe 1756 Cjndop32.exe 1756 Cjndop32.exe 2404 Cllpkl32.exe 2404 Cllpkl32.exe 2800 Cgbdhd32.exe 2800 Cgbdhd32.exe 592 Cjpqdp32.exe 592 Cjpqdp32.exe 1472 Clomqk32.exe 1472 Clomqk32.exe 1420 Comimg32.exe 1420 Comimg32.exe 1144 Cfgaiaci.exe 1144 Cfgaiaci.exe 3040 Chemfl32.exe 3040 Chemfl32.exe 1828 Claifkkf.exe 1828 Claifkkf.exe 1752 Cdlnkmha.exe 1752 Cdlnkmha.exe 2024 Cobbhfhg.exe 2024 Cobbhfhg.exe 2280 Ddokpmfo.exe 2280 Ddokpmfo.exe 1596 Dgmglh32.exe 1596 Dgmglh32.exe 2152 Dkhcmgnl.exe 2152 Dkhcmgnl.exe 2660 Dngoibmo.exe 2660 Dngoibmo.exe 1320 Dqelenlc.exe 1320 Dqelenlc.exe 2608 Dgodbh32.exe 2608 Dgodbh32.exe 2456 Dbehoa32.exe 2456 Dbehoa32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Efncicpm.exe Ebbgid32.exe File created C:\Windows\SysWOW64\Onjgiiad.exe Oklkmnbp.exe File opened for modification C:\Windows\SysWOW64\Oddpfc32.exe Onjgiiad.exe File created C:\Windows\SysWOW64\Blopagpd.dll Dbfabp32.exe File created C:\Windows\SysWOW64\Delpclld.dll Mijfnh32.exe File opened for modification C:\Windows\SysWOW64\Cdlgpgef.exe Cppkph32.exe File created C:\Windows\SysWOW64\Ggpimica.exe Ghmiam32.exe File opened for modification C:\Windows\SysWOW64\Hlhaqogk.exe Hjjddchg.exe File created C:\Windows\SysWOW64\Jcbellac.exe Jmhmpb32.exe File created C:\Windows\SysWOW64\Jooclokl.dll Kjnfniii.exe File opened for modification C:\Windows\SysWOW64\Lhbcfa32.exe Lecgje32.exe File opened for modification C:\Windows\SysWOW64\Oqkqkdne.exe Olpdjf32.exe File created C:\Windows\SysWOW64\Dfkjnkib.dll Pggbla32.exe File created C:\Windows\SysWOW64\Jaegglem.dll Dfmdho32.exe File created C:\Windows\SysWOW64\Ldflna32.dll Joifam32.exe File created C:\Windows\SysWOW64\Cddfocpb.dll Keanebkb.exe File created C:\Windows\SysWOW64\Geofbffe.dll Kahojc32.exe File created C:\Windows\SysWOW64\Bhhognbb.dll Lflmci32.exe File created C:\Windows\SysWOW64\Cfgnhbba.dll Cnkicn32.exe File created C:\Windows\SysWOW64\Dfamcogo.exe Dbfabp32.exe File created C:\Windows\SysWOW64\Oeeonk32.dll Cljcelan.exe File created C:\Windows\SysWOW64\Mmqgncdn.dll Djefobmk.exe File created C:\Windows\SysWOW64\Mnjdbp32.dll Qbcpbo32.exe File opened for modification C:\Windows\SysWOW64\Bioqclil.exe Bhndldcn.exe File created C:\Windows\SysWOW64\Ofhick32.exe Ocimgp32.exe File created C:\Windows\SysWOW64\Jjlcbpdk.dll Qfokbnip.exe File created C:\Windows\SysWOW64\Hdihmjpf.dll Ajhgmpfg.exe File created C:\Windows\SysWOW64\Jmloladn.dll Fjdbnf32.exe File opened for modification C:\Windows\SysWOW64\Ldidkbpb.exe Lajhofao.exe File opened for modification C:\Windows\SysWOW64\Mmceigep.exe Mkeimlfm.exe File created C:\Windows\SysWOW64\Ijlhmj32.dll Mgqcmlgl.exe File created C:\Windows\SysWOW64\Pogjpc32.dll Kafbec32.exe File opened for modification C:\Windows\SysWOW64\Bekkcljk.exe Bblogakg.exe File created C:\Windows\SysWOW64\Jjhhpp32.dll Cddaphkn.exe File created C:\Windows\SysWOW64\Njabih32.dll Boqbfb32.exe File created C:\Windows\SysWOW64\Iefmgahq.dll Baakhm32.exe File opened for modification C:\Windows\SysWOW64\Ekklaj32.exe Eeqdep32.exe File created C:\Windows\SysWOW64\Pljpdpao.dll Hgilchkf.exe File created C:\Windows\SysWOW64\Pqhmfm32.dll Nolhan32.exe File opened for modification C:\Windows\SysWOW64\Pikkiijf.exe Pjhknm32.exe File created C:\Windows\SysWOW64\Oglegn32.dll Anccmo32.exe File opened for modification C:\Windows\SysWOW64\Obafnlpn.exe Oobjaqaj.exe File created C:\Windows\SysWOW64\Cmeabq32.dll Okikfagn.exe File opened for modification C:\Windows\SysWOW64\Aipddi32.exe Qedhdjnh.exe File created C:\Windows\SysWOW64\Ahikqd32.exe Adnopfoj.exe File created C:\Windows\SysWOW64\Gbijhg32.exe Gpknlk32.exe File opened for modification C:\Windows\SysWOW64\Keanebkb.exe Kafbec32.exe File created C:\Windows\SysWOW64\Onmddnil.dll Nefpnhlc.exe File created C:\Windows\SysWOW64\Biamilfj.exe Bfcampgf.exe File created C:\Windows\SysWOW64\Hmlnoc32.exe Hiqbndpb.exe File created C:\Windows\SysWOW64\Ihoafpmp.exe Ieqeidnl.exe File created C:\Windows\SysWOW64\Joplbl32.exe Jgidao32.exe File opened for modification C:\Windows\SysWOW64\Lojomkdn.exe Llkbap32.exe File created C:\Windows\SysWOW64\Ebbgid32.exe Ebbgid32.exe File opened for modification C:\Windows\SysWOW64\Pogclp32.exe Pklhlael.exe File opened for modification C:\Windows\SysWOW64\Pedleg32.exe Pbfpik32.exe File opened for modification C:\Windows\SysWOW64\Ccngld32.exe Cdlgpgef.exe File created C:\Windows\SysWOW64\Lghniakc.dll Onjgiiad.exe File created C:\Windows\SysWOW64\Bpgljfbl.exe Amhpnkch.exe File created C:\Windows\SysWOW64\Odoghjmf.dll Ijeghgoh.exe File created C:\Windows\SysWOW64\Jdekadnf.dll Jnemdecl.exe File opened for modification C:\Windows\SysWOW64\Lecgje32.exe Lojomkdn.exe File opened for modification C:\Windows\SysWOW64\Lollckbk.exe Llnofpcg.exe File created C:\Windows\SysWOW64\Lkcmiimi.dll Dgodbh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4684 4992 WerFault.exe 455 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pimkpfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhijaf32.dll" Enakbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egllae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cojema32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlkepi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnneja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnnhje32.dll" Gpknlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmaled32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jejinjob.dll" Pjadmnic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnoomqbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhdlkdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onmjak32.dll" Ofelmloo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qcpofbjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efkdgmla.dll" Aamfnkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efncicpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihdkao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pggbla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhkdeggl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Claifkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olndbg32.dll" Fpdhklkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdmmfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnomcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdjefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleiio32.dll" Gbijhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpkbdiqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Echfaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bopicc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdlnkmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibkki32.dll" Lafndg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhgmapfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll" Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejbgljdk.dll" Aibajhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckoilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imehcohk.dll" Edpmjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epieghdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakmkaok.dll" Olpdjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcaiqm32.dll" Oikojfgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milokblc.dll" Pgeefbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nanbpedg.dll" Cafecmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcqgok32.dll" Feeiob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacmbbii.dll" Idfbkq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Incpoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oclilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmkmmi32.dll" Echfaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckblig32.dll" Cjpqdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfknpg.dll" Fhffaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijqnib32.dll" Lajhofao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdpjlajk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjfccn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihomanac.dll" Bnpmipql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgcpp32.dll" Ghmiam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmpfojmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccahbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkpgfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oddpfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oclilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alnqqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddcdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkakief.dll" Efncicpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gacpdbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phofkg32.dll" Hmlnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Doehqead.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijbioba.dll" Dcadac32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2972 wrote to memory of 2016 2972 9cb69ea9323009b7017646e816404ae11f9b8325994192549e7f2d88b7fa90e2.exe 28 PID 2972 wrote to memory of 2016 2972 9cb69ea9323009b7017646e816404ae11f9b8325994192549e7f2d88b7fa90e2.exe 28 PID 2972 wrote to memory of 2016 2972 9cb69ea9323009b7017646e816404ae11f9b8325994192549e7f2d88b7fa90e2.exe 28 PID 2972 wrote to memory of 2016 2972 9cb69ea9323009b7017646e816404ae11f9b8325994192549e7f2d88b7fa90e2.exe 28 PID 2016 wrote to memory of 2572 2016 Bokphdld.exe 29 PID 2016 wrote to memory of 2572 2016 Bokphdld.exe 29 PID 2016 wrote to memory of 2572 2016 Bokphdld.exe 29 PID 2016 wrote to memory of 2572 2016 Bokphdld.exe 29 PID 2572 wrote to memory of 2784 2572 Bdhhqk32.exe 30 PID 2572 wrote to memory of 2784 2572 Bdhhqk32.exe 30 PID 2572 wrote to memory of 2784 2572 Bdhhqk32.exe 30 PID 2572 wrote to memory of 2784 2572 Bdhhqk32.exe 30 PID 2784 wrote to memory of 2544 2784 Bnpmipql.exe 31 PID 2784 wrote to memory of 2544 2784 Bnpmipql.exe 31 PID 2784 wrote to memory of 2544 2784 Bnpmipql.exe 31 PID 2784 wrote to memory of 2544 2784 Bnpmipql.exe 31 PID 2544 wrote to memory of 2228 2544 Bdjefj32.exe 32 PID 2544 wrote to memory of 2228 2544 Bdjefj32.exe 32 PID 2544 wrote to memory of 2228 2544 Bdjefj32.exe 32 PID 2544 wrote to memory of 2228 2544 Bdjefj32.exe 32 PID 2228 wrote to memory of 2476 2228 Bghabf32.exe 33 PID 2228 wrote to memory of 2476 2228 Bghabf32.exe 33 PID 2228 wrote to memory of 2476 2228 Bghabf32.exe 33 PID 2228 wrote to memory of 2476 2228 Bghabf32.exe 33 PID 2476 wrote to memory of 2596 2476 Bopicc32.exe 34 PID 2476 wrote to memory of 2596 2476 Bopicc32.exe 34 PID 2476 wrote to memory of 2596 2476 Bopicc32.exe 34 PID 2476 wrote to memory of 2596 2476 Bopicc32.exe 34 PID 2596 wrote to memory of 2164 2596 Bpafkknm.exe 35 PID 2596 wrote to memory of 2164 2596 Bpafkknm.exe 35 PID 2596 wrote to memory of 2164 2596 Bpafkknm.exe 35 PID 2596 wrote to memory of 2164 2596 Bpafkknm.exe 35 PID 2164 wrote to memory of 2516 2164 Bgknheej.exe 36 PID 2164 wrote to memory of 2516 2164 Bgknheej.exe 36 PID 2164 wrote to memory of 2516 2164 Bgknheej.exe 36 PID 2164 wrote to memory of 2516 2164 Bgknheej.exe 36 PID 2516 wrote to memory of 384 2516 Bnefdp32.exe 37 PID 2516 wrote to memory of 384 2516 Bnefdp32.exe 37 PID 2516 wrote to memory of 384 2516 Bnefdp32.exe 37 PID 2516 wrote to memory of 384 2516 Bnefdp32.exe 37 PID 384 wrote to memory of 1200 384 Bdooajdc.exe 38 PID 384 wrote to memory of 1200 384 Bdooajdc.exe 38 PID 384 wrote to memory of 1200 384 Bdooajdc.exe 38 PID 384 wrote to memory of 1200 384 Bdooajdc.exe 38 PID 1200 wrote to memory of 1732 1200 Cgmkmecg.exe 39 PID 1200 wrote to memory of 1732 1200 Cgmkmecg.exe 39 PID 1200 wrote to memory of 1732 1200 Cgmkmecg.exe 39 PID 1200 wrote to memory of 1732 1200 Cgmkmecg.exe 39 PID 1732 wrote to memory of 844 1732 Cljcelan.exe 40 PID 1732 wrote to memory of 844 1732 Cljcelan.exe 40 PID 1732 wrote to memory of 844 1732 Cljcelan.exe 40 PID 1732 wrote to memory of 844 1732 Cljcelan.exe 40 PID 844 wrote to memory of 1756 844 Ccdlbf32.exe 41 PID 844 wrote to memory of 1756 844 Ccdlbf32.exe 41 PID 844 wrote to memory of 1756 844 Ccdlbf32.exe 41 PID 844 wrote to memory of 1756 844 Ccdlbf32.exe 41 PID 1756 wrote to memory of 2404 1756 Cjndop32.exe 42 PID 1756 wrote to memory of 2404 1756 Cjndop32.exe 42 PID 1756 wrote to memory of 2404 1756 Cjndop32.exe 42 PID 1756 wrote to memory of 2404 1756 Cjndop32.exe 42 PID 2404 wrote to memory of 2800 2404 Cllpkl32.exe 43 PID 2404 wrote to memory of 2800 2404 Cllpkl32.exe 43 PID 2404 wrote to memory of 2800 2404 Cllpkl32.exe 43 PID 2404 wrote to memory of 2800 2404 Cllpkl32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\9cb69ea9323009b7017646e816404ae11f9b8325994192549e7f2d88b7fa90e2.exe"C:\Users\Admin\AppData\Local\Temp\9cb69ea9323009b7017646e816404ae11f9b8325994192549e7f2d88b7fa90e2.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:592 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1472 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1420 -
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1144 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1828 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2024 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2152 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1320 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe35⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe37⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe40⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe41⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe43⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe44⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe45⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe46⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe47⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:740 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1236 -
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2000 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe52⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe53⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe54⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe55⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe57⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe58⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe59⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe60⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe62⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2084 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe65⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe66⤵PID:3064
-
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe67⤵PID:1820
-
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe68⤵PID:1164
-
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe69⤵PID:1548
-
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe70⤵
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe71⤵PID:2264
-
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe72⤵PID:2684
-
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe73⤵PID:2992
-
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2440 -
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe75⤵PID:2484
-
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe76⤵PID:320
-
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe77⤵PID:2212
-
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe78⤵PID:2344
-
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2748 -
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe81⤵PID:540
-
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe83⤵
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2712 -
C:\Windows\SysWOW64\Glaoalkh.exeC:\Windows\system32\Glaoalkh.exe85⤵
- Modifies registry class
PID:988 -
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe86⤵PID:1792
-
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe87⤵PID:2144
-
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe88⤵PID:2656
-
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe89⤵PID:2940
-
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe90⤵PID:2548
-
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1632 -
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe92⤵PID:1804
-
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe93⤵PID:696
-
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe94⤵PID:2320
-
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Ghmiam32.exeC:\Windows\system32\Ghmiam32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1312 -
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe97⤵PID:1856
-
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe98⤵PID:1736
-
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe99⤵PID:1964
-
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe100⤵PID:1364
-
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe101⤵PID:2328
-
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe102⤵
- Drops file in System32 directory
PID:2036 -
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe103⤵
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe104⤵PID:2636
-
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2852 -
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe106⤵PID:1696
-
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe107⤵
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe108⤵PID:1396
-
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe109⤵PID:2240
-
C:\Windows\SysWOW64\Hejoiedd.exeC:\Windows\system32\Hejoiedd.exe110⤵PID:2160
-
C:\Windows\SysWOW64\Hiekid32.exeC:\Windows\system32\Hiekid32.exe111⤵PID:704
-
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2176 -
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe113⤵PID:2104
-
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1568 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe115⤵
- Drops file in System32 directory
PID:2708 -
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe116⤵PID:1316
-
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe117⤵PID:2168
-
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe118⤵PID:1656
-
C:\Windows\SysWOW64\Hcplhi32.exeC:\Windows\system32\Hcplhi32.exe119⤵PID:776
-
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe120⤵
- Drops file in System32 directory
PID:676 -
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe121⤵PID:1012
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-