Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
15/06/2024, 02:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d8baa72f6024d600d34cd8a665610e5eb4f6b6bf783a5166bbf8dbf6911072eb.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
d8baa72f6024d600d34cd8a665610e5eb4f6b6bf783a5166bbf8dbf6911072eb.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
d8baa72f6024d600d34cd8a665610e5eb4f6b6bf783a5166bbf8dbf6911072eb.exe
-
Size
844KB
-
MD5
fcb138ef4c2d634ae7443181a8451b1f
-
SHA1
70829e4e3dba824da3b64f50827b9daa9e4ce406
-
SHA256
d8baa72f6024d600d34cd8a665610e5eb4f6b6bf783a5166bbf8dbf6911072eb
-
SHA512
2f85ff4d332ab854397220f45167a6d24014cd3846ddd2ee62d6afc698c90f347252a7a700399fdbdeefa44c42c06ed8a0c8d7f03ac988ec186716a4efa4ae4c
-
SSDEEP
24576:/5H5W3TnbQihMpQnqrdX72LbY6x46uR/qYglMi:/5H5W3TbQihw+cdX2x46uhqllMi
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obnqem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkkpbgli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faagpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmjfdejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kahojc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcbjgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpemgbqf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjjddchg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlmlecec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbdqmghm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnlidb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmoipopd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leonofpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjenhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bioqclil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpbheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfdjhndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cngcjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpmjak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goddhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hicodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ieqeidnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cklmgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlkepi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejmebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abmibdlh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cngcjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Maoajf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npdjje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nacgdhlp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adpkee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhigphio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaefjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odobjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Piphee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pefijfii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnippoha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aibajhdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbhela32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfenbpec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdikkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejkima32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kneicieh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnefdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cphlljge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coklgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Albjlcao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnobnmpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aplpai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcplhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amfcikek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjlhneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dchali32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldfgebbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpbaebdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baakhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pminkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keoapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obafnlpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Albjlcao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okfencna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oklkmnbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgioaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anafhopc.exe -
Executes dropped EXE 64 IoCs
pid Process 2456 Kpemgbqf.exe 2560 Knjiin32.exe 2064 Kbhbom32.exe 2464 Klqfhbbe.exe 2368 Ldnhad32.exe 2408 Labhkh32.exe 1376 Lmkfei32.exe 2660 Lgdjnofi.exe 660 Mpolmdkg.exe 276 Mhjpaf32.exe 1232 Mhnjle32.exe 2024 Mnkbdlbd.exe 2044 Ncmdhb32.exe 2312 Nleiqhcg.exe 1404 Nfpjomgd.exe 2788 Nohnhc32.exe 3068 Obigjnkf.exe 1104 Odgcfijj.exe 1676 Ogfpbeim.exe 1544 Oqndkj32.exe 1212 Obnqem32.exe 2944 Ocomlemo.exe 1724 Okfencna.exe 872 Omgaek32.exe 2140 Ongnonkb.exe 2648 Pminkk32.exe 2936 Pipopl32.exe 2036 Paggai32.exe 2524 Ppjglfon.exe 2488 Pmnhfjmg.exe 2420 Peiljl32.exe 2396 Piehkkcl.exe 356 Phjelg32.exe 2672 Ppamme32.exe 2700 Qlhnbf32.exe 1820 Qnfjna32.exe 2248 Qaefjm32.exe 2184 Qmlgonbe.exe 1332 Afdlhchf.exe 2744 Aplpai32.exe 2748 Affhncfc.exe 1412 Aalmklfi.exe 1752 Abmibdlh.exe 2912 Ajdadamj.exe 3060 Admemg32.exe 1720 Afkbib32.exe 1256 Aiinen32.exe 916 Aoffmd32.exe 2200 Ahokfj32.exe 2300 Bpfcgg32.exe 1992 Bbdocc32.exe 2872 Bebkpn32.exe 2472 Bhahlj32.exe 2600 Bkodhe32.exe 2604 Baildokg.exe 2800 Bdhhqk32.exe 2000 Bommnc32.exe 2544 Bdjefj32.exe 1816 Bghabf32.exe 2296 Bopicc32.exe 2100 Bdlblj32.exe 2460 Bnefdp32.exe 1888 Bcaomf32.exe 1420 Cngcjo32.exe -
Loads dropped DLL 64 IoCs
pid Process 2232 d8baa72f6024d600d34cd8a665610e5eb4f6b6bf783a5166bbf8dbf6911072eb.exe 2232 d8baa72f6024d600d34cd8a665610e5eb4f6b6bf783a5166bbf8dbf6911072eb.exe 2456 Kpemgbqf.exe 2456 Kpemgbqf.exe 2560 Knjiin32.exe 2560 Knjiin32.exe 2064 Kbhbom32.exe 2064 Kbhbom32.exe 2464 Klqfhbbe.exe 2464 Klqfhbbe.exe 2368 Ldnhad32.exe 2368 Ldnhad32.exe 2408 Labhkh32.exe 2408 Labhkh32.exe 1376 Lmkfei32.exe 1376 Lmkfei32.exe 2660 Lgdjnofi.exe 2660 Lgdjnofi.exe 660 Mpolmdkg.exe 660 Mpolmdkg.exe 276 Mhjpaf32.exe 276 Mhjpaf32.exe 1232 Mhnjle32.exe 1232 Mhnjle32.exe 2024 Mnkbdlbd.exe 2024 Mnkbdlbd.exe 2044 Ncmdhb32.exe 2044 Ncmdhb32.exe 2312 Nleiqhcg.exe 2312 Nleiqhcg.exe 1404 Nfpjomgd.exe 1404 Nfpjomgd.exe 2788 Nohnhc32.exe 2788 Nohnhc32.exe 3068 Obigjnkf.exe 3068 Obigjnkf.exe 1104 Odgcfijj.exe 1104 Odgcfijj.exe 1676 Ogfpbeim.exe 1676 Ogfpbeim.exe 1544 Oqndkj32.exe 1544 Oqndkj32.exe 1212 Obnqem32.exe 1212 Obnqem32.exe 2944 Ocomlemo.exe 2944 Ocomlemo.exe 1724 Okfencna.exe 1724 Okfencna.exe 872 Omgaek32.exe 872 Omgaek32.exe 2140 Ongnonkb.exe 2140 Ongnonkb.exe 2648 Pminkk32.exe 2648 Pminkk32.exe 2936 Pipopl32.exe 2936 Pipopl32.exe 2036 Paggai32.exe 2036 Paggai32.exe 2524 Ppjglfon.exe 2524 Ppjglfon.exe 2488 Pmnhfjmg.exe 2488 Pmnhfjmg.exe 2420 Peiljl32.exe 2420 Peiljl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Epjomppp.dll Djklnnaj.exe File created C:\Windows\SysWOW64\Clkmne32.dll Fidoim32.exe File created C:\Windows\SysWOW64\Hokokc32.dll Bioqclil.exe File opened for modification C:\Windows\SysWOW64\Mhdplq32.exe Lefdpe32.exe File created C:\Windows\SysWOW64\Nhfipcid.exe Namqci32.exe File opened for modification C:\Windows\SysWOW64\Ndpfkdmf.exe Npdjje32.exe File opened for modification C:\Windows\SysWOW64\Ojahnj32.exe Oddpfc32.exe File opened for modification C:\Windows\SysWOW64\Bkodhe32.exe Bhahlj32.exe File created C:\Windows\SysWOW64\Mkaggelk.dll Dqlafm32.exe File created C:\Windows\SysWOW64\Hcnpbi32.exe Hnagjbdf.exe File created C:\Windows\SysWOW64\Mfnekf32.dll Jbllihbf.exe File created C:\Windows\SysWOW64\Cddfocpb.dll Kcdnao32.exe File created C:\Windows\SysWOW64\Oklkmnbp.exe Ndbcpd32.exe File created C:\Windows\SysWOW64\Jfpjfeia.dll Dnneja32.exe File opened for modification C:\Windows\SysWOW64\Hahjpbad.exe Hknach32.exe File opened for modification C:\Windows\SysWOW64\Mgimmm32.exe Mhgmapfi.exe File created C:\Windows\SysWOW64\Qcjfoqkg.dll Aplifb32.exe File created C:\Windows\SysWOW64\Bbhela32.exe Bmkmdk32.exe File created C:\Windows\SysWOW64\Mclgfa32.dll Blpjegfm.exe File opened for modification C:\Windows\SysWOW64\Odgcfijj.exe Obigjnkf.exe File created C:\Windows\SysWOW64\Fpfdalii.exe Fmhheqje.exe File created C:\Windows\SysWOW64\Piphee32.exe Pqhpdhcc.exe File opened for modification C:\Windows\SysWOW64\Afohaa32.exe Adpkee32.exe File opened for modification C:\Windows\SysWOW64\Dkhcmgnl.exe Dhjgal32.exe File created C:\Windows\SysWOW64\Llfifq32.exe Lfjqnjkh.exe File opened for modification C:\Windows\SysWOW64\Dnoomqbg.exe Dkqbaecc.exe File created C:\Windows\SysWOW64\Fjgoce32.exe Fhhcgj32.exe File created C:\Windows\SysWOW64\Dfmdho32.exe Ccngld32.exe File opened for modification C:\Windows\SysWOW64\Mmhodf32.exe Mcbjgn32.exe File created C:\Windows\SysWOW64\Lflmci32.exe Loeebl32.exe File created C:\Windows\SysWOW64\Minceo32.dll Llkbap32.exe File opened for modification C:\Windows\SysWOW64\Gkkemh32.exe Gdamqndn.exe File created C:\Windows\SysWOW64\Dgnijonn.dll Ihoafpmp.exe File created C:\Windows\SysWOW64\Gaqcoc32.exe Gldkfl32.exe File opened for modification C:\Windows\SysWOW64\Aalmklfi.exe Affhncfc.exe File created C:\Windows\SysWOW64\Aimkgn32.dll Gkkemh32.exe File created C:\Windows\SysWOW64\Ioijbj32.exe Ihoafpmp.exe File created C:\Windows\SysWOW64\Jnqphi32.exe Jonplmcb.exe File created C:\Windows\SysWOW64\Pnlilc32.dll Loeebl32.exe File created C:\Windows\SysWOW64\Mgljbm32.exe Mpbaebdd.exe File created C:\Windows\SysWOW64\Jonpde32.dll Pciifc32.exe File created C:\Windows\SysWOW64\Pipopl32.exe Pminkk32.exe File created C:\Windows\SysWOW64\Cnkicn32.exe Cklmgb32.exe File opened for modification C:\Windows\SysWOW64\Pjenhm32.exe Pfjbgnme.exe File created C:\Windows\SysWOW64\Bmkmdk32.exe Bioqclil.exe File opened for modification C:\Windows\SysWOW64\Pimkpfeh.exe Pdaoog32.exe File created C:\Windows\SysWOW64\Dodonf32.exe Dkhcmgnl.exe File opened for modification C:\Windows\SysWOW64\Oddpfc32.exe Olmhdf32.exe File created C:\Windows\SysWOW64\Dglpbbbg.exe Dpbheh32.exe File created C:\Windows\SysWOW64\Gbhfilfi.dll Cfeddafl.exe File created C:\Windows\SysWOW64\Dekpaqgc.dll Emeopn32.exe File created C:\Windows\SysWOW64\Adpkee32.exe Amfcikek.exe File opened for modification C:\Windows\SysWOW64\Dglpbbbg.exe Dpbheh32.exe File created C:\Windows\SysWOW64\Dkqbaecc.exe Dfdjhndl.exe File opened for modification C:\Windows\SysWOW64\Dmoipopd.exe Dnlidb32.exe File created C:\Windows\SysWOW64\Peiljl32.exe Pmnhfjmg.exe File created C:\Windows\SysWOW64\Fbdqmghm.exe Fpfdalii.exe File opened for modification C:\Windows\SysWOW64\Ejmebq32.exe Eccmffjf.exe File created C:\Windows\SysWOW64\Obigjnkf.exe Nohnhc32.exe File opened for modification C:\Windows\SysWOW64\Lecgje32.exe Llkbap32.exe File created C:\Windows\SysWOW64\Dfkjnkib.dll Pfjbgnme.exe File created C:\Windows\SysWOW64\Qcbllb32.exe Qpgpkcpp.exe File created C:\Windows\SysWOW64\Fahgfoih.dll Cghggc32.exe File created C:\Windows\SysWOW64\Addnil32.dll Ghfbqn32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4168 4188 WerFault.exe 376 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkemkhcd.dll" Pefijfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdjfphi.dll" Lckdanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanfmb32.dll" Efppoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Idfbkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhjppim.dll" Cngcjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chcqpmep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dodonf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dnneja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maphhihi.dll" Emhlfmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oopnlacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfjbgnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aelcmdee.dll" Qcbllb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocomlemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbiiek32.dll" Cdlnkmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gemaaoaf.dll" Kjljhjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jooclokl.dll" Kmmcjehm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aehboi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amhpnkch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjidgghp.dll" Dlkepi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edkcojga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qnfjna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Admemg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpebfbaj.dll" Ndpfkdmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmggi32.dll" Ekelld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpemgbqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmekj32.dll" Hknach32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlmlecec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejobhppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjdbnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbdqmghm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhmepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cekkkkhe.dll" Kgpjanje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Namqci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pimkpfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfbhnaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pccobp32.dll" Aoffmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndpfkdmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhjpaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bopicc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Obafnlpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckgkkllh.dll" Dfdjhndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eliele32.dll" Mhjpaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjchig32.dll" Albjlcao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Adpkee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhokkp32.dll" Coelaaoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahokfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbjhdo32.dll" Qnfjna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aifone32.dll" Ahokfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Copfbfjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icmlam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpkofpgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lecgje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhgmapfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdfggf32.dll" Kbhbom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhfipcid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nkgbbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdafiei.dll" Ppbfpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mpbaebdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Najdnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Piphee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bldcpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnhccm32.dll" Baakhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najgne32.dll" Emnndlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Efppoc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2232 wrote to memory of 2456 2232 d8baa72f6024d600d34cd8a665610e5eb4f6b6bf783a5166bbf8dbf6911072eb.exe 28 PID 2232 wrote to memory of 2456 2232 d8baa72f6024d600d34cd8a665610e5eb4f6b6bf783a5166bbf8dbf6911072eb.exe 28 PID 2232 wrote to memory of 2456 2232 d8baa72f6024d600d34cd8a665610e5eb4f6b6bf783a5166bbf8dbf6911072eb.exe 28 PID 2232 wrote to memory of 2456 2232 d8baa72f6024d600d34cd8a665610e5eb4f6b6bf783a5166bbf8dbf6911072eb.exe 28 PID 2456 wrote to memory of 2560 2456 Kpemgbqf.exe 29 PID 2456 wrote to memory of 2560 2456 Kpemgbqf.exe 29 PID 2456 wrote to memory of 2560 2456 Kpemgbqf.exe 29 PID 2456 wrote to memory of 2560 2456 Kpemgbqf.exe 29 PID 2560 wrote to memory of 2064 2560 Knjiin32.exe 30 PID 2560 wrote to memory of 2064 2560 Knjiin32.exe 30 PID 2560 wrote to memory of 2064 2560 Knjiin32.exe 30 PID 2560 wrote to memory of 2064 2560 Knjiin32.exe 30 PID 2064 wrote to memory of 2464 2064 Kbhbom32.exe 31 PID 2064 wrote to memory of 2464 2064 Kbhbom32.exe 31 PID 2064 wrote to memory of 2464 2064 Kbhbom32.exe 31 PID 2064 wrote to memory of 2464 2064 Kbhbom32.exe 31 PID 2464 wrote to memory of 2368 2464 Klqfhbbe.exe 32 PID 2464 wrote to memory of 2368 2464 Klqfhbbe.exe 32 PID 2464 wrote to memory of 2368 2464 Klqfhbbe.exe 32 PID 2464 wrote to memory of 2368 2464 Klqfhbbe.exe 32 PID 2368 wrote to memory of 2408 2368 Ldnhad32.exe 33 PID 2368 wrote to memory of 2408 2368 Ldnhad32.exe 33 PID 2368 wrote to memory of 2408 2368 Ldnhad32.exe 33 PID 2368 wrote to memory of 2408 2368 Ldnhad32.exe 33 PID 2408 wrote to memory of 1376 2408 Labhkh32.exe 34 PID 2408 wrote to memory of 1376 2408 Labhkh32.exe 34 PID 2408 wrote to memory of 1376 2408 Labhkh32.exe 34 PID 2408 wrote to memory of 1376 2408 Labhkh32.exe 34 PID 1376 wrote to memory of 2660 1376 Lmkfei32.exe 35 PID 1376 wrote to memory of 2660 1376 Lmkfei32.exe 35 PID 1376 wrote to memory of 2660 1376 Lmkfei32.exe 35 PID 1376 wrote to memory of 2660 1376 Lmkfei32.exe 35 PID 2660 wrote to memory of 660 2660 Lgdjnofi.exe 36 PID 2660 wrote to memory of 660 2660 Lgdjnofi.exe 36 PID 2660 wrote to memory of 660 2660 Lgdjnofi.exe 36 PID 2660 wrote to memory of 660 2660 Lgdjnofi.exe 36 PID 660 wrote to memory of 276 660 Mpolmdkg.exe 37 PID 660 wrote to memory of 276 660 Mpolmdkg.exe 37 PID 660 wrote to memory of 276 660 Mpolmdkg.exe 37 PID 660 wrote to memory of 276 660 Mpolmdkg.exe 37 PID 276 wrote to memory of 1232 276 Mhjpaf32.exe 38 PID 276 wrote to memory of 1232 276 Mhjpaf32.exe 38 PID 276 wrote to memory of 1232 276 Mhjpaf32.exe 38 PID 276 wrote to memory of 1232 276 Mhjpaf32.exe 38 PID 1232 wrote to memory of 2024 1232 Mhnjle32.exe 39 PID 1232 wrote to memory of 2024 1232 Mhnjle32.exe 39 PID 1232 wrote to memory of 2024 1232 Mhnjle32.exe 39 PID 1232 wrote to memory of 2024 1232 Mhnjle32.exe 39 PID 2024 wrote to memory of 2044 2024 Mnkbdlbd.exe 40 PID 2024 wrote to memory of 2044 2024 Mnkbdlbd.exe 40 PID 2024 wrote to memory of 2044 2024 Mnkbdlbd.exe 40 PID 2024 wrote to memory of 2044 2024 Mnkbdlbd.exe 40 PID 2044 wrote to memory of 2312 2044 Ncmdhb32.exe 41 PID 2044 wrote to memory of 2312 2044 Ncmdhb32.exe 41 PID 2044 wrote to memory of 2312 2044 Ncmdhb32.exe 41 PID 2044 wrote to memory of 2312 2044 Ncmdhb32.exe 41 PID 2312 wrote to memory of 1404 2312 Nleiqhcg.exe 42 PID 2312 wrote to memory of 1404 2312 Nleiqhcg.exe 42 PID 2312 wrote to memory of 1404 2312 Nleiqhcg.exe 42 PID 2312 wrote to memory of 1404 2312 Nleiqhcg.exe 42 PID 1404 wrote to memory of 2788 1404 Nfpjomgd.exe 43 PID 1404 wrote to memory of 2788 1404 Nfpjomgd.exe 43 PID 1404 wrote to memory of 2788 1404 Nfpjomgd.exe 43 PID 1404 wrote to memory of 2788 1404 Nfpjomgd.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\d8baa72f6024d600d34cd8a665610e5eb4f6b6bf783a5166bbf8dbf6911072eb.exe"C:\Users\Admin\AppData\Local\Temp\d8baa72f6024d600d34cd8a665610e5eb4f6b6bf783a5166bbf8dbf6911072eb.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Kpemgbqf.exeC:\Windows\system32\Kpemgbqf.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Knjiin32.exeC:\Windows\system32\Knjiin32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Ldnhad32.exeC:\Windows\system32\Ldnhad32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:660 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:276 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1104 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1212 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:872 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2140 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2648 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2936 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2036 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2488 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2420 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe33⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe34⤵
- Executes dropped EXE
PID:356 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe35⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe36⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1820 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe39⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe40⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe43⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe45⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe47⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe48⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:916 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe51⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe52⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe53⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe55⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe56⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe57⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe58⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe59⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe60⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe62⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe64⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1420 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe66⤵
- Modifies registry class
PID:936 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:448 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1512 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1264 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe70⤵
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe71⤵
- Modifies registry class
PID:904 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe72⤵PID:1432
-
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe73⤵PID:1980
-
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe74⤵PID:2552
-
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe75⤵PID:2372
-
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe76⤵
- Modifies registry class
PID:2380 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe77⤵
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe78⤵PID:2584
-
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe79⤵PID:1784
-
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe80⤵
- Drops file in System32 directory
PID:1184 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe81⤵
- Drops file in System32 directory
PID:1180 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe82⤵
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe83⤵PID:700
-
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:588 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe85⤵PID:1128
-
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe86⤵PID:1604
-
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2756 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3000 -
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2148 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe90⤵PID:2520
-
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe91⤵
- Drops file in System32 directory
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe92⤵
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe93⤵PID:2340
-
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe94⤵PID:1832
-
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe95⤵PID:3008
-
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe96⤵PID:1252
-
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe97⤵PID:2276
-
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe98⤵
- Drops file in System32 directory
PID:1768 -
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe99⤵PID:1216
-
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe100⤵
- Modifies registry class
PID:1296 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe101⤵PID:1996
-
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe102⤵PID:2752
-
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe103⤵PID:1896
-
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe104⤵
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe105⤵PID:2688
-
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe106⤵PID:556
-
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe107⤵PID:1572
-
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe108⤵PID:1000
-
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe109⤵PID:1804
-
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe110⤵PID:1824
-
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe111⤵
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe112⤵PID:2952
-
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe113⤵
- Drops file in System32 directory
PID:848 -
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe114⤵PID:1928
-
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:360 -
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe116⤵PID:2216
-
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe117⤵PID:2632
-
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe118⤵
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe119⤵
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:292
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-