Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
19/06/2024, 23:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
83d0996e57f644d7581d375a2936771121a7994227aca186685d7adae605b5ad.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
83d0996e57f644d7581d375a2936771121a7994227aca186685d7adae605b5ad.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
83d0996e57f644d7581d375a2936771121a7994227aca186685d7adae605b5ad.exe
-
Size
1.3MB
-
MD5
4ce58d20ab8483b8c258b7b6577edae2
-
SHA1
dd73599ac65b8a6474aae45366d6cf9227653cc1
-
SHA256
83d0996e57f644d7581d375a2936771121a7994227aca186685d7adae605b5ad
-
SHA512
74d07d13a11a21d4925cf7e2aef6b43d7aab46d1a7a46ed8e388c371f4c42345c47ab1bcc1ea812d00d518888a697e3662cd33bf0c8c5400593557fbaf0dc7d2
-
SSDEEP
24576:cBNLCPh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YNpsKv2EvZHp3oWtDICdG:cBNLsbazR0vKLXZncCY
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjenhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hafock32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iimfld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdlggg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfcodkcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maoajf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cahail32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nameek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpepkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajejgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fikejl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmpnhdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnmpdlac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmbcen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlfdac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gehiioaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkeimlfm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjbjhgde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmgechbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gppipc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmalldcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfjann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfehhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inqcif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bafidiio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oagmmgdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogkkfmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iaelanmg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boogmgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aclpaali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcepqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knklagmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmmbqegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjhjdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcegmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Picnndmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmfnhj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piicpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qeppdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feddombd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Godaakic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llohjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdcpdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfkpqn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddajoelp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idicbbpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmbcen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkhibino.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eggndi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bifgdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckccgane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aniimjbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnkbam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hddlof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpmiig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bajqfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elfcbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loqmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceebklai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldjbkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcgqgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flehkhai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaldcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhohda32.exe -
Executes dropped EXE 64 IoCs
pid Process 2820 Gaqcoc32.exe 2680 Hiqbndpb.exe 2564 Hggomh32.exe 2772 Ilknfn32.exe 2668 Inngcfid.exe 2472 Idhopq32.exe 1956 Ikbgmj32.exe 1912 Inqcif32.exe 2744 Idklfpon.exe 2904 Idmhkpml.exe 2204 Jnemdecl.exe 2232 Jofiln32.exe 336 Jjlnif32.exe 1104 Jmjjea32.exe 3036 Jbgbni32.exe 2792 Jbjochdi.exe 2040 Jmocpado.exe 3064 Jnqphi32.exe 3004 Jejhecaj.exe 1660 Joplbl32.exe 764 Kemejc32.exe 1856 Kkgmgmfd.exe 2152 Kbqecg32.exe 2176 Kgnnln32.exe 1360 Kcdnao32.exe 1152 Kahojc32.exe 1588 Kgbggnhc.exe 1780 Kmopod32.exe 2240 Kblhgk32.exe 1936 Kmaled32.exe 2768 Lckdanld.exe 2584 Lemaif32.exe 2888 Llfifq32.exe 2868 Lhmjkaoc.exe 2020 Leajdfnm.exe 2404 Lbeknj32.exe 2108 Lkppbl32.exe 2272 Mhdplq32.exe 3012 Mppepcfg.exe 752 Mkeimlfm.exe 620 Maoajf32.exe 2076 Mbpnanch.exe 2160 Mijfnh32.exe 2264 Mpdnkb32.exe 2624 Mgnfhlin.exe 2428 Mmhodf32.exe 2008 Mcegmm32.exe 596 Miooigfo.exe 3116 Mpigfa32.exe 3172 Najdnj32.exe 3244 Nhdlkdkg.exe 3316 Ncjqhmkm.exe 3372 Ndkmpe32.exe 3436 Nkeelohh.exe 3508 Naoniipe.exe 3568 Ndmjedoi.exe 3624 Nkgbbo32.exe 3688 Npdjje32.exe 3752 Nkiogn32.exe 3808 Nnhkcj32.exe 3868 Ndbcpd32.exe 3940 Ngpolo32.exe 4008 Onjgiiad.exe 4068 Ocgpappk.exe -
Loads dropped DLL 64 IoCs
pid Process 1464 83d0996e57f644d7581d375a2936771121a7994227aca186685d7adae605b5ad.exe 1464 83d0996e57f644d7581d375a2936771121a7994227aca186685d7adae605b5ad.exe 2820 Gaqcoc32.exe 2820 Gaqcoc32.exe 2680 Hiqbndpb.exe 2680 Hiqbndpb.exe 2564 Hggomh32.exe 2564 Hggomh32.exe 2772 Ilknfn32.exe 2772 Ilknfn32.exe 2668 Inngcfid.exe 2668 Inngcfid.exe 2472 Idhopq32.exe 2472 Idhopq32.exe 1956 Ikbgmj32.exe 1956 Ikbgmj32.exe 1912 Inqcif32.exe 1912 Inqcif32.exe 2744 Idklfpon.exe 2744 Idklfpon.exe 2904 Idmhkpml.exe 2904 Idmhkpml.exe 2204 Jnemdecl.exe 2204 Jnemdecl.exe 2232 Jofiln32.exe 2232 Jofiln32.exe 336 Jjlnif32.exe 336 Jjlnif32.exe 1104 Jmjjea32.exe 1104 Jmjjea32.exe 3036 Jbgbni32.exe 3036 Jbgbni32.exe 2792 Jbjochdi.exe 2792 Jbjochdi.exe 2040 Jmocpado.exe 2040 Jmocpado.exe 3064 Jnqphi32.exe 3064 Jnqphi32.exe 3004 Jejhecaj.exe 3004 Jejhecaj.exe 1660 Joplbl32.exe 1660 Joplbl32.exe 764 Kemejc32.exe 764 Kemejc32.exe 1856 Kkgmgmfd.exe 1856 Kkgmgmfd.exe 2152 Kbqecg32.exe 2152 Kbqecg32.exe 2176 Kgnnln32.exe 2176 Kgnnln32.exe 1360 Kcdnao32.exe 1360 Kcdnao32.exe 1152 Kahojc32.exe 1152 Kahojc32.exe 1588 Kgbggnhc.exe 1588 Kgbggnhc.exe 1780 Kmopod32.exe 1780 Kmopod32.exe 2240 Kblhgk32.exe 2240 Kblhgk32.exe 1936 Kmaled32.exe 1936 Kmaled32.exe 2768 Lckdanld.exe 2768 Lckdanld.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jjlnif32.exe Jofiln32.exe File created C:\Windows\SysWOW64\Iaelanmg.exe Iogoec32.exe File created C:\Windows\SysWOW64\Qcpofbjl.exe Qmfgjh32.exe File opened for modification C:\Windows\SysWOW64\Qlkdkd32.exe Qjjgclai.exe File created C:\Windows\SysWOW64\Afohaa32.exe Aemkjiem.exe File opened for modification C:\Windows\SysWOW64\Qeaedd32.exe Qbbhgi32.exe File created C:\Windows\SysWOW64\Mfpoaelb.dll Hpmiig32.exe File opened for modification C:\Windows\SysWOW64\Bajqfq32.exe Boidnh32.exe File created C:\Windows\SysWOW64\Pfoocjfd.exe Ooeggp32.exe File created C:\Windows\SysWOW64\Bkddcl32.dll Pbfpik32.exe File opened for modification C:\Windows\SysWOW64\Ijbdha32.exe Ichllgfb.exe File created C:\Windows\SysWOW64\Mmneda32.exe Lfdmggnm.exe File created C:\Windows\SysWOW64\Mifdih32.dll Gihniioc.exe File created C:\Windows\SysWOW64\Jaqddb32.dll Enhacojl.exe File created C:\Windows\SysWOW64\Afnagk32.exe Alhmjbhj.exe File created C:\Windows\SysWOW64\Niehmp32.dll Cckdlnjg.exe File opened for modification C:\Windows\SysWOW64\Boidnh32.exe Bgblmk32.exe File created C:\Windows\SysWOW64\Bnnjlmid.dll Dgiaefgg.exe File created C:\Windows\SysWOW64\Aoaqogml.dll Dpeiligo.exe File created C:\Windows\SysWOW64\Elhnof32.exe Ejjbbkpj.exe File created C:\Windows\SysWOW64\Jofial32.dll Lngpog32.exe File created C:\Windows\SysWOW64\Hiqbndpb.exe Gaqcoc32.exe File created C:\Windows\SysWOW64\Eqmbdn32.dll Lemaif32.exe File created C:\Windows\SysWOW64\Pflomnkb.exe Papfegmk.exe File opened for modification C:\Windows\SysWOW64\Aibajhdn.exe Anlmmp32.exe File opened for modification C:\Windows\SysWOW64\Linphc32.exe Lgmcqkkh.exe File opened for modification C:\Windows\SysWOW64\Egikjh32.exe Eobchk32.exe File created C:\Windows\SysWOW64\Jmjjea32.exe Jjlnif32.exe File created C:\Windows\SysWOW64\Eneegl32.dll Pnchhllf.exe File opened for modification C:\Windows\SysWOW64\Hafock32.exe Gjlgfaco.exe File created C:\Windows\SysWOW64\Fgiefb32.dll Heokmmgb.exe File created C:\Windows\SysWOW64\Ijkocg32.exe Ieofkp32.exe File opened for modification C:\Windows\SysWOW64\Onmdoioa.exe Ocgpappk.exe File opened for modification C:\Windows\SysWOW64\Nkbalifo.exe Nckjkl32.exe File opened for modification C:\Windows\SysWOW64\Nofdklgl.exe Nhllob32.exe File created C:\Windows\SysWOW64\Cddjebgb.exe Clmbddgp.exe File created C:\Windows\SysWOW64\Epobdneg.dll Ehoocgeb.exe File opened for modification C:\Windows\SysWOW64\Dnjoco32.exe Dlifadkk.exe File opened for modification C:\Windows\SysWOW64\Llfifq32.exe Lemaif32.exe File created C:\Windows\SysWOW64\Bnielm32.exe Bmhideol.exe File created C:\Windows\SysWOW64\Bbdofg32.dll Gekfnoog.exe File created C:\Windows\SysWOW64\Kbqecg32.exe Kkgmgmfd.exe File opened for modification C:\Windows\SysWOW64\Ifkacb32.exe Ioaifhid.exe File opened for modification C:\Windows\SysWOW64\Bflbigdb.exe Bgibnj32.exe File created C:\Windows\SysWOW64\Kkpqlm32.exe Koipglep.exe File created C:\Windows\SysWOW64\Eickphoo.dll Gonale32.exe File created C:\Windows\SysWOW64\Aonghnnp.dll Ncjqhmkm.exe File created C:\Windows\SysWOW64\Nadddkfi.dll Onjgiiad.exe File opened for modification C:\Windows\SysWOW64\Pqkmjh32.exe Pkndaa32.exe File opened for modification C:\Windows\SysWOW64\Alhmjbhj.exe Aijpnfif.exe File created C:\Windows\SysWOW64\Bdkbmk32.dll Hbqoqbho.exe File created C:\Windows\SysWOW64\Fplheofl.dll Egikjh32.exe File opened for modification C:\Windows\SysWOW64\Koipglep.exe Keqkofno.exe File opened for modification C:\Windows\SysWOW64\Bmpfojmp.exe Bbjbaa32.exe File created C:\Windows\SysWOW64\Icjhagdp.exe Ilqpdm32.exe File created C:\Windows\SysWOW64\Cpdcnhnl.dll Jgcdki32.exe File created C:\Windows\SysWOW64\Jbhihkig.dll Ogkkfmml.exe File created C:\Windows\SysWOW64\Fnndan32.exe Egdlec32.exe File created C:\Windows\SysWOW64\Mcknhm32.exe Mlafkb32.exe File created C:\Windows\SysWOW64\Iigpciig.dll Nkgbbo32.exe File opened for modification C:\Windows\SysWOW64\Jgfqaiod.exe Jdgdempa.exe File opened for modification C:\Windows\SysWOW64\Godaakic.exe Gcmamj32.exe File opened for modification C:\Windows\SysWOW64\Hbidne32.exe Hkolakkb.exe File created C:\Windows\SysWOW64\Acnlgajg.exe Aclpaali.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3664 5440 WerFault.exe 781 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efkdgmla.dll" Abjebn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecejkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngbkba32.dll" Inifnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckiigmcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkgmgmfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbhnql32.dll" Habfipdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daifmohp.dll" Mooaljkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgcbhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keqkofno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cocajj32.dll" Epbbkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljpome32.dll" Kblhgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimpgolj.dll" Pjenhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cklmgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgbcpq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kblhgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qlkdkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfdmggnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkkmqnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgjcep32.dll" Alhmjbhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcenaf32.dll" Gcglec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kofopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Leimip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgjfkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqpflded.dll" Lboiol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnjoco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efjmbaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhbpkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piphee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpnkbpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdeqfhjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcepqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gikaio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Linphc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elhnof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hifpke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Looghene.dll" Jelfdc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jofiln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aemkjiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geiiogja.dll" Bjlqhoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnkbam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deliip32.dll" Gpnmjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adfqgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elacliin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjaaeimj.dll" Keqkofno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faffik32.dll" Bfcodkcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdalp32.dll" Ngdifkpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apalea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnjplo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dejbqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjlmpfhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egoife32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alhpic32.dll" Khldkllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkndaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdacap32.dll" Eqgnokip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nofdklgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkklhjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fijjok32.dll" Hbidne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epbbkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcnoejch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Napoohch.dll" Aeenochi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clooiddm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbgpig32.dll" Eqamje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iplfej32.dll" Hmalldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cebeem32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1464 wrote to memory of 2820 1464 83d0996e57f644d7581d375a2936771121a7994227aca186685d7adae605b5ad.exe 28 PID 1464 wrote to memory of 2820 1464 83d0996e57f644d7581d375a2936771121a7994227aca186685d7adae605b5ad.exe 28 PID 1464 wrote to memory of 2820 1464 83d0996e57f644d7581d375a2936771121a7994227aca186685d7adae605b5ad.exe 28 PID 1464 wrote to memory of 2820 1464 83d0996e57f644d7581d375a2936771121a7994227aca186685d7adae605b5ad.exe 28 PID 2820 wrote to memory of 2680 2820 Gaqcoc32.exe 29 PID 2820 wrote to memory of 2680 2820 Gaqcoc32.exe 29 PID 2820 wrote to memory of 2680 2820 Gaqcoc32.exe 29 PID 2820 wrote to memory of 2680 2820 Gaqcoc32.exe 29 PID 2680 wrote to memory of 2564 2680 Hiqbndpb.exe 30 PID 2680 wrote to memory of 2564 2680 Hiqbndpb.exe 30 PID 2680 wrote to memory of 2564 2680 Hiqbndpb.exe 30 PID 2680 wrote to memory of 2564 2680 Hiqbndpb.exe 30 PID 2564 wrote to memory of 2772 2564 Hggomh32.exe 31 PID 2564 wrote to memory of 2772 2564 Hggomh32.exe 31 PID 2564 wrote to memory of 2772 2564 Hggomh32.exe 31 PID 2564 wrote to memory of 2772 2564 Hggomh32.exe 31 PID 2772 wrote to memory of 2668 2772 Ilknfn32.exe 32 PID 2772 wrote to memory of 2668 2772 Ilknfn32.exe 32 PID 2772 wrote to memory of 2668 2772 Ilknfn32.exe 32 PID 2772 wrote to memory of 2668 2772 Ilknfn32.exe 32 PID 2668 wrote to memory of 2472 2668 Inngcfid.exe 33 PID 2668 wrote to memory of 2472 2668 Inngcfid.exe 33 PID 2668 wrote to memory of 2472 2668 Inngcfid.exe 33 PID 2668 wrote to memory of 2472 2668 Inngcfid.exe 33 PID 2472 wrote to memory of 1956 2472 Idhopq32.exe 34 PID 2472 wrote to memory of 1956 2472 Idhopq32.exe 34 PID 2472 wrote to memory of 1956 2472 Idhopq32.exe 34 PID 2472 wrote to memory of 1956 2472 Idhopq32.exe 34 PID 1956 wrote to memory of 1912 1956 Ikbgmj32.exe 35 PID 1956 wrote to memory of 1912 1956 Ikbgmj32.exe 35 PID 1956 wrote to memory of 1912 1956 Ikbgmj32.exe 35 PID 1956 wrote to memory of 1912 1956 Ikbgmj32.exe 35 PID 1912 wrote to memory of 2744 1912 Inqcif32.exe 36 PID 1912 wrote to memory of 2744 1912 Inqcif32.exe 36 PID 1912 wrote to memory of 2744 1912 Inqcif32.exe 36 PID 1912 wrote to memory of 2744 1912 Inqcif32.exe 36 PID 2744 wrote to memory of 2904 2744 Idklfpon.exe 37 PID 2744 wrote to memory of 2904 2744 Idklfpon.exe 37 PID 2744 wrote to memory of 2904 2744 Idklfpon.exe 37 PID 2744 wrote to memory of 2904 2744 Idklfpon.exe 37 PID 2904 wrote to memory of 2204 2904 Idmhkpml.exe 38 PID 2904 wrote to memory of 2204 2904 Idmhkpml.exe 38 PID 2904 wrote to memory of 2204 2904 Idmhkpml.exe 38 PID 2904 wrote to memory of 2204 2904 Idmhkpml.exe 38 PID 2204 wrote to memory of 2232 2204 Jnemdecl.exe 39 PID 2204 wrote to memory of 2232 2204 Jnemdecl.exe 39 PID 2204 wrote to memory of 2232 2204 Jnemdecl.exe 39 PID 2204 wrote to memory of 2232 2204 Jnemdecl.exe 39 PID 2232 wrote to memory of 336 2232 Jofiln32.exe 40 PID 2232 wrote to memory of 336 2232 Jofiln32.exe 40 PID 2232 wrote to memory of 336 2232 Jofiln32.exe 40 PID 2232 wrote to memory of 336 2232 Jofiln32.exe 40 PID 336 wrote to memory of 1104 336 Jjlnif32.exe 41 PID 336 wrote to memory of 1104 336 Jjlnif32.exe 41 PID 336 wrote to memory of 1104 336 Jjlnif32.exe 41 PID 336 wrote to memory of 1104 336 Jjlnif32.exe 41 PID 1104 wrote to memory of 3036 1104 Jmjjea32.exe 42 PID 1104 wrote to memory of 3036 1104 Jmjjea32.exe 42 PID 1104 wrote to memory of 3036 1104 Jmjjea32.exe 42 PID 1104 wrote to memory of 3036 1104 Jmjjea32.exe 42 PID 3036 wrote to memory of 2792 3036 Jbgbni32.exe 43 PID 3036 wrote to memory of 2792 3036 Jbgbni32.exe 43 PID 3036 wrote to memory of 2792 3036 Jbgbni32.exe 43 PID 3036 wrote to memory of 2792 3036 Jbgbni32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\83d0996e57f644d7581d375a2936771121a7994227aca186685d7adae605b5ad.exe"C:\Users\Admin\AppData\Local\Temp\83d0996e57f644d7581d375a2936771121a7994227aca186685d7adae605b5ad.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Idhopq32.exeC:\Windows\system32\Idhopq32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Jjlnif32.exeC:\Windows\system32\Jjlnif32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:336 -
C:\Windows\SysWOW64\Jmjjea32.exeC:\Windows\system32\Jmjjea32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Jbjochdi.exeC:\Windows\system32\Jbjochdi.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Jmocpado.exeC:\Windows\system32\Jmocpado.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2040 -
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660 -
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:764 -
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1856 -
C:\Windows\SysWOW64\Kbqecg32.exeC:\Windows\system32\Kbqecg32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2152 -
C:\Windows\SysWOW64\Kgnnln32.exeC:\Windows\system32\Kgnnln32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Kcdnao32.exeC:\Windows\system32\Kcdnao32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1360 -
C:\Windows\SysWOW64\Kahojc32.exeC:\Windows\system32\Kahojc32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1152 -
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1588 -
C:\Windows\SysWOW64\Kmopod32.exeC:\Windows\system32\Kmopod32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1780 -
C:\Windows\SysWOW64\Kblhgk32.exeC:\Windows\system32\Kblhgk32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Kmaled32.exeC:\Windows\system32\Kmaled32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1936 -
C:\Windows\SysWOW64\Lckdanld.exeC:\Windows\system32\Lckdanld.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Lemaif32.exeC:\Windows\system32\Lemaif32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\Llfifq32.exeC:\Windows\system32\Llfifq32.exe34⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Lhmjkaoc.exeC:\Windows\system32\Lhmjkaoc.exe35⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe36⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Lbeknj32.exeC:\Windows\system32\Lbeknj32.exe37⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Lkppbl32.exeC:\Windows\system32\Lkppbl32.exe38⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Mhdplq32.exeC:\Windows\system32\Mhdplq32.exe39⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Mppepcfg.exeC:\Windows\system32\Mppepcfg.exe40⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Mkeimlfm.exeC:\Windows\system32\Mkeimlfm.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Maoajf32.exeC:\Windows\system32\Maoajf32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe43⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Mijfnh32.exeC:\Windows\system32\Mijfnh32.exe44⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Mpdnkb32.exeC:\Windows\system32\Mpdnkb32.exe45⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Mgnfhlin.exeC:\Windows\system32\Mgnfhlin.exe46⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Mmhodf32.exeC:\Windows\system32\Mmhodf32.exe47⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Mcegmm32.exeC:\Windows\system32\Mcegmm32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Miooigfo.exeC:\Windows\system32\Miooigfo.exe49⤵
- Executes dropped EXE
PID:596 -
C:\Windows\SysWOW64\Mpigfa32.exeC:\Windows\system32\Mpigfa32.exe50⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Najdnj32.exeC:\Windows\system32\Najdnj32.exe51⤵
- Executes dropped EXE
PID:3172 -
C:\Windows\SysWOW64\Nhdlkdkg.exeC:\Windows\system32\Nhdlkdkg.exe52⤵
- Executes dropped EXE
PID:3244 -
C:\Windows\SysWOW64\Ncjqhmkm.exeC:\Windows\system32\Ncjqhmkm.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3316 -
C:\Windows\SysWOW64\Ndkmpe32.exeC:\Windows\system32\Ndkmpe32.exe54⤵
- Executes dropped EXE
PID:3372 -
C:\Windows\SysWOW64\Nkeelohh.exeC:\Windows\system32\Nkeelohh.exe55⤵
- Executes dropped EXE
PID:3436 -
C:\Windows\SysWOW64\Naoniipe.exeC:\Windows\system32\Naoniipe.exe56⤵
- Executes dropped EXE
PID:3508 -
C:\Windows\SysWOW64\Ndmjedoi.exeC:\Windows\system32\Ndmjedoi.exe57⤵
- Executes dropped EXE
PID:3568 -
C:\Windows\SysWOW64\Nkgbbo32.exeC:\Windows\system32\Nkgbbo32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3624 -
C:\Windows\SysWOW64\Npdjje32.exeC:\Windows\system32\Npdjje32.exe59⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Nkiogn32.exeC:\Windows\system32\Nkiogn32.exe60⤵
- Executes dropped EXE
PID:3752 -
C:\Windows\SysWOW64\Nnhkcj32.exeC:\Windows\system32\Nnhkcj32.exe61⤵
- Executes dropped EXE
PID:3808 -
C:\Windows\SysWOW64\Ndbcpd32.exeC:\Windows\system32\Ndbcpd32.exe62⤵
- Executes dropped EXE
PID:3868 -
C:\Windows\SysWOW64\Ngpolo32.exeC:\Windows\system32\Ngpolo32.exe63⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Onjgiiad.exeC:\Windows\system32\Onjgiiad.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4008 -
C:\Windows\SysWOW64\Ocgpappk.exeC:\Windows\system32\Ocgpappk.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4068 -
C:\Windows\SysWOW64\Onmdoioa.exeC:\Windows\system32\Onmdoioa.exe66⤵PID:2068
-
C:\Windows\SysWOW64\Oonafa32.exeC:\Windows\system32\Oonafa32.exe67⤵PID:1300
-
C:\Windows\SysWOW64\Ofhick32.exeC:\Windows\system32\Ofhick32.exe68⤵PID:2032
-
C:\Windows\SysWOW64\Ombapedi.exeC:\Windows\system32\Ombapedi.exe69⤵PID:1700
-
C:\Windows\SysWOW64\Obojhlbq.exeC:\Windows\system32\Obojhlbq.exe70⤵PID:1688
-
C:\Windows\SysWOW64\Omdneebf.exeC:\Windows\system32\Omdneebf.exe71⤵PID:2628
-
C:\Windows\SysWOW64\Ofmbnkhg.exeC:\Windows\system32\Ofmbnkhg.exe72⤵PID:1996
-
C:\Windows\SysWOW64\Omfkke32.exeC:\Windows\system32\Omfkke32.exe73⤵PID:400
-
C:\Windows\SysWOW64\Ooeggp32.exeC:\Windows\system32\Ooeggp32.exe74⤵
- Drops file in System32 directory
PID:3108 -
C:\Windows\SysWOW64\Pfoocjfd.exeC:\Windows\system32\Pfoocjfd.exe75⤵PID:3196
-
C:\Windows\SysWOW64\Pklhlael.exeC:\Windows\system32\Pklhlael.exe76⤵PID:3232
-
C:\Windows\SysWOW64\Pbfpik32.exeC:\Windows\system32\Pbfpik32.exe77⤵
- Drops file in System32 directory
PID:3340 -
C:\Windows\SysWOW64\Piphee32.exeC:\Windows\system32\Piphee32.exe78⤵
- Modifies registry class
PID:3400 -
C:\Windows\SysWOW64\Pkndaa32.exeC:\Windows\system32\Pkndaa32.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:3540 -
C:\Windows\SysWOW64\Pqkmjh32.exeC:\Windows\system32\Pqkmjh32.exe80⤵PID:3496
-
C:\Windows\SysWOW64\Pgeefbhm.exeC:\Windows\system32\Pgeefbhm.exe81⤵PID:3632
-
C:\Windows\SysWOW64\Pnomcl32.exeC:\Windows\system32\Pnomcl32.exe82⤵PID:3684
-
C:\Windows\SysWOW64\Peiepfgg.exeC:\Windows\system32\Peiepfgg.exe83⤵PID:3788
-
C:\Windows\SysWOW64\Pjenhm32.exeC:\Windows\system32\Pjenhm32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3864 -
C:\Windows\SysWOW64\Papfegmk.exeC:\Windows\system32\Papfegmk.exe85⤵
- Drops file in System32 directory
PID:3916 -
C:\Windows\SysWOW64\Pflomnkb.exeC:\Windows\system32\Pflomnkb.exe86⤵PID:4000
-
C:\Windows\SysWOW64\Qmfgjh32.exeC:\Windows\system32\Qmfgjh32.exe87⤵
- Drops file in System32 directory
PID:4076 -
C:\Windows\SysWOW64\Qcpofbjl.exeC:\Windows\system32\Qcpofbjl.exe88⤵PID:1840
-
C:\Windows\SysWOW64\Qjjgclai.exeC:\Windows\system32\Qjjgclai.exe89⤵
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Qlkdkd32.exeC:\Windows\system32\Qlkdkd32.exe90⤵
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Qbelgood.exeC:\Windows\system32\Qbelgood.exe91⤵PID:1800
-
C:\Windows\SysWOW64\Aipddi32.exeC:\Windows\system32\Aipddi32.exe92⤵PID:2976
-
C:\Windows\SysWOW64\Alnqqd32.exeC:\Windows\system32\Alnqqd32.exe93⤵PID:1812
-
C:\Windows\SysWOW64\Anlmmp32.exeC:\Windows\system32\Anlmmp32.exe94⤵
- Drops file in System32 directory
PID:1992 -
C:\Windows\SysWOW64\Aibajhdn.exeC:\Windows\system32\Aibajhdn.exe95⤵PID:3144
-
C:\Windows\SysWOW64\Abjebn32.exeC:\Windows\system32\Abjebn32.exe96⤵
- Modifies registry class
PID:3264 -
C:\Windows\SysWOW64\Aidnohbk.exeC:\Windows\system32\Aidnohbk.exe97⤵PID:3312
-
C:\Windows\SysWOW64\Ajejgp32.exeC:\Windows\system32\Ajejgp32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3428 -
C:\Windows\SysWOW64\Aaobdjof.exeC:\Windows\system32\Aaobdjof.exe99⤵PID:3448
-
C:\Windows\SysWOW64\Aekodi32.exeC:\Windows\system32\Aekodi32.exe100⤵PID:1404
-
C:\Windows\SysWOW64\Anccmo32.exeC:\Windows\system32\Anccmo32.exe101⤵PID:3620
-
C:\Windows\SysWOW64\Aemkjiem.exeC:\Windows\system32\Aemkjiem.exe102⤵
- Drops file in System32 directory
- Modifies registry class
PID:3724 -
C:\Windows\SysWOW64\Afohaa32.exeC:\Windows\system32\Afohaa32.exe103⤵PID:3836
-
C:\Windows\SysWOW64\Aoepcn32.exeC:\Windows\system32\Aoepcn32.exe104⤵PID:3852
-
C:\Windows\SysWOW64\Bpgljfbl.exeC:\Windows\system32\Bpgljfbl.exe105⤵PID:3972
-
C:\Windows\SysWOW64\Bjlqhoba.exeC:\Windows\system32\Bjlqhoba.exe106⤵
- Modifies registry class
PID:4060 -
C:\Windows\SysWOW64\Bafidiio.exeC:\Windows\system32\Bafidiio.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2796 -
C:\Windows\SysWOW64\Bfcampgf.exeC:\Windows\system32\Bfcampgf.exe108⤵PID:1712
-
C:\Windows\SysWOW64\Bpleef32.exeC:\Windows\system32\Bpleef32.exe109⤵PID:2832
-
C:\Windows\SysWOW64\Bbjbaa32.exeC:\Windows\system32\Bbjbaa32.exe110⤵
- Drops file in System32 directory
PID:1344 -
C:\Windows\SysWOW64\Bmpfojmp.exeC:\Windows\system32\Bmpfojmp.exe111⤵PID:2496
-
C:\Windows\SysWOW64\Boqbfb32.exeC:\Windows\system32\Boqbfb32.exe112⤵PID:1720
-
C:\Windows\SysWOW64\Bifgdk32.exeC:\Windows\system32\Bifgdk32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3132 -
C:\Windows\SysWOW64\Bocolb32.exeC:\Windows\system32\Bocolb32.exe114⤵PID:3180
-
C:\Windows\SysWOW64\Biicik32.exeC:\Windows\system32\Biicik32.exe115⤵PID:3280
-
C:\Windows\SysWOW64\Blgpef32.exeC:\Windows\system32\Blgpef32.exe116⤵PID:2280
-
C:\Windows\SysWOW64\Ceodnl32.exeC:\Windows\system32\Ceodnl32.exe117⤵PID:3416
-
C:\Windows\SysWOW64\Cklmgb32.exeC:\Windows\system32\Cklmgb32.exe118⤵
- Modifies registry class
PID:3560 -
C:\Windows\SysWOW64\Ceaadk32.exeC:\Windows\system32\Ceaadk32.exe119⤵PID:2712
-
C:\Windows\SysWOW64\Cgcmlcja.exeC:\Windows\system32\Cgcmlcja.exe120⤵PID:3704
-
C:\Windows\SysWOW64\Cahail32.exeC:\Windows\system32\Cahail32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3776
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-