Analysis
-
max time kernel
147s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
19/06/2024, 19:10
Static task
static1
Behavioral task
behavioral1
Sample
185032caa1e79b4e21e2109d56fa7d9a394696d9cee44a1ea28c22253216d057.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
185032caa1e79b4e21e2109d56fa7d9a394696d9cee44a1ea28c22253216d057.exe
Resource
win10v2004-20240508-en
General
-
Target
185032caa1e79b4e21e2109d56fa7d9a394696d9cee44a1ea28c22253216d057.exe
-
Size
264KB
-
MD5
fddeecfbd04da152c146abfb580c54c9
-
SHA1
6beec793f33034bfad3962588584f42b32e88219
-
SHA256
185032caa1e79b4e21e2109d56fa7d9a394696d9cee44a1ea28c22253216d057
-
SHA512
1ae2c85ede0ac1692df88cf3fa9e0c37d87a00cfd31b3daf34d626df3538098584b01d11b0018b1a61903f66f675e092f85f0acce510832d7129d7f6e25e8d64
-
SSDEEP
6144:hF01tzWxlasohxd2Quohdbd0zscwIGUKfvUJ43ewmxteZekR+1b/KVC0C:X0TJxdzZdxGwsYI
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kambcbhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqmjnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgnbnpkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmmneg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opqoge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nplfdj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipjahd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgqocoin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjcaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khgkpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcfbdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqijljfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfnmmn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daipqhdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kekkiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gefmcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aipfmane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Padhdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfhdnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddiibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjkndb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdpjba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blaopqpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kklikejc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nblpfepo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbpfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkgkoiqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Liklhmom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Foahmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjahej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lboiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieibdnnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khgkpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hajinjff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phfmllbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmhkmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hinbppna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijqoilii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlnklcej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbppnbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nedhjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlnmel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfjann32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coicfd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hklhae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odbeilbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfncpcoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cillkbac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kambcbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 185032caa1e79b4e21e2109d56fa7d9a394696d9cee44a1ea28c22253216d057.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aojojl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhjcic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbhfke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddblgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqonbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akabgebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opialpld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akpkmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nledoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoeeolig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljghjpfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddnfop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jniefm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbdmeoob.exe -
Executes dropped EXE 64 IoCs
pid Process 1700 Blaopqpo.exe 1100 Bobhal32.exe 2764 Cilibi32.exe 2604 Cgbfamff.exe 2828 Cegcbjkn.exe 2592 Cckdlnjg.exe 664 Dacnbjml.exe 680 Dognlnlf.exe 2776 Dpjgifpa.exe 2280 Dnnhbjnk.exe 1704 Ecnmpa32.exe 1360 Eqamje32.exe 2676 Emkkdf32.exe 1576 Efcomkcl.exe 1456 Ekpheb32.exe 1872 Fblmglgm.exe 1696 Fjjnan32.exe 3056 Fjlkgn32.exe 2328 Fcdopc32.exe 688 Giahhj32.exe 972 Glbqje32.exe 2956 Gifaciae.exe 1636 Gnbjlpom.exe 3048 Gjijqa32.exe 2060 Ghmkjedk.exe 2860 Gmjcblbb.exe 1960 Hfbhkb32.exe 2200 Hpkldg32.exe 2556 Hajinjff.exe 3000 Hifmbmda.exe 2824 Hppfog32.exe 1860 Hoebpc32.exe 2488 Iogoec32.exe 2484 Iknpkd32.exe 684 Ioilkblq.exe 1196 Ikpmpc32.exe 1364 Iefamlak.exe 832 Inafbooe.exe 536 Idknoi32.exe 856 Jnfomn32.exe 1432 Jhamckel.exe 1488 Jajala32.exe 1136 Jonbee32.exe 2264 Jlbboiip.exe 1724 Kfjggo32.exe 2324 Kglcogeo.exe 1916 Kqdhhm32.exe 2372 Kgnpeg32.exe 1764 Kqfdnljm.exe 1532 Kklikejc.exe 3052 Kfeikcfa.exe 1932 Kmobhmnn.exe 2188 Kgefefnd.exe 2840 Lqmjnk32.exe 2744 Lkgkoiqc.exe 3032 Lflplbpi.exe 2768 Liklhmom.exe 2620 Lbcpac32.exe 2924 Liminmmk.exe 2152 Lpgajgeg.exe 2544 Lahmbo32.exe 1684 Llnaoh32.exe 1928 Lnlnlc32.exe 2960 Mlpneh32.exe -
Loads dropped DLL 64 IoCs
pid Process 2160 185032caa1e79b4e21e2109d56fa7d9a394696d9cee44a1ea28c22253216d057.exe 2160 185032caa1e79b4e21e2109d56fa7d9a394696d9cee44a1ea28c22253216d057.exe 1700 Blaopqpo.exe 1700 Blaopqpo.exe 1100 Bobhal32.exe 1100 Bobhal32.exe 2764 Cilibi32.exe 2764 Cilibi32.exe 2604 Cgbfamff.exe 2604 Cgbfamff.exe 2828 Cegcbjkn.exe 2828 Cegcbjkn.exe 2592 Cckdlnjg.exe 2592 Cckdlnjg.exe 664 Dacnbjml.exe 664 Dacnbjml.exe 680 Dognlnlf.exe 680 Dognlnlf.exe 2776 Dpjgifpa.exe 2776 Dpjgifpa.exe 2280 Dnnhbjnk.exe 2280 Dnnhbjnk.exe 1704 Ecnmpa32.exe 1704 Ecnmpa32.exe 1360 Eqamje32.exe 1360 Eqamje32.exe 2676 Emkkdf32.exe 2676 Emkkdf32.exe 1576 Efcomkcl.exe 1576 Efcomkcl.exe 1456 Ekpheb32.exe 1456 Ekpheb32.exe 1872 Fblmglgm.exe 1872 Fblmglgm.exe 1696 Fjjnan32.exe 1696 Fjjnan32.exe 3056 Fjlkgn32.exe 3056 Fjlkgn32.exe 2328 Fcdopc32.exe 2328 Fcdopc32.exe 688 Giahhj32.exe 688 Giahhj32.exe 972 Glbqje32.exe 972 Glbqje32.exe 2956 Gifaciae.exe 2956 Gifaciae.exe 1636 Gnbjlpom.exe 1636 Gnbjlpom.exe 3048 Gjijqa32.exe 3048 Gjijqa32.exe 2060 Ghmkjedk.exe 2060 Ghmkjedk.exe 2860 Gmjcblbb.exe 2860 Gmjcblbb.exe 1960 Hfbhkb32.exe 1960 Hfbhkb32.exe 2200 Hpkldg32.exe 2200 Hpkldg32.exe 2556 Hajinjff.exe 2556 Hajinjff.exe 3000 Hifmbmda.exe 3000 Hifmbmda.exe 2824 Hppfog32.exe 2824 Hppfog32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ifpcchai.exe Iacjjacb.exe File opened for modification C:\Windows\SysWOW64\Ndkhngdd.exe Nfghdcfj.exe File opened for modification C:\Windows\SysWOW64\Pmkhjncg.exe Padhdm32.exe File created C:\Windows\SysWOW64\Lfhhjklc.exe Kjahej32.exe File created C:\Windows\SysWOW64\Lgingm32.exe Lkbmbl32.exe File created C:\Windows\SysWOW64\Ginaep32.dll Aobpfb32.exe File created C:\Windows\SysWOW64\Olpgconp.exe Opifnm32.exe File opened for modification C:\Windows\SysWOW64\Dahkok32.exe Dhpgfeao.exe File created C:\Windows\SysWOW64\Ampjoj32.dll Lcfbdd32.exe File created C:\Windows\SysWOW64\Hakkgc32.exe Hahnac32.exe File created C:\Windows\SysWOW64\Jijokbfp.exe Jbpfnh32.exe File created C:\Windows\SysWOW64\Kqfdnljm.exe Kgnpeg32.exe File created C:\Windows\SysWOW64\Phbgcnig.exe Pnmcfeia.exe File opened for modification C:\Windows\SysWOW64\Bleeioil.exe Bekmle32.exe File opened for modification C:\Windows\SysWOW64\Bhbkpgbf.exe Boifga32.exe File opened for modification C:\Windows\SysWOW64\Kgefefnd.exe Kmobhmnn.exe File opened for modification C:\Windows\SysWOW64\Daipqhdg.exe Dojddmec.exe File opened for modification C:\Windows\SysWOW64\Gmpjagfa.exe Ggcaiqhj.exe File created C:\Windows\SysWOW64\Aigmnqgm.exe Akcldl32.exe File created C:\Windows\SysWOW64\Mfjgiobf.dll Lljpjchg.exe File opened for modification C:\Windows\SysWOW64\Mopbgn32.exe Momfan32.exe File created C:\Windows\SysWOW64\Gcokiaji.exe Gjfgqk32.exe File created C:\Windows\SysWOW64\Ifffkncm.exe Iegjqk32.exe File created C:\Windows\SysWOW64\Aobpfb32.exe Aejlnmkm.exe File created C:\Windows\SysWOW64\Bkijnbae.dll Mfjoeeeh.exe File opened for modification C:\Windows\SysWOW64\Objjnkie.exe Olpbaa32.exe File opened for modification C:\Windows\SysWOW64\Odbeilbg.exe Nhlddkmc.exe File created C:\Windows\SysWOW64\Fheabelm.exe Fgcejm32.exe File opened for modification C:\Windows\SysWOW64\Fbdlkj32.exe Filgbdfd.exe File created C:\Windows\SysWOW64\Iedfqeka.exe Illbhp32.exe File created C:\Windows\SysWOW64\Obokcqhk.exe Opqoge32.exe File created C:\Windows\SysWOW64\Ojgfoglc.dll Cglalbbi.exe File created C:\Windows\SysWOW64\Fbdlkj32.exe Filgbdfd.exe File created C:\Windows\SysWOW64\Dfefmpeo.dll Bqijljfd.exe File opened for modification C:\Windows\SysWOW64\Dmgkgeah.exe Ddnfop32.exe File created C:\Windows\SysWOW64\Lppjddce.dll Ehgbhbgn.exe File created C:\Windows\SysWOW64\Jihcbj32.dll Egikjh32.exe File created C:\Windows\SysWOW64\Mmdgbp32.exe Mfjoeeeh.exe File created C:\Windows\SysWOW64\Ifgkmbho.dll Bnhoag32.exe File created C:\Windows\SysWOW64\Lnpfoc32.dll Pldebkhj.exe File opened for modification C:\Windows\SysWOW64\Ckhdggom.exe Cbppnbhm.exe File opened for modification C:\Windows\SysWOW64\Honnki32.exe Hqiqjlga.exe File created C:\Windows\SysWOW64\Ancefgfd.exe Aigmnqgm.exe File created C:\Windows\SysWOW64\Aennba32.exe Ancefgfd.exe File created C:\Windows\SysWOW64\Dhplhc32.exe Dcccpl32.exe File opened for modification C:\Windows\SysWOW64\Ioakoq32.exe Ifffkncm.exe File opened for modification C:\Windows\SysWOW64\Dmbcen32.exe Calcpm32.exe File created C:\Windows\SysWOW64\Plijimee.exe Olgmcmgh.exe File opened for modification C:\Windows\SysWOW64\Ekcaonhe.exe Ddiibc32.exe File created C:\Windows\SysWOW64\Fbcqem32.dll Egahen32.exe File created C:\Windows\SysWOW64\Imlmlm32.dll Nijnln32.exe File created C:\Windows\SysWOW64\Lqilpbfo.dll Ecploipa.exe File opened for modification C:\Windows\SysWOW64\Fblmglgm.exe Ekpheb32.exe File created C:\Windows\SysWOW64\Dahkok32.exe Dhpgfeao.exe File created C:\Windows\SysWOW64\Cdbhodcb.dll Hfbaql32.exe File created C:\Windows\SysWOW64\Nmnclmoj.exe Nhakcfab.exe File opened for modification C:\Windows\SysWOW64\Dlgjldnm.exe Difqji32.exe File opened for modification C:\Windows\SysWOW64\Enkpahon.exe Egahen32.exe File opened for modification C:\Windows\SysWOW64\Lcblan32.exe Ljigih32.exe File opened for modification C:\Windows\SysWOW64\Boifga32.exe Baefnmml.exe File opened for modification C:\Windows\SysWOW64\Bobhal32.exe Blaopqpo.exe File created C:\Windows\SysWOW64\Dcjpqlpe.dll Cgbfamff.exe File created C:\Windows\SysWOW64\Gjijqa32.exe Gnbjlpom.exe File opened for modification C:\Windows\SysWOW64\Ilcalnii.exe Ipmqgmcd.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1148 2996 WerFault.exe 546 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Illhhf32.dll" Hajinjff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocohkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnnlocgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pblmdj32.dll" Gkcekfad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmjcblbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pheocfji.dll" Odjdmjgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpjgifpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmpelefj.dll" Aipfmane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akcomepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmcog32.dll" Ilcalnii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdoomf32.dll" Fheabelm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imglhaji.dll" Iigpli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqilpbfo.dll" Ecploipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnghnbki.dll" Ocllehcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmfjhcj.dll" Jnpkflne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecploipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hofjjbcd.dll" Hiqoeplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkmohi32.dll" Ncmglp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjknmf32.dll" Badnhbce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcdkif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbppnbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aejlnmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfeho32.dll" Mmfdhojb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Macilmnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bekmle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Offmipej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kojgdjqe.dll" Ehjqgjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Foahmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdiqpigl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adhffc32.dll" Kfeikcfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcfbdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Illbhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fchkbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnmcfeia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfieigio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Deondj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcnejk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoagccfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjqf32.dll" Lnjldf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emoldlmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eaheeecg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfigck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnbjlpom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngdjmc32.dll" Kjmnjkjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Einjdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcgndfi.dll" Gdcjpncm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mopbgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefpcolp.dll" Qoeeolig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbcpac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcnejk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iigpli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihdpbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfehhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqjaeeog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oecmogln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekcaonhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnpflj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agdmdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqmpdioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Honnki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akcldl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbqmhnbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmimcbja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodgdaah.dll" Dojddmec.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2160 wrote to memory of 1700 2160 185032caa1e79b4e21e2109d56fa7d9a394696d9cee44a1ea28c22253216d057.exe 28 PID 2160 wrote to memory of 1700 2160 185032caa1e79b4e21e2109d56fa7d9a394696d9cee44a1ea28c22253216d057.exe 28 PID 2160 wrote to memory of 1700 2160 185032caa1e79b4e21e2109d56fa7d9a394696d9cee44a1ea28c22253216d057.exe 28 PID 2160 wrote to memory of 1700 2160 185032caa1e79b4e21e2109d56fa7d9a394696d9cee44a1ea28c22253216d057.exe 28 PID 1700 wrote to memory of 1100 1700 Blaopqpo.exe 29 PID 1700 wrote to memory of 1100 1700 Blaopqpo.exe 29 PID 1700 wrote to memory of 1100 1700 Blaopqpo.exe 29 PID 1700 wrote to memory of 1100 1700 Blaopqpo.exe 29 PID 1100 wrote to memory of 2764 1100 Bobhal32.exe 30 PID 1100 wrote to memory of 2764 1100 Bobhal32.exe 30 PID 1100 wrote to memory of 2764 1100 Bobhal32.exe 30 PID 1100 wrote to memory of 2764 1100 Bobhal32.exe 30 PID 2764 wrote to memory of 2604 2764 Cilibi32.exe 31 PID 2764 wrote to memory of 2604 2764 Cilibi32.exe 31 PID 2764 wrote to memory of 2604 2764 Cilibi32.exe 31 PID 2764 wrote to memory of 2604 2764 Cilibi32.exe 31 PID 2604 wrote to memory of 2828 2604 Cgbfamff.exe 32 PID 2604 wrote to memory of 2828 2604 Cgbfamff.exe 32 PID 2604 wrote to memory of 2828 2604 Cgbfamff.exe 32 PID 2604 wrote to memory of 2828 2604 Cgbfamff.exe 32 PID 2828 wrote to memory of 2592 2828 Cegcbjkn.exe 33 PID 2828 wrote to memory of 2592 2828 Cegcbjkn.exe 33 PID 2828 wrote to memory of 2592 2828 Cegcbjkn.exe 33 PID 2828 wrote to memory of 2592 2828 Cegcbjkn.exe 33 PID 2592 wrote to memory of 664 2592 Cckdlnjg.exe 34 PID 2592 wrote to memory of 664 2592 Cckdlnjg.exe 34 PID 2592 wrote to memory of 664 2592 Cckdlnjg.exe 34 PID 2592 wrote to memory of 664 2592 Cckdlnjg.exe 34 PID 664 wrote to memory of 680 664 Dacnbjml.exe 35 PID 664 wrote to memory of 680 664 Dacnbjml.exe 35 PID 664 wrote to memory of 680 664 Dacnbjml.exe 35 PID 664 wrote to memory of 680 664 Dacnbjml.exe 35 PID 680 wrote to memory of 2776 680 Dognlnlf.exe 36 PID 680 wrote to memory of 2776 680 Dognlnlf.exe 36 PID 680 wrote to memory of 2776 680 Dognlnlf.exe 36 PID 680 wrote to memory of 2776 680 Dognlnlf.exe 36 PID 2776 wrote to memory of 2280 2776 Dpjgifpa.exe 37 PID 2776 wrote to memory of 2280 2776 Dpjgifpa.exe 37 PID 2776 wrote to memory of 2280 2776 Dpjgifpa.exe 37 PID 2776 wrote to memory of 2280 2776 Dpjgifpa.exe 37 PID 2280 wrote to memory of 1704 2280 Dnnhbjnk.exe 38 PID 2280 wrote to memory of 1704 2280 Dnnhbjnk.exe 38 PID 2280 wrote to memory of 1704 2280 Dnnhbjnk.exe 38 PID 2280 wrote to memory of 1704 2280 Dnnhbjnk.exe 38 PID 1704 wrote to memory of 1360 1704 Ecnmpa32.exe 39 PID 1704 wrote to memory of 1360 1704 Ecnmpa32.exe 39 PID 1704 wrote to memory of 1360 1704 Ecnmpa32.exe 39 PID 1704 wrote to memory of 1360 1704 Ecnmpa32.exe 39 PID 1360 wrote to memory of 2676 1360 Eqamje32.exe 40 PID 1360 wrote to memory of 2676 1360 Eqamje32.exe 40 PID 1360 wrote to memory of 2676 1360 Eqamje32.exe 40 PID 1360 wrote to memory of 2676 1360 Eqamje32.exe 40 PID 2676 wrote to memory of 1576 2676 Emkkdf32.exe 41 PID 2676 wrote to memory of 1576 2676 Emkkdf32.exe 41 PID 2676 wrote to memory of 1576 2676 Emkkdf32.exe 41 PID 2676 wrote to memory of 1576 2676 Emkkdf32.exe 41 PID 1576 wrote to memory of 1456 1576 Efcomkcl.exe 42 PID 1576 wrote to memory of 1456 1576 Efcomkcl.exe 42 PID 1576 wrote to memory of 1456 1576 Efcomkcl.exe 42 PID 1576 wrote to memory of 1456 1576 Efcomkcl.exe 42 PID 1456 wrote to memory of 1872 1456 Ekpheb32.exe 43 PID 1456 wrote to memory of 1872 1456 Ekpheb32.exe 43 PID 1456 wrote to memory of 1872 1456 Ekpheb32.exe 43 PID 1456 wrote to memory of 1872 1456 Ekpheb32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\185032caa1e79b4e21e2109d56fa7d9a394696d9cee44a1ea28c22253216d057.exe"C:\Users\Admin\AppData\Local\Temp\185032caa1e79b4e21e2109d56fa7d9a394696d9cee44a1ea28c22253216d057.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Blaopqpo.exeC:\Windows\system32\Blaopqpo.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Bobhal32.exeC:\Windows\system32\Bobhal32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Cilibi32.exeC:\Windows\system32\Cilibi32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Cgbfamff.exeC:\Windows\system32\Cgbfamff.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Cegcbjkn.exeC:\Windows\system32\Cegcbjkn.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Cckdlnjg.exeC:\Windows\system32\Cckdlnjg.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Dacnbjml.exeC:\Windows\system32\Dacnbjml.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Windows\SysWOW64\Dognlnlf.exeC:\Windows\system32\Dognlnlf.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:680 -
C:\Windows\SysWOW64\Dpjgifpa.exeC:\Windows\system32\Dpjgifpa.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Dnnhbjnk.exeC:\Windows\system32\Dnnhbjnk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Ecnmpa32.exeC:\Windows\system32\Ecnmpa32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Eqamje32.exeC:\Windows\system32\Eqamje32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\SysWOW64\Emkkdf32.exeC:\Windows\system32\Emkkdf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Efcomkcl.exeC:\Windows\system32\Efcomkcl.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Ekpheb32.exeC:\Windows\system32\Ekpheb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\SysWOW64\Fblmglgm.exeC:\Windows\system32\Fblmglgm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872 -
C:\Windows\SysWOW64\Fjjnan32.exeC:\Windows\system32\Fjjnan32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Fjlkgn32.exeC:\Windows\system32\Fjlkgn32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056 -
C:\Windows\SysWOW64\Fcdopc32.exeC:\Windows\system32\Fcdopc32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2328 -
C:\Windows\SysWOW64\Giahhj32.exeC:\Windows\system32\Giahhj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:688 -
C:\Windows\SysWOW64\Glbqje32.exeC:\Windows\system32\Glbqje32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:972 -
C:\Windows\SysWOW64\Gifaciae.exeC:\Windows\system32\Gifaciae.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2956 -
C:\Windows\SysWOW64\Gnbjlpom.exeC:\Windows\system32\Gnbjlpom.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Gjijqa32.exeC:\Windows\system32\Gjijqa32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3048 -
C:\Windows\SysWOW64\Ghmkjedk.exeC:\Windows\system32\Ghmkjedk.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060 -
C:\Windows\SysWOW64\Gmjcblbb.exeC:\Windows\system32\Gmjcblbb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Hfbhkb32.exeC:\Windows\system32\Hfbhkb32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1960 -
C:\Windows\SysWOW64\Hpkldg32.exeC:\Windows\system32\Hpkldg32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2200 -
C:\Windows\SysWOW64\Hajinjff.exeC:\Windows\system32\Hajinjff.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Hifmbmda.exeC:\Windows\system32\Hifmbmda.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3000 -
C:\Windows\SysWOW64\Hppfog32.exeC:\Windows\system32\Hppfog32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Hoebpc32.exeC:\Windows\system32\Hoebpc32.exe33⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Iogoec32.exeC:\Windows\system32\Iogoec32.exe34⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Iknpkd32.exeC:\Windows\system32\Iknpkd32.exe35⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Ioilkblq.exeC:\Windows\system32\Ioilkblq.exe36⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Ikpmpc32.exeC:\Windows\system32\Ikpmpc32.exe37⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Iefamlak.exeC:\Windows\system32\Iefamlak.exe38⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Inafbooe.exeC:\Windows\system32\Inafbooe.exe39⤵
- Executes dropped EXE
PID:832 -
C:\Windows\SysWOW64\Idknoi32.exeC:\Windows\system32\Idknoi32.exe40⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Jnfomn32.exeC:\Windows\system32\Jnfomn32.exe41⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Jhamckel.exeC:\Windows\system32\Jhamckel.exe42⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Jajala32.exeC:\Windows\system32\Jajala32.exe43⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Jonbee32.exeC:\Windows\system32\Jonbee32.exe44⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Jlbboiip.exeC:\Windows\system32\Jlbboiip.exe45⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Kfjggo32.exeC:\Windows\system32\Kfjggo32.exe46⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Kglcogeo.exeC:\Windows\system32\Kglcogeo.exe47⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Kqdhhm32.exeC:\Windows\system32\Kqdhhm32.exe48⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Kgnpeg32.exeC:\Windows\system32\Kgnpeg32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Kqfdnljm.exeC:\Windows\system32\Kqfdnljm.exe50⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Kklikejc.exeC:\Windows\system32\Kklikejc.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Kfeikcfa.exeC:\Windows\system32\Kfeikcfa.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Kmobhmnn.exeC:\Windows\system32\Kmobhmnn.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1932 -
C:\Windows\SysWOW64\Kgefefnd.exeC:\Windows\system32\Kgefefnd.exe54⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Lqmjnk32.exeC:\Windows\system32\Lqmjnk32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Lkgkoiqc.exeC:\Windows\system32\Lkgkoiqc.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Lflplbpi.exeC:\Windows\system32\Lflplbpi.exe57⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Liklhmom.exeC:\Windows\system32\Liklhmom.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Lbcpac32.exeC:\Windows\system32\Lbcpac32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Liminmmk.exeC:\Windows\system32\Liminmmk.exe60⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Lpgajgeg.exeC:\Windows\system32\Lpgajgeg.exe61⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Lahmbo32.exeC:\Windows\system32\Lahmbo32.exe62⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Llnaoh32.exeC:\Windows\system32\Llnaoh32.exe63⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Lnlnlc32.exeC:\Windows\system32\Lnlnlc32.exe64⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Mlpneh32.exeC:\Windows\system32\Mlpneh32.exe65⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Mmakmp32.exeC:\Windows\system32\Mmakmp32.exe66⤵PID:2304
-
C:\Windows\SysWOW64\Mfjoeeeh.exeC:\Windows\system32\Mfjoeeeh.exe67⤵
- Drops file in System32 directory
PID:2252 -
C:\Windows\SysWOW64\Mmdgbp32.exeC:\Windows\system32\Mmdgbp32.exe68⤵PID:2340
-
C:\Windows\SysWOW64\Mhilph32.exeC:\Windows\system32\Mhilph32.exe69⤵PID:764
-
C:\Windows\SysWOW64\Mmfdhojb.exeC:\Windows\system32\Mmfdhojb.exe70⤵
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Mdpldi32.exeC:\Windows\system32\Mdpldi32.exe71⤵PID:760
-
C:\Windows\SysWOW64\Mlkail32.exeC:\Windows\system32\Mlkail32.exe72⤵PID:552
-
C:\Windows\SysWOW64\Mdbiji32.exeC:\Windows\system32\Mdbiji32.exe73⤵PID:1012
-
C:\Windows\SysWOW64\Nlnnnk32.exeC:\Windows\system32\Nlnnnk32.exe74⤵PID:2432
-
C:\Windows\SysWOW64\Nbhfke32.exeC:\Windows\system32\Nbhfke32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2900 -
C:\Windows\SysWOW64\Nianhplq.exeC:\Windows\system32\Nianhplq.exe76⤵PID:2812
-
C:\Windows\SysWOW64\Nplfdj32.exeC:\Windows\system32\Nplfdj32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2724 -
C:\Windows\SysWOW64\Nehomq32.exeC:\Windows\system32\Nehomq32.exe78⤵PID:2548
-
C:\Windows\SysWOW64\Nkegeg32.exeC:\Windows\system32\Nkegeg32.exe79⤵PID:2600
-
C:\Windows\SysWOW64\Nblpfepo.exeC:\Windows\system32\Nblpfepo.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:468 -
C:\Windows\SysWOW64\Nledoj32.exeC:\Windows\system32\Nledoj32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2092 -
C:\Windows\SysWOW64\Nmfqgbmm.exeC:\Windows\system32\Nmfqgbmm.exe82⤵PID:2680
-
C:\Windows\SysWOW64\Nhlddkmc.exeC:\Windows\system32\Nhlddkmc.exe83⤵
- Drops file in System32 directory
PID:2932 -
C:\Windows\SysWOW64\Odbeilbg.exeC:\Windows\system32\Odbeilbg.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2240 -
C:\Windows\SysWOW64\Oionacqo.exeC:\Windows\system32\Oionacqo.exe85⤵PID:2072
-
C:\Windows\SysWOW64\Opifnm32.exeC:\Windows\system32\Opifnm32.exe86⤵
- Drops file in System32 directory
PID:1524 -
C:\Windows\SysWOW64\Olpgconp.exeC:\Windows\system32\Olpgconp.exe87⤵PID:2284
-
C:\Windows\SysWOW64\Ocjophem.exeC:\Windows\system32\Ocjophem.exe88⤵PID:3064
-
C:\Windows\SysWOW64\Onocmadb.exeC:\Windows\system32\Onocmadb.exe89⤵PID:3008
-
C:\Windows\SysWOW64\Ocllehcj.exeC:\Windows\system32\Ocllehcj.exe90⤵
- Modifies registry class
PID:1536 -
C:\Windows\SysWOW64\Ohidmoaa.exeC:\Windows\system32\Ohidmoaa.exe91⤵PID:1236
-
C:\Windows\SysWOW64\Ocohkh32.exeC:\Windows\system32\Ocohkh32.exe92⤵
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Olgmcmgh.exeC:\Windows\system32\Olgmcmgh.exe93⤵
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Plijimee.exeC:\Windows\system32\Plijimee.exe94⤵PID:1708
-
C:\Windows\SysWOW64\Phpjnnki.exeC:\Windows\system32\Phpjnnki.exe95⤵PID:2804
-
C:\Windows\SysWOW64\Pnmcfeia.exeC:\Windows\system32\Pnmcfeia.exe96⤵
- Drops file in System32 directory
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Phbgcnig.exeC:\Windows\system32\Phbgcnig.exe97⤵PID:2028
-
C:\Windows\SysWOW64\Pdihiook.exeC:\Windows\system32\Pdihiook.exe98⤵PID:1020
-
C:\Windows\SysWOW64\Pjfpafmb.exeC:\Windows\system32\Pjfpafmb.exe99⤵PID:876
-
C:\Windows\SysWOW64\Pcnejk32.exeC:\Windows\system32\Pcnejk32.exe100⤵
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Qndigd32.exeC:\Windows\system32\Qndigd32.exe101⤵PID:932
-
C:\Windows\SysWOW64\Qoeeolig.exeC:\Windows\system32\Qoeeolig.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Qjkjle32.exeC:\Windows\system32\Qjkjle32.exe103⤵PID:1088
-
C:\Windows\SysWOW64\Qqdbiopj.exeC:\Windows\system32\Qqdbiopj.exe104⤵PID:1604
-
C:\Windows\SysWOW64\Aipfmane.exeC:\Windows\system32\Aipfmane.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1468 -
C:\Windows\SysWOW64\Aojojl32.exeC:\Windows\system32\Aojojl32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2272 -
C:\Windows\SysWOW64\Afdgfelo.exeC:\Windows\system32\Afdgfelo.exe107⤵PID:1452
-
C:\Windows\SysWOW64\Amnocpdk.exeC:\Windows\system32\Amnocpdk.exe108⤵PID:2136
-
C:\Windows\SysWOW64\Anolkh32.exeC:\Windows\system32\Anolkh32.exe109⤵PID:2424
-
C:\Windows\SysWOW64\Aidphq32.exeC:\Windows\system32\Aidphq32.exe110⤵PID:2348
-
C:\Windows\SysWOW64\Akcldl32.exeC:\Windows\system32\Akcldl32.exe111⤵
- Drops file in System32 directory
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Aigmnqgm.exeC:\Windows\system32\Aigmnqgm.exe112⤵
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Ancefgfd.exeC:\Windows\system32\Ancefgfd.exe113⤵
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Aennba32.exeC:\Windows\system32\Aennba32.exe114⤵PID:1368
-
C:\Windows\SysWOW64\Akhfoldn.exeC:\Windows\system32\Akhfoldn.exe115⤵PID:2248
-
C:\Windows\SysWOW64\Badnhbce.exeC:\Windows\system32\Badnhbce.exe116⤵
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Bnhoag32.exeC:\Windows\system32\Bnhoag32.exe117⤵
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Bagkmb32.exeC:\Windows\system32\Bagkmb32.exe118⤵PID:1796
-
C:\Windows\SysWOW64\Bfccei32.exeC:\Windows\system32\Bfccei32.exe119⤵PID:2016
-
C:\Windows\SysWOW64\Bekmle32.exeC:\Windows\system32\Bekmle32.exe120⤵
- Drops file in System32 directory
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Bleeioil.exeC:\Windows\system32\Bleeioil.exe121⤵PID:2360
-
C:\Windows\SysWOW64\Ciifbchf.exeC:\Windows\system32\Ciifbchf.exe122⤵PID:2012
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-