Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
20-06-2024 00:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
963a0baaa456d419723e0cedca3257aac5fd7ad84af539f4c54b65c1eb87535c.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
963a0baaa456d419723e0cedca3257aac5fd7ad84af539f4c54b65c1eb87535c.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
963a0baaa456d419723e0cedca3257aac5fd7ad84af539f4c54b65c1eb87535c.exe
-
Size
391KB
-
MD5
6a85787b2d5ac8e81049bcd6892ced6c
-
SHA1
61a8669d709fb503260d88e06476d0e52a0d96cb
-
SHA256
963a0baaa456d419723e0cedca3257aac5fd7ad84af539f4c54b65c1eb87535c
-
SHA512
35105066df80397259195bb37363f286030ac8841f366f0360a16d547d10ea92fdf92b8172947c545bc386eb1894e69e6fb2a8ac82e55b6ccc746f7aeccaf6cd
-
SSDEEP
6144:Wi+8jVPyTRWCaAfbAfNtTAfMAfFAfNPUmKyIxLfYeOO9UmKyIxL:g8jQRBmNtuhUNP3cOK3
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caqfiloi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfdfmfle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Koejqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nkmdpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnkoid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hliieioi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qflhbhgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmidlmcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdgmbhgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjebjjck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pabncj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcheib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Docopbaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blniinac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjfmem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhjjgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nijpdfhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qjfalj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gaplfinb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohdglfoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pqplqile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccjoli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ceeieced.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmmcpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blgeahoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddliklgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldnbeokn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hflkaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npechhgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bebfpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Magfjebk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohfcfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efffpjmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfdhck32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pniohk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afpchl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdhpdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhmldfdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbnenk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikmibjkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cheido32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icbkhnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qbodjofc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihilqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Addhcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcikog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bemmenhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Codbqonk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjcppidk.exe -
Executes dropped EXE 64 IoCs
pid Process 2004 Ljkomfjl.exe 1652 Mooaljkh.exe 2696 Mbpgggol.exe 1300 Mlhkpm32.exe 1600 Ngfflj32.exe 3000 Npojdpef.exe 2036 Nenobfak.exe 2800 Neplhf32.exe 2780 Nkmdpm32.exe 2144 Ohhkjp32.exe 808 Odoloalf.exe 1640 Pngphgbf.exe 2752 Pqjfoa32.exe 1660 Qflhbhgg.exe 1656 Qjnmlk32.exe 2948 Aganeoip.exe 2656 Amqccfed.exe 2308 Acmhepko.exe 932 Aeqabgoj.exe 2032 Bbdallnd.exe 1308 Blmfea32.exe 876 Bhdgjb32.exe 1104 Bbikgk32.exe 2216 Bjdplm32.exe 2908 Bmeimhdj.exe 856 Cpfaocal.exe 1728 Cophko32.exe 2424 Dcnqanhd.exe 2140 Ddomif32.exe 2712 Deojci32.exe 2848 Daejhjkj.exe 2772 Dknoaoaj.exe 2396 Dahgni32.exe 668 Dgdpfp32.exe 2828 Enqdhj32.exe 3004 Eflill32.exe 468 Efnfbl32.exe 920 Elhnof32.exe 2224 Enlglnci.exe 2568 Fokdfajl.exe 1336 Fqmpni32.exe 1748 Fkbdkb32.exe 2100 Fjgalndh.exe 2208 Ffnbaojm.exe 2576 Ffqofohj.exe 1664 Fcdopc32.exe 1208 Gmmdiind.exe 1332 Gcglec32.exe 2092 Gehhmkko.exe 3052 Gnpmfqap.exe 1792 Gifaciae.exe 3040 Gldmoepi.exe 1812 Gaafhloq.exe 1720 Ghkndf32.exe 1224 Gacbmk32.exe 1700 Gjlgfaco.exe 2628 Gmjcblbb.exe 1292 Hahlhkhi.exe 2564 Hicqmmfc.exe 2496 Hjcmgp32.exe 2816 Hldjnhce.exe 2244 Hdkape32.exe 2432 Hlffdh32.exe 936 Hflkaq32.exe -
Loads dropped DLL 64 IoCs
pid Process 2196 963a0baaa456d419723e0cedca3257aac5fd7ad84af539f4c54b65c1eb87535c.exe 2196 963a0baaa456d419723e0cedca3257aac5fd7ad84af539f4c54b65c1eb87535c.exe 2004 Ljkomfjl.exe 2004 Ljkomfjl.exe 1652 Mooaljkh.exe 1652 Mooaljkh.exe 2696 Mbpgggol.exe 2696 Mbpgggol.exe 1300 Mlhkpm32.exe 1300 Mlhkpm32.exe 1600 Ngfflj32.exe 1600 Ngfflj32.exe 3000 Npojdpef.exe 3000 Npojdpef.exe 2036 Nenobfak.exe 2036 Nenobfak.exe 2800 Neplhf32.exe 2800 Neplhf32.exe 2780 Nkmdpm32.exe 2780 Nkmdpm32.exe 2144 Ohhkjp32.exe 2144 Ohhkjp32.exe 808 Odoloalf.exe 808 Odoloalf.exe 1640 Pngphgbf.exe 1640 Pngphgbf.exe 2752 Pqjfoa32.exe 2752 Pqjfoa32.exe 1660 Qflhbhgg.exe 1660 Qflhbhgg.exe 1656 Qjnmlk32.exe 1656 Qjnmlk32.exe 2948 Aganeoip.exe 2948 Aganeoip.exe 2656 Amqccfed.exe 2656 Amqccfed.exe 2308 Acmhepko.exe 2308 Acmhepko.exe 932 Aeqabgoj.exe 932 Aeqabgoj.exe 2032 Bbdallnd.exe 2032 Bbdallnd.exe 1308 Blmfea32.exe 1308 Blmfea32.exe 876 Bhdgjb32.exe 876 Bhdgjb32.exe 1104 Bbikgk32.exe 1104 Bbikgk32.exe 2216 Bjdplm32.exe 2216 Bjdplm32.exe 2908 Bmeimhdj.exe 2908 Bmeimhdj.exe 856 Cpfaocal.exe 856 Cpfaocal.exe 1728 Cophko32.exe 1728 Cophko32.exe 2424 Dcnqanhd.exe 2424 Dcnqanhd.exe 2140 Ddomif32.exe 2140 Ddomif32.exe 2712 Deojci32.exe 2712 Deojci32.exe 2848 Daejhjkj.exe 2848 Daejhjkj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Chmkkf32.exe Caccnllf.exe File opened for modification C:\Windows\SysWOW64\Fdpjcaij.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mcendc32.exe Process not Found File created C:\Windows\SysWOW64\Adifpk32.exe Ahbekjcf.exe File created C:\Windows\SysWOW64\Ffeejokj.dll Kbppdfmk.exe File opened for modification C:\Windows\SysWOW64\Nfncad32.exe Process not Found File created C:\Windows\SysWOW64\Dbafjlaa.exe Dgjfek32.exe File created C:\Windows\SysWOW64\Odjgna32.dll Jkopndcb.exe File created C:\Windows\SysWOW64\Bpnmhiij.dll Process not Found File created C:\Windows\SysWOW64\Caolfcmm.dll Kmfklepl.exe File created C:\Windows\SysWOW64\Qkeofnfk.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bqopmbed.exe Process not Found File created C:\Windows\SysWOW64\Ngoinfao.exe Process not Found File created C:\Windows\SysWOW64\Knmflijn.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bkmhnjlh.exe Bfqpecma.exe File opened for modification C:\Windows\SysWOW64\Pnmdbi32.exe Pdhpdq32.exe File created C:\Windows\SysWOW64\Lnkmkbpj.dll Nkaane32.exe File opened for modification C:\Windows\SysWOW64\Ihkifi32.exe Ihilqi32.exe File created C:\Windows\SysWOW64\Moelcodj.dll Process not Found File opened for modification C:\Windows\SysWOW64\Knkbimbg.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mlfebcnd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Iibfajdc.exe Ijmipn32.exe File opened for modification C:\Windows\SysWOW64\Aknlofim.exe Anjlebjc.exe File created C:\Windows\SysWOW64\Dhfcho32.dll Ceeieced.exe File created C:\Windows\SysWOW64\Ckdpinhf.exe Process not Found File created C:\Windows\SysWOW64\Kiccle32.exe Process not Found File created C:\Windows\SysWOW64\Cghangih.dll Process not Found File created C:\Windows\SysWOW64\Mhfjjdjf.exe Mphiqbon.exe File created C:\Windows\SysWOW64\Eadbpdla.dll Cmhjdiap.exe File created C:\Windows\SysWOW64\Njnehjal.dll Goocenaa.exe File opened for modification C:\Windows\SysWOW64\Idmkdh32.exe Iihfgp32.exe File created C:\Windows\SysWOW64\Mjjdacik.exe Mdpldi32.exe File created C:\Windows\SysWOW64\Daplkmbg.exe Dmbcen32.exe File created C:\Windows\SysWOW64\Kqfdnljm.exe Kjllab32.exe File opened for modification C:\Windows\SysWOW64\Qobdgo32.exe Popgboae.exe File created C:\Windows\SysWOW64\Aigggf32.dll Jnhnmckc.exe File opened for modification C:\Windows\SysWOW64\Bjfkbhae.exe Process not Found File opened for modification C:\Windows\SysWOW64\Aebmjo32.exe Qgmpibam.exe File created C:\Windows\SysWOW64\Pjnpoh32.dll Lhimji32.exe File opened for modification C:\Windows\SysWOW64\Pmmcfi32.exe Pbhoip32.exe File created C:\Windows\SysWOW64\Oophlpag.exe Oomlfpdi.exe File created C:\Windows\SysWOW64\Hnomkloi.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jjijkmbi.exe Jjfmem32.exe File created C:\Windows\SysWOW64\Lodpeepd.dll Jknicnpf.exe File created C:\Windows\SysWOW64\Cblmfa32.dll Kgoebmip.exe File created C:\Windows\SysWOW64\Pgjdmc32.exe Pqplqile.exe File created C:\Windows\SysWOW64\Aebjaj32.exe Agnjge32.exe File created C:\Windows\SysWOW64\Djaedbnj.exe Process not Found File created C:\Windows\SysWOW64\Gjhoogoe.dll Ibillk32.exe File created C:\Windows\SysWOW64\Gefjjk32.exe Gednek32.exe File created C:\Windows\SysWOW64\Mainndaq.exe Mdendpbg.exe File opened for modification C:\Windows\SysWOW64\Jknicnpf.exe Jnjhjj32.exe File opened for modification C:\Windows\SysWOW64\Npppaejj.exe Ndiomdde.exe File opened for modification C:\Windows\SysWOW64\Ckdpinhf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Eapfagno.exe Eheecbia.exe File opened for modification C:\Windows\SysWOW64\Oppbjn32.exe Npneeocq.exe File opened for modification C:\Windows\SysWOW64\Ikmibjkm.exe Iaddid32.exe File opened for modification C:\Windows\SysWOW64\Qcjjakip.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fpncbjqj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kfaljjdj.exe Kkkhmadd.exe File created C:\Windows\SysWOW64\Fejhdhpb.dll Jndhddaf.exe File created C:\Windows\SysWOW64\Plheil32.exe Process not Found File created C:\Windows\SysWOW64\Pgaimd32.dll Oecnkk32.exe File created C:\Windows\SysWOW64\Oeckdc32.dll Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 4160 4712 Process not Found 1423 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qqfkln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgedmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofilgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gednek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Foafdoag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjbbpmgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhhamo32.dll" Jmdepg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Daplkmbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Almihjlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhplhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dakmfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pphqlc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbhebfck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpief32.dll" Jopbnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffjljmla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbjhhiqm.dll" Lmbabj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciodpf32.dll" Ijopjhfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qbodjofc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eibkmp32.dll" Pgfjhcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edlhqlfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lopfhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eqngcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ikocoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gehhmkko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgcbhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ageompfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foookanl.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlemad32.dll" Mgedmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlpchfdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acfdnmfb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ihmgiiff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dafmqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnbbcale.dll" Glnhjjml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mmjomogn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odffndaf.dll" Efpbih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamopnkl.dll" Iebmpcjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Namefclq.dll" Mgegfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejklan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhglil32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlfhkenj.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjepaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bopknhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jdogldmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mljnaocd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohfcfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhdhefpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockglf32.dll" Oijjka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eeceim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnfbmgcj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2196 wrote to memory of 2004 2196 963a0baaa456d419723e0cedca3257aac5fd7ad84af539f4c54b65c1eb87535c.exe 28 PID 2196 wrote to memory of 2004 2196 963a0baaa456d419723e0cedca3257aac5fd7ad84af539f4c54b65c1eb87535c.exe 28 PID 2196 wrote to memory of 2004 2196 963a0baaa456d419723e0cedca3257aac5fd7ad84af539f4c54b65c1eb87535c.exe 28 PID 2196 wrote to memory of 2004 2196 963a0baaa456d419723e0cedca3257aac5fd7ad84af539f4c54b65c1eb87535c.exe 28 PID 2004 wrote to memory of 1652 2004 Ljkomfjl.exe 29 PID 2004 wrote to memory of 1652 2004 Ljkomfjl.exe 29 PID 2004 wrote to memory of 1652 2004 Ljkomfjl.exe 29 PID 2004 wrote to memory of 1652 2004 Ljkomfjl.exe 29 PID 1652 wrote to memory of 2696 1652 Mooaljkh.exe 30 PID 1652 wrote to memory of 2696 1652 Mooaljkh.exe 30 PID 1652 wrote to memory of 2696 1652 Mooaljkh.exe 30 PID 1652 wrote to memory of 2696 1652 Mooaljkh.exe 30 PID 2696 wrote to memory of 1300 2696 Mbpgggol.exe 31 PID 2696 wrote to memory of 1300 2696 Mbpgggol.exe 31 PID 2696 wrote to memory of 1300 2696 Mbpgggol.exe 31 PID 2696 wrote to memory of 1300 2696 Mbpgggol.exe 31 PID 1300 wrote to memory of 1600 1300 Mlhkpm32.exe 32 PID 1300 wrote to memory of 1600 1300 Mlhkpm32.exe 32 PID 1300 wrote to memory of 1600 1300 Mlhkpm32.exe 32 PID 1300 wrote to memory of 1600 1300 Mlhkpm32.exe 32 PID 1600 wrote to memory of 3000 1600 Ngfflj32.exe 33 PID 1600 wrote to memory of 3000 1600 Ngfflj32.exe 33 PID 1600 wrote to memory of 3000 1600 Ngfflj32.exe 33 PID 1600 wrote to memory of 3000 1600 Ngfflj32.exe 33 PID 3000 wrote to memory of 2036 3000 Npojdpef.exe 34 PID 3000 wrote to memory of 2036 3000 Npojdpef.exe 34 PID 3000 wrote to memory of 2036 3000 Npojdpef.exe 34 PID 3000 wrote to memory of 2036 3000 Npojdpef.exe 34 PID 2036 wrote to memory of 2800 2036 Nenobfak.exe 35 PID 2036 wrote to memory of 2800 2036 Nenobfak.exe 35 PID 2036 wrote to memory of 2800 2036 Nenobfak.exe 35 PID 2036 wrote to memory of 2800 2036 Nenobfak.exe 35 PID 2800 wrote to memory of 2780 2800 Neplhf32.exe 36 PID 2800 wrote to memory of 2780 2800 Neplhf32.exe 36 PID 2800 wrote to memory of 2780 2800 Neplhf32.exe 36 PID 2800 wrote to memory of 2780 2800 Neplhf32.exe 36 PID 2780 wrote to memory of 2144 2780 Nkmdpm32.exe 37 PID 2780 wrote to memory of 2144 2780 Nkmdpm32.exe 37 PID 2780 wrote to memory of 2144 2780 Nkmdpm32.exe 37 PID 2780 wrote to memory of 2144 2780 Nkmdpm32.exe 37 PID 2144 wrote to memory of 808 2144 Ohhkjp32.exe 38 PID 2144 wrote to memory of 808 2144 Ohhkjp32.exe 38 PID 2144 wrote to memory of 808 2144 Ohhkjp32.exe 38 PID 2144 wrote to memory of 808 2144 Ohhkjp32.exe 38 PID 808 wrote to memory of 1640 808 Odoloalf.exe 39 PID 808 wrote to memory of 1640 808 Odoloalf.exe 39 PID 808 wrote to memory of 1640 808 Odoloalf.exe 39 PID 808 wrote to memory of 1640 808 Odoloalf.exe 39 PID 1640 wrote to memory of 2752 1640 Pngphgbf.exe 40 PID 1640 wrote to memory of 2752 1640 Pngphgbf.exe 40 PID 1640 wrote to memory of 2752 1640 Pngphgbf.exe 40 PID 1640 wrote to memory of 2752 1640 Pngphgbf.exe 40 PID 2752 wrote to memory of 1660 2752 Pqjfoa32.exe 41 PID 2752 wrote to memory of 1660 2752 Pqjfoa32.exe 41 PID 2752 wrote to memory of 1660 2752 Pqjfoa32.exe 41 PID 2752 wrote to memory of 1660 2752 Pqjfoa32.exe 41 PID 1660 wrote to memory of 1656 1660 Qflhbhgg.exe 42 PID 1660 wrote to memory of 1656 1660 Qflhbhgg.exe 42 PID 1660 wrote to memory of 1656 1660 Qflhbhgg.exe 42 PID 1660 wrote to memory of 1656 1660 Qflhbhgg.exe 42 PID 1656 wrote to memory of 2948 1656 Qjnmlk32.exe 43 PID 1656 wrote to memory of 2948 1656 Qjnmlk32.exe 43 PID 1656 wrote to memory of 2948 1656 Qjnmlk32.exe 43 PID 1656 wrote to memory of 2948 1656 Qjnmlk32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\963a0baaa456d419723e0cedca3257aac5fd7ad84af539f4c54b65c1eb87535c.exe"C:\Users\Admin\AppData\Local\Temp\963a0baaa456d419723e0cedca3257aac5fd7ad84af539f4c54b65c1eb87535c.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Ljkomfjl.exeC:\Windows\system32\Ljkomfjl.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Mooaljkh.exeC:\Windows\system32\Mooaljkh.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Mbpgggol.exeC:\Windows\system32\Mbpgggol.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Mlhkpm32.exeC:\Windows\system32\Mlhkpm32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Ngfflj32.exeC:\Windows\system32\Ngfflj32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\Npojdpef.exeC:\Windows\system32\Npojdpef.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Nenobfak.exeC:\Windows\system32\Nenobfak.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Neplhf32.exeC:\Windows\system32\Neplhf32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Nkmdpm32.exeC:\Windows\system32\Nkmdpm32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Ohhkjp32.exeC:\Windows\system32\Ohhkjp32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Odoloalf.exeC:\Windows\system32\Odoloalf.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\Pngphgbf.exeC:\Windows\system32\Pngphgbf.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Pqjfoa32.exeC:\Windows\system32\Pqjfoa32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Qflhbhgg.exeC:\Windows\system32\Qflhbhgg.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Qjnmlk32.exeC:\Windows\system32\Qjnmlk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Aganeoip.exeC:\Windows\system32\Aganeoip.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2948 -
C:\Windows\SysWOW64\Amqccfed.exeC:\Windows\system32\Amqccfed.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Acmhepko.exeC:\Windows\system32\Acmhepko.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2308 -
C:\Windows\SysWOW64\Aeqabgoj.exeC:\Windows\system32\Aeqabgoj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:932 -
C:\Windows\SysWOW64\Bbdallnd.exeC:\Windows\system32\Bbdallnd.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2032 -
C:\Windows\SysWOW64\Blmfea32.exeC:\Windows\system32\Blmfea32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1308 -
C:\Windows\SysWOW64\Bhdgjb32.exeC:\Windows\system32\Bhdgjb32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:876 -
C:\Windows\SysWOW64\Bbikgk32.exeC:\Windows\system32\Bbikgk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1104 -
C:\Windows\SysWOW64\Bjdplm32.exeC:\Windows\system32\Bjdplm32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Bmeimhdj.exeC:\Windows\system32\Bmeimhdj.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Windows\SysWOW64\Cpfaocal.exeC:\Windows\system32\Cpfaocal.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:856 -
C:\Windows\SysWOW64\Cophko32.exeC:\Windows\system32\Cophko32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1728 -
C:\Windows\SysWOW64\Dcnqanhd.exeC:\Windows\system32\Dcnqanhd.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2424 -
C:\Windows\SysWOW64\Ddomif32.exeC:\Windows\system32\Ddomif32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2140 -
C:\Windows\SysWOW64\Deojci32.exeC:\Windows\system32\Deojci32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Daejhjkj.exeC:\Windows\system32\Daejhjkj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2848 -
C:\Windows\SysWOW64\Dknoaoaj.exeC:\Windows\system32\Dknoaoaj.exe33⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Dahgni32.exeC:\Windows\system32\Dahgni32.exe34⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Dgdpfp32.exeC:\Windows\system32\Dgdpfp32.exe35⤵
- Executes dropped EXE
PID:668 -
C:\Windows\SysWOW64\Enqdhj32.exeC:\Windows\system32\Enqdhj32.exe36⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Eflill32.exeC:\Windows\system32\Eflill32.exe37⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Efnfbl32.exeC:\Windows\system32\Efnfbl32.exe38⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\Elhnof32.exeC:\Windows\system32\Elhnof32.exe39⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Enlglnci.exeC:\Windows\system32\Enlglnci.exe40⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Fokdfajl.exeC:\Windows\system32\Fokdfajl.exe41⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Fqmpni32.exeC:\Windows\system32\Fqmpni32.exe42⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Fkbdkb32.exeC:\Windows\system32\Fkbdkb32.exe43⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Fjgalndh.exeC:\Windows\system32\Fjgalndh.exe44⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Ffnbaojm.exeC:\Windows\system32\Ffnbaojm.exe45⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Ffqofohj.exeC:\Windows\system32\Ffqofohj.exe46⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Fcdopc32.exeC:\Windows\system32\Fcdopc32.exe47⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Gmmdiind.exeC:\Windows\system32\Gmmdiind.exe48⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Gcglec32.exeC:\Windows\system32\Gcglec32.exe49⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Gehhmkko.exeC:\Windows\system32\Gehhmkko.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Gnpmfqap.exeC:\Windows\system32\Gnpmfqap.exe51⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Gifaciae.exeC:\Windows\system32\Gifaciae.exe52⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Gldmoepi.exeC:\Windows\system32\Gldmoepi.exe53⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Gaafhloq.exeC:\Windows\system32\Gaafhloq.exe54⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Ghkndf32.exeC:\Windows\system32\Ghkndf32.exe55⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Gacbmk32.exeC:\Windows\system32\Gacbmk32.exe56⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Gjlgfaco.exeC:\Windows\system32\Gjlgfaco.exe57⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Gmjcblbb.exeC:\Windows\system32\Gmjcblbb.exe58⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Hahlhkhi.exeC:\Windows\system32\Hahlhkhi.exe59⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Hicqmmfc.exeC:\Windows\system32\Hicqmmfc.exe60⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Hpmiig32.exeC:\Windows\system32\Hpmiig32.exe61⤵PID:2288
-
C:\Windows\SysWOW64\Hjcmgp32.exeC:\Windows\system32\Hjcmgp32.exe62⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Hldjnhce.exeC:\Windows\system32\Hldjnhce.exe63⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Hdkape32.exeC:\Windows\system32\Hdkape32.exe64⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Hlffdh32.exeC:\Windows\system32\Hlffdh32.exe65⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Hflkaq32.exeC:\Windows\system32\Hflkaq32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Ihmgiiff.exeC:\Windows\system32\Ihmgiiff.exe67⤵
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Iaelanmg.exeC:\Windows\system32\Iaelanmg.exe68⤵PID:2384
-
C:\Windows\SysWOW64\Ihpdoh32.exeC:\Windows\system32\Ihpdoh32.exe69⤵PID:2368
-
C:\Windows\SysWOW64\Iecdhm32.exeC:\Windows\system32\Iecdhm32.exe70⤵PID:928
-
C:\Windows\SysWOW64\Ikpmpc32.exeC:\Windows\system32\Ikpmpc32.exe71⤵PID:2940
-
C:\Windows\SysWOW64\Ihdmihpn.exeC:\Windows\system32\Ihdmihpn.exe72⤵PID:2332
-
C:\Windows\SysWOW64\Iamabm32.exeC:\Windows\system32\Iamabm32.exe73⤵PID:2052
-
C:\Windows\SysWOW64\Ihfjognl.exeC:\Windows\system32\Ihfjognl.exe74⤵PID:1952
-
C:\Windows\SysWOW64\Iihfgp32.exeC:\Windows\system32\Iihfgp32.exe75⤵
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\Idmkdh32.exeC:\Windows\system32\Idmkdh32.exe76⤵PID:1580
-
C:\Windows\SysWOW64\Jkgcab32.exeC:\Windows\system32\Jkgcab32.exe77⤵PID:2212
-
C:\Windows\SysWOW64\Jliohkak.exeC:\Windows\system32\Jliohkak.exe78⤵PID:2608
-
C:\Windows\SysWOW64\Jlklnjoh.exeC:\Windows\system32\Jlklnjoh.exe79⤵PID:2756
-
C:\Windows\SysWOW64\Jhamckel.exeC:\Windows\system32\Jhamckel.exe80⤵PID:2484
-
C:\Windows\SysWOW64\Jcgapdeb.exeC:\Windows\system32\Jcgapdeb.exe81⤵PID:2328
-
C:\Windows\SysWOW64\Jfemlpdf.exeC:\Windows\system32\Jfemlpdf.exe82⤵PID:1828
-
C:\Windows\SysWOW64\Jonbee32.exeC:\Windows\system32\Jonbee32.exe83⤵PID:2392
-
C:\Windows\SysWOW64\Jlbboiip.exeC:\Windows\system32\Jlbboiip.exe84⤵PID:3012
-
C:\Windows\SysWOW64\Kfjggo32.exeC:\Windows\system32\Kfjggo32.exe85⤵PID:1232
-
C:\Windows\SysWOW64\Kkgopf32.exeC:\Windows\system32\Kkgopf32.exe86⤵PID:2788
-
C:\Windows\SysWOW64\Kbaglpee.exeC:\Windows\system32\Kbaglpee.exe87⤵PID:428
-
C:\Windows\SysWOW64\Khkpijma.exeC:\Windows\system32\Khkpijma.exe88⤵PID:2320
-
C:\Windows\SysWOW64\Kjllab32.exeC:\Windows\system32\Kjllab32.exe89⤵
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Kqfdnljm.exeC:\Windows\system32\Kqfdnljm.exe90⤵PID:2996
-
C:\Windows\SysWOW64\Kceqjhiq.exeC:\Windows\system32\Kceqjhiq.exe91⤵PID:1692
-
C:\Windows\SysWOW64\Knjegqif.exeC:\Windows\system32\Knjegqif.exe92⤵PID:2272
-
C:\Windows\SysWOW64\Knmamp32.exeC:\Windows\system32\Knmamp32.exe93⤵PID:2720
-
C:\Windows\SysWOW64\Kgefefnd.exeC:\Windows\system32\Kgefefnd.exe94⤵PID:1532
-
C:\Windows\SysWOW64\Lifbmn32.exeC:\Windows\system32\Lifbmn32.exe95⤵PID:2584
-
C:\Windows\SysWOW64\Lfjcfb32.exeC:\Windows\system32\Lfjcfb32.exe96⤵PID:1960
-
C:\Windows\SysWOW64\Mbhjlbbh.exeC:\Windows\system32\Mbhjlbbh.exe97⤵PID:836
-
C:\Windows\SysWOW64\Mjcoqdoc.exeC:\Windows\system32\Mjcoqdoc.exe98⤵PID:2488
-
C:\Windows\SysWOW64\Mfjoeeeh.exeC:\Windows\system32\Mfjoeeeh.exe99⤵PID:2524
-
C:\Windows\SysWOW64\Mapccndn.exeC:\Windows\system32\Mapccndn.exe100⤵PID:744
-
C:\Windows\SysWOW64\Mhilph32.exeC:\Windows\system32\Mhilph32.exe101⤵PID:1736
-
C:\Windows\SysWOW64\Mikhgqbi.exeC:\Windows\system32\Mikhgqbi.exe102⤵PID:1252
-
C:\Windows\SysWOW64\Mdpldi32.exeC:\Windows\system32\Mdpldi32.exe103⤵
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Mjjdacik.exeC:\Windows\system32\Mjjdacik.exe104⤵PID:1008
-
C:\Windows\SysWOW64\Mfaefd32.exeC:\Windows\system32\Mfaefd32.exe105⤵PID:2860
-
C:\Windows\SysWOW64\Nlnnnk32.exeC:\Windows\system32\Nlnnnk32.exe106⤵PID:1540
-
C:\Windows\SysWOW64\Nianhplq.exeC:\Windows\system32\Nianhplq.exe107⤵PID:2768
-
C:\Windows\SysWOW64\Nplfdj32.exeC:\Windows\system32\Nplfdj32.exe108⤵PID:1772
-
C:\Windows\SysWOW64\Nhgkil32.exeC:\Windows\system32\Nhgkil32.exe109⤵PID:2492
-
C:\Windows\SysWOW64\Noacef32.exeC:\Windows\system32\Noacef32.exe110⤵PID:1760
-
C:\Windows\SysWOW64\Nhiholof.exeC:\Windows\system32\Nhiholof.exe111⤵PID:868
-
C:\Windows\SysWOW64\Naalga32.exeC:\Windows\system32\Naalga32.exe112⤵PID:860
-
C:\Windows\SysWOW64\Noemqe32.exeC:\Windows\system32\Noemqe32.exe113⤵PID:1268
-
C:\Windows\SysWOW64\Odbeilbg.exeC:\Windows\system32\Odbeilbg.exe114⤵PID:2920
-
C:\Windows\SysWOW64\Ogqaehak.exeC:\Windows\system32\Ogqaehak.exe115⤵PID:1136
-
C:\Windows\SysWOW64\Omkjbb32.exeC:\Windows\system32\Omkjbb32.exe116⤵PID:2476
-
C:\Windows\SysWOW64\Opkccm32.exeC:\Windows\system32\Opkccm32.exe117⤵PID:1584
-
C:\Windows\SysWOW64\Oehklddp.exeC:\Windows\system32\Oehklddp.exe118⤵PID:3068
-
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe119⤵PID:700
-
C:\Windows\SysWOW64\Opplolac.exeC:\Windows\system32\Opplolac.exe120⤵PID:2652
-
C:\Windows\SysWOW64\Oemegc32.exeC:\Windows\system32\Oemegc32.exe121⤵PID:592
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-