Analysis
-
max time kernel
121s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
25/06/2024, 02:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cf6ae98d4de2e5f3acab538fe5eca27c98c45ee8f7fde42762133632472d97a4.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
cf6ae98d4de2e5f3acab538fe5eca27c98c45ee8f7fde42762133632472d97a4.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
cf6ae98d4de2e5f3acab538fe5eca27c98c45ee8f7fde42762133632472d97a4.exe
-
Size
352KB
-
MD5
4bbc7872ecc3acde0b9e8aa773a9122d
-
SHA1
52f5a03a6b5122691902a40576ac8ed73933afd9
-
SHA256
cf6ae98d4de2e5f3acab538fe5eca27c98c45ee8f7fde42762133632472d97a4
-
SHA512
0284b5f65ab4860bc0e517f034e0c6565875a92ad51ae49cc81143c5ab27fd96505481aa757593d1d1bfc0b8c43e92414dc712c9ac9ea496b979a969c05a05cd
-
SSDEEP
6144:xAsWXZBWCpr1ItvLUErOU7amYBAYpd0ucyEWJrj1mKZHPSv/rpwMBhpNFdFf52S7:PMZBZrCZYE6YYBHpd0uD319ZvSntnhpn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gphmeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpnbkeld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdildlie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcmoda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ombapedi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elldgehk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnlnlc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caidaeak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgohna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhmcfkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llnofpcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjaonpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgcpjmcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onbgmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfglep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppfomk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aamfnkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpkldg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdgneh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcfqkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cophko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohcdhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lckdanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpcnonob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpcjnabn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhjgal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogkkfmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Foojop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohcdhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pklhlael.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocgbji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djmicm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djclbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnkion32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmocpado.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baakhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pokieo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcifdj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckolek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efcfga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocalkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcjnfdbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnojacgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkmcfhkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpelnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ioooiack.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibhndp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jofejpmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mndmoaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glfhll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ginnnooi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilqpdm32.exe -
Executes dropped EXE 64 IoCs
pid Process 2160 Chhjkl32.exe 3040 Dhjgal32.exe 2736 Dhmcfkme.exe 2772 Dbehoa32.exe 2860 Dqjepm32.exe 2536 Djbiicon.exe 2580 Djefobmk.exe 352 Ebpkce32.exe 2712 Epdkli32.exe 1964 Emhlfmgj.exe 1744 Epfhbign.exe 1232 Eloemi32.exe 2312 Flabbihl.exe 2088 Ffkcbgek.exe 772 Fnbkddem.exe 1808 Fmhheqje.exe 688 Fmlapp32.exe 2500 Gonnhhln.exe 1976 Ghfbqn32.exe 1604 Gopkmhjk.exe 1648 Gieojq32.exe 928 Gldkfl32.exe 2924 Gobgcg32.exe 1996 Glfhll32.exe 1772 Gacpdbej.exe 2032 Gdamqndn.exe 2360 Gmjaic32.exe 1708 Gphmeo32.exe 2732 Hahjpbad.exe 2540 Hcifgjgc.exe 2568 Hpmgqnfl.exe 2236 Hckcmjep.exe 2444 Hpocfncj.exe 1924 Hgilchkf.exe 1672 Hpapln32.exe 1960 Hacmcfge.exe 2244 Icbimi32.exe 1668 Ieqeidnl.exe 2956 Inljnfkg.exe 2096 Ifcbodli.exe 2272 Iqmcpahh.exe 2324 Ihdkao32.exe 1496 Inqcif32.exe 1252 Idklfpon.exe 672 Icmlam32.exe 1536 Ikddbj32.exe 1692 Imfqjbli.exe 1276 Idmhkpml.exe 1044 Ifnechbj.exe 1768 Jnemdecl.exe 2432 Jcbellac.exe 2220 Jjlnif32.exe 2720 Jqfffqpm.exe 2680 Joifam32.exe 2728 Jjojofgn.exe 2800 Jiakjb32.exe 2564 Jcgogk32.exe 1832 Jfekcg32.exe 2424 Jmocpado.exe 1984 Jonplmcb.exe 1900 Jnqphi32.exe 1528 Jifdebic.exe 2120 Jkdpanhg.exe 2304 Jnclnihj.exe -
Loads dropped DLL 64 IoCs
pid Process 2144 cf6ae98d4de2e5f3acab538fe5eca27c98c45ee8f7fde42762133632472d97a4.exe 2144 cf6ae98d4de2e5f3acab538fe5eca27c98c45ee8f7fde42762133632472d97a4.exe 2160 Chhjkl32.exe 2160 Chhjkl32.exe 3040 Dhjgal32.exe 3040 Dhjgal32.exe 2736 Dhmcfkme.exe 2736 Dhmcfkme.exe 2772 Dbehoa32.exe 2772 Dbehoa32.exe 2860 Dqjepm32.exe 2860 Dqjepm32.exe 2536 Djbiicon.exe 2536 Djbiicon.exe 2580 Djefobmk.exe 2580 Djefobmk.exe 352 Ebpkce32.exe 352 Ebpkce32.exe 2712 Epdkli32.exe 2712 Epdkli32.exe 1964 Emhlfmgj.exe 1964 Emhlfmgj.exe 1744 Epfhbign.exe 1744 Epfhbign.exe 1232 Eloemi32.exe 1232 Eloemi32.exe 2312 Flabbihl.exe 2312 Flabbihl.exe 2088 Ffkcbgek.exe 2088 Ffkcbgek.exe 772 Fnbkddem.exe 772 Fnbkddem.exe 1808 Fmhheqje.exe 1808 Fmhheqje.exe 688 Fmlapp32.exe 688 Fmlapp32.exe 2500 Gonnhhln.exe 2500 Gonnhhln.exe 1976 Ghfbqn32.exe 1976 Ghfbqn32.exe 1604 Gopkmhjk.exe 1604 Gopkmhjk.exe 1648 Gieojq32.exe 1648 Gieojq32.exe 928 Gldkfl32.exe 928 Gldkfl32.exe 2924 Gobgcg32.exe 2924 Gobgcg32.exe 1996 Glfhll32.exe 1996 Glfhll32.exe 1772 Gacpdbej.exe 1772 Gacpdbej.exe 2032 Gdamqndn.exe 2032 Gdamqndn.exe 2360 Gmjaic32.exe 2360 Gmjaic32.exe 1708 Gphmeo32.exe 1708 Gphmeo32.exe 2732 Hahjpbad.exe 2732 Hahjpbad.exe 2540 Hcifgjgc.exe 2540 Hcifgjgc.exe 2568 Hpmgqnfl.exe 2568 Hpmgqnfl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nbhfke32.exe Npijoj32.exe File opened for modification C:\Windows\SysWOW64\Ieigfk32.exe Ioooiack.exe File created C:\Windows\SysWOW64\Mbnljqic.exe Mpopnejo.exe File created C:\Windows\SysWOW64\Ikkjbe32.exe Iccbqh32.exe File created C:\Windows\SysWOW64\Jqilooij.exe Jbgkcb32.exe File created C:\Windows\SysWOW64\Kcopdb32.exe Kpadhg32.exe File created C:\Windows\SysWOW64\Gmhdjk32.dll Okgjodmi.exe File opened for modification C:\Windows\SysWOW64\Agfgqo32.exe Aaloddnn.exe File created C:\Windows\SysWOW64\Okhlbmkc.dll Kbokgpgg.exe File opened for modification C:\Windows\SysWOW64\Enfgfh32.exe Ekhkjm32.exe File created C:\Windows\SysWOW64\Dliijipn.exe Dglpbbbg.exe File opened for modification C:\Windows\SysWOW64\Ilncom32.exe Iedkbc32.exe File created C:\Windows\SysWOW64\Nhadao32.dll Qjhmfekp.exe File opened for modification C:\Windows\SysWOW64\Hcdnhoac.exe Process not Found File created C:\Windows\SysWOW64\Fcjcfe32.exe Fmpkjkma.exe File created C:\Windows\SysWOW64\Beejng32.exe Bnkbam32.exe File created C:\Windows\SysWOW64\Eoqbnm32.dll Bnkbam32.exe File created C:\Windows\SysWOW64\Pafbadcm.exe Pkljdj32.exe File created C:\Windows\SysWOW64\Hipmmg32.exe Heealhla.exe File created C:\Windows\SysWOW64\Nnoiph32.dll Ohagbj32.exe File created C:\Windows\SysWOW64\Knmdeioh.exe Process not Found File created C:\Windows\SysWOW64\Monhhk32.exe Mggpgmof.exe File created C:\Windows\SysWOW64\Fnnkng32.dll Bfcampgf.exe File opened for modification C:\Windows\SysWOW64\Lfhfab32.exe Kqknil32.exe File created C:\Windows\SysWOW64\Mbhjlbbh.exe Lnlnlc32.exe File opened for modification C:\Windows\SysWOW64\Eeielfhk.exe Enbnkigh.exe File created C:\Windows\SysWOW64\Lelpgepb.dll Abmbhn32.exe File created C:\Windows\SysWOW64\Jhamckel.exe Jgqpkc32.exe File opened for modification C:\Windows\SysWOW64\Hoopae32.exe Hlqdei32.exe File opened for modification C:\Windows\SysWOW64\Abbeflpf.exe Apdhjq32.exe File opened for modification C:\Windows\SysWOW64\Jnqphi32.exe Jonplmcb.exe File created C:\Windows\SysWOW64\Ceaadk32.exe Cnkicn32.exe File created C:\Windows\SysWOW64\Befkmkob.dll Afcenm32.exe File opened for modification C:\Windows\SysWOW64\Baakhm32.exe Bocolb32.exe File created C:\Windows\SysWOW64\Lclgjg32.exe Lopkjhko.exe File created C:\Windows\SysWOW64\Gqfgjogd.dll Mbcmpfhi.exe File created C:\Windows\SysWOW64\Aoecna32.dll Hdlkcdog.exe File created C:\Windows\SysWOW64\Lqilpbfo.dll Process not Found File opened for modification C:\Windows\SysWOW64\Eaeipfei.exe Process not Found File created C:\Windows\SysWOW64\Pofkha32.exe Process not Found File created C:\Windows\SysWOW64\Nodmbemj.dll Bhajdblk.exe File created C:\Windows\SysWOW64\Egdlec32.exe Efcomkcl.exe File created C:\Windows\SysWOW64\Aebfidim.dll Process not Found File created C:\Windows\SysWOW64\Aekqmbod.exe Abmdafpp.exe File created C:\Windows\SysWOW64\Lngkoe32.dll Process not Found File created C:\Windows\SysWOW64\Efcomkcl.exe Eoigpa32.exe File created C:\Windows\SysWOW64\Macalohk.dll Mmihhelk.exe File created C:\Windows\SysWOW64\Dcccpl32.exe Dpegcq32.exe File opened for modification C:\Windows\SysWOW64\Hipmmg32.exe Heealhla.exe File created C:\Windows\SysWOW64\Jhafhe32.exe Jdejhfig.exe File created C:\Windows\SysWOW64\Akfkbd32.exe Process not Found File created C:\Windows\SysWOW64\Qimhoi32.exe Qbcpbo32.exe File created C:\Windows\SysWOW64\Hnjplo32.exe Hfbhkb32.exe File created C:\Windows\SysWOW64\Ajnpecbj.exe Qhmcmk32.exe File created C:\Windows\SysWOW64\Ninmfc32.dll Process not Found File created C:\Windows\SysWOW64\Mjcaimgg.exe Process not Found File created C:\Windows\SysWOW64\Eifppipg.dll Process not Found File created C:\Windows\SysWOW64\Boljgg32.exe Process not Found File created C:\Windows\SysWOW64\Bdeeqehb.exe Bmkmdk32.exe File opened for modification C:\Windows\SysWOW64\Npijoj32.exe Nmkncofl.exe File created C:\Windows\SysWOW64\Bbnlpnob.dll Process not Found File created C:\Windows\SysWOW64\Fnqkpajk.dll Mbpgggol.exe File opened for modification C:\Windows\SysWOW64\Kncofa32.exe Jlbboiip.exe File opened for modification C:\Windows\SysWOW64\Nekbmgcn.exe Ncmfqkdj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5176 4372 Process not Found 1385 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohaeia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ilqpdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dldhdc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gjpqpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibjaofg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qchaehnb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbkakib.dll" Pokieo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hadlijdb.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ihdkao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfjhgdck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghkndf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmgkgeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhgcm32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgadda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmlgfnal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odlojanh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hfedqagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpahiebe.dll" Modkfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnmcfeia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cheido32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhmglf32.dll" Mlfacfpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagina32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obdkcckg.dll" Mlibjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmbpmapf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njelgo32.dll" Amelne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odbeilbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqdkghnj.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mimbdhhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mnojacgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mnaggcej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgilkf32.dll" Pkcpei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kcamjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppkhhjei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkaohl32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfehan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ogekpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekhkjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fbdlkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnkdiq32.dll" Glpdde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mijamjnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekohgi32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmiacp32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bllbijej.dll" Amkpegnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knklagmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caphpgkj.dll" Lgkhdddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncfefh32.dll" Niedqnen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fcdopc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgkafo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmkmdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chpmpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mmihhelk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2144 wrote to memory of 2160 2144 cf6ae98d4de2e5f3acab538fe5eca27c98c45ee8f7fde42762133632472d97a4.exe 28 PID 2144 wrote to memory of 2160 2144 cf6ae98d4de2e5f3acab538fe5eca27c98c45ee8f7fde42762133632472d97a4.exe 28 PID 2144 wrote to memory of 2160 2144 cf6ae98d4de2e5f3acab538fe5eca27c98c45ee8f7fde42762133632472d97a4.exe 28 PID 2144 wrote to memory of 2160 2144 cf6ae98d4de2e5f3acab538fe5eca27c98c45ee8f7fde42762133632472d97a4.exe 28 PID 2160 wrote to memory of 3040 2160 Chhjkl32.exe 29 PID 2160 wrote to memory of 3040 2160 Chhjkl32.exe 29 PID 2160 wrote to memory of 3040 2160 Chhjkl32.exe 29 PID 2160 wrote to memory of 3040 2160 Chhjkl32.exe 29 PID 3040 wrote to memory of 2736 3040 Dhjgal32.exe 30 PID 3040 wrote to memory of 2736 3040 Dhjgal32.exe 30 PID 3040 wrote to memory of 2736 3040 Dhjgal32.exe 30 PID 3040 wrote to memory of 2736 3040 Dhjgal32.exe 30 PID 2736 wrote to memory of 2772 2736 Dhmcfkme.exe 31 PID 2736 wrote to memory of 2772 2736 Dhmcfkme.exe 31 PID 2736 wrote to memory of 2772 2736 Dhmcfkme.exe 31 PID 2736 wrote to memory of 2772 2736 Dhmcfkme.exe 31 PID 2772 wrote to memory of 2860 2772 Dbehoa32.exe 32 PID 2772 wrote to memory of 2860 2772 Dbehoa32.exe 32 PID 2772 wrote to memory of 2860 2772 Dbehoa32.exe 32 PID 2772 wrote to memory of 2860 2772 Dbehoa32.exe 32 PID 2860 wrote to memory of 2536 2860 Dqjepm32.exe 33 PID 2860 wrote to memory of 2536 2860 Dqjepm32.exe 33 PID 2860 wrote to memory of 2536 2860 Dqjepm32.exe 33 PID 2860 wrote to memory of 2536 2860 Dqjepm32.exe 33 PID 2536 wrote to memory of 2580 2536 Djbiicon.exe 34 PID 2536 wrote to memory of 2580 2536 Djbiicon.exe 34 PID 2536 wrote to memory of 2580 2536 Djbiicon.exe 34 PID 2536 wrote to memory of 2580 2536 Djbiicon.exe 34 PID 2580 wrote to memory of 352 2580 Djefobmk.exe 35 PID 2580 wrote to memory of 352 2580 Djefobmk.exe 35 PID 2580 wrote to memory of 352 2580 Djefobmk.exe 35 PID 2580 wrote to memory of 352 2580 Djefobmk.exe 35 PID 352 wrote to memory of 2712 352 Ebpkce32.exe 36 PID 352 wrote to memory of 2712 352 Ebpkce32.exe 36 PID 352 wrote to memory of 2712 352 Ebpkce32.exe 36 PID 352 wrote to memory of 2712 352 Ebpkce32.exe 36 PID 2712 wrote to memory of 1964 2712 Epdkli32.exe 37 PID 2712 wrote to memory of 1964 2712 Epdkli32.exe 37 PID 2712 wrote to memory of 1964 2712 Epdkli32.exe 37 PID 2712 wrote to memory of 1964 2712 Epdkli32.exe 37 PID 1964 wrote to memory of 1744 1964 Emhlfmgj.exe 38 PID 1964 wrote to memory of 1744 1964 Emhlfmgj.exe 38 PID 1964 wrote to memory of 1744 1964 Emhlfmgj.exe 38 PID 1964 wrote to memory of 1744 1964 Emhlfmgj.exe 38 PID 1744 wrote to memory of 1232 1744 Epfhbign.exe 39 PID 1744 wrote to memory of 1232 1744 Epfhbign.exe 39 PID 1744 wrote to memory of 1232 1744 Epfhbign.exe 39 PID 1744 wrote to memory of 1232 1744 Epfhbign.exe 39 PID 1232 wrote to memory of 2312 1232 Eloemi32.exe 40 PID 1232 wrote to memory of 2312 1232 Eloemi32.exe 40 PID 1232 wrote to memory of 2312 1232 Eloemi32.exe 40 PID 1232 wrote to memory of 2312 1232 Eloemi32.exe 40 PID 2312 wrote to memory of 2088 2312 Flabbihl.exe 41 PID 2312 wrote to memory of 2088 2312 Flabbihl.exe 41 PID 2312 wrote to memory of 2088 2312 Flabbihl.exe 41 PID 2312 wrote to memory of 2088 2312 Flabbihl.exe 41 PID 2088 wrote to memory of 772 2088 Ffkcbgek.exe 42 PID 2088 wrote to memory of 772 2088 Ffkcbgek.exe 42 PID 2088 wrote to memory of 772 2088 Ffkcbgek.exe 42 PID 2088 wrote to memory of 772 2088 Ffkcbgek.exe 42 PID 772 wrote to memory of 1808 772 Fnbkddem.exe 43 PID 772 wrote to memory of 1808 772 Fnbkddem.exe 43 PID 772 wrote to memory of 1808 772 Fnbkddem.exe 43 PID 772 wrote to memory of 1808 772 Fnbkddem.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf6ae98d4de2e5f3acab538fe5eca27c98c45ee8f7fde42762133632472d97a4.exe"C:\Users\Admin\AppData\Local\Temp\cf6ae98d4de2e5f3acab538fe5eca27c98c45ee8f7fde42762133632472d97a4.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:352 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1808 -
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:688 -
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2500 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976 -
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1648 -
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:928 -
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2924 -
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1996 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1772 -
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2032 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2360 -
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2540 -
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe33⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Hpocfncj.exeC:\Windows\system32\Hpocfncj.exe34⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe35⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe36⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe37⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe38⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe39⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe40⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe41⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe42⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe44⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe45⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe46⤵
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe47⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe48⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe49⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Ifnechbj.exeC:\Windows\system32\Ifnechbj.exe50⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe51⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Jcbellac.exeC:\Windows\system32\Jcbellac.exe52⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Jjlnif32.exeC:\Windows\system32\Jjlnif32.exe53⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe54⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Joifam32.exeC:\Windows\system32\Joifam32.exe55⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Jjojofgn.exeC:\Windows\system32\Jjojofgn.exe56⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe57⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe58⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe59⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Jmocpado.exeC:\Windows\system32\Jmocpado.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Jonplmcb.exeC:\Windows\system32\Jonplmcb.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe62⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe63⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Jkdpanhg.exeC:\Windows\system32\Jkdpanhg.exe64⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe65⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Kaaijdgn.exeC:\Windows\system32\Kaaijdgn.exe66⤵PID:2900
-
C:\Windows\SysWOW64\Kgkafo32.exeC:\Windows\system32\Kgkafo32.exe67⤵
- Modifies registry class
PID:1856 -
C:\Windows\SysWOW64\Kjjmbj32.exeC:\Windows\system32\Kjjmbj32.exe68⤵PID:1088
-
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe69⤵PID:280
-
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe70⤵PID:2080
-
C:\Windows\SysWOW64\Kkijmm32.exeC:\Windows\system32\Kkijmm32.exe71⤵PID:3008
-
C:\Windows\SysWOW64\Kngfih32.exeC:\Windows\system32\Kngfih32.exe72⤵PID:2932
-
C:\Windows\SysWOW64\Keanebkb.exeC:\Windows\system32\Keanebkb.exe73⤵PID:872
-
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe74⤵PID:1592
-
C:\Windows\SysWOW64\Knjbnh32.exeC:\Windows\system32\Knjbnh32.exe75⤵PID:1312
-
C:\Windows\SysWOW64\Kahojc32.exeC:\Windows\system32\Kahojc32.exe76⤵PID:2724
-
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe77⤵PID:2004
-
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe78⤵PID:2552
-
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe79⤵PID:2964
-
C:\Windows\SysWOW64\Kmaled32.exeC:\Windows\system32\Kmaled32.exe80⤵PID:1948
-
C:\Windows\SysWOW64\Lckdanld.exeC:\Windows\system32\Lckdanld.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1792 -
C:\Windows\SysWOW64\Lmcijcbe.exeC:\Windows\system32\Lmcijcbe.exe82⤵PID:1600
-
C:\Windows\SysWOW64\Llfifq32.exeC:\Windows\system32\Llfifq32.exe83⤵PID:2276
-
C:\Windows\SysWOW64\Lpbefoai.exeC:\Windows\system32\Lpbefoai.exe84⤵PID:1988
-
C:\Windows\SysWOW64\Lbqabkql.exeC:\Windows\system32\Lbqabkql.exe85⤵PID:2480
-
C:\Windows\SysWOW64\Lijjoe32.exeC:\Windows\system32\Lijjoe32.exe86⤵PID:1168
-
C:\Windows\SysWOW64\Lpdbloof.exeC:\Windows\system32\Lpdbloof.exe87⤵PID:748
-
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe88⤵PID:2128
-
C:\Windows\SysWOW64\Lkncmmle.exeC:\Windows\system32\Lkncmmle.exe89⤵PID:2440
-
C:\Windows\SysWOW64\Lbeknj32.exeC:\Windows\system32\Lbeknj32.exe90⤵PID:1552
-
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe91⤵PID:2656
-
C:\Windows\SysWOW64\Ldfgebbe.exeC:\Windows\system32\Ldfgebbe.exe92⤵PID:2716
-
C:\Windows\SysWOW64\Llnofpcg.exeC:\Windows\system32\Llnofpcg.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2644 -
C:\Windows\SysWOW64\Lmolnh32.exeC:\Windows\system32\Lmolnh32.exe94⤵PID:2824
-
C:\Windows\SysWOW64\Ldidkbpb.exeC:\Windows\system32\Ldidkbpb.exe95⤵PID:2192
-
C:\Windows\SysWOW64\Mggpgmof.exeC:\Windows\system32\Mggpgmof.exe96⤵
- Drops file in System32 directory
PID:1164 -
C:\Windows\SysWOW64\Monhhk32.exeC:\Windows\system32\Monhhk32.exe97⤵PID:572
-
C:\Windows\SysWOW64\Mamddf32.exeC:\Windows\system32\Mamddf32.exe98⤵PID:1632
-
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe99⤵PID:1016
-
C:\Windows\SysWOW64\Mmceigep.exeC:\Windows\system32\Mmceigep.exe100⤵PID:1640
-
C:\Windows\SysWOW64\Mdmmfa32.exeC:\Windows\system32\Mdmmfa32.exe101⤵PID:984
-
C:\Windows\SysWOW64\Mkgfckcj.exeC:\Windows\system32\Mkgfckcj.exe102⤵PID:1716
-
C:\Windows\SysWOW64\Mlibjc32.exeC:\Windows\system32\Mlibjc32.exe103⤵
- Modifies registry class
PID:1072 -
C:\Windows\SysWOW64\Mpdnkb32.exeC:\Windows\system32\Mpdnkb32.exe104⤵PID:2344
-
C:\Windows\SysWOW64\Mgnfhlin.exeC:\Windows\system32\Mgnfhlin.exe105⤵PID:2676
-
C:\Windows\SysWOW64\Mimbdhhb.exeC:\Windows\system32\Mimbdhhb.exe106⤵
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Mlkopcge.exeC:\Windows\system32\Mlkopcge.exe107⤵PID:2576
-
C:\Windows\SysWOW64\Mcegmm32.exeC:\Windows\system32\Mcegmm32.exe108⤵PID:2600
-
C:\Windows\SysWOW64\Miooigfo.exeC:\Windows\system32\Miooigfo.exe109⤵PID:2856
-
C:\Windows\SysWOW64\Mlmlecec.exeC:\Windows\system32\Mlmlecec.exe110⤵PID:1436
-
C:\Windows\SysWOW64\Najdnj32.exeC:\Windows\system32\Najdnj32.exe111⤵PID:2008
-
C:\Windows\SysWOW64\Nhdlkdkg.exeC:\Windows\system32\Nhdlkdkg.exe112⤵PID:776
-
C:\Windows\SysWOW64\Nkbhgojk.exeC:\Windows\system32\Nkbhgojk.exe113⤵PID:3020
-
C:\Windows\SysWOW64\Ncjqhmkm.exeC:\Windows\system32\Ncjqhmkm.exe114⤵PID:1812
-
C:\Windows\SysWOW64\Ndkmpe32.exeC:\Windows\system32\Ndkmpe32.exe115⤵PID:1388
-
C:\Windows\SysWOW64\Nkeelohh.exeC:\Windows\system32\Nkeelohh.exe116⤵PID:2020
-
C:\Windows\SysWOW64\Noqamn32.exeC:\Windows\system32\Noqamn32.exe117⤵PID:2812
-
C:\Windows\SysWOW64\Nejiih32.exeC:\Windows\system32\Nejiih32.exe118⤵PID:2884
-
C:\Windows\SysWOW64\Nhiffc32.exeC:\Windows\system32\Nhiffc32.exe119⤵PID:2456
-
C:\Windows\SysWOW64\Nkgbbo32.exeC:\Windows\system32\Nkgbbo32.exe120⤵PID:2412
-
C:\Windows\SysWOW64\Naajoinb.exeC:\Windows\system32\Naajoinb.exe121⤵PID:1248
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-