Analysis
-
max time kernel
144s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
30/06/2024, 01:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b4357f2909d5972fa8d58b3d21e8af594127f73a6d8814220e63081bf6792860.exe
Resource
win7-20240419-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
b4357f2909d5972fa8d58b3d21e8af594127f73a6d8814220e63081bf6792860.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
b4357f2909d5972fa8d58b3d21e8af594127f73a6d8814220e63081bf6792860.exe
-
Size
576KB
-
MD5
578498f80914be923fdb544a99e50938
-
SHA1
943db5793fde1ed21cad20884f7c3a5a835f58fe
-
SHA256
b4357f2909d5972fa8d58b3d21e8af594127f73a6d8814220e63081bf6792860
-
SHA512
eda44051a108637e667d4504c4a64773a1c17c0e1e60e8c139e9cccf35d8823d776ff8e1207c5b07dfd8a9ffd6f9b6de5daada06dbc9e883fe44b6b892dde914
-
SSDEEP
12288:3KGyXu1jGG1ws5iETdqvZNemWrsiLk6mqgSgRDO:6GyXsGG1ws5ipX6
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcbllb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhndldcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ongnonkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gonnhhln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Moiklogi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qfahhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkdmcdoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ennaieib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocajbekl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfadgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlqdei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mapjmehi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kebepion.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Facdeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jokcgmee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lahkigca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pciifc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bifgdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbmcbbki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npnhlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhjgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Keanebkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlphkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pimkpfeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlnbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igakgfpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kklpekno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad b4357f2909d5972fa8d58b3d21e8af594127f73a6d8814220e63081bf6792860.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gonnhhln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eloemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Habfipdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcifgjgc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgagfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efncicpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igihbknb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcdbbloa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbamma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jghmfhmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mffimglk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiinen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkhcmgnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngfflj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oddpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaaoij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pphjgfqq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmcoja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmmkcoap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilncom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjpkjond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fcjcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdpndnei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pedleg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbfbgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lckdanld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhfipcid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmcoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ceaadk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmihhelk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfbkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afohaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcbakpdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnplpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjojofgn.exe -
Executes dropped EXE 64 IoCs
pid Process 3004 Ibmfdkcf.exe 2968 Ienoff32.exe 2692 Jgnhga32.exe 1988 Jebiaelb.exe 2944 Jmpjkggj.exe 2496 Jjdkdl32.exe 2996 Kbalnnam.exe 1512 Kebepion.exe 2656 Khcnad32.exe 2404 Kjcgco32.exe 1892 Loapim32.exe 1372 Ldqegd32.exe 2220 Lganiohl.exe 1800 Lmkfei32.exe 1108 Mhgclfje.exe 908 Maphdl32.exe 2916 Mofecpnl.exe 2008 Mepnpj32.exe 604 Magnek32.exe 1344 Mdejaf32.exe 1960 Mkobnqan.exe 1272 Naikkk32.exe 688 Ndgggf32.exe 2892 Nnplpl32.exe 1732 Npnhlg32.exe 1228 Njgldmdc.exe 1700 Nfmmin32.exe 1596 Nofabc32.exe 2272 Nbdnoo32.exe 2584 Nccjhafn.exe 2740 Ohqbqhde.exe 2744 Oojknblb.exe 2644 Okalbc32.exe 2556 Onphoo32.exe 2536 Okchhc32.exe 620 Obnqem32.exe 1196 Ojieip32.exe 1220 Ocajbekl.exe 284 Ongnonkb.exe 1612 Pphjgfqq.exe 1308 Pipopl32.exe 2276 Pcfcmd32.exe 2452 Pjpkjond.exe 476 Pchpbded.exe 1072 Plcdgfbo.exe 1576 Pnbacbac.exe 1316 Pelipl32.exe 1508 Plfamfpm.exe 2888 Pabjem32.exe 1268 Pijbfj32.exe 2124 Qjknnbed.exe 1492 Qaefjm32.exe 876 Qhooggdn.exe 2984 Qnigda32.exe 2620 Qagcpljo.exe 2352 Ajphib32.exe 2636 Aajpelhl.exe 2480 Ahchbf32.exe 2512 Ajbdna32.exe 2928 Apomfh32.exe 2548 Abmibdlh.exe 2808 Aigaon32.exe 1568 Ambmpmln.exe 1620 Afkbib32.exe -
Loads dropped DLL 64 IoCs
pid Process 1784 b4357f2909d5972fa8d58b3d21e8af594127f73a6d8814220e63081bf6792860.exe 1784 b4357f2909d5972fa8d58b3d21e8af594127f73a6d8814220e63081bf6792860.exe 3004 Ibmfdkcf.exe 3004 Ibmfdkcf.exe 2968 Ienoff32.exe 2968 Ienoff32.exe 2692 Jgnhga32.exe 2692 Jgnhga32.exe 1988 Jebiaelb.exe 1988 Jebiaelb.exe 2944 Jmpjkggj.exe 2944 Jmpjkggj.exe 2496 Jjdkdl32.exe 2496 Jjdkdl32.exe 2996 Kbalnnam.exe 2996 Kbalnnam.exe 1512 Kebepion.exe 1512 Kebepion.exe 2656 Khcnad32.exe 2656 Khcnad32.exe 2404 Kjcgco32.exe 2404 Kjcgco32.exe 1892 Loapim32.exe 1892 Loapim32.exe 1372 Ldqegd32.exe 1372 Ldqegd32.exe 2220 Lganiohl.exe 2220 Lganiohl.exe 1800 Lmkfei32.exe 1800 Lmkfei32.exe 1108 Mhgclfje.exe 1108 Mhgclfje.exe 908 Maphdl32.exe 908 Maphdl32.exe 2916 Mofecpnl.exe 2916 Mofecpnl.exe 2008 Mepnpj32.exe 2008 Mepnpj32.exe 604 Magnek32.exe 604 Magnek32.exe 1344 Mdejaf32.exe 1344 Mdejaf32.exe 1960 Mkobnqan.exe 1960 Mkobnqan.exe 1272 Naikkk32.exe 1272 Naikkk32.exe 688 Ndgggf32.exe 688 Ndgggf32.exe 2892 Nnplpl32.exe 2892 Nnplpl32.exe 1732 Npnhlg32.exe 1732 Npnhlg32.exe 1228 Njgldmdc.exe 1228 Njgldmdc.exe 1700 Nfmmin32.exe 1700 Nfmmin32.exe 1596 Nofabc32.exe 1596 Nofabc32.exe 2272 Nbdnoo32.exe 2272 Nbdnoo32.exe 2584 Nccjhafn.exe 2584 Nccjhafn.exe 2740 Ohqbqhde.exe 2740 Ohqbqhde.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bneqdoee.dll Ckjpacfp.exe File opened for modification C:\Windows\SysWOW64\Giieco32.exe Gfjhgdck.exe File created C:\Windows\SysWOW64\Hdildlie.exe Hakphqja.exe File opened for modification C:\Windows\SysWOW64\Hoamgd32.exe Hhgdkjol.exe File opened for modification C:\Windows\SysWOW64\Lmgocb32.exe Lfmffhde.exe File opened for modification C:\Windows\SysWOW64\Filldb32.exe Fhkpmjln.exe File created C:\Windows\SysWOW64\Ccnnibig.dll Albjlcao.exe File opened for modification C:\Windows\SysWOW64\Jonplmcb.exe Jmocpado.exe File created C:\Windows\SysWOW64\Pcefke32.dll Lollckbk.exe File opened for modification C:\Windows\SysWOW64\Obcccl32.exe Ooeggp32.exe File created C:\Windows\SysWOW64\Ecjlgm32.dll Inkccpgk.exe File created C:\Windows\SysWOW64\Kocbkk32.exe Jfknbe32.exe File opened for modification C:\Windows\SysWOW64\Kebepion.exe Kbalnnam.exe File created C:\Windows\SysWOW64\Kpikfj32.dll Qagcpljo.exe File created C:\Windows\SysWOW64\Ofmbnkhg.exe Okgnab32.exe File created C:\Windows\SysWOW64\Cljcelan.exe Bcaomf32.exe File created C:\Windows\SysWOW64\Cciemedf.exe Cjpqdp32.exe File created C:\Windows\SysWOW64\Miikgeea.dll Npdjje32.exe File created C:\Windows\SysWOW64\Anccmo32.exe Ahikqd32.exe File opened for modification C:\Windows\SysWOW64\Dlnbeh32.exe Ddgjdk32.exe File opened for modification C:\Windows\SysWOW64\Hakphqja.exe Hlngpjlj.exe File created C:\Windows\SysWOW64\Acpmei32.dll Eloemi32.exe File created C:\Windows\SysWOW64\Mkclhl32.exe Mhdplq32.exe File created C:\Windows\SysWOW64\Mclgfa32.dll Blpjegfm.exe File opened for modification C:\Windows\SysWOW64\Knpemf32.exe Kjdilgpc.exe File created C:\Windows\SysWOW64\Okchhc32.exe Onphoo32.exe File created C:\Windows\SysWOW64\Mfnekf32.dll Jejhecaj.exe File created C:\Windows\SysWOW64\Bommnc32.exe Beehencq.exe File opened for modification C:\Windows\SysWOW64\Eibbcm32.exe Ejobhppq.exe File created C:\Windows\SysWOW64\Ongnonkb.exe Ocajbekl.exe File opened for modification C:\Windows\SysWOW64\Npdjje32.exe Nnennj32.exe File created C:\Windows\SysWOW64\Mlkopcge.exe Mcbjgn32.exe File created C:\Windows\SysWOW64\Leljop32.exe Lnbbbffj.exe File created C:\Windows\SysWOW64\Pphjgfqq.exe Ongnonkb.exe File created C:\Windows\SysWOW64\Gldkfl32.exe Gejcjbah.exe File created C:\Windows\SysWOW64\Hgilchkf.exe Hobcak32.exe File created C:\Windows\SysWOW64\Kpkofpgq.exe Kjnfniii.exe File created C:\Windows\SysWOW64\Qjjgclai.exe Qcpofbjl.exe File opened for modification C:\Windows\SysWOW64\Hojgfemq.exe Ghqnjk32.exe File opened for modification C:\Windows\SysWOW64\Kbalnnam.exe Jjdkdl32.exe File opened for modification C:\Windows\SysWOW64\Ldqegd32.exe Loapim32.exe File created C:\Windows\SysWOW64\Aaaoij32.exe Anccmo32.exe File created C:\Windows\SysWOW64\Padajbnl.dll Kklpekno.exe File opened for modification C:\Windows\SysWOW64\Jgnhga32.exe Ienoff32.exe File created C:\Windows\SysWOW64\Oacima32.dll Mihiih32.exe File created C:\Windows\SysWOW64\Hjjddchg.exe Hcplhi32.exe File opened for modification C:\Windows\SysWOW64\Biamilfj.exe Bbhela32.exe File opened for modification C:\Windows\SysWOW64\Maphdl32.exe Mhgclfje.exe File created C:\Windows\SysWOW64\Fckjalhj.exe Ealnephf.exe File created C:\Windows\SysWOW64\Bkkepg32.dll Fmmkcoap.exe File created C:\Windows\SysWOW64\Hfjiem32.dll Llcefjgf.exe File created C:\Windows\SysWOW64\Fibkpd32.dll Ngdifkpi.exe File created C:\Windows\SysWOW64\Jjpdcc32.dll Jgidao32.exe File created C:\Windows\SysWOW64\Endhhp32.exe Ejhlgaeh.exe File created C:\Windows\SysWOW64\Jcbellac.exe Jjjacf32.exe File opened for modification C:\Windows\SysWOW64\Nglfapnl.exe Nejiih32.exe File opened for modification C:\Windows\SysWOW64\Ckffgg32.exe Cdlnkmha.exe File opened for modification C:\Windows\SysWOW64\Ebpkce32.exe Eqonkmdh.exe File created C:\Windows\SysWOW64\Qinopgfb.dll Bnefdp32.exe File created C:\Windows\SysWOW64\Pgmkloid.dll Nnhkcj32.exe File opened for modification C:\Windows\SysWOW64\Pjadmnic.exe Pedleg32.exe File opened for modification C:\Windows\SysWOW64\Pamiog32.exe Pkpagq32.exe File opened for modification C:\Windows\SysWOW64\Aibajhdn.exe Afcenm32.exe File created C:\Windows\SysWOW64\Dhpiojfb.exe Dfamcogo.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5412 5384 WerFault.exe 487 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfbkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopgmbf.dll" Noqamn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bfenbpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Labkdack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Npnhlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okchhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gonnhhln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjdk32.dll" Gmjaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aghcamqb.dll" Fjmaaddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olliabba.dll" Lbfdaigg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ngfflj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coeidfmm.dll" Loapim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjp32.dll" Kifpdelo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnennj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofmbnkhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aamfnkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okphjd32.dll" Bifgdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkdmcdoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nobdlg32.dll" Dqjepm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Effcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dqlafm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Elmigj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jonplmcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpbefoai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okalbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgoiebg.dll" Plcdgfbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pelipl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikeogmlj.dll" Bdjefj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdlhjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jdgdempa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gldkfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkmcgmjk.dll" Ojahnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okgnab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mehjml32.dll" Ncpcfkbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djdfhjik.dll" Mapjmehi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmekfeeo.dll" b4357f2909d5972fa8d58b3d21e8af594127f73a6d8814220e63081bf6792860.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jagbha32.dll" Mkobnqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elbepj32.dll" Dgaqgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjmaaddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkkndnka.dll" Kjcgco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mepnpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dcadac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebpkce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll" Idceea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fbamma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jgagfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lfpclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdehna32.dll" Nofabc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nccjhafn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dchali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ecqqpgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flojhn32.dll" Ccahbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hdlhjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iheddndj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jabbhcfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Loapim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddcdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jejhecaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qcbllb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncpcfkbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgbdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glaoalkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofmbnkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcefji32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1784 wrote to memory of 3004 1784 b4357f2909d5972fa8d58b3d21e8af594127f73a6d8814220e63081bf6792860.exe 28 PID 1784 wrote to memory of 3004 1784 b4357f2909d5972fa8d58b3d21e8af594127f73a6d8814220e63081bf6792860.exe 28 PID 1784 wrote to memory of 3004 1784 b4357f2909d5972fa8d58b3d21e8af594127f73a6d8814220e63081bf6792860.exe 28 PID 1784 wrote to memory of 3004 1784 b4357f2909d5972fa8d58b3d21e8af594127f73a6d8814220e63081bf6792860.exe 28 PID 3004 wrote to memory of 2968 3004 Ibmfdkcf.exe 29 PID 3004 wrote to memory of 2968 3004 Ibmfdkcf.exe 29 PID 3004 wrote to memory of 2968 3004 Ibmfdkcf.exe 29 PID 3004 wrote to memory of 2968 3004 Ibmfdkcf.exe 29 PID 2968 wrote to memory of 2692 2968 Ienoff32.exe 30 PID 2968 wrote to memory of 2692 2968 Ienoff32.exe 30 PID 2968 wrote to memory of 2692 2968 Ienoff32.exe 30 PID 2968 wrote to memory of 2692 2968 Ienoff32.exe 30 PID 2692 wrote to memory of 1988 2692 Jgnhga32.exe 31 PID 2692 wrote to memory of 1988 2692 Jgnhga32.exe 31 PID 2692 wrote to memory of 1988 2692 Jgnhga32.exe 31 PID 2692 wrote to memory of 1988 2692 Jgnhga32.exe 31 PID 1988 wrote to memory of 2944 1988 Jebiaelb.exe 32 PID 1988 wrote to memory of 2944 1988 Jebiaelb.exe 32 PID 1988 wrote to memory of 2944 1988 Jebiaelb.exe 32 PID 1988 wrote to memory of 2944 1988 Jebiaelb.exe 32 PID 2944 wrote to memory of 2496 2944 Jmpjkggj.exe 33 PID 2944 wrote to memory of 2496 2944 Jmpjkggj.exe 33 PID 2944 wrote to memory of 2496 2944 Jmpjkggj.exe 33 PID 2944 wrote to memory of 2496 2944 Jmpjkggj.exe 33 PID 2496 wrote to memory of 2996 2496 Jjdkdl32.exe 34 PID 2496 wrote to memory of 2996 2496 Jjdkdl32.exe 34 PID 2496 wrote to memory of 2996 2496 Jjdkdl32.exe 34 PID 2496 wrote to memory of 2996 2496 Jjdkdl32.exe 34 PID 2996 wrote to memory of 1512 2996 Kbalnnam.exe 35 PID 2996 wrote to memory of 1512 2996 Kbalnnam.exe 35 PID 2996 wrote to memory of 1512 2996 Kbalnnam.exe 35 PID 2996 wrote to memory of 1512 2996 Kbalnnam.exe 35 PID 1512 wrote to memory of 2656 1512 Kebepion.exe 36 PID 1512 wrote to memory of 2656 1512 Kebepion.exe 36 PID 1512 wrote to memory of 2656 1512 Kebepion.exe 36 PID 1512 wrote to memory of 2656 1512 Kebepion.exe 36 PID 2656 wrote to memory of 2404 2656 Khcnad32.exe 37 PID 2656 wrote to memory of 2404 2656 Khcnad32.exe 37 PID 2656 wrote to memory of 2404 2656 Khcnad32.exe 37 PID 2656 wrote to memory of 2404 2656 Khcnad32.exe 37 PID 2404 wrote to memory of 1892 2404 Kjcgco32.exe 38 PID 2404 wrote to memory of 1892 2404 Kjcgco32.exe 38 PID 2404 wrote to memory of 1892 2404 Kjcgco32.exe 38 PID 2404 wrote to memory of 1892 2404 Kjcgco32.exe 38 PID 1892 wrote to memory of 1372 1892 Loapim32.exe 39 PID 1892 wrote to memory of 1372 1892 Loapim32.exe 39 PID 1892 wrote to memory of 1372 1892 Loapim32.exe 39 PID 1892 wrote to memory of 1372 1892 Loapim32.exe 39 PID 1372 wrote to memory of 2220 1372 Ldqegd32.exe 40 PID 1372 wrote to memory of 2220 1372 Ldqegd32.exe 40 PID 1372 wrote to memory of 2220 1372 Ldqegd32.exe 40 PID 1372 wrote to memory of 2220 1372 Ldqegd32.exe 40 PID 2220 wrote to memory of 1800 2220 Lganiohl.exe 41 PID 2220 wrote to memory of 1800 2220 Lganiohl.exe 41 PID 2220 wrote to memory of 1800 2220 Lganiohl.exe 41 PID 2220 wrote to memory of 1800 2220 Lganiohl.exe 41 PID 1800 wrote to memory of 1108 1800 Lmkfei32.exe 42 PID 1800 wrote to memory of 1108 1800 Lmkfei32.exe 42 PID 1800 wrote to memory of 1108 1800 Lmkfei32.exe 42 PID 1800 wrote to memory of 1108 1800 Lmkfei32.exe 42 PID 1108 wrote to memory of 908 1108 Mhgclfje.exe 43 PID 1108 wrote to memory of 908 1108 Mhgclfje.exe 43 PID 1108 wrote to memory of 908 1108 Mhgclfje.exe 43 PID 1108 wrote to memory of 908 1108 Mhgclfje.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4357f2909d5972fa8d58b3d21e8af594127f73a6d8814220e63081bf6792860.exe"C:\Users\Admin\AppData\Local\Temp\b4357f2909d5972fa8d58b3d21e8af594127f73a6d8814220e63081bf6792860.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\Ibmfdkcf.exeC:\Windows\system32\Ibmfdkcf.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Ienoff32.exeC:\Windows\system32\Ienoff32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Jgnhga32.exeC:\Windows\system32\Jgnhga32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Jebiaelb.exeC:\Windows\system32\Jebiaelb.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Jmpjkggj.exeC:\Windows\system32\Jmpjkggj.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Jjdkdl32.exeC:\Windows\system32\Jjdkdl32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Kbalnnam.exeC:\Windows\system32\Kbalnnam.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Khcnad32.exeC:\Windows\system32\Khcnad32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:908 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:604 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1344 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1272 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:688 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2892 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1228 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1700 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe33⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe37⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe38⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1220 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:284 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe42⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe43⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe45⤵
- Executes dropped EXE
PID:476 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1072 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe47⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1316 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe49⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe50⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe51⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe52⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe53⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe54⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe55⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe57⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe58⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe59⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe60⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe61⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe62⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe63⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe64⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe65⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2356 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe67⤵PID:2844
-
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe68⤵PID:2196
-
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe69⤵PID:1780
-
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe70⤵PID:1120
-
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe71⤵PID:1352
-
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe72⤵PID:1068
-
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe73⤵
- Drops file in System32 directory
PID:1476 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe74⤵PID:2036
-
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe75⤵
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe77⤵PID:2640
-
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe78⤵
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe79⤵PID:2912
-
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe80⤵
- Drops file in System32 directory
PID:804 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe81⤵PID:2768
-
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe82⤵PID:2416
-
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe83⤵PID:2520
-
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe84⤵PID:2456
-
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe85⤵
- Modifies registry class
PID:1468 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe86⤵
- Drops file in System32 directory
PID:1876 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe87⤵PID:2440
-
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe88⤵PID:1820
-
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe89⤵PID:2868
-
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe90⤵
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe91⤵PID:1556
-
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe92⤵PID:2680
-
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2040 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2616 -
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe95⤵PID:2504
-
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe96⤵PID:1408
-
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe97⤵PID:1500
-
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe98⤵
- Modifies registry class
PID:756 -
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe99⤵
- Modifies registry class
PID:2380 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe100⤵
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe101⤵
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe102⤵PID:1764
-
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe103⤵
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe104⤵PID:2052
-
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe105⤵PID:2988
-
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe106⤵
- Drops file in System32 directory
PID:880 -
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe107⤵
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe108⤵PID:2784
-
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe109⤵PID:2596
-
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2648 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe111⤵PID:2764
-
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe112⤵PID:1928
-
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe113⤵PID:828
-
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe114⤵
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe115⤵PID:2204
-
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2848 -
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:644 -
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe118⤵
- Drops file in System32 directory
PID:1292 -
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe119⤵PID:2448
-
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2084 -
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe121⤵PID:2604
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-