Analysis
-
max time kernel
144s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
30-06-2024 02:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ccdf239041695eab312622d067b821b9903a436f9b30323116d14211c50d583c.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
ccdf239041695eab312622d067b821b9903a436f9b30323116d14211c50d583c.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
ccdf239041695eab312622d067b821b9903a436f9b30323116d14211c50d583c.exe
-
Size
592KB
-
MD5
e68f149ed11bc993e26359329e7c7a82
-
SHA1
db9e24a83472a9d0d111647b8656cd70fd188bc5
-
SHA256
ccdf239041695eab312622d067b821b9903a436f9b30323116d14211c50d583c
-
SHA512
c469ae63c4880b5e9f6465fdddffc9cd9f83fe4a445da64165a936ff7f096f5bd7648a341edf51beebec75453d82003b3ac5a0ef345a83bb133076b3cf5ba74b
-
SSDEEP
6144:Uqsf0k6YInqUk8SeNpgdyuH1lZfRo0V8JcgE+ezpg1xrloBNTNxaaqk9a5:UHLJ87g7/VycgE81lgxaa79y
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kakmna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kplmliko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gfkbde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Enkdaepb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahofoogd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehlhih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Giljfddl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pjkmomfn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflmlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gpcfmkff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Madjhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmcain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fijkdmhn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifcgion.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Caojpaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lancko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mfbaalbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mcifkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcmfnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pakdbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpgnjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flinkojm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pddhbipj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pmaffnce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gehbjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohfami32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcgiefen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbkkik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Elnoopdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdhbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Boeebnhp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbpchb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efhlhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aefjii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnahdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddnobj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pidlqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nbebbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nimmifgo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omfekbdh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdodkebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ojdnid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Holfoqcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgpfbjlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Opqofe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pocpfphe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aoalgn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcimdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nlcalieg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahdged32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfbcke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ljdkll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bakgoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aaenbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fkhpfbce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Efhlhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cnindhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddnobj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmennnni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fkfcqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kplmliko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncmhko32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpnmbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bddjpd32.exe -
Executes dropped EXE 64 IoCs
pid Process 4412 Dflmlj32.exe 4696 Dmfeidbe.exe 2364 Dpgnjo32.exe 516 Elnoopdj.exe 4664 Ecefqnel.exe 4796 Efccmidp.exe 4848 Efhlhh32.exe 4228 Eifhdd32.exe 5048 Ebommi32.exe 1164 Flinkojm.exe 932 Fpggamqc.exe 1428 Flngfn32.exe 2356 Flqdlnde.exe 3964 Fffhifdk.exe 4524 Gpnmbl32.exe 4880 Gpqjglii.exe 2900 Gfkbde32.exe 4808 Gpcfmkff.exe 1020 Gpecbk32.exe 3820 Gipdap32.exe 2564 Hkpqkcpd.exe 4684 Hckeoeno.exe 4948 Hkbmqb32.exe 1376 Hdmoohbo.exe 4000 Hpcodihc.exe 2444 Ipoopgnf.exe 3112 Igigla32.exe 1920 Jkgpbp32.exe 628 Jdodkebj.exe 2188 Jpfepf32.exe 1556 Jcgnbaeo.exe 4408 Jgeghp32.exe 1136 Kclgmq32.exe 4908 Kkconn32.exe 5008 Knalji32.exe 3928 Kdkdgchl.exe 4312 Kjhloj32.exe 2492 Kqbdldnq.exe 3372 Kcpahpmd.exe 4804 Kkgiimng.exe 1116 Kcbnnpka.exe 1720 Kjmfjj32.exe 4448 Kqfngd32.exe 5084 Lgqfdnah.exe 404 Lnjnqh32.exe 3500 Lcggio32.exe 4976 Lknojl32.exe 4536 Lmpkadnm.exe 2344 Ldgccb32.exe 212 Lkalplel.exe 3208 Lnohlgep.exe 3424 Lqndhcdc.exe 672 Lggldm32.exe 3580 Ljfhqh32.exe 5128 Lqpamb32.exe 5208 Lcnmin32.exe 5248 Ljhefhha.exe 5292 Lqbncb32.exe 5348 Mkhapk32.exe 5388 Madjhb32.exe 5428 Mccfdmmo.exe 5464 Mjmoag32.exe 5508 Mgaokl32.exe 5548 Mmnhcb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Aojefobm.exe Alkijdci.exe File opened for modification C:\Windows\SysWOW64\Boeebnhp.exe Bkjiao32.exe File opened for modification C:\Windows\SysWOW64\Eppjfgcp.exe Ekdnei32.exe File created C:\Windows\SysWOW64\Mnokgcbe.dll Opqofe32.exe File created C:\Windows\SysWOW64\Emmdom32.exe Enkdaepb.exe File opened for modification C:\Windows\SysWOW64\Bhkfkmmg.exe Bkgeainn.exe File created C:\Windows\SysWOW64\Ngckdnpn.dll Gbkkik32.exe File created C:\Windows\SysWOW64\Oqhoeb32.exe Ojnfihmo.exe File opened for modification C:\Windows\SysWOW64\Flngfn32.exe Fpggamqc.exe File created C:\Windows\SysWOW64\Mgaokl32.exe Mjmoag32.exe File opened for modification C:\Windows\SysWOW64\Pefabkej.exe Pecellgl.exe File created C:\Windows\SysWOW64\Pjinodke.dll Albpkc32.exe File created C:\Windows\SysWOW64\Ddplkbaa.dll Igigla32.exe File opened for modification C:\Windows\SysWOW64\Jhifomdj.exe Jekjcaef.exe File created C:\Windows\SysWOW64\Eiidnkam.dll Kplmliko.exe File created C:\Windows\SysWOW64\Flkkjnjg.dll Bdgged32.exe File created C:\Windows\SysWOW64\Kiljgf32.dll Cfbcke32.exe File created C:\Windows\SysWOW64\Fenhjedb.dll Gojiiafp.exe File created C:\Windows\SysWOW64\Mcfbkpab.exe Mqhfoebo.exe File created C:\Windows\SysWOW64\Oeehkn32.exe Nmnqjp32.exe File opened for modification C:\Windows\SysWOW64\Qaalblgi.exe Pocpfphe.exe File created C:\Windows\SysWOW64\Blielbfi.exe Bdbnjdfg.exe File opened for modification C:\Windows\SysWOW64\Bllbaa32.exe Bddjpd32.exe File opened for modification C:\Windows\SysWOW64\Nbnlaldg.exe Nqmojd32.exe File created C:\Windows\SysWOW64\Qfglbe32.dll Lqndhcdc.exe File created C:\Windows\SysWOW64\Ohcegi32.exe Oeehkn32.exe File opened for modification C:\Windows\SysWOW64\Flkdfh32.exe Fimhjl32.exe File created C:\Windows\SysWOW64\Oanfen32.exe Ojdnid32.exe File created C:\Windows\SysWOW64\Mokmqben.dll Aolblopj.exe File created C:\Windows\SysWOW64\Fmcjpl32.exe Felbnn32.exe File opened for modification C:\Windows\SysWOW64\Fkmjaa32.exe Fecadghc.exe File created C:\Windows\SysWOW64\Kqbdldnq.exe Kjhloj32.exe File created C:\Windows\SysWOW64\Cncijina.dll Onnmdcjm.exe File created C:\Windows\SysWOW64\Kpqggh32.exe Kifojnol.exe File created C:\Windows\SysWOW64\Lgqfdnah.exe Kqfngd32.exe File opened for modification C:\Windows\SysWOW64\Pjdpelnc.exe Pnmopk32.exe File created C:\Windows\SysWOW64\Jilpfgkh.dll Dgcihgaj.exe File created C:\Windows\SysWOW64\Jgamhc32.dll Dndgfpbo.exe File created C:\Windows\SysWOW64\Bkgppbgc.dll Lepleocn.exe File created C:\Windows\SysWOW64\Mfbaalbi.exe Mpeiie32.exe File opened for modification C:\Windows\SysWOW64\Pafkgphl.exe Pjlcjf32.exe File opened for modification C:\Windows\SysWOW64\Naecop32.exe Nlhkgi32.exe File opened for modification C:\Windows\SysWOW64\Jiglnf32.exe Ipoheakj.exe File created C:\Windows\SysWOW64\Ddkbmj32.exe Damfao32.exe File created C:\Windows\SysWOW64\Ehblpall.dll Eqiibjlj.exe File created C:\Windows\SysWOW64\Ekooihip.dll Kkconn32.exe File opened for modification C:\Windows\SysWOW64\Ohfami32.exe Onnmdcjm.exe File created C:\Windows\SysWOW64\Pmaffnce.exe Pkbjjbda.exe File created C:\Windows\SysWOW64\Bllbaa32.exe Bddjpd32.exe File created C:\Windows\SysWOW64\Alkijdci.exe Ahpmjejp.exe File opened for modification C:\Windows\SysWOW64\Kjjbjd32.exe Kgkfnh32.exe File opened for modification C:\Windows\SysWOW64\Hifmmb32.exe Hbldphde.exe File opened for modification C:\Windows\SysWOW64\Lancko32.exe Loofnccf.exe File created C:\Windows\SysWOW64\Fofdocoe.dll Dmennnni.exe File created C:\Windows\SysWOW64\Kgkfnh32.exe Kflide32.exe File created C:\Windows\SysWOW64\Jmpjlk32.dll Ljhnlb32.exe File opened for modification C:\Windows\SysWOW64\Gpnmbl32.exe Fffhifdk.exe File created C:\Windows\SysWOW64\Jcbiffko.dll Kdkdgchl.exe File created C:\Windows\SysWOW64\Pocpfphe.exe Pldcjeia.exe File opened for modification C:\Windows\SysWOW64\Cocacl32.exe Cleegp32.exe File created C:\Windows\SysWOW64\Oeedjegm.dll Mgaokl32.exe File created C:\Windows\SysWOW64\Lpmkebjc.dll Apaadpng.exe File opened for modification C:\Windows\SysWOW64\Bnlhncgi.exe Bddcenpi.exe File created C:\Windows\SysWOW64\Pfccogfc.exe Pafkgphl.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12264 12176 WerFault.exe 556 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bohgljdl.dll" Kgkfnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Chkobkod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Enmjlojd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iiopca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Paihlpfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dbicpfdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpapmqq.dll" Ddligq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fbpchb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fijkdmhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmgnid32.dll" Ebdcld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mfbaalbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnndji32.dll" Oiccje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ipoopgnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iedjmioj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pfdjinjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ddifgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dkhgod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pkbjjbda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pmaffnce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pejkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bdgged32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gflhoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocbnhog.dll" Mnmmboed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nceefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkkam32.dll" Cocjiehd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogeacidl.dll" Fofilp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mkhapk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngidlo32.dll" Lcimdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmiadaea.dll" Nncccnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojidbohn.dll" Ehpadhll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hemqgjog.dll" Kcpahpmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lqbncb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnocehc.dll" Lqbncb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocedcbl.dll" Akdilipp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gipdap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafnnj32.dll" Kjmfjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Onnmdcjm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Alnfpcag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aolblopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpamfo32.dll" Adndoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baaelkfn.dll" Fealin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdmlme32.dll" Mokmdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkbnla32.dll" Bnlhncgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fofilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gpdennml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jafdcbge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kjhloj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlnhqepf.dll" Efgemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fkofga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ojhiogdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Neclenfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jiglnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mfchlbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bnlhncgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejimf32.dll" Oqklkbbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lnjnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dmcain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jpnakk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jikoopij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaklfpn.dll" Pciqnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} ccdf239041695eab312622d067b821b9903a436f9b30323116d14211c50d583c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dmfeidbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bhkmec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cdpjlb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 632 wrote to memory of 4412 632 ccdf239041695eab312622d067b821b9903a436f9b30323116d14211c50d583c.exe 92 PID 632 wrote to memory of 4412 632 ccdf239041695eab312622d067b821b9903a436f9b30323116d14211c50d583c.exe 92 PID 632 wrote to memory of 4412 632 ccdf239041695eab312622d067b821b9903a436f9b30323116d14211c50d583c.exe 92 PID 4412 wrote to memory of 4696 4412 Dflmlj32.exe 93 PID 4412 wrote to memory of 4696 4412 Dflmlj32.exe 93 PID 4412 wrote to memory of 4696 4412 Dflmlj32.exe 93 PID 4696 wrote to memory of 2364 4696 Dmfeidbe.exe 94 PID 4696 wrote to memory of 2364 4696 Dmfeidbe.exe 94 PID 4696 wrote to memory of 2364 4696 Dmfeidbe.exe 94 PID 2364 wrote to memory of 516 2364 Dpgnjo32.exe 95 PID 2364 wrote to memory of 516 2364 Dpgnjo32.exe 95 PID 2364 wrote to memory of 516 2364 Dpgnjo32.exe 95 PID 516 wrote to memory of 4664 516 Elnoopdj.exe 96 PID 516 wrote to memory of 4664 516 Elnoopdj.exe 96 PID 516 wrote to memory of 4664 516 Elnoopdj.exe 96 PID 4664 wrote to memory of 4796 4664 Ecefqnel.exe 97 PID 4664 wrote to memory of 4796 4664 Ecefqnel.exe 97 PID 4664 wrote to memory of 4796 4664 Ecefqnel.exe 97 PID 4796 wrote to memory of 4848 4796 Efccmidp.exe 98 PID 4796 wrote to memory of 4848 4796 Efccmidp.exe 98 PID 4796 wrote to memory of 4848 4796 Efccmidp.exe 98 PID 4848 wrote to memory of 4228 4848 Efhlhh32.exe 99 PID 4848 wrote to memory of 4228 4848 Efhlhh32.exe 99 PID 4848 wrote to memory of 4228 4848 Efhlhh32.exe 99 PID 4228 wrote to memory of 5048 4228 Eifhdd32.exe 100 PID 4228 wrote to memory of 5048 4228 Eifhdd32.exe 100 PID 4228 wrote to memory of 5048 4228 Eifhdd32.exe 100 PID 5048 wrote to memory of 1164 5048 Ebommi32.exe 101 PID 5048 wrote to memory of 1164 5048 Ebommi32.exe 101 PID 5048 wrote to memory of 1164 5048 Ebommi32.exe 101 PID 1164 wrote to memory of 932 1164 Flinkojm.exe 103 PID 1164 wrote to memory of 932 1164 Flinkojm.exe 103 PID 1164 wrote to memory of 932 1164 Flinkojm.exe 103 PID 932 wrote to memory of 1428 932 Fpggamqc.exe 104 PID 932 wrote to memory of 1428 932 Fpggamqc.exe 104 PID 932 wrote to memory of 1428 932 Fpggamqc.exe 104 PID 1428 wrote to memory of 2356 1428 Flngfn32.exe 105 PID 1428 wrote to memory of 2356 1428 Flngfn32.exe 105 PID 1428 wrote to memory of 2356 1428 Flngfn32.exe 105 PID 2356 wrote to memory of 3964 2356 Flqdlnde.exe 106 PID 2356 wrote to memory of 3964 2356 Flqdlnde.exe 106 PID 2356 wrote to memory of 3964 2356 Flqdlnde.exe 106 PID 3964 wrote to memory of 4524 3964 Fffhifdk.exe 107 PID 3964 wrote to memory of 4524 3964 Fffhifdk.exe 107 PID 3964 wrote to memory of 4524 3964 Fffhifdk.exe 107 PID 4524 wrote to memory of 4880 4524 Gpnmbl32.exe 108 PID 4524 wrote to memory of 4880 4524 Gpnmbl32.exe 108 PID 4524 wrote to memory of 4880 4524 Gpnmbl32.exe 108 PID 4880 wrote to memory of 2900 4880 Gpqjglii.exe 109 PID 4880 wrote to memory of 2900 4880 Gpqjglii.exe 109 PID 4880 wrote to memory of 2900 4880 Gpqjglii.exe 109 PID 2900 wrote to memory of 4808 2900 Gfkbde32.exe 110 PID 2900 wrote to memory of 4808 2900 Gfkbde32.exe 110 PID 2900 wrote to memory of 4808 2900 Gfkbde32.exe 110 PID 4808 wrote to memory of 1020 4808 Gpcfmkff.exe 111 PID 4808 wrote to memory of 1020 4808 Gpcfmkff.exe 111 PID 4808 wrote to memory of 1020 4808 Gpcfmkff.exe 111 PID 1020 wrote to memory of 3820 1020 Gpecbk32.exe 112 PID 1020 wrote to memory of 3820 1020 Gpecbk32.exe 112 PID 1020 wrote to memory of 3820 1020 Gpecbk32.exe 112 PID 3820 wrote to memory of 2564 3820 Gipdap32.exe 113 PID 3820 wrote to memory of 2564 3820 Gipdap32.exe 113 PID 3820 wrote to memory of 2564 3820 Gipdap32.exe 113 PID 2564 wrote to memory of 4684 2564 Hkpqkcpd.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\ccdf239041695eab312622d067b821b9903a436f9b30323116d14211c50d583c.exe"C:\Users\Admin\AppData\Local\Temp\ccdf239041695eab312622d067b821b9903a436f9b30323116d14211c50d583c.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\Dflmlj32.exeC:\Windows\system32\Dflmlj32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\Dmfeidbe.exeC:\Windows\system32\Dmfeidbe.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\SysWOW64\Dpgnjo32.exeC:\Windows\system32\Dpgnjo32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Elnoopdj.exeC:\Windows\system32\Elnoopdj.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:516 -
C:\Windows\SysWOW64\Ecefqnel.exeC:\Windows\system32\Ecefqnel.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Windows\SysWOW64\Efccmidp.exeC:\Windows\system32\Efccmidp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\SysWOW64\Efhlhh32.exeC:\Windows\system32\Efhlhh32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\Eifhdd32.exeC:\Windows\system32\Eifhdd32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\SysWOW64\Ebommi32.exeC:\Windows\system32\Ebommi32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Windows\SysWOW64\Flinkojm.exeC:\Windows\system32\Flinkojm.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Fpggamqc.exeC:\Windows\system32\Fpggamqc.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Windows\SysWOW64\Flngfn32.exeC:\Windows\system32\Flngfn32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Flqdlnde.exeC:\Windows\system32\Flqdlnde.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Fffhifdk.exeC:\Windows\system32\Fffhifdk.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\Gpnmbl32.exeC:\Windows\system32\Gpnmbl32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\SysWOW64\Gpqjglii.exeC:\Windows\system32\Gpqjglii.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\SysWOW64\Gfkbde32.exeC:\Windows\system32\Gfkbde32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Gpcfmkff.exeC:\Windows\system32\Gpcfmkff.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Gpecbk32.exeC:\Windows\system32\Gpecbk32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Gipdap32.exeC:\Windows\system32\Gipdap32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3820 -
C:\Windows\SysWOW64\Hkpqkcpd.exeC:\Windows\system32\Hkpqkcpd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Hckeoeno.exeC:\Windows\system32\Hckeoeno.exe23⤵
- Executes dropped EXE
PID:4684 -
C:\Windows\SysWOW64\Hkbmqb32.exeC:\Windows\system32\Hkbmqb32.exe24⤵
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Hdmoohbo.exeC:\Windows\system32\Hdmoohbo.exe25⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Hpcodihc.exeC:\Windows\system32\Hpcodihc.exe26⤵
- Executes dropped EXE
PID:4000 -
C:\Windows\SysWOW64\Ipoopgnf.exeC:\Windows\system32\Ipoopgnf.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Igigla32.exeC:\Windows\system32\Igigla32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3112 -
C:\Windows\SysWOW64\Jkgpbp32.exeC:\Windows\system32\Jkgpbp32.exe29⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Jdodkebj.exeC:\Windows\system32\Jdodkebj.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Jpfepf32.exeC:\Windows\system32\Jpfepf32.exe31⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Jcgnbaeo.exeC:\Windows\system32\Jcgnbaeo.exe32⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Jgeghp32.exeC:\Windows\system32\Jgeghp32.exe33⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Kclgmq32.exeC:\Windows\system32\Kclgmq32.exe34⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Kkconn32.exeC:\Windows\system32\Kkconn32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4908 -
C:\Windows\SysWOW64\Knalji32.exeC:\Windows\system32\Knalji32.exe36⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Kdkdgchl.exeC:\Windows\system32\Kdkdgchl.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3928 -
C:\Windows\SysWOW64\Kjhloj32.exeC:\Windows\system32\Kjhloj32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4312 -
C:\Windows\SysWOW64\Kqbdldnq.exeC:\Windows\system32\Kqbdldnq.exe39⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Kcpahpmd.exeC:\Windows\system32\Kcpahpmd.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:3372 -
C:\Windows\SysWOW64\Kkgiimng.exeC:\Windows\system32\Kkgiimng.exe41⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Kcbnnpka.exeC:\Windows\system32\Kcbnnpka.exe42⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Kjmfjj32.exeC:\Windows\system32\Kjmfjj32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Kqfngd32.exeC:\Windows\system32\Kqfngd32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4448 -
C:\Windows\SysWOW64\Lgqfdnah.exeC:\Windows\system32\Lgqfdnah.exe45⤵
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Lnjnqh32.exeC:\Windows\system32\Lnjnqh32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:404 -
C:\Windows\SysWOW64\Lcggio32.exeC:\Windows\system32\Lcggio32.exe47⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Lknojl32.exeC:\Windows\system32\Lknojl32.exe48⤵
- Executes dropped EXE
PID:4976 -
C:\Windows\SysWOW64\Lmpkadnm.exeC:\Windows\system32\Lmpkadnm.exe49⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Ldgccb32.exeC:\Windows\system32\Ldgccb32.exe50⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Lkalplel.exeC:\Windows\system32\Lkalplel.exe51⤵
- Executes dropped EXE
PID:212 -
C:\Windows\SysWOW64\Lnohlgep.exeC:\Windows\system32\Lnohlgep.exe52⤵
- Executes dropped EXE
PID:3208 -
C:\Windows\SysWOW64\Lqndhcdc.exeC:\Windows\system32\Lqndhcdc.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3424 -
C:\Windows\SysWOW64\Lggldm32.exeC:\Windows\system32\Lggldm32.exe54⤵
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\Ljfhqh32.exeC:\Windows\system32\Ljfhqh32.exe55⤵
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Lqpamb32.exeC:\Windows\system32\Lqpamb32.exe56⤵
- Executes dropped EXE
PID:5128 -
C:\Windows\SysWOW64\Lcnmin32.exeC:\Windows\system32\Lcnmin32.exe57⤵
- Executes dropped EXE
PID:5208 -
C:\Windows\SysWOW64\Ljhefhha.exeC:\Windows\system32\Ljhefhha.exe58⤵
- Executes dropped EXE
PID:5248 -
C:\Windows\SysWOW64\Lqbncb32.exeC:\Windows\system32\Lqbncb32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:5292 -
C:\Windows\SysWOW64\Mkhapk32.exeC:\Windows\system32\Mkhapk32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:5348 -
C:\Windows\SysWOW64\Madjhb32.exeC:\Windows\system32\Madjhb32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5388 -
C:\Windows\SysWOW64\Mccfdmmo.exeC:\Windows\system32\Mccfdmmo.exe62⤵
- Executes dropped EXE
PID:5428 -
C:\Windows\SysWOW64\Mjmoag32.exeC:\Windows\system32\Mjmoag32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5464 -
C:\Windows\SysWOW64\Mgaokl32.exeC:\Windows\system32\Mgaokl32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5508 -
C:\Windows\SysWOW64\Mmnhcb32.exeC:\Windows\system32\Mmnhcb32.exe65⤵
- Executes dropped EXE
PID:5548 -
C:\Windows\SysWOW64\Meepdp32.exeC:\Windows\system32\Meepdp32.exe66⤵PID:5588
-
C:\Windows\SysWOW64\Mjahlgpf.exeC:\Windows\system32\Mjahlgpf.exe67⤵PID:5628
-
C:\Windows\SysWOW64\Mjdebfnd.exeC:\Windows\system32\Mjdebfnd.exe68⤵PID:5668
-
C:\Windows\SysWOW64\Nlcalieg.exeC:\Windows\system32\Nlcalieg.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5716 -
C:\Windows\SysWOW64\Ncofplba.exeC:\Windows\system32\Ncofplba.exe70⤵PID:5756
-
C:\Windows\SysWOW64\Nlhkgi32.exeC:\Windows\system32\Nlhkgi32.exe71⤵
- Drops file in System32 directory
PID:5796 -
C:\Windows\SysWOW64\Naecop32.exeC:\Windows\system32\Naecop32.exe72⤵PID:5836
-
C:\Windows\SysWOW64\Nhokljge.exeC:\Windows\system32\Nhokljge.exe73⤵PID:5880
-
C:\Windows\SysWOW64\Njmhhefi.exeC:\Windows\system32\Njmhhefi.exe74⤵PID:5920
-
C:\Windows\SysWOW64\Neclenfo.exeC:\Windows\system32\Neclenfo.exe75⤵
- Modifies registry class
PID:5988 -
C:\Windows\SysWOW64\Nmnqjp32.exeC:\Windows\system32\Nmnqjp32.exe76⤵
- Drops file in System32 directory
PID:6028 -
C:\Windows\SysWOW64\Oeehkn32.exeC:\Windows\system32\Oeehkn32.exe77⤵
- Drops file in System32 directory
PID:6064 -
C:\Windows\SysWOW64\Ohcegi32.exeC:\Windows\system32\Ohcegi32.exe78⤵PID:6108
-
C:\Windows\SysWOW64\Onnmdcjm.exeC:\Windows\system32\Onnmdcjm.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:5124 -
C:\Windows\SysWOW64\Ohfami32.exeC:\Windows\system32\Ohfami32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5232 -
C:\Windows\SysWOW64\Ojdnid32.exeC:\Windows\system32\Ojdnid32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5332 -
C:\Windows\SysWOW64\Oanfen32.exeC:\Windows\system32\Oanfen32.exe82⤵PID:5424
-
C:\Windows\SysWOW64\Ohhnbhok.exeC:\Windows\system32\Ohhnbhok.exe83⤵PID:5480
-
C:\Windows\SysWOW64\Oobfob32.exeC:\Windows\system32\Oobfob32.exe84⤵PID:5584
-
C:\Windows\SysWOW64\Oaqbkn32.exeC:\Windows\system32\Oaqbkn32.exe85⤵PID:5636
-
C:\Windows\SysWOW64\Ojigdcll.exeC:\Windows\system32\Ojigdcll.exe86⤵PID:5724
-
C:\Windows\SysWOW64\Oacoqnci.exeC:\Windows\system32\Oacoqnci.exe87⤵PID:5788
-
C:\Windows\SysWOW64\Ohmhmh32.exeC:\Windows\system32\Ohmhmh32.exe88⤵PID:5868
-
C:\Windows\SysWOW64\Omjpeo32.exeC:\Windows\system32\Omjpeo32.exe89⤵PID:5940
-
C:\Windows\SysWOW64\Pddhbipj.exeC:\Windows\system32\Pddhbipj.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6052 -
C:\Windows\SysWOW64\Pknqoc32.exeC:\Windows\system32\Pknqoc32.exe91⤵PID:6072
-
C:\Windows\SysWOW64\Pahilmoc.exeC:\Windows\system32\Pahilmoc.exe92⤵PID:5284
-
C:\Windows\SysWOW64\Pecellgl.exeC:\Windows\system32\Pecellgl.exe93⤵
- Drops file in System32 directory
PID:5460 -
C:\Windows\SysWOW64\Pefabkej.exeC:\Windows\system32\Pefabkej.exe94⤵PID:5572
-
C:\Windows\SysWOW64\Pdhbmh32.exeC:\Windows\system32\Pdhbmh32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5712 -
C:\Windows\SysWOW64\Pkbjjbda.exeC:\Windows\system32\Pkbjjbda.exe96⤵
- Drops file in System32 directory
- Modifies registry class
PID:5824 -
C:\Windows\SysWOW64\Pmaffnce.exeC:\Windows\system32\Pmaffnce.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5900 -
C:\Windows\SysWOW64\Pehngkcg.exeC:\Windows\system32\Pehngkcg.exe98⤵PID:6116
-
C:\Windows\SysWOW64\Pdkoch32.exeC:\Windows\system32\Pdkoch32.exe99⤵PID:6124
-
C:\Windows\SysWOW64\Plbfdekd.exeC:\Windows\system32\Plbfdekd.exe100⤵PID:5472
-
C:\Windows\SysWOW64\Popbpqjh.exeC:\Windows\system32\Popbpqjh.exe101⤵PID:5596
-
C:\Windows\SysWOW64\Paoollik.exeC:\Windows\system32\Paoollik.exe102⤵PID:5852
-
C:\Windows\SysWOW64\Pejkmk32.exeC:\Windows\system32\Pejkmk32.exe103⤵
- Modifies registry class
PID:5996 -
C:\Windows\SysWOW64\Pldcjeia.exeC:\Windows\system32\Pldcjeia.exe104⤵
- Drops file in System32 directory
PID:5316 -
C:\Windows\SysWOW64\Pocpfphe.exeC:\Windows\system32\Pocpfphe.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5456 -
C:\Windows\SysWOW64\Qaalblgi.exeC:\Windows\system32\Qaalblgi.exe106⤵PID:5948
-
C:\Windows\SysWOW64\Qdphngfl.exeC:\Windows\system32\Qdphngfl.exe107⤵PID:5624
-
C:\Windows\SysWOW64\Qhkdof32.exeC:\Windows\system32\Qhkdof32.exe108⤵PID:5372
-
C:\Windows\SysWOW64\Qkipkani.exeC:\Windows\system32\Qkipkani.exe109⤵PID:6132
-
C:\Windows\SysWOW64\Qeodhjmo.exeC:\Windows\system32\Qeodhjmo.exe110⤵PID:6192
-
C:\Windows\SysWOW64\Qhmqdemc.exeC:\Windows\system32\Qhmqdemc.exe111⤵PID:6236
-
C:\Windows\SysWOW64\Qlimed32.exeC:\Windows\system32\Qlimed32.exe112⤵PID:6280
-
C:\Windows\SysWOW64\Amjillkj.exeC:\Windows\system32\Amjillkj.exe113⤵PID:6324
-
C:\Windows\SysWOW64\Aeaanjkl.exeC:\Windows\system32\Aeaanjkl.exe114⤵PID:6360
-
C:\Windows\SysWOW64\Ahpmjejp.exeC:\Windows\system32\Ahpmjejp.exe115⤵
- Drops file in System32 directory
PID:6408 -
C:\Windows\SysWOW64\Alkijdci.exeC:\Windows\system32\Alkijdci.exe116⤵
- Drops file in System32 directory
PID:6452 -
C:\Windows\SysWOW64\Aojefobm.exeC:\Windows\system32\Aojefobm.exe117⤵PID:6500
-
C:\Windows\SysWOW64\Anmfbl32.exeC:\Windows\system32\Anmfbl32.exe118⤵PID:6540
-
C:\Windows\SysWOW64\Aednci32.exeC:\Windows\system32\Aednci32.exe119⤵PID:6592
-
C:\Windows\SysWOW64\Ahbjoe32.exeC:\Windows\system32\Ahbjoe32.exe120⤵PID:6636
-
C:\Windows\SysWOW64\Alnfpcag.exeC:\Windows\system32\Alnfpcag.exe121⤵
- Modifies registry class
PID:6680
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-