Analysis
-
max time kernel
128s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
03-07-2024 03:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
33083f5c913885a745d2dbfc7614bab0e0446875d2e59216c5b4906a4d527047.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
33083f5c913885a745d2dbfc7614bab0e0446875d2e59216c5b4906a4d527047.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
33083f5c913885a745d2dbfc7614bab0e0446875d2e59216c5b4906a4d527047.exe
-
Size
148KB
-
MD5
8ddacf8fcf56ab4f59ef96cb665fb6a0
-
SHA1
7843fa575a4560ed5af72ad96d11a6bcd766c79c
-
SHA256
33083f5c913885a745d2dbfc7614bab0e0446875d2e59216c5b4906a4d527047
-
SHA512
d5e50282028bb14986ca6bad6c1f071ecff2a72f9687cc597cfbf99684a3e1d3ba3a6e94eaefd88a43d6ae913ed7fe3fae434d4438184a7949d35508c44c5c65
-
SSDEEP
3072:rrkePhRPbZsw1jM3Ulf/LqHykHcb1WdTCn93OGey/ZhJakrPPFU6UK7q4+5DbGT7:X17Pd/MiqJHckTCndOGeKTame6UK+42Q
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geloanjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmaphmln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmgfgham.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcmamj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcghkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfknhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aompambg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcjoci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dcohghbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmegjdad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkebafoa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckmpkpbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmnace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmjqpdje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjegog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciqcmiei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ankedf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjnkpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kglfcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkddnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gepafc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpnkopeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfagpiam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lghlndfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aopahjll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjdldd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amhcad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhapocoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkohjbah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lokgcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmeeepjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgjjndeq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikgfdlcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcijeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qglmpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmohco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lafahdcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oaaifdhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldahkaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnnbni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdlkiepd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbaglpee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kolhdbjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpphhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehlmljkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjfkmdlg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceqjla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elcdcgcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mndmoaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gncldi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgokfnij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihmgiiff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hldlga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcepqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iadbqlmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdodmlcm.exe -
Executes dropped EXE 64 IoCs
pid Process 2980 Fjongcbl.exe 3012 Gfhladfn.exe 2856 Giieco32.exe 2260 Gdniqh32.exe 2424 Hpgfki32.exe 2476 Hlngpjlj.exe 2956 Hakphqja.exe 576 Hmbpmapf.exe 2036 Hpbiommg.exe 1088 Ikkjbe32.exe 2392 Illgimph.exe 1476 Ilncom32.exe 1972 Ioolqh32.exe 1636 Ijdqna32.exe 2548 Jnffgd32.exe 3024 Jdbkjn32.exe 652 Jdgdempa.exe 1028 Kiijnq32.exe 1060 Kcakaipc.exe 1984 Kklpekno.exe 1032 Kkolkk32.exe 1928 Kegqdqbl.exe 2256 Kjdilgpc.exe 2884 Lmebnb32.exe 2940 Ljibgg32.exe 2216 Lcagpl32.exe 2004 Linphc32.exe 2552 Ljmlbfhi.exe 2748 Lbiqfied.exe 2744 Mpmapm32.exe 2768 Meijhc32.exe 2464 Mponel32.exe 2512 Melfncqb.exe 332 Modkfi32.exe 2444 Mlhkpm32.exe 2680 Mdcpdp32.exe 532 Moidahcn.exe 744 Nmnace32.exe 560 Nilhhdga.exe 1688 Ohaeia32.exe 2828 Okanklik.exe 1108 Oegbheiq.exe 1536 Oqacic32.exe 1204 Okfgfl32.exe 2332 Oappcfmb.exe 456 Ogmhkmki.exe 1624 Pcdipnqn.exe 1828 Pfbelipa.exe 2180 Pqhijbog.exe 2296 Pcfefmnk.exe 1724 Picnndmb.exe 2416 Pomfkndo.exe 2292 Pjbjhgde.exe 2716 Poocpnbm.exe 2496 Pdlkiepd.exe 2408 Pkfceo32.exe 2484 Qbplbi32.exe 2524 Qijdocfj.exe 1876 Qngmgjeb.exe 2660 Qeaedd32.exe 1432 Abeemhkh.exe 1528 Acfaeq32.exe 1676 Amnfnfgg.exe 1692 Achojp32.exe -
Loads dropped DLL 64 IoCs
pid Process 1732 33083f5c913885a745d2dbfc7614bab0e0446875d2e59216c5b4906a4d527047.exe 1732 33083f5c913885a745d2dbfc7614bab0e0446875d2e59216c5b4906a4d527047.exe 2980 Fjongcbl.exe 2980 Fjongcbl.exe 3012 Gfhladfn.exe 3012 Gfhladfn.exe 2856 Giieco32.exe 2856 Giieco32.exe 2260 Gdniqh32.exe 2260 Gdniqh32.exe 2424 Hpgfki32.exe 2424 Hpgfki32.exe 2476 Hlngpjlj.exe 2476 Hlngpjlj.exe 2956 Hakphqja.exe 2956 Hakphqja.exe 576 Hmbpmapf.exe 576 Hmbpmapf.exe 2036 Hpbiommg.exe 2036 Hpbiommg.exe 1088 Ikkjbe32.exe 1088 Ikkjbe32.exe 2392 Illgimph.exe 2392 Illgimph.exe 1476 Ilncom32.exe 1476 Ilncom32.exe 1972 Ioolqh32.exe 1972 Ioolqh32.exe 1636 Ijdqna32.exe 1636 Ijdqna32.exe 2548 Jnffgd32.exe 2548 Jnffgd32.exe 3024 Jdbkjn32.exe 3024 Jdbkjn32.exe 652 Jdgdempa.exe 652 Jdgdempa.exe 1028 Kiijnq32.exe 1028 Kiijnq32.exe 1060 Kcakaipc.exe 1060 Kcakaipc.exe 1984 Kklpekno.exe 1984 Kklpekno.exe 1032 Kkolkk32.exe 1032 Kkolkk32.exe 1928 Kegqdqbl.exe 1928 Kegqdqbl.exe 2256 Kjdilgpc.exe 2256 Kjdilgpc.exe 2884 Lmebnb32.exe 2884 Lmebnb32.exe 2940 Ljibgg32.exe 2940 Ljibgg32.exe 2216 Lcagpl32.exe 2216 Lcagpl32.exe 2004 Linphc32.exe 2004 Linphc32.exe 2552 Ljmlbfhi.exe 2552 Ljmlbfhi.exe 2748 Lbiqfied.exe 2748 Lbiqfied.exe 2744 Mpmapm32.exe 2744 Mpmapm32.exe 2768 Meijhc32.exe 2768 Meijhc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bmhideol.exe Afnagk32.exe File created C:\Windows\SysWOW64\Enlglnci.exe Ehoocgeb.exe File opened for modification C:\Windows\SysWOW64\Cadjgf32.exe Chlfnp32.exe File opened for modification C:\Windows\SysWOW64\Hbknkl32.exe Halbai32.exe File created C:\Windows\SysWOW64\Pnjofo32.exe Pgpgjepk.exe File created C:\Windows\SysWOW64\Giaidnkf.exe Gajqbakc.exe File created C:\Windows\SysWOW64\Hndnigle.dll Mmjomogn.exe File created C:\Windows\SysWOW64\Djcnme32.dll Ankedf32.exe File created C:\Windows\SysWOW64\Hjdlgkfb.dll Oaciom32.exe File opened for modification C:\Windows\SysWOW64\Fjdnlhco.exe Foojop32.exe File created C:\Windows\SysWOW64\Cillkbac.exe Cpdgbm32.exe File opened for modification C:\Windows\SysWOW64\Gncldi32.exe Gblkoham.exe File created C:\Windows\SysWOW64\Ajamfh32.exe Apkihofl.exe File created C:\Windows\SysWOW64\Abnopj32.exe Amafgc32.exe File opened for modification C:\Windows\SysWOW64\Heonpf32.exe Glfjgaih.exe File created C:\Windows\SysWOW64\Imgmggec.dll Process not Found File created C:\Windows\SysWOW64\Kbgecc32.dll Process not Found File created C:\Windows\SysWOW64\Jjjkclbf.dll Omcifpnp.exe File created C:\Windows\SysWOW64\Aeenapck.exe Ankedf32.exe File created C:\Windows\SysWOW64\Dcihik32.dll Process not Found File created C:\Windows\SysWOW64\Jcjbelmp.dll Kiijnq32.exe File opened for modification C:\Windows\SysWOW64\Cphndc32.exe Cklfll32.exe File opened for modification C:\Windows\SysWOW64\Lafahdcc.exe Ldbaopdj.exe File created C:\Windows\SysWOW64\Embbek32.dll Chlgid32.exe File created C:\Windows\SysWOW64\Fmdpcpjb.dll Oqjibkek.exe File opened for modification C:\Windows\SysWOW64\Hipmoc32.exe Process not Found File created C:\Windows\SysWOW64\Khabghdl.exe Kbgjkn32.exe File created C:\Windows\SysWOW64\Pllkpn32.exe Pbdfgilj.exe File opened for modification C:\Windows\SysWOW64\Fmlecinf.exe Ecogodlk.exe File opened for modification C:\Windows\SysWOW64\Kmaphmln.exe Kgdgpfnf.exe File opened for modification C:\Windows\SysWOW64\Dckcnj32.exe Ckpoih32.exe File opened for modification C:\Windows\SysWOW64\Hpbiommg.exe Hmbpmapf.exe File opened for modification C:\Windows\SysWOW64\Igijkd32.exe Iamabm32.exe File opened for modification C:\Windows\SysWOW64\Jbedkhie.exe Jgppmpjp.exe File opened for modification C:\Windows\SysWOW64\Maefamlh.exe Mlhnifmq.exe File created C:\Windows\SysWOW64\Jenbjc32.exe Jndjmifj.exe File opened for modification C:\Windows\SysWOW64\Ankhmncb.exe Process not Found File created C:\Windows\SysWOW64\Knbnol32.dll Oiafee32.exe File created C:\Windows\SysWOW64\Fnlppbbp.dll Kfjfik32.exe File created C:\Windows\SysWOW64\Cdkkcp32.exe Bggjjlnb.exe File created C:\Windows\SysWOW64\Qfclkmib.dll Ejjbbkpj.exe File opened for modification C:\Windows\SysWOW64\Hdfhdfgl.exe Hmmphlpp.exe File opened for modification C:\Windows\SysWOW64\Omcifpnp.exe Oehdan32.exe File created C:\Windows\SysWOW64\Bbbpenco.exe Bkhhhd32.exe File created C:\Windows\SysWOW64\Nmnace32.exe Moidahcn.exe File created C:\Windows\SysWOW64\Ddhjpejc.dll Mdgmbhgh.exe File created C:\Windows\SysWOW64\Oaaifdhb.exe Oifdbb32.exe File created C:\Windows\SysWOW64\Olnmgo32.dll Piieicgl.exe File created C:\Windows\SysWOW64\Lpkadj32.dll Mbkpeake.exe File created C:\Windows\SysWOW64\Bamoho32.dll Oqmmbqgd.exe File opened for modification C:\Windows\SysWOW64\Qifnhaho.exe Phgannal.exe File opened for modification C:\Windows\SysWOW64\Giahhj32.exe Ffcllo32.exe File created C:\Windows\SysWOW64\Mgjnhaco.exe Mfjann32.exe File opened for modification C:\Windows\SysWOW64\Kcgmoggn.exe Kgpmjf32.exe File created C:\Windows\SysWOW64\Npepblac.dll Cqdfehii.exe File created C:\Windows\SysWOW64\Llolnffe.dll Bgokfnij.exe File created C:\Windows\SysWOW64\Qobbcpoc.dll Pfnoegaf.exe File opened for modification C:\Windows\SysWOW64\Dqddmd32.exe Dfkclf32.exe File created C:\Windows\SysWOW64\Apbfblll.dll Lmebnb32.exe File opened for modification C:\Windows\SysWOW64\Kglcogeo.exe Jhdihkcj.exe File created C:\Windows\SysWOW64\Jbbccgmp.exe Jenbjc32.exe File opened for modification C:\Windows\SysWOW64\Ifmocb32.exe Ikgkei32.exe File created C:\Windows\SysWOW64\Fodkno32.dll Gdcmig32.exe File created C:\Windows\SysWOW64\Mponel32.exe Meijhc32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4916 3156 Process not Found 1185 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiimgf32.dll" Ekfpmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmddgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dafikqcd.dll" Aeenapck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lffmpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcnqanhd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pilfpqaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jfofol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlqmmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Miclhpjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldaomc32.dll" Eppefg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bplnpkga.dll" Eannmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbniohpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfkhndca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heloek32.dll" Cgnnab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opodknco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkebqmfj.dll" Pgibdjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmaick32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldpbpgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Obmnna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emifeqid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmlfmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdkkcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gjdldd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Faijggao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gimaah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npiiafpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffcllo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Omcifpnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfbfhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okkkoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdpnaccc.dll" Kimlqfeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlfga32.dll" Oappcfmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bopknhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfnihd32.dll" Mbopon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfhdk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ecfldoph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Daacecfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pllkpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekjpaefk.dll" Bikjmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gkpakq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cllkin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Comdkipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heapkela.dll" Lcaiiejc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjckae.dll" Qifnhaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmdiahco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nnnbni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Famaimfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jecnnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dflpeo32.dll" Jmdiahco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edqocbkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abpcooea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oiahnnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efoied32.dll" Amafgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gpjfcali.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihmgiiff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nkhdkgnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eijdkcgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgnnab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Docopbaf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1732 wrote to memory of 2980 1732 33083f5c913885a745d2dbfc7614bab0e0446875d2e59216c5b4906a4d527047.exe 28 PID 1732 wrote to memory of 2980 1732 33083f5c913885a745d2dbfc7614bab0e0446875d2e59216c5b4906a4d527047.exe 28 PID 1732 wrote to memory of 2980 1732 33083f5c913885a745d2dbfc7614bab0e0446875d2e59216c5b4906a4d527047.exe 28 PID 1732 wrote to memory of 2980 1732 33083f5c913885a745d2dbfc7614bab0e0446875d2e59216c5b4906a4d527047.exe 28 PID 2980 wrote to memory of 3012 2980 Fjongcbl.exe 29 PID 2980 wrote to memory of 3012 2980 Fjongcbl.exe 29 PID 2980 wrote to memory of 3012 2980 Fjongcbl.exe 29 PID 2980 wrote to memory of 3012 2980 Fjongcbl.exe 29 PID 3012 wrote to memory of 2856 3012 Gfhladfn.exe 30 PID 3012 wrote to memory of 2856 3012 Gfhladfn.exe 30 PID 3012 wrote to memory of 2856 3012 Gfhladfn.exe 30 PID 3012 wrote to memory of 2856 3012 Gfhladfn.exe 30 PID 2856 wrote to memory of 2260 2856 Giieco32.exe 31 PID 2856 wrote to memory of 2260 2856 Giieco32.exe 31 PID 2856 wrote to memory of 2260 2856 Giieco32.exe 31 PID 2856 wrote to memory of 2260 2856 Giieco32.exe 31 PID 2260 wrote to memory of 2424 2260 Gdniqh32.exe 32 PID 2260 wrote to memory of 2424 2260 Gdniqh32.exe 32 PID 2260 wrote to memory of 2424 2260 Gdniqh32.exe 32 PID 2260 wrote to memory of 2424 2260 Gdniqh32.exe 32 PID 2424 wrote to memory of 2476 2424 Hpgfki32.exe 33 PID 2424 wrote to memory of 2476 2424 Hpgfki32.exe 33 PID 2424 wrote to memory of 2476 2424 Hpgfki32.exe 33 PID 2424 wrote to memory of 2476 2424 Hpgfki32.exe 33 PID 2476 wrote to memory of 2956 2476 Hlngpjlj.exe 34 PID 2476 wrote to memory of 2956 2476 Hlngpjlj.exe 34 PID 2476 wrote to memory of 2956 2476 Hlngpjlj.exe 34 PID 2476 wrote to memory of 2956 2476 Hlngpjlj.exe 34 PID 2956 wrote to memory of 576 2956 Hakphqja.exe 35 PID 2956 wrote to memory of 576 2956 Hakphqja.exe 35 PID 2956 wrote to memory of 576 2956 Hakphqja.exe 35 PID 2956 wrote to memory of 576 2956 Hakphqja.exe 35 PID 576 wrote to memory of 2036 576 Hmbpmapf.exe 36 PID 576 wrote to memory of 2036 576 Hmbpmapf.exe 36 PID 576 wrote to memory of 2036 576 Hmbpmapf.exe 36 PID 576 wrote to memory of 2036 576 Hmbpmapf.exe 36 PID 2036 wrote to memory of 1088 2036 Hpbiommg.exe 37 PID 2036 wrote to memory of 1088 2036 Hpbiommg.exe 37 PID 2036 wrote to memory of 1088 2036 Hpbiommg.exe 37 PID 2036 wrote to memory of 1088 2036 Hpbiommg.exe 37 PID 1088 wrote to memory of 2392 1088 Ikkjbe32.exe 38 PID 1088 wrote to memory of 2392 1088 Ikkjbe32.exe 38 PID 1088 wrote to memory of 2392 1088 Ikkjbe32.exe 38 PID 1088 wrote to memory of 2392 1088 Ikkjbe32.exe 38 PID 2392 wrote to memory of 1476 2392 Illgimph.exe 39 PID 2392 wrote to memory of 1476 2392 Illgimph.exe 39 PID 2392 wrote to memory of 1476 2392 Illgimph.exe 39 PID 2392 wrote to memory of 1476 2392 Illgimph.exe 39 PID 1476 wrote to memory of 1972 1476 Ilncom32.exe 40 PID 1476 wrote to memory of 1972 1476 Ilncom32.exe 40 PID 1476 wrote to memory of 1972 1476 Ilncom32.exe 40 PID 1476 wrote to memory of 1972 1476 Ilncom32.exe 40 PID 1972 wrote to memory of 1636 1972 Ioolqh32.exe 41 PID 1972 wrote to memory of 1636 1972 Ioolqh32.exe 41 PID 1972 wrote to memory of 1636 1972 Ioolqh32.exe 41 PID 1972 wrote to memory of 1636 1972 Ioolqh32.exe 41 PID 1636 wrote to memory of 2548 1636 Ijdqna32.exe 42 PID 1636 wrote to memory of 2548 1636 Ijdqna32.exe 42 PID 1636 wrote to memory of 2548 1636 Ijdqna32.exe 42 PID 1636 wrote to memory of 2548 1636 Ijdqna32.exe 42 PID 2548 wrote to memory of 3024 2548 Jnffgd32.exe 43 PID 2548 wrote to memory of 3024 2548 Jnffgd32.exe 43 PID 2548 wrote to memory of 3024 2548 Jnffgd32.exe 43 PID 2548 wrote to memory of 3024 2548 Jnffgd32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\33083f5c913885a745d2dbfc7614bab0e0446875d2e59216c5b4906a4d527047.exe"C:\Users\Admin\AppData\Local\Temp\33083f5c913885a745d2dbfc7614bab0e0446875d2e59216c5b4906a4d527047.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Fjongcbl.exeC:\Windows\system32\Fjongcbl.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Gfhladfn.exeC:\Windows\system32\Gfhladfn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Giieco32.exeC:\Windows\system32\Giieco32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Gdniqh32.exeC:\Windows\system32\Gdniqh32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Hpgfki32.exeC:\Windows\system32\Hpgfki32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Hlngpjlj.exeC:\Windows\system32\Hlngpjlj.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Hakphqja.exeC:\Windows\system32\Hakphqja.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Hmbpmapf.exeC:\Windows\system32\Hmbpmapf.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\SysWOW64\Hpbiommg.exeC:\Windows\system32\Hpbiommg.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Ikkjbe32.exeC:\Windows\system32\Ikkjbe32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\SysWOW64\Illgimph.exeC:\Windows\system32\Illgimph.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Ilncom32.exeC:\Windows\system32\Ilncom32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\Ioolqh32.exeC:\Windows\system32\Ioolqh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Ijdqna32.exeC:\Windows\system32\Ijdqna32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Jnffgd32.exeC:\Windows\system32\Jnffgd32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Jdbkjn32.exeC:\Windows\system32\Jdbkjn32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Jdgdempa.exeC:\Windows\system32\Jdgdempa.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:652 -
C:\Windows\SysWOW64\Kiijnq32.exeC:\Windows\system32\Kiijnq32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1028 -
C:\Windows\SysWOW64\Kcakaipc.exeC:\Windows\system32\Kcakaipc.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1060 -
C:\Windows\SysWOW64\Kklpekno.exeC:\Windows\system32\Kklpekno.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1984 -
C:\Windows\SysWOW64\Kkolkk32.exeC:\Windows\system32\Kkolkk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1032 -
C:\Windows\SysWOW64\Kegqdqbl.exeC:\Windows\system32\Kegqdqbl.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1928 -
C:\Windows\SysWOW64\Kjdilgpc.exeC:\Windows\system32\Kjdilgpc.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2256 -
C:\Windows\SysWOW64\Lmebnb32.exeC:\Windows\system32\Lmebnb32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Ljibgg32.exeC:\Windows\system32\Ljibgg32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2940 -
C:\Windows\SysWOW64\Lcagpl32.exeC:\Windows\system32\Lcagpl32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Linphc32.exeC:\Windows\system32\Linphc32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004 -
C:\Windows\SysWOW64\Ljmlbfhi.exeC:\Windows\system32\Ljmlbfhi.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Lbiqfied.exeC:\Windows\system32\Lbiqfied.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2748 -
C:\Windows\SysWOW64\Mpmapm32.exeC:\Windows\system32\Mpmapm32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Meijhc32.exeC:\Windows\system32\Meijhc32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2768 -
C:\Windows\SysWOW64\Mponel32.exeC:\Windows\system32\Mponel32.exe33⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Melfncqb.exeC:\Windows\system32\Melfncqb.exe34⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Modkfi32.exeC:\Windows\system32\Modkfi32.exe35⤵
- Executes dropped EXE
PID:332 -
C:\Windows\SysWOW64\Mlhkpm32.exeC:\Windows\system32\Mlhkpm32.exe36⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Mdcpdp32.exeC:\Windows\system32\Mdcpdp32.exe37⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Moidahcn.exeC:\Windows\system32\Moidahcn.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:532 -
C:\Windows\SysWOW64\Nmnace32.exeC:\Windows\system32\Nmnace32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Nilhhdga.exeC:\Windows\system32\Nilhhdga.exe40⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Ohaeia32.exeC:\Windows\system32\Ohaeia32.exe41⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Okanklik.exeC:\Windows\system32\Okanklik.exe42⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Oegbheiq.exeC:\Windows\system32\Oegbheiq.exe43⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Oqacic32.exeC:\Windows\system32\Oqacic32.exe44⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Okfgfl32.exeC:\Windows\system32\Okfgfl32.exe45⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Oappcfmb.exeC:\Windows\system32\Oappcfmb.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2332 -
C:\Windows\SysWOW64\Ogmhkmki.exeC:\Windows\system32\Ogmhkmki.exe47⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Pcdipnqn.exeC:\Windows\system32\Pcdipnqn.exe48⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Pfbelipa.exeC:\Windows\system32\Pfbelipa.exe49⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Pqhijbog.exeC:\Windows\system32\Pqhijbog.exe50⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Pcfefmnk.exeC:\Windows\system32\Pcfefmnk.exe51⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Picnndmb.exeC:\Windows\system32\Picnndmb.exe52⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Pomfkndo.exeC:\Windows\system32\Pomfkndo.exe53⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Pjbjhgde.exeC:\Windows\system32\Pjbjhgde.exe54⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Poocpnbm.exeC:\Windows\system32\Poocpnbm.exe55⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Pdlkiepd.exeC:\Windows\system32\Pdlkiepd.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Pkfceo32.exeC:\Windows\system32\Pkfceo32.exe57⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Qbplbi32.exeC:\Windows\system32\Qbplbi32.exe58⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Qijdocfj.exeC:\Windows\system32\Qijdocfj.exe59⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Qngmgjeb.exeC:\Windows\system32\Qngmgjeb.exe60⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Qeaedd32.exeC:\Windows\system32\Qeaedd32.exe61⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Abeemhkh.exeC:\Windows\system32\Abeemhkh.exe62⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Acfaeq32.exeC:\Windows\system32\Acfaeq32.exe63⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Amnfnfgg.exeC:\Windows\system32\Amnfnfgg.exe64⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Achojp32.exeC:\Windows\system32\Achojp32.exe65⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Ajbggjfq.exeC:\Windows\system32\Ajbggjfq.exe66⤵PID:1572
-
C:\Windows\SysWOW64\Aaloddnn.exeC:\Windows\system32\Aaloddnn.exe67⤵PID:2556
-
C:\Windows\SysWOW64\Agfgqo32.exeC:\Windows\system32\Agfgqo32.exe68⤵PID:2380
-
C:\Windows\SysWOW64\Amcpie32.exeC:\Windows\system32\Amcpie32.exe69⤵PID:2904
-
C:\Windows\SysWOW64\Afkdakjb.exeC:\Windows\system32\Afkdakjb.exe70⤵PID:2288
-
C:\Windows\SysWOW64\Apdhjq32.exeC:\Windows\system32\Apdhjq32.exe71⤵PID:2400
-
C:\Windows\SysWOW64\Afnagk32.exeC:\Windows\system32\Afnagk32.exe72⤵
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Bmhideol.exeC:\Windows\system32\Bmhideol.exe73⤵PID:1280
-
C:\Windows\SysWOW64\Bfpnmj32.exeC:\Windows\system32\Bfpnmj32.exe74⤵PID:1744
-
C:\Windows\SysWOW64\Bhajdblk.exeC:\Windows\system32\Bhajdblk.exe75⤵PID:2764
-
C:\Windows\SysWOW64\Bbgnak32.exeC:\Windows\system32\Bbgnak32.exe76⤵PID:2508
-
C:\Windows\SysWOW64\Blobjaba.exeC:\Windows\system32\Blobjaba.exe77⤵PID:1728
-
C:\Windows\SysWOW64\Balkchpi.exeC:\Windows\system32\Balkchpi.exe78⤵PID:2776
-
C:\Windows\SysWOW64\Bejdiffp.exeC:\Windows\system32\Bejdiffp.exe79⤵PID:2124
-
C:\Windows\SysWOW64\Bfkpqn32.exeC:\Windows\system32\Bfkpqn32.exe80⤵PID:1896
-
C:\Windows\SysWOW64\Bmeimhdj.exeC:\Windows\system32\Bmeimhdj.exe81⤵PID:2436
-
C:\Windows\SysWOW64\Cfnmfn32.exeC:\Windows\system32\Cfnmfn32.exe82⤵PID:344
-
C:\Windows\SysWOW64\Cmgechbh.exeC:\Windows\system32\Cmgechbh.exe83⤵PID:2692
-
C:\Windows\SysWOW64\Cklfll32.exeC:\Windows\system32\Cklfll32.exe84⤵
- Drops file in System32 directory
PID:1468 -
C:\Windows\SysWOW64\Cphndc32.exeC:\Windows\system32\Cphndc32.exe85⤵PID:1768
-
C:\Windows\SysWOW64\Cgbfamff.exeC:\Windows\system32\Cgbfamff.exe86⤵PID:1544
-
C:\Windows\SysWOW64\Ciqcmiei.exeC:\Windows\system32\Ciqcmiei.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1232 -
C:\Windows\SysWOW64\Ccigfn32.exeC:\Windows\system32\Ccigfn32.exe88⤵PID:2172
-
C:\Windows\SysWOW64\Chfpoeja.exeC:\Windows\system32\Chfpoeja.exe89⤵PID:2168
-
C:\Windows\SysWOW64\Cejphiik.exeC:\Windows\system32\Cejphiik.exe90⤵PID:880
-
C:\Windows\SysWOW64\Dcnqanhd.exeC:\Windows\system32\Dcnqanhd.exe91⤵
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Dngabk32.exeC:\Windows\system32\Dngabk32.exe92⤵PID:2740
-
C:\Windows\SysWOW64\Dhmfod32.exeC:\Windows\system32\Dhmfod32.exe93⤵PID:2184
-
C:\Windows\SysWOW64\Daejhjkj.exeC:\Windows\system32\Daejhjkj.exe94⤵PID:2952
-
C:\Windows\SysWOW64\Dknoaoaj.exeC:\Windows\system32\Dknoaoaj.exe95⤵PID:464
-
C:\Windows\SysWOW64\Dpjgifpa.exeC:\Windows\system32\Dpjgifpa.exe96⤵PID:2948
-
C:\Windows\SysWOW64\Dgdpfp32.exeC:\Windows\system32\Dgdpfp32.exe97⤵PID:1772
-
C:\Windows\SysWOW64\Dlahng32.exeC:\Windows\system32\Dlahng32.exe98⤵PID:2192
-
C:\Windows\SysWOW64\Efjlgmlf.exeC:\Windows\system32\Efjlgmlf.exe99⤵PID:556
-
C:\Windows\SysWOW64\Elcdcgcc.exeC:\Windows\system32\Elcdcgcc.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1600 -
C:\Windows\SysWOW64\Eflill32.exeC:\Windows\system32\Eflill32.exe101⤵PID:2936
-
C:\Windows\SysWOW64\Elfaifaq.exeC:\Windows\system32\Elfaifaq.exe102⤵PID:2328
-
C:\Windows\SysWOW64\Eodnebpd.exeC:\Windows\system32\Eodnebpd.exe103⤵PID:2008
-
C:\Windows\SysWOW64\Ejjbbkpj.exeC:\Windows\system32\Ejjbbkpj.exe104⤵
- Drops file in System32 directory
PID:1924 -
C:\Windows\SysWOW64\Eogjka32.exeC:\Windows\system32\Eogjka32.exe105⤵PID:1904
-
C:\Windows\SysWOW64\Ehoocgeb.exeC:\Windows\system32\Ehoocgeb.exe106⤵
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Enlglnci.exeC:\Windows\system32\Enlglnci.exe107⤵PID:1136
-
C:\Windows\SysWOW64\Ekpheb32.exeC:\Windows\system32\Ekpheb32.exe108⤵PID:2816
-
C:\Windows\SysWOW64\Fbjpblip.exeC:\Windows\system32\Fbjpblip.exe109⤵PID:2600
-
C:\Windows\SysWOW64\Fidhof32.exeC:\Windows\system32\Fidhof32.exe110⤵PID:768
-
C:\Windows\SysWOW64\Fgiepced.exeC:\Windows\system32\Fgiepced.exe111⤵PID:1704
-
C:\Windows\SysWOW64\Fqajihle.exeC:\Windows\system32\Fqajihle.exe112⤵PID:1128
-
C:\Windows\SysWOW64\Fcpfedki.exeC:\Windows\system32\Fcpfedki.exe113⤵PID:1460
-
C:\Windows\SysWOW64\Fnejbmko.exeC:\Windows\system32\Fnejbmko.exe114⤵PID:2684
-
C:\Windows\SysWOW64\Fgnokb32.exeC:\Windows\system32\Fgnokb32.exe115⤵PID:2868
-
C:\Windows\SysWOW64\Fafcdh32.exeC:\Windows\system32\Fafcdh32.exe116⤵PID:2820
-
C:\Windows\SysWOW64\Ffcllo32.exeC:\Windows\system32\Ffcllo32.exe117⤵
- Drops file in System32 directory
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Giahhj32.exeC:\Windows\system32\Giahhj32.exe118⤵PID:964
-
C:\Windows\SysWOW64\Glpdde32.exeC:\Windows\system32\Glpdde32.exe119⤵PID:1104
-
C:\Windows\SysWOW64\Geoonjeg.exeC:\Windows\system32\Geoonjeg.exe120⤵PID:1936
-
C:\Windows\SysWOW64\Hjndlqal.exeC:\Windows\system32\Hjndlqal.exe121⤵PID:2440
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-