Overview: score 10
Static: score 10

Analysis
max time kernel: 298s
max time network: 128s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 04-07-2024 17:22

Behavioral tasks (all on windows7-x64; Score is the badge shown next to each task in the task list, "none" where no badge is shown)
Task          Sample                                                 Resource          Score
behavioral1   [DemonArchives]01be7be288126004a6b6013cfa9630f3.exe   win7-20240508-en  10
behavioral2   [DemonArchives]02352cbf001e9c8176a5b7d381ef9b5e.exe   win7-20240221-en  10
behavioral3   [DemonArchives]02fa60c2391dc09e9a0b748a9d89c6a8.exe   win7-20240508-en  10
behavioral4   [DemonArchives]04a8e202d70a574213680cdb7c82fb55.exe   win7-20240508-en  none
behavioral5   [DemonArchives]05e82b287218043df6c8560cd0e2719c.exe   win7-20231129-en  8
behavioral6   [DemonArchives]07fe5f7c673e5faa200611f9cb716aac.exe   win7-20240508-en  10
behavioral7   [DemonArchives]086b605fada00eaa39fca0581712f10f.exe   win7-20240221-en  10
behavioral8   [DemonArchives]09f326448c37d99a61bb064e68ac6b94.exe   win7-20240611-en  10    (this report)
behavioral9   [DemonArchives]0a47e2885329b83d82525cb438e57f7e.exe   win7-20240508-en  8
behavioral10  [DemonArchives]0d061414e840b27ea6109e573bd2165a.exe   win7-20240419-en  1
behavioral11  [DemonArchives]1192a915b81f1f7878472391f42cb6c4.exe   win7-20240221-en  none
behavioral12  [DemonArchives]14049d0a3afad0faa21ab1fff2e417f3.exe   win7-20240220-en  10
behavioral13  [DemonArchives]149dd5469233f52aa4287362ce85b88f.exe   win7-20240611-en  10
behavioral14  [DemonArchives]1df7772347bfd34ecb1685a1ba69c285.exe   win7-20240611-en  10
behavioral15  [DemonArchives]1e0dc068677f96c9da7f43cf4d4acd92.exe   win7-20240508-en  9
behavioral16  [DemonArchives]1ee7f65b0c08c4ff7e1047c14851575b.exe   win7-20240508-en  10
behavioral17  [DemonArchives]1fa9dbcc19fb2ae5cd344f559e95b759.exe   win7-20240220-en  7
behavioral18  [DemonArchives]227f3ff19943a0e8c1b26a563246280f.exe   win7-20240419-en  10
behavioral19  [DemonArchives]2353c3f467be78e36e934caf5f3c3b61.exe   win7-20240221-en  10
behavioral20  [DemonArchives]26add802e0e75416385317658b116216.exe   win7-20231129-en  10
behavioral21  [DemonArchives]2bf9e607accd325cfb734cd594b00723.exe   win7-20240221-en  none
behavioral22  [DemonArchives]3825817f6028f26ff0b5cd748559286d.exe   win7-20240611-en  10
behavioral23  [DemonArchives]3e70eabf850c2134ac1acd815a2a90af.exe   win7-20240508-en  10
behavioral24  [DemonArchives]41637d74a16e50cafe6cb72974a1cf5c.exe   win7-20240611-en  10
behavioral25  [DemonArchives]42971155e95ad8ace7b6fc53d70fb952.exe   win7-20240508-en  10
behavioral26  [DemonArchives]47522f57257b441811cf5f87c9118faf.exe   win7-20240611-en  10
behavioral27  [DemonArchives]4782545d269557614be88caef0383cfa.exe   win7-20240419-en  10
behavioral28  [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe   win7-20240221-en  7
behavioral29  [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe   win7-20240220-en  10
behavioral30  [DemonArchives]4fd60e9aed5ab9ed5326da37806b2502.exe   win7-20240508-en  10
behavioral31  [DemonArchives]550ad0e50316dfca7c0bfd14f9060880.exe   win7-20231129-en  none
behavioral32  [DemonArchives]55a0c8c7e6c8b2be4ebd164d43e746c8.exe   win7-20240221-en  8
General
Target: [DemonArchives]09f326448c37d99a61bb064e68ac6b94.exe
Size: 1.9MB
MD5: 09f326448c37d99a61bb064e68ac6b94
SHA1: bf9a4dd86d4dde46adf3cc5f24465d83ae13830a
SHA256: 76e2ce48705ffc8abf38619d1ecaddbcb3ff580ce829b7a472359651461312fb
SHA512: 859934c79cdfdaecffb60f51f64b95e6c674fb4fa970629455e6747777dc0ead612a43041fb6b11b4493dc920e609acfdf440fdde4a8e892c7ab4466b5eb3d17
SSDEEP: 24576:xQXTNIVyeNIVy2jU3NIVyeNIVy2jUQNIVyeNIVy2jU3NIVyeNIVy2jUO:sqyjByjUyjByjH
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
All 64 IoCs concern the key
  \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Key created (36 IoCs), writing process, in report order:
  Cdikkg32.exe, Dbkknojp.exe, Okoafmkm.exe, Aniimjbo.exe, Agdjkogm.exe, Aeqabgoj.exe, Kihqkagp.exe, Cadhnmnm.exe, Niebhf32.exe, Pdaheq32.exe, Bhdgjb32.exe, Fiihdlpc.exe, Hmfjha32.exe, Kmgbdo32.exe, Loeebl32.exe, Baakhm32.exe, Dkcofe32.exe, Bhajdblk.exe, Imfqjbli.exe, Gakcimgf.exe, Libicbma.exe, Llnofpcg.exe, Ikkjbe32.exe, Jkjfah32.exe, Lapnnafn.exe, Hkfagfop.exe, Kgcpjmcb.exe, Lmgocb32.exe, Jicgpb32.exe, Mpigfa32.exe, Hbfbgd32.exe, Pfdabino.exe, Amnfnfgg.exe, Cnobnmpl.exe, Bekkcljk.exe, Ikddbj32.exe
Set value (str) ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" (28 IoCs), writing process, in report order:
  Mlibjc32.exe, Naajoinb.exe, Mpmapm32.exe, Mlcbenjb.exe, Aniimjbo.exe, Blaopqpo.exe, Jjbpgd32.exe, Kgcpjmcb.exe, Hdildlie.exe, Lmlhnagm.exe, Bioqclil.exe, Pdaheq32.exe, Apoooa32.exe, Jicgpb32.exe, Kegqdqbl.exe, Moanaiie.exe, Ncmfqkdj.exe, Eibbcm32.exe, Kafbec32.exe, Dbkknojp.exe, Boplllob.exe, Pgioaa32.exe, Aadloj32.exe, Hmfjha32.exe, Baadng32.exe, Afcenm32.exe, Blgpef32.exe, Anojbobe.exe
-
Executes dropped EXE (64 IoCs)
pid Process, in report order:
  2096 Fjgoce32.exe    2076 Feeiob32.exe    2036 Globlmmj.exe    2560 Gogangdc.exe
  2536 Ihoafpmp.exe    2580 Ikddbj32.exe    2844 Imfqjbli.exe    2896 Jicgpb32.exe
  3056 Jbllihbf.exe    1936 Jnclnihj.exe    1560 Kihqkagp.exe     340 Kjjmbj32.exe
  2044 Keoapb32.exe    2732 Kafbec32.exe    1864 Kfbkmk32.exe    1448 Kcfkfo32.exe
  1396 Kmopod32.exe     828 Kpmlkp32.exe    1164 Kfgdhjmk.exe    1468 Kmaled32.exe
   976 Lfjqnjkh.exe    1184 Loeebl32.exe    2308 Lliflp32.exe    2980 Lhpfqama.exe
   872 Lbeknj32.exe    3016 Ldfgebbe.exe    1588 Llnofpcg.exe    2680 Lajhofao.exe
  2756 Mhdplq32.exe    2728 Mmahdggc.exe    2784 Mdkqqa32.exe    3044 Mkeimlfm.exe
   856 Mmceigep.exe    2952 Mgljbm32.exe    2876 Mlibjc32.exe    2828 Mcegmm32.exe
  2092 Mpigfa32.exe     484 Nialog32.exe    2080 Ncjqhmkm.exe    2504 Ndkmpe32.exe
  1516 Noqamn32.exe    1288 Ndmjedoi.exe    2612 Nkgbbo32.exe    1720 Naajoinb.exe
  1740 Nhkbkc32.exe    1564 Njlockkm.exe    2908 Ndbcpd32.exe    2656 Ngpolo32.exe
  2948 Oqideepg.exe    1524 Ojahnj32.exe    2408 Ogeigofa.exe    1464 Obafnlpn.exe
  2088 Oikojfgk.exe    2556 Ooeggp32.exe    2348 Obcccl32.exe     576 Pimkpfeh.exe
  1920 Pklhlael.exe    2700 Pedleg32.exe    2180 Pgbhabjp.exe    2872 Pbhmnkjf.exe
  2228 Pgeefbhm.exe    1492 Pamiog32.exe    2356 Pggbla32.exe    3084 Pmdjdh32.exe
-
Loads dropped DLL (64 IoCs)
pid Process, in report order; each of the 32 processes below appears twice in the report (two DLL loads each):
  1812 [DemonArchives]09f326448c37d99a61bb064e68ac6b94.exe
  2096 Fjgoce32.exe    2076 Feeiob32.exe    2036 Globlmmj.exe    2560 Gogangdc.exe
  2536 Ihoafpmp.exe    2580 Ikddbj32.exe    2844 Imfqjbli.exe    2896 Jicgpb32.exe
  3056 Jbllihbf.exe    1936 Jnclnihj.exe    1560 Kihqkagp.exe     340 Kjjmbj32.exe
  2044 Keoapb32.exe    2732 Kafbec32.exe    1864 Kfbkmk32.exe    1448 Kcfkfo32.exe
  1396 Kmopod32.exe     828 Kpmlkp32.exe    1164 Kfgdhjmk.exe    1468 Kmaled32.exe
   976 Lfjqnjkh.exe    1184 Loeebl32.exe    2308 Lliflp32.exe    2980 Lhpfqama.exe
   872 Lbeknj32.exe    3016 Ldfgebbe.exe    1588 Llnofpcg.exe    2680 Lajhofao.exe
  2756 Mhdplq32.exe    2728 Mmahdggc.exe    2784 Mdkqqa32.exe
-
Drops file in System32 directory (64 IoCs)
description  path  Process, in report order:
  created                   C:\Windows\SysWOW64\Lfnjef32.dll  Ekelld32.exe
  opened for modification   C:\Windows\SysWOW64\Echfaf32.exe  Eibbcm32.exe
  created                   C:\Windows\SysWOW64\Qagnqken.dll  Hdlhjl32.exe
  opened for modification   C:\Windows\SysWOW64\Kgcpjmcb.exe  Keednado.exe
  created                   C:\Windows\SysWOW64\Mmdcie32.dll  Lapnnafn.exe
  created                   C:\Windows\SysWOW64\Fhhmapcq.dll  Lpjdjmfp.exe
  opened for modification   C:\Windows\SysWOW64\Qgoapp32.exe  Qeaedd32.exe
  opened for modification   C:\Windows\SysWOW64\Agdjkogm.exe  Amnfnfgg.exe
  created                   C:\Windows\SysWOW64\Ffpncj32.dll  Emieil32.exe
  created                   C:\Windows\SysWOW64\Gakcimgf.exe  Gffoldhp.exe
  created                   C:\Windows\SysWOW64\Ljmlbfhi.exe  Lphhenhc.exe
  created                   C:\Windows\SysWOW64\Oqcpob32.exe  Ojigbhlp.exe
  opened for modification   C:\Windows\SysWOW64\Lhpfqama.exe  Lliflp32.exe
  opened for modification   C:\Windows\SysWOW64\Nmnace32.exe  Ngdifkpi.exe
  created                   C:\Windows\SysWOW64\Oepbgcpb.dll  Oqcpob32.exe
  created                   C:\Windows\SysWOW64\Amcpie32.exe  Afiglkle.exe
  opened for modification   C:\Windows\SysWOW64\Aadloj32.exe  Afohaa32.exe
  created                   C:\Windows\SysWOW64\Ilcmjl32.exe  Ijdqna32.exe
  created                   C:\Windows\SysWOW64\Apalea32.exe  Amcpie32.exe
  opened for modification   C:\Windows\SysWOW64\Illgimph.exe  Ikkjbe32.exe
  opened for modification   C:\Windows\SysWOW64\Mmldme32.exe  Meppiblm.exe
  opened for modification   C:\Windows\SysWOW64\Qbcpbo32.exe  Pikkiijf.exe
  created                   C:\Windows\SysWOW64\Igdaoinc.dll  Abmbhn32.exe
  opened for modification   C:\Windows\SysWOW64\Cnkicn32.exe  Clilkfnb.exe
  opened for modification   C:\Windows\SysWOW64\Ekelld32.exe  Eqpgol32.exe
  opened for modification   C:\Windows\SysWOW64\Emieil32.exe  Ekhhadmk.exe
  created                   C:\Windows\SysWOW64\Djmffb32.dll  Lmgocb32.exe
  created                   C:\Windows\SysWOW64\Niebhf32.exe  Ngfflj32.exe
  opened for modification   C:\Windows\SysWOW64\Oeeecekc.exe  Ocfigjlp.exe
  created                   C:\Windows\SysWOW64\Geofbffe.dll  Kfbkmk32.exe
  created                   C:\Windows\SysWOW64\Lijigk32.dll  Hpbiommg.exe
  created                   C:\Windows\SysWOW64\Mmahdggc.exe  Mhdplq32.exe
  opened for modification   C:\Windows\SysWOW64\Aamfnkai.exe  Anojbobe.exe
  created                   C:\Windows\SysWOW64\Kbkameaf.exe  Kkaiqk32.exe
  opened for modification   C:\Windows\SysWOW64\Nplmop32.exe  Nmnace32.exe
  created                   C:\Windows\SysWOW64\Hljdna32.dll  Nplmop32.exe
  opened for modification   C:\Windows\SysWOW64\Apoooa32.exe  Amqccfed.exe
  opened for modification   C:\Windows\SysWOW64\Ikkjbe32.exe  Hdqbekcm.exe
  created                   C:\Windows\SysWOW64\Jjdmmdnh.exe  Jcjdpj32.exe
  created                   C:\Windows\SysWOW64\Deeieqod.dll  Kgemplap.exe
  created                   C:\Windows\SysWOW64\Nlcnda32.exe  Niebhf32.exe
  created                   C:\Windows\SysWOW64\Igciil32.dll  Pomfkndo.exe
  created                   C:\Windows\SysWOW64\Bhajdblk.exe  Bfpnmj32.exe
  created                   C:\Windows\SysWOW64\Nodmbemj.dll  Bhajdblk.exe
  created                   C:\Windows\SysWOW64\Oglegn32.dll  Anccmo32.exe
  created                   C:\Windows\SysWOW64\Dfdlklmn.dll  Gakcimgf.exe
  created                   C:\Windows\SysWOW64\Ikkjbe32.exe  Hdqbekcm.exe
  created                   C:\Windows\SysWOW64\Pplhdp32.dll  Kofopj32.exe
  created                   C:\Windows\SysWOW64\Fcihoc32.dll  Ngfflj32.exe
  created                   C:\Windows\SysWOW64\Aonghnnp.dll  Ncjqhmkm.exe
  created                   C:\Windows\SysWOW64\Aelcmdee.dll  Qpgpkcpp.exe
  created                   C:\Windows\SysWOW64\Hkfagfop.exe  Hdlhjl32.exe
  created                   C:\Windows\SysWOW64\Kmgbdo32.exe  Kjifhc32.exe
  created                   C:\Windows\SysWOW64\Lapefgai.dll  Pbkbgjcc.exe
  created                   C:\Windows\SysWOW64\Qkhpkoen.exe  Qijdocfj.exe
  created                   C:\Windows\SysWOW64\Bonoflae.exe  Bhdgjb32.exe
  created                   C:\Windows\SysWOW64\Eignpade.dll  Bhdgjb32.exe
  created                   C:\Windows\SysWOW64\Jnclnihj.exe  Jbllihbf.exe
  created                   C:\Windows\SysWOW64\Nfcijc32.dll  Kmopod32.exe
  opened for modification   C:\Windows\SysWOW64\Nialog32.exe  Mpigfa32.exe
  created                   C:\Windows\SysWOW64\Ngfflj32.exe  Nplmop32.exe
  created                   C:\Windows\SysWOW64\Aceobl32.dll  Pqhijbog.exe
  created                   C:\Windows\SysWOW64\Cifmcd32.dll  Bfpnmj32.exe
  created                   C:\Windows\SysWOW64\Jbllihbf.exe  Jicgpb32.exe
-
Program crash (1 IoC)
pid 3928, pid_target 2332, Process WerFault.exe
-
Modifies registry class (64 IoCs)
All 64 IoCs concern the key
  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Key created (25 IoCs), writing process, in report order:
  Mpmapm32.exe, Beejng32.exe, Lmikibio.exe, Qgoapp32.exe, Jnkpbcjg.exe, Qkhpkoen.exe, Hkfagfop.exe, Aamfnkai.exe, Eqbddk32.exe, Djklnnaj.exe, Oikojfgk.exe, Odjbdb32.exe, Kcfkfo32.exe, Knklagmb.exe, Kihqkagp.exe, Kmaled32.exe, Mlfojn32.exe, Loeebl32.exe, Ljkomfjl.exe, Nekbmgcn.exe, Qpgpkcpp.exe, Llcefjgf.exe, Pbkbgjcc.exe, Globlmmj.exe, Ocfigjlp.exe
Set value (str) InProcServer32\ThreadingModel = "Apartment" (19 IoCs), writing process, in report order:
  Pdlkiepd.exe, Lmlhnagm.exe, Ojigbhlp.exe, Kihqkagp.exe, Gakcimgf.exe, Fpcqaf32.exe, Mmceigep.exe, Chpmpg32.exe, Bhajdblk.exe, Blaopqpo.exe, Apdhjq32.exe, Jnicmdli.exe, Kbidgeci.exe, Pmjqcc32.exe, Hkfagfop.exe, Obafnlpn.exe, Icjhagdp.exe, Kgcpjmcb.exe, Mmldme32.exe
Set value (str) InProcServer32\ (default) = DLL path (20 IoCs), value as shown in the report and writing process, in report order:
  "C:\\Windows\\SysWow64\\Oepbgcpb.dll"  Oqcpob32.exe
  "C:\\Windows\\SysWow64\\Ilcbjpbn.dll"  Aadloj32.exe
  "C:\\Windows\\SysWow64\\Pdobjm32.dll"  Ghelfg32.exe
  "C:\\Windows\\SysWow64\\Mnhlblil.dll"  Oqideepg.exe
  "C:\\Windows\\SysWow64\\Plnoej32.dll"  Dndlim32.exe
  "C:\\Windows\\SysWow64\\Dlfdghbq.dll"  Ljibgg32.exe
  "C:\\Windows\\SysWow64\\Ljpome32.dll"  Kfgdhjmk.exe
  "C:\\Windows\\SysWow64\\Oceaboqg.dll"  Nhkbkc32.exe
  "C:\\Windows\\SysWow64\\Bebpkk32.dll"  Cnobnmpl.exe
  "C:\\Windows\\SysWow64\\Nglknl32.dll"  Pikkiijf.exe
  "C:\\Windows\\SysWow64\\Ldeamlkj.dll"  Piekcd32.exe
  "C:\\Windows\\SysWow64\\Gjodeppm.dll"  Mhdplq32.exe
  "C:\\Windows\\SysWow64\\Ejbgljdk.dll"  Afcenm32.exe
  "C:\\Windows\\SysWow64\\Cpbplnnk.dll"  Mapjmehi.exe
  "C:\\Windows\\SysWow64\\Aeqmqeba.dll"  Pkfceo32.exe
  "C:\\Windows\\SysWow64\\Idlgcclp.dll"  Aniimjbo.exe
  "C:\\Windows\\SysWow64\\Kqgmkdbj.dll"  Kcfkfo32.exe
  "C:\\Windows\\SysWow64\\Eddpkh32.dll"  Bekkcljk.exe
  "C:\\Windows\\SysWow64\\Egqdeaqb.dll"  Dfamcogo.exe
  "C:\\Windows\\SysWow64\\Iemkjqde.dll"  Loeebl32.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Each entry below gives the process image path, the command line it was started with, its depth in the process tree (each process spawned the next) and its PID, followed by the behaviour tags the sandbox reported for it.

1. C:\Users\Admin\AppData\Local\Temp\[DemonArchives]09f326448c37d99a61bb064e68ac6b94.exe (command line: "C:\Users\Admin\AppData\Local\Temp\[DemonArchives]09f326448c37d99a61bb064e68ac6b94.exe"), PID 1812
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Fjgoce32.exe (command line: C:\Windows\system32\Fjgoce32.exe), PID 2096
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Feeiob32.exe (command line: C:\Windows\system32\Feeiob32.exe), PID 2076
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Globlmmj.exe (command line: C:\Windows\system32\Globlmmj.exe), PID 2036
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Gogangdc.exe (command line: C:\Windows\system32\Gogangdc.exe), PID 2560
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Ihoafpmp.exe (command line: C:\Windows\system32\Ihoafpmp.exe), PID 2536
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Ikddbj32.exe (command line: C:\Windows\system32\Ikddbj32.exe), PID 2580
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Imfqjbli.exe (command line: C:\Windows\system32\Imfqjbli.exe), PID 2844
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Jicgpb32.exe (command line: C:\Windows\system32\Jicgpb32.exe), PID 2896
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Jbllihbf.exe (command line: C:\Windows\system32\Jbllihbf.exe), PID 3056
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Jnclnihj.exe (command line: C:\Windows\system32\Jnclnihj.exe), PID 1936
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Kihqkagp.exe (command line: C:\Windows\system32\Kihqkagp.exe), PID 1560
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Kjjmbj32.exe (command line: C:\Windows\system32\Kjjmbj32.exe), PID 340
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Keoapb32.exe (command line: C:\Windows\system32\Keoapb32.exe), PID 2044
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Kafbec32.exe (command line: C:\Windows\system32\Kafbec32.exe), PID 2732
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Kfbkmk32.exe (command line: C:\Windows\system32\Kfbkmk32.exe), PID 1864
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Kcfkfo32.exe (command line: C:\Windows\system32\Kcfkfo32.exe), PID 1448
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
18. C:\Windows\SysWOW64\Kmopod32.exe (command line: C:\Windows\system32\Kmopod32.exe), PID 1396
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
19. C:\Windows\SysWOW64\Kpmlkp32.exe (command line: C:\Windows\system32\Kpmlkp32.exe), PID 828
   - Executes dropped EXE
   - Loads dropped DLL
20. C:\Windows\SysWOW64\Kfgdhjmk.exe (command line: C:\Windows\system32\Kfgdhjmk.exe), PID 1164
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
21. C:\Windows\SysWOW64\Kmaled32.exe (command line: C:\Windows\system32\Kmaled32.exe), PID 1468
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
22. C:\Windows\SysWOW64\Lfjqnjkh.exe (command line: C:\Windows\system32\Lfjqnjkh.exe), PID 976
   - Executes dropped EXE
   - Loads dropped DLL
23. C:\Windows\SysWOW64\Loeebl32.exe (command line: C:\Windows\system32\Loeebl32.exe), PID 1184
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
24. C:\Windows\SysWOW64\Lliflp32.exe (command line: C:\Windows\system32\Lliflp32.exe), PID 2308
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
25. C:\Windows\SysWOW64\Lhpfqama.exe (command line: C:\Windows\system32\Lhpfqama.exe), PID 2980
   - Executes dropped EXE
   - Loads dropped DLL
26. C:\Windows\SysWOW64\Lbeknj32.exe (command line: C:\Windows\system32\Lbeknj32.exe), PID 872
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\Windows\SysWOW64\Ldfgebbe.exe (command line: C:\Windows\system32\Ldfgebbe.exe), PID 3016
   - Executes dropped EXE
   - Loads dropped DLL
28. C:\Windows\SysWOW64\Llnofpcg.exe (command line: C:\Windows\system32\Llnofpcg.exe), PID 1588
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
29. C:\Windows\SysWOW64\Lajhofao.exe (command line: C:\Windows\system32\Lajhofao.exe), PID 2680
   - Executes dropped EXE
   - Loads dropped DLL
30. C:\Windows\SysWOW64\Mhdplq32.exe (command line: C:\Windows\system32\Mhdplq32.exe), PID 2756
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
31. C:\Windows\SysWOW64\Mmahdggc.exe (command line: C:\Windows\system32\Mmahdggc.exe), PID 2728
   - Executes dropped EXE
   - Loads dropped DLL
32. C:\Windows\SysWOW64\Mdkqqa32.exe (command line: C:\Windows\system32\Mdkqqa32.exe), PID 2784
   - Executes dropped EXE
   - Loads dropped DLL
33. C:\Windows\SysWOW64\Mkeimlfm.exe (command line: C:\Windows\system32\Mkeimlfm.exe), PID 3044
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Mmceigep.exe (command line: C:\Windows\system32\Mmceigep.exe), PID 856
   - Executes dropped EXE
   - Modifies registry class
35. C:\Windows\SysWOW64\Mgljbm32.exe (command line: C:\Windows\system32\Mgljbm32.exe), PID 2952
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Mlibjc32.exe (command line: C:\Windows\system32\Mlibjc32.exe), PID 2876
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Mcegmm32.exe (command line: C:\Windows\system32\Mcegmm32.exe), PID 2828
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Mpigfa32.exe (command line: C:\Windows\system32\Mpigfa32.exe), PID 2092
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
39. C:\Windows\SysWOW64\Nialog32.exe (command line: C:\Windows\system32\Nialog32.exe), PID 484
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Ncjqhmkm.exe (command line: C:\Windows\system32\Ncjqhmkm.exe), PID 2080
   - Executes dropped EXE
   - Drops file in System32 directory
41. C:\Windows\SysWOW64\Ndkmpe32.exe (command line: C:\Windows\system32\Ndkmpe32.exe), PID 2504
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Noqamn32.exe (command line: C:\Windows\system32\Noqamn32.exe), PID 1516
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Ndmjedoi.exe (command line: C:\Windows\system32\Ndmjedoi.exe), PID 1288
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Nkgbbo32.exe (command line: C:\Windows\system32\Nkgbbo32.exe), PID 2612
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Naajoinb.exe (command line: C:\Windows\system32\Naajoinb.exe), PID 1720
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Nhkbkc32.exe (command line: C:\Windows\system32\Nhkbkc32.exe), PID 1740
   - Executes dropped EXE
   - Modifies registry class
47. C:\Windows\SysWOW64\Njlockkm.exe (command line: C:\Windows\system32\Njlockkm.exe), PID 1564
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Ndbcpd32.exe (command line: C:\Windows\system32\Ndbcpd32.exe), PID 2908
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Ngpolo32.exe (command line: C:\Windows\system32\Ngpolo32.exe), PID 2656
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Oqideepg.exe (command line: C:\Windows\system32\Oqideepg.exe), PID 2948
   - Executes dropped EXE
   - Modifies registry class
51. C:\Windows\SysWOW64\Ojahnj32.exe (command line: C:\Windows\system32\Ojahnj32.exe), PID 1524
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Ogeigofa.exe (command line: C:\Windows\system32\Ogeigofa.exe), PID 2408
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Obafnlpn.exe (command line: C:\Windows\system32\Obafnlpn.exe), PID 1464
   - Executes dropped EXE
   - Modifies registry class
54. C:\Windows\SysWOW64\Oikojfgk.exe (command line: C:\Windows\system32\Oikojfgk.exe), PID 2088
   - Executes dropped EXE
   - Modifies registry class
55. C:\Windows\SysWOW64\Ooeggp32.exe (command line: C:\Windows\system32\Ooeggp32.exe), PID 2556
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Obcccl32.exe (command line: C:\Windows\system32\Obcccl32.exe), PID 2348
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Pimkpfeh.exe (command line: C:\Windows\system32\Pimkpfeh.exe), PID 576
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Pklhlael.exe (command line: C:\Windows\system32\Pklhlael.exe), PID 1920
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Pedleg32.exe (command line: C:\Windows\system32\Pedleg32.exe), PID 2700
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Pgbhabjp.exe (command line: C:\Windows\system32\Pgbhabjp.exe), PID 2180
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Pbhmnkjf.exe (command line: C:\Windows\system32\Pbhmnkjf.exe), PID 2872
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Pgeefbhm.exe (command line: C:\Windows\system32\Pgeefbhm.exe), PID 2228
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Pamiog32.exe (command line: C:\Windows\system32\Pamiog32.exe), PID 1492
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Pggbla32.exe (command line: C:\Windows\system32\Pggbla32.exe), PID 2356
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Pmdjdh32.exe (command line: C:\Windows\system32\Pmdjdh32.exe), PID 3084
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Pgioaa32.exe (command line: C:\Windows\system32\Pgioaa32.exe), PID 3140
   - Adds autorun key to be loaded by Explorer.exe on startup
67. C:\Windows\SysWOW64\Pikkiijf.exe (command line: C:\Windows\system32\Pikkiijf.exe), PID 3204
   - Drops file in System32 directory
   - Modifies registry class
68. C:\Windows\SysWOW64\Qbcpbo32.exe (command line: C:\Windows\system32\Qbcpbo32.exe), PID 3264
69. C:\Windows\SysWOW64\Qmicohqm.exe (command line: C:\Windows\system32\Qmicohqm.exe), PID 3320
70. C:\Windows\SysWOW64\Qpgpkcpp.exe (command line: C:\Windows\system32\Qpgpkcpp.exe), PID 3384
   - Drops file in System32 directory
   - Modifies registry class
71. C:\Windows\SysWOW64\Aipddi32.exe (command line: C:\Windows\system32\Aipddi32.exe), PID 3444
72. C:\Windows\SysWOW64\Alnqqd32.exe (command line: C:\Windows\system32\Alnqqd32.exe), PID 3500
73. C:\Windows\SysWOW64\Afcenm32.exe (command line: C:\Windows\system32\Afcenm32.exe), PID 3564
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
74. C:\Windows\SysWOW64\Ahdaee32.exe (command line: C:\Windows\system32\Ahdaee32.exe), PID 3628
75. C:\Windows\SysWOW64\Anojbobe.exe (command line: C:\Windows\system32\Anojbobe.exe), PID 3696
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
76. C:\Windows\SysWOW64\Aamfnkai.exe (command line: C:\Windows\system32\Aamfnkai.exe), PID 3756
   - Modifies registry class
77. C:\Windows\SysWOW64\Albjlcao.exe (command line: C:\Windows\system32\Albjlcao.exe), PID 3820
78. C:\Windows\SysWOW64\Abmbhn32.exe (command line: C:\Windows\system32\Abmbhn32.exe), PID 3876
   - Drops file in System32 directory
79. C:\Windows\SysWOW64\Ahikqd32.exe (command line: C:\Windows\system32\Ahikqd32.exe), PID 3944
80. C:\Windows\SysWOW64\Anccmo32.exe (command line: C:\Windows\system32\Anccmo32.exe), PID 4012
   - Drops file in System32 directory
81. C:\Windows\SysWOW64\Aaaoij32.exe (command line: C:\Windows\system32\Aaaoij32.exe), PID 4064
82. C:\Windows\SysWOW64\Afohaa32.exe (command line: C:\Windows\system32\Afohaa32.exe), PID 756
   - Drops file in System32 directory
83. C:\Windows\SysWOW64\Aadloj32.exe (command line: C:\Windows\system32\Aadloj32.exe), PID 1648
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
84. C:\Windows\SysWOW64\Bfadgq32.exe (command line: C:\Windows\system32\Bfadgq32.exe), PID 1008
85. C:\Windows\SysWOW64\Bioqclil.exe (command line: C:\Windows\system32\Bioqclil.exe), PID 3012
   - Adds autorun key to be loaded by Explorer.exe on startup
86. C:\Windows\SysWOW64\Bpiipf32.exe (command line: C:\Windows\system32\Bpiipf32.exe), PID 2768
87. C:\Windows\SysWOW64\Bbhela32.exe (command line: C:\Windows\system32\Bbhela32.exe), PID 1104
88. C:\Windows\SysWOW64\Biamilfj.exe (command line: C:\Windows\system32\Biamilfj.exe), PID 444
89. C:\Windows\SysWOW64\Bbjbaa32.exe (command line: C:\Windows\system32\Bbjbaa32.exe), PID 2340
90. C:\Windows\SysWOW64\Bmpfojmp.exe (command line: C:\Windows\system32\Bmpfojmp.exe), PID 1872
91. C:\Windows\SysWOW64\Boqbfb32.exe (command line: C:\Windows\system32\Boqbfb32.exe), PID 3152
92. C:\Windows\SysWOW64\Bekkcljk.exe (command line: C:\Windows\system32\Bekkcljk.exe), PID 3228
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
93. C:\Windows\SysWOW64\Bppoqeja.exe (command line: C:\Windows\system32\Bppoqeja.exe), PID 3308
94. C:\Windows\SysWOW64\Baakhm32.exe (command line: C:\Windows\system32\Baakhm32.exe), PID 3396
   - Adds autorun key to be loaded by Explorer.exe on startup
95. C:\Windows\SysWOW64\Blgpef32.exe (command line: C:\Windows\system32\Blgpef32.exe), PID 1948
   - Adds autorun key to be loaded by Explorer.exe on startup
96. C:\Windows\SysWOW64\Cadhnmnm.exe (command line: C:\Windows\system32\Cadhnmnm.exe), PID 1696
   - Adds autorun key to be loaded by Explorer.exe on startup
97. C:\Windows\SysWOW64\Clilkfnb.exe (command line: C:\Windows\system32\Clilkfnb.exe), PID 3548
   - Drops file in System32 directory
98. C:\Windows\SysWOW64\Cnkicn32.exe (command line: C:\Windows\system32\Cnkicn32.exe), PID 3640
99. C:\Windows\SysWOW64\Chpmpg32.exe (command line: C:\Windows\system32\Chpmpg32.exe), PID 3612
   - Modifies registry class
100. C:\Windows\SysWOW64\Cojema32.exe (command line: C:\Windows\system32\Cojema32.exe), PID 3716
101. C:\Windows\SysWOW64\Cpkbdiqb.exe (command line: C:\Windows\system32\Cpkbdiqb.exe), PID 3796
102. C:\Windows\SysWOW64\Ckafbbph.exe (command line: C:\Windows\system32\Ckafbbph.exe), PID 3852
103. C:\Windows\SysWOW64\Cnobnmpl.exe (command line: C:\Windows\system32\Cnobnmpl.exe), PID 3932
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
104. C:\Windows\SysWOW64\Cdikkg32.exe (command line: C:\Windows\system32\Cdikkg32.exe), PID 3964
   - Adds autorun key to be loaded by Explorer.exe on startup
105. C:\Windows\SysWOW64\Cnaocmmi.exe (command line: C:\Windows\system32\Cnaocmmi.exe), PID 4040
106. C:\Windows\SysWOW64\Ccngld32.exe (command line: C:\Windows\system32\Ccngld32.exe), PID 2588
107. C:\Windows\SysWOW64\Dndlim32.exe (command line: C:\Windows\system32\Dndlim32.exe), PID 768
   - Modifies registry class
108. C:\Windows\SysWOW64\Doehqead.exe (command line: C:\Windows\system32\Doehqead.exe), PID 2940
109. C:\Windows\SysWOW64\Djklnnaj.exe (command line: C:\Windows\system32\Djklnnaj.exe), PID 2196
   - Modifies registry class
110. C:\Windows\SysWOW64\Dogefd32.exe (command line: C:\Windows\system32\Dogefd32.exe), PID 1672
111. C:\Windows\SysWOW64\Dfamcogo.exe (command line: C:\Windows\system32\Dfamcogo.exe), PID 1384
   - Modifies registry class
112. C:\Windows\SysWOW64\Dknekeef.exe (command line: C:\Windows\system32\Dknekeef.exe), PID 2428
113. C:\Windows\SysWOW64\Dbhnhp32.exe (command line: C:\Windows\system32\Dbhnhp32.exe), PID 1656
114. C:\Windows\SysWOW64\Dlnbeh32.exe (command line: C:\Windows\system32\Dlnbeh32.exe), PID 2344
115. C:\Windows\SysWOW64\Dbkknojp.exe (command line: C:\Windows\system32\Dbkknojp.exe), PID 1012
   - Adds autorun key to be loaded by Explorer.exe on startup
116. C:\Windows\SysWOW64\Dkcofe32.exe (command line: C:\Windows\system32\Dkcofe32.exe), PID 3192
   - Adds autorun key to be loaded by Explorer.exe on startup
117. C:\Windows\SysWOW64\Eqpgol32.exe (command line: C:\Windows\system32\Eqpgol32.exe), PID 3272
   - Drops file in System32 directory
118. C:\Windows\SysWOW64\Ekelld32.exe (command line: C:\Windows\system32\Ekelld32.exe), PID 3352
   - Drops file in System32 directory
119. C:\Windows\SysWOW64\Eqbddk32.exe (command line: C:\Windows\system32\Eqbddk32.exe), PID 3420
   - Modifies registry class
120. C:\Windows\SysWOW64\Ekhhadmk.exe (command line: C:\Windows\system32\Ekhhadmk.exe), PID 3536
   - Drops file in System32 directory
121. C:\Windows\SysWOW64\Emieil32.exe (command line: C:\Windows\system32\Emieil32.exe), PID 3636
   - Drops file in System32 directory
122. C:\Windows\SysWOW64\Egoife32.exe (command line: C:\Windows\system32\Egoife32.exe), PID 2776