Analysis
-
max time kernel
25s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
07-07-2024 23:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6561141c81a99be0b5d94ff1eb7bc4a6e185c3e85774c1fe6a0e5aa620dea2cc.exe
Resource
win7-20240705-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
6561141c81a99be0b5d94ff1eb7bc4a6e185c3e85774c1fe6a0e5aa620dea2cc.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
6561141c81a99be0b5d94ff1eb7bc4a6e185c3e85774c1fe6a0e5aa620dea2cc.exe
-
Size
302KB
-
MD5
2d409e79d4d910b6f944dc2d784e5cca
-
SHA1
2ccc7cbf6f883d4e48f754d9d89b0c2c39097a40
-
SHA256
6561141c81a99be0b5d94ff1eb7bc4a6e185c3e85774c1fe6a0e5aa620dea2cc
-
SHA512
ecc62ced261aed00a1acf2ce5bf172c8b77afe1afa5f229c933bf57ab26bb4fd843131147447dee5049d84785ef43b91ee62bf0e782eefc222370cf74fb6fd3e
-
SSDEEP
6144:WCo2Ky4i1cL7GNlighD4lTjZXvEQo9dfEORRAgnIlY1:Wcsiiv8lXhuT9XvEhdfEmwlY1
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cccgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hpjgdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekeiel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gomjckqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fofekp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiqegb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hogddpld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfamko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bhljlnma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feppqc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdjenkgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qdhcinme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jhgnbehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hqemlbqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dlnjjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ghnfci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfiekc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkkckdhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfoellgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Adekhkng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohqbbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bgihjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jemkai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Odgchjhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cancif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Poddphee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpbenpqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ifoljn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfppfcmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cjljpjjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Faonqiod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pahjgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpbiolnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ikbndqnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngcbie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eelfedpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glhhgahg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmcbbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cejhld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjdqfajl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epjbienl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fehmlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lhpmhgbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpjgdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibmmkaik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dedkbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpbenpqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcahjqfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fmnakege.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgbhibio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijhkembk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldlghhde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deljfqmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jmpqbnmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eajhgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ijhkembk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfhcknpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bcmeogam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhlogo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmnakege.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdjfmolo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geeekf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Glajmppm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehiiop32.exe -
Executes dropped EXE 64 IoCs
pid Process 2964 Aaogbh32.exe 2784 Ankabh32.exe 2796 Bigohejb.exe 2904 Bgqeea32.exe 1580 Cancif32.exe 1304 Cfoellgb.exe 272 Dlnjjc32.exe 2168 Dlcceboa.exe 2684 Epjbienl.exe 2056 Eplood32.exe 2936 Fofekp32.exe 2508 Faikbkhj.exe 1160 Fdjddf32.exe 1036 Ghnfci32.exe 2288 Gdjpcj32.exe 864 Goodpb32.exe 2188 Haejcj32.exe 2368 Hpjgdf32.exe 2308 Ibmmkaik.exe 1964 Ipameehe.exe 984 Ibdclp32.exe 920 Jmpqbnmp.exe 1576 Jfiekc32.exe 496 Jlhjijpe.exe 1744 Jbdokceo.exe 1592 Kkaaee32.exe 2372 Kdjenkgh.exe 2792 Kpcbhlki.exe 2748 Lkkckdhm.exe 2980 Lnlmmo32.exe 804 Lpmeojbo.exe 2716 Ldokhn32.exe 2916 Mhopcl32.exe 2560 Mjbiac32.exe 1352 Mmcbbo32.exe 2192 Nfncad32.exe 2704 Nfppfcmj.exe 2160 Nnnbqeib.exe 320 Odmgnl32.exe 3036 Omhhma32.exe 1776 Oiqegb32.exe 896 Pfgcff32.exe 2000 Pbnckg32.exe 1212 Poddphee.exe 1796 Phmiimlf.exe 2432 Pddinn32.exe 992 Pahjgb32.exe 1280 Qdhcinme.exe 1620 Qnagbc32.exe 1616 Apapcnaf.exe 1704 Alhaho32.exe 2736 Aknnil32.exe 2868 Akpkok32.exe 2804 Boncej32.exe 2816 Bgihjl32.exe 2556 Bgkeol32.exe 2924 Bnemlf32.exe 1076 Bjlnaghp.exe 2252 Bfcnfh32.exe 2340 Cjqglf32.exe 2744 Cejhld32.exe 1660 Cpbiolnl.exe 1140 Cjljpjjk.exe 2052 Cjngej32.exe -
Loads dropped DLL 64 IoCs
pid Process 2112 6561141c81a99be0b5d94ff1eb7bc4a6e185c3e85774c1fe6a0e5aa620dea2cc.exe 2112 6561141c81a99be0b5d94ff1eb7bc4a6e185c3e85774c1fe6a0e5aa620dea2cc.exe 2964 Aaogbh32.exe 2964 Aaogbh32.exe 2784 Ankabh32.exe 2784 Ankabh32.exe 2796 Bigohejb.exe 2796 Bigohejb.exe 2904 Bgqeea32.exe 2904 Bgqeea32.exe 1580 Cancif32.exe 1580 Cancif32.exe 1304 Cfoellgb.exe 1304 Cfoellgb.exe 272 Dlnjjc32.exe 272 Dlnjjc32.exe 2168 Dlcceboa.exe 2168 Dlcceboa.exe 2684 Epjbienl.exe 2684 Epjbienl.exe 2056 Eplood32.exe 2056 Eplood32.exe 2936 Fofekp32.exe 2936 Fofekp32.exe 2508 Faikbkhj.exe 2508 Faikbkhj.exe 1160 Fdjddf32.exe 1160 Fdjddf32.exe 1036 Ghnfci32.exe 1036 Ghnfci32.exe 2288 Gdjpcj32.exe 2288 Gdjpcj32.exe 864 Goodpb32.exe 864 Goodpb32.exe 2188 Haejcj32.exe 2188 Haejcj32.exe 2368 Hpjgdf32.exe 2368 Hpjgdf32.exe 2308 Ibmmkaik.exe 2308 Ibmmkaik.exe 1964 Ipameehe.exe 1964 Ipameehe.exe 984 Ibdclp32.exe 984 Ibdclp32.exe 920 Jmpqbnmp.exe 920 Jmpqbnmp.exe 1576 Jfiekc32.exe 1576 Jfiekc32.exe 496 Jlhjijpe.exe 496 Jlhjijpe.exe 1744 Jbdokceo.exe 1744 Jbdokceo.exe 1592 Kkaaee32.exe 1592 Kkaaee32.exe 2372 Kdjenkgh.exe 2372 Kdjenkgh.exe 2792 Kpcbhlki.exe 2792 Kpcbhlki.exe 2748 Lkkckdhm.exe 2748 Lkkckdhm.exe 2980 Lnlmmo32.exe 2980 Lnlmmo32.exe 804 Lpmeojbo.exe 804 Lpmeojbo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Oiglfm32.exe Nqkgbkdj.exe File created C:\Windows\SysWOW64\Kggeijok.dll Bbdoec32.exe File opened for modification C:\Windows\SysWOW64\Dpjhcj32.exe Cccgni32.exe File opened for modification C:\Windows\SysWOW64\Emqaaabg.exe Ebhani32.exe File created C:\Windows\SysWOW64\Hjdbckib.dll Jfiekc32.exe File opened for modification C:\Windows\SysWOW64\Dimfmeef.exe Dijjgegh.exe File created C:\Windows\SysWOW64\Eajhgg32.exe Eecgafkj.exe File created C:\Windows\SysWOW64\Qeglqpaj.exe Pedokpcm.exe File created C:\Windows\SysWOW64\Bjdqfajl.exe Adekhkng.exe File created C:\Windows\SysWOW64\Ccmanjch.exe Cqlhlo32.exe File created C:\Windows\SysWOW64\Mfamko32.exe Mpeebhhf.exe File opened for modification C:\Windows\SysWOW64\Bdehgnqc.exe Bbdoec32.exe File created C:\Windows\SysWOW64\Jiaaaicm.exe Ipimic32.exe File created C:\Windows\SysWOW64\Pncemobj.dll Ngcbie32.exe File opened for modification C:\Windows\SysWOW64\Hqemlbqi.exe Hqcpfcbl.exe File created C:\Windows\SysWOW64\Bmhjjiab.dll Ghnfci32.exe File created C:\Windows\SysWOW64\Ibmmkaik.exe Hpjgdf32.exe File opened for modification C:\Windows\SysWOW64\Hjfbaj32.exe Gcimop32.exe File opened for modification C:\Windows\SysWOW64\Eelfedpa.exe Emqaaabg.exe File opened for modification C:\Windows\SysWOW64\Epakcm32.exe Eelfedpa.exe File opened for modification C:\Windows\SysWOW64\Fdjddf32.exe Faikbkhj.exe File opened for modification C:\Windows\SysWOW64\Kemgqm32.exe Kmbclj32.exe File created C:\Windows\SysWOW64\Ldlghhde.exe Ldikbhfh.exe File created C:\Windows\SysWOW64\Bdehgnqc.exe Bbdoec32.exe File created C:\Windows\SysWOW64\Flkohc32.exe Epdncb32.exe File created C:\Windows\SysWOW64\Caldepec.dll Aniffaim.exe File created C:\Windows\SysWOW64\Bkfenkcq.dll Dbkaee32.exe File created C:\Windows\SysWOW64\Oofeeflg.dll Emqaaabg.exe File created C:\Windows\SysWOW64\Pfenml32.dll Fdjfmolo.exe File opened for modification C:\Windows\SysWOW64\Dlnjjc32.exe Cfoellgb.exe File opened for modification C:\Windows\SysWOW64\Ibmmkaik.exe Hpjgdf32.exe File opened for modification C:\Windows\SysWOW64\Nfncad32.exe Mmcbbo32.exe File created C:\Windows\SysWOW64\Icgpcjpo.dll Leaallcb.exe File created C:\Windows\SysWOW64\Fkopgd32.dll Cocbbk32.exe File created C:\Windows\SysWOW64\Dbkaee32.exe Dpjhcj32.exe File opened for modification C:\Windows\SysWOW64\Faikbkhj.exe Fofekp32.exe File created C:\Windows\SysWOW64\Mcllmmbh.dll Dedkbb32.exe File created C:\Windows\SysWOW64\Niqcoabo.dll Feccqime.exe File opened for modification C:\Windows\SysWOW64\Hbccklmj.exe Hmfkbeoc.exe File opened for modification C:\Windows\SysWOW64\Bhljlnma.exe Bhjngnod.exe File opened for modification C:\Windows\SysWOW64\Glhhgahg.exe Gdmcbojl.exe File created C:\Windows\SysWOW64\Bgqeea32.exe Bigohejb.exe File opened for modification C:\Windows\SysWOW64\Mhopcl32.exe Ldokhn32.exe File created C:\Windows\SysWOW64\Lmiggh32.dll Bnemlf32.exe File created C:\Windows\SysWOW64\Khkdmh32.exe Kemgqm32.exe File created C:\Windows\SysWOW64\Mceodfan.dll Mfhcknpf.exe File opened for modification C:\Windows\SysWOW64\Bjdqfajl.exe Adekhkng.exe File created C:\Windows\SysWOW64\Ibdclp32.exe Ipameehe.exe File created C:\Windows\SysWOW64\Jcgdnd32.dll Jmpqbnmp.exe File opened for modification C:\Windows\SysWOW64\Hcnfjpib.exe Hjfbaj32.exe File created C:\Windows\SysWOW64\Khmpbemc.dll Hogddpld.exe File created C:\Windows\SysWOW64\Bqhmkq32.dll Moahdd32.exe File created C:\Windows\SysWOW64\Fbeidk32.dll Fofekp32.exe File opened for modification C:\Windows\SysWOW64\Ipimic32.exe Ibeloo32.exe File opened for modification C:\Windows\SysWOW64\Mlnbmikh.exe Mfamko32.exe File opened for modification C:\Windows\SysWOW64\Moahdd32.exe Mfhcknpf.exe File created C:\Windows\SysWOW64\Bigohejb.exe Ankabh32.exe File created C:\Windows\SysWOW64\Ndbfldme.dll Qnagbc32.exe File created C:\Windows\SysWOW64\Eecgafkj.exe Dimfmeef.exe File created C:\Windows\SysWOW64\Boncej32.exe Akpkok32.exe File created C:\Windows\SysWOW64\Lgqfpqja.dll Cpbiolnl.exe File created C:\Windows\SysWOW64\Gcgpiq32.exe Gklkdn32.exe File created C:\Windows\SysWOW64\Iepfml32.dll Qdhcinme.exe File created C:\Windows\SysWOW64\Djpmocdn.dll Ldikbhfh.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kkaaee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qdhcinme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cjngej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maeljf32.dll" Ekblplgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elefkiaj.dll" Jbdokceo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdkgph32.dll" Odmgnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Poddphee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bgihjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ehiiop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kcahjqfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qbkljd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpjnd32.dll" Ginefe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hcnfjpib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kdincdcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pedokpcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fmnakege.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gdjpcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Omhhma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qnagbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kdincdcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mfamko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bhjngnod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecbce32.dll" Nfncad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aknnil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agldbd32.dll" Gnhkkjbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mceodfan.dll" Mfhcknpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cbdkdffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fljhmmci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fmnakege.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jlhjijpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lkkckdhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkapcaf.dll" Gklkdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnicncli.dll" Hbccklmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dbkaee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmdpf32.dll" Ifgooikk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cjngej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ibeloo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nmkbfmpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hnljkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdcedhee.dll" Alhaho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cpbiolnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Glpdbfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mfhcknpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khbcbcmo.dll" Akmgoehg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fkbadifn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fkbadifn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfenml32.dll" Fdjfmolo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hqhiab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ipameehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idpademd.dll" Ibeloo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jiaaaicm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ngcbie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gomjckqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fdjddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Boncej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cejhld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ldndng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghifl32.dll" Pfjiod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Geplpfnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lpmeojbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpggcbki.dll" Ekeiel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hogddpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghdehmnj.dll" Ikbndqnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pfjiod32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2112 wrote to memory of 2964 2112 6561141c81a99be0b5d94ff1eb7bc4a6e185c3e85774c1fe6a0e5aa620dea2cc.exe 29 PID 2112 wrote to memory of 2964 2112 6561141c81a99be0b5d94ff1eb7bc4a6e185c3e85774c1fe6a0e5aa620dea2cc.exe 29 PID 2112 wrote to memory of 2964 2112 6561141c81a99be0b5d94ff1eb7bc4a6e185c3e85774c1fe6a0e5aa620dea2cc.exe 29 PID 2112 wrote to memory of 2964 2112 6561141c81a99be0b5d94ff1eb7bc4a6e185c3e85774c1fe6a0e5aa620dea2cc.exe 29 PID 2964 wrote to memory of 2784 2964 Aaogbh32.exe 30 PID 2964 wrote to memory of 2784 2964 Aaogbh32.exe 30 PID 2964 wrote to memory of 2784 2964 Aaogbh32.exe 30 PID 2964 wrote to memory of 2784 2964 Aaogbh32.exe 30 PID 2784 wrote to memory of 2796 2784 Ankabh32.exe 31 PID 2784 wrote to memory of 2796 2784 Ankabh32.exe 31 PID 2784 wrote to memory of 2796 2784 Ankabh32.exe 31 PID 2784 wrote to memory of 2796 2784 Ankabh32.exe 31 PID 2796 wrote to memory of 2904 2796 Bigohejb.exe 32 PID 2796 wrote to memory of 2904 2796 Bigohejb.exe 32 PID 2796 wrote to memory of 2904 2796 Bigohejb.exe 32 PID 2796 wrote to memory of 2904 2796 Bigohejb.exe 32 PID 2904 wrote to memory of 1580 2904 Bgqeea32.exe 33 PID 2904 wrote to memory of 1580 2904 Bgqeea32.exe 33 PID 2904 wrote to memory of 1580 2904 Bgqeea32.exe 33 PID 2904 wrote to memory of 1580 2904 Bgqeea32.exe 33 PID 1580 wrote to memory of 1304 1580 Cancif32.exe 34 PID 1580 wrote to memory of 1304 1580 Cancif32.exe 34 PID 1580 wrote to memory of 1304 1580 Cancif32.exe 34 PID 1580 wrote to memory of 1304 1580 Cancif32.exe 34 PID 1304 wrote to memory of 272 1304 Cfoellgb.exe 35 PID 1304 wrote to memory of 272 1304 Cfoellgb.exe 35 PID 1304 wrote to memory of 272 1304 Cfoellgb.exe 35 PID 1304 wrote to memory of 272 1304 Cfoellgb.exe 35 PID 272 wrote to memory of 2168 272 Dlnjjc32.exe 36 PID 272 wrote to memory of 2168 272 Dlnjjc32.exe 36 PID 272 wrote to memory of 2168 272 Dlnjjc32.exe 36 PID 272 wrote to memory of 2168 272 Dlnjjc32.exe 36 PID 2168 wrote to memory of 2684 2168 Dlcceboa.exe 37 PID 2168 wrote to memory of 2684 2168 Dlcceboa.exe 37 PID 2168 wrote to memory of 2684 2168 Dlcceboa.exe 37 PID 2168 wrote to memory of 2684 2168 Dlcceboa.exe 37 PID 2684 wrote to memory of 2056 2684 Epjbienl.exe 38 PID 2684 wrote to memory of 2056 2684 Epjbienl.exe 38 PID 2684 wrote to memory of 2056 2684 Epjbienl.exe 38 PID 2684 wrote to memory of 2056 2684 Epjbienl.exe 38 PID 2056 wrote to memory of 2936 2056 Eplood32.exe 39 PID 2056 wrote to memory of 2936 2056 Eplood32.exe 39 PID 2056 wrote to memory of 2936 2056 Eplood32.exe 39 PID 2056 wrote to memory of 2936 2056 Eplood32.exe 39 PID 2936 wrote to memory of 2508 2936 Fofekp32.exe 40 PID 2936 wrote to memory of 2508 2936 Fofekp32.exe 40 PID 2936 wrote to memory of 2508 2936 Fofekp32.exe 40 PID 2936 wrote to memory of 2508 2936 Fofekp32.exe 40 PID 2508 wrote to memory of 1160 2508 Faikbkhj.exe 41 PID 2508 wrote to memory of 1160 2508 Faikbkhj.exe 41 PID 2508 wrote to memory of 1160 2508 Faikbkhj.exe 41 PID 2508 wrote to memory of 1160 2508 Faikbkhj.exe 41 PID 1160 wrote to memory of 1036 1160 Fdjddf32.exe 42 PID 1160 wrote to memory of 1036 1160 Fdjddf32.exe 42 PID 1160 wrote to memory of 1036 1160 Fdjddf32.exe 42 PID 1160 wrote to memory of 1036 1160 Fdjddf32.exe 42 PID 1036 wrote to memory of 2288 1036 Ghnfci32.exe 43 PID 1036 wrote to memory of 2288 1036 Ghnfci32.exe 43 PID 1036 wrote to memory of 2288 1036 Ghnfci32.exe 43 PID 1036 wrote to memory of 2288 1036 Ghnfci32.exe 43 PID 2288 wrote to memory of 864 2288 Gdjpcj32.exe 44 PID 2288 wrote to memory of 864 2288 Gdjpcj32.exe 44 PID 2288 wrote to memory of 864 2288 Gdjpcj32.exe 44 PID 2288 wrote to memory of 864 2288 Gdjpcj32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\6561141c81a99be0b5d94ff1eb7bc4a6e185c3e85774c1fe6a0e5aa620dea2cc.exe"C:\Users\Admin\AppData\Local\Temp\6561141c81a99be0b5d94ff1eb7bc4a6e185c3e85774c1fe6a0e5aa620dea2cc.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Aaogbh32.exeC:\Windows\system32\Aaogbh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Ankabh32.exeC:\Windows\system32\Ankabh32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Bigohejb.exeC:\Windows\system32\Bigohejb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Bgqeea32.exeC:\Windows\system32\Bgqeea32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Cancif32.exeC:\Windows\system32\Cancif32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Cfoellgb.exeC:\Windows\system32\Cfoellgb.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\Dlnjjc32.exeC:\Windows\system32\Dlnjjc32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:272 -
C:\Windows\SysWOW64\Dlcceboa.exeC:\Windows\system32\Dlcceboa.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Epjbienl.exeC:\Windows\system32\Epjbienl.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Eplood32.exeC:\Windows\system32\Eplood32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Fofekp32.exeC:\Windows\system32\Fofekp32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Faikbkhj.exeC:\Windows\system32\Faikbkhj.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Fdjddf32.exeC:\Windows\system32\Fdjddf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Ghnfci32.exeC:\Windows\system32\Ghnfci32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Gdjpcj32.exeC:\Windows\system32\Gdjpcj32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Goodpb32.exeC:\Windows\system32\Goodpb32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:864 -
C:\Windows\SysWOW64\Haejcj32.exeC:\Windows\system32\Haejcj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Hpjgdf32.exeC:\Windows\system32\Hpjgdf32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\Ibmmkaik.exeC:\Windows\system32\Ibmmkaik.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2308 -
C:\Windows\SysWOW64\Ipameehe.exeC:\Windows\system32\Ipameehe.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Ibdclp32.exeC:\Windows\system32\Ibdclp32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:984 -
C:\Windows\SysWOW64\Jmpqbnmp.exeC:\Windows\system32\Jmpqbnmp.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:920 -
C:\Windows\SysWOW64\Jfiekc32.exeC:\Windows\system32\Jfiekc32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1576 -
C:\Windows\SysWOW64\Jlhjijpe.exeC:\Windows\system32\Jlhjijpe.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:496 -
C:\Windows\SysWOW64\Jbdokceo.exeC:\Windows\system32\Jbdokceo.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Kkaaee32.exeC:\Windows\system32\Kkaaee32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Kdjenkgh.exeC:\Windows\system32\Kdjenkgh.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2372 -
C:\Windows\SysWOW64\Kpcbhlki.exeC:\Windows\system32\Kpcbhlki.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Lkkckdhm.exeC:\Windows\system32\Lkkckdhm.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Lnlmmo32.exeC:\Windows\system32\Lnlmmo32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2980 -
C:\Windows\SysWOW64\Lpmeojbo.exeC:\Windows\system32\Lpmeojbo.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:804 -
C:\Windows\SysWOW64\Ldokhn32.exeC:\Windows\system32\Ldokhn32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Mhopcl32.exeC:\Windows\system32\Mhopcl32.exe34⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Mjbiac32.exeC:\Windows\system32\Mjbiac32.exe35⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Mmcbbo32.exeC:\Windows\system32\Mmcbbo32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1352 -
C:\Windows\SysWOW64\Nfncad32.exeC:\Windows\system32\Nfncad32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Nfppfcmj.exeC:\Windows\system32\Nfppfcmj.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Nnnbqeib.exeC:\Windows\system32\Nnnbqeib.exe39⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Odmgnl32.exeC:\Windows\system32\Odmgnl32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:320 -
C:\Windows\SysWOW64\Omhhma32.exeC:\Windows\system32\Omhhma32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Oiqegb32.exeC:\Windows\system32\Oiqegb32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Pfgcff32.exeC:\Windows\system32\Pfgcff32.exe43⤵
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Pbnckg32.exeC:\Windows\system32\Pbnckg32.exe44⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Poddphee.exeC:\Windows\system32\Poddphee.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1212 -
C:\Windows\SysWOW64\Phmiimlf.exeC:\Windows\system32\Phmiimlf.exe46⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Pddinn32.exeC:\Windows\system32\Pddinn32.exe47⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Pahjgb32.exeC:\Windows\system32\Pahjgb32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Qdhcinme.exeC:\Windows\system32\Qdhcinme.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1280 -
C:\Windows\SysWOW64\Qnagbc32.exeC:\Windows\system32\Qnagbc32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Apapcnaf.exeC:\Windows\system32\Apapcnaf.exe51⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Alhaho32.exeC:\Windows\system32\Alhaho32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Aknnil32.exeC:\Windows\system32\Aknnil32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Akpkok32.exeC:\Windows\system32\Akpkok32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Boncej32.exeC:\Windows\system32\Boncej32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Bgihjl32.exeC:\Windows\system32\Bgihjl32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Bgkeol32.exeC:\Windows\system32\Bgkeol32.exe57⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Bnemlf32.exeC:\Windows\system32\Bnemlf32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Bjlnaghp.exeC:\Windows\system32\Bjlnaghp.exe59⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Bfcnfh32.exeC:\Windows\system32\Bfcnfh32.exe60⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Cjqglf32.exeC:\Windows\system32\Cjqglf32.exe61⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Cejhld32.exeC:\Windows\system32\Cejhld32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Cpbiolnl.exeC:\Windows\system32\Cpbiolnl.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Cjljpjjk.exeC:\Windows\system32\Cjljpjjk.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Cjngej32.exeC:\Windows\system32\Cjngej32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Dedkbb32.exeC:\Windows\system32\Dedkbb32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Dhdddnep.exeC:\Windows\system32\Dhdddnep.exe67⤵PID:2024
-
C:\Windows\SysWOW64\Dmalmdcg.exeC:\Windows\system32\Dmalmdcg.exe68⤵PID:2304
-
C:\Windows\SysWOW64\Dfjaej32.exeC:\Windows\system32\Dfjaej32.exe69⤵PID:748
-
C:\Windows\SysWOW64\Dpbenpqh.exeC:\Windows\system32\Dpbenpqh.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1376 -
C:\Windows\SysWOW64\Dijjgegh.exeC:\Windows\system32\Dijjgegh.exe71⤵
- Drops file in System32 directory
PID:1068 -
C:\Windows\SysWOW64\Dimfmeef.exeC:\Windows\system32\Dimfmeef.exe72⤵
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Eecgafkj.exeC:\Windows\system32\Eecgafkj.exe73⤵
- Drops file in System32 directory
PID:2456 -
C:\Windows\SysWOW64\Eajhgg32.exeC:\Windows\system32\Eajhgg32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2888 -
C:\Windows\SysWOW64\Ekblplgo.exeC:\Windows\system32\Ekblplgo.exe75⤵
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Ekeiel32.exeC:\Windows\system32\Ekeiel32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Ehiiop32.exeC:\Windows\system32\Ehiiop32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Epdncb32.exeC:\Windows\system32\Epdncb32.exe78⤵
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Flkohc32.exeC:\Windows\system32\Flkohc32.exe79⤵PID:2512
-
C:\Windows\SysWOW64\Feccqime.exeC:\Windows\system32\Feccqime.exe80⤵
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Flphccbp.exeC:\Windows\system32\Flphccbp.exe81⤵PID:2216
-
C:\Windows\SysWOW64\Fehmlh32.exeC:\Windows\system32\Fehmlh32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1492 -
C:\Windows\SysWOW64\Faonqiod.exeC:\Windows\system32\Faonqiod.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1920 -
C:\Windows\SysWOW64\Gnenfjdh.exeC:\Windows\system32\Gnenfjdh.exe84⤵PID:772
-
C:\Windows\SysWOW64\Gnhkkjbf.exeC:\Windows\system32\Gnhkkjbf.exe85⤵
- Modifies registry class
PID:484 -
C:\Windows\SysWOW64\Gklkdn32.exeC:\Windows\system32\Gklkdn32.exe86⤵
- Drops file in System32 directory
- Modifies registry class
PID:684 -
C:\Windows\SysWOW64\Gcgpiq32.exeC:\Windows\system32\Gcgpiq32.exe87⤵PID:1336
-
C:\Windows\SysWOW64\Glpdbfek.exeC:\Windows\system32\Glpdbfek.exe88⤵
- Modifies registry class
PID:800 -
C:\Windows\SysWOW64\Gcimop32.exeC:\Windows\system32\Gcimop32.exe89⤵
- Drops file in System32 directory
PID:2856 -
C:\Windows\SysWOW64\Hjfbaj32.exeC:\Windows\system32\Hjfbaj32.exe90⤵
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Hcnfjpib.exeC:\Windows\system32\Hcnfjpib.exe91⤵
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Hmfkbeoc.exeC:\Windows\system32\Hmfkbeoc.exe92⤵
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Hbccklmj.exeC:\Windows\system32\Hbccklmj.exe93⤵
- Modifies registry class
PID:448 -
C:\Windows\SysWOW64\Hogddpld.exeC:\Windows\system32\Hogddpld.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Hedllgjk.exeC:\Windows\system32\Hedllgjk.exe95⤵PID:1516
-
C:\Windows\SysWOW64\Hgbhibio.exeC:\Windows\system32\Hgbhibio.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1668 -
C:\Windows\SysWOW64\Hjcajn32.exeC:\Windows\system32\Hjcajn32.exe97⤵PID:2336
-
C:\Windows\SysWOW64\Ikbndqnc.exeC:\Windows\system32\Ikbndqnc.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Ijhkembk.exeC:\Windows\system32\Ijhkembk.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2028 -
C:\Windows\SysWOW64\Imfgahao.exeC:\Windows\system32\Imfgahao.exe100⤵PID:924
-
C:\Windows\SysWOW64\Ifoljn32.exeC:\Windows\system32\Ifoljn32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:872 -
C:\Windows\SysWOW64\Ibeloo32.exeC:\Windows\system32\Ibeloo32.exe102⤵
- Drops file in System32 directory
- Modifies registry class
PID:876 -
C:\Windows\SysWOW64\Ipimic32.exeC:\Windows\system32\Ipimic32.exe103⤵
- Drops file in System32 directory
PID:688 -
C:\Windows\SysWOW64\Jiaaaicm.exeC:\Windows\system32\Jiaaaicm.exe104⤵
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Jhgnbehe.exeC:\Windows\system32\Jhgnbehe.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2848 -
C:\Windows\SysWOW64\Jblbpnhk.exeC:\Windows\system32\Jblbpnhk.exe106⤵PID:2672
-
C:\Windows\SysWOW64\Jjhgdqef.exeC:\Windows\system32\Jjhgdqef.exe107⤵PID:2608
-
C:\Windows\SysWOW64\Jemkai32.exeC:\Windows\system32\Jemkai32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2032 -
C:\Windows\SysWOW64\Jdbhcfjd.exeC:\Windows\system32\Jdbhcfjd.exe109⤵PID:2920
-
C:\Windows\SysWOW64\Jafilj32.exeC:\Windows\system32\Jafilj32.exe110⤵PID:1044
-
C:\Windows\SysWOW64\Kkomepon.exeC:\Windows\system32\Kkomepon.exe111⤵PID:2488
-
C:\Windows\SysWOW64\Kbjbibli.exeC:\Windows\system32\Kbjbibli.exe112⤵PID:1536
-
C:\Windows\SysWOW64\Kdincdcl.exeC:\Windows\system32\Kdincdcl.exe113⤵
- Modifies registry class
PID:844 -
C:\Windows\SysWOW64\Kmbclj32.exeC:\Windows\system32\Kmbclj32.exe114⤵
- Drops file in System32 directory
PID:1216 -
C:\Windows\SysWOW64\Kemgqm32.exeC:\Windows\system32\Kemgqm32.exe115⤵
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Khkdmh32.exeC:\Windows\system32\Khkdmh32.exe116⤵PID:2156
-
C:\Windows\SysWOW64\Kcahjqfa.exeC:\Windows\system32\Kcahjqfa.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Leaallcb.exeC:\Windows\system32\Leaallcb.exe118⤵
- Drops file in System32 directory
PID:2708 -
C:\Windows\SysWOW64\Lhpmhgbf.exeC:\Windows\system32\Lhpmhgbf.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2872 -
C:\Windows\SysWOW64\Lnmfpnqn.exeC:\Windows\system32\Lnmfpnqn.exe120⤵PID:1388
-
C:\Windows\SysWOW64\Lkafib32.exeC:\Windows\system32\Lkafib32.exe121⤵PID:1612
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-