Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
09-07-2024 20:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
29b90898b8fa2c993d0afd91d4cc9ec21d9a66a2e4d01b5db990c77498b8cff1.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
29b90898b8fa2c993d0afd91d4cc9ec21d9a66a2e4d01b5db990c77498b8cff1.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
29b90898b8fa2c993d0afd91d4cc9ec21d9a66a2e4d01b5db990c77498b8cff1.exe
-
Size
227KB
-
MD5
3c84728862bcc4e779d802a2a586baea
-
SHA1
79165d338da5eb3beaa986e36e6f69fdffedfdbf
-
SHA256
29b90898b8fa2c993d0afd91d4cc9ec21d9a66a2e4d01b5db990c77498b8cff1
-
SHA512
4024d068f41246d7437aa5d1c81d52c492ec8b4e61c21764a628cb54f4ddeaac99b1b2ba1ce7f178ad27bf37f8f7ea0231c926d2e8c0d963de3079d289f57c53
-
SSDEEP
3072:PVQfrGkQGqOaMvTtYmK5eyepwoTRBmDRGGurhUXvBj2QE2HegPelTeIdI7jFHu:PGtVmMLllgm7U5j2QE2+g24Id2jFHu
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ljghjpfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gifclb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbjpom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfjann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Okojkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bfkifhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lokgcf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkegeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Findhdcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhejnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hhejnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibhndp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cepipm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihmgiiff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Depbfhpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Epgphcqd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgadda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdonhj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdkklp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdjjag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jdkjnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mgebdipp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pifbjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cjjkpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeohkeoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lgoboc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbbgod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Demofaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gfmgelil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Palepb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Koddccaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mjkndb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfphcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbfook32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlqmmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdcifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pmdmmalf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaeafklf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lklgbadb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oidiekdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkjphcff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bgoime32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okojkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmojkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hloiib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jpogbgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kgfoie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bejfao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ghajacmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qndkpmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dgoopkgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkejcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jlckbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fkecij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mpebmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qqbecp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Findhdcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhnkffeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qfonkfqd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnjbeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aodkci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbjmpcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gifclb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jlkngc32.exe -
Executes dropped EXE 64 IoCs
pid Process 2812 Hmcfhkjg.exe 2780 Ihmgiiff.exe 2760 Ihpdoh32.exe 2556 Iahhgnkd.exe 3024 Iefamlak.exe 712 Iggned32.exe 352 Iihfgp32.exe 2652 Jglgpdcc.exe 1176 Jeadap32.exe 2768 Jpfhoi32.exe 1132 Jajala32.exe 2388 Jblnaq32.exe 2236 Jdkjnl32.exe 276 Kfjggo32.exe 1052 Kdbpnk32.exe 1908 Kmmebm32.exe 1092 Kqknil32.exe 1976 Lifbmn32.exe 1004 Lfjcfb32.exe 2640 Lihobnap.exe 1068 Lkihdioa.exe 2512 Lnhdqdnd.exe 1200 Lahmbo32.exe 2700 Ledibnco.exe 2680 Lgbeoibb.exe 2592 Mgebdipp.exe 2668 Meicnm32.exe 2632 Mclcijfd.exe 776 Mapccndn.exe 1688 Mhilph32.exe 2852 Mfoiqe32.exe 2884 Mjjdacik.exe 1860 Mdbiji32.exe 1868 Medeaaej.exe 1872 Nlnnnk32.exe 1540 Noljjglk.exe 2056 Nianhplq.exe 2224 Nlpkdkkd.exe 2396 Namclbil.exe 1788 Nidkmojn.exe 2128 Nkegeg32.exe 2528 Nblpfepo.exe 1056 Neklbppb.exe 936 Nhiholof.exe 2008 Naalga32.exe 2896 Nemhhpmp.exe 2288 Noemqe32.exe 2800 Nmhmlbkk.exe 2920 Odbeilbg.exe 2672 Ogqaehak.exe 2724 Oaffbqaa.exe 2576 Odebolpe.exe 1972 Ogcnkgoh.exe 640 Okojkf32.exe 2104 Odgodl32.exe 316 Oehklddp.exe 2784 Oidglb32.exe 2544 Opnpimdf.exe 1980 Ocllehcj.exe 2924 Oekhacbn.exe 3036 Opplolac.exe 2244 Ocohkh32.exe 2956 Oihqgbhd.exe 1720 Olgmcmgh.exe -
Loads dropped DLL 64 IoCs
pid Process 2664 29b90898b8fa2c993d0afd91d4cc9ec21d9a66a2e4d01b5db990c77498b8cff1.exe 2664 29b90898b8fa2c993d0afd91d4cc9ec21d9a66a2e4d01b5db990c77498b8cff1.exe 2812 Hmcfhkjg.exe 2812 Hmcfhkjg.exe 2780 Ihmgiiff.exe 2780 Ihmgiiff.exe 2760 Ihpdoh32.exe 2760 Ihpdoh32.exe 2556 Iahhgnkd.exe 2556 Iahhgnkd.exe 3024 Iefamlak.exe 3024 Iefamlak.exe 712 Iggned32.exe 712 Iggned32.exe 352 Iihfgp32.exe 352 Iihfgp32.exe 2652 Jglgpdcc.exe 2652 Jglgpdcc.exe 1176 Jeadap32.exe 1176 Jeadap32.exe 2768 Jpfhoi32.exe 2768 Jpfhoi32.exe 1132 Jajala32.exe 1132 Jajala32.exe 2388 Jblnaq32.exe 2388 Jblnaq32.exe 2236 Jdkjnl32.exe 2236 Jdkjnl32.exe 276 Kfjggo32.exe 276 Kfjggo32.exe 1052 Kdbpnk32.exe 1052 Kdbpnk32.exe 1908 Kmmebm32.exe 1908 Kmmebm32.exe 1092 Kqknil32.exe 1092 Kqknil32.exe 1976 Lifbmn32.exe 1976 Lifbmn32.exe 1004 Lfjcfb32.exe 1004 Lfjcfb32.exe 2640 Lihobnap.exe 2640 Lihobnap.exe 1068 Lkihdioa.exe 1068 Lkihdioa.exe 2512 Lnhdqdnd.exe 2512 Lnhdqdnd.exe 1200 Lahmbo32.exe 1200 Lahmbo32.exe 2700 Ledibnco.exe 2700 Ledibnco.exe 2680 Lgbeoibb.exe 2680 Lgbeoibb.exe 2592 Mgebdipp.exe 2592 Mgebdipp.exe 2668 Meicnm32.exe 2668 Meicnm32.exe 2632 Mclcijfd.exe 2632 Mclcijfd.exe 776 Mapccndn.exe 776 Mapccndn.exe 1688 Mhilph32.exe 1688 Mhilph32.exe 2852 Mfoiqe32.exe 2852 Mfoiqe32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Amkbnp32.exe Aipfmane.exe File opened for modification C:\Windows\SysWOW64\Mkaghg32.exe Micklk32.exe File created C:\Windows\SysWOW64\Acfdnihk.exe Abegfa32.exe File created C:\Windows\SysWOW64\Aknlofim.exe Acfdnihk.exe File created C:\Windows\SysWOW64\Omlflo32.dll Dafmqb32.exe File created C:\Windows\SysWOW64\Oidglb32.exe Oehklddp.exe File created C:\Windows\SysWOW64\Pdonhj32.exe Oaqbln32.exe File created C:\Windows\SysWOW64\Enlidg32.exe Eknmhk32.exe File created C:\Windows\SysWOW64\Iajfhi32.dll Gkglnm32.exe File created C:\Windows\SysWOW64\Ipeaco32.exe Iikifegp.exe File created C:\Windows\SysWOW64\Dglfle32.dll Mkaghg32.exe File created C:\Windows\SysWOW64\Kfkmhkcc.dll Lihobnap.exe File opened for modification C:\Windows\SysWOW64\Ledibnco.exe Lahmbo32.exe File created C:\Windows\SysWOW64\Qqeagm32.dll Ogqaehak.exe File created C:\Windows\SysWOW64\Pnopldgn.exe Phbgcnig.exe File created C:\Windows\SysWOW64\Clgbno32.exe Bfkifhib.exe File created C:\Windows\SysWOW64\Gqiimfam.exe Fgadda32.exe File created C:\Windows\SysWOW64\Agacqb32.dll Halbai32.exe File opened for modification C:\Windows\SysWOW64\Maefamlh.exe Mjkndb32.exe File opened for modification C:\Windows\SysWOW64\Jajala32.exe Jpfhoi32.exe File opened for modification C:\Windows\SysWOW64\Lkihdioa.exe Lihobnap.exe File created C:\Windows\SysWOW64\Eipfohgn.dll Aipfmane.exe File created C:\Windows\SysWOW64\Danmmd32.exe Cifelgmd.exe File created C:\Windows\SysWOW64\Jbbobb32.dll Nbflno32.exe File opened for modification C:\Windows\SysWOW64\Offmipej.exe Odgamdef.exe File created C:\Windows\SysWOW64\Oabhggjd.dll Bdcifi32.exe File opened for modification C:\Windows\SysWOW64\Namclbil.exe Nlpkdkkd.exe File opened for modification C:\Windows\SysWOW64\Cgkocj32.exe Caaggpdh.exe File created C:\Windows\SysWOW64\Hcldhnkk.exe Hldlga32.exe File created C:\Windows\SysWOW64\Nblpfepo.exe Nkegeg32.exe File opened for modification C:\Windows\SysWOW64\Kljabgnh.exe Kjleflod.exe File created C:\Windows\SysWOW64\Akfkbd32.exe Aficjnpm.exe File created C:\Windows\SysWOW64\Lgmeid32.exe Lcaiiejc.exe File created C:\Windows\SysWOW64\Dejbqb32.exe Copjdhib.exe File created C:\Windows\SysWOW64\Effeckcj.dll Hahnac32.exe File opened for modification C:\Windows\SysWOW64\Nhjjgd32.exe Neknki32.exe File created C:\Windows\SysWOW64\Pilfpqaa.exe Pdonhj32.exe File created C:\Windows\SysWOW64\Ckcdknaf.dll Enlidg32.exe File opened for modification C:\Windows\SysWOW64\Hakkgc32.exe Hmoofdea.exe File opened for modification C:\Windows\SysWOW64\Opqoge32.exe Oiffkkbk.exe File created C:\Windows\SysWOW64\Qogbdl32.exe Qinjgbpg.exe File created C:\Windows\SysWOW64\Fbfnjhdd.dll Badnhbce.exe File opened for modification C:\Windows\SysWOW64\Mjfnomde.exe Mfjann32.exe File created C:\Windows\SysWOW64\Nbhbjgmd.dll Ajhiei32.exe File opened for modification C:\Windows\SysWOW64\Bpnddn32.exe Bjallg32.exe File created C:\Windows\SysWOW64\Hloiib32.exe Hipmmg32.exe File opened for modification C:\Windows\SysWOW64\Pnjofo32.exe Pgpgjepk.exe File created C:\Windows\SysWOW64\Ljqglfel.dll Bfqpecma.exe File opened for modification C:\Windows\SysWOW64\Nlpkdkkd.exe Nianhplq.exe File created C:\Windows\SysWOW64\Bnhoag32.exe Bgnfdm32.exe File created C:\Windows\SysWOW64\Heealhla.exe Hnkion32.exe File created C:\Windows\SysWOW64\Oaqbln32.exe Okgjodmi.exe File created C:\Windows\SysWOW64\Jcojdjpd.dll Neklbppb.exe File opened for modification C:\Windows\SysWOW64\Oekhacbn.exe Ocllehcj.exe File opened for modification C:\Windows\SysWOW64\Bjallg32.exe Bplhnoej.exe File created C:\Windows\SysWOW64\Obmgfhhe.dll Daipqhdg.exe File created C:\Windows\SysWOW64\Gmpcgace.exe Gfejjgli.exe File created C:\Windows\SysWOW64\Maanne32.dll Afdiondb.exe File created C:\Windows\SysWOW64\Medeaaej.exe Mdbiji32.exe File opened for modification C:\Windows\SysWOW64\Cepfgdnj.exe Cofnjj32.exe File opened for modification C:\Windows\SysWOW64\Mjnjjbbh.exe Mhonngce.exe File created C:\Windows\SysWOW64\Hneeilgj.exe Hlgimqhf.exe File created C:\Windows\SysWOW64\Opqoge32.exe Oiffkkbk.exe File created C:\Windows\SysWOW64\Ecinnn32.dll Pepcelel.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\system32†Edggmg32.¾ll Dpapaj32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iakgefqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gqiimfam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kadfkhkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Offmipej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll" Ceebklai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Enkpahon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cpfdhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iimfld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejebfdmb.dll" Ijclol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bigkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hloiib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hnbopmnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lomgjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lmgalkcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mpopnejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pmgbao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gchfle32.dll" Jbcjnnpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dbojdmcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komnbg32.dll" Lngnfnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgfkgo32.dll" Fhdjgoha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcpkhoab.dll" Fdkklp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmmjebjg.dll" Loqmba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aojabdlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bqijljfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kongke32.dll" Nefdpjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obahbj32.dll" Bqeqqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kmmebm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qgjqjjll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dkqnoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mkqqnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmgmc32.dll" Ahbekjcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ceebklai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kopnegcl.dll" Hapklimq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Adfqgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kgclio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Didlfg32.dll" Acqnnndl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dpkibo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Edfbaabj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpjflkfg.dll" Kdbpnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Affdle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fkjdopeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhokmehl.dll" Gfmgelil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qgmfchei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dafmqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bjpaop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogleomil.dll" Aigmnqgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbknmg32.dll" Kofaicon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckhnnjob.dll" Hneeilgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mbpipp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqcjjk32.dll" Pmpbdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haihjdkf.dll" Kqknil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhioaa32.dll" Lifbmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bncaekhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ffaaoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kaajei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bmkomchi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ffaaoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iikifegp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkbfgoak.dll" Hbiaemkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gkglnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmhgjdli.dll" Hfegij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pojecajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmekc32.dll" Iaeegh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jpogbgmi.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2664 wrote to memory of 2812 2664 29b90898b8fa2c993d0afd91d4cc9ec21d9a66a2e4d01b5db990c77498b8cff1.exe 30 PID 2664 wrote to memory of 2812 2664 29b90898b8fa2c993d0afd91d4cc9ec21d9a66a2e4d01b5db990c77498b8cff1.exe 30 PID 2664 wrote to memory of 2812 2664 29b90898b8fa2c993d0afd91d4cc9ec21d9a66a2e4d01b5db990c77498b8cff1.exe 30 PID 2664 wrote to memory of 2812 2664 29b90898b8fa2c993d0afd91d4cc9ec21d9a66a2e4d01b5db990c77498b8cff1.exe 30 PID 2812 wrote to memory of 2780 2812 Hmcfhkjg.exe 31 PID 2812 wrote to memory of 2780 2812 Hmcfhkjg.exe 31 PID 2812 wrote to memory of 2780 2812 Hmcfhkjg.exe 31 PID 2812 wrote to memory of 2780 2812 Hmcfhkjg.exe 31 PID 2780 wrote to memory of 2760 2780 Ihmgiiff.exe 32 PID 2780 wrote to memory of 2760 2780 Ihmgiiff.exe 32 PID 2780 wrote to memory of 2760 2780 Ihmgiiff.exe 32 PID 2780 wrote to memory of 2760 2780 Ihmgiiff.exe 32 PID 2760 wrote to memory of 2556 2760 Ihpdoh32.exe 33 PID 2760 wrote to memory of 2556 2760 Ihpdoh32.exe 33 PID 2760 wrote to memory of 2556 2760 Ihpdoh32.exe 33 PID 2760 wrote to memory of 2556 2760 Ihpdoh32.exe 33 PID 2556 wrote to memory of 3024 2556 Iahhgnkd.exe 34 PID 2556 wrote to memory of 3024 2556 Iahhgnkd.exe 34 PID 2556 wrote to memory of 3024 2556 Iahhgnkd.exe 34 PID 2556 wrote to memory of 3024 2556 Iahhgnkd.exe 34 PID 3024 wrote to memory of 712 3024 Iefamlak.exe 35 PID 3024 wrote to memory of 712 3024 Iefamlak.exe 35 PID 3024 wrote to memory of 712 3024 Iefamlak.exe 35 PID 3024 wrote to memory of 712 3024 Iefamlak.exe 35 PID 712 wrote to memory of 352 712 Iggned32.exe 36 PID 712 wrote to memory of 352 712 Iggned32.exe 36 PID 712 wrote to memory of 352 712 Iggned32.exe 36 PID 712 wrote to memory of 352 712 Iggned32.exe 36 PID 352 wrote to memory of 2652 352 Iihfgp32.exe 37 PID 352 wrote to memory of 2652 352 Iihfgp32.exe 37 PID 352 wrote to memory of 2652 352 Iihfgp32.exe 37 PID 352 wrote to memory of 2652 352 Iihfgp32.exe 37 PID 2652 wrote to memory of 1176 2652 Jglgpdcc.exe 38 PID 2652 wrote to memory of 1176 2652 Jglgpdcc.exe 38 PID 2652 wrote to memory of 1176 2652 Jglgpdcc.exe 38 PID 2652 wrote to memory of 1176 2652 Jglgpdcc.exe 38 PID 1176 wrote to memory of 2768 1176 Jeadap32.exe 39 PID 1176 wrote to memory of 2768 1176 Jeadap32.exe 39 PID 1176 wrote to memory of 2768 1176 Jeadap32.exe 39 PID 1176 wrote to memory of 2768 1176 Jeadap32.exe 39 PID 2768 wrote to memory of 1132 2768 Jpfhoi32.exe 40 PID 2768 wrote to memory of 1132 2768 Jpfhoi32.exe 40 PID 2768 wrote to memory of 1132 2768 Jpfhoi32.exe 40 PID 2768 wrote to memory of 1132 2768 Jpfhoi32.exe 40 PID 1132 wrote to memory of 2388 1132 Jajala32.exe 41 PID 1132 wrote to memory of 2388 1132 Jajala32.exe 41 PID 1132 wrote to memory of 2388 1132 Jajala32.exe 41 PID 1132 wrote to memory of 2388 1132 Jajala32.exe 41 PID 2388 wrote to memory of 2236 2388 Jblnaq32.exe 42 PID 2388 wrote to memory of 2236 2388 Jblnaq32.exe 42 PID 2388 wrote to memory of 2236 2388 Jblnaq32.exe 42 PID 2388 wrote to memory of 2236 2388 Jblnaq32.exe 42 PID 2236 wrote to memory of 276 2236 Jdkjnl32.exe 43 PID 2236 wrote to memory of 276 2236 Jdkjnl32.exe 43 PID 2236 wrote to memory of 276 2236 Jdkjnl32.exe 43 PID 2236 wrote to memory of 276 2236 Jdkjnl32.exe 43 PID 276 wrote to memory of 1052 276 Kfjggo32.exe 44 PID 276 wrote to memory of 1052 276 Kfjggo32.exe 44 PID 276 wrote to memory of 1052 276 Kfjggo32.exe 44 PID 276 wrote to memory of 1052 276 Kfjggo32.exe 44 PID 1052 wrote to memory of 1908 1052 Kdbpnk32.exe 45 PID 1052 wrote to memory of 1908 1052 Kdbpnk32.exe 45 PID 1052 wrote to memory of 1908 1052 Kdbpnk32.exe 45 PID 1052 wrote to memory of 1908 1052 Kdbpnk32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\29b90898b8fa2c993d0afd91d4cc9ec21d9a66a2e4d01b5db990c77498b8cff1.exe"C:\Users\Admin\AppData\Local\Temp\29b90898b8fa2c993d0afd91d4cc9ec21d9a66a2e4d01b5db990c77498b8cff1.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Hmcfhkjg.exeC:\Windows\system32\Hmcfhkjg.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Ihmgiiff.exeC:\Windows\system32\Ihmgiiff.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Ihpdoh32.exeC:\Windows\system32\Ihpdoh32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Iahhgnkd.exeC:\Windows\system32\Iahhgnkd.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Iefamlak.exeC:\Windows\system32\Iefamlak.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Iggned32.exeC:\Windows\system32\Iggned32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:712 -
C:\Windows\SysWOW64\Iihfgp32.exeC:\Windows\system32\Iihfgp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:352 -
C:\Windows\SysWOW64\Jglgpdcc.exeC:\Windows\system32\Jglgpdcc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Jeadap32.exeC:\Windows\system32\Jeadap32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\Jpfhoi32.exeC:\Windows\system32\Jpfhoi32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Jajala32.exeC:\Windows\system32\Jajala32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Jblnaq32.exeC:\Windows\system32\Jblnaq32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Jdkjnl32.exeC:\Windows\system32\Jdkjnl32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Kfjggo32.exeC:\Windows\system32\Kfjggo32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:276 -
C:\Windows\SysWOW64\Kdbpnk32.exeC:\Windows\system32\Kdbpnk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Kmmebm32.exeC:\Windows\system32\Kmmebm32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1908 -
C:\Windows\SysWOW64\Kqknil32.exeC:\Windows\system32\Kqknil32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1092 -
C:\Windows\SysWOW64\Lifbmn32.exeC:\Windows\system32\Lifbmn32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Lfjcfb32.exeC:\Windows\system32\Lfjcfb32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1004 -
C:\Windows\SysWOW64\Lihobnap.exeC:\Windows\system32\Lihobnap.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Lkihdioa.exeC:\Windows\system32\Lkihdioa.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1068 -
C:\Windows\SysWOW64\Lnhdqdnd.exeC:\Windows\system32\Lnhdqdnd.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2512 -
C:\Windows\SysWOW64\Lahmbo32.exeC:\Windows\system32\Lahmbo32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1200 -
C:\Windows\SysWOW64\Ledibnco.exeC:\Windows\system32\Ledibnco.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Lgbeoibb.exeC:\Windows\system32\Lgbeoibb.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Mgebdipp.exeC:\Windows\system32\Mgebdipp.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2592 -
C:\Windows\SysWOW64\Meicnm32.exeC:\Windows\system32\Meicnm32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Mclcijfd.exeC:\Windows\system32\Mclcijfd.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2632 -
C:\Windows\SysWOW64\Mapccndn.exeC:\Windows\system32\Mapccndn.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:776 -
C:\Windows\SysWOW64\Mhilph32.exeC:\Windows\system32\Mhilph32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Mfoiqe32.exeC:\Windows\system32\Mfoiqe32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2852 -
C:\Windows\SysWOW64\Mjjdacik.exeC:\Windows\system32\Mjjdacik.exe33⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Mdbiji32.exeC:\Windows\system32\Mdbiji32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1860 -
C:\Windows\SysWOW64\Medeaaej.exeC:\Windows\system32\Medeaaej.exe35⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Nlnnnk32.exeC:\Windows\system32\Nlnnnk32.exe36⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Noljjglk.exeC:\Windows\system32\Noljjglk.exe37⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Nianhplq.exeC:\Windows\system32\Nianhplq.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Nlpkdkkd.exeC:\Windows\system32\Nlpkdkkd.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2224 -
C:\Windows\SysWOW64\Namclbil.exeC:\Windows\system32\Namclbil.exe40⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Nidkmojn.exeC:\Windows\system32\Nidkmojn.exe41⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Nkegeg32.exeC:\Windows\system32\Nkegeg32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2128 -
C:\Windows\SysWOW64\Nblpfepo.exeC:\Windows\system32\Nblpfepo.exe43⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Neklbppb.exeC:\Windows\system32\Neklbppb.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1056 -
C:\Windows\SysWOW64\Nhiholof.exeC:\Windows\system32\Nhiholof.exe45⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Naalga32.exeC:\Windows\system32\Naalga32.exe46⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Nemhhpmp.exeC:\Windows\system32\Nemhhpmp.exe47⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Noemqe32.exeC:\Windows\system32\Noemqe32.exe48⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Nmhmlbkk.exeC:\Windows\system32\Nmhmlbkk.exe49⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Odbeilbg.exeC:\Windows\system32\Odbeilbg.exe50⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Ogqaehak.exeC:\Windows\system32\Ogqaehak.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Oaffbqaa.exeC:\Windows\system32\Oaffbqaa.exe52⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Odebolpe.exeC:\Windows\system32\Odebolpe.exe53⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Ogcnkgoh.exeC:\Windows\system32\Ogcnkgoh.exe54⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Okojkf32.exeC:\Windows\system32\Okojkf32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Odgodl32.exeC:\Windows\system32\Odgodl32.exe56⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Oehklddp.exeC:\Windows\system32\Oehklddp.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:316 -
C:\Windows\SysWOW64\Oidglb32.exeC:\Windows\system32\Oidglb32.exe58⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Opnpimdf.exeC:\Windows\system32\Opnpimdf.exe59⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Ocllehcj.exeC:\Windows\system32\Ocllehcj.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Oekhacbn.exeC:\Windows\system32\Oekhacbn.exe61⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Opplolac.exeC:\Windows\system32\Opplolac.exe62⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Ocohkh32.exeC:\Windows\system32\Ocohkh32.exe63⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Oihqgbhd.exeC:\Windows\system32\Oihqgbhd.exe64⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Olgmcmgh.exeC:\Windows\system32\Olgmcmgh.exe65⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Poeipifl.exeC:\Windows\system32\Poeipifl.exe66⤵PID:1408
-
C:\Windows\SysWOW64\Peoalc32.exeC:\Windows\system32\Peoalc32.exe67⤵PID:3012
-
C:\Windows\SysWOW64\Pdbahpec.exeC:\Windows\system32\Pdbahpec.exe68⤵PID:1060
-
C:\Windows\SysWOW64\Pkljdj32.exeC:\Windows\system32\Pkljdj32.exe69⤵PID:984
-
C:\Windows\SysWOW64\Pohfehdi.exeC:\Windows\system32\Pohfehdi.exe70⤵PID:1556
-
C:\Windows\SysWOW64\Pddnnp32.exeC:\Windows\system32\Pddnnp32.exe71⤵PID:2584
-
C:\Windows\SysWOW64\Pkofjijm.exeC:\Windows\system32\Pkofjijm.exe72⤵PID:2588
-
C:\Windows\SysWOW64\Pnmcfeia.exeC:\Windows\system32\Pnmcfeia.exe73⤵PID:2992
-
C:\Windows\SysWOW64\Phbgcnig.exeC:\Windows\system32\Phbgcnig.exe74⤵
- Drops file in System32 directory
PID:284 -
C:\Windows\SysWOW64\Pnopldgn.exeC:\Windows\system32\Pnopldgn.exe75⤵PID:2880
-
C:\Windows\SysWOW64\Pqnlhpfb.exeC:\Windows\system32\Pqnlhpfb.exe76⤵PID:2444
-
C:\Windows\SysWOW64\Pdihiook.exeC:\Windows\system32\Pdihiook.exe77⤵PID:2452
-
C:\Windows\SysWOW64\Pjfpafmb.exeC:\Windows\system32\Pjfpafmb.exe78⤵PID:2152
-
C:\Windows\SysWOW64\Pmdmmalf.exeC:\Windows\system32\Pmdmmalf.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2156 -
C:\Windows\SysWOW64\Qgjqjjll.exeC:\Windows\system32\Qgjqjjll.exe80⤵
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Qndigd32.exeC:\Windows\system32\Qndigd32.exe81⤵PID:624
-
C:\Windows\SysWOW64\Qqbecp32.exeC:\Windows\system32\Qqbecp32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2948 -
C:\Windows\SysWOW64\Qcqaok32.exeC:\Windows\system32\Qcqaok32.exe83⤵PID:1520
-
C:\Windows\SysWOW64\Qfonkfqd.exeC:\Windows\system32\Qfonkfqd.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1644 -
C:\Windows\SysWOW64\Qinjgbpg.exeC:\Windows\system32\Qinjgbpg.exe85⤵
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Qogbdl32.exeC:\Windows\system32\Qogbdl32.exe86⤵PID:2524
-
C:\Windows\SysWOW64\Abfnpg32.exeC:\Windows\system32\Abfnpg32.exe87⤵PID:1988
-
C:\Windows\SysWOW64\Aipfmane.exeC:\Windows\system32\Aipfmane.exe88⤵
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Amkbnp32.exeC:\Windows\system32\Amkbnp32.exe89⤵PID:2692
-
C:\Windows\SysWOW64\Abhkfg32.exeC:\Windows\system32\Abhkfg32.exe90⤵PID:2620
-
C:\Windows\SysWOW64\Afdgfelo.exeC:\Windows\system32\Afdgfelo.exe91⤵PID:1044
-
C:\Windows\SysWOW64\Amnocpdk.exeC:\Windows\system32\Amnocpdk.exe92⤵PID:1900
-
C:\Windows\SysWOW64\Anolkh32.exeC:\Windows\system32\Anolkh32.exe93⤵PID:2028
-
C:\Windows\SysWOW64\Affdle32.exeC:\Windows\system32\Affdle32.exe94⤵
- Modifies registry class
PID:1920 -
C:\Windows\SysWOW64\Aidphq32.exeC:\Windows\system32\Aidphq32.exe95⤵PID:1260
-
C:\Windows\SysWOW64\Aggpdnpj.exeC:\Windows\system32\Aggpdnpj.exe96⤵PID:660
-
C:\Windows\SysWOW64\Anahqh32.exeC:\Windows\system32\Anahqh32.exe97⤵PID:2644
-
C:\Windows\SysWOW64\Aigmnqgm.exeC:\Windows\system32\Aigmnqgm.exe98⤵
- Modifies registry class
PID:1136 -
C:\Windows\SysWOW64\Akeijlfq.exeC:\Windows\system32\Akeijlfq.exe99⤵PID:1032
-
C:\Windows\SysWOW64\Ajhiei32.exeC:\Windows\system32\Ajhiei32.exe100⤵
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Aababceh.exeC:\Windows\system32\Aababceh.exe101⤵PID:2068
-
C:\Windows\SysWOW64\Acqnnndl.exeC:\Windows\system32\Acqnnndl.exe102⤵
- Modifies registry class
PID:1956 -
C:\Windows\SysWOW64\Akhfoldn.exeC:\Windows\system32\Akhfoldn.exe103⤵PID:2816
-
C:\Windows\SysWOW64\Bmibgd32.exeC:\Windows\system32\Bmibgd32.exe104⤵PID:2688
-
C:\Windows\SysWOW64\Badnhbce.exeC:\Windows\system32\Badnhbce.exe105⤵
- Drops file in System32 directory
PID:484 -
C:\Windows\SysWOW64\Bgnfdm32.exeC:\Windows\system32\Bgnfdm32.exe106⤵
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Bnhoag32.exeC:\Windows\system32\Bnhoag32.exe107⤵PID:2888
-
C:\Windows\SysWOW64\Bmkomchi.exeC:\Windows\system32\Bmkomchi.exe108⤵
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Bfccei32.exeC:\Windows\system32\Bfccei32.exe109⤵PID:852
-
C:\Windows\SysWOW64\Bibpad32.exeC:\Windows\system32\Bibpad32.exe110⤵PID:2256
-
C:\Windows\SysWOW64\Bplhnoej.exeC:\Windows\system32\Bplhnoej.exe111⤵
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Bjallg32.exeC:\Windows\system32\Bjallg32.exe112⤵
- Drops file in System32 directory
PID:940 -
C:\Windows\SysWOW64\Bpnddn32.exeC:\Windows\system32\Bpnddn32.exe113⤵PID:1592
-
C:\Windows\SysWOW64\Bfhmqhkd.exeC:\Windows\system32\Bfhmqhkd.exe114⤵PID:2320
-
C:\Windows\SysWOW64\Bekmle32.exeC:\Windows\system32\Bekmle32.exe115⤵PID:1712
-
C:\Windows\SysWOW64\Bncaekhp.exeC:\Windows\system32\Bncaekhp.exe116⤵
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Bfkifhib.exeC:\Windows\system32\Bfkifhib.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Clgbno32.exeC:\Windows\system32\Clgbno32.exe118⤵PID:2984
-
C:\Windows\SysWOW64\Cofnjj32.exeC:\Windows\system32\Cofnjj32.exe119⤵
- Drops file in System32 directory
PID:2248 -
C:\Windows\SysWOW64\Cepfgdnj.exeC:\Windows\system32\Cepfgdnj.exe120⤵PID:1952
-
C:\Windows\SysWOW64\Chnbcpmn.exeC:\Windows\system32\Chnbcpmn.exe121⤵PID:2616
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-