Analysis
-
max time kernel
117s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
15-07-2024 12:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d75e9397b1ef6ab0ec06160dd0315700N.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
d75e9397b1ef6ab0ec06160dd0315700N.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
120 seconds
General
-
Target
d75e9397b1ef6ab0ec06160dd0315700N.exe
-
Size
71KB
-
MD5
d75e9397b1ef6ab0ec06160dd0315700
-
SHA1
d93c61a4eb6edd3abad2f5c7bfd077bc501ddbc2
-
SHA256
0164d1604b04bb5412462c5082b44e272170c86f8a0fdc8d5987847cd5a881b4
-
SHA512
b7b88a5baff3a4f05a0e4084742fc2ae9838f7de8beb523db8649262da9325750f2055add8be60a7150b8b7481ce7e5e7afd4c14ed2910b0ffd0a148493583c6
-
SSDEEP
1536:+Pt6p2sk242AtYEbsJjMcIQpOiOzmEYb2RQrK1P+ATT:+P6XkemQjM3QpYPe2P+A3
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbfjkj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dooqceid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khcbpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Olopjddf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmenhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hclhjpjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdnkanfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjilde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nokcbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fappgflg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjihci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bceeqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pfando32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olopjddf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdapjglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oleepo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afpogk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Agkako32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Afcdpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cglcek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gipngg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Docopbaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hnnjfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nlohmonb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egpena32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddbolkac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhhqfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmjlof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lhoohgdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dncdqcbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fijbco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ekbhnkhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgbmco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjkehhjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moeeelhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hljaigmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hganjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ccnddg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfaljjdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbjjekhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dchpnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pfoanp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pcenmcea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lckpbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjljnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeojcmfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ffdilo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qnpcpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkgbcofn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Igcjgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Khcbpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijnnao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fnkpcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ciebdj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehpcehcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oekmceaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Padccpal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hjohmbpd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcciqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Maiqfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dodahk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jjilde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oninhgae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opjkpo32.exe -
Executes dropped EXE 64 IoCs
pid Process 2600 Blfapfpg.exe 2116 Bfoeil32.exe 2668 Bfabnl32.exe 2632 Bfcodkcb.exe 568 Bolcma32.exe 2532 Bdhleh32.exe 1324 Bjedmo32.exe 2496 Bdkhjgeh.exe 2836 Cncmcm32.exe 572 Cfoaho32.exe 2008 Cqdfehii.exe 1172 Cjljnn32.exe 2140 Cceogcfj.exe 2216 Djjjga32.exe 1052 Dcbnpgkh.exe 1516 Dmkcil32.exe 1492 Dnjoco32.exe 556 Dhbdleol.exe 2604 Eifmimch.exe 1976 Efjmbaba.exe 1944 Epbbkf32.exe 1012 Eeojcmfi.exe 1140 Elibpg32.exe 1004 Ebckmaec.exe 3044 Ehpcehcj.exe 2704 Fbegbacp.exe 2608 Folhgbid.exe 2744 Fggmldfp.exe 2788 Famaimfe.exe 2756 Fdnjkh32.exe 2524 Fijbco32.exe 2512 Fimoiopk.exe 1476 Gcedad32.exe 2864 Goldfelp.exe 852 Gkcekfad.exe 680 Gehiioaj.exe 2104 Gkebafoa.exe 1088 Gekfnoog.exe 2900 Gnfkba32.exe 2232 Hkjkle32.exe 2868 Hqgddm32.exe 1176 Hjohmbpd.exe 664 Hjaeba32.exe 1560 Hcjilgdb.exe 1716 Hjcaha32.exe 1952 Hjfnnajl.exe 2380 Icncgf32.exe 1488 Iikkon32.exe 2420 Iakino32.exe 880 Ijcngenj.exe 1608 Jmdgipkk.exe 2904 Jgjkfi32.exe 2656 Jikhnaao.exe 2860 Jcqlkjae.exe 2684 Jjjdhc32.exe 2680 Jllqplnp.exe 3016 Jcciqi32.exe 2828 Jedehaea.exe 2832 Jlnmel32.exe 1788 Jfcabd32.exe 2192 Jlqjkk32.exe 2908 Kambcbhb.exe 2708 Khgkpl32.exe 1296 Kdnkdmec.exe -
Loads dropped DLL 64 IoCs
pid Process 2288 d75e9397b1ef6ab0ec06160dd0315700N.exe 2288 d75e9397b1ef6ab0ec06160dd0315700N.exe 2600 Blfapfpg.exe 2600 Blfapfpg.exe 2116 Bfoeil32.exe 2116 Bfoeil32.exe 2668 Bfabnl32.exe 2668 Bfabnl32.exe 2632 Bfcodkcb.exe 2632 Bfcodkcb.exe 568 Bolcma32.exe 568 Bolcma32.exe 2532 Bdhleh32.exe 2532 Bdhleh32.exe 1324 Bjedmo32.exe 1324 Bjedmo32.exe 2496 Bdkhjgeh.exe 2496 Bdkhjgeh.exe 2836 Cncmcm32.exe 2836 Cncmcm32.exe 572 Cfoaho32.exe 572 Cfoaho32.exe 2008 Cqdfehii.exe 2008 Cqdfehii.exe 1172 Cjljnn32.exe 1172 Cjljnn32.exe 2140 Cceogcfj.exe 2140 Cceogcfj.exe 2216 Djjjga32.exe 2216 Djjjga32.exe 1052 Dcbnpgkh.exe 1052 Dcbnpgkh.exe 1516 Dmkcil32.exe 1516 Dmkcil32.exe 1492 Dnjoco32.exe 1492 Dnjoco32.exe 556 Dhbdleol.exe 556 Dhbdleol.exe 2604 Eifmimch.exe 2604 Eifmimch.exe 1976 Efjmbaba.exe 1976 Efjmbaba.exe 1944 Epbbkf32.exe 1944 Epbbkf32.exe 1012 Eeojcmfi.exe 1012 Eeojcmfi.exe 1140 Elibpg32.exe 1140 Elibpg32.exe 1004 Ebckmaec.exe 1004 Ebckmaec.exe 3044 Ehpcehcj.exe 3044 Ehpcehcj.exe 2704 Fbegbacp.exe 2704 Fbegbacp.exe 2608 Folhgbid.exe 2608 Folhgbid.exe 2744 Fggmldfp.exe 2744 Fggmldfp.exe 2788 Famaimfe.exe 2788 Famaimfe.exe 2756 Fdnjkh32.exe 2756 Fdnjkh32.exe 2524 Fijbco32.exe 2524 Fijbco32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Heiojloh.dll Goiafp32.exe File created C:\Windows\SysWOW64\Djeljd32.exe Ddhcbnnn.exe File created C:\Windows\SysWOW64\Aehmoh32.exe Pkplgoop.exe File created C:\Windows\SysWOW64\Ljbipolj.exe Laidgi32.exe File opened for modification C:\Windows\SysWOW64\Pqjhjf32.exe Pkmobp32.exe File created C:\Windows\SysWOW64\Gaclkmid.dll Dogpfc32.exe File opened for modification C:\Windows\SysWOW64\Fpcblkje.exe Fnafdc32.exe File opened for modification C:\Windows\SysWOW64\Mhqjen32.exe Lafahdcc.exe File opened for modification C:\Windows\SysWOW64\Jgbmco32.exe Jbedkhie.exe File created C:\Windows\SysWOW64\Agngpn32.dll Chgimh32.exe File created C:\Windows\SysWOW64\Pkmnfogl.dll Pkmobp32.exe File created C:\Windows\SysWOW64\Bolcma32.exe Bfcodkcb.exe File created C:\Windows\SysWOW64\Dmadmn32.dll Kfjfik32.exe File created C:\Windows\SysWOW64\Phkfglid.dll Gfogneop.exe File opened for modification C:\Windows\SysWOW64\Fimoiopk.exe Fijbco32.exe File created C:\Windows\SysWOW64\Jjgonf32.exe Jcmgal32.exe File opened for modification C:\Windows\SysWOW64\Caepdk32.exe Cdapjglj.exe File created C:\Windows\SysWOW64\Fnmjpk32.exe Fipbhd32.exe File opened for modification C:\Windows\SysWOW64\Bphaglgo.exe Bhmmcjjd.exe File created C:\Windows\SysWOW64\Jqlidcln.dll Ckiiiine.exe File created C:\Windows\SysWOW64\Ogepbg32.dll Jdmjfe32.exe File created C:\Windows\SysWOW64\Mbjfcnkg.exe Lmhdph32.exe File opened for modification C:\Windows\SysWOW64\Bfabnl32.exe Bfoeil32.exe File opened for modification C:\Windows\SysWOW64\Kdnkdmec.exe Khgkpl32.exe File opened for modification C:\Windows\SysWOW64\Ecmjid32.exe Enpban32.exe File opened for modification C:\Windows\SysWOW64\Lcffgnnc.exe Lmlnjcgg.exe File created C:\Windows\SysWOW64\Ncfjajma.exe Nllbdp32.exe File created C:\Windows\SysWOW64\Pejkoijd.dll Kbpnkm32.exe File opened for modification C:\Windows\SysWOW64\Deahcneh.exe Dogpfc32.exe File opened for modification C:\Windows\SysWOW64\Mbjfcnkg.exe Lmhdph32.exe File opened for modification C:\Windows\SysWOW64\Dhbdleol.exe Dnjoco32.exe File created C:\Windows\SysWOW64\Folhgbid.exe Fbegbacp.exe File opened for modification C:\Windows\SysWOW64\Nghpjn32.exe Nbkgbg32.exe File created C:\Windows\SysWOW64\Nhocol32.dll Jihdnk32.exe File opened for modification C:\Windows\SysWOW64\Fnmjpk32.exe Fipbhd32.exe File created C:\Windows\SysWOW64\Fahpaj32.dll Cgbfcjag.exe File opened for modification C:\Windows\SysWOW64\Dekeeonn.exe Dlbaljhn.exe File created C:\Windows\SysWOW64\Olchjp32.exe Ojblbgdg.exe File opened for modification C:\Windows\SysWOW64\Aedlhg32.exe Aokckm32.exe File opened for modification C:\Windows\SysWOW64\Cqjhcfpc.exe Cjppfl32.exe File created C:\Windows\SysWOW64\Chggdoee.exe Boobki32.exe File opened for modification C:\Windows\SysWOW64\Aankkqfl.exe Ahfgbkpl.exe File created C:\Windows\SysWOW64\Imldmnjj.dll Eifmimch.exe File opened for modification C:\Windows\SysWOW64\Nkaoemjm.exe Ndggib32.exe File created C:\Windows\SysWOW64\Ccboal32.dll Gpogiglp.exe File created C:\Windows\SysWOW64\Epnkip32.exe Ejabqi32.exe File opened for modification C:\Windows\SysWOW64\Inplqlng.exe Idghhf32.exe File created C:\Windows\SysWOW64\Pmcgmkil.exe Oqlfhjch.exe File opened for modification C:\Windows\SysWOW64\Anmbje32.exe Aiqjao32.exe File created C:\Windows\SysWOW64\Egdpmo32.dll Bolcma32.exe File opened for modification C:\Windows\SysWOW64\Hganjo32.exe Hofjem32.exe File created C:\Windows\SysWOW64\Akjfgh32.dll Neblqoel.exe File opened for modification C:\Windows\SysWOW64\Dfpcblfp.exe Dpfkeb32.exe File opened for modification C:\Windows\SysWOW64\Bpboinpd.exe Bfjkphjd.exe File created C:\Windows\SysWOW64\Dlkcdc32.dll Fjdnne32.exe File created C:\Windows\SysWOW64\Jdlclo32.exe Jjgonf32.exe File created C:\Windows\SysWOW64\Knaeeo32.exe Kiemmh32.exe File created C:\Windows\SysWOW64\Lmlepi32.dll Kglfcd32.exe File created C:\Windows\SysWOW64\Anjojphb.exe Acejlfhl.exe File created C:\Windows\SysWOW64\Mhmkph32.dll Hffjng32.exe File created C:\Windows\SysWOW64\Eceimadb.exe Deahcneh.exe File created C:\Windows\SysWOW64\Hqmkfaia.dll Gcedad32.exe File created C:\Windows\SysWOW64\Lolijfnc.dll Pjahakgb.exe File opened for modification C:\Windows\SysWOW64\Bodhjdcc.exe Beldao32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3252 3600 WerFault.exe 679 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fheoiqgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kepgmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgaimd32.dll" Oecnkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogbidjgd.dll" Ciebdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Khldkllj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dpfkeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnfnhaca.dll" Nfglfdeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnnfllod.dll" Kigibh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dcmpcjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bojkib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dnjoco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjhjbhcg.dll" Palpneop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pcnfdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dcjaeamd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjigapme.dll" Ofgbkacb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Moeeelhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkimmgco.dll" Hjggap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loimal32.dll" Hganjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fijnabef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmmlkl.dll" Phcleoho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qigebglj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ejabqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dogpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gaeqmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pomebdea.dll" Kgdgpfnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhalab32.dll" Hehafe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fggmldfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epjecp32.dll" Qifnhaho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dhobgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clneaj32.dll" Bimbql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cdnjaibm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jcciqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaamhelq.dll" Lpnopm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Padjmfdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghghie32.dll" Djeljd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Olkjaflh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Olchjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdklmlof.dll" Ilgjhena.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kbkdpnil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Palkap32.dll" Ikjlmjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mlhmkbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Danmddgh.dll" Bcfmfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpcafifg.dll" Kdnkdmec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmdaehpn.dll" Adiaommc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edalmn32.dll" Bbikig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Papank32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppdbln32.dll" Loclai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pokkfdac.dll" Negeln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohiimmp.dll" Bodhjdcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nahfkigd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjhfd32.dll" Fbiijb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fnafdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bedoacoi.dll" Blniinac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bakaaepk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bggjjlnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbndmh32.dll" Jbfkeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpopml32.dll" Pnkiebib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glipgk32.dll" Ckpoih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmogcf32.dll" Gnfkba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lekghdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdpemeck.dll" Dfngll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ehpcehcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Laeidfdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bakbgd32.dll" Fmlecinf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2288 wrote to memory of 2600 2288 d75e9397b1ef6ab0ec06160dd0315700N.exe 31 PID 2288 wrote to memory of 2600 2288 d75e9397b1ef6ab0ec06160dd0315700N.exe 31 PID 2288 wrote to memory of 2600 2288 d75e9397b1ef6ab0ec06160dd0315700N.exe 31 PID 2288 wrote to memory of 2600 2288 d75e9397b1ef6ab0ec06160dd0315700N.exe 31 PID 2600 wrote to memory of 2116 2600 Blfapfpg.exe 32 PID 2600 wrote to memory of 2116 2600 Blfapfpg.exe 32 PID 2600 wrote to memory of 2116 2600 Blfapfpg.exe 32 PID 2600 wrote to memory of 2116 2600 Blfapfpg.exe 32 PID 2116 wrote to memory of 2668 2116 Bfoeil32.exe 33 PID 2116 wrote to memory of 2668 2116 Bfoeil32.exe 33 PID 2116 wrote to memory of 2668 2116 Bfoeil32.exe 33 PID 2116 wrote to memory of 2668 2116 Bfoeil32.exe 33 PID 2668 wrote to memory of 2632 2668 Bfabnl32.exe 34 PID 2668 wrote to memory of 2632 2668 Bfabnl32.exe 34 PID 2668 wrote to memory of 2632 2668 Bfabnl32.exe 34 PID 2668 wrote to memory of 2632 2668 Bfabnl32.exe 34 PID 2632 wrote to memory of 568 2632 Bfcodkcb.exe 35 PID 2632 wrote to memory of 568 2632 Bfcodkcb.exe 35 PID 2632 wrote to memory of 568 2632 Bfcodkcb.exe 35 PID 2632 wrote to memory of 568 2632 Bfcodkcb.exe 35 PID 568 wrote to memory of 2532 568 Bolcma32.exe 36 PID 568 wrote to memory of 2532 568 Bolcma32.exe 36 PID 568 wrote to memory of 2532 568 Bolcma32.exe 36 PID 568 wrote to memory of 2532 568 Bolcma32.exe 36 PID 2532 wrote to memory of 1324 2532 Bdhleh32.exe 37 PID 2532 wrote to memory of 1324 2532 Bdhleh32.exe 37 PID 2532 wrote to memory of 1324 2532 Bdhleh32.exe 37 PID 2532 wrote to memory of 1324 2532 Bdhleh32.exe 37 PID 1324 wrote to memory of 2496 1324 Bjedmo32.exe 38 PID 1324 wrote to memory of 2496 1324 Bjedmo32.exe 38 PID 1324 wrote to memory of 2496 1324 Bjedmo32.exe 38 PID 1324 wrote to memory of 2496 1324 Bjedmo32.exe 38 PID 2496 wrote to memory of 2836 2496 Bdkhjgeh.exe 39 PID 2496 wrote to memory of 2836 2496 Bdkhjgeh.exe 39 PID 2496 wrote to memory of 2836 2496 Bdkhjgeh.exe 39 PID 2496 wrote to memory of 2836 2496 Bdkhjgeh.exe 39 PID 2836 wrote to memory of 572 2836 Cncmcm32.exe 40 PID 2836 wrote to memory of 572 2836 Cncmcm32.exe 40 PID 2836 wrote to memory of 572 2836 Cncmcm32.exe 40 PID 2836 wrote to memory of 572 2836 Cncmcm32.exe 40 PID 572 wrote to memory of 2008 572 Cfoaho32.exe 41 PID 572 wrote to memory of 2008 572 Cfoaho32.exe 41 PID 572 wrote to memory of 2008 572 Cfoaho32.exe 41 PID 572 wrote to memory of 2008 572 Cfoaho32.exe 41 PID 2008 wrote to memory of 1172 2008 Cqdfehii.exe 42 PID 2008 wrote to memory of 1172 2008 Cqdfehii.exe 42 PID 2008 wrote to memory of 1172 2008 Cqdfehii.exe 42 PID 2008 wrote to memory of 1172 2008 Cqdfehii.exe 42 PID 1172 wrote to memory of 2140 1172 Cjljnn32.exe 43 PID 1172 wrote to memory of 2140 1172 Cjljnn32.exe 43 PID 1172 wrote to memory of 2140 1172 Cjljnn32.exe 43 PID 1172 wrote to memory of 2140 1172 Cjljnn32.exe 43 PID 2140 wrote to memory of 2216 2140 Cceogcfj.exe 44 PID 2140 wrote to memory of 2216 2140 Cceogcfj.exe 44 PID 2140 wrote to memory of 2216 2140 Cceogcfj.exe 44 PID 2140 wrote to memory of 2216 2140 Cceogcfj.exe 44 PID 2216 wrote to memory of 1052 2216 Djjjga32.exe 45 PID 2216 wrote to memory of 1052 2216 Djjjga32.exe 45 PID 2216 wrote to memory of 1052 2216 Djjjga32.exe 45 PID 2216 wrote to memory of 1052 2216 Djjjga32.exe 45 PID 1052 wrote to memory of 1516 1052 Dcbnpgkh.exe 46 PID 1052 wrote to memory of 1516 1052 Dcbnpgkh.exe 46 PID 1052 wrote to memory of 1516 1052 Dcbnpgkh.exe 46 PID 1052 wrote to memory of 1516 1052 Dcbnpgkh.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\d75e9397b1ef6ab0ec06160dd0315700N.exe"C:\Users\Admin\AppData\Local\Temp\d75e9397b1ef6ab0ec06160dd0315700N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Blfapfpg.exeC:\Windows\system32\Blfapfpg.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Bfoeil32.exeC:\Windows\system32\Bfoeil32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Bfabnl32.exeC:\Windows\system32\Bfabnl32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Bfcodkcb.exeC:\Windows\system32\Bfcodkcb.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Bolcma32.exeC:\Windows\system32\Bolcma32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Windows\SysWOW64\Bdhleh32.exeC:\Windows\system32\Bdhleh32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Bjedmo32.exeC:\Windows\system32\Bjedmo32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\Bdkhjgeh.exeC:\Windows\system32\Bdkhjgeh.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Cncmcm32.exeC:\Windows\system32\Cncmcm32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Cfoaho32.exeC:\Windows\system32\Cfoaho32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\SysWOW64\Cqdfehii.exeC:\Windows\system32\Cqdfehii.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Cjljnn32.exeC:\Windows\system32\Cjljnn32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\SysWOW64\Cceogcfj.exeC:\Windows\system32\Cceogcfj.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Djjjga32.exeC:\Windows\system32\Djjjga32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Dcbnpgkh.exeC:\Windows\system32\Dcbnpgkh.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Dmkcil32.exeC:\Windows\system32\Dmkcil32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Dnjoco32.exeC:\Windows\system32\Dnjoco32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Dhbdleol.exeC:\Windows\system32\Dhbdleol.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:556 -
C:\Windows\SysWOW64\Eifmimch.exeC:\Windows\system32\Eifmimch.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Efjmbaba.exeC:\Windows\system32\Efjmbaba.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976 -
C:\Windows\SysWOW64\Epbbkf32.exeC:\Windows\system32\Epbbkf32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1944 -
C:\Windows\SysWOW64\Eeojcmfi.exeC:\Windows\system32\Eeojcmfi.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1012 -
C:\Windows\SysWOW64\Elibpg32.exeC:\Windows\system32\Elibpg32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1140 -
C:\Windows\SysWOW64\Ebckmaec.exeC:\Windows\system32\Ebckmaec.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1004 -
C:\Windows\SysWOW64\Ehpcehcj.exeC:\Windows\system32\Ehpcehcj.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Fbegbacp.exeC:\Windows\system32\Fbegbacp.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2704 -
C:\Windows\SysWOW64\Folhgbid.exeC:\Windows\system32\Folhgbid.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
C:\Windows\SysWOW64\Fggmldfp.exeC:\Windows\system32\Fggmldfp.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Famaimfe.exeC:\Windows\system32\Famaimfe.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Fdnjkh32.exeC:\Windows\system32\Fdnjkh32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Fijbco32.exeC:\Windows\system32\Fijbco32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Fimoiopk.exeC:\Windows\system32\Fimoiopk.exe33⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Gcedad32.exeC:\Windows\system32\Gcedad32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1476 -
C:\Windows\SysWOW64\Goldfelp.exeC:\Windows\system32\Goldfelp.exe35⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Gkcekfad.exeC:\Windows\system32\Gkcekfad.exe36⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Gehiioaj.exeC:\Windows\system32\Gehiioaj.exe37⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Gkebafoa.exeC:\Windows\system32\Gkebafoa.exe38⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Gekfnoog.exeC:\Windows\system32\Gekfnoog.exe39⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Gnfkba32.exeC:\Windows\system32\Gnfkba32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Hkjkle32.exeC:\Windows\system32\Hkjkle32.exe41⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Hqgddm32.exeC:\Windows\system32\Hqgddm32.exe42⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Hjohmbpd.exeC:\Windows\system32\Hjohmbpd.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Hjaeba32.exeC:\Windows\system32\Hjaeba32.exe44⤵
- Executes dropped EXE
PID:664 -
C:\Windows\SysWOW64\Hcjilgdb.exeC:\Windows\system32\Hcjilgdb.exe45⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Hjcaha32.exeC:\Windows\system32\Hjcaha32.exe46⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Hjfnnajl.exeC:\Windows\system32\Hjfnnajl.exe47⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Icncgf32.exeC:\Windows\system32\Icncgf32.exe48⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Iikkon32.exeC:\Windows\system32\Iikkon32.exe49⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Iakino32.exeC:\Windows\system32\Iakino32.exe50⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Ijcngenj.exeC:\Windows\system32\Ijcngenj.exe51⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Jmdgipkk.exeC:\Windows\system32\Jmdgipkk.exe52⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Jgjkfi32.exeC:\Windows\system32\Jgjkfi32.exe53⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Jikhnaao.exeC:\Windows\system32\Jikhnaao.exe54⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Jcqlkjae.exeC:\Windows\system32\Jcqlkjae.exe55⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Jjjdhc32.exeC:\Windows\system32\Jjjdhc32.exe56⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Jllqplnp.exeC:\Windows\system32\Jllqplnp.exe57⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Jcciqi32.exeC:\Windows\system32\Jcciqi32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Jedehaea.exeC:\Windows\system32\Jedehaea.exe59⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Jlnmel32.exeC:\Windows\system32\Jlnmel32.exe60⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Jfcabd32.exeC:\Windows\system32\Jfcabd32.exe61⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Jlqjkk32.exeC:\Windows\system32\Jlqjkk32.exe62⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Kambcbhb.exeC:\Windows\system32\Kambcbhb.exe63⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Khgkpl32.exeC:\Windows\system32\Khgkpl32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2708 -
C:\Windows\SysWOW64\Kdnkdmec.exeC:\Windows\system32\Kdnkdmec.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1296 -
C:\Windows\SysWOW64\Kjhcag32.exeC:\Windows\system32\Kjhcag32.exe66⤵PID:2208
-
C:\Windows\SysWOW64\Kablnadm.exeC:\Windows\system32\Kablnadm.exe67⤵PID:2040
-
C:\Windows\SysWOW64\Khldkllj.exeC:\Windows\system32\Khldkllj.exe68⤵
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Khnapkjg.exeC:\Windows\system32\Khnapkjg.exe69⤵PID:2112
-
C:\Windows\SysWOW64\Kmkihbho.exeC:\Windows\system32\Kmkihbho.exe70⤵PID:2012
-
C:\Windows\SysWOW64\Kbhbai32.exeC:\Windows\system32\Kbhbai32.exe71⤵PID:2720
-
C:\Windows\SysWOW64\Libjncnc.exeC:\Windows\system32\Libjncnc.exe72⤵PID:2712
-
C:\Windows\SysWOW64\Llpfjomf.exeC:\Windows\system32\Llpfjomf.exe73⤵PID:2196
-
C:\Windows\SysWOW64\Leikbd32.exeC:\Windows\system32\Leikbd32.exe74⤵PID:2568
-
C:\Windows\SysWOW64\Lpnopm32.exeC:\Windows\system32\Lpnopm32.exe75⤵
- Modifies registry class
PID:1856 -
C:\Windows\SysWOW64\Lekghdad.exeC:\Windows\system32\Lekghdad.exe76⤵
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Loclai32.exeC:\Windows\system32\Loclai32.exe77⤵
- Modifies registry class
PID:1212 -
C:\Windows\SysWOW64\Laahme32.exeC:\Windows\system32\Laahme32.exe78⤵PID:2284
-
C:\Windows\SysWOW64\Lhlqjone.exeC:\Windows\system32\Lhlqjone.exe79⤵PID:888
-
C:\Windows\SysWOW64\Ladebd32.exeC:\Windows\system32\Ladebd32.exe80⤵PID:2852
-
C:\Windows\SysWOW64\Ldbaopdj.exeC:\Windows\system32\Ldbaopdj.exe81⤵PID:1376
-
C:\Windows\SysWOW64\Lohelidp.exeC:\Windows\system32\Lohelidp.exe82⤵PID:1548
-
C:\Windows\SysWOW64\Lafahdcc.exeC:\Windows\system32\Lafahdcc.exe83⤵
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Mhqjen32.exeC:\Windows\system32\Mhqjen32.exe84⤵PID:1456
-
C:\Windows\SysWOW64\Mploiq32.exeC:\Windows\system32\Mploiq32.exe85⤵PID:3004
-
C:\Windows\SysWOW64\Mhcfjnhm.exeC:\Windows\system32\Mhcfjnhm.exe86⤵PID:2816
-
C:\Windows\SysWOW64\Mpnkopeh.exeC:\Windows\system32\Mpnkopeh.exe87⤵PID:1876
-
C:\Windows\SysWOW64\Mghckj32.exeC:\Windows\system32\Mghckj32.exe88⤵PID:2664
-
C:\Windows\SysWOW64\Mlelda32.exeC:\Windows\system32\Mlelda32.exe89⤵PID:2676
-
C:\Windows\SysWOW64\Mcodqkbi.exeC:\Windows\system32\Mcodqkbi.exe90⤵PID:1056
-
C:\Windows\SysWOW64\Mndhnd32.exeC:\Windows\system32\Mndhnd32.exe91⤵PID:2564
-
C:\Windows\SysWOW64\Moeeelhn.exeC:\Windows\system32\Moeeelhn.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Mhninb32.exeC:\Windows\system32\Mhninb32.exe93⤵PID:2060
-
C:\Windows\SysWOW64\Nohaklfk.exeC:\Windows\system32\Nohaklfk.exe94⤵PID:2612
-
C:\Windows\SysWOW64\Nfbjhf32.exeC:\Windows\system32\Nfbjhf32.exe95⤵PID:1652
-
C:\Windows\SysWOW64\Nllbdp32.exeC:\Windows\system32\Nllbdp32.exe96⤵
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Ncfjajma.exeC:\Windows\system32\Ncfjajma.exe97⤵PID:1620
-
C:\Windows\SysWOW64\Ndggib32.exeC:\Windows\system32\Ndggib32.exe98⤵
- Drops file in System32 directory
PID:1924 -
C:\Windows\SysWOW64\Nkaoemjm.exeC:\Windows\system32\Nkaoemjm.exe99⤵PID:3008
-
C:\Windows\SysWOW64\Nbkgbg32.exeC:\Windows\system32\Nbkgbg32.exe100⤵
- Drops file in System32 directory
PID:1780 -
C:\Windows\SysWOW64\Nghpjn32.exeC:\Windows\system32\Nghpjn32.exe101⤵PID:2880
-
C:\Windows\SysWOW64\Noohlkpc.exeC:\Windows\system32\Noohlkpc.exe102⤵PID:2328
-
C:\Windows\SysWOW64\Ndlpdbnj.exeC:\Windows\system32\Ndlpdbnj.exe103⤵PID:2892
-
C:\Windows\SysWOW64\Ngjlpmnn.exeC:\Windows\system32\Ngjlpmnn.exe104⤵PID:1720
-
C:\Windows\SysWOW64\Nqbaic32.exeC:\Windows\system32\Nqbaic32.exe105⤵PID:2536
-
C:\Windows\SysWOW64\Okhefl32.exeC:\Windows\system32\Okhefl32.exe106⤵PID:2576
-
C:\Windows\SysWOW64\Ogofkm32.exeC:\Windows\system32\Ogofkm32.exe107⤵PID:2748
-
C:\Windows\SysWOW64\Oninhgae.exeC:\Windows\system32\Oninhgae.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2224 -
C:\Windows\SysWOW64\Opjkpo32.exeC:\Windows\system32\Opjkpo32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2460 -
C:\Windows\SysWOW64\Ofdclinq.exeC:\Windows\system32\Ofdclinq.exe110⤵PID:2616
-
C:\Windows\SysWOW64\Oaigib32.exeC:\Windows\system32\Oaigib32.exe111⤵PID:828
-
C:\Windows\SysWOW64\Ojblbgdg.exeC:\Windows\system32\Ojblbgdg.exe112⤵
- Drops file in System32 directory
PID:1348 -
C:\Windows\SysWOW64\Olchjp32.exeC:\Windows\system32\Olchjp32.exe113⤵
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Ocjpkm32.exeC:\Windows\system32\Ocjpkm32.exe114⤵PID:2728
-
C:\Windows\SysWOW64\Oekmceaf.exeC:\Windows\system32\Oekmceaf.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2740 -
C:\Windows\SysWOW64\Oleepo32.exeC:\Windows\system32\Oleepo32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:560 -
C:\Windows\SysWOW64\Phledp32.exeC:\Windows\system32\Phledp32.exe117⤵PID:2028
-
C:\Windows\SysWOW64\Ppcmfn32.exeC:\Windows\system32\Ppcmfn32.exe118⤵PID:1524
-
C:\Windows\SysWOW64\Padjmfdg.exeC:\Windows\system32\Padjmfdg.exe119⤵
- Modifies registry class
PID:968 -
C:\Windows\SysWOW64\Pjmnfk32.exeC:\Windows\system32\Pjmnfk32.exe120⤵PID:1400
-
C:\Windows\SysWOW64\Pdecoa32.exeC:\Windows\system32\Pdecoa32.exe121⤵PID:1536
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-