Analysis
-
max time kernel
119s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
16-07-2024 09:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9f07343901fcd6736ff5cc2bc8c1bb60N.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
9f07343901fcd6736ff5cc2bc8c1bb60N.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
120 seconds
General
-
Target
9f07343901fcd6736ff5cc2bc8c1bb60N.exe
-
Size
390KB
-
MD5
9f07343901fcd6736ff5cc2bc8c1bb60
-
SHA1
7a8248d37428f457a4c96bc78bedc061a4c1a404
-
SHA256
f4ec96b0dbc4ae3db9326d1988f703d63a7e7b28affb52e1b220e78a7327e8d9
-
SHA512
7b6c58e504e80c7995e81b106bba25684d3707829caf81d018dff4cc8a597017947b388f88f87cd10b147bad958dff3e9ccc0e2512986a19bb937383df3677d6
-
SSDEEP
6144:CXoy9EKEOf366b+X0RjtdgOPAUvgkNRgdgOPAUvgkG:oSTUngEiM2gEif
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocqhcqgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcqebd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bikfklni.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcpmijqc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieeqpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kihbfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llpaha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpngmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lchclmla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iadbqlmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Echlmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibmkbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdlmlidp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbplciof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dndndbnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egeecf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebdoocdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmmbge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ooofcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlmphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmoekf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apnhggln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjhgidjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlcbfnjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afhpca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dakpiajj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkoqmhii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgkbjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egihcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igngim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkgbcofn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaciom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjmnmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ninjjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogpjmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opebpdad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmibmhoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liblfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llebnfpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddjphm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akgibd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpoppadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Noplmlok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaekljjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beggec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbggpfci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbpbck32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihnmfoli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glbdnbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikapdqoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qfkgdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oknjmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiflpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkmncl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olimlf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abaaoodq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enkdda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaaekl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bacefpbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddjphm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jneoojeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lggbmbfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbknmicj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiakkcma.exe -
Executes dropped EXE 64 IoCs
pid Process 1572 Bnofaf32.exe 3032 Bggjjlnb.exe 2168 Ccqhdmbc.exe 2728 Cjjpag32.exe 2600 Cojeomee.exe 2008 Dlpbna32.exe 2004 Dfhgggim.exe 2284 Dglpdomh.exe 2752 Dqddmd32.exe 2956 Dmmbge32.exe 2652 Eddjhb32.exe 888 Enmnahnm.exe 2344 Ecjgio32.exe 2876 Efhcej32.exe 2480 Eqngcc32.exe 272 Ebockkal.exe 1940 Emdhhdqb.exe 1696 Ebappk32.exe 1916 Fmfalg32.exe 3060 Gbcien32.exe 1008 Gbffjmmp.exe 2308 Gipngg32.exe 2744 Ghekhd32.exe 2460 Glbdnbpk.exe 1528 Gkedjo32.exe 2780 Habili32.exe 2680 Hdpehd32.exe 2888 Hadfah32.exe 2720 Hhnnnbaj.exe 2556 Hkogpn32.exe 2236 Hnmcli32.exe 1892 Hlbpme32.exe 1192 Hclhjpjc.exe 3040 Iaaekl32.exe 2228 Ilgjhena.exe 780 Iadbqlmh.exe 2348 Ifbkgj32.exe 2188 Iqllghon.exe 2060 Ikapdqoc.exe 1912 Jcleiclo.exe 400 Jmdiahco.exe 960 Jdlacfca.exe 1488 Jfmnkn32.exe 2020 Jmgfgham.exe 3016 Jcandb32.exe 2616 Jjkfqlpf.exe 2504 Jmibmhoj.exe 2532 Jcckibfg.exe 1424 Jfagemej.exe 2056 Jipcbidn.exe 2784 Jkopndcb.exe 2832 Jbhhkn32.exe 2868 Jegdgj32.exe 2584 Kkalcdao.exe 2676 Kbkdpnil.exe 2828 Keiqlihp.exe 2052 Kiemmh32.exe 2260 Knaeeo32.exe 2412 Kelmbifm.exe 2396 Kkefoc32.exe 600 Kbpnkm32.exe 1852 Kglfcd32.exe 1688 Knfopnkk.exe 2172 Kaekljjo.exe -
Loads dropped DLL 64 IoCs
pid Process 3008 9f07343901fcd6736ff5cc2bc8c1bb60N.exe 3008 9f07343901fcd6736ff5cc2bc8c1bb60N.exe 1572 Bnofaf32.exe 1572 Bnofaf32.exe 3032 Bggjjlnb.exe 3032 Bggjjlnb.exe 2168 Ccqhdmbc.exe 2168 Ccqhdmbc.exe 2728 Cjjpag32.exe 2728 Cjjpag32.exe 2600 Cojeomee.exe 2600 Cojeomee.exe 2008 Dlpbna32.exe 2008 Dlpbna32.exe 2004 Dfhgggim.exe 2004 Dfhgggim.exe 2284 Dglpdomh.exe 2284 Dglpdomh.exe 2752 Dqddmd32.exe 2752 Dqddmd32.exe 2956 Dmmbge32.exe 2956 Dmmbge32.exe 2652 Eddjhb32.exe 2652 Eddjhb32.exe 888 Enmnahnm.exe 888 Enmnahnm.exe 2344 Ecjgio32.exe 2344 Ecjgio32.exe 2876 Efhcej32.exe 2876 Efhcej32.exe 2480 Eqngcc32.exe 2480 Eqngcc32.exe 272 Ebockkal.exe 272 Ebockkal.exe 1940 Emdhhdqb.exe 1940 Emdhhdqb.exe 1696 Ebappk32.exe 1696 Ebappk32.exe 1916 Fmfalg32.exe 1916 Fmfalg32.exe 3060 Gbcien32.exe 3060 Gbcien32.exe 1008 Gbffjmmp.exe 1008 Gbffjmmp.exe 2308 Gipngg32.exe 2308 Gipngg32.exe 2744 Ghekhd32.exe 2744 Ghekhd32.exe 2460 Glbdnbpk.exe 2460 Glbdnbpk.exe 1528 Gkedjo32.exe 1528 Gkedjo32.exe 2780 Habili32.exe 2780 Habili32.exe 2680 Hdpehd32.exe 2680 Hdpehd32.exe 2888 Hadfah32.exe 2888 Hadfah32.exe 2720 Hhnnnbaj.exe 2720 Hhnnnbaj.exe 2556 Hkogpn32.exe 2556 Hkogpn32.exe 2236 Hnmcli32.exe 2236 Hnmcli32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jcleiclo.exe Ikapdqoc.exe File created C:\Windows\SysWOW64\Ebmjec32.dll Knikfnih.exe File opened for modification C:\Windows\SysWOW64\Ninjjf32.exe Nbdbml32.exe File created C:\Windows\SysWOW64\Kmfjlmef.dll Lhapocoi.exe File opened for modification C:\Windows\SysWOW64\Igngim32.exe Idokma32.exe File created C:\Windows\SysWOW64\Gekkpqnp.exe Gnabcf32.exe File created C:\Windows\SysWOW64\Gbcien32.exe Fmfalg32.exe File created C:\Windows\SysWOW64\Agngpn32.dll Cpbnaj32.exe File created C:\Windows\SysWOW64\Ilhlan32.exe Ihlpqonl.exe File opened for modification C:\Windows\SysWOW64\Nggkipci.exe Nlbgkgcc.exe File created C:\Windows\SysWOW64\Bneancnc.exe Biiiempl.exe File created C:\Windows\SysWOW64\Hnmeeene.dll Gfadcemm.exe File created C:\Windows\SysWOW64\Jfmnkn32.exe Jdlacfca.exe File created C:\Windows\SysWOW64\Eajkip32.dll Ceickb32.exe File created C:\Windows\SysWOW64\Gfcdcl32.dll Lggbmbfc.exe File created C:\Windows\SysWOW64\Odpbmoop.dll Bleilh32.exe File created C:\Windows\SysWOW64\Hdqcfdkh.dll Mcjlap32.exe File created C:\Windows\SysWOW64\Nhcgkbja.exe Neekogkm.exe File created C:\Windows\SysWOW64\Jmibmhoj.exe Jjkfqlpf.exe File created C:\Windows\SysWOW64\Aphgbo32.dll Nhebhipj.exe File created C:\Windows\SysWOW64\Poaamlnm.dll Hpdbmooo.exe File created C:\Windows\SysWOW64\Aikjmm32.dll Chgimh32.exe File created C:\Windows\SysWOW64\Ncjnhhid.dll Fjhgidjk.exe File created C:\Windows\SysWOW64\Ogmkne32.exe Odnobj32.exe File created C:\Windows\SysWOW64\Kbmamh32.dll Bgdfjfmi.exe File opened for modification C:\Windows\SysWOW64\Edelakoq.exe Enkdda32.exe File created C:\Windows\SysWOW64\Jpnkep32.exe Jakjjcnd.exe File created C:\Windows\SysWOW64\Jhdlcl32.dll Milaecdp.exe File created C:\Windows\SysWOW64\Pjeimkch.dll Ofdeeb32.exe File opened for modification C:\Windows\SysWOW64\Lehfafgp.exe Lnnndl32.exe File opened for modification C:\Windows\SysWOW64\Mbopon32.exe Mhikae32.exe File created C:\Windows\SysWOW64\Fhpqof32.dll Geinjapb.exe File created C:\Windows\SysWOW64\Gnabcf32.exe Glcfgk32.exe File created C:\Windows\SysWOW64\Lgbibb32.exe Kecmfg32.exe File created C:\Windows\SysWOW64\Nlmjcejp.dll Gpjilj32.exe File created C:\Windows\SysWOW64\Jdeadmlb.dll Lqgjkbop.exe File created C:\Windows\SysWOW64\Heobhfnp.dll Obnbpb32.exe File created C:\Windows\SysWOW64\Jfhmehji.exe Ialadj32.exe File created C:\Windows\SysWOW64\Mfebdm32.exe Monjcp32.exe File created C:\Windows\SysWOW64\Elpqemll.exe Ejadibmh.exe File opened for modification C:\Windows\SysWOW64\Nbdbml32.exe Npffaq32.exe File created C:\Windows\SysWOW64\Pkfgal32.dll Knfopnkk.exe File created C:\Windows\SysWOW64\Ckhbnb32.exe Cdnjaibm.exe File created C:\Windows\SysWOW64\Bpophbkc.dll Gmcikd32.exe File created C:\Windows\SysWOW64\Ieaikf32.dll Mddibb32.exe File created C:\Windows\SysWOW64\Njaagp32.dll Pamlel32.exe File opened for modification C:\Windows\SysWOW64\Ocihgo32.exe Oomlfpdi.exe File created C:\Windows\SysWOW64\Ibfmgg32.dll Kiemmh32.exe File created C:\Windows\SysWOW64\Mpgoaiep.dll Ccpqjfnh.exe File created C:\Windows\SysWOW64\Mhkhgd32.exe Maapjjml.exe File opened for modification C:\Windows\SysWOW64\Blnkbg32.exe Bdgcaj32.exe File opened for modification C:\Windows\SysWOW64\Enkdda32.exe Dkmghe32.exe File created C:\Windows\SysWOW64\Hdlenkfg.dll Dhehfk32.exe File created C:\Windows\SysWOW64\Ecgckc32.dll Ihlpqonl.exe File created C:\Windows\SysWOW64\Ollcee32.exe Okkfmmqj.exe File created C:\Windows\SysWOW64\Peqhgmdd.exe Pbblkaea.exe File opened for modification C:\Windows\SysWOW64\Fmaqgaae.exe Fejifdab.exe File created C:\Windows\SysWOW64\Gnicoh32.exe Ghpkbn32.exe File opened for modification C:\Windows\SysWOW64\Hpdbmooo.exe Hijjpeha.exe File opened for modification C:\Windows\SysWOW64\Hkbmil32.exe Hhdqma32.exe File opened for modification C:\Windows\SysWOW64\Dljngoea.exe Dbejjfek.exe File created C:\Windows\SysWOW64\Dkcebg32.exe Dhehfk32.exe File opened for modification C:\Windows\SysWOW64\Ddjphm32.exe Dlchfp32.exe File created C:\Windows\SysWOW64\Cckcjpkg.dll Hginnmml.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6744 6708 WerFault.exe 698 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Malmllfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emjjfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mbopon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndbile32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hadhjaaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onchdkoc.dll" Mgkbjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pigklmqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbeqjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqanjl32.dll" Abaaoodq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jllakpdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piihaccl.dll" Lkmldbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimoek32.dll" Jcgqbq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbqgolpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kppppfck.dll" Lmckeidj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkolfk32.dll" Oolbcaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgjkje32.dll" Fgcdlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdpcdjii.dll" Akgibd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hadhjaaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Opebpdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eqamla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgmekpmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dcpmijqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncnlnaim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbannb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnjflmmn.dll" Dndndbnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hidfjckg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nommodjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpjqnpjb.dll" Ooofcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ceacoqfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iabhdefo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehclbpic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kcpcho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oellihpf.dll" Qfikod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dljngoea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpocbfnp.dll" Afhpca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aeenapck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghdmolf.dll" Kgdiho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfjfik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhkhgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlbpme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbpnkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhapocoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Miaaki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpgdad32.dll" Jkobgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjqkgfdn.dll" Hdpehd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfpmog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jldbgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhmpbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Anjojphb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkcgapjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmdqcnk.dll" Onipqp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Feobac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kgdiho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plpfpn32.dll" Qekdpkgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejadibmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afhggc32.dll" Noplmlok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nakikpin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Poacighp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohmalgeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hfodmhbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlmphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icgdcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhjdeqif.dll" Kjhopjqi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdoccg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3008 wrote to memory of 1572 3008 9f07343901fcd6736ff5cc2bc8c1bb60N.exe 30 PID 3008 wrote to memory of 1572 3008 9f07343901fcd6736ff5cc2bc8c1bb60N.exe 30 PID 3008 wrote to memory of 1572 3008 9f07343901fcd6736ff5cc2bc8c1bb60N.exe 30 PID 3008 wrote to memory of 1572 3008 9f07343901fcd6736ff5cc2bc8c1bb60N.exe 30 PID 1572 wrote to memory of 3032 1572 Bnofaf32.exe 31 PID 1572 wrote to memory of 3032 1572 Bnofaf32.exe 31 PID 1572 wrote to memory of 3032 1572 Bnofaf32.exe 31 PID 1572 wrote to memory of 3032 1572 Bnofaf32.exe 31 PID 3032 wrote to memory of 2168 3032 Bggjjlnb.exe 32 PID 3032 wrote to memory of 2168 3032 Bggjjlnb.exe 32 PID 3032 wrote to memory of 2168 3032 Bggjjlnb.exe 32 PID 3032 wrote to memory of 2168 3032 Bggjjlnb.exe 32 PID 2168 wrote to memory of 2728 2168 Ccqhdmbc.exe 33 PID 2168 wrote to memory of 2728 2168 Ccqhdmbc.exe 33 PID 2168 wrote to memory of 2728 2168 Ccqhdmbc.exe 33 PID 2168 wrote to memory of 2728 2168 Ccqhdmbc.exe 33 PID 2728 wrote to memory of 2600 2728 Cjjpag32.exe 34 PID 2728 wrote to memory of 2600 2728 Cjjpag32.exe 34 PID 2728 wrote to memory of 2600 2728 Cjjpag32.exe 34 PID 2728 wrote to memory of 2600 2728 Cjjpag32.exe 34 PID 2600 wrote to memory of 2008 2600 Cojeomee.exe 35 PID 2600 wrote to memory of 2008 2600 Cojeomee.exe 35 PID 2600 wrote to memory of 2008 2600 Cojeomee.exe 35 PID 2600 wrote to memory of 2008 2600 Cojeomee.exe 35 PID 2008 wrote to memory of 2004 2008 Dlpbna32.exe 36 PID 2008 wrote to memory of 2004 2008 Dlpbna32.exe 36 PID 2008 wrote to memory of 2004 2008 Dlpbna32.exe 36 PID 2008 wrote to memory of 2004 2008 Dlpbna32.exe 36 PID 2004 wrote to memory of 2284 2004 Dfhgggim.exe 37 PID 2004 wrote to memory of 2284 2004 Dfhgggim.exe 37 PID 2004 wrote to memory of 2284 2004 Dfhgggim.exe 37 PID 2004 wrote to memory of 2284 2004 Dfhgggim.exe 37 PID 2284 wrote to memory of 2752 2284 Dglpdomh.exe 38 PID 2284 wrote to memory of 2752 2284 Dglpdomh.exe 38 PID 2284 wrote to memory of 2752 2284 Dglpdomh.exe 38 PID 2284 wrote to memory of 2752 2284 Dglpdomh.exe 38 PID 2752 wrote to memory of 2956 2752 Dqddmd32.exe 39 PID 2752 wrote to memory of 2956 2752 Dqddmd32.exe 39 PID 2752 wrote to memory of 2956 2752 Dqddmd32.exe 39 PID 2752 wrote to memory of 2956 2752 Dqddmd32.exe 39 PID 2956 wrote to memory of 2652 2956 Dmmbge32.exe 40 PID 2956 wrote to memory of 2652 2956 Dmmbge32.exe 40 PID 2956 wrote to memory of 2652 2956 Dmmbge32.exe 40 PID 2956 wrote to memory of 2652 2956 Dmmbge32.exe 40 PID 2652 wrote to memory of 888 2652 Eddjhb32.exe 41 PID 2652 wrote to memory of 888 2652 Eddjhb32.exe 41 PID 2652 wrote to memory of 888 2652 Eddjhb32.exe 41 PID 2652 wrote to memory of 888 2652 Eddjhb32.exe 41 PID 888 wrote to memory of 2344 888 Enmnahnm.exe 42 PID 888 wrote to memory of 2344 888 Enmnahnm.exe 42 PID 888 wrote to memory of 2344 888 Enmnahnm.exe 42 PID 888 wrote to memory of 2344 888 Enmnahnm.exe 42 PID 2344 wrote to memory of 2876 2344 Ecjgio32.exe 43 PID 2344 wrote to memory of 2876 2344 Ecjgio32.exe 43 PID 2344 wrote to memory of 2876 2344 Ecjgio32.exe 43 PID 2344 wrote to memory of 2876 2344 Ecjgio32.exe 43 PID 2876 wrote to memory of 2480 2876 Efhcej32.exe 44 PID 2876 wrote to memory of 2480 2876 Efhcej32.exe 44 PID 2876 wrote to memory of 2480 2876 Efhcej32.exe 44 PID 2876 wrote to memory of 2480 2876 Efhcej32.exe 44 PID 2480 wrote to memory of 272 2480 Eqngcc32.exe 45 PID 2480 wrote to memory of 272 2480 Eqngcc32.exe 45 PID 2480 wrote to memory of 272 2480 Eqngcc32.exe 45 PID 2480 wrote to memory of 272 2480 Eqngcc32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\9f07343901fcd6736ff5cc2bc8c1bb60N.exe"C:\Users\Admin\AppData\Local\Temp\9f07343901fcd6736ff5cc2bc8c1bb60N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Bnofaf32.exeC:\Windows\system32\Bnofaf32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Bggjjlnb.exeC:\Windows\system32\Bggjjlnb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Ccqhdmbc.exeC:\Windows\system32\Ccqhdmbc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Cjjpag32.exeC:\Windows\system32\Cjjpag32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Cojeomee.exeC:\Windows\system32\Cojeomee.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Dlpbna32.exeC:\Windows\system32\Dlpbna32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Dfhgggim.exeC:\Windows\system32\Dfhgggim.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Dglpdomh.exeC:\Windows\system32\Dglpdomh.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Dqddmd32.exeC:\Windows\system32\Dqddmd32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Dmmbge32.exeC:\Windows\system32\Dmmbge32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Eddjhb32.exeC:\Windows\system32\Eddjhb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Enmnahnm.exeC:\Windows\system32\Enmnahnm.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:888 -
C:\Windows\SysWOW64\Ecjgio32.exeC:\Windows\system32\Ecjgio32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Efhcej32.exeC:\Windows\system32\Efhcej32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Eqngcc32.exeC:\Windows\system32\Eqngcc32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Ebockkal.exeC:\Windows\system32\Ebockkal.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:272 -
C:\Windows\SysWOW64\Emdhhdqb.exeC:\Windows\system32\Emdhhdqb.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1940 -
C:\Windows\SysWOW64\Ebappk32.exeC:\Windows\system32\Ebappk32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Fmfalg32.exeC:\Windows\system32\Fmfalg32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1916 -
C:\Windows\SysWOW64\Gbcien32.exeC:\Windows\system32\Gbcien32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Gbffjmmp.exeC:\Windows\system32\Gbffjmmp.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1008 -
C:\Windows\SysWOW64\Gipngg32.exeC:\Windows\system32\Gipngg32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2308 -
C:\Windows\SysWOW64\Ghekhd32.exeC:\Windows\system32\Ghekhd32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Glbdnbpk.exeC:\Windows\system32\Glbdnbpk.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2460 -
C:\Windows\SysWOW64\Gkedjo32.exeC:\Windows\system32\Gkedjo32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Habili32.exeC:\Windows\system32\Habili32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Hdpehd32.exeC:\Windows\system32\Hdpehd32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Hadfah32.exeC:\Windows\system32\Hadfah32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2888 -
C:\Windows\SysWOW64\Hhnnnbaj.exeC:\Windows\system32\Hhnnnbaj.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Hkogpn32.exeC:\Windows\system32\Hkogpn32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Hnmcli32.exeC:\Windows\system32\Hnmcli32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2236 -
C:\Windows\SysWOW64\Hlbpme32.exeC:\Windows\system32\Hlbpme32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:1892 -
C:\Windows\SysWOW64\Hclhjpjc.exeC:\Windows\system32\Hclhjpjc.exe34⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Iaaekl32.exeC:\Windows\system32\Iaaekl32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Ilgjhena.exeC:\Windows\system32\Ilgjhena.exe36⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Iadbqlmh.exeC:\Windows\system32\Iadbqlmh.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Ifbkgj32.exeC:\Windows\system32\Ifbkgj32.exe38⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Iqllghon.exeC:\Windows\system32\Iqllghon.exe39⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Ikapdqoc.exeC:\Windows\system32\Ikapdqoc.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2060 -
C:\Windows\SysWOW64\Jcleiclo.exeC:\Windows\system32\Jcleiclo.exe41⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Jmdiahco.exeC:\Windows\system32\Jmdiahco.exe42⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Jdlacfca.exeC:\Windows\system32\Jdlacfca.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:960 -
C:\Windows\SysWOW64\Jfmnkn32.exeC:\Windows\system32\Jfmnkn32.exe44⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Jmgfgham.exeC:\Windows\system32\Jmgfgham.exe45⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Jcandb32.exeC:\Windows\system32\Jcandb32.exe46⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Jjkfqlpf.exeC:\Windows\system32\Jjkfqlpf.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Jmibmhoj.exeC:\Windows\system32\Jmibmhoj.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Jcckibfg.exeC:\Windows\system32\Jcckibfg.exe49⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Jfagemej.exeC:\Windows\system32\Jfagemej.exe50⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Jipcbidn.exeC:\Windows\system32\Jipcbidn.exe51⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Jkopndcb.exeC:\Windows\system32\Jkopndcb.exe52⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Jbhhkn32.exeC:\Windows\system32\Jbhhkn32.exe53⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Jegdgj32.exeC:\Windows\system32\Jegdgj32.exe54⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Kkalcdao.exeC:\Windows\system32\Kkalcdao.exe55⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Kbkdpnil.exeC:\Windows\system32\Kbkdpnil.exe56⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Keiqlihp.exeC:\Windows\system32\Keiqlihp.exe57⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Kiemmh32.exeC:\Windows\system32\Kiemmh32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2052 -
C:\Windows\SysWOW64\Knaeeo32.exeC:\Windows\system32\Knaeeo32.exe59⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Kelmbifm.exeC:\Windows\system32\Kelmbifm.exe60⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Kkefoc32.exeC:\Windows\system32\Kkefoc32.exe61⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Kbpnkm32.exeC:\Windows\system32\Kbpnkm32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:600 -
C:\Windows\SysWOW64\Kglfcd32.exeC:\Windows\system32\Kglfcd32.exe63⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Knfopnkk.exeC:\Windows\system32\Knfopnkk.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1688 -
C:\Windows\SysWOW64\Kaekljjo.exeC:\Windows\system32\Kaekljjo.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Knikfnih.exeC:\Windows\system32\Knikfnih.exe66⤵
- Drops file in System32 directory
PID:1724 -
C:\Windows\SysWOW64\Kmklak32.exeC:\Windows\system32\Kmklak32.exe67⤵PID:2408
-
C:\Windows\SysWOW64\Kpjhnfof.exeC:\Windows\system32\Kpjhnfof.exe68⤵PID:620
-
C:\Windows\SysWOW64\Lhapocoi.exeC:\Windows\system32\Lhapocoi.exe69⤵
- Drops file in System32 directory
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\Liblfl32.exeC:\Windows\system32\Liblfl32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2212 -
C:\Windows\SysWOW64\Lpldcfmd.exeC:\Windows\system32\Lpldcfmd.exe71⤵PID:680
-
C:\Windows\SysWOW64\Ljbipolj.exeC:\Windows\system32\Ljbipolj.exe72⤵PID:2796
-
C:\Windows\SysWOW64\Lpoaheja.exeC:\Windows\system32\Lpoaheja.exe73⤵PID:2792
-
C:\Windows\SysWOW64\Lbmnea32.exeC:\Windows\system32\Lbmnea32.exe74⤵PID:320
-
C:\Windows\SysWOW64\Ligfakaa.exeC:\Windows\system32\Ligfakaa.exe75⤵PID:2960
-
C:\Windows\SysWOW64\Llebnfpe.exeC:\Windows\system32\Llebnfpe.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2400 -
C:\Windows\SysWOW64\Lbojjq32.exeC:\Windows\system32\Lbojjq32.exe77⤵PID:1980
-
C:\Windows\SysWOW64\Liibgkoo.exeC:\Windows\system32\Liibgkoo.exe78⤵PID:2924
-
C:\Windows\SysWOW64\Lofkoamf.exeC:\Windows\system32\Lofkoamf.exe79⤵PID:2524
-
C:\Windows\SysWOW64\Ladgkmlj.exeC:\Windows\system32\Ladgkmlj.exe80⤵PID:2164
-
C:\Windows\SysWOW64\Lljkif32.exeC:\Windows\system32\Lljkif32.exe81⤵PID:1296
-
C:\Windows\SysWOW64\Lkmldbcj.exeC:\Windows\system32\Lkmldbcj.exe82⤵
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Magdam32.exeC:\Windows\system32\Magdam32.exe83⤵PID:2372
-
C:\Windows\SysWOW64\Mhalngad.exeC:\Windows\system32\Mhalngad.exe84⤵PID:2340
-
C:\Windows\SysWOW64\Mokdja32.exeC:\Windows\system32\Mokdja32.exe85⤵PID:1792
-
C:\Windows\SysWOW64\Maiqfl32.exeC:\Windows\system32\Maiqfl32.exe86⤵PID:2484
-
C:\Windows\SysWOW64\Mhcicf32.exeC:\Windows\system32\Mhcicf32.exe87⤵PID:548
-
C:\Windows\SysWOW64\Mkaeob32.exeC:\Windows\system32\Mkaeob32.exe88⤵PID:2512
-
C:\Windows\SysWOW64\Malmllfb.exeC:\Windows\system32\Malmllfb.exe89⤵
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Mheeif32.exeC:\Windows\system32\Mheeif32.exe90⤵PID:2312
-
C:\Windows\SysWOW64\Mmbnam32.exeC:\Windows\system32\Mmbnam32.exe91⤵PID:1544
-
C:\Windows\SysWOW64\Mgkbjb32.exeC:\Windows\system32\Mgkbjb32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Mlgkbi32.exeC:\Windows\system32\Mlgkbi32.exe93⤵PID:2816
-
C:\Windows\SysWOW64\Mdoccg32.exeC:\Windows\system32\Mdoccg32.exe94⤵
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Nepokogo.exeC:\Windows\system32\Nepokogo.exe95⤵PID:2612
-
C:\Windows\SysWOW64\Npechhgd.exeC:\Windows\system32\Npechhgd.exe96⤵PID:3004
-
C:\Windows\SysWOW64\Neblqoel.exeC:\Windows\system32\Neblqoel.exe97⤵PID:1108
-
C:\Windows\SysWOW64\Nlldmimi.exeC:\Windows\system32\Nlldmimi.exe98⤵PID:3052
-
C:\Windows\SysWOW64\Naimepkp.exeC:\Windows\system32\Naimepkp.exe99⤵PID:2932
-
C:\Windows\SysWOW64\Nipefmkb.exeC:\Windows\system32\Nipefmkb.exe100⤵PID:1520
-
C:\Windows\SysWOW64\Nommodjj.exeC:\Windows\system32\Nommodjj.exe101⤵
- Modifies registry class
PID:484 -
C:\Windows\SysWOW64\Nakikpin.exeC:\Windows\system32\Nakikpin.exe102⤵
- Modifies registry class
PID:2380 -
C:\Windows\SysWOW64\Nhebhipj.exeC:\Windows\system32\Nhebhipj.exe103⤵
- Drops file in System32 directory
PID:584 -
C:\Windows\SysWOW64\Nkdndeon.exeC:\Windows\system32\Nkdndeon.exe104⤵PID:2096
-
C:\Windows\SysWOW64\Nanfqo32.exeC:\Windows\system32\Nanfqo32.exe105⤵PID:2356
-
C:\Windows\SysWOW64\Nhhominh.exeC:\Windows\system32\Nhhominh.exe106⤵PID:1276
-
C:\Windows\SysWOW64\Noagjc32.exeC:\Windows\system32\Noagjc32.exe107⤵PID:1448
-
C:\Windows\SysWOW64\Nndgeplo.exeC:\Windows\system32\Nndgeplo.exe108⤵PID:1908
-
C:\Windows\SysWOW64\Odnobj32.exeC:\Windows\system32\Odnobj32.exe109⤵
- Drops file in System32 directory
PID:1360 -
C:\Windows\SysWOW64\Ogmkne32.exeC:\Windows\system32\Ogmkne32.exe110⤵PID:892
-
C:\Windows\SysWOW64\Ongckp32.exeC:\Windows\system32\Ongckp32.exe111⤵PID:2024
-
C:\Windows\SysWOW64\Oqepgk32.exeC:\Windows\system32\Oqepgk32.exe112⤵PID:2844
-
C:\Windows\SysWOW64\Ogohdeam.exeC:\Windows\system32\Ogohdeam.exe113⤵PID:2708
-
C:\Windows\SysWOW64\Onipqp32.exeC:\Windows\system32\Onipqp32.exe114⤵
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Ocfiif32.exeC:\Windows\system32\Ocfiif32.exe115⤵PID:2700
-
C:\Windows\SysWOW64\Ofdeeb32.exeC:\Windows\system32\Ofdeeb32.exe116⤵
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Omnmal32.exeC:\Windows\system32\Omnmal32.exe117⤵PID:2196
-
C:\Windows\SysWOW64\Oomjng32.exeC:\Windows\system32\Oomjng32.exe118⤵PID:848
-
C:\Windows\SysWOW64\Ofgbkacb.exeC:\Windows\system32\Ofgbkacb.exe119⤵PID:1700
-
C:\Windows\SysWOW64\Ohengmcf.exeC:\Windows\system32\Ohengmcf.exe120⤵PID:2332
-
C:\Windows\SysWOW64\Ooofcg32.exeC:\Windows\system32\Ooofcg32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2528
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-