Analysis
max time kernel: 66s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 19/07/2024, 23:08

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: 1d2e976fdc078f5d002fd9a38071cb70N.exe
  Resource: win7-20240704-en
  7 signatures, 120 seconds
Behavioral task: behavioral2
  Sample: 1d2e976fdc078f5d002fd9a38071cb70N.exe
  Resource: win10v2004-20240709-en
  6 signatures, 120 seconds

The results on this page are from the behavioral1 run (windows7_x64, win7-20240704-en).
General
Target: 1d2e976fdc078f5d002fd9a38071cb70N.exe
Size: 67KB
MD5: 1d2e976fdc078f5d002fd9a38071cb70
SHA1: 109b2df9dbdc9ccc6b20d3fa00015276680373af
SHA256: d860c2d0b9bcee20341bc75e37c8b78349af90de822e9c53cdcfa2bd10015fc7
SHA512: 2700c3ea5afe4d1fa34c48c14fc01816e54803958bb09f7a3858774f8f625e57d7df766214c606bbd1b5a40d5c43b946cdc30552f61c976fdd61522633b7c432
SSDEEP: 1536:iRdt89nhZoECDDMsxWK+wJ530AtPHgK0nk5GO2tRQdR/Rj:+t89nhZg0sxWAL3zBHgK0nkwltedVx
Score: 10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
All 64 IoCs touch one key, \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (the Wow6432Node view, because every process in the chain is 32-bit). Explorer instantiates each CLSID listed under that key when the shell starts, so the value written here, Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}", turns whichever DLL is registered as that CLSID's InProcServer32 (see "Modifies registry class" below) into a shell-start persistence hook.

Key created (35 processes):
Gcdmikma.exe, Ebhjdc32.exe, Fplgljbm.exe, Cmbiap32.exe, Jijqeg32.exe, Ikfdmogp.exe, Apdobg32.exe, Bdpnlo32.exe, Apphpp32.exe, Gohjnf32.exe, Hlebog32.exe, Pcjbfbmm.exe, Hopibdfd.exe, Dqqqokla.exe, Ahbcda32.exe, Copobe32.exe, Lelmei32.exe, Flmglfhk.exe, Oceaql32.exe, Jficbn32.exe, Minldf32.exe, Dldndf32.exe, Neaehelb.exe, Peandcih.exe, Ndhlfh32.exe, Aagadh32.exe, Cqlhlo32.exe, Flbgak32.exe, Gpihog32.exe, Coehnecn.exe, Diklpn32.exe, Iniidj32.exe, Mgdpnqfn.exe, Nlhnfg32.exe, Fpijgk32.exe

Set value (str) ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" (29 processes):
Hhhkbqea.exe, Odpeop32.exe, Nglhghgj.exe, Feeldk32.exe, Gphmbolk.exe, Laenqg32.exe, Iegjnkod.exe, Jcodcp32.exe, Hddgkj32.exe, Jodkkj32.exe, Foidii32.exe, Bdcmjg32.exe, Eabgjeef.exe, Mhbhecjc.exe, Nnfgnibb.exe, Djcbib32.exe, Nkmdmm32.exe, Mkbhco32.exe, Fplgljbm.exe, Lneghd32.exe, Ebkibk32.exe, Gokpgd32.exe, Bmfamg32.exe, Djffihmp.exe, Ghpngkhm.exe, Peakkj32.exe, Fnifbaja.exe, Liqcei32.exe, Dqqqokla.exe
Executes dropped EXE (64 IoCs)
pid process:
2712 Apjpglfn.exe
1636 Alqplmlb.exe
1864 Bgfdjfkh.exe
2876 Bdpnlo32.exe
2788 Bdbkaoce.exe
2792 Bqilfp32.exe
2304 Cqlhlo32.exe
552 Ckamihfm.exe
1676 Cmbiap32.exe
2728 Cfmjoe32.exe
764 Cccgni32.exe
2596 Dbidof32.exe
1844 Danaqbgp.exe
1372 Djffihmp.exe
2272 Dlfbck32.exe
2468 Denglpkc.exe
2600 Ephhmn32.exe
2532 Ejmljg32.exe
952 Ebhani32.exe
752 Ebkndibq.exe
1308 Eponmmaj.exe
1824 Ehjbaooe.exe
2588 Eabgjeef.exe
2668 Fholmo32.exe
2584 Foidii32.exe
1648 Fhaibnim.exe
1600 Fomndhng.exe
848 Fdjfmolo.exe
1144 Gdmcbojl.exe
2848 Gkfkoi32.exe
2440 Gcdmikma.exe
1660 Gphmbolk.exe
2676 Gomjckqc.exe
2336 Gheola32.exe
1984 Hopgikop.exe
1684 Hhhkbqea.exe
2136 Hqemlbqi.exe
2236 Hkkaik32.exe
2984 Hfdbji32.exe
2448 Hmojfcdk.exe
2244 Igdndl32.exe
2228 Ikfdmogp.exe
2528 Iniidj32.exe
824 Iganmp32.exe
1944 Jnlfjjpl.exe
268 Jchobqnc.exe
1292 Jjbgok32.exe
1192 Jehklc32.exe
1380 Jnppei32.exe
864 Jijqeg32.exe
2564 Jcodcp32.exe
2148 Jlkigbef.exe
2508 Jfpndkel.exe
3020 Kphbmp32.exe
2664 Klocba32.exe
2816 Kalkjh32.exe
2692 Kopldl32.exe
588 Kkglim32.exe
2196 Kelqff32.exe
2868 Kmgekh32.exe
800 Lgpjcnhh.exe
2424 Laenqg32.exe
3028 Lgbfin32.exe
2500 Liqcei32.exe
Loads dropped DLL (64 IoCs)
pid process (the report lists every entry below twice, i.e. two dropped-DLL loads per process; 32 processes):
2172 1d2e976fdc078f5d002fd9a38071cb70N.exe
2712 Apjpglfn.exe
1636 Alqplmlb.exe
1864 Bgfdjfkh.exe
2876 Bdpnlo32.exe
2788 Bdbkaoce.exe
2792 Bqilfp32.exe
2304 Cqlhlo32.exe
552 Ckamihfm.exe
1676 Cmbiap32.exe
2728 Cfmjoe32.exe
764 Cccgni32.exe
2596 Dbidof32.exe
1844 Danaqbgp.exe
1372 Djffihmp.exe
2272 Dlfbck32.exe
2468 Denglpkc.exe
2600 Ephhmn32.exe
2532 Ejmljg32.exe
952 Ebhani32.exe
752 Ebkndibq.exe
1308 Eponmmaj.exe
1824 Ehjbaooe.exe
2588 Eabgjeef.exe
2668 Fholmo32.exe
2584 Foidii32.exe
1648 Fhaibnim.exe
1600 Fomndhng.exe
848 Fdjfmolo.exe
1144 Gdmcbojl.exe
2848 Gkfkoi32.exe
2440 Gcdmikma.exe
Drops file in System32 directory (64 IoCs)
Every path is under C:\Windows\SysWOW64, the 32-bit system directory. Format: action: file (by process).
File created: C:\Windows\SysWOW64\Jelcgfbk.dll (by Gkfkoi32.exe)
File created: C:\Windows\SysWOW64\Lejppj32.exe (by Llalgdbj.exe)
File created: C:\Windows\SysWOW64\Feeldk32.exe (by Flmglfhk.exe)
File created: C:\Windows\SysWOW64\Odpeop32.exe (by Ogldfl32.exe)
File created: C:\Windows\SysWOW64\Iegjnkod.exe (by Iomaaa32.exe)
File created: C:\Windows\SysWOW64\Ejmljg32.exe (by Ephhmn32.exe)
File created: C:\Windows\SysWOW64\Llkamfnj.dll (by Plfjme32.exe)
File created: C:\Windows\SysWOW64\Pejnpe32.exe (by Pcjbfbmm.exe)
File created: C:\Windows\SysWOW64\Iedmhlqf.exe (by Hkoikcaq.exe)
File opened for modification: C:\Windows\SysWOW64\Jlkigbef.exe (by Jcodcp32.exe)
File created: C:\Windows\SysWOW64\Cdmgkl32.exe (by Copobe32.exe)
File opened for modification: C:\Windows\SysWOW64\Ofkoijhc.exe (by Ojdndi32.exe)
File opened for modification: C:\Windows\SysWOW64\Pjfghl32.exe (by Pejnpe32.exe)
File created: C:\Windows\SysWOW64\Bhamfgja.dll (by Qbiamm32.exe)
File created: C:\Windows\SysWOW64\Bdbkaoce.exe (by Bdpnlo32.exe)
File created: C:\Windows\SysWOW64\Gfgfbj32.dll (by Glbcpokl.exe)
File created: C:\Windows\SysWOW64\Idihponj.exe (by Hhbgkn32.exe)
File created: C:\Windows\SysWOW64\Jfdgpj32.dll (by Hacoio32.exe)
File created: C:\Windows\SysWOW64\Jpmaii32.dll (by Lhhmle32.exe)
File created: C:\Windows\SysWOW64\Oloioh32.dll (by Ojjnioae.exe)
File created: C:\Windows\SysWOW64\Phmkaf32.exe (by Peooek32.exe)
File created: C:\Windows\SysWOW64\Qdfhlggl.exe (by Pmmppm32.exe)
File created: C:\Windows\SysWOW64\Hdmjfi32.dll (by Bnhljnhm.exe)
File opened for modification: C:\Windows\SysWOW64\Mgebfi32.exe (by Mojmbg32.exe)
File created: C:\Windows\SysWOW64\Nfgbjc32.dll (by Doqmjaac.exe)
File created: C:\Windows\SysWOW64\Ebkibk32.exe (by Egedebgc.exe)
File created: C:\Windows\SysWOW64\Kalkjh32.exe (by Klocba32.exe)
File created: C:\Windows\SysWOW64\Oeiakl32.dll (by Bdmklico.exe)
File opened for modification: C:\Windows\SysWOW64\Echpaecj.exe (by Ecfcle32.exe)
File created: C:\Windows\SysWOW64\Ifbalb32.dll (by Qfegakmc.exe)
File opened for modification: C:\Windows\SysWOW64\Coehnecn.exe (by Cfmceomm.exe)
File created: C:\Windows\SysWOW64\Ffeoid32.exe (by Fplgljbm.exe)
File opened for modification: C:\Windows\SysWOW64\Feeldk32.exe (by Flmglfhk.exe)
File created: C:\Windows\SysWOW64\Lfehmgfd.dll (by Hddgkj32.exe)
File opened for modification: C:\Windows\SysWOW64\Genkhidc.exe (by Gekncjfe.exe)
File created: C:\Windows\SysWOW64\Ekloon32.dll (by Pblinp32.exe)
File created: C:\Windows\SysWOW64\Pfehhmgp.dll (by Ckebbgoj.exe)
File created: C:\Windows\SysWOW64\Mdbdlp32.dll (by Iackhb32.exe)
File created: C:\Windows\SysWOW64\Licbca32.exe (by Lfbibfmi.exe)
File opened for modification: C:\Windows\SysWOW64\Apphpp32.exe (by Afhcgjkq.exe)
File created: C:\Windows\SysWOW64\Bgbkhnja.dll (by Hhhkbqea.exe)
File created: C:\Windows\SysWOW64\Dqqqokla.exe (by Dopdgb32.exe)
File created: C:\Windows\SysWOW64\Mojmbg32.exe (by Meaiia32.exe)
File created: C:\Windows\SysWOW64\Igjlnf32.dll (by Pobhfl32.exe)
File created: C:\Windows\SysWOW64\Dlgjie32.exe (by Dbaflm32.exe)
File created: C:\Windows\SysWOW64\Jfabkg32.dll (by Mhbhecjc.exe)
File opened for modification: C:\Windows\SysWOW64\Eogckqkk.exe (by Edbonh32.exe)
File created: C:\Windows\SysWOW64\Fifogcdl.dll (by Idihponj.exe)
File created: C:\Windows\SysWOW64\Cpgabh32.dll (by Nefncd32.exe)
File created: C:\Windows\SysWOW64\Gdhimfaj.dll (by Oaolne32.exe)
File created: C:\Windows\SysWOW64\Gdmcbojl.exe (by Fdjfmolo.exe)
File created: C:\Windows\SysWOW64\Bnhljnhm.exe (by Bcbhmehg.exe)
File created: C:\Windows\SysWOW64\Aagadh32.exe (by Ajmihn32.exe)
File opened for modification: C:\Windows\SysWOW64\Dlokegib.exe (by Djnbdlla.exe)
File created: C:\Windows\SysWOW64\Ohefjnqk.dll (by Allbpqcp.exe)
File created: C:\Windows\SysWOW64\Mnlkdk32.exe (by Mknohpqj.exe)
File created: C:\Windows\SysWOW64\Klfjpm32.dll (by Dggcbf32.exe)
File opened for modification: C:\Windows\SysWOW64\Ojdndi32.exe (by Noojfpbi.exe)
File created: C:\Windows\SysWOW64\Knjfogkd.dll (by Eogckqkk.exe)
File created: C:\Windows\SysWOW64\Cobkhe32.exe (by Cdmgkl32.exe)
File opened for modification: C:\Windows\SysWOW64\Caijik32.exe (by Bnkbcmaj.exe)
File created: C:\Windows\SysWOW64\Genifa32.dll (by Cnpknl32.exe)
File opened for modification: C:\Windows\SysWOW64\Mlfgkleh.exe (by Lldkem32.exe)
File created: C:\Windows\SysWOW64\Jdlomqkj.dll (by Meaiia32.exe)
Program crash (1 IoC)
pid: 4588, pid_target: 4524, Process: WerFault.exe, procid_target: 451
Modifies registry class (64 IoCs)
All 64 IoCs are under \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32, the COM registration that tells Explorer which in-process DLL implements the CLSID it finds in ShellServiceObjectDelayLoad. Each process in the chain re-points the default value at its own freshly dropped SysWow64 DLL, so the DLL that is actually loaded at the next shell start is the last writer's.

Key created (25 processes):
Iobbfggm.exe, Jhbfcj32.exe, Hlebog32.exe, Mpegka32.exe, Jjqlbdog.exe, Lneghd32.exe, Nglhghgj.exe, Bakgmgpe.exe, Ebkibk32.exe, Bncboo32.exe, Hpbilmop.exe, Meiedg32.exe, Echpaecj.exe, Hhhkbqea.exe, Ppelfbol.exe, Picdejbg.exe, Pjfghl32.exe, Jobnej32.exe, Cdnicemo.exe, Allbpqcp.exe, Glgcec32.exe, Gloppi32.exe, Genkhidc.exe, Ckjnfobi.exe, Ckamihfm.exe

Set value (str) InProcServer32\(Default) = "C:\\Windows\\SysWow64\\<dll>" (19 processes; dll by process):
Fjokik32.dll by Gohjnf32.exe
Ahdocnod.dll by Mpegka32.exe
Joefkl32.dll by Peandcih.exe
Gdnpak32.dll by Cpkaai32.exe
Jfdgpj32.dll by Hacoio32.exe
Pdijjmef.dll by Campbj32.exe
Jbcibnmm.dll by Hlebog32.exe
Jbldcifi.dll by Hfdbji32.exe
Djlfjh32.dll by Gfnnmboa.exe
Palkjk32.dll by Bcbhmehg.exe
Mdbdlp32.dll by Iackhb32.exe
Imbdocbi.dll by Nkphmc32.exe
Likaja32.dll by Jjefmc32.exe
Lhgglopo.dll by Bgfdjfkh.exe
Ibngfe32.dll by Dbaflm32.exe
Jmjibdoi.dll by Pifcdbhi.exe
Hibgakob.dll by Fhaibnim.exe
Nqkkea32.dll by Qdfhlggl.exe
Gjoflo32.dll by Enijcn32.exe

Set value (str) InProcServer32\ThreadingModel = "Apartment" (20 processes):
Dopdgb32.exe, Hhpjfoji.exe, Ogldfl32.exe, Bmfamg32.exe, Mhobldaf.exe, Ppelfbol.exe, Gomjckqc.exe, Gheola32.exe, Hkkaik32.exe, Nkmdmm32.exe, Blelpeoa.exe, Ffokan32.exe, Cpkaai32.exe, Qmlief32.exe, Adenqd32.exe, Ojlmgg32.exe, Mhmfgdch.exe, Dknehe32.exe, Dggcbf32.exe, Gohjnf32.exe
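The two registry sections above (the ShellServiceObjectDelayLoad value and the CLSID's InProcServer32 default) are only meaningful together: the SSODL value names a CLSID, and the InProcServer32 key says which DLL that CLSID loads. The script below is an added example for hunting this chain on a host, not code from the sandbox or from the sample. It reads a text .reg export, resolves every SSODL entry to its DLL and flags any DLL not on an allowlist. The .reg text is constructed: the value name, CLSID and DLL path are the ones this report records, and a stock WebCheck entry is included so there is something benign to compare against. The allowlist, the root-key list and the `reg export` commands in the docstring are assumptions for the example.

```python
"""Resolve ShellServiceObjectDelayLoad (SSODL) entries to the DLL that Explorer
would load for them, working from a text (.reg) export of the registry.

Added example for this report, not code from the sandbox or from the sample.
On a live host produce the input with, for example:
    reg export HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad ssodl.reg
    reg export HKLM\SOFTWARE\Classes\Wow6432Node\CLSID clsid.reg
and read the files with encoding="utf-16" (reg.exe writes UTF-16LE).
"""
import re

SSODL_TAIL = r"Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad".upper()

# Roots under which a CLSID's InProcServer32 key may live.  A 32-bit component
# (every path in the report is SysWOW64) is registered under Wow6432Node, so
# both views are consulted.  Assumed list for the example.
CLSID_ROOTS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID",
    r"HKEY_CLASSES_ROOT\CLSID",
    r"HKEY_CLASSES_ROOT\Wow6432Node\CLSID",
)

# DLL basenames that legitimately back SSODL entries.  Assumption for the
# example: build this from a clean reference image of the same Windows build.
KNOWN_GOOD_DLLS = {"webcheck.dll"}

# Constructed sample input in the format reg.exe writes.  The second SSODL
# value, its CLSID and Fjokik32.dll are taken from the report.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"Web Event Logger"="{79ECA078-17FF-726B-E811-213280E5C831}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\Windows\\SysWow64\\webcheck.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32]
@="C:\\Windows\\SysWow64\\Fjokik32.dll"
"ThreadingModel"="Apartment"
'''

# "name"="data" or @="data"; backslash and quote are escaped inside the quotes.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"\s*$')


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg
    export.  The default value is stored under the empty name.  Non-string
    value types (dword:, hex:) are skipped because SSODL and InProcServer32
    only use strings.  Key paths are kept verbatim; compare them case-insensitively."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def resolve_ssodl(keys, known_good=KNOWN_GOOD_DLLS):
    """For each SSODL value (name -> CLSID) look up the CLSID's InProcServer32
    default value and return one finding per entry with a verdict."""
    by_upper = {k.upper(): v for k, v in keys.items()}
    findings = []
    for key_upper, values in by_upper.items():
        if not key_upper.endswith(SSODL_TAIL):
            continue
        for name, clsid in values.items():
            dll = None
            for root in CLSID_ROOTS:
                server = by_upper.get(f"{root}\\{clsid}\\InProcServer32".upper(), {})
                if "" in server:
                    dll = server[""]
                    break
            if dll is None:
                verdict = "unresolved: no InProcServer32 default value for this CLSID"
            elif dll.rsplit("\\", 1)[-1].lower() in known_good:
                verdict = "known-good"
            else:
                verdict = "SUSPECT: SSODL entry resolves to a DLL not on the allowlist"
            findings.append({"value": name, "clsid": clsid, "dll": dll, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in resolve_ssodl(parse_reg(SAMPLE_REG)):
        print(f"{f['verdict']:<62} {f['value']!r} -> {f['clsid']} -> {f['dll']}")
```

One caveat when using this on an x64 host: the 64-bit Explorer reads the native key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad); the Wow6432Node copy recorded in this report is the view a 32-bit writer gets under registry redirection. Export and check both views, and treat an "unresolved" entry as worth a look too, since a CLSID with no server is either a cleanup leftover or a registration that has not finished.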
Suspicious use of WriteProcessMemory (64 IoCs)
Every spawn in the chain appears four times in the report (one row per WriteProcessMemory call into the new child). Collapsed, the 64 rows are these 16 parent -> child hops, in order (pid image -> child pid (procid_target)):
2172 1d2e976fdc078f5d002fd9a38071cb70N.exe -> 2712 (29)
2712 Apjpglfn.exe -> 1636 (30)
1636 Alqplmlb.exe -> 1864 (31)
1864 Bgfdjfkh.exe -> 2876 (32)
2876 Bdpnlo32.exe -> 2788 (33)
2788 Bdbkaoce.exe -> 2792 (34)
2792 Bqilfp32.exe -> 2304 (35)
2304 Cqlhlo32.exe -> 552 (36)
552 Ckamihfm.exe -> 1676 (37)
1676 Cmbiap32.exe -> 2728 (38)
2728 Cfmjoe32.exe -> 764 (39)
764 Cccgni32.exe -> 2596 (40)
2596 Dbidof32.exe -> 1844 (41)
1844 Danaqbgp.exe -> 1372 (42)
1372 Djffihmp.exe -> 2272 (43)
2272 Dlfbck32.exe -> 2468 (44)
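The WriteProcessMemory rows and the process tree describe the same thing from two angles: a relay in which each dropped executable starts exactly one successor. The script below is an added example, not part of the report, that rebuilds that chain from rows in the report's own layout, collapses the repeated rows, and summarises the relay (depth, whether it ever forks, how many hops carry a dropped-style name). The sample rows are constructed from the first five hops the report lists, repeated four times each as the report does. The name regex is a heuristic taken from the names observed in this report, not a family signature, and the walker is equally usable on parent/child pairs from process-creation telemetry.

```python
"""Rebuild the parent -> child execution chain from the "Suspicious use of
WriteProcessMemory" rows of a sandbox report and check whether it has the
shape this report shows: a linear relay in which every dropped SysWOW64
executable starts exactly one successor.

Added example, not part of the report.  SAMPLE_HOPS is constructed from the
first five hops the report lists; the report repeats each hop four times
(one row per WriteProcessMemory call), which the generator reproduces so the
parser has duplicates to collapse.
"""
import re
from collections import defaultdict

# (parent pid, child pid, parent image, procid_target) as the report lists them.
SAMPLE_HOPS = [
    (2172, 2712, "1d2e976fdc078f5d002fd9a38071cb70N.exe", 29),
    (2712, 1636, "Apjpglfn.exe", 30),
    (1636, 1864, "Alqplmlb.exe", 31),
    (1864, 2876, "Bgfdjfkh.exe", 32),
    (2876, 2788, "Bdpnlo32.exe", 33),
]
SAMPLE_ROWS = "\n".join(
    f"PID {p} wrote to memory of {c} {p} {img} {t}"
    for (p, c, img, t) in SAMPLE_HOPS for _ in range(4)
)

# Row layout: "PID <src> wrote to memory of <dst> <src> <src image> <procid_target>"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")

# Name shape of every dropped executable in the report: eight letters, or six
# letters followed by "32".  Heuristic from the observed names (assumption).
DROPPED_NAME_RE = re.compile(r"^[A-Za-z]{6}(?:[A-Za-z]{2}|32)\.exe$")


def parse_rows(text):
    """Return (edges, images, hits).  edges: parent pid -> set of child pids;
    images: pid -> image name of the writing process; hits: (parent, child) ->
    number of rows, so repeated WriteProcessMemory rows collapse to one edge."""
    edges = defaultdict(set)
    images = {}
    hits = defaultdict(int)
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst, src_again, image, _procid = m.groups()
        if src != src_again:          # malformed row: the layout repeats the pid
            continue
        src, dst = int(src), int(dst)
        edges[src].add(dst)
        images[src] = image
        hits[(src, dst)] += 1
    return edges, images, hits


def walk_chain(edges, images, root):
    """Follow single-child links from root.  Returns the ordered list of
    (pid, image) for every process that wrote into a child; the walk stops at
    a leaf, at a fork, or at a cycle (pid seen twice)."""
    chain, seen, pid = [], set(), root
    while pid in edges and pid not in seen:
        seen.add(pid)
        chain.append((pid, images[pid]))
        children = edges[pid]
        if len(children) != 1:
            break
        pid = next(iter(children))
    return chain


def chain_summary(text, root):
    """Depth of the relay, whether it is strictly linear, how many hops carry a
    dropped-style name, and the distinct row counts seen per hop."""
    edges, images, hits = parse_rows(text)
    chain = walk_chain(edges, images, root)
    dropped = sum(1 for _, img in chain if DROPPED_NAME_RE.match(img))
    forks = sum(1 for pid, _ in chain if len(edges[pid]) != 1)
    per_hop = {hits[(p, next(iter(edges[p])))] for p, _ in chain if len(edges[p]) == 1}
    return {
        "depth": len(chain),
        "linear": forks == 0,
        "dropped_name_hops": dropped,
        "rows_per_hop": sorted(per_hop),
    }


if __name__ == "__main__":
    print(chain_summary(SAMPLE_ROWS, 2172))
```

On the five constructed hops this yields depth 5, a linear chain, four hops with a dropped-style name (the original sample's hash-named image is the exception) and exactly four rows per hop. A relay that is this long and this regular, with every hop living in SysWOW64, is the property to alert on, independent of the random file names.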
Processes

C:\Users\Admin\AppData\Local\Temp\1d2e976fdc078f5d002fd9a38071cb70N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\1d2e976fdc078f5d002fd9a38071cb70N.exe", level 1, PID 2172)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Apjpglfn.exe (command line: C:\Windows\system32\Apjpglfn.exe, level 2, PID 2712)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Alqplmlb.exe (command line: C:\Windows\system32\Alqplmlb.exe, level 3, PID 1636)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Bgfdjfkh.exe (command line: C:\Windows\system32\Bgfdjfkh.exe, level 4, PID 1864)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Bdpnlo32.exe (command line: C:\Windows\system32\Bdpnlo32.exe, level 5, PID 2876)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Bdbkaoce.exe (command line: C:\Windows\system32\Bdbkaoce.exe, level 6, PID 2788)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Bqilfp32.exe (command line: C:\Windows\system32\Bqilfp32.exe, level 7, PID 2792)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Cqlhlo32.exe (command line: C:\Windows\system32\Cqlhlo32.exe, level 8, PID 2304)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ckamihfm.exe (command line: C:\Windows\system32\Ckamihfm.exe, level 9, PID 552)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Cmbiap32.exe (command line: C:\Windows\system32\Cmbiap32.exe, level 10, PID 1676)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Cfmjoe32.exe (command line: C:\Windows\system32\Cfmjoe32.exe, level 11, PID 2728)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Cccgni32.exe (command line: C:\Windows\system32\Cccgni32.exe, level 12, PID 764)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Dbidof32.exe (command line: C:\Windows\system32\Dbidof32.exe, level 13, PID 2596)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Danaqbgp.exe (command line: C:\Windows\system32\Danaqbgp.exe, level 14, PID 1844)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Djffihmp.exe (command line: C:\Windows\system32\Djffihmp.exe, level 15, PID 1372)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Dlfbck32.exe (command line: C:\Windows\system32\Dlfbck32.exe, level 16, PID 2272)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Denglpkc.exe (command line: C:\Windows\system32\Denglpkc.exe, level 17, PID 2468)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Ephhmn32.exe (command line: C:\Windows\system32\Ephhmn32.exe, level 18, PID 2600)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

C:\Windows\SysWOW64\Ejmljg32.exe (command line: C:\Windows\system32\Ejmljg32.exe, level 19, PID 2532)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Ebhani32.exe (command line: C:\Windows\system32\Ebhani32.exe, level 20, PID 952)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Ebkndibq.exe (command line: C:\Windows\system32\Ebkndibq.exe, level 21, PID 752)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Eponmmaj.exe (command line: C:\Windows\system32\Eponmmaj.exe, level 22, PID 1308)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Ehjbaooe.exe (command line: C:\Windows\system32\Ehjbaooe.exe, level 23, PID 1824)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Eabgjeef.exe (command line: C:\Windows\system32\Eabgjeef.exe, level 24, PID 2588)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Fholmo32.exe (command line: C:\Windows\system32\Fholmo32.exe, level 25, PID 2668)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Foidii32.exe (command line: C:\Windows\system32\Foidii32.exe, level 26, PID 2584)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Fhaibnim.exe (command line: C:\Windows\system32\Fhaibnim.exe, level 27, PID 1648)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

C:\Windows\SysWOW64\Fomndhng.exe (command line: C:\Windows\system32\Fomndhng.exe, level 28, PID 1600)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Fdjfmolo.exe (command line: C:\Windows\system32\Fdjfmolo.exe, level 29, PID 848)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

C:\Windows\SysWOW64\Gdmcbojl.exe (command line: C:\Windows\system32\Gdmcbojl.exe, level 30, PID 1144)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Gkfkoi32.exe (command line: C:\Windows\system32\Gkfkoi32.exe, level 31, PID 2848)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

C:\Windows\SysWOW64\Gcdmikma.exe (command line: C:\Windows\system32\Gcdmikma.exe, level 32, PID 2440)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Gphmbolk.exe (command line: C:\Windows\system32\Gphmbolk.exe, level 33, PID 1660)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Gomjckqc.exe (command line: C:\Windows\system32\Gomjckqc.exe, level 34, PID 2676)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Gheola32.exe (command line: C:\Windows\system32\Gheola32.exe, level 35, PID 2336)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Hopgikop.exe (command line: C:\Windows\system32\Hopgikop.exe, level 36, PID 1984)
- Executes dropped EXE

C:\Windows\SysWOW64\Hhhkbqea.exe (command line: C:\Windows\system32\Hhhkbqea.exe, level 37, PID 1684)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class

C:\Windows\SysWOW64\Hqemlbqi.exe (command line: C:\Windows\system32\Hqemlbqi.exe, level 38, PID 2136)
- Executes dropped EXE

C:\Windows\SysWOW64\Hkkaik32.exe (command line: C:\Windows\system32\Hkkaik32.exe, level 39, PID 2236)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Hfdbji32.exe (command line: C:\Windows\system32\Hfdbji32.exe, level 40, PID 2984)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Hmojfcdk.exe (command line: C:\Windows\system32\Hmojfcdk.exe, level 41, PID 2448)
- Executes dropped EXE

C:\Windows\SysWOW64\Igdndl32.exe (command line: C:\Windows\system32\Igdndl32.exe, level 42, PID 2244)
- Executes dropped EXE

C:\Windows\SysWOW64\Ikfdmogp.exe (command line: C:\Windows\system32\Ikfdmogp.exe, level 43, PID 2228)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Iniidj32.exe (command line: C:\Windows\system32\Iniidj32.exe, level 44, PID 2528)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Iganmp32.exe (command line: C:\Windows\system32\Iganmp32.exe, level 45, PID 824)
- Executes dropped EXE

C:\Windows\SysWOW64\Jnlfjjpl.exe (command line: C:\Windows\system32\Jnlfjjpl.exe, level 46, PID 1944)
- Executes dropped EXE

C:\Windows\SysWOW64\Jchobqnc.exe (command line: C:\Windows\system32\Jchobqnc.exe, level 47, PID 268)
- Executes dropped EXE

C:\Windows\SysWOW64\Jjbgok32.exe (command line: C:\Windows\system32\Jjbgok32.exe, level 48, PID 1292)
- Executes dropped EXE

C:\Windows\SysWOW64\Jehklc32.exe (command line: C:\Windows\system32\Jehklc32.exe, level 49, PID 1192)
- Executes dropped EXE

C:\Windows\SysWOW64\Jnppei32.exe (command line: C:\Windows\system32\Jnppei32.exe, level 50, PID 1380)
- Executes dropped EXE

C:\Windows\SysWOW64\Jijqeg32.exe (command line: C:\Windows\system32\Jijqeg32.exe, level 51, PID 864)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Jcodcp32.exe (command line: C:\Windows\system32\Jcodcp32.exe, level 52, PID 2564)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Jlkigbef.exe (command line: C:\Windows\system32\Jlkigbef.exe, level 53, PID 2148)
- Executes dropped EXE

C:\Windows\SysWOW64\Jfpndkel.exe (command line: C:\Windows\system32\Jfpndkel.exe, level 54, PID 2508)
- Executes dropped EXE

C:\Windows\SysWOW64\Kphbmp32.exe (command line: C:\Windows\system32\Kphbmp32.exe, level 55, PID 3020)
- Executes dropped EXE

C:\Windows\SysWOW64\Klocba32.exe (command line: C:\Windows\system32\Klocba32.exe, level 56, PID 2664)
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Kalkjh32.exe (command line: C:\Windows\system32\Kalkjh32.exe, level 57, PID 2816)
- Executes dropped EXE

C:\Windows\SysWOW64\Kopldl32.exe (command line: C:\Windows\system32\Kopldl32.exe, level 58, PID 2692)
- Executes dropped EXE

C:\Windows\SysWOW64\Kkglim32.exe (command line: C:\Windows\system32\Kkglim32.exe, level 59, PID 588)
- Executes dropped EXE

C:\Windows\SysWOW64\Kelqff32.exe (command line: C:\Windows\system32\Kelqff32.exe, level 60, PID 2196)
- Executes dropped EXE

C:\Windows\SysWOW64\Kmgekh32.exe (command line: C:\Windows\system32\Kmgekh32.exe, level 61, PID 2868)
- Executes dropped EXE

C:\Windows\SysWOW64\Lgpjcnhh.exe (command line: C:\Windows\system32\Lgpjcnhh.exe, level 62, PID 800)
- Executes dropped EXE

C:\Windows\SysWOW64\Laenqg32.exe (command line: C:\Windows\system32\Laenqg32.exe, level 63, PID 2424)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Lgbfin32.exe (command line: C:\Windows\system32\Lgbfin32.exe, level 64, PID 3028)
- Executes dropped EXE

C:\Windows\SysWOW64\Liqcei32.exe (command line: C:\Windows\system32\Liqcei32.exe, level 65, PID 2500)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Lpkkbcle.exe (command line: C:\Windows\system32\Lpkkbcle.exe, level 66, PID 2824)

C:\Windows\SysWOW64\Llalgdbj.exe (command line: C:\Windows\system32\Llalgdbj.exe, level 67, PID 1816)
- Drops file in System32 directory

C:\Windows\SysWOW64\Lejppj32.exe (command line: C:\Windows\system32\Lejppj32.exe, level 68, PID 916)

C:\Windows\SysWOW64\Lhhmle32.exe (command line: C:\Windows\system32\Lhhmle32.exe, level 69, PID 2100)
- Drops file in System32 directory

C:\Windows\SysWOW64\Lelmei32.exe (command line: C:\Windows\system32\Lelmei32.exe, level 70, PID 2576)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Mkiemqdo.exe (command line: C:\Windows\system32\Mkiemqdo.exe, level 71, PID 2040)

C:\Windows\SysWOW64\Meojkide.exe (command line: C:\Windows\system32\Meojkide.exe, level 72, PID 1672)

C:\Windows\SysWOW64\Mhmfgdch.exe (command line: C:\Windows\system32\Mhmfgdch.exe, level 73, PID 2892)
- Modifies registry class

C:\Windows\SysWOW64\Mognco32.exe (command line: C:\Windows\system32\Mognco32.exe, level 74, PID 2900)

C:\Windows\SysWOW64\Mhobldaf.exe (command line: C:\Windows\system32\Mhobldaf.exe, level 75, PID 976)
- Modifies registry class

C:\Windows\SysWOW64\Mknohpqj.exe (command line: C:\Windows\system32\Mknohpqj.exe, level 76, PID 2216)
- Drops file in System32 directory

C:\Windows\SysWOW64\Mnlkdk32.exe (command line: C:\Windows\system32\Mnlkdk32.exe, level 77, PID 1972)

C:\Windows\SysWOW64\Mgdpnqfn.exe (command line: C:\Windows\system32\Mgdpnqfn.exe, level 78, PID 2516)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Majdkifd.exe (command line: C:\Windows\system32\Majdkifd.exe, level 79, PID 1792)

C:\Windows\SysWOW64\Mkbhco32.exe (command line: C:\Windows\system32\Mkbhco32.exe, level 80, PID 928)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Mdkmld32.exe (command line: C:\Windows\system32\Mdkmld32.exe, level 81, PID 2264)

C:\Windows\SysWOW64\Nodnmb32.exe (command line: C:\Windows\system32\Nodnmb32.exe, level 82, PID 1632)

C:\Windows\SysWOW64\Nlhnfg32.exe (command line: C:\Windows\system32\Nlhnfg32.exe, level 83, PID 2312)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Nogjbbma.exe (command line: C:\Windows\system32\Nogjbbma.exe, level 84, PID 236)

C:\Windows\SysWOW64\Nkmkgc32.exe (command line: C:\Windows\system32\Nkmkgc32.exe, level 85, PID 1348)

C:\Windows\SysWOW64\Nfcoel32.exe (command line: C:\Windows\system32\Nfcoel32.exe, level 86, PID 2392)

C:\Windows\SysWOW64\Nkphmc32.exe (command line: C:\Windows\system32\Nkphmc32.exe, level 87, PID 1504)
- Modifies registry class

C:\Windows\SysWOW64\Nnndin32.exe (command line: C:\Windows\system32\Nnndin32.exe, level 88, PID 1100)

C:\Windows\SysWOW64\Ndhlfh32.exe (command line: C:\Windows\system32\Ndhlfh32.exe, level 89, PID 988)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Nonqca32.exe (command line: C:\Windows\system32\Nonqca32.exe, level 90, PID 2756)

C:\Windows\SysWOW64\Oifelfni.exe (command line: C:\Windows\system32\Oifelfni.exe, level 91, PID 1408)

C:\Windows\SysWOW64\Ojgado32.exe (command line: C:\Windows\system32\Ojgado32.exe, level 92, PID 2812)

C:\Windows\SysWOW64\Ojjnioae.exe (command line: C:\Windows\system32\Ojjnioae.exe, level 93, PID 2912)
- Drops file in System32 directory

C:\Windows\SysWOW64\Ocbbbd32.exe (command line: C:\Windows\system32\Ocbbbd32.exe, level 94, PID 2932)

C:\Windows\SysWOW64\Ocdohdfc.exe (command line: C:\Windows\system32\Ocdohdfc.exe, level 95, PID 2520)

C:\Windows\SysWOW64\Oiahpkdj.exe (command line: C:\Windows\system32\Oiahpkdj.exe, level 96, PID 1484)

C:\Windows\SysWOW64\Oahpahel.exe (command line: C:\Windows\system32\Oahpahel.exe, level 97, PID 2408)

C:\Windows\SysWOW64\Picdejbg.exe (command line: C:\Windows\system32\Picdejbg.exe, level 98, PID 1920)
- Modifies registry class

C:\Windows\SysWOW64\Pblinp32.exe (command line: C:\Windows\system32\Pblinp32.exe, level 99, PID 932)
- Drops file in System32 directory

C:\Windows\SysWOW64\Pifakj32.exe (command line: C:\Windows\system32\Pifakj32.exe, level 100, PID 1780)

C:\Windows\SysWOW64\Pbnfdpge.exe (command line: C:\Windows\system32\Pbnfdpge.exe, level 101, PID 1196)

C:\Windows\SysWOW64\Plfjme32.exe (command line: C:\Windows\system32\Plfjme32.exe, level 102, PID 796)
- Drops file in System32 directory

C:\Windows\SysWOW64\Peooek32.exe (command line: C:\Windows\system32\Peooek32.exe, level 103, PID 2368)
- Drops file in System32 directory

C:\Windows\SysWOW64\Phmkaf32.exe (command line: C:\Windows\system32\Phmkaf32.exe, level 104, PID 2844)

C:\Windows\SysWOW64\Peakkj32.exe (command line: C:\Windows\system32\Peakkj32.exe, level 105, PID 2764)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Plkchdiq.exe (command line: C:\Windows\system32\Plkchdiq.exe, level 106, PID 2488)

C:\Windows\SysWOW64\Pmmppm32.exe (command line: C:\Windows\system32\Pmmppm32.exe, level 107, PID 1868)
- Drops file in System32 directory

C:\Windows\SysWOW64\Qdfhlggl.exe (command line: C:\Windows\system32\Qdfhlggl.exe, level 108, PID 2696)
- Modifies registry class

C:\Windows\SysWOW64\Qajiek32.exe (command line: C:\Windows\system32\Qajiek32.exe, level 109, PID 2000)

C:\Windows\SysWOW64\Qdieaf32.exe (command line: C:\Windows\system32\Qdieaf32.exe, level 110, PID 936)

C:\Windows\SysWOW64\Aamekk32.exe (command line: C:\Windows\system32\Aamekk32.exe, level 111, PID 2444)

C:\Windows\SysWOW64\Adkbgf32.exe (command line: C:\Windows\system32\Adkbgf32.exe, level 112, PID 1404)

C:\Windows\SysWOW64\Aihjpman.exe (command line: C:\Windows\system32\Aihjpman.exe, level 113, PID 1508)

C:\Windows\SysWOW64\Abpohb32.exe (command line: C:\Windows\system32\Abpohb32.exe, level 114, PID 1652)

C:\Windows\SysWOW64\Aijgemok.exe (command line: C:\Windows\system32\Aijgemok.exe, level 115, PID 2820)

C:\Windows\SysWOW64\Apdobg32.exe (command line: C:\Windows\system32\Apdobg32.exe, level 116, PID 2652)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Afngoand.exe (command line: C:\Windows\system32\Afngoand.exe, level 117, PID 904)

C:\Windows\SysWOW64\Ahpdficc.exe (command line: C:\Windows\system32\Ahpdficc.exe, level 118, PID 2056)

C:\Windows\SysWOW64\Bgijbede.exe (command line: C:\Windows\system32\Bgijbede.exe, level 119, PID 1568)

C:\Windows\SysWOW64\Bncboo32.exe (command line: C:\Windows\system32\Bncboo32.exe, level 120, PID 1248)
- Modifies registry class

C:\Windows\SysWOW64\Bdmklico.exe (command line: C:\Windows\system32\Bdmklico.exe, level 121, PID 2092)
- Drops file in System32 directory

C:\Windows\SysWOW64\Bnfodojp.exe (command line: C:\Windows\system32\Bnfodojp.exe, level 122, PID 2116)