Analysis
max time kernel: 120s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 21-07-2024 07:39

Static task: static1
1 signatures

Behavioral task: behavioral1
Sample: 8b060d5df6f628bb218029fd96e09340N.exe
Resource: win7-20240704-en (windows7-x64)
7 signatures
120 seconds

Behavioral task: behavioral2
Sample: 8b060d5df6f628bb218029fd96e09340N.exe
Resource: win10v2004-20240709-en (windows10-2004-x64)
6 signatures
120 seconds

General
Target: 8b060d5df6f628bb218029fd96e09340N.exe
Size: 290KB
MD5: 8b060d5df6f628bb218029fd96e09340
SHA1: 5c3392a98a49b34604d9764cb3c9aba684d3e527
SHA256: a3b23c211d50d5f70e57e0267e20b8b072c4de0cd4dc9c0e971359d89cfb4881
SHA512: 37d4b149950667fb3473b315fe3e6bd504b2d3be728d78b7fa3de91d5ea7805e7cd155a95ba354bf929ced6bc62b8987fb045e821f7aca218a1ca1019daec765
SSDEEP: 6144:BOeQhIfdPvO7Mb5kMUmKyIxLDXXoq9FJZCUmKyIxL:USRvO7Mb732XXf9Do3
Score: 10/10
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bikemiik.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bkjpncii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Laccdp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hmdohj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ehkgnpbe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmcidqlf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aahhoo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bbmggp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gnldhf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndnbeclb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nnkqih32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fqbbig32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Henipenb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hbajjiml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pjgjmipf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lpmgioed.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Faapbk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jboanfmm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fnnpma32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bikemiik.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbefen32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mgkghp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kiepca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dbjonicb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hnanceem.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aanonj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmpkhl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Paoedc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Imaglc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mphhbblp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lodeahen.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fpnekc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hfpijngn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lplqoiai.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Affjehkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hancef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hodpfg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dglfkebm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gmegkd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pgkqeo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eopbooqb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gbcgne32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jkcjchco.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ndjloanf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pfgeaklb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Imaglc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Djaedbnj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gadidabc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bdcmjg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gdedoegh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gqgmdkgm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbmggp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Khdhmg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cpogjh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iomhkgkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gplgmodq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmnnomnn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jigmeagl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnnpdaeb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eddgaj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fpedph32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Glfqngom.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bkdokjdd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fphgpnhm.exe
Executes dropped EXE (64 IoCs)
pid | Process
2120 | Achlch32.exe
2608 | Alqplmlb.exe
2636 | Bocfch32.exe
2752 | Bohoogbk.exe
2788 | Cqlhlo32.exe
2572 | Cmeffp32.exe
612 | Cklpml32.exe
2504 | Dfdqpdja.exe
2716 | Dbkaee32.exe
2968 | Dmgokcja.exe
1780 | Eagdgaoe.exe
1260 | Eelfedpa.exe
2584 | Eenckc32.exe
1676 | Flmecm32.exe
2104 | Fdjfmolo.exe
2940 | Gmegkd32.exe
1436 | Gilhpe32.exe
1812 | Ghaeaaki.exe
1804 | Ghcbga32.exe
2096 | Hancef32.exe
1544 | Hgkknm32.exe
2056 | Hbblpf32.exe
928 | Hcfenn32.exe
2044 | Hnljkf32.exe
2088 | Imaglc32.exe
880 | Ibplji32.exe
2476 | Iecaad32.exe
2168 | Jalolemm.exe
2712 | Jnppei32.exe
2052 | Jjgpjjak.exe
2732 | Jlkigbef.exe
2548 | Keekeg32.exe
2768 | Kbikokin.exe
2648 | Kopldl32.exe
988 | Kdoaackf.exe
2840 | Lhmjha32.exe
2880 | Lknbjlnn.exe
1816 | Lmolkg32.exe
1460 | Lhhmle32.exe
1496 | Mlfebcnd.exe
1272 | Mkkbcpbl.exe
2340 | Mjcljlea.exe
2216 | Mjeholco.exe
2192 | Ncnmhajo.exe
1772 | Ncpjnahm.exe
2428 | Nlhnfg32.exe
1364 | Nkmkgc32.exe
812 | Nfcoel32.exe
1032 | Nnndin32.exe
2868 | Nkbdbbop.exe
1704 | Oifelfni.exe
2952 | Oncndnlq.exe
2452 | Oeobfgak.exe
2676 | Ojlkonpb.exe
2632 | Ofcldoef.exe
2552 | Ocglmcdp.exe
2596 | Pciiccbm.exe
1884 | Pldnge32.exe
1616 | Pihnqj32.exe
1976 | Pbqbioeb.exe
1156 | Pikkfilp.exe
1600 | Pafpjljk.exe
1684 | Phphgf32.exe
2304 | Pmmppm32.exe
Loads dropped DLL (64 IoCs)
pid | Process
2488 | 8b060d5df6f628bb218029fd96e09340N.exe
2488 | 8b060d5df6f628bb218029fd96e09340N.exe
2120 | Achlch32.exe
2120 | Achlch32.exe
2608 | Alqplmlb.exe
2608 | Alqplmlb.exe
2636 | Bocfch32.exe
2636 | Bocfch32.exe
2752 | Bohoogbk.exe
2752 | Bohoogbk.exe
2788 | Cqlhlo32.exe
2788 | Cqlhlo32.exe
2572 | Cmeffp32.exe
2572 | Cmeffp32.exe
612 | Cklpml32.exe
612 | Cklpml32.exe
2504 | Dfdqpdja.exe
2504 | Dfdqpdja.exe
2716 | Dbkaee32.exe
2716 | Dbkaee32.exe
2968 | Dmgokcja.exe
2968 | Dmgokcja.exe
1780 | Eagdgaoe.exe
1780 | Eagdgaoe.exe
1260 | Eelfedpa.exe
1260 | Eelfedpa.exe
2584 | Eenckc32.exe
2584 | Eenckc32.exe
1676 | Flmecm32.exe
1676 | Flmecm32.exe
2104 | Fdjfmolo.exe
2104 | Fdjfmolo.exe
2940 | Gmegkd32.exe
2940 | Gmegkd32.exe
1436 | Gilhpe32.exe
1436 | Gilhpe32.exe
1812 | Ghaeaaki.exe
1812 | Ghaeaaki.exe
1804 | Ghcbga32.exe
1804 | Ghcbga32.exe
2096 | Hancef32.exe
2096 | Hancef32.exe
1544 | Hgkknm32.exe
1544 | Hgkknm32.exe
2056 | Hbblpf32.exe
2056 | Hbblpf32.exe
928 | Hcfenn32.exe
928 | Hcfenn32.exe
2044 | Hnljkf32.exe
2044 | Hnljkf32.exe
2088 | Imaglc32.exe
2088 | Imaglc32.exe
880 | Ibplji32.exe
880 | Ibplji32.exe
2476 | Iecaad32.exe
2476 | Iecaad32.exe
2168 | Jalolemm.exe
2168 | Jalolemm.exe
2712 | Jnppei32.exe
2712 | Jnppei32.exe
2052 | Jjgpjjak.exe
2052 | Jjgpjjak.exe
2732 | Jlkigbef.exe
2732 | Jlkigbef.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Dehccpae.dll | Ohgnoeii.exe
File created | C:\Windows\SysWOW64\Ipmgncii.exe | Ifecen32.exe
File created | C:\Windows\SysWOW64\Kceecg32.dll | Mgkncfdc.exe
File created | C:\Windows\SysWOW64\Icpijl32.dll | Bimdka32.exe
File created | C:\Windows\SysWOW64\Pidhjg32.exe | Plpgqc32.exe
File opened for modification | C:\Windows\SysWOW64\Jjfiap32.exe | Jifmgman.exe
File created | C:\Windows\SysWOW64\Afjplj32.exe | Aifpcfjd.exe
File opened for modification | C:\Windows\SysWOW64\Onplmp32.exe | Ockhpgbf.exe
File created | C:\Windows\SysWOW64\Njilpjke.dll | Kjbqei32.exe
File opened for modification | C:\Windows\SysWOW64\Lgadba32.exe | Lofono32.exe
File created | C:\Windows\SysWOW64\Gcmdbl32.dll | Lgadba32.exe
File created | C:\Windows\SysWOW64\Qlmnfh32.exe | Qcdinbdk.exe
File created | C:\Windows\SysWOW64\Foacmg32.exe | Flbgak32.exe
File opened for modification | C:\Windows\SysWOW64\Lbdghi32.exe | Kmnljc32.exe
File created | C:\Windows\SysWOW64\Fbebcp32.exe | Filnjk32.exe
File created | C:\Windows\SysWOW64\Odflnaqp.dll | Hgpgae32.exe
File created | C:\Windows\SysWOW64\Onhkan32.exe | Ogncddpg.exe
File created | C:\Windows\SysWOW64\Dglfkebm.exe | Cabnokkq.exe
File opened for modification | C:\Windows\SysWOW64\Mhpeem32.exe | Mhmhpm32.exe
File created | C:\Windows\SysWOW64\Cgccll32.dll | Hfhjfp32.exe
File created | C:\Windows\SysWOW64\Fmcchb32.exe | Eopbooqb.exe
File opened for modification | C:\Windows\SysWOW64\Hleegpgb.exe | Hmphfc32.exe
File created | C:\Windows\SysWOW64\Mjnohc32.exe | Mqfjpnmj.exe
File opened for modification | C:\Windows\SysWOW64\Hkccpb32.exe | Holcka32.exe
File opened for modification | C:\Windows\SysWOW64\Cpogjh32.exe | Cnnohmog.exe
File created | C:\Windows\SysWOW64\Gpaikiig.exe | Fallil32.exe
File opened for modification | C:\Windows\SysWOW64\Ohajic32.exe | Oqfeda32.exe
File created | C:\Windows\SysWOW64\Pdlmnm32.exe | Pqodho32.exe
File opened for modification | C:\Windows\SysWOW64\Fahdja32.exe | Fphgpnhm.exe
File opened for modification | C:\Windows\SysWOW64\Deficgha.exe | Dknejb32.exe
File opened for modification | C:\Windows\SysWOW64\Fahfcjfd.exe | Fddeifgj.exe
File created | C:\Windows\SysWOW64\Kopldl32.exe | Kbikokin.exe
File created | C:\Windows\SysWOW64\Cigkbm32.dll | Ianambhc.exe
File created | C:\Windows\SysWOW64\Kbedmedg.exe | Jimodo32.exe
File created | C:\Windows\SysWOW64\Jhbfcj32.exe | Jojaje32.exe
File created | C:\Windows\SysWOW64\Mlqncf32.dll | Lhmjha32.exe
File created | C:\Windows\SysWOW64\Blllchcf.dll | Jfkphnmj.exe
File created | C:\Windows\SysWOW64\Glaejokn.exe | Fahdja32.exe
File created | C:\Windows\SysWOW64\Ifhacfhj.exe | Icgibkki.exe
File created | C:\Windows\SysWOW64\Ajibgh32.dll | Eepccldb.exe
File created | C:\Windows\SysWOW64\Dfjcncak.exe | Dqmkflcd.exe
File created | C:\Windows\SysWOW64\Eickdlcd.exe | Ejnnbpol.exe
File created | C:\Windows\SysWOW64\Pkmadk32.dll | Hlmpjl32.exe
File created | C:\Windows\SysWOW64\Iqddmmfp.dll | Odknmi32.exe
File opened for modification | C:\Windows\SysWOW64\Gmkjjbhg.exe | Ghnaaljp.exe
File created | C:\Windows\SysWOW64\Dnmdmj32.exe | Dddodd32.exe
File created | C:\Windows\SysWOW64\Ibngfe32.dll | Dfmbmkgm.exe
File created | C:\Windows\SysWOW64\Edognj32.dll | Laokdekd.exe
File created | C:\Windows\SysWOW64\Ckfkdffp.dll | Mmdlqa32.exe
File opened for modification | C:\Windows\SysWOW64\Epimjd32.exe | Efqian32.exe
File created | C:\Windows\SysWOW64\Aljinncb.exe | Aofhejdh.exe
File opened for modification | C:\Windows\SysWOW64\Lmfnbohm.exe | Ldnjii32.exe
File created | C:\Windows\SysWOW64\Nolilcpb.dll | Cqlhlo32.exe
File created | C:\Windows\SysWOW64\Hcfenn32.exe | Hbblpf32.exe
File created | C:\Windows\SysWOW64\Hniaeb32.dll | Aanonj32.exe
File created | C:\Windows\SysWOW64\Fajpdmgb.exe | Fjpggb32.exe
File created | C:\Windows\SysWOW64\Iomhkgkb.exe | Heedbbdb.exe
File created | C:\Windows\SysWOW64\Ddbika32.dll | Holqbipe.exe
File opened for modification | C:\Windows\SysWOW64\Kenaoojo.exe | Jdodel32.exe
File created | C:\Windows\SysWOW64\Pihnqj32.exe | Pldnge32.exe
File opened for modification | C:\Windows\SysWOW64\Dnmdmj32.exe | Dddodd32.exe
File created | C:\Windows\SysWOW64\Oohoeg32.exe | Oepjmbka.exe
File opened for modification | C:\Windows\SysWOW64\Emmljodk.exe | Eddgaj32.exe
File opened for modification | C:\Windows\SysWOW64\Hcpbalaa.exe | Hmfjda32.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
5080 | 5116 | WerFault.exe | 951
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nimflk32.dll" | Fcaankpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kililk32.dll" | Pdkgcd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Claqoinf.dll" | Mfbnfcli.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nnkqih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clapna32.dll" | Ocoobngl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Adenqd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fihmiqhb.dll" | Knnagehi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dnmdmj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mmepboin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghndbeeo.dll" | Cklpml32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kmkodd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhnfph32.dll" | Celnjj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poohno32.dll" | Mfdklc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbobdolj.dll" | Jeafgiai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hkccpb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibiflmjc.dll" | Qmkigb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Flmecm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Beignlig.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qcdinbdk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eknmgkpa.dll" | Bickkl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bmacqj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjlghc32.dll" | Dnnnlmob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lplqoiai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kbikokin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kbhckm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gjeedcjh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jnadfk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Neojknfh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cfidhcbm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ldpfoipj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Aljinncb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oofeeflg.dll" | Eagdgaoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boqjdl32.dll" | Mabihm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgdhfbpi.dll" | Lqfbbh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ldpdfp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dcpcppfh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nhnhcnkg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdgdja32.dll" | Eenckc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mlndfa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acmjpako.dll" | Ifecen32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfbkmcmd.dll" | Kqaigijk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Meeqkijg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gfaodclg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfepljba.dll" | Hcpbalaa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mpgccm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pclolakk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkideqgo.dll" | Genkhidc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmdbl32.dll" | Lgadba32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aekenl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdfljc32.dll" | Cgicko32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ecppoc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alikdf32.dll" | Epimjd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fddeifgj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Foacmg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mfdklc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gldaoaqg.dll" | Fefdhj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleoig32.dll" | Dpfpco32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ehlqao32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaeoad32.dll" | Mbadih32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dfdqpdja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qpnkjq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kgffpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jfkphnmj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Phgfmk32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2488 wrote to memory of 2120 | 2488 | 8b060d5df6f628bb218029fd96e09340N.exe | 28
PID 2488 wrote to memory of 2120 | 2488 | 8b060d5df6f628bb218029fd96e09340N.exe | 28
PID 2488 wrote to memory of 2120 | 2488 | 8b060d5df6f628bb218029fd96e09340N.exe | 28
PID 2488 wrote to memory of 2120 | 2488 | 8b060d5df6f628bb218029fd96e09340N.exe | 28
PID 2120 wrote to memory of 2608 | 2120 | Achlch32.exe | 29
PID 2120 wrote to memory of 2608 | 2120 | Achlch32.exe | 29
PID 2120 wrote to memory of 2608 | 2120 | Achlch32.exe | 29
PID 2120 wrote to memory of 2608 | 2120 | Achlch32.exe | 29
PID 2608 wrote to memory of 2636 | 2608 | Alqplmlb.exe | 30
PID 2608 wrote to memory of 2636 | 2608 | Alqplmlb.exe | 30
PID 2608 wrote to memory of 2636 | 2608 | Alqplmlb.exe | 30
PID 2608 wrote to memory of 2636 | 2608 | Alqplmlb.exe | 30
PID 2636 wrote to memory of 2752 | 2636 | Bocfch32.exe | 31
PID 2636 wrote to memory of 2752 | 2636 | Bocfch32.exe | 31
PID 2636 wrote to memory of 2752 | 2636 | Bocfch32.exe | 31
PID 2636 wrote to memory of 2752 | 2636 | Bocfch32.exe | 31
PID 2752 wrote to memory of 2788 | 2752 | Bohoogbk.exe | 32
PID 2752 wrote to memory of 2788 | 2752 | Bohoogbk.exe | 32
PID 2752 wrote to memory of 2788 | 2752 | Bohoogbk.exe | 32
PID 2752 wrote to memory of 2788 | 2752 | Bohoogbk.exe | 32
PID 2788 wrote to memory of 2572 | 2788 | Cqlhlo32.exe | 33
PID 2788 wrote to memory of 2572 | 2788 | Cqlhlo32.exe | 33
PID 2788 wrote to memory of 2572 | 2788 | Cqlhlo32.exe | 33
PID 2788 wrote to memory of 2572 | 2788 | Cqlhlo32.exe | 33
PID 2572 wrote to memory of 612 | 2572 | Cmeffp32.exe | 34
PID 2572 wrote to memory of 612 | 2572 | Cmeffp32.exe | 34
PID 2572 wrote to memory of 612 | 2572 | Cmeffp32.exe | 34
PID 2572 wrote to memory of 612 | 2572 | Cmeffp32.exe | 34
PID 612 wrote to memory of 2504 | 612 | Cklpml32.exe | 35
PID 612 wrote to memory of 2504 | 612 | Cklpml32.exe | 35
PID 612 wrote to memory of 2504 | 612 | Cklpml32.exe | 35
PID 612 wrote to memory of 2504 | 612 | Cklpml32.exe | 35
PID 2504 wrote to memory of 2716 | 2504 | Dfdqpdja.exe | 36
PID 2504 wrote to memory of 2716 | 2504 | Dfdqpdja.exe | 36
PID 2504 wrote to memory of 2716 | 2504 | Dfdqpdja.exe | 36
PID 2504 wrote to memory of 2716 | 2504 | Dfdqpdja.exe | 36
PID 2716 wrote to memory of 2968 | 2716 | Dbkaee32.exe | 37
PID 2716 wrote to memory of 2968 | 2716 | Dbkaee32.exe | 37
PID 2716 wrote to memory of 2968 | 2716 | Dbkaee32.exe | 37
PID 2716 wrote to memory of 2968 | 2716 | Dbkaee32.exe | 37
PID 2968 wrote to memory of 1780 | 2968 | Dmgokcja.exe | 38
PID 2968 wrote to memory of 1780 | 2968 | Dmgokcja.exe | 38
PID 2968 wrote to memory of 1780 | 2968 | Dmgokcja.exe | 38
PID 2968 wrote to memory of 1780 | 2968 | Dmgokcja.exe | 38
PID 1780 wrote to memory of 1260 | 1780 | Eagdgaoe.exe | 39
PID 1780 wrote to memory of 1260 | 1780 | Eagdgaoe.exe | 39
PID 1780 wrote to memory of 1260 | 1780 | Eagdgaoe.exe | 39
PID 1780 wrote to memory of 1260 | 1780 | Eagdgaoe.exe | 39
PID 1260 wrote to memory of 2584 | 1260 | Eelfedpa.exe | 40
PID 1260 wrote to memory of 2584 | 1260 | Eelfedpa.exe | 40
PID 1260 wrote to memory of 2584 | 1260 | Eelfedpa.exe | 40
PID 1260 wrote to memory of 2584 | 1260 | Eelfedpa.exe | 40
PID 2584 wrote to memory of 1676 | 2584 | Eenckc32.exe | 41
PID 2584 wrote to memory of 1676 | 2584 | Eenckc32.exe | 41
PID 2584 wrote to memory of 1676 | 2584 | Eenckc32.exe | 41
PID 2584 wrote to memory of 1676 | 2584 | Eenckc32.exe | 41
PID 1676 wrote to memory of 2104 | 1676 | Flmecm32.exe | 42
PID 1676 wrote to memory of 2104 | 1676 | Flmecm32.exe | 42
PID 1676 wrote to memory of 2104 | 1676 | Flmecm32.exe | 42
PID 1676 wrote to memory of 2104 | 1676 | Flmecm32.exe | 42
PID 2104 wrote to memory of 2940 | 2104 | Fdjfmolo.exe | 43
PID 2104 wrote to memory of 2940 | 2104 | Fdjfmolo.exe | 43
PID 2104 wrote to memory of 2940 | 2104 | Fdjfmolo.exe | 43
PID 2104 wrote to memory of 2940 | 2104 | Fdjfmolo.exe | 43
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\8b060d5df6f628bb218029fd96e09340N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\8b060d5df6f628bb218029fd96e09340N.exe")
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2488
2. C:\Windows\SysWOW64\Achlch32.exe (command line: C:\Windows\system32\Achlch32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2120
3. C:\Windows\SysWOW64\Alqplmlb.exe (command line: C:\Windows\system32\Alqplmlb.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2608
4. C:\Windows\SysWOW64\Bocfch32.exe (command line: C:\Windows\system32\Bocfch32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2636
5. C:\Windows\SysWOW64\Bohoogbk.exe (command line: C:\Windows\system32\Bohoogbk.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2752
6. C:\Windows\SysWOW64\Cqlhlo32.exe (command line: C:\Windows\system32\Cqlhlo32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   PID: 2788
7. C:\Windows\SysWOW64\Cmeffp32.exe (command line: C:\Windows\system32\Cmeffp32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2572
8. C:\Windows\SysWOW64\Cklpml32.exe (command line: C:\Windows\system32\Cklpml32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 612
9. C:\Windows\SysWOW64\Dfdqpdja.exe (command line: C:\Windows\system32\Dfdqpdja.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2504
10. C:\Windows\SysWOW64\Dbkaee32.exe (command line: C:\Windows\system32\Dbkaee32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2716
11. C:\Windows\SysWOW64\Dmgokcja.exe (command line: C:\Windows\system32\Dmgokcja.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2968
12. C:\Windows\SysWOW64\Eagdgaoe.exe (command line: C:\Windows\system32\Eagdgaoe.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 1780
13. C:\Windows\SysWOW64\Eelfedpa.exe (command line: C:\Windows\system32\Eelfedpa.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1260
14. C:\Windows\SysWOW64\Eenckc32.exe (command line: C:\Windows\system32\Eenckc32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2584
15. C:\Windows\SysWOW64\Flmecm32.exe (command line: C:\Windows\system32\Flmecm32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 1676
16. C:\Windows\SysWOW64\Fdjfmolo.exe (command line: C:\Windows\system32\Fdjfmolo.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2104
17. C:\Windows\SysWOW64\Gmegkd32.exe (command line: C:\Windows\system32\Gmegkd32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2940
18. C:\Windows\SysWOW64\Gilhpe32.exe (command line: C:\Windows\system32\Gilhpe32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 1436
19. C:\Windows\SysWOW64\Ghaeaaki.exe (command line: C:\Windows\system32\Ghaeaaki.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 1812
20. C:\Windows\SysWOW64\Ghcbga32.exe (command line: C:\Windows\system32\Ghcbga32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 1804
21. C:\Windows\SysWOW64\Hancef32.exe (command line: C:\Windows\system32\Hancef32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2096
22. C:\Windows\SysWOW64\Hgkknm32.exe (command line: C:\Windows\system32\Hgkknm32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 1544
23. C:\Windows\SysWOW64\Hbblpf32.exe (command line: C:\Windows\system32\Hbblpf32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   PID: 2056
24. C:\Windows\SysWOW64\Hcfenn32.exe (command line: C:\Windows\system32\Hcfenn32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 928
25. C:\Windows\SysWOW64\Hnljkf32.exe (command line: C:\Windows\system32\Hnljkf32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2044
26. C:\Windows\SysWOW64\Imaglc32.exe (command line: C:\Windows\system32\Imaglc32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2088
27. C:\Windows\SysWOW64\Ibplji32.exe (command line: C:\Windows\system32\Ibplji32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 880
28. C:\Windows\SysWOW64\Iecaad32.exe (command line: C:\Windows\system32\Iecaad32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2476
29. C:\Windows\SysWOW64\Jalolemm.exe (command line: C:\Windows\system32\Jalolemm.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2168
30. C:\Windows\SysWOW64\Jnppei32.exe (command line: C:\Windows\system32\Jnppei32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2712
31. C:\Windows\SysWOW64\Jjgpjjak.exe (command line: C:\Windows\system32\Jjgpjjak.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2052
32. C:\Windows\SysWOW64\Jlkigbef.exe (command line: C:\Windows\system32\Jlkigbef.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2732
33. C:\Windows\SysWOW64\Keekeg32.exe (command line: C:\Windows\system32\Keekeg32.exe)
   - Executes dropped EXE
   PID: 2548
34. C:\Windows\SysWOW64\Kbikokin.exe (command line: C:\Windows\system32\Kbikokin.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   PID: 2768
35. C:\Windows\SysWOW64\Kopldl32.exe (command line: C:\Windows\system32\Kopldl32.exe)
   - Executes dropped EXE
   PID: 2648
36. C:\Windows\SysWOW64\Kdoaackf.exe (command line: C:\Windows\system32\Kdoaackf.exe)
   - Executes dropped EXE
   PID: 988
37. C:\Windows\SysWOW64\Lhmjha32.exe (command line: C:\Windows\system32\Lhmjha32.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
   PID: 2840
38. C:\Windows\SysWOW64\Lknbjlnn.exe (command line: C:\Windows\system32\Lknbjlnn.exe)
   - Executes dropped EXE
   PID: 2880
39. C:\Windows\SysWOW64\Lmolkg32.exe (command line: C:\Windows\system32\Lmolkg32.exe)
   - Executes dropped EXE
   PID: 1816
40. C:\Windows\SysWOW64\Lhhmle32.exe (command line: C:\Windows\system32\Lhhmle32.exe)
   - Executes dropped EXE
   PID: 1460
41. C:\Windows\SysWOW64\Mlfebcnd.exe (command line: C:\Windows\system32\Mlfebcnd.exe)
   - Executes dropped EXE
   PID: 1496
42. C:\Windows\SysWOW64\Mkkbcpbl.exe (command line: C:\Windows\system32\Mkkbcpbl.exe)
   - Executes dropped EXE
   PID: 1272
43. C:\Windows\SysWOW64\Mjcljlea.exe (command line: C:\Windows\system32\Mjcljlea.exe)
   - Executes dropped EXE
   PID: 2340
44. C:\Windows\SysWOW64\Mjeholco.exe (command line: C:\Windows\system32\Mjeholco.exe)
   - Executes dropped EXE
   PID: 2216
45. C:\Windows\SysWOW64\Ncnmhajo.exe (command line: C:\Windows\system32\Ncnmhajo.exe)
   - Executes dropped EXE
   PID: 2192
46. C:\Windows\SysWOW64\Ncpjnahm.exe (command line: C:\Windows\system32\Ncpjnahm.exe)
   - Executes dropped EXE
   PID: 1772
47. C:\Windows\SysWOW64\Nlhnfg32.exe (command line: C:\Windows\system32\Nlhnfg32.exe)
   - Executes dropped EXE
   PID: 2428
48. C:\Windows\SysWOW64\Nkmkgc32.exe (command line: C:\Windows\system32\Nkmkgc32.exe)
   - Executes dropped EXE
   PID: 1364
49. C:\Windows\SysWOW64\Nfcoel32.exe (command line: C:\Windows\system32\Nfcoel32.exe)
   - Executes dropped EXE
   PID: 812
50. C:\Windows\SysWOW64\Nnndin32.exe (command line: C:\Windows\system32\Nnndin32.exe)
   - Executes dropped EXE
   PID: 1032
51. C:\Windows\SysWOW64\Nkbdbbop.exe (command line: C:\Windows\system32\Nkbdbbop.exe)
   - Executes dropped EXE
   PID: 2868
52. C:\Windows\SysWOW64\Oifelfni.exe (command line: C:\Windows\system32\Oifelfni.exe)
   - Executes dropped EXE
   PID: 1704
53. C:\Windows\SysWOW64\Oncndnlq.exe (command line: C:\Windows\system32\Oncndnlq.exe)
   - Executes dropped EXE
   PID: 2952
54. C:\Windows\SysWOW64\Okgnna32.exe (command line: C:\Windows\system32\Okgnna32.exe)
   PID: 1584
55. C:\Windows\SysWOW64\Oeobfgak.exe (command line: C:\Windows\system32\Oeobfgak.exe)
   - Executes dropped EXE
   PID: 2452
56. C:\Windows\SysWOW64\Ojlkonpb.exe (command line: C:\Windows\system32\Ojlkonpb.exe)
   - Executes dropped EXE
   PID: 2676
57. C:\Windows\SysWOW64\Ofcldoef.exe (command line: C:\Windows\system32\Ofcldoef.exe)
   - Executes dropped EXE
   PID: 2632
58. C:\Windows\SysWOW64\Ocglmcdp.exe (command line: C:\Windows\system32\Ocglmcdp.exe)
   - Executes dropped EXE
   PID: 2552
59. C:\Windows\SysWOW64\Pciiccbm.exe (command line: C:\Windows\system32\Pciiccbm.exe)
   - Executes dropped EXE
   PID: 2596
60. C:\Windows\SysWOW64\Pldnge32.exe (command line: C:\Windows\system32\Pldnge32.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
   PID: 1884
61. C:\Windows\SysWOW64\Pihnqj32.exe (command line: C:\Windows\system32\Pihnqj32.exe)
   - Executes dropped EXE
   PID: 1616
62. C:\Windows\SysWOW64\Pbqbioeb.exe (command line: C:\Windows\system32\Pbqbioeb.exe)
   - Executes dropped EXE
   PID: 1976
63. C:\Windows\SysWOW64\Pikkfilp.exe (command line: C:\Windows\system32\Pikkfilp.exe)
   - Executes dropped EXE
   PID: 1156
64. C:\Windows\SysWOW64\Pafpjljk.exe (command line: C:\Windows\system32\Pafpjljk.exe)
   - Executes dropped EXE
   PID: 1600
65. C:\Windows\SysWOW64\Phphgf32.exe (command line: C:\Windows\system32\Phphgf32.exe)
   - Executes dropped EXE
   PID: 1684
66. C:\Windows\SysWOW64\Pmmppm32.exe (command line: C:\Windows\system32\Pmmppm32.exe)
   - Executes dropped EXE
   PID: 2304
67. C:\Windows\SysWOW64\Qolmip32.exe (command line: C:\Windows\system32\Qolmip32.exe)
   PID: 2020
68. C:\Windows\SysWOW64\Qifnjm32.exe (command line: C:\Windows\system32\Qifnjm32.exe)
   PID: 1164
69. C:\Windows\SysWOW64\Afjncabj.exe (command line: C:\Windows\system32\Afjncabj.exe)
   PID: 1552
70. C:\Windows\SysWOW64\Alfflhpa.exe (command line: C:\Windows\system32\Alfflhpa.exe)
   PID: 1664
71. C:\Windows\SysWOW64\Alicahno.exe (command line: C:\Windows\system32\Alicahno.exe)
   PID: 1376
72. C:\Windows\SysWOW64\Aeahjn32.exe (command line: C:\Windows\system32\Aeahjn32.exe)
   PID: 2132
73. C:\Windows\SysWOW64\Apglgfde.exe (command line: C:\Windows\system32\Apglgfde.exe)
   PID: 2136
74. C:\Windows\SysWOW64\Aahhoo32.exe (command line: C:\Windows\system32\Aahhoo32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   PID: 2800
75. C:\Windows\SysWOW64\Akpmhdqd.exe (command line: C:\Windows\system32\Akpmhdqd.exe)
   PID: 2760
76. C:\Windows\SysWOW64\Aajedn32.exe (command line: C:\Windows\system32\Aajedn32.exe)
   PID: 1036
77. C:\Windows\SysWOW64\Bglghdbc.exe (command line: C:\Windows\system32\Bglghdbc.exe)
   PID: 2588
78. C:\Windows\SysWOW64\Bpdkajic.exe (command line: C:\Windows\system32\Bpdkajic.exe)
   PID: 944
79. C:\Windows\SysWOW64\Bkjpncii.exe (command line: C:\Windows\system32\Bkjpncii.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   PID: 2884
80. C:\Windows\SysWOW64\Bdbdgh32.exe (command line: C:\Windows\system32\Bdbdgh32.exe)
   PID: 1488
81. C:\Windows\SysWOW64\Chdjpl32.exe (command line: C:\Windows\system32\Chdjpl32.exe)
   PID: 1400
82. C:\Windows\SysWOW64\Cblniaii.exe (command line: C:\Windows\system32\Cblniaii.exe)
   PID: 852
83. C:\Windows\SysWOW64\Ckebbgoj.exe (command line: C:\Windows\system32\Ckebbgoj.exe)
   PID: 2492
84. C:\Windows\SysWOW64\Cldolj32.exe (command line: C:\Windows\system32\Cldolj32.exe)
   PID: 2320
85. C:\Windows\SysWOW64\Coehnecn.exe (command line: C:\Windows\system32\Coehnecn.exe)
   PID: 2420
86. C:\Windows\SysWOW64\Chmlfj32.exe (command line: C:\Windows\system32\Chmlfj32.exe)
   PID: 1852
87. C:\Windows\SysWOW64\Dddmkkpb.exe (command line: C:\Windows\system32\Dddmkkpb.exe)
   PID: 2496
88. C:\Windows\SysWOW64\Djaedbnj.exe (command line: C:\Windows\system32\Djaedbnj.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   PID: 2204
89. C:\Windows\SysWOW64\Ddfjak32.exe (command line: C:\Windows\system32\Ddfjak32.exe)
   PID: 2976
90. C:\Windows\SysWOW64\Dqmkflcd.exe (command line: C:\Windows\system32\Dqmkflcd.exe)
   - Drops file in System32 directory
   PID: 2292
91. C:\Windows\SysWOW64\Dfjcncak.exe (command line: C:\Windows\system32\Dfjcncak.exe)
   PID: 596
92. C:\Windows\SysWOW64\Dcnchg32.exe (command line: C:\Windows\system32\Dcnchg32.exe)
   PID: 1948
93. C:\Windows\SysWOW64\Dcppmg32.exe (command line: C:\Windows\system32\Dcppmg32.exe)
   PID: 2656
94. C:\Windows\SysWOW64\Elleai32.exe (command line: C:\Windows\system32\Elleai32.exe)
   PID: 2460
95. C:\Windows\SysWOW64\Enjand32.exe (command line: C:\Windows\system32\Enjand32.exe)
   PID: 2576
96. C:\Windows\SysWOW64\Epinhg32.exe (command line: C:\Windows\system32\Epinhg32.exe)
   PID: 3008
97. C:\Windows\SysWOW64\Ejcohe32.exe (command line: C:\Windows\system32\Ejcohe32.exe)
   PID: 2980
98. C:\Windows\SysWOW64\Ejeknelp.exe (command line: C:\Windows\system32\Ejeknelp.exe)
   PID: 1312
99. C:\Windows\SysWOW64\Emdgjpkd.exe (command line: C:\Windows\system32\Emdgjpkd.exe)
   PID: 1692
100. C:\Windows\SysWOW64\Ehilgikj.exe (command line: C:\Windows\system32\Ehilgikj.exe)
   PID: 1152
101. C:\Windows\SysWOW64\Fmfdppia.exe (command line: C:\Windows\system32\Fmfdppia.exe)
   PID: 1700
102. C:\Windows\SysWOW64\Ffoihepa.exe (command line: C:\Windows\system32\Ffoihepa.exe)
   PID: 2180
103. C:\Windows\SysWOW64\Ffaeneno.exe (command line: C:\Windows\system32\Ffaeneno.exe)
   PID: 972
104. C:\Windows\SysWOW64\Fianpp32.exe (command line: C:\Windows\system32\Fianpp32.exe)
   PID: 2904
105. C:\Windows\SysWOW64\Fplgljbm.exe (command line: C:\Windows\system32\Fplgljbm.exe)
   PID: 888
106. C:\Windows\SysWOW64\Flbgak32.exe (command line: C:\Windows\system32\Flbgak32.exe)
   - Drops file in System32 directory
   PID: 2680
107. C:\Windows\SysWOW64\Foacmg32.exe (command line: C:\Windows\system32\Foacmg32.exe)
   - Modifies registry class
   PID: 2796
108. C:\Windows\SysWOW64\Gkgdbh32.exe (command line: C:\Windows\system32\Gkgdbh32.exe)
   PID: 2472
109. C:\Windows\SysWOW64\Gaamobdf.exe (command line: C:\Windows\system32\Gaamobdf.exe)
   PID: 2832
110. C:\Windows\SysWOW64\Gkjahg32.exe (command line: C:\Windows\system32\Gkjahg32.exe)
   PID: 1624
111. C:\Windows\SysWOW64\Gadidabc.exe (command line: C:\Windows\system32\Gadidabc.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   PID: 576
112. C:\Windows\SysWOW64\Ghnaaljp.exe (command line: C:\Windows\system32\Ghnaaljp.exe)
   - Drops file in System32 directory
   PID: 1392
113. C:\Windows\SysWOW64\Gmkjjbhg.exe (command line: C:\Windows\system32\Gmkjjbhg.exe)
   PID: 2008
114. C:\Windows\SysWOW64\Gpiffngk.exe (command line: C:\Windows\system32\Gpiffngk.exe)
   PID: 108
115. C:\Windows\SysWOW64\Gidgdcli.exe (command line: C:\Windows\system32\Gidgdcli.exe)
   PID: 2820
116. C:\Windows\SysWOW64\Hdilalko.exe (command line: C:\Windows\system32\Hdilalko.exe)
   PID: 2364
117. C:\Windows\SysWOW64\Hifdjcif.exe (command line: C:\Windows\system32\Hifdjcif.exe)
   PID: 2960
118. C:\Windows\SysWOW64\Hcohbh32.exe (command line: C:\Windows\system32\Hcohbh32.exe)
   PID: 2892
119. C:\Windows\SysWOW64\Hlgmkn32.exe (command line: C:\Windows\system32\Hlgmkn32.exe)
   PID: 2408
120. C:\Windows\SysWOW64\Hlijan32.exe (command line: C:\Windows\system32\Hlijan32.exe)
   PID: 1612
121. C:\Windows\SysWOW64\Hfanjcke.exe (command line: C:\Windows\system32\Hfanjcke.exe)
   PID: 2024
122. C:\Windows\SysWOW64\Hkngbj32.exe (command line: C:\Windows\system32\Hkngbj32.exe)
   PID: 2404