Analysis
-
max time kernel
109s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
22-07-2024 06:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6ff64baded0692c5228d8dd6cced3f20N.exe
Resource
win7-20240705-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
6ff64baded0692c5228d8dd6cced3f20N.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
120 seconds
General
-
Target
6ff64baded0692c5228d8dd6cced3f20N.exe
-
Size
232KB
-
MD5
6ff64baded0692c5228d8dd6cced3f20
-
SHA1
05e3cf95c24e6406b710955b263ea1d96e1bee1c
-
SHA256
aebc5b372b7f74675dcbae40d73e2084ca71bdba02a5b889a0202bc51eeef470
-
SHA512
53cfb8cf567af75d54c88cea4ff0ee4181491aa2a4993600452fa6b2eb9d48c0367e4357e3d766d99e279ffcd73db241ebc4d0c7c0c489526a52561e2f754f48
-
SSDEEP
3072:LxpWPJ1MHNf8dH7usluTXp6UF5wzec+tZOnU1/s5HH0AU/yRvS3u121TzlbNRfz/:GP2fCH6s21L7/s50z/Wa3/PNlPX
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnacbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekofgnna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgjdcghp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgamgken.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ombjpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfkakbpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Licpki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emnelbdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpfhfjgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nadpdg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlnqeeeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggphji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmhaep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbhnpplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oljanhmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blpibghg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofphdi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogiegc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqidme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqoqlfkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ancdgcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obamebfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hancef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kalkjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odfjdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hklhca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afcbgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nabcog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flhkhnel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmgkoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pinqoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flkohc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apllml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnmcge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egimdmmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eenckc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgdkbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmifiahi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Incgfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdkcgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oebffm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffcbce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnminkof.exe -
Executes dropped EXE 64 IoCs
pid Process 1892 Jgbolhoa.exe 2512 Kcipqi32.exe 2872 Kpmpjm32.exe 2376 Kldaon32.exe 2584 Khkadoog.exe 2672 Kbcfme32.exe 2364 Kjjnnbfj.exe 1680 Lnmcge32.exe 2396 Lkqdajhc.exe 3032 Lggdfk32.exe 3044 Lgiakjld.exe 3052 Ldnbeokn.exe 2884 Lfonlg32.exe 476 Mmifiahi.exe 1032 Mjmgbe32.exe 1124 Mqfooonp.exe 1120 Midqiaih.exe 1528 Mfhabe32.exe 2184 Mifmoa32.exe 1856 Maabcc32.exe 2344 Njjfli32.exe 2852 Nbaomf32.exe 1632 Ncbkenba.exe 1212 Nmkpnd32.exe 1552 Ndehjnpo.exe 1444 Nplhooec.exe 1200 Njammhei.exe 2808 Ndiaem32.exe 2836 Njcibgcf.exe 2768 Obonfj32.exe 2716 Oemjbe32.exe 2728 Opbopn32.exe 1588 Oepghe32.exe 2580 Opekenmh.exe 1728 Oebdndlp.exe 1276 Obfdgiji.exe 2976 Oedqcdim.exe 2420 Oakaheoa.exe 2912 Oheieo32.exe 576 Phgfko32.exe 1748 Pihbbgjj.exe 2252 Ppbkoabf.exe 1992 Pkholjam.exe 2352 Pimlmf32.exe 2992 Pllhib32.exe 1060 Pgamgken.exe 2312 Phbinc32.exe 2932 Ppiapp32.exe 1576 Qakmghbm.exe 1628 Qjbehfbo.exe 2848 Qoonqmqf.exe 2788 Qhgbibgg.exe 2084 Qkeofnfk.exe 2668 Aaogbh32.exe 1112 Adncoc32.exe 2504 Akhkkmdh.exe 2412 Aqddcdbo.exe 2168 Adppdckh.exe 3016 Anhdmh32.exe 2112 Aqgqid32.exe 3008 Agaifnhi.exe 604 Amnanefa.exe 2076 Agcekn32.exe 2588 Ajaagi32.exe -
Loads dropped DLL 64 IoCs
pid Process 2608 6ff64baded0692c5228d8dd6cced3f20N.exe 2608 6ff64baded0692c5228d8dd6cced3f20N.exe 1892 Jgbolhoa.exe 1892 Jgbolhoa.exe 2512 Kcipqi32.exe 2512 Kcipqi32.exe 2872 Kpmpjm32.exe 2872 Kpmpjm32.exe 2376 Kldaon32.exe 2376 Kldaon32.exe 2584 Khkadoog.exe 2584 Khkadoog.exe 2672 Kbcfme32.exe 2672 Kbcfme32.exe 2364 Kjjnnbfj.exe 2364 Kjjnnbfj.exe 1680 Lnmcge32.exe 1680 Lnmcge32.exe 2396 Lkqdajhc.exe 2396 Lkqdajhc.exe 3032 Lggdfk32.exe 3032 Lggdfk32.exe 3044 Lgiakjld.exe 3044 Lgiakjld.exe 3052 Ldnbeokn.exe 3052 Ldnbeokn.exe 2884 Lfonlg32.exe 2884 Lfonlg32.exe 476 Mmifiahi.exe 476 Mmifiahi.exe 1032 Mjmgbe32.exe 1032 Mjmgbe32.exe 1124 Mqfooonp.exe 1124 Mqfooonp.exe 1120 Midqiaih.exe 1120 Midqiaih.exe 1528 Mfhabe32.exe 1528 Mfhabe32.exe 2184 Mifmoa32.exe 2184 Mifmoa32.exe 1856 Maabcc32.exe 1856 Maabcc32.exe 2344 Njjfli32.exe 2344 Njjfli32.exe 2852 Nbaomf32.exe 2852 Nbaomf32.exe 1632 Ncbkenba.exe 1632 Ncbkenba.exe 1212 Nmkpnd32.exe 1212 Nmkpnd32.exe 1552 Ndehjnpo.exe 1552 Ndehjnpo.exe 1444 Nplhooec.exe 1444 Nplhooec.exe 1200 Njammhei.exe 1200 Njammhei.exe 2808 Ndiaem32.exe 2808 Ndiaem32.exe 2836 Njcibgcf.exe 2836 Njcibgcf.exe 2768 Obonfj32.exe 2768 Obonfj32.exe 2716 Oemjbe32.exe 2716 Oemjbe32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cjdkllec.exe Ccjbobnf.exe File opened for modification C:\Windows\SysWOW64\Nfbmlckg.exe Nbgakd32.exe File created C:\Windows\SysWOW64\Naebmppm.exe Process not Found File created C:\Windows\SysWOW64\Gpagbp32.exe Fangfcki.exe File created C:\Windows\SysWOW64\Njbfpe32.dll Mjeholco.exe File opened for modification C:\Windows\SysWOW64\Cignlf32.exe Process not Found File created C:\Windows\SysWOW64\Efjklh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Apgcbmha.exe Aadbfp32.exe File created C:\Windows\SysWOW64\Hmkjkp32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Fldbnb32.exe Fclmem32.exe File created C:\Windows\SysWOW64\Emaejfgn.dll Kanhph32.exe File created C:\Windows\SysWOW64\Dkkpeg32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Kfqpmc32.exe Process not Found File created C:\Windows\SysWOW64\Ipmohome.dll Hjbhgolp.exe File opened for modification C:\Windows\SysWOW64\Ihaldgak.exe Ibdclp32.exe File opened for modification C:\Windows\SysWOW64\Fkmhij32.exe Fholmo32.exe File opened for modification C:\Windows\SysWOW64\Oeobfgak.exe Omhjejai.exe File created C:\Windows\SysWOW64\Ojojmfed.exe Process not Found File created C:\Windows\SysWOW64\Eklgjbca.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mpeidjfo.exe Process not Found File created C:\Windows\SysWOW64\Fbocnbmi.dll Lfonlg32.exe File opened for modification C:\Windows\SysWOW64\Bqngjcje.exe Acjfpokk.exe File created C:\Windows\SysWOW64\Aecdpmbm.exe Aahhoo32.exe File created C:\Windows\SysWOW64\Kkmnmd32.dll Process not Found File created C:\Windows\SysWOW64\Mojaceln.exe Mlkegimk.exe File opened for modification C:\Windows\SysWOW64\Ledpjdid.exe Lojhmjag.exe File opened for modification C:\Windows\SysWOW64\Kgkokjjd.exe Process not Found File created C:\Windows\SysWOW64\Ceidfi32.dll Process not Found File created C:\Windows\SysWOW64\Ffokan32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ekicjlai.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ffndghdj.exe Process not Found File created C:\Windows\SysWOW64\Gjiibm32.exe Fgjmfa32.exe File created C:\Windows\SysWOW64\Bcbhmehg.exe Bpdkajic.exe File created C:\Windows\SysWOW64\Bcobdgoj.exe Bhjngnod.exe File created C:\Windows\SysWOW64\Gjpgaohl.dll Oblmom32.exe File created C:\Windows\SysWOW64\Aandhbgj.dll Kaihjbno.exe File created C:\Windows\SysWOW64\Bnbgab32.dll Process not Found File created C:\Windows\SysWOW64\Majfcb32.exe Process not Found File created C:\Windows\SysWOW64\Mipanmej.dll Process not Found File created C:\Windows\SysWOW64\Cohnmm32.dll Process not Found File created C:\Windows\SysWOW64\Fpdjkabb.dll Process not Found File created C:\Windows\SysWOW64\Ibjikk32.exe Hkpaoape.exe File created C:\Windows\SysWOW64\Ijhemglp.dll Iapfmg32.exe File created C:\Windows\SysWOW64\Nnoaan32.dll Kikpgk32.exe File created C:\Windows\SysWOW64\Fqbbig32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Obonfj32.exe Njcibgcf.exe File created C:\Windows\SysWOW64\Cinahhff.exe Ccaipaho.exe File opened for modification C:\Windows\SysWOW64\Lkepdbkb.exe Ldlghhde.exe File created C:\Windows\SysWOW64\Plnbai32.dll Jjbgok32.exe File opened for modification C:\Windows\SysWOW64\Blfnin32.exe Process not Found File created C:\Windows\SysWOW64\Ibbffq32.exe Ipcjje32.exe File created C:\Windows\SysWOW64\Jknlfg32.exe Process not Found File created C:\Windows\SysWOW64\Dhadhakp.exe Process not Found File created C:\Windows\SysWOW64\Diqabd32.exe Process not Found File created C:\Windows\SysWOW64\Mogmgpjh.dll Kjdpcnfi.exe File created C:\Windows\SysWOW64\Boohgk32.exe Process not Found File created C:\Windows\SysWOW64\Opbopn32.exe Oemjbe32.exe File created C:\Windows\SysWOW64\Dplalb32.dll Dfdngl32.exe File created C:\Windows\SysWOW64\Gmloigln.exe Gjnbmlmj.exe File created C:\Windows\SysWOW64\Lobbpg32.exe Lhhjcmpj.exe File opened for modification C:\Windows\SysWOW64\Niaihojk.exe Nfbmlckg.exe File created C:\Windows\SysWOW64\Kbokda32.exe Kldchgag.exe File created C:\Windows\SysWOW64\Bkhfmlhk.dll Qhdabemb.exe File opened for modification C:\Windows\SysWOW64\Alicahno.exe Aijgemok.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3008 7220 Process not Found 1625 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afamgpga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apjbpemb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhlapc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boainhic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hklhca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnhljnhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dolcmd32.dll" Nadpdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knkbimbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbeimf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkmpcbji.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igpkhjlc.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epijdn32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcododfd.dll" Opbopn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlenlhnc.dll" Hcfceeff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikmfihln.dll" Kneflplf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmeocnah.dll" Ldgpea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggmjkapi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnigogd.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kehgkgha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onggom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkdakmp.dll" Fbjchfaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnkpjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Conbmfif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ococgpfb.dll" Ebekej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pihmimaj.dll" Hgobpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdlqjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjhofj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njobpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfgiimk.dll" Eponmmaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hegdbbae.dll" Lkqdajhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onpjbm32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqknqleg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbhmfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhqfie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmhile32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldgpea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbghmegj.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Falakjag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlklik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbjbmonp.dll" Cfknjfbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gokmnlcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acoacabb.dll" Ldfgbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lphlck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecmhqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aokdfe32.dll" Obniel32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2608 wrote to memory of 1892 2608 6ff64baded0692c5228d8dd6cced3f20N.exe 30 PID 2608 wrote to memory of 1892 2608 6ff64baded0692c5228d8dd6cced3f20N.exe 30 PID 2608 wrote to memory of 1892 2608 6ff64baded0692c5228d8dd6cced3f20N.exe 30 PID 2608 wrote to memory of 1892 2608 6ff64baded0692c5228d8dd6cced3f20N.exe 30 PID 1892 wrote to memory of 2512 1892 Jgbolhoa.exe 31 PID 1892 wrote to memory of 2512 1892 Jgbolhoa.exe 31 PID 1892 wrote to memory of 2512 1892 Jgbolhoa.exe 31 PID 1892 wrote to memory of 2512 1892 Jgbolhoa.exe 31 PID 2512 wrote to memory of 2872 2512 Kcipqi32.exe 32 PID 2512 wrote to memory of 2872 2512 Kcipqi32.exe 32 PID 2512 wrote to memory of 2872 2512 Kcipqi32.exe 32 PID 2512 wrote to memory of 2872 2512 Kcipqi32.exe 32 PID 2872 wrote to memory of 2376 2872 Kpmpjm32.exe 33 PID 2872 wrote to memory of 2376 2872 Kpmpjm32.exe 33 PID 2872 wrote to memory of 2376 2872 Kpmpjm32.exe 33 PID 2872 wrote to memory of 2376 2872 Kpmpjm32.exe 33 PID 2376 wrote to memory of 2584 2376 Kldaon32.exe 34 PID 2376 wrote to memory of 2584 2376 Kldaon32.exe 34 PID 2376 wrote to memory of 2584 2376 Kldaon32.exe 34 PID 2376 wrote to memory of 2584 2376 Kldaon32.exe 34 PID 2584 wrote to memory of 2672 2584 Khkadoog.exe 35 PID 2584 wrote to memory of 2672 2584 Khkadoog.exe 35 PID 2584 wrote to memory of 2672 2584 Khkadoog.exe 35 PID 2584 wrote to memory of 2672 2584 Khkadoog.exe 35 PID 2672 wrote to memory of 2364 2672 Kbcfme32.exe 36 PID 2672 wrote to memory of 2364 2672 Kbcfme32.exe 36 PID 2672 wrote to memory of 2364 2672 Kbcfme32.exe 36 PID 2672 wrote to memory of 2364 2672 Kbcfme32.exe 36 PID 2364 wrote to memory of 1680 2364 Kjjnnbfj.exe 37 PID 2364 wrote to memory of 1680 2364 Kjjnnbfj.exe 37 PID 2364 wrote to memory of 1680 2364 Kjjnnbfj.exe 37 PID 2364 wrote to memory of 1680 2364 Kjjnnbfj.exe 37 PID 1680 wrote to memory of 2396 1680 Lnmcge32.exe 38 PID 1680 wrote to memory of 2396 1680 Lnmcge32.exe 38 PID 1680 wrote to memory of 2396 1680 Lnmcge32.exe 38 PID 1680 wrote to memory of 2396 1680 Lnmcge32.exe 38 PID 2396 wrote to memory of 3032 2396 Lkqdajhc.exe 39 PID 2396 wrote to memory of 3032 2396 Lkqdajhc.exe 39 PID 2396 wrote to memory of 3032 2396 Lkqdajhc.exe 39 PID 2396 wrote to memory of 3032 2396 Lkqdajhc.exe 39 PID 3032 wrote to memory of 3044 3032 Lggdfk32.exe 40 PID 3032 wrote to memory of 3044 3032 Lggdfk32.exe 40 PID 3032 wrote to memory of 3044 3032 Lggdfk32.exe 40 PID 3032 wrote to memory of 3044 3032 Lggdfk32.exe 40 PID 3044 wrote to memory of 3052 3044 Lgiakjld.exe 41 PID 3044 wrote to memory of 3052 3044 Lgiakjld.exe 41 PID 3044 wrote to memory of 3052 3044 Lgiakjld.exe 41 PID 3044 wrote to memory of 3052 3044 Lgiakjld.exe 41 PID 3052 wrote to memory of 2884 3052 Ldnbeokn.exe 42 PID 3052 wrote to memory of 2884 3052 Ldnbeokn.exe 42 PID 3052 wrote to memory of 2884 3052 Ldnbeokn.exe 42 PID 3052 wrote to memory of 2884 3052 Ldnbeokn.exe 42 PID 2884 wrote to memory of 476 2884 Lfonlg32.exe 43 PID 2884 wrote to memory of 476 2884 Lfonlg32.exe 43 PID 2884 wrote to memory of 476 2884 Lfonlg32.exe 43 PID 2884 wrote to memory of 476 2884 Lfonlg32.exe 43 PID 476 wrote to memory of 1032 476 Mmifiahi.exe 44 PID 476 wrote to memory of 1032 476 Mmifiahi.exe 44 PID 476 wrote to memory of 1032 476 Mmifiahi.exe 44 PID 476 wrote to memory of 1032 476 Mmifiahi.exe 44 PID 1032 wrote to memory of 1124 1032 Mjmgbe32.exe 45 PID 1032 wrote to memory of 1124 1032 Mjmgbe32.exe 45 PID 1032 wrote to memory of 1124 1032 Mjmgbe32.exe 45 PID 1032 wrote to memory of 1124 1032 Mjmgbe32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\6ff64baded0692c5228d8dd6cced3f20N.exe"C:\Users\Admin\AppData\Local\Temp\6ff64baded0692c5228d8dd6cced3f20N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Jgbolhoa.exeC:\Windows\system32\Jgbolhoa.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\Kcipqi32.exeC:\Windows\system32\Kcipqi32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Kpmpjm32.exeC:\Windows\system32\Kpmpjm32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Kldaon32.exeC:\Windows\system32\Kldaon32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Khkadoog.exeC:\Windows\system32\Khkadoog.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Kbcfme32.exeC:\Windows\system32\Kbcfme32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Kjjnnbfj.exeC:\Windows\system32\Kjjnnbfj.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Lnmcge32.exeC:\Windows\system32\Lnmcge32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Lkqdajhc.exeC:\Windows\system32\Lkqdajhc.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Lggdfk32.exeC:\Windows\system32\Lggdfk32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Lgiakjld.exeC:\Windows\system32\Lgiakjld.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Ldnbeokn.exeC:\Windows\system32\Ldnbeokn.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Lfonlg32.exeC:\Windows\system32\Lfonlg32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Mmifiahi.exeC:\Windows\system32\Mmifiahi.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:476 -
C:\Windows\SysWOW64\Mjmgbe32.exeC:\Windows\system32\Mjmgbe32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\Mqfooonp.exeC:\Windows\system32\Mqfooonp.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1124 -
C:\Windows\SysWOW64\Midqiaih.exeC:\Windows\system32\Midqiaih.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1120 -
C:\Windows\SysWOW64\Mfhabe32.exeC:\Windows\system32\Mfhabe32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Mifmoa32.exeC:\Windows\system32\Mifmoa32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2184 -
C:\Windows\SysWOW64\Maabcc32.exeC:\Windows\system32\Maabcc32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1856 -
C:\Windows\SysWOW64\Njjfli32.exeC:\Windows\system32\Njjfli32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2344 -
C:\Windows\SysWOW64\Nbaomf32.exeC:\Windows\system32\Nbaomf32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2852 -
C:\Windows\SysWOW64\Ncbkenba.exeC:\Windows\system32\Ncbkenba.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1632 -
C:\Windows\SysWOW64\Nmkpnd32.exeC:\Windows\system32\Nmkpnd32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1212 -
C:\Windows\SysWOW64\Ndehjnpo.exeC:\Windows\system32\Ndehjnpo.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1552 -
C:\Windows\SysWOW64\Nplhooec.exeC:\Windows\system32\Nplhooec.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1444 -
C:\Windows\SysWOW64\Njammhei.exeC:\Windows\system32\Njammhei.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1200 -
C:\Windows\SysWOW64\Ndiaem32.exeC:\Windows\system32\Ndiaem32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808 -
C:\Windows\SysWOW64\Njcibgcf.exeC:\Windows\system32\Njcibgcf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Obonfj32.exeC:\Windows\system32\Obonfj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Oemjbe32.exeC:\Windows\system32\Oemjbe32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Opbopn32.exeC:\Windows\system32\Opbopn32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Oepghe32.exeC:\Windows\system32\Oepghe32.exe34⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Opekenmh.exeC:\Windows\system32\Opekenmh.exe35⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Oebdndlp.exeC:\Windows\system32\Oebdndlp.exe36⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Obfdgiji.exeC:\Windows\system32\Obfdgiji.exe37⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Oedqcdim.exeC:\Windows\system32\Oedqcdim.exe38⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Oakaheoa.exeC:\Windows\system32\Oakaheoa.exe39⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Oheieo32.exeC:\Windows\system32\Oheieo32.exe40⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Phgfko32.exeC:\Windows\system32\Phgfko32.exe41⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Pihbbgjj.exeC:\Windows\system32\Pihbbgjj.exe42⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Ppbkoabf.exeC:\Windows\system32\Ppbkoabf.exe43⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Pkholjam.exeC:\Windows\system32\Pkholjam.exe44⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Pimlmf32.exeC:\Windows\system32\Pimlmf32.exe45⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Pllhib32.exeC:\Windows\system32\Pllhib32.exe46⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Pgamgken.exeC:\Windows\system32\Pgamgken.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Phbinc32.exeC:\Windows\system32\Phbinc32.exe48⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Ppiapp32.exeC:\Windows\system32\Ppiapp32.exe49⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Qakmghbm.exeC:\Windows\system32\Qakmghbm.exe50⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Qjbehfbo.exeC:\Windows\system32\Qjbehfbo.exe51⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Qoonqmqf.exeC:\Windows\system32\Qoonqmqf.exe52⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Qhgbibgg.exeC:\Windows\system32\Qhgbibgg.exe53⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Qkeofnfk.exeC:\Windows\system32\Qkeofnfk.exe54⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Aaogbh32.exeC:\Windows\system32\Aaogbh32.exe55⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Adncoc32.exeC:\Windows\system32\Adncoc32.exe56⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Akhkkmdh.exeC:\Windows\system32\Akhkkmdh.exe57⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Aqddcdbo.exeC:\Windows\system32\Aqddcdbo.exe58⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Adppdckh.exeC:\Windows\system32\Adppdckh.exe59⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Anhdmh32.exeC:\Windows\system32\Anhdmh32.exe60⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Aqgqid32.exeC:\Windows\system32\Aqgqid32.exe61⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Agaifnhi.exeC:\Windows\system32\Agaifnhi.exe62⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Amnanefa.exeC:\Windows\system32\Amnanefa.exe63⤵
- Executes dropped EXE
PID:604 -
C:\Windows\SysWOW64\Agcekn32.exeC:\Windows\system32\Agcekn32.exe64⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Ajaagi32.exeC:\Windows\system32\Ajaagi32.exe65⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Aqljdclg.exeC:\Windows\system32\Aqljdclg.exe66⤵PID:2264
-
C:\Windows\SysWOW64\Acjfpokk.exeC:\Windows\system32\Acjfpokk.exe67⤵
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Bqngjcje.exeC:\Windows\system32\Bqngjcje.exe68⤵PID:1248
-
C:\Windows\SysWOW64\Bbocak32.exeC:\Windows\system32\Bbocak32.exe69⤵PID:2552
-
C:\Windows\SysWOW64\Biikne32.exeC:\Windows\system32\Biikne32.exe70⤵PID:664
-
C:\Windows\SysWOW64\Bkghjq32.exeC:\Windows\system32\Bkghjq32.exe71⤵PID:2812
-
C:\Windows\SysWOW64\Bfmlgi32.exeC:\Windows\system32\Bfmlgi32.exe72⤵PID:752
-
C:\Windows\SysWOW64\Bmgddcnf.exeC:\Windows\system32\Bmgddcnf.exe73⤵PID:2776
-
C:\Windows\SysWOW64\Boeppomj.exeC:\Windows\system32\Boeppomj.exe74⤵PID:2060
-
C:\Windows\SysWOW64\Bebiifka.exeC:\Windows\system32\Bebiifka.exe75⤵PID:2004
-
C:\Windows\SysWOW64\Bklaepbn.exeC:\Windows\system32\Bklaepbn.exe76⤵PID:2748
-
C:\Windows\SysWOW64\Bbfibj32.exeC:\Windows\system32\Bbfibj32.exe77⤵PID:1968
-
C:\Windows\SysWOW64\Bgcbja32.exeC:\Windows\system32\Bgcbja32.exe78⤵PID:1052
-
C:\Windows\SysWOW64\Bnmjgkpo.exeC:\Windows\system32\Bnmjgkpo.exe79⤵PID:2920
-
C:\Windows\SysWOW64\Ccjbobnf.exeC:\Windows\system32\Ccjbobnf.exe80⤵
- Drops file in System32 directory
PID:2496 -
C:\Windows\SysWOW64\Cjdkllec.exeC:\Windows\system32\Cjdkllec.exe81⤵PID:1508
-
C:\Windows\SysWOW64\Cfkkam32.exeC:\Windows\system32\Cfkkam32.exe82⤵PID:2120
-
C:\Windows\SysWOW64\Cnacbj32.exeC:\Windows\system32\Cnacbj32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1988 -
C:\Windows\SysWOW64\Cgjhkpbj.exeC:\Windows\system32\Cgjhkpbj.exe84⤵PID:1472
-
C:\Windows\SysWOW64\Cjhdgk32.exeC:\Windows\system32\Cjhdgk32.exe85⤵PID:2320
-
C:\Windows\SysWOW64\Ccaipaho.exeC:\Windows\system32\Ccaipaho.exe86⤵
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Cinahhff.exeC:\Windows\system32\Cinahhff.exe87⤵PID:2820
-
C:\Windows\SysWOW64\Ccceeqfl.exeC:\Windows\system32\Ccceeqfl.exe88⤵PID:2664
-
C:\Windows\SysWOW64\Cedbmi32.exeC:\Windows\system32\Cedbmi32.exe89⤵PID:2564
-
C:\Windows\SysWOW64\Cipnng32.exeC:\Windows\system32\Cipnng32.exe90⤵PID:2876
-
C:\Windows\SysWOW64\Dlnjjc32.exeC:\Windows\system32\Dlnjjc32.exe91⤵PID:2444
-
C:\Windows\SysWOW64\Dfdngl32.exeC:\Windows\system32\Dfdngl32.exe92⤵
- Drops file in System32 directory
PID:1128 -
C:\Windows\SysWOW64\Degobhjg.exeC:\Windows\system32\Degobhjg.exe93⤵PID:2492
-
C:\Windows\SysWOW64\Dplbpaim.exeC:\Windows\system32\Dplbpaim.exe94⤵PID:1872
-
C:\Windows\SysWOW64\Dbkolmia.exeC:\Windows\system32\Dbkolmia.exe95⤵PID:2368
-
C:\Windows\SysWOW64\Deikhhhe.exeC:\Windows\system32\Deikhhhe.exe96⤵PID:1944
-
C:\Windows\SysWOW64\Dhggdcgh.exeC:\Windows\system32\Dhggdcgh.exe97⤵PID:2484
-
C:\Windows\SysWOW64\Dbmlal32.exeC:\Windows\system32\Dbmlal32.exe98⤵PID:2944
-
C:\Windows\SysWOW64\Daplmimi.exeC:\Windows\system32\Daplmimi.exe99⤵PID:2792
-
C:\Windows\SysWOW64\Dhjdjc32.exeC:\Windows\system32\Dhjdjc32.exe100⤵PID:1764
-
C:\Windows\SysWOW64\Dkhpfo32.exeC:\Windows\system32\Dkhpfo32.exe101⤵PID:1196
-
C:\Windows\SysWOW64\Dendcg32.exeC:\Windows\system32\Dendcg32.exe102⤵PID:1864
-
C:\Windows\SysWOW64\Dhlapc32.exeC:\Windows\system32\Dhlapc32.exe103⤵
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Dkkmln32.exeC:\Windows\system32\Dkkmln32.exe104⤵PID:2528
-
C:\Windows\SysWOW64\Dadehh32.exeC:\Windows\system32\Dadehh32.exe105⤵PID:2980
-
C:\Windows\SysWOW64\Ddcadd32.exeC:\Windows\system32\Ddcadd32.exe106⤵PID:2356
-
C:\Windows\SysWOW64\Emkfmioh.exeC:\Windows\system32\Emkfmioh.exe107⤵PID:2548
-
C:\Windows\SysWOW64\Epjbienl.exeC:\Windows\system32\Epjbienl.exe108⤵PID:2800
-
C:\Windows\SysWOW64\Echoepmo.exeC:\Windows\system32\Echoepmo.exe109⤵PID:2700
-
C:\Windows\SysWOW64\Ekofgnna.exeC:\Windows\system32\Ekofgnna.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2896 -
C:\Windows\SysWOW64\Emncci32.exeC:\Windows\system32\Emncci32.exe111⤵PID:772
-
C:\Windows\SysWOW64\Ecjkkp32.exeC:\Windows\system32\Ecjkkp32.exe112⤵PID:1608
-
C:\Windows\SysWOW64\Empphi32.exeC:\Windows\system32\Empphi32.exe113⤵PID:2340
-
C:\Windows\SysWOW64\Ecmhqp32.exeC:\Windows\system32\Ecmhqp32.exe114⤵
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Eekdmk32.exeC:\Windows\system32\Eekdmk32.exe115⤵PID:624
-
C:\Windows\SysWOW64\Ehjqif32.exeC:\Windows\system32\Ehjqif32.exe116⤵PID:1880
-
C:\Windows\SysWOW64\Eleliepj.exeC:\Windows\system32\Eleliepj.exe117⤵PID:776
-
C:\Windows\SysWOW64\Eabeal32.exeC:\Windows\system32\Eabeal32.exe118⤵PID:1664
-
C:\Windows\SysWOW64\Eiimci32.exeC:\Windows\system32\Eiimci32.exe119⤵PID:2392
-
C:\Windows\SysWOW64\Ekjikadb.exeC:\Windows\system32\Ekjikadb.exe120⤵PID:2948
-
C:\Windows\SysWOW64\Fadagl32.exeC:\Windows\system32\Fadagl32.exe121⤵PID:2928
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-