Analysis
max time kernel: 47s
max time network: 17s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 22-07-2024 13:40
Static task
static1: 1 signatures

Behavioral task
behavioral1: sample b96a164abaa9c9999edf7b5946a39e80N.exe, resource win7-20240708-en (windows7-x64), 7 signatures, 120 seconds

Behavioral task
behavioral2: sample b96a164abaa9c9999edf7b5946a39e80N.exe, resource win10v2004-20240709-en (windows10-2004-x64), 6 signatures, 120 seconds
General
Target: b96a164abaa9c9999edf7b5946a39e80N.exe
Size: 80KB
MD5: b96a164abaa9c9999edf7b5946a39e80
SHA1: f68aa0c02415c1920feb0b3c1682987ade37f8cd
SHA256: 63b45e0a74fb32baeb63003fb4ffb47d917a76c7670fd3189f9c0b40efe8e4cb
SHA512: 3cbda563f0df914436e5b6b562d6f3b451dfb55fd94fcf786418bc375300568e9c8a828793299767fea6e8fcc22f523769fad9c11c1ed29197ef772bf166a41b
SSDEEP: 1536:HCDdjZtUVOJzTCFJ8Sq9cqZZ8uEMQE3VjBo3P25FeJuqnhCN:i1UVOR2SSq9c8ukQE3VV35FeJLCN
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Legcjjjm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lpodmb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mkkbcpbl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eapcjo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbmahjbk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cqcomn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hfdbji32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Laenqg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nfcoel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oeobfgak.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jjimpj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Coehnecn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ebemnc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fmhaep32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kiafff32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qhbdmeoe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iglngj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iqgofo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Agchdfmk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nokdnail.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pifakj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bkbjmd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gidgdcli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Imaglc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lelmei32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Peakkj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hcohbh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emieflec.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jigmeagl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jadnoc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jfpndkel.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nncaejie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cdmgkl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jbmdig32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mdhpgeeg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Alfflhpa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aflkiapg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cgnpmg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ibklddof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Idkdfo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmobpn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dcijmhdj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fehodaqd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gifhkpgk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mgmbbkij.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Edfqclni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ldfgbb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jiiikq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kmnljc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lojhmjag.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qhdabemb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eekpknlf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ffoihepa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Joaebkni.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lkcehkeh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nkmkgc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bhdmahpn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mmigdend.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Phphgf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Giakoc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ibnodj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iqbekpal.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kigidd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kigidd32.exe
Executes dropped EXE (64 IoCs)
pid | Process
2956 | Adekhkng.exe
2736 | Agchdfmk.exe
2812 | Apllml32.exe
2848 | Bfieec32.exe
2776 | Blcmbmip.exe
2640 | Boainhic.exe
2444 | Bfkakbpp.exe
2792 | Bjgmka32.exe
2068 | Bcobdgoj.exe
2116 | Bfnnpbnn.exe
272 | Blgfml32.exe
1232 | Bnicddki.exe
988 | Bdbkaoce.exe
1972 | Bgagnjbi.exe
2988 | Bohoogbk.exe
2292 | Bbflkcao.exe
1904 | Bgcdcjpf.exe
648 | Ckopch32.exe
1816 | Cnmlpd32.exe
1684 | Cbihpbpl.exe
2392 | Ccjehkek.exe
1004 | Cgfqii32.exe
1628 | Cjdmee32.exe
1292 | Cnpieceq.exe
2456 | Ccmanjch.exe
2304 | Cghmni32.exe
2824 | Cnbfkccn.exe
2744 | Cconcjae.exe
2920 | Cilfka32.exe
2724 | Cqcomn32.exe
2684 | Ccakij32.exe
2328 | Cjkcedgp.exe
2940 | Cklpml32.exe
2072 | Cbfhjfdk.exe
1940 | Dfbdje32.exe
340 | Deedfacn.exe
2924 | Degqka32.exe
1584 | Dicmlpje.exe
2424 | Dkaihkih.exe
2428 | Danaqbgp.exe
2200 | Dghjmlnm.exe
2224 | Djffihmp.exe
2516 | Dapnfb32.exe
2964 | Dgjfbllj.exe
1540 | Dabkla32.exe
576 | Dhmchljg.exe
572 | Dnfkefad.exe
2540 | Ephhmn32.exe
2448 | Eccdmmpk.exe
2020 | Ejmljg32.exe
2900 | Eiplecnc.exe
2636 | Epjdbn32.exe
2676 | Edfqclni.exe
1096 | Efdmohmm.exe
2240 | Ejpipf32.exe
2044 | Elaego32.exe
1752 | Epmahmcm.exe
288 | Ebkndibq.exe
1976 | Eeijpdbd.exe
2156 | Eponmmaj.exe
2208 | Eoanij32.exe
2272 | Efifjg32.exe
892 | Eigbfb32.exe
1496 | Ehjbaooe.exe
Loads dropped DLL (64 IoCs)
pid | Process
2368 | b96a164abaa9c9999edf7b5946a39e80N.exe
2368 | b96a164abaa9c9999edf7b5946a39e80N.exe
2956 | Adekhkng.exe
2956 | Adekhkng.exe
2736 | Agchdfmk.exe
2736 | Agchdfmk.exe
2812 | Apllml32.exe
2812 | Apllml32.exe
2848 | Bfieec32.exe
2848 | Bfieec32.exe
2776 | Blcmbmip.exe
2776 | Blcmbmip.exe
2640 | Boainhic.exe
2640 | Boainhic.exe
2444 | Bfkakbpp.exe
2444 | Bfkakbpp.exe
2792 | Bjgmka32.exe
2792 | Bjgmka32.exe
2068 | Bcobdgoj.exe
2068 | Bcobdgoj.exe
2116 | Bfnnpbnn.exe
2116 | Bfnnpbnn.exe
272 | Blgfml32.exe
272 | Blgfml32.exe
1232 | Bnicddki.exe
1232 | Bnicddki.exe
988 | Bdbkaoce.exe
988 | Bdbkaoce.exe
1972 | Bgagnjbi.exe
1972 | Bgagnjbi.exe
2988 | Bohoogbk.exe
2988 | Bohoogbk.exe
2292 | Bbflkcao.exe
2292 | Bbflkcao.exe
1904 | Bgcdcjpf.exe
1904 | Bgcdcjpf.exe
648 | Ckopch32.exe
648 | Ckopch32.exe
1816 | Cnmlpd32.exe
1816 | Cnmlpd32.exe
1684 | Cbihpbpl.exe
1684 | Cbihpbpl.exe
2392 | Ccjehkek.exe
2392 | Ccjehkek.exe
1004 | Cgfqii32.exe
1004 | Cgfqii32.exe
1628 | Cjdmee32.exe
1628 | Cjdmee32.exe
1292 | Cnpieceq.exe
1292 | Cnpieceq.exe
2456 | Ccmanjch.exe
2456 | Ccmanjch.exe
2304 | Cghmni32.exe
2304 | Cghmni32.exe
2824 | Cnbfkccn.exe
2824 | Cnbfkccn.exe
2744 | Cconcjae.exe
2744 | Cconcjae.exe
2920 | Cilfka32.exe
2920 | Cilfka32.exe
2724 | Cqcomn32.exe
2724 | Cqcomn32.exe
2684 | Ccakij32.exe
2684 | Ccakij32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Gdpene32.dll | Degqka32.exe
File created | C:\Windows\SysWOW64\Obfoioei.dll | Hkidclbb.exe
File created | C:\Windows\SysWOW64\Bgndnd32.exe | Bdpgai32.exe
File opened for modification | C:\Windows\SysWOW64\Degqka32.exe | Deedfacn.exe
File created | C:\Windows\SysWOW64\Koocqj32.dll | Fomndhng.exe
File created | C:\Windows\SysWOW64\Ihckdmko.dll | Ghaeaaki.exe
File created | C:\Windows\SysWOW64\Oifelfni.exe | Oqomkimg.exe
File opened for modification | C:\Windows\SysWOW64\Aeahjn32.exe | Abbknb32.exe
File opened for modification | C:\Windows\SysWOW64\Jmnpkp32.exe | Jibcja32.exe
File created | C:\Windows\SysWOW64\Mdfcaegj.exe | Mahgejhf.exe
File created | C:\Windows\SysWOW64\Ckgogfmg.exe | Chickknc.exe
File created | C:\Windows\SysWOW64\Jnfbcg32.exe | Jkgfgl32.exe
File created | C:\Windows\SysWOW64\Obfblk32.dll | Jkjbml32.exe
File opened for modification | C:\Windows\SysWOW64\Nkphmc32.exe | Nhalag32.exe
File created | C:\Windows\SysWOW64\Fbfilc32.dll | Pnefiq32.exe
File created | C:\Windows\SysWOW64\Iphpea32.dll | Iojoalda.exe
File created | C:\Windows\SysWOW64\Jmnpkp32.exe | Jibcja32.exe
File opened for modification | C:\Windows\SysWOW64\Lepfoe32.exe | Kofnbk32.exe
File created | C:\Windows\SysWOW64\Jfkdik32.exe | Jcmhmp32.exe
File created | C:\Windows\SysWOW64\Mdhpgeeg.exe | Majdkifd.exe
File opened for modification | C:\Windows\SysWOW64\Baakem32.exe | Bnfodojp.exe
File created | C:\Windows\SysWOW64\Klocba32.exe | Kiafff32.exe
File opened for modification | C:\Windows\SysWOW64\Nokdnail.exe | Nkphmc32.exe
File created | C:\Windows\SysWOW64\Bkbjmd32.exe | Bhdmahpn.exe
File created | C:\Windows\SysWOW64\Ooknkgfh.dll | Ccgahe32.exe
File opened for modification | C:\Windows\SysWOW64\Jkgfgl32.exe | Jiiikq32.exe
File created | C:\Windows\SysWOW64\Bbflkcao.exe | Bohoogbk.exe
File created | C:\Windows\SysWOW64\Aiaqif32.dll | Cklpml32.exe
File created | C:\Windows\SysWOW64\Efifjg32.exe | Eoanij32.exe
File opened for modification | C:\Windows\SysWOW64\Nfqbol32.exe | Ncbfcq32.exe
File created | C:\Windows\SysWOW64\Okgnna32.exe | Ocpfmd32.exe
File created | C:\Windows\SysWOW64\Anilobcj.dll | Ccinnd32.exe
File created | C:\Windows\SysWOW64\Nbbfjogd.dll | Khfcgbge.exe
File created | C:\Windows\SysWOW64\Pblinp32.exe | Ppnmbd32.exe
File opened for modification | C:\Windows\SysWOW64\Fbjchfaq.exe | Fooghg32.exe
File created | C:\Windows\SysWOW64\Bhgjifff.dll | Jnaihhgf.exe
File opened for modification | C:\Windows\SysWOW64\Mpcjfa32.exe | Mapjjdjb.exe
File opened for modification | C:\Windows\SysWOW64\Kmphpc32.exe | Kffpcilf.exe
File created | C:\Windows\SysWOW64\Kpkocpjj.exe | Klocba32.exe
File created | C:\Windows\SysWOW64\Khhpmbeb.exe | Kejdqffo.exe
File created | C:\Windows\SysWOW64\Ngkfnp32.exe | Nodnmb32.exe
File opened for modification | C:\Windows\SysWOW64\Nhalag32.exe | Nfcoel32.exe
File created | C:\Windows\SysWOW64\Aefaemqj.exe | Abgeiaaf.exe
File created | C:\Windows\SysWOW64\Coehnecn.exe | Cgnpmg32.exe
File created | C:\Windows\SysWOW64\Ncdciq32.exe | Nkmkgc32.exe
File opened for modification | C:\Windows\SysWOW64\Hhnnpolk.exe | Heoadcmh.exe
File opened for modification | C:\Windows\SysWOW64\Laenqg32.exe | Lmjbphod.exe
File created | C:\Windows\SysWOW64\Obniel32.exe | Ogiegc32.exe
File created | C:\Windows\SysWOW64\Npghai32.dll | Chmlfj32.exe
File created | C:\Windows\SysWOW64\Fmdapnnp.dll | Hkkaik32.exe
File created | C:\Windows\SysWOW64\Jbkagpjl.dll | Nodnmb32.exe
File created | C:\Windows\SysWOW64\Appfggjm.exe | Amaiklki.exe
File opened for modification | C:\Windows\SysWOW64\Bdmklico.exe | Bpbokj32.exe
File created | C:\Windows\SysWOW64\Pohpepmf.dll | Ijkjde32.exe
File created | C:\Windows\SysWOW64\Oodcogfd.dll | Lmpdoffo.exe
File created | C:\Windows\SysWOW64\Knkbimbg.exe | Kphbmp32.exe
File opened for modification | C:\Windows\SysWOW64\Mhmfgdch.exe | Mdajff32.exe
File created | C:\Windows\SysWOW64\Mbcbdo32.dll | Omhjejai.exe
File created | C:\Windows\SysWOW64\Ifgpnf32.dll | Fidkep32.exe
File created | C:\Windows\SysWOW64\Inaliedk.exe | Ikcpmieg.exe
File created | C:\Windows\SysWOW64\Jollgl32.exe | Jmnpkp32.exe
File opened for modification | C:\Windows\SysWOW64\Ebcqicem.exe | Dpedmhfi.exe
File created | C:\Windows\SysWOW64\Bbojchdc.dll | Gaiijgbi.exe
File opened for modification | C:\Windows\SysWOW64\Ngiiip32.exe | Ncnmhajo.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
6724 | 6644 | WerFault.exe | 652
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oifelfni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fblpnepn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jlkigbef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfbhhdep.dll" | Jidppaio.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fomndhng.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ognobcqo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aolihc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beoanjep.dll" | Gifhkpgk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lepfoe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kfbjjjci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jccjln32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bfieec32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmmjkf32.dll" | Cjkcedgp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gdjblboj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jehklc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fdpmljan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgpdjb32.dll" | Dicmlpje.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ijegeg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bkbjmd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lllkaobc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mahgejhf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dmaoem32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gllmbj32.dll" | Kalkjh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkniao32.dll" | Kacakgip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfnknmgo.dll" | Mlikkbga.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gcdmikma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Iionacad.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Laenqg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nncaejie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bnjipn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} | b96a164abaa9c9999edf7b5946a39e80N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ghcbga32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gomjckqc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepjmp32.dll" | Kmeiei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnhfjaph.dll" | Fmknko32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gdophn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jjmchhhe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Llnhgn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cconcjae.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Imccab32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lomdcj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bnicddki.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kpkocpjj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjidobcm.dll" | Pjndca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dddmkkpb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmbqfe32.dll" | Jollgl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fhlogo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ggqamh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jmplqp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okipcb32.dll" | Ghcbga32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgmcjjhp.dll" | Keekeg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfnefp32.dll" | Ebemnc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Heoadcmh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jibcja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jmhile32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Maejpj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ncnmhajo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nfcoel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Decejkpa.dll" | Iipgeb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ieaekdkn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Knkbimbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kmdbkbpn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bohoogbk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hhjhgpcn.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2368 wrote to memory of 2956 | 2368 | b96a164abaa9c9999edf7b5946a39e80N.exe | 29
PID 2368 wrote to memory of 2956 | 2368 | b96a164abaa9c9999edf7b5946a39e80N.exe | 29
PID 2368 wrote to memory of 2956 | 2368 | b96a164abaa9c9999edf7b5946a39e80N.exe | 29
PID 2368 wrote to memory of 2956 | 2368 | b96a164abaa9c9999edf7b5946a39e80N.exe | 29
PID 2956 wrote to memory of 2736 | 2956 | Adekhkng.exe | 30
PID 2956 wrote to memory of 2736 | 2956 | Adekhkng.exe | 30
PID 2956 wrote to memory of 2736 | 2956 | Adekhkng.exe | 30
PID 2956 wrote to memory of 2736 | 2956 | Adekhkng.exe | 30
PID 2736 wrote to memory of 2812 | 2736 | Agchdfmk.exe | 31
PID 2736 wrote to memory of 2812 | 2736 | Agchdfmk.exe | 31
PID 2736 wrote to memory of 2812 | 2736 | Agchdfmk.exe | 31
PID 2736 wrote to memory of 2812 | 2736 | Agchdfmk.exe | 31
PID 2812 wrote to memory of 2848 | 2812 | Apllml32.exe | 32
PID 2812 wrote to memory of 2848 | 2812 | Apllml32.exe | 32
PID 2812 wrote to memory of 2848 | 2812 | Apllml32.exe | 32
PID 2812 wrote to memory of 2848 | 2812 | Apllml32.exe | 32
PID 2848 wrote to memory of 2776 | 2848 | Bfieec32.exe | 33
PID 2848 wrote to memory of 2776 | 2848 | Bfieec32.exe | 33
PID 2848 wrote to memory of 2776 | 2848 | Bfieec32.exe | 33
PID 2848 wrote to memory of 2776 | 2848 | Bfieec32.exe | 33
PID 2776 wrote to memory of 2640 | 2776 | Blcmbmip.exe | 34
PID 2776 wrote to memory of 2640 | 2776 | Blcmbmip.exe | 34
PID 2776 wrote to memory of 2640 | 2776 | Blcmbmip.exe | 34
PID 2776 wrote to memory of 2640 | 2776 | Blcmbmip.exe | 34
PID 2640 wrote to memory of 2444 | 2640 | Boainhic.exe | 35
PID 2640 wrote to memory of 2444 | 2640 | Boainhic.exe | 35
PID 2640 wrote to memory of 2444 | 2640 | Boainhic.exe | 35
PID 2640 wrote to memory of 2444 | 2640 | Boainhic.exe | 35
PID 2444 wrote to memory of 2792 | 2444 | Bfkakbpp.exe | 36
PID 2444 wrote to memory of 2792 | 2444 | Bfkakbpp.exe | 36
PID 2444 wrote to memory of 2792 | 2444 | Bfkakbpp.exe | 36
PID 2444 wrote to memory of 2792 | 2444 | Bfkakbpp.exe | 36
PID 2792 wrote to memory of 2068 | 2792 | Bjgmka32.exe | 37
PID 2792 wrote to memory of 2068 | 2792 | Bjgmka32.exe | 37
PID 2792 wrote to memory of 2068 | 2792 | Bjgmka32.exe | 37
PID 2792 wrote to memory of 2068 | 2792 | Bjgmka32.exe | 37
PID 2068 wrote to memory of 2116 | 2068 | Bcobdgoj.exe | 38
PID 2068 wrote to memory of 2116 | 2068 | Bcobdgoj.exe | 38
PID 2068 wrote to memory of 2116 | 2068 | Bcobdgoj.exe | 38
PID 2068 wrote to memory of 2116 | 2068 | Bcobdgoj.exe | 38
PID 2116 wrote to memory of 272 | 2116 | Bfnnpbnn.exe | 39
PID 2116 wrote to memory of 272 | 2116 | Bfnnpbnn.exe | 39
PID 2116 wrote to memory of 272 | 2116 | Bfnnpbnn.exe | 39
PID 2116 wrote to memory of 272 | 2116 | Bfnnpbnn.exe | 39
PID 272 wrote to memory of 1232 | 272 | Blgfml32.exe | 40
PID 272 wrote to memory of 1232 | 272 | Blgfml32.exe | 40
PID 272 wrote to memory of 1232 | 272 | Blgfml32.exe | 40
PID 272 wrote to memory of 1232 | 272 | Blgfml32.exe | 40
PID 1232 wrote to memory of 988 | 1232 | Bnicddki.exe | 41
PID 1232 wrote to memory of 988 | 1232 | Bnicddki.exe | 41
PID 1232 wrote to memory of 988 | 1232 | Bnicddki.exe | 41
PID 1232 wrote to memory of 988 | 1232 | Bnicddki.exe | 41
PID 988 wrote to memory of 1972 | 988 | Bdbkaoce.exe | 42
PID 988 wrote to memory of 1972 | 988 | Bdbkaoce.exe | 42
PID 988 wrote to memory of 1972 | 988 | Bdbkaoce.exe | 42
PID 988 wrote to memory of 1972 | 988 | Bdbkaoce.exe | 42
PID 1972 wrote to memory of 2988 | 1972 | Bgagnjbi.exe | 43
PID 1972 wrote to memory of 2988 | 1972 | Bgagnjbi.exe | 43
PID 1972 wrote to memory of 2988 | 1972 | Bgagnjbi.exe | 43
PID 1972 wrote to memory of 2988 | 1972 | Bgagnjbi.exe | 43
PID 2988 wrote to memory of 2292 | 2988 | Bohoogbk.exe | 44
PID 2988 wrote to memory of 2292 | 2988 | Bohoogbk.exe | 44
PID 2988 wrote to memory of 2292 | 2988 | Bohoogbk.exe | 44
PID 2988 wrote to memory of 2292 | 2988 | Bohoogbk.exe | 44
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\b96a164abaa9c9999edf7b5946a39e80N.exe "C:\Users\Admin\AppData\Local\Temp\b96a164abaa9c9999edf7b5946a39e80N.exe" (PID: 2368)
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Adekhkng.exe C:\Windows\system32\Adekhkng.exe (PID: 2956)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Agchdfmk.exe C:\Windows\system32\Agchdfmk.exe (PID: 2736)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Apllml32.exe C:\Windows\system32\Apllml32.exe (PID: 2812)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Bfieec32.exe C:\Windows\system32\Bfieec32.exe (PID: 2848)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Blcmbmip.exe C:\Windows\system32\Blcmbmip.exe (PID: 2776)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Boainhic.exe C:\Windows\system32\Boainhic.exe (PID: 2640)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Bfkakbpp.exe C:\Windows\system32\Bfkakbpp.exe (PID: 2444)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Bjgmka32.exe C:\Windows\system32\Bjgmka32.exe (PID: 2792)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Bcobdgoj.exe C:\Windows\system32\Bcobdgoj.exe (PID: 2068)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Bfnnpbnn.exe C:\Windows\system32\Bfnnpbnn.exe (PID: 2116)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Blgfml32.exe C:\Windows\system32\Blgfml32.exe (PID: 272)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Bnicddki.exe C:\Windows\system32\Bnicddki.exe (PID: 1232)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Bdbkaoce.exe C:\Windows\system32\Bdbkaoce.exe (PID: 988)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Bgagnjbi.exe C:\Windows\system32\Bgagnjbi.exe (PID: 1972)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Bohoogbk.exe C:\Windows\system32\Bohoogbk.exe (PID: 2988)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Bbflkcao.exe C:\Windows\system32\Bbflkcao.exe (PID: 2292)
- Executes dropped EXE
- Loads dropped DLL
18. C:\Windows\SysWOW64\Bgcdcjpf.exe C:\Windows\system32\Bgcdcjpf.exe (PID: 1904)
- Executes dropped EXE
- Loads dropped DLL
19. C:\Windows\SysWOW64\Ckopch32.exe C:\Windows\system32\Ckopch32.exe (PID: 648)
- Executes dropped EXE
- Loads dropped DLL
20. C:\Windows\SysWOW64\Cnmlpd32.exe C:\Windows\system32\Cnmlpd32.exe (PID: 1816)
- Executes dropped EXE
- Loads dropped DLL
21. C:\Windows\SysWOW64\Cbihpbpl.exe C:\Windows\system32\Cbihpbpl.exe (PID: 1684)
- Executes dropped EXE
- Loads dropped DLL
22. C:\Windows\SysWOW64\Ccjehkek.exe C:\Windows\system32\Ccjehkek.exe (PID: 2392)
- Executes dropped EXE
- Loads dropped DLL
23. C:\Windows\SysWOW64\Cgfqii32.exe C:\Windows\system32\Cgfqii32.exe (PID: 1004)
- Executes dropped EXE
- Loads dropped DLL
24. C:\Windows\SysWOW64\Cjdmee32.exe C:\Windows\system32\Cjdmee32.exe (PID: 1628)
- Executes dropped EXE
- Loads dropped DLL
25. C:\Windows\SysWOW64\Cnpieceq.exe C:\Windows\system32\Cnpieceq.exe (PID: 1292)
- Executes dropped EXE
- Loads dropped DLL
26. C:\Windows\SysWOW64\Ccmanjch.exe C:\Windows\system32\Ccmanjch.exe (PID: 2456)
- Executes dropped EXE
- Loads dropped DLL
27. C:\Windows\SysWOW64\Cghmni32.exe C:\Windows\system32\Cghmni32.exe (PID: 2304)
- Executes dropped EXE
- Loads dropped DLL
28. C:\Windows\SysWOW64\Cnbfkccn.exe C:\Windows\system32\Cnbfkccn.exe (PID: 2824)
- Executes dropped EXE
- Loads dropped DLL
29. C:\Windows\SysWOW64\Cconcjae.exe C:\Windows\system32\Cconcjae.exe (PID: 2744)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
30. C:\Windows\SysWOW64\Cilfka32.exe C:\Windows\system32\Cilfka32.exe (PID: 2920)
- Executes dropped EXE
- Loads dropped DLL
31. C:\Windows\SysWOW64\Cqcomn32.exe C:\Windows\system32\Cqcomn32.exe (PID: 2724)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
32. C:\Windows\SysWOW64\Ccakij32.exe C:\Windows\system32\Ccakij32.exe (PID: 2684)
- Executes dropped EXE
- Loads dropped DLL
33. C:\Windows\SysWOW64\Cjkcedgp.exe C:\Windows\system32\Cjkcedgp.exe (PID: 2328)
- Executes dropped EXE
- Modifies registry class
34. C:\Windows\SysWOW64\Cklpml32.exe C:\Windows\system32\Cklpml32.exe (PID: 2940)
- Executes dropped EXE
- Drops file in System32 directory
35. C:\Windows\SysWOW64\Cbfhjfdk.exe C:\Windows\system32\Cbfhjfdk.exe (PID: 2072)
- Executes dropped EXE
36. C:\Windows\SysWOW64\Dfbdje32.exe C:\Windows\system32\Dfbdje32.exe (PID: 1940)
- Executes dropped EXE
37. C:\Windows\SysWOW64\Deedfacn.exe C:\Windows\system32\Deedfacn.exe (PID: 340)
- Executes dropped EXE
- Drops file in System32 directory
38. C:\Windows\SysWOW64\Degqka32.exe C:\Windows\system32\Degqka32.exe (PID: 2924)
- Executes dropped EXE
- Drops file in System32 directory
39. C:\Windows\SysWOW64\Dicmlpje.exe C:\Windows\system32\Dicmlpje.exe (PID: 1584)
- Executes dropped EXE
- Modifies registry class
40. C:\Windows\SysWOW64\Dkaihkih.exe C:\Windows\system32\Dkaihkih.exe (PID: 2424)
- Executes dropped EXE
41. C:\Windows\SysWOW64\Danaqbgp.exe C:\Windows\system32\Danaqbgp.exe (PID: 2428)
- Executes dropped EXE
42. C:\Windows\SysWOW64\Dghjmlnm.exe C:\Windows\system32\Dghjmlnm.exe (PID: 2200)
- Executes dropped EXE
43. C:\Windows\SysWOW64\Djffihmp.exe C:\Windows\system32\Djffihmp.exe (PID: 2224)
- Executes dropped EXE
44. C:\Windows\SysWOW64\Dapnfb32.exe C:\Windows\system32\Dapnfb32.exe (PID: 2516)
- Executes dropped EXE
45. C:\Windows\SysWOW64\Dgjfbllj.exe C:\Windows\system32\Dgjfbllj.exe (PID: 2964)
- Executes dropped EXE
46. C:\Windows\SysWOW64\Dabkla32.exe C:\Windows\system32\Dabkla32.exe (PID: 1540)
- Executes dropped EXE
47. C:\Windows\SysWOW64\Dhmchljg.exe C:\Windows\system32\Dhmchljg.exe (PID: 576)
- Executes dropped EXE
48. C:\Windows\SysWOW64\Dnfkefad.exe C:\Windows\system32\Dnfkefad.exe (PID: 572)
- Executes dropped EXE
49. C:\Windows\SysWOW64\Ephhmn32.exe C:\Windows\system32\Ephhmn32.exe (PID: 2540)
- Executes dropped EXE
50. C:\Windows\SysWOW64\Eccdmmpk.exe C:\Windows\system32\Eccdmmpk.exe (PID: 2448)
- Executes dropped EXE
51. C:\Windows\SysWOW64\Ejmljg32.exe C:\Windows\system32\Ejmljg32.exe (PID: 2020)
- Executes dropped EXE
52. C:\Windows\SysWOW64\Eiplecnc.exe C:\Windows\system32\Eiplecnc.exe (PID: 2900)
- Executes dropped EXE
53. C:\Windows\SysWOW64\Epjdbn32.exe C:\Windows\system32\Epjdbn32.exe (PID: 2636)
- Executes dropped EXE
54. C:\Windows\SysWOW64\Edfqclni.exe C:\Windows\system32\Edfqclni.exe (PID: 2676)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
55. C:\Windows\SysWOW64\Efdmohmm.exe C:\Windows\system32\Efdmohmm.exe (PID: 1096)
- Executes dropped EXE
56. C:\Windows\SysWOW64\Ejpipf32.exe C:\Windows\system32\Ejpipf32.exe (PID: 2240)
- Executes dropped EXE
57. C:\Windows\SysWOW64\Elaego32.exe C:\Windows\system32\Elaego32.exe (PID: 2044)
- Executes dropped EXE
58. C:\Windows\SysWOW64\Epmahmcm.exe C:\Windows\system32\Epmahmcm.exe (PID: 1752)
- Executes dropped EXE
59. C:\Windows\SysWOW64\Ebkndibq.exe C:\Windows\system32\Ebkndibq.exe (PID: 288)
- Executes dropped EXE
60. C:\Windows\SysWOW64\Eeijpdbd.exe C:\Windows\system32\Eeijpdbd.exe (PID: 1976)
- Executes dropped EXE
61. C:\Windows\SysWOW64\Eponmmaj.exe C:\Windows\system32\Eponmmaj.exe (PID: 2156)
- Executes dropped EXE
62. C:\Windows\SysWOW64\Eoanij32.exe C:\Windows\system32\Eoanij32.exe (PID: 2208)
- Executes dropped EXE
- Drops file in System32 directory
63. C:\Windows\SysWOW64\Efifjg32.exe C:\Windows\system32\Efifjg32.exe (PID: 2272)
- Executes dropped EXE
64. C:\Windows\SysWOW64\Eigbfb32.exe C:\Windows\system32\Eigbfb32.exe (PID: 892)
- Executes dropped EXE
65. C:\Windows\SysWOW64\Ehjbaooe.exe C:\Windows\system32\Ehjbaooe.exe (PID: 1496)
- Executes dropped EXE
66. C:\Windows\SysWOW64\Epakcm32.exe C:\Windows\system32\Epakcm32.exe (PID: 936)
67. C:\Windows\SysWOW64\Ebpgoh32.exe C:\Windows\system32\Ebpgoh32.exe (PID: 1560)
68. C:\Windows\SysWOW64\Eenckc32.exe C:\Windows\system32\Eenckc32.exe (PID: 2480)
69. C:\Windows\SysWOW64\Fhlogo32.exe C:\Windows\system32\Fhlogo32.exe (PID: 2344)
- Modifies registry class
70. C:\Windows\SysWOW64\Fpcghl32.exe C:\Windows\system32\Fpcghl32.exe (PID: 2844)
71. C:\Windows\SysWOW64\Fofhdidp.exe C:\Windows\system32\Fofhdidp.exe (PID: 2852)
72. C:\Windows\SysWOW64\Faedpdcc.exe C:\Windows\system32\Faedpdcc.exe (PID: 2624)
73. C:\Windows\SysWOW64\Fholmo32.exe C:\Windows\system32\Fholmo32.exe (PID: 3044)
74. C:\Windows\SysWOW64\Fljhmmci.exe C:\Windows\system32\Fljhmmci.exe (PID: 2188)
75. C:\Windows\SysWOW64\Fbdpjgjf.exe C:\Windows\system32\Fbdpjgjf.exe (PID: 888)
76. C:\Windows\SysWOW64\Febmfcjj.exe C:\Windows\system32\Febmfcjj.exe (PID: 2520)
77. C:\Windows\SysWOW64\Flmecm32.exe C:\Windows\system32\Flmecm32.exe (PID: 2912)
78. C:\Windows\SysWOW64\Fokaoh32.exe C:\Windows\system32\Fokaoh32.exe (PID: 2404)
79. C:\Windows\SysWOW64\Fmnakege.exe C:\Windows\system32\Fmnakege.exe (PID: 1888)
80. C:\Windows\SysWOW64\Faimkd32.exe C:\Windows\system32\Faimkd32.exe (PID: 2976)
81. C:\Windows\SysWOW64\Fhcehngk.exe C:\Windows\system32\Fhcehngk.exe (PID: 1792)
82. C:\Windows\SysWOW64\Fgffck32.exe C:\Windows\system32\Fgffck32.exe (PID: 2468)
83. C:\Windows\SysWOW64\Fomndhng.exe C:\Windows\system32\Fomndhng.exe (PID: 896)
- Drops file in System32 directory
- Modifies registry class
84. C:\Windows\SysWOW64\Faljqcmk.exe C:\Windows\system32\Faljqcmk.exe (PID: 2836)
85. C:\Windows\SysWOW64\Fhfbmn32.exe C:\Windows\system32\Fhfbmn32.exe (PID: 2780)
86. C:\Windows\SysWOW64\Fgibijkb.exe C:\Windows\system32\Fgibijkb.exe (PID: 3060)
87. C:\Windows\SysWOW64\Fmbkfd32.exe C:\Windows\system32\Fmbkfd32.exe (PID: 1820)
88. C:\Windows\SysWOW64\Fangfcki.exe C:\Windows\system32\Fangfcki.exe (PID: 2796)
89. C:\Windows\SysWOW64\Gcocnk32.exe C:\Windows\system32\Gcocnk32.exe (PID: 1768)
90. C:\Windows\SysWOW64\Ggkoojip.exe C:\Windows\system32\Ggkoojip.exe (PID: 2312)
91. C:\Windows\SysWOW64\Gkfkoi32.exe C:\Windows\system32\Gkfkoi32.exe (PID: 3004)
92. C:\Windows\SysWOW64\Gmegkd32.exe C:\Windows\system32\Gmegkd32.exe (PID: 864)
93. C:\Windows\SysWOW64\Gdophn32.exe C:\Windows\system32\Gdophn32.exe (PID: 2868)
- Modifies registry class
94. C:\Windows\SysWOW64\Gcapckod.exe C:\Windows\system32\Gcapckod.exe (PID: 2532)
95. C:\Windows\SysWOW64\Geplpfnh.exe C:\Windows\system32\Geplpfnh.exe (PID: 2860)
96. C:\Windows\SysWOW64\Gngdadoj.exe C:\Windows\system32\Gngdadoj.exe (PID: 2752)
97. C:\Windows\SysWOW64\Gpfpmonn.exe C:\Windows\system32\Gpfpmonn.exe (PID: 2748)
98. C:\Windows\SysWOW64\Gohqhl32.exe C:\Windows\system32\Gohqhl32.exe (PID: 1556)
99. C:\Windows\SysWOW64\Gcdmikma.exe C:\Windows\system32\Gcdmikma.exe (PID: 3028)
- Modifies registry class
100. C:\Windows\SysWOW64\Ggphji32.exe C:\Windows\system32\Ggphji32.exe (PID: 1892)
101. C:\Windows\SysWOW64\Ghaeaaki.exe C:\Windows\system32\Ghaeaaki.exe (PID: 2024)
- Drops file in System32 directory
102. C:\Windows\SysWOW64\Gphmbolk.exe C:\Windows\system32\Gphmbolk.exe (PID: 2916)
103. C:\Windows\SysWOW64\Gcfioj32.exe C:\Windows\system32\Gcfioj32.exe (PID: 1992)
104. C:\Windows\SysWOW64\Gaiijgbi.exe C:\Windows\system32\Gaiijgbi.exe (PID: 1708)
- Drops file in System32 directory
105. C:\Windows\SysWOW64\Ghcbga32.exe C:\Windows\system32\Ghcbga32.exe (PID: 336)
- Modifies registry class
106. C:\Windows\SysWOW64\Glongpao.exe C:\Windows\system32\Glongpao.exe (PID: 1624)
107. C:\Windows\SysWOW64\Gomjckqc.exe C:\Windows\system32\Gomjckqc.exe (PID: 592)
- Modifies registry class
108. C:\Windows\SysWOW64\Galfpgpg.exe C:\Windows\system32\Galfpgpg.exe (PID: 2800)
109. C:\Windows\SysWOW64\Gegbpe32.exe C:\Windows\system32\Gegbpe32.exe (PID: 2632)
110. C:\Windows\SysWOW64\Gdjblboj.exe C:\Windows\system32\Gdjblboj.exe (PID: 2880)
- Modifies registry class
111. C:\Windows\SysWOW64\Hkdkhl32.exe C:\Windows\system32\Hkdkhl32.exe (PID: 2012)
112. C:\Windows\SysWOW64\Hnbgdh32.exe C:\Windows\system32\Hnbgdh32.exe (PID: 1576)
113. C:\Windows\SysWOW64\Hfiofefm.exe C:\Windows\system32\Hfiofefm.exe (PID: 1020)
114. C:\Windows\SysWOW64\Hdloab32.exe C:\Windows\system32\Hdloab32.exe (PID: 2568)
115. C:\Windows\SysWOW64\Hgkknm32.exe C:\Windows\system32\Hgkknm32.exe (PID: 3008)
116. C:\Windows\SysWOW64\Hobcok32.exe C:\Windows\system32\Hobcok32.exe (PID: 1724)
117. C:\Windows\SysWOW64\Hnecjgch.exe C:\Windows\system32\Hnecjgch.exe (PID: 1372)
118. C:\Windows\SysWOW64\Hqcpfcbl.exe C:\Windows\system32\Hqcpfcbl.exe (PID: 2732)
119. C:\Windows\SysWOW64\Hhjhgpcn.exe C:\Windows\system32\Hhjhgpcn.exe (PID: 2248)
- Modifies registry class
120. C:\Windows\SysWOW64\Hkidclbb.exe C:\Windows\system32\Hkidclbb.exe (PID: 2496)
- Drops file in System32 directory
121. C:\Windows\SysWOW64\Hngppgae.exe C:\Windows\system32\Hngppgae.exe (PID: 852)
122. C:\Windows\SysWOW64\Hbblpf32.exe C:\Windows\system32\Hbblpf32.exe (PID: 1040)