Analysis
-
max time kernel
149s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
22/07/2024, 20:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3c0dbc3c2b4b01bae50ac37f9af9c1493ddbee4389403f06ef24c65c441ce57a.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
3c0dbc3c2b4b01bae50ac37f9af9c1493ddbee4389403f06ef24c65c441ce57a.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
3c0dbc3c2b4b01bae50ac37f9af9c1493ddbee4389403f06ef24c65c441ce57a.exe
-
Size
250KB
-
MD5
d317a4334d8084d0e39ec1214e344e31
-
SHA1
c0d5330e7597b33616b208aa4554db12f15a866d
-
SHA256
3c0dbc3c2b4b01bae50ac37f9af9c1493ddbee4389403f06ef24c65c441ce57a
-
SHA512
63695d8de28db7ba53c0f9ee20d8bcdb4f461221b4cd447970c91aade27d4993fcb8bea5fabc68159e22c18c24fecfaa510e0c63c16d4384951a9de8c648b83e
-
SSDEEP
6144:zK7S3TEjvCvfmZ7KRRRGBCvfmZ7KFpNlJTBCvfmZ7d:zKMTh
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfhgpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jialfgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbjpom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phlclgfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paiaplin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odgamdef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alnalh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhjlli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnmfdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcjlnpmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmfbpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phnpagdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdeqfhjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkfocaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aomnhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipeaco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpgffe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knmdeioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcjlnpmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Locjhqpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnmpdlac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfmndn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlnpgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phnpagdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbblda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 3c0dbc3c2b4b01bae50ac37f9af9c1493ddbee4389403f06ef24c65c441ce57a.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhomkcoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hemqpf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njjcip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pofkha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djdgic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhfefgkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbjeinje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgcbhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdmdacnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdpfadlm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lboiol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohiffh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkcbnanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jliaac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjokokha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgbfnngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khielcfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnhgim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phlclgfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcljmdmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmedlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdhkfd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhknaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkjphcff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqbdkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbadjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opnbbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpebmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acfmcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Andgop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkjdndjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iamdkfnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kncaojfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kddomchg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lddlkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mobfgdcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aebmjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdpfadlm.exe -
Executes dropped EXE 64 IoCs
pid Process 2088 Fgldnkkf.exe 2500 Flhmfbim.exe 2080 Fhomkcoa.exe 2740 Gfcnegnk.exe 3016 Golbnm32.exe 2480 Gdhkfd32.exe 2928 Gfhgpg32.exe 2712 Gifclb32.exe 1676 Gdmdacnn.exe 1684 Gjjmijme.exe 2032 Gbadjg32.exe 2560 Hjlioj32.exe 1680 Hfcjdkpg.exe 2840 Hnjbeh32.exe 2288 Hgbfnngi.exe 2188 Hcigco32.exe 2456 Hboddk32.exe 2180 Hemqpf32.exe 564 Hihlqeib.exe 1040 Iliebpfc.exe 1512 Ipeaco32.exe 1636 Ibcnojnp.exe 1652 Ibejdjln.exe 2396 Iedfqeka.exe 2136 Ilnomp32.exe 1580 Ijqoilii.exe 2532 Ioohokoo.exe 2748 Iamdkfnc.exe 1800 Jaoqqflp.exe 2636 Jpbalb32.exe 2768 Jliaac32.exe 2736 Jpdnbbah.exe 1980 Jmhnkfpa.exe 1328 Jioopgef.exe 1188 Jpigma32.exe 1688 Jialfgcc.exe 1764 Jhdlad32.exe 308 Jbjpom32.exe 3060 Jampjian.exe 1632 Khghgchk.exe 1820 Kncaojfb.exe 1732 Khielcfh.exe 1740 Kaajei32.exe 780 Kdpfadlm.exe 264 Kgnbnpkp.exe 2252 Kkjnnn32.exe 2028 Kjmnjkjd.exe 2472 Knhjjj32.exe 2364 Kpgffe32.exe 1720 Kgqocoin.exe 1892 Kklkcn32.exe 2800 Kjokokha.exe 2924 Kddomchg.exe 2624 Kcgphp32.exe 2892 Kjahej32.exe 2676 Knmdeioh.exe 2060 Kpkpadnl.exe 1956 Lcjlnpmo.exe 2828 Ljddjj32.exe 2668 Lhfefgkg.exe 2932 Lpnmgdli.exe 2984 Loqmba32.exe 2464 Lboiol32.exe 1444 Lfkeokjp.exe -
Loads dropped DLL 64 IoCs
pid Process 2036 3c0dbc3c2b4b01bae50ac37f9af9c1493ddbee4389403f06ef24c65c441ce57a.exe 2036 3c0dbc3c2b4b01bae50ac37f9af9c1493ddbee4389403f06ef24c65c441ce57a.exe 2088 Fgldnkkf.exe 2088 Fgldnkkf.exe 2500 Flhmfbim.exe 2500 Flhmfbim.exe 2080 Fhomkcoa.exe 2080 Fhomkcoa.exe 2740 Gfcnegnk.exe 2740 Gfcnegnk.exe 3016 Golbnm32.exe 3016 Golbnm32.exe 2480 Gdhkfd32.exe 2480 Gdhkfd32.exe 2928 Gfhgpg32.exe 2928 Gfhgpg32.exe 2712 Gifclb32.exe 2712 Gifclb32.exe 1676 Gdmdacnn.exe 1676 Gdmdacnn.exe 1684 Gjjmijme.exe 1684 Gjjmijme.exe 2032 Gbadjg32.exe 2032 Gbadjg32.exe 2560 Hjlioj32.exe 2560 Hjlioj32.exe 1680 Hfcjdkpg.exe 1680 Hfcjdkpg.exe 2840 Hnjbeh32.exe 2840 Hnjbeh32.exe 2288 Hgbfnngi.exe 2288 Hgbfnngi.exe 2188 Hcigco32.exe 2188 Hcigco32.exe 2456 Hboddk32.exe 2456 Hboddk32.exe 2180 Hemqpf32.exe 2180 Hemqpf32.exe 564 Hihlqeib.exe 564 Hihlqeib.exe 1040 Iliebpfc.exe 1040 Iliebpfc.exe 1512 Ipeaco32.exe 1512 Ipeaco32.exe 1636 Ibcnojnp.exe 1636 Ibcnojnp.exe 1652 Ibejdjln.exe 1652 Ibejdjln.exe 2396 Iedfqeka.exe 2396 Iedfqeka.exe 2136 Ilnomp32.exe 2136 Ilnomp32.exe 1580 Ijqoilii.exe 1580 Ijqoilii.exe 2532 Ioohokoo.exe 2532 Ioohokoo.exe 2748 Iamdkfnc.exe 2748 Iamdkfnc.exe 1800 Jaoqqflp.exe 1800 Jaoqqflp.exe 2636 Jpbalb32.exe 2636 Jpbalb32.exe 2768 Jliaac32.exe 2768 Jliaac32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pkoicb32.exe Pdeqfhjd.exe File created C:\Windows\SysWOW64\Aaimopli.exe Acfmcc32.exe File opened for modification C:\Windows\SysWOW64\Hjlioj32.exe Gbadjg32.exe File created C:\Windows\SysWOW64\Cjehmbkc.dll Hcigco32.exe File created C:\Windows\SysWOW64\Hnjbeh32.exe Hfcjdkpg.exe File opened for modification C:\Windows\SysWOW64\Hihlqeib.exe Hemqpf32.exe File created C:\Windows\SysWOW64\Hofpgamj.dll Hihlqeib.exe File created C:\Windows\SysWOW64\Jliaac32.exe Jpbalb32.exe File opened for modification C:\Windows\SysWOW64\Lqipkhbj.exe Lnjcomcf.exe File created C:\Windows\SysWOW64\Acfmcc32.exe Apgagg32.exe File opened for modification C:\Windows\SysWOW64\Aqbdkk32.exe Andgop32.exe File opened for modification C:\Windows\SysWOW64\Fhomkcoa.exe Flhmfbim.exe File created C:\Windows\SysWOW64\Nfdddm32.exe Nnmlcp32.exe File created C:\Windows\SysWOW64\Cmfaflol.dll Qkfocaki.exe File opened for modification C:\Windows\SysWOW64\Alihaioe.exe Qjklenpa.exe File created C:\Windows\SysWOW64\Njpeip32.dll Kkjnnn32.exe File opened for modification C:\Windows\SysWOW64\Hboddk32.exe Hcigco32.exe File created C:\Windows\SysWOW64\Kncaojfb.exe Khghgchk.exe File created C:\Windows\SysWOW64\Kjokokha.exe Kklkcn32.exe File opened for modification C:\Windows\SysWOW64\Nhlgmd32.exe Nmfbpk32.exe File created C:\Windows\SysWOW64\Oibmpl32.exe Ofcqcp32.exe File opened for modification C:\Windows\SysWOW64\Oibmpl32.exe Ofcqcp32.exe File created C:\Windows\SysWOW64\Bbmcibjp.exe Bqlfaj32.exe File created C:\Windows\SysWOW64\Gfcnegnk.exe Fhomkcoa.exe File created C:\Windows\SysWOW64\Khielcfh.exe Kncaojfb.exe File opened for modification C:\Windows\SysWOW64\Kjahej32.exe Kcgphp32.exe File created C:\Windows\SysWOW64\Phkckneq.dll Mgedmb32.exe File opened for modification C:\Windows\SysWOW64\Pojecajj.exe Pkoicb32.exe File created C:\Windows\SysWOW64\Pnbojmmp.exe Pkcbnanl.exe File opened for modification C:\Windows\SysWOW64\Hnjbeh32.exe Hfcjdkpg.exe File created C:\Windows\SysWOW64\Gaokcb32.dll Nhlgmd32.exe File created C:\Windows\SysWOW64\Gmoloenf.dll Pebpkk32.exe File opened for modification C:\Windows\SysWOW64\Pnbojmmp.exe Pkcbnanl.exe File opened for modification C:\Windows\SysWOW64\Cbdiia32.exe Cpfmmf32.exe File created C:\Windows\SysWOW64\Gbadjg32.exe Gjjmijme.exe File created C:\Windows\SysWOW64\Ofhjopbg.exe Ooabmbbe.exe File created C:\Windows\SysWOW64\Bkhhhd32.exe Bhjlli32.exe File created C:\Windows\SysWOW64\Bqlfaj32.exe Bmpkqklh.exe File created C:\Windows\SysWOW64\Cgfkmgnj.exe Ccjoli32.exe File created C:\Windows\SysWOW64\Hedbmpnc.dll Fhomkcoa.exe File created C:\Windows\SysWOW64\Egfokakc.dll Achjibcl.exe File opened for modification C:\Windows\SysWOW64\Pidfdofi.exe Phcilf32.exe File created C:\Windows\SysWOW64\Jaoqqflp.exe Iamdkfnc.exe File opened for modification C:\Windows\SysWOW64\Mbhlek32.exe Mnmpdlac.exe File created C:\Windows\SysWOW64\Mmicfh32.exe Mjkgjl32.exe File opened for modification C:\Windows\SysWOW64\Omklkkpl.exe Ojmpooah.exe File created C:\Windows\SysWOW64\Fkfnnoge.dll Pdeqfhjd.exe File opened for modification C:\Windows\SysWOW64\Pdjjag32.exe Pmpbdm32.exe File created C:\Windows\SysWOW64\Cofdbf32.dll Pcljmdmj.exe File created C:\Windows\SysWOW64\Qlomqkmp.dll Ipeaco32.exe File created C:\Windows\SysWOW64\Qcamkjba.dll Bhjlli32.exe File created C:\Windows\SysWOW64\Ajpepm32.exe Aaimopli.exe File opened for modification C:\Windows\SysWOW64\Kpkpadnl.exe Knmdeioh.exe File opened for modification C:\Windows\SysWOW64\Lfkeokjp.exe Lboiol32.exe File created C:\Windows\SysWOW64\Ikgeel32.dll Mfmndn32.exe File created C:\Windows\SysWOW64\Kbdjfk32.dll Pnbojmmp.exe File opened for modification C:\Windows\SysWOW64\Qiioon32.exe Qkfocaki.exe File opened for modification C:\Windows\SysWOW64\Cocphf32.exe Cmedlk32.exe File created C:\Windows\SysWOW64\Ongkdd32.dll Hboddk32.exe File created C:\Windows\SysWOW64\Lnjeilhc.dll Lcjlnpmo.exe File created C:\Windows\SysWOW64\Akafaiao.dll Nmfbpk32.exe File created C:\Windows\SysWOW64\Hcnfppba.dll Opglafab.exe File opened for modification C:\Windows\SysWOW64\Ofhjopbg.exe Ooabmbbe.exe File opened for modification C:\Windows\SysWOW64\Phnpagdp.exe Pdbdqh32.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\system32†Dcllbhdn.¿xe Dpapaj32.exe File opened for modification C:\Windows\system32†Dcllbhdn.¿xe Dpapaj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3440 3392 WerFault.exe 254 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbadjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongkdd32.dll" Hboddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqnifg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njhfcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opglafab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdmdacnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pebpkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pebpkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lldmleam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eicjoa32.dll" Nlnpgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pohhna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Achjibcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kncaojfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfkeokjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgedmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfahomfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjdkjpkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cchbgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfhmmndi.dll" Aomnhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahebaiac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcigco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iamdkfnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnjcomcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omklkkpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohiffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ameaio32.dll" Pdjjag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komjgdhc.dll" Adlcfjgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkhkcdl.dll" Bjmeiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibcnojnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjkgjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odldga32.dll" Nnafnopi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oekjjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqeqqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjmeiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmpgpond.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmbcen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjmnjkjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfahomfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nidmfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbnnnbbh.dll" Opihgfop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjklenpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aomnhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdjjag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmpgpond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hofpgamj.dll" Hihlqeib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kddomchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pojecajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kblikadd.dll" Pidfdofi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aficjnpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kklkcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obokcqhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjmeiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dohafell.dll" Golbnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlcibc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofcqcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjeeidhg.dll" Objaha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cinafkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iamdkfnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmicfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obhdcanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbnekdd.dll" Qiioon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijqoilii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odgamdef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qiioon32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2036 wrote to memory of 2088 2036 3c0dbc3c2b4b01bae50ac37f9af9c1493ddbee4389403f06ef24c65c441ce57a.exe 30 PID 2036 wrote to memory of 2088 2036 3c0dbc3c2b4b01bae50ac37f9af9c1493ddbee4389403f06ef24c65c441ce57a.exe 30 PID 2036 wrote to memory of 2088 2036 3c0dbc3c2b4b01bae50ac37f9af9c1493ddbee4389403f06ef24c65c441ce57a.exe 30 PID 2036 wrote to memory of 2088 2036 3c0dbc3c2b4b01bae50ac37f9af9c1493ddbee4389403f06ef24c65c441ce57a.exe 30 PID 2088 wrote to memory of 2500 2088 Fgldnkkf.exe 31 PID 2088 wrote to memory of 2500 2088 Fgldnkkf.exe 31 PID 2088 wrote to memory of 2500 2088 Fgldnkkf.exe 31 PID 2088 wrote to memory of 2500 2088 Fgldnkkf.exe 31 PID 2500 wrote to memory of 2080 2500 Flhmfbim.exe 32 PID 2500 wrote to memory of 2080 2500 Flhmfbim.exe 32 PID 2500 wrote to memory of 2080 2500 Flhmfbim.exe 32 PID 2500 wrote to memory of 2080 2500 Flhmfbim.exe 32 PID 2080 wrote to memory of 2740 2080 Fhomkcoa.exe 33 PID 2080 wrote to memory of 2740 2080 Fhomkcoa.exe 33 PID 2080 wrote to memory of 2740 2080 Fhomkcoa.exe 33 PID 2080 wrote to memory of 2740 2080 Fhomkcoa.exe 33 PID 2740 wrote to memory of 3016 2740 Gfcnegnk.exe 34 PID 2740 wrote to memory of 3016 2740 Gfcnegnk.exe 34 PID 2740 wrote to memory of 3016 2740 Gfcnegnk.exe 34 PID 2740 wrote to memory of 3016 2740 Gfcnegnk.exe 34 PID 3016 wrote to memory of 2480 3016 Golbnm32.exe 35 PID 3016 wrote to memory of 2480 3016 Golbnm32.exe 35 PID 3016 wrote to memory of 2480 3016 Golbnm32.exe 35 PID 3016 wrote to memory of 2480 3016 Golbnm32.exe 35 PID 2480 wrote to memory of 2928 2480 Gdhkfd32.exe 36 PID 2480 wrote to memory of 2928 2480 Gdhkfd32.exe 36 PID 2480 wrote to memory of 2928 2480 Gdhkfd32.exe 36 PID 2480 wrote to memory of 2928 2480 Gdhkfd32.exe 36 PID 2928 wrote to memory of 2712 2928 Gfhgpg32.exe 37 PID 2928 wrote to memory of 2712 2928 Gfhgpg32.exe 37 PID 2928 wrote to memory of 2712 2928 Gfhgpg32.exe 37 PID 2928 wrote to memory of 2712 2928 Gfhgpg32.exe 37 PID 2712 wrote to memory of 1676 2712 Gifclb32.exe 38 PID 2712 wrote to memory of 1676 2712 Gifclb32.exe 38 PID 2712 wrote to memory of 1676 2712 Gifclb32.exe 38 PID 2712 wrote to memory of 1676 2712 Gifclb32.exe 38 PID 1676 wrote to memory of 1684 1676 Gdmdacnn.exe 39 PID 1676 wrote to memory of 1684 1676 Gdmdacnn.exe 39 PID 1676 wrote to memory of 1684 1676 Gdmdacnn.exe 39 PID 1676 wrote to memory of 1684 1676 Gdmdacnn.exe 39 PID 1684 wrote to memory of 2032 1684 Gjjmijme.exe 40 PID 1684 wrote to memory of 2032 1684 Gjjmijme.exe 40 PID 1684 wrote to memory of 2032 1684 Gjjmijme.exe 40 PID 1684 wrote to memory of 2032 1684 Gjjmijme.exe 40 PID 2032 wrote to memory of 2560 2032 Gbadjg32.exe 41 PID 2032 wrote to memory of 2560 2032 Gbadjg32.exe 41 PID 2032 wrote to memory of 2560 2032 Gbadjg32.exe 41 PID 2032 wrote to memory of 2560 2032 Gbadjg32.exe 41 PID 2560 wrote to memory of 1680 2560 Hjlioj32.exe 42 PID 2560 wrote to memory of 1680 2560 Hjlioj32.exe 42 PID 2560 wrote to memory of 1680 2560 Hjlioj32.exe 42 PID 2560 wrote to memory of 1680 2560 Hjlioj32.exe 42 PID 1680 wrote to memory of 2840 1680 Hfcjdkpg.exe 43 PID 1680 wrote to memory of 2840 1680 Hfcjdkpg.exe 43 PID 1680 wrote to memory of 2840 1680 Hfcjdkpg.exe 43 PID 1680 wrote to memory of 2840 1680 Hfcjdkpg.exe 43 PID 2840 wrote to memory of 2288 2840 Hnjbeh32.exe 44 PID 2840 wrote to memory of 2288 2840 Hnjbeh32.exe 44 PID 2840 wrote to memory of 2288 2840 Hnjbeh32.exe 44 PID 2840 wrote to memory of 2288 2840 Hnjbeh32.exe 44 PID 2288 wrote to memory of 2188 2288 Hgbfnngi.exe 45 PID 2288 wrote to memory of 2188 2288 Hgbfnngi.exe 45 PID 2288 wrote to memory of 2188 2288 Hgbfnngi.exe 45 PID 2288 wrote to memory of 2188 2288 Hgbfnngi.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c0dbc3c2b4b01bae50ac37f9af9c1493ddbee4389403f06ef24c65c441ce57a.exe"C:\Users\Admin\AppData\Local\Temp\3c0dbc3c2b4b01bae50ac37f9af9c1493ddbee4389403f06ef24c65c441ce57a.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Fgldnkkf.exeC:\Windows\system32\Fgldnkkf.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Flhmfbim.exeC:\Windows\system32\Flhmfbim.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Fhomkcoa.exeC:\Windows\system32\Fhomkcoa.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Gfcnegnk.exeC:\Windows\system32\Gfcnegnk.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Golbnm32.exeC:\Windows\system32\Golbnm32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Gdhkfd32.exeC:\Windows\system32\Gdhkfd32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Gfhgpg32.exeC:\Windows\system32\Gfhgpg32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Gifclb32.exeC:\Windows\system32\Gifclb32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Gdmdacnn.exeC:\Windows\system32\Gdmdacnn.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Gjjmijme.exeC:\Windows\system32\Gjjmijme.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\Gbadjg32.exeC:\Windows\system32\Gbadjg32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Hjlioj32.exeC:\Windows\system32\Hjlioj32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Hfcjdkpg.exeC:\Windows\system32\Hfcjdkpg.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Hnjbeh32.exeC:\Windows\system32\Hnjbeh32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Hgbfnngi.exeC:\Windows\system32\Hgbfnngi.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Hcigco32.exeC:\Windows\system32\Hcigco32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Hboddk32.exeC:\Windows\system32\Hboddk32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Hemqpf32.exeC:\Windows\system32\Hemqpf32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Hihlqeib.exeC:\Windows\system32\Hihlqeib.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:564 -
C:\Windows\SysWOW64\Iliebpfc.exeC:\Windows\system32\Iliebpfc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1040 -
C:\Windows\SysWOW64\Ipeaco32.exeC:\Windows\system32\Ipeaco32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1512 -
C:\Windows\SysWOW64\Ibcnojnp.exeC:\Windows\system32\Ibcnojnp.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Ibejdjln.exeC:\Windows\system32\Ibejdjln.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1652 -
C:\Windows\SysWOW64\Iedfqeka.exeC:\Windows\system32\Iedfqeka.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2396 -
C:\Windows\SysWOW64\Ilnomp32.exeC:\Windows\system32\Ilnomp32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2136 -
C:\Windows\SysWOW64\Ijqoilii.exeC:\Windows\system32\Ijqoilii.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Ioohokoo.exeC:\Windows\system32\Ioohokoo.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2532 -
C:\Windows\SysWOW64\Iamdkfnc.exeC:\Windows\system32\Iamdkfnc.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Jaoqqflp.exeC:\Windows\system32\Jaoqqflp.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1800 -
C:\Windows\SysWOW64\Jpbalb32.exeC:\Windows\system32\Jpbalb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Jliaac32.exeC:\Windows\system32\Jliaac32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Jpdnbbah.exeC:\Windows\system32\Jpdnbbah.exe33⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Jmhnkfpa.exeC:\Windows\system32\Jmhnkfpa.exe34⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Jioopgef.exeC:\Windows\system32\Jioopgef.exe35⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Jpigma32.exeC:\Windows\system32\Jpigma32.exe36⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Jialfgcc.exeC:\Windows\system32\Jialfgcc.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Jhdlad32.exeC:\Windows\system32\Jhdlad32.exe38⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Jbjpom32.exeC:\Windows\system32\Jbjpom32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:308 -
C:\Windows\SysWOW64\Jampjian.exeC:\Windows\system32\Jampjian.exe40⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Khghgchk.exeC:\Windows\system32\Khghgchk.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Kncaojfb.exeC:\Windows\system32\Kncaojfb.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1820 -
C:\Windows\SysWOW64\Khielcfh.exeC:\Windows\system32\Khielcfh.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Kaajei32.exeC:\Windows\system32\Kaajei32.exe44⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Kdpfadlm.exeC:\Windows\system32\Kdpfadlm.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Kgnbnpkp.exeC:\Windows\system32\Kgnbnpkp.exe46⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Kkjnnn32.exeC:\Windows\system32\Kkjnnn32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2252 -
C:\Windows\SysWOW64\Kjmnjkjd.exeC:\Windows\system32\Kjmnjkjd.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Knhjjj32.exeC:\Windows\system32\Knhjjj32.exe49⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Kpgffe32.exeC:\Windows\system32\Kpgffe32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Kgqocoin.exeC:\Windows\system32\Kgqocoin.exe51⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Kklkcn32.exeC:\Windows\system32\Kklkcn32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1892 -
C:\Windows\SysWOW64\Kjokokha.exeC:\Windows\system32\Kjokokha.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Kddomchg.exeC:\Windows\system32\Kddomchg.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Kcgphp32.exeC:\Windows\system32\Kcgphp32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Kjahej32.exeC:\Windows\system32\Kjahej32.exe56⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Knmdeioh.exeC:\Windows\system32\Knmdeioh.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Kpkpadnl.exeC:\Windows\system32\Kpkpadnl.exe58⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Lcjlnpmo.exeC:\Windows\system32\Lcjlnpmo.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1956 -
C:\Windows\SysWOW64\Ljddjj32.exeC:\Windows\system32\Ljddjj32.exe60⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Lhfefgkg.exeC:\Windows\system32\Lhfefgkg.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Lpnmgdli.exeC:\Windows\system32\Lpnmgdli.exe62⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Loqmba32.exeC:\Windows\system32\Loqmba32.exe63⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Lboiol32.exeC:\Windows\system32\Lboiol32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Lfkeokjp.exeC:\Windows\system32\Lfkeokjp.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1444 -
C:\Windows\SysWOW64\Lhiakf32.exeC:\Windows\system32\Lhiakf32.exe66⤵PID:1536
-
C:\Windows\SysWOW64\Lldmleam.exeC:\Windows\system32\Lldmleam.exe67⤵
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Locjhqpa.exeC:\Windows\system32\Locjhqpa.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2780 -
C:\Windows\SysWOW64\Lbafdlod.exeC:\Windows\system32\Lbafdlod.exe69⤵PID:1836
-
C:\Windows\SysWOW64\Lfmbek32.exeC:\Windows\system32\Lfmbek32.exe70⤵PID:3052
-
C:\Windows\SysWOW64\Lhknaf32.exeC:\Windows\system32\Lhknaf32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2524 -
C:\Windows\SysWOW64\Lkjjma32.exeC:\Windows\system32\Lkjjma32.exe72⤵PID:2796
-
C:\Windows\SysWOW64\Lnhgim32.exeC:\Windows\system32\Lnhgim32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2820 -
C:\Windows\SysWOW64\Lbcbjlmb.exeC:\Windows\system32\Lbcbjlmb.exe74⤵PID:2944
-
C:\Windows\SysWOW64\Lfoojj32.exeC:\Windows\system32\Lfoojj32.exe75⤵PID:2168
-
C:\Windows\SysWOW64\Lhnkffeo.exeC:\Windows\system32\Lhnkffeo.exe76⤵PID:2408
-
C:\Windows\SysWOW64\Lgqkbb32.exeC:\Windows\system32\Lgqkbb32.exe77⤵PID:2112
-
C:\Windows\SysWOW64\Lnjcomcf.exeC:\Windows\system32\Lnjcomcf.exe78⤵
- Drops file in System32 directory
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Lqipkhbj.exeC:\Windows\system32\Lqipkhbj.exe79⤵PID:2412
-
C:\Windows\SysWOW64\Lddlkg32.exeC:\Windows\system32\Lddlkg32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2948 -
C:\Windows\SysWOW64\Lgchgb32.exeC:\Windows\system32\Lgchgb32.exe81⤵PID:1136
-
C:\Windows\SysWOW64\Mnmpdlac.exeC:\Windows\system32\Mnmpdlac.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Mbhlek32.exeC:\Windows\system32\Mbhlek32.exe83⤵PID:2916
-
C:\Windows\SysWOW64\Mgedmb32.exeC:\Windows\system32\Mgedmb32.exe84⤵
- Drops file in System32 directory
- Modifies registry class
PID:812 -
C:\Windows\SysWOW64\Mkqqnq32.exeC:\Windows\system32\Mkqqnq32.exe85⤵PID:2432
-
C:\Windows\SysWOW64\Mqnifg32.exeC:\Windows\system32\Mqnifg32.exe86⤵
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Mnaiol32.exeC:\Windows\system32\Mnaiol32.exe87⤵PID:2896
-
C:\Windows\SysWOW64\Mobfgdcl.exeC:\Windows\system32\Mobfgdcl.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2664 -
C:\Windows\SysWOW64\Mfmndn32.exeC:\Windows\system32\Mfmndn32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Mmgfqh32.exeC:\Windows\system32\Mmgfqh32.exe90⤵PID:768
-
C:\Windows\SysWOW64\Mpebmc32.exeC:\Windows\system32\Mpebmc32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2336 -
C:\Windows\SysWOW64\Mjkgjl32.exeC:\Windows\system32\Mjkgjl32.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Mmicfh32.exeC:\Windows\system32\Mmicfh32.exe93⤵
- Modifies registry class
PID:1152 -
C:\Windows\SysWOW64\Mpgobc32.exeC:\Windows\system32\Mpgobc32.exe94⤵PID:2776
-
C:\Windows\SysWOW64\Nfahomfd.exeC:\Windows\system32\Nfahomfd.exe95⤵
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Nlnpgd32.exeC:\Windows\system32\Nlnpgd32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Nnmlcp32.exeC:\Windows\system32\Nnmlcp32.exe97⤵
- Drops file in System32 directory
PID:548 -
C:\Windows\SysWOW64\Nfdddm32.exeC:\Windows\system32\Nfdddm32.exe98⤵PID:1336
-
C:\Windows\SysWOW64\Nplimbka.exeC:\Windows\system32\Nplimbka.exe99⤵PID:2208
-
C:\Windows\SysWOW64\Nbjeinje.exeC:\Windows\system32\Nbjeinje.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2084 -
C:\Windows\SysWOW64\Nidmfh32.exeC:\Windows\system32\Nidmfh32.exe101⤵
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Nlcibc32.exeC:\Windows\system32\Nlcibc32.exe102⤵
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Nnafnopi.exeC:\Windows\system32\Nnafnopi.exe103⤵
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Neknki32.exeC:\Windows\system32\Neknki32.exe104⤵PID:2692
-
C:\Windows\SysWOW64\Nhjjgd32.exeC:\Windows\system32\Nhjjgd32.exe105⤵PID:2604
-
C:\Windows\SysWOW64\Njhfcp32.exeC:\Windows\system32\Njhfcp32.exe106⤵
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Nmfbpk32.exeC:\Windows\system32\Nmfbpk32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1392 -
C:\Windows\SysWOW64\Nhlgmd32.exeC:\Windows\system32\Nhlgmd32.exe108⤵
- Drops file in System32 directory
PID:2120 -
C:\Windows\SysWOW64\Njjcip32.exeC:\Windows\system32\Njjcip32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1744 -
C:\Windows\SysWOW64\Onfoin32.exeC:\Windows\system32\Onfoin32.exe110⤵PID:2696
-
C:\Windows\SysWOW64\Oadkej32.exeC:\Windows\system32\Oadkej32.exe111⤵PID:2248
-
C:\Windows\SysWOW64\Opglafab.exeC:\Windows\system32\Opglafab.exe112⤵
- Drops file in System32 directory
- Modifies registry class
PID:1312 -
C:\Windows\SysWOW64\Ofadnq32.exeC:\Windows\system32\Ofadnq32.exe113⤵PID:908
-
C:\Windows\SysWOW64\Ojmpooah.exeC:\Windows\system32\Ojmpooah.exe114⤵
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Omklkkpl.exeC:\Windows\system32\Omklkkpl.exe115⤵
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Opihgfop.exeC:\Windows\system32\Opihgfop.exe116⤵
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Obhdcanc.exeC:\Windows\system32\Obhdcanc.exe117⤵
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Ofcqcp32.exeC:\Windows\system32\Ofcqcp32.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Oibmpl32.exeC:\Windows\system32\Oibmpl32.exe119⤵PID:2616
-
C:\Windows\SysWOW64\Omnipjni.exeC:\Windows\system32\Omnipjni.exe120⤵PID:2864
-
C:\Windows\SysWOW64\Odgamdef.exeC:\Windows\system32\Odgamdef.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2844
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-