Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 113s
max time network: 17s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 23/07/2024, 09:41
Static task
static1: 1 signatures

Behavioral task
behavioral1: sample 9c493153d9c5f0adaf9a7484af8468b0N.exe, resource win7-20240708-en, 7 signatures, 120 seconds

Behavioral task
behavioral2: sample 9c493153d9c5f0adaf9a7484af8468b0N.exe, resource win10v2004-20240709-en, 6 signatures, 120 seconds
General
Target: 9c493153d9c5f0adaf9a7484af8468b0N.exe
Size: 407KB
MD5: 9c493153d9c5f0adaf9a7484af8468b0
SHA1: 6c13a75c1f08f614a8474655d0c8733c4eee5bf0
SHA256: 02c0fc07571372189d91170d97f24b2ad6dd373fd7b13dfe70af79b43ecb7f01
SHA512: e90d832857268c31b682162217dbb67540e05846456eb0e29c03a341b3bb1165e83f62bec50afe9e4c111b76ec739f5d8b4dc35f41c7a902599b0a22539fc7da
SSDEEP: 6144:byy6Eo0lD5Xpui6yYPaIGcjDpui6yYPaIGckSU05836pui6yYPaIGckN:H630lDhpV6yYP3pV6yYPg058KpV6yYPS
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process

Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | one row for each of these 35 processes:
Gadkmj32.exe, Hakani32.exe, Ifljcanj.exe, Idlgohcl.exe, Acldpojj.exe, Aimfcedl.exe, Cefpmiji.exe, Qmoone32.exe, Gncblo32.exe, Hngbhp32.exe, Ebfpglkn.exe, Ihefjg32.exe, Mmjqhd32.exe, Chkbjc32.exe, Flnpoe32.exe, Hhnpih32.exe, Mihkoa32.exe, Qahnid32.exe, Pjlifjjb.exe, Ilaieljl.exe, Cpldjajo.exe, Flcjjdpe.exe, Ijklmn32.exe, Lblflgqk.exe, Fmicnhob.exe, Aipbidbj.exe, Ebkibk32.exe, Emdjbi32.exe, Fffabman.exe, Jdlcnkfg.exe, Cleaebna.exe, Cdpfiekl.exe, Befcne32.exe, Bpdnjb32.exe, Jomnpdjb.exe

Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | one row for each of these 29 processes:
Bmdehgcf.exe, Cefpmiji.exe, Dpnmoe32.exe, Mpmfoodb.exe, Jojaje32.exe, Noepfkgh.exe, Lbgmah32.exe, Lmondpbc.exe, Fmffhi32.exe, Nknmplji.exe, Ebfpglkn.exe, Hejaon32.exe, Mmaghc32.exe, Nmccnc32.exe, Jjbbmmih.exe, Edbonh32.exe, Oncpmf32.exe, Onelbfab.exe, Ifljcanj.exe, Mbqpgf32.exe, Apeakonl.exe, Pkiikm32.exe, Pikmob32.exe, Ckeekp32.exe, Dhnoocab.exe, Condfo32.exe, Hlebog32.exe, Befcne32.exe, Cbhcankf.exe
Executes dropped EXE (64 IoCs)
pid | Process
1812 | Hejaon32.exe
1104 | Haqbcoce.exe
2452 | Hngbhp32.exe
2588 | Hincna32.exe
2980 | Hgbdge32.exe
3060 | Iomhkgkb.exe
2888 | Ilaieljl.exe
2360 | Ijeinphf.exe
2960 | Ifljcanj.exe
2308 | Ingogcke.exe
684 | Ikkoagjo.exe
2632 | Idcdjmao.exe
2696 | Jbgdcapi.exe
2796 | Jjcigcmd.exe
2720 | Jggiah32.exe
2152 | Jqonjmbn.exe
3008 | Jqakompl.exe
3044 | Jcpglhpo.exe
1996 | Jimodo32.exe
1012 | Jkklpk32.exe
916 | Kfqpmc32.exe
2256 | Kkmhej32.exe
648 | Kfcmcckn.exe
1320 | Kkpekjie.exe
2952 | Kamncagl.exe
1268 | Kicednho.exe
2240 | Kbljmd32.exe
2512 | Kaojiqej.exe
2516 | Kgibeklf.exe
2368 | Kmeknakn.exe
2984 | Kemcookp.exe
2332 | Ljjkgfig.exe
2424 | Laccdp32.exe
1520 | Lhnlqjha.exe
2716 | Liohhbno.exe
2248 | Lbgmah32.exe
2732 | Llpajmkq.exe
2724 | Ldgikklb.exe
1100 | Lmondpbc.exe
2904 | Lpmjplag.exe
2172 | Lblflgqk.exe
1944 | Lppgfkpd.exe
1640 | Lbncbgoh.exe
296 | Memonbnl.exe
696 | Mihkoa32.exe
2164 | Mkihfi32.exe
1668 | Mbqpgf32.exe
2316 | Meolcb32.exe
2292 | Mhmhpm32.exe
1728 | Mmjqhd32.exe
3048 | Meaiia32.exe
2508 | Mknaahhn.exe
2840 | Mahinb32.exe
2776 | Mdfejn32.exe
2408 | Mkqnghfk.exe
2180 | Mmojcceo.exe
2640 | Mpmfoodb.exe
1692 | Mggoli32.exe
2688 | Mmaghc32.exe
600 | Ndkoemji.exe
2812 | Ngikaijm.exe
2140 | Nihgndip.exe
3056 | Nmccnc32.exe
1460 | Noepfkgh.exe
Loads dropped DLL (64 IoCs)
pid | Process
Each process below appears twice in the report (32 processes, 64 rows).
2876 | 9c493153d9c5f0adaf9a7484af8468b0N.exe
1812 | Hejaon32.exe
1104 | Haqbcoce.exe
2452 | Hngbhp32.exe
2588 | Hincna32.exe
2980 | Hgbdge32.exe
3060 | Iomhkgkb.exe
2888 | Ilaieljl.exe
2360 | Ijeinphf.exe
2960 | Ifljcanj.exe
2308 | Ingogcke.exe
684 | Ikkoagjo.exe
2632 | Idcdjmao.exe
2696 | Jbgdcapi.exe
2796 | Jjcigcmd.exe
2720 | Jggiah32.exe
2152 | Jqonjmbn.exe
3008 | Jqakompl.exe
3044 | Jcpglhpo.exe
1996 | Jimodo32.exe
1012 | Jkklpk32.exe
916 | Kfqpmc32.exe
2256 | Kkmhej32.exe
648 | Kfcmcckn.exe
1320 | Kkpekjie.exe
2952 | Kamncagl.exe
1268 | Kicednho.exe
2240 | Kbljmd32.exe
2512 | Kaojiqej.exe
2516 | Kgibeklf.exe
2368 | Kmeknakn.exe
2984 | Kemcookp.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Fdkkjm32.dll | Kkpekjie.exe
File created | C:\Windows\SysWOW64\Laccdp32.exe | Ljjkgfig.exe
File created | C:\Windows\SysWOW64\Bbeaaiga.dll | Dfjegl32.exe
File created | C:\Windows\SysWOW64\Qahnid32.exe | Qnjbmh32.exe
File created | C:\Windows\SysWOW64\Fffabman.exe | Fpliec32.exe
File created | C:\Windows\SysWOW64\Igeljknl.dll | Kemcookp.exe
File created | C:\Windows\SysWOW64\Kcclni32.dll | Ofaaghom.exe
File opened for modification | C:\Windows\SysWOW64\Pgkqeo32.exe | Poplqm32.exe
File opened for modification | C:\Windows\SysWOW64\Hiichkog.exe | Hfjglppd.exe
File created | C:\Windows\SysWOW64\Mikochhm.dll | 9c493153d9c5f0adaf9a7484af8468b0N.exe
File created | C:\Windows\SysWOW64\Ajqoqm32.exe | Alnoepam.exe
File opened for modification | C:\Windows\SysWOW64\Flqmddah.exe | Fefdhj32.exe
File created | C:\Windows\SysWOW64\Nlpnhnoo.dll | Ajelmiag.exe
File opened for modification | C:\Windows\SysWOW64\Eligoe32.exe | Edbonh32.exe
File created | C:\Windows\SysWOW64\Idncdgai.exe | Iapghlbe.exe
File created | C:\Windows\SysWOW64\Idoclg32.dll | Pikmob32.exe
File opened for modification | C:\Windows\SysWOW64\Dfhial32.exe | Dpkpie32.exe
File created | C:\Windows\SysWOW64\Ppdpkopc.dll | Fffabman.exe
File opened for modification | C:\Windows\SysWOW64\Pidgnc32.exe | Pfekbg32.exe
File created | C:\Windows\SysWOW64\Jjbbmmih.exe | Jakjlpif.exe
File created | C:\Windows\SysWOW64\Nglhghgj.exe | Noepfkgh.exe
File created | C:\Windows\SysWOW64\Ocbekmpi.exe | Oqdioaqf.exe
File created | C:\Windows\SysWOW64\Cffpbe32.dll | Jlleni32.exe
File opened for modification | C:\Windows\SysWOW64\Lbgmah32.exe | Liohhbno.exe
File opened for modification | C:\Windows\SysWOW64\Necandjo.exe | Nceeaikk.exe
File created | C:\Windows\SysWOW64\Ofbajq32.dll | Lmondpbc.exe
File opened for modification | C:\Windows\SysWOW64\Enmplm32.exe | Egchocif.exe
File created | C:\Windows\SysWOW64\Gdgadeee.exe | Gmmihk32.exe
File created | C:\Windows\SysWOW64\Mpbgqo32.dll | Mhmhpm32.exe
File created | C:\Windows\SysWOW64\Pidgnc32.exe | Pfekbg32.exe
File created | C:\Windows\SysWOW64\Ekhnip32.dll | Nknmplji.exe
File created | C:\Windows\SysWOW64\Apeakonl.exe | Aikine32.exe
File opened for modification | C:\Windows\SysWOW64\Ffcdlncp.exe | Fpjlpclc.exe
File opened for modification | C:\Windows\SysWOW64\Ijeinphf.exe | Ilaieljl.exe
File created | C:\Windows\SysWOW64\Jpojog32.dll | Jggiah32.exe
File opened for modification | C:\Windows\SysWOW64\Kkmhej32.exe | Kfqpmc32.exe
File created | C:\Windows\SysWOW64\Olbqfb32.dll | Eqklhh32.exe
File opened for modification | C:\Windows\SysWOW64\Jcpglhpo.exe | Jqakompl.exe
File created | C:\Windows\SysWOW64\Jimodo32.exe | Jcpglhpo.exe
File opened for modification | C:\Windows\SysWOW64\Kfcmcckn.exe | Kkmhej32.exe
File created | C:\Windows\SysWOW64\Caiiik32.dll | Jqonjmbn.exe
File created | C:\Windows\SysWOW64\Kicednho.exe | Kamncagl.exe
File created | C:\Windows\SysWOW64\Dlpdifda.exe | Dkohanoc.exe
File created | C:\Windows\SysWOW64\Oajpci32.dll | Mmojcceo.exe
File opened for modification | C:\Windows\SysWOW64\Gabohk32.exe | Gncblo32.exe
File created | C:\Windows\SysWOW64\Blhhag32.dll | Peandcih.exe
File created | C:\Windows\SysWOW64\Bmfpgbcf.dll | Dddodd32.exe
File opened for modification | C:\Windows\SysWOW64\Mmojcceo.exe | Mkqnghfk.exe
File created | C:\Windows\SysWOW64\Eifgeike.dll | Cnfnlk32.exe
File created | C:\Windows\SysWOW64\Ijklmn32.exe | Igmppcpm.exe
File opened for modification | C:\Windows\SysWOW64\Jakjlpif.exe | Jomnpdjb.exe
File created | C:\Windows\SysWOW64\Madiaabn.dll | Ffokan32.exe
File created | C:\Windows\SysWOW64\Hkjekf32.dll | Flnpoe32.exe
File created | C:\Windows\SysWOW64\Igomfb32.exe | Idqpjg32.exe
File created | C:\Windows\SysWOW64\Jccphimo.dll | Jojaje32.exe
File created | C:\Windows\SysWOW64\Epempm32.dll | Lhnlqjha.exe
File created | C:\Windows\SysWOW64\Afhcgjkq.exe | Qcigjolm.exe
File created | C:\Windows\SysWOW64\Jqjddlfd.dll | Bbcjfn32.exe
File created | C:\Windows\SysWOW64\Neohbe32.exe | Nglhghgj.exe
File opened for modification | C:\Windows\SysWOW64\Aikine32.exe | Aflmbj32.exe
File opened for modification | C:\Windows\SysWOW64\Gdgadeee.exe | Gmmihk32.exe
File opened for modification | C:\Windows\SysWOW64\Lppgfkpd.exe | Lblflgqk.exe
File opened for modification | C:\Windows\SysWOW64\Qcgkeonp.exe | Qahnid32.exe
File created | C:\Windows\SysWOW64\Behpcefk.exe | Bjclfmfe.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
3860 | 3800 | WerFault.exe | 317
Modifies registry class (64 IoCs)
description | ioc | Process

Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | one row for each of these 22 processes:
Necandjo.exe, Dhnoocab.exe, Ohdkop32.exe, Amalcd32.exe, Cpigeblb.exe, Dlpdifda.exe, Mbqpgf32.exe, Onelbfab.exe, Ffcdlncp.exe, Ilihij32.exe, Ifljcanj.exe, Jggiah32.exe, Jcjffc32.exe, Behpcefk.exe, Fqbbig32.exe, Angafl32.exe, Gbmbgngb.exe, Neohbe32.exe, Jakjlpif.exe, Pkiikm32.exe, Jbgdcapi.exe, Gmipmlan.exe

Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | one row for each of these 19 processes:
Hikpnkme.exe, Algida32.exe, Amdhidqk.exe, Pjlifjjb.exe, Mggoli32.exe, Qmoone32.exe, Fqbbig32.exe, Ommfibdg.exe, Flqmddah.exe, Fffabman.exe, Jjpehn32.exe, Mkqnghfk.exe, Jqonjmbn.exe, Iomaaa32.exe, Cnfnlk32.exe, Hoflpbmo.exe, Djfagjai.exe, Memonbnl.exe, Edbonh32.exe

Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = <value> | one row per value/process pair (23 rows):
"C:\\Windows\\SysWow64\\Onjimepm.dll" | Mdfejn32.exe
"C:\\Windows\\SysWow64\\Fmbkgfki.dll" | Dbaflm32.exe
"C:\\Windows\\SysWow64\\Pdijjmef.dll" | Chghodgj.exe
"C:\\Windows\\SysWow64\\Hhfcnkcn.dll" | Cbhcankf.exe
"C:\\Windows\\SysWow64\\Mfdedcim.dll" | Coejfn32.exe
"C:\\Windows\\SysWow64\\Djocmfki.dll" | Ocbekmpi.exe
"C:\\Windows\\SysWow64\\Ljcbii32.dll" | Hbokkagk.exe
"C:\\Windows\\SysWow64\\Gqcbihdb.dll" | Gncblo32.exe
"C:\\Windows\\SysWow64\\Ooolkl32.dll" | Pidgnc32.exe
"C:\\Windows\\SysWow64\\Debmplbf.dll" | Gjomlp32.exe
"C:\\Windows\\SysWow64\\Bjndif32.dll" | Iiiogoac.exe
"C:\\Windows\\SysWow64\\Liqnhl32.dll" | Bmhncg32.exe
"C:\\Windows\\SysWow64\\Dmkdanef.dll" | Djhnmj32.exe
"C:\\Windows\\SysWow64\\Ckhcon32.dll" | Mahinb32.exe
"C:\\Windows\\SysWow64\\Kcepic32.dll" | Odkkdqmd.exe
"C:\\Windows\\SysWow64\\Ppepdplg.dll" | Gadkmj32.exe
"C:\\Windows\\SysWow64\\Meieho32.dll" | Hikpnkme.exe
"C:\\Windows\\SysWow64\\Cffpbe32.dll" | Jlleni32.exe
"C:\\Windows\\SysWow64\\Ceajdhdn.dll" | Dpnmoe32.exe
"C:\\Windows\\SysWow64\\Qajccegk.dll" | Ijmibn32.exe
"C:\\Windows\\SysWow64\\Gmoakfcf.dll" | Befcne32.exe
"C:\\Windows\\SysWow64\\Infpbgeb.dll" | Nceeaikk.exe
"C:\\Windows\\SysWow64\\Lhiqhdca.dll" | Ojlmgg32.exe
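The two registry signatures above ("Adds autorun key to be loaded by Explorer.exe on startup" and "Modifies registry class") are two halves of one persistence chain. Each generation registers CLSID {79ECA078-17FF-726B-E811-213280E5C831} as an in-process COM server whose InProcServer32 default value points at a DLL it dropped into SysWOW64 (the report shows Jlleni32.exe both creating C:\Windows\SysWOW64\Cffpbe32.dll and writing that path as the InProcServer32 default), and lists the same CLSID under ShellServiceObjectDelayLoad as "Web Event Logger", so Explorer instantiates the object, and therefore loads the DLL, at every logon. The script below is an added example, not part of the tria.ge report, that joins rows in the report's description/ioc/Process shape on the CLSID and reports which DLL Explorer will actually load. The sample rows are constructed from the report's tables plus one fake benign control entry (CLSID {00000000-0000-0000-0000-000000000001}, hypothetical installer setup.exe) that is not in the report; DROPPED_EXES is a constructed subset of the process names the report lists.

```python
"""Correlate sandbox registry rows into ShellServiceObjectDelayLoad (SSODL) persistence chains.

Added example, not part of the tria.ge report. Rows are constructed to mirror the report's
"description | ioc | Process" columns, joined with " | ".
"""
import re
from collections import defaultdict

# A CLSID listed under SSODL is instantiated by Explorer at logon.
SSODL_RE = re.compile(
    r'\\ShellServiceObjectDelayLoad\\(?P<name>[^\\]+?) = "(?P<clsid>\{[0-9A-Fa-f-]{36}\})"$'
)
# The CLSID's InProcServer32 default value names the DLL Explorer will load for it.
INPROC_RE = re.compile(
    r'\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\InProcServer32\\ = "(?P<dll>[^"]+)"$'
)

# Constructed sample: rows taken from the report's two registry signatures, plus one benign
# control (fake CLSID, hypothetical installer setup.exe) that is NOT in the report.
SAMPLE_EVENTS = "\n".join([
    r'Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gadkmj32.exe',
    r'Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hejaon32.exe',
    r'Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ebfpglkn.exe',
    r'Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onjimepm.dll" | Mdfejn32.exe',
    r'Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cffpbe32.dll" | Jlleni32.exe',
    r'Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Jqonjmbn.exe',
    r'Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Example Control = "{00000000-0000-0000-0000-000000000001}" | setup.exe',
    r'Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32\ = "C:\\Program Files (x86)\\Example\\control.dll" | setup.exe',
])
# Constructed: a subset of the process names the report lists as dropped executables.
DROPPED_EXES = {"Hejaon32.exe", "Ebfpglkn.exe", "Mdfejn32.exe", "Jlleni32.exe", "Jqonjmbn.exe"}


def parse_events(text):
    """Split 'description | ioc | Process' rows into (description, ioc, process) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            desc, ioc, proc = (field.strip() for field in line.split(" | "))
            rows.append((desc, ioc, proc))
    return rows


def ssodl_chains(events):
    """Return one dict per SSODL CLSID: the value name Explorer reads, every DLL registered as
    that CLSID's in-process server, and the processes that wrote each piece."""
    entries = {}                  # clsid -> {"name": value name, "ssodl_writers": [process, ...]}
    servers = defaultdict(list)   # clsid -> [(dll path, writer process), ...]
    for desc, ioc, proc in events:
        if not desc.startswith("Set value"):
            continue              # "Key created" rows carry no value
        m = SSODL_RE.search(ioc)
        if m:
            entry = entries.setdefault(m["clsid"], {"name": m["name"], "ssodl_writers": []})
            entry["ssodl_writers"].append(proc)
            continue
        m = INPROC_RE.search(ioc)
        if m:
            # The report renders the path with doubled backslashes; collapse them.
            servers[m["clsid"]].append((m["dll"].replace("\\\\", "\\"), proc))
    return [
        {
            "clsid": clsid,
            "name": entries[clsid]["name"],
            "ssodl_writers": entries[clsid]["ssodl_writers"],
            "servers": servers.get(clsid, []),
        }
        for clsid in sorted(entries)
    ]


def is_suspicious(chain, dropped_exes):
    """Flag a chain when the SSODL entry or its server was written by a dropped executable, or
    when the same CLSID was pointed at more than one DLL (each generation re-registering it)."""
    dlls = {dll for dll, _ in chain["servers"]}
    writers = {proc for _, proc in chain["servers"]} | set(chain["ssodl_writers"])
    return bool(writers & dropped_exes) or len(dlls) > 1


if __name__ == "__main__":
    for chain in ssodl_chains(parse_events(SAMPLE_EVENTS)):
        verdict = "SUSPICIOUS" if is_suspicious(chain, DROPPED_EXES) else "ok"
        print(f'{verdict}: SSODL "{chain["name"]}" -> {chain["clsid"]}')
        for dll, writer in chain["servers"]:
            print(f"    Explorer loads {dll} (InProcServer32 written by {writer})")
```

On a live host the same join is done against HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (and the Wow6432Node view on 64-bit systems) and HKCR\CLSID\{clsid}\InProcServer32; the report's rows are the sandbox's record of exactly those writes.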
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
Each row below appears four times in the report (16 distinct rows, 64 in total).
PID 2876 wrote to memory of 1812 | 2876 | 9c493153d9c5f0adaf9a7484af8468b0N.exe | 29
PID 1812 wrote to memory of 1104 | 1812 | Hejaon32.exe | 30
PID 1104 wrote to memory of 2452 | 1104 | Haqbcoce.exe | 31
PID 2452 wrote to memory of 2588 | 2452 | Hngbhp32.exe | 32
PID 2588 wrote to memory of 2980 | 2588 | Hincna32.exe | 33
PID 2980 wrote to memory of 3060 | 2980 | Hgbdge32.exe | 34
PID 3060 wrote to memory of 2888 | 3060 | Iomhkgkb.exe | 35
PID 2888 wrote to memory of 2360 | 2888 | Ilaieljl.exe | 36
PID 2360 wrote to memory of 2960 | 2360 | Ijeinphf.exe | 37
PID 2960 wrote to memory of 2308 | 2960 | Ifljcanj.exe | 38
PID 2308 wrote to memory of 684 | 2308 | Ingogcke.exe | 39
PID 684 wrote to memory of 2632 | 684 | Ikkoagjo.exe | 40
PID 2632 wrote to memory of 2696 | 2632 | Idcdjmao.exe | 41
PID 2696 wrote to memory of 2796 | 2696 | Jbgdcapi.exe | 42
PID 2796 wrote to memory of 2720 | 2796 | Jjcigcmd.exe | 43
PID 2720 wrote to memory of 2152 | 2720 | Jggiah32.exe | 44
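The WriteProcessMemory rows above, read together with "Executes dropped EXE" and "Drops file in System32 directory", describe a chain rather than injection: a parent that starts a child with CreateProcess writes the child's startup parameters into the new address space, so every link shows a dropped executable writing into the next dropped executable it just launched, and the sandbox records each launch as four identical rows. (The command lines in the process tree name C:\Windows\system32 while the images and dropped files sit in C:\Windows\SysWOW64 because file-system redirection applies to these 32-bit processes; that is why the "System32" signature fires on SysWOW64 paths.) What separates this from cross-process injection is the target: the child the writer just created versus a process that was already running. The script below is an added example, not the report's or the sandbox's code; its rows are constructed from the first links of the report's chain, with one synthetic write into pid 1234 that is not in the report, and PROCESS_NAMES is built from the report's pid/Process rows.

```python
"""Rebuild a sandbox spawn chain from "wrote to memory of" rows and separate process-creation
writes from cross-process writes.

Added example, not part of the tria.ge report. Rows are constructed from the first links of
the report's "Suspicious use of WriteProcessMemory" table plus one synthetic row.
"""
import re

# Row shape: "PID <src> wrote to memory of <dst> <src> <Process> <procid_target>";
# the back-reference enforces that the pid column repeats the writer named in the description.
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<proc>\S+) (?P<target>\d+)$"
)

# Constructed from the report's "Executes dropped EXE" pid/Process rows (first five) and the
# submitted sample (pid 2876).
PROCESS_NAMES = {
    2876: "9c493153d9c5f0adaf9a7484af8468b0N.exe",
    1812: "Hejaon32.exe",
    1104: "Haqbcoce.exe",
    2452: "Hngbhp32.exe",
    2588: "Hincna32.exe",
    2980: "Hgbdge32.exe",
}
DROPPED_PIDS = set(PROCESS_NAMES) - {2876}   # pids listed under "Executes dropped EXE"

# Constructed: the report repeats every write four times (shown in full for the first link
# only); the final row, a write into pid 1234, is synthetic and NOT in the report.
SAMPLE_ROWS = """
PID 2876 wrote to memory of 1812 2876 9c493153d9c5f0adaf9a7484af8468b0N.exe 29
PID 2876 wrote to memory of 1812 2876 9c493153d9c5f0adaf9a7484af8468b0N.exe 29
PID 2876 wrote to memory of 1812 2876 9c493153d9c5f0adaf9a7484af8468b0N.exe 29
PID 2876 wrote to memory of 1812 2876 9c493153d9c5f0adaf9a7484af8468b0N.exe 29
PID 1812 wrote to memory of 1104 1812 Hejaon32.exe 30
PID 1812 wrote to memory of 1104 1812 Hejaon32.exe 30
PID 1104 wrote to memory of 2452 1104 Haqbcoce.exe 31
PID 2452 wrote to memory of 2588 2452 Hngbhp32.exe 32
PID 2588 wrote to memory of 2980 2588 Hincna32.exe 33
PID 2980 wrote to memory of 1234 2980 Hgbdge32.exe 99
"""


def parse_writes(text):
    """Parse rows into (writer pid, target pid, writer image, target procid) edges, dropping
    the repeated rows the sandbox emits for a single CreateProcess."""
    edges, seen = [], set()
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        edge = (int(m["src"]), int(m["dst"]), m["proc"], int(m["target"]))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def classify_writes(edges, dropped_pids):
    """A write whose target is one of the dropped executables (the child the writer launched,
    in this report) is ordinary process creation; a write into any other process is an
    injection candidate that deserves a closer look."""
    spawns, injects = [], []
    for edge in edges:
        (spawns if edge[1] in dropped_pids else injects).append(edge)
    return spawns, injects


def spawn_chain(spawns, names):
    """Walk spawn edges from the root (a writer that is never itself a target) and return the
    image names in execution order. Assumes the linear one-child-per-parent chain seen here."""
    children = {src: dst for src, dst, _, _ in spawns}
    targets = set(children.values())
    roots = [src for src in children if src not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected one chain root, found {roots}")
    chain, pid = [], roots[0]
    while pid is not None:
        chain.append(names.get(pid, f"pid {pid}"))
        pid = children.get(pid)
    return chain


if __name__ == "__main__":
    edges = parse_writes(SAMPLE_ROWS)
    spawns, injects = classify_writes(edges, DROPPED_PIDS)
    print(" -> ".join(spawn_chain(spawns, PROCESS_NAMES)))
    for src, dst, proc, _ in injects:
        print(f"cross-process write: {proc} (pid {src}) -> pid {dst}")
```

The dropped-pid set is the key input: without it every row here looks like a write into a foreign process, which is exactly why the sandbox labels the signature "suspicious" rather than "injection".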
Processes

C:\Users\Admin\AppData\Local\Temp\9c493153d9c5f0adaf9a7484af8468b0N.exe (depth 1, PID 2876)
command line: "C:\Users\Admin\AppData\Local\Temp\9c493153d9c5f0adaf9a7484af8468b0N.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\Hejaon32.exe (depth 2, PID 1812)
  command line: C:\Windows\system32\Hejaon32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Haqbcoce.exe (depth 3, PID 1104)
    command line: C:\Windows\system32\Haqbcoce.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\Hngbhp32.exe (depth 4, PID 2452)
      command line: C:\Windows\system32\Hngbhp32.exe
      - Adds autorun key to be loaded by Explorer.exe on startup
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\Hincna32.exe (depth 5, PID 2588)
        command line: C:\Windows\system32\Hincna32.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\Hgbdge32.exe (depth 6, PID 2980)
          command line: C:\Windows\system32\Hgbdge32.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\Iomhkgkb.exe (depth 7, PID 3060)
            command line: C:\Windows\system32\Iomhkgkb.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory

              C:\Windows\SysWOW64\Ilaieljl.exe (depth 8, PID 2888)
              command line: C:\Windows\system32\Ilaieljl.exe
              - Adds autorun key to be loaded by Explorer.exe on startup
              - Executes dropped EXE
              - Loads dropped DLL
              - Drops file in System32 directory
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\Ijeinphf.exe (depth 9, PID 2360)
                command line: C:\Windows\system32\Ijeinphf.exe
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of WriteProcessMemory

                  C:\Windows\SysWOW64\Ifljcanj.exe (depth 10, PID 2960)
                  command line: C:\Windows\system32\Ifljcanj.exe
                  - Adds autorun key to be loaded by Explorer.exe on startup
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Modifies registry class
                  - Suspicious use of WriteProcessMemory

                    C:\Windows\SysWOW64\Ingogcke.exe (depth 11, PID 2308)
                    command line: C:\Windows\system32\Ingogcke.exe
                    - Executes dropped EXE
                    - Loads dropped DLL
                    - Suspicious use of WriteProcessMemory

                      C:\Windows\SysWOW64\Ikkoagjo.exe (depth 12, PID 684)
                      command line: C:\Windows\system32\Ikkoagjo.exe
                      - Executes dropped EXE
                      - Loads dropped DLL
                      - Suspicious use of WriteProcessMemory

                        C:\Windows\SysWOW64\Idcdjmao.exe (depth 13)
                        command line: C:\Windows\system32\Idcdjmao.exe
                        - Executes dropped EXE
                        - Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Jbgdcapi.exeC:\Windows\system32\Jbgdcapi.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Jjcigcmd.exeC:\Windows\system32\Jjcigcmd.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Jggiah32.exeC:\Windows\system32\Jggiah32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Jqonjmbn.exeC:\Windows\system32\Jqonjmbn.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Jqakompl.exeC:\Windows\system32\Jqakompl.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3008 -
C:\Windows\SysWOW64\Jcpglhpo.exeC:\Windows\system32\Jcpglhpo.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3044 -
C:\Windows\SysWOW64\Jimodo32.exeC:\Windows\system32\Jimodo32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1996 -
C:\Windows\SysWOW64\Jkklpk32.exeC:\Windows\system32\Jkklpk32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1012 -
C:\Windows\SysWOW64\Kfqpmc32.exeC:\Windows\system32\Kfqpmc32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:916 -
C:\Windows\SysWOW64\Kkmhej32.exeC:\Windows\system32\Kkmhej32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2256 -
C:\Windows\SysWOW64\Kfcmcckn.exeC:\Windows\system32\Kfcmcckn.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:648 -
C:\Windows\SysWOW64\Kkpekjie.exeC:\Windows\system32\Kkpekjie.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1320 -
C:\Windows\SysWOW64\Kamncagl.exeC:\Windows\system32\Kamncagl.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Kicednho.exeC:\Windows\system32\Kicednho.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1268 -
C:\Windows\SysWOW64\Kbljmd32.exeC:\Windows\system32\Kbljmd32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2240 -
C:\Windows\SysWOW64\Kaojiqej.exeC:\Windows\system32\Kaojiqej.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2512 -
C:\Windows\SysWOW64\Kgibeklf.exeC:\Windows\system32\Kgibeklf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2516 -
C:\Windows\SysWOW64\Kmeknakn.exeC:\Windows\system32\Kmeknakn.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Kemcookp.exeC:\Windows\system32\Kemcookp.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2984 -
C:\Windows\SysWOW64\Ljjkgfig.exeC:\Windows\system32\Ljjkgfig.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2332 -
C:\Windows\SysWOW64\Laccdp32.exeC:\Windows\system32\Laccdp32.exe34⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Lhnlqjha.exeC:\Windows\system32\Lhnlqjha.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1520 -
C:\Windows\SysWOW64\Liohhbno.exeC:\Windows\system32\Liohhbno.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Lbgmah32.exeC:\Windows\system32\Lbgmah32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Llpajmkq.exeC:\Windows\system32\Llpajmkq.exe38⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Ldgikklb.exeC:\Windows\system32\Ldgikklb.exe39⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Lmondpbc.exeC:\Windows\system32\Lmondpbc.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1100 -
C:\Windows\SysWOW64\Lpmjplag.exeC:\Windows\system32\Lpmjplag.exe41⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Lblflgqk.exeC:\Windows\system32\Lblflgqk.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2172 -
C:\Windows\SysWOW64\Lppgfkpd.exeC:\Windows\system32\Lppgfkpd.exe43⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Lbncbgoh.exeC:\Windows\system32\Lbncbgoh.exe44⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Memonbnl.exeC:\Windows\system32\Memonbnl.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:296 -
C:\Windows\SysWOW64\Mihkoa32.exeC:\Windows\system32\Mihkoa32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Mkihfi32.exeC:\Windows\system32\Mkihfi32.exe47⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Mbqpgf32.exeC:\Windows\system32\Mbqpgf32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Meolcb32.exeC:\Windows\system32\Meolcb32.exe49⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Mhmhpm32.exeC:\Windows\system32\Mhmhpm32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2292 -
C:\Windows\SysWOW64\Mmjqhd32.exeC:\Windows\system32\Mmjqhd32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Meaiia32.exeC:\Windows\system32\Meaiia32.exe52⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Mknaahhn.exeC:\Windows\system32\Mknaahhn.exe53⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Mahinb32.exeC:\Windows\system32\Mahinb32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Mdfejn32.exeC:\Windows\system32\Mdfejn32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Mkqnghfk.exeC:\Windows\system32\Mkqnghfk.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Mmojcceo.exeC:\Windows\system32\Mmojcceo.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Mpmfoodb.exeC:\Windows\system32\Mpmfoodb.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Mggoli32.exeC:\Windows\system32\Mggoli32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Mmaghc32.exeC:\Windows\system32\Mmaghc32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Ndkoemji.exeC:\Windows\system32\Ndkoemji.exe61⤵
- Executes dropped EXE
PID:600 -
C:\Windows\SysWOW64\Ngikaijm.exeC:\Windows\system32\Ngikaijm.exe62⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Nihgndip.exeC:\Windows\system32\Nihgndip.exe63⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Nmccnc32.exeC:\Windows\system32\Nmccnc32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Noepfkgh.exeC:\Windows\system32\Noepfkgh.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1460 -
C:\Windows\SysWOW64\Nglhghgj.exeC:\Windows\system32\Nglhghgj.exe66⤵
- Drops file in System32 directory
PID:1620 -
C:\Windows\SysWOW64\Neohbe32.exeC:\Windows\system32\Neohbe32.exe67⤵
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Nijdcdgn.exeC:\Windows\system32\Nijdcdgn.exe68⤵
PID:2208 -
C:\Windows\SysWOW64\Npdlpnnj.exeC:\Windows\system32\Npdlpnnj.exe69⤵
PID:1760 -
C:\Windows\SysWOW64\Ncbilimn.exeC:\Windows\system32\Ncbilimn.exe70⤵
PID:2552 -
C:\Windows\SysWOW64\Nhpadpke.exeC:\Windows\system32\Nhpadpke.exe71⤵
PID:2856 -
C:\Windows\SysWOW64\Nknmplji.exeC:\Windows\system32\Nknmplji.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2612 -
C:\Windows\SysWOW64\Nceeaikk.exeC:\Windows\system32\Nceeaikk.exe73⤵
- Drops file in System32 directory
- Modifies registry class
PID:348 -
C:\Windows\SysWOW64\Necandjo.exeC:\Windows\system32\Necandjo.exe74⤵
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Nlmjjo32.exeC:\Windows\system32\Nlmjjo32.exe75⤵
PID:2628 -
C:\Windows\SysWOW64\Nnofbg32.exeC:\Windows\system32\Nnofbg32.exe76⤵
PID:444 -
C:\Windows\SysWOW64\Ndhooaog.exeC:\Windows\system32\Ndhooaog.exe77⤵
PID:1968 -
C:\Windows\SysWOW64\Ohdkop32.exeC:\Windows\system32\Ohdkop32.exe78⤵
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Okbgkk32.exeC:\Windows\system32\Okbgkk32.exe79⤵
PID:1604 -
C:\Windows\SysWOW64\Onacgf32.exeC:\Windows\system32\Onacgf32.exe80⤵
PID:568 -
C:\Windows\SysWOW64\Odkkdqmd.exeC:\Windows\system32\Odkkdqmd.exe81⤵
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Ohfgeo32.exeC:\Windows\system32\Ohfgeo32.exe82⤵
PID:1852 -
C:\Windows\SysWOW64\Oncpmf32.exeC:\Windows\system32\Oncpmf32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:620 -
C:\Windows\SysWOW64\Ocphembl.exeC:\Windows\system32\Ocphembl.exe84⤵
PID:2520 -
C:\Windows\SysWOW64\Okgpfjbo.exeC:\Windows\system32\Okgpfjbo.exe85⤵
PID:3004 -
C:\Windows\SysWOW64\Onelbfab.exeC:\Windows\system32\Onelbfab.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Oqdioaqf.exeC:\Windows\system32\Oqdioaqf.exe87⤵
- Drops file in System32 directory
PID:2740 -
C:\Windows\SysWOW64\Ocbekmpi.exeC:\Windows\system32\Ocbekmpi.exe88⤵
- Modifies registry class
PID:952 -
C:\Windows\SysWOW64\Ofaaghom.exeC:\Windows\system32\Ofaaghom.exe89⤵
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\Ojlmgg32.exeC:\Windows\system32\Ojlmgg32.exe90⤵
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Oqfeda32.exeC:\Windows\system32\Oqfeda32.exe91⤵
PID:1780 -
C:\Windows\SysWOW64\Ooiepnen.exeC:\Windows\system32\Ooiepnen.exe92⤵
PID:2336 -
C:\Windows\SysWOW64\Ofcnmh32.exeC:\Windows\system32\Ofcnmh32.exe93⤵
PID:956 -
C:\Windows\SysWOW64\Ohajic32.exeC:\Windows\system32\Ohajic32.exe94⤵
PID:2168 -
C:\Windows\SysWOW64\Ommfibdg.exeC:\Windows\system32\Ommfibdg.exe95⤵
- Modifies registry class
PID:484 -
C:\Windows\SysWOW64\Polbemck.exeC:\Windows\system32\Polbemck.exe96⤵
PID:2088 -
C:\Windows\SysWOW64\Pfekbg32.exeC:\Windows\system32\Pfekbg32.exe97⤵
- Drops file in System32 directory
PID:1576 -
C:\Windows\SysWOW64\Pidgnc32.exeC:\Windows\system32\Pidgnc32.exe98⤵
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Pcikllja.exeC:\Windows\system32\Pcikllja.exe99⤵
PID:2580 -
C:\Windows\SysWOW64\Pdkgcd32.exeC:\Windows\system32\Pdkgcd32.exe100⤵
PID:2996 -
C:\Windows\SysWOW64\Pmbpda32.exeC:\Windows\system32\Pmbpda32.exe101⤵
PID:2380 -
C:\Windows\SysWOW64\Poplqm32.exeC:\Windows\system32\Poplqm32.exe102⤵
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Pgkqeo32.exeC:\Windows\system32\Pgkqeo32.exe103⤵
PID:1496 -
C:\Windows\SysWOW64\Pobhfl32.exeC:\Windows\system32\Pobhfl32.exe104⤵
PID:1700 -
C:\Windows\SysWOW64\Pqdend32.exeC:\Windows\system32\Pqdend32.exe105⤵
PID:2820 -
C:\Windows\SysWOW64\Pikmob32.exeC:\Windows\system32\Pikmob32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Pkiikm32.exeC:\Windows\system32\Pkiikm32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Pjlifjjb.exeC:\Windows\system32\Pjlifjjb.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Peandcih.exeC:\Windows\system32\Peandcih.exe109⤵
- Drops file in System32 directory
PID:1744 -
C:\Windows\SysWOW64\Pgpjpnhk.exeC:\Windows\system32\Pgpjpnhk.exe110⤵
PID:1484 -
C:\Windows\SysWOW64\Qnjbmh32.exeC:\Windows\system32\Qnjbmh32.exe111⤵
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Qahnid32.exeC:\Windows\system32\Qahnid32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2060 -
C:\Windows\SysWOW64\Qcgkeonp.exeC:\Windows\system32\Qcgkeonp.exe113⤵
PID:2436 -
C:\Windows\SysWOW64\Qfegakmc.exeC:\Windows\system32\Qfegakmc.exe114⤵
PID:2232 -
C:\Windows\SysWOW64\Qmoone32.exeC:\Windows\system32\Qmoone32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Qpnkjq32.exeC:\Windows\system32\Qpnkjq32.exe116⤵
PID:1672 -
C:\Windows\SysWOW64\Qcigjolm.exeC:\Windows\system32\Qcigjolm.exe117⤵
- Drops file in System32 directory
PID:2224 -
C:\Windows\SysWOW64\Afhcgjkq.exeC:\Windows\system32\Afhcgjkq.exe118⤵
PID:2040 -
C:\Windows\SysWOW64\Amalcd32.exeC:\Windows\system32\Amalcd32.exe119⤵
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Acldpojj.exeC:\Windows\system32\Acldpojj.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2584 -
C:\Windows\SysWOW64\Ajelmiag.exeC:\Windows\system32\Ajelmiag.exe121⤵
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\Amdhidqk.exeC:\Windows\system32\Amdhidqk.exe122⤵
- Modifies registry class
PID:2772