Analysis
max time kernel: 86s
max time network: 52s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 07/11/2022, 04:43
Static task: static1
Behavioral task: behavioral1
  Sample: b8a8e413d8cfb19d98978a1f706183ff09370aaf8572f78e4bf73c2dd1de4690.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: b8a8e413d8cfb19d98978a1f706183ff09370aaf8572f78e4bf73c2dd1de4690.exe
  Resource: win10v2004-20220812-en
General
Target: b8a8e413d8cfb19d98978a1f706183ff09370aaf8572f78e4bf73c2dd1de4690.exe
Size: 98KB
MD5: 0efb6e5771648dc7fec6881def814e90
SHA1: d97347709653ce313d203c547aaba3e0d9d4715f
SHA256: b8a8e413d8cfb19d98978a1f706183ff09370aaf8572f78e4bf73c2dd1de4690
SHA512: 458bfcca97d70d8e31e156a109d27c8009131375b1a7d62d7e498d37c772fb0bdd61702c07a4b45bc9fc4a776c721857eb2865512324d32811222dc72be5456f
SSDEEP: 1536:XMw+WlcTzdBjVk0FDnjWMdDOgLJww6pE1QZ+:cw+WlcPdBRkeDhjLJww6pE1o+
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 2916, pid_target: 2960, Process: WerFault.exe, procid_target: 762
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Each entry is the child of the one above it: the tree is a single chain 122 levels deep, and the level number is the nesting depth. Columns: level. image path | command line | PID | signatures. Every dropped executable is started with a command line naming C:\Windows\system32\ but runs from C:\Windows\SysWOW64\; that is WOW64 file-system redirection for a 32-bit process on 64-bit Windows, and the same redirection is why the "Drops file in System32 directory" writes land in SysWOW64.
1. C:\Users\Admin\AppData\Local\Temp\b8a8e413d8cfb19d98978a1f706183ff09370aaf8572f78e4bf73c2dd1de4690.exe | "C:\Users\Admin\AppData\Local\Temp\b8a8e413d8cfb19d98978a1f706183ff09370aaf8572f78e4bf73c2dd1de4690.exe" | PID 1356 | Loads dropped DLL; Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Diafaj32.exe | C:\Windows\system32\Diafaj32.exe | PID 840 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Elbpce32.exe | C:\Windows\system32\Elbpce32.exe | PID 520 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Enalmh32.exe | C:\Windows\system32\Enalmh32.exe | PID 916 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Egjqfnfo.exe | C:\Windows\system32\Egjqfnfo.exe | PID 1580 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Ejkigicp.exe | C:\Windows\system32\Ejkigicp.exe | PID 1684 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Eccnpnja.exe | C:\Windows\system32\Eccnpnja.exe | PID 1020 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Eojoeo32.exe | C:\Windows\system32\Eojoeo32.exe | PID 868 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Fhbcnefe.exe | C:\Windows\system32\Fhbcnefe.exe | PID 1388 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Folkkomb.exe | C:\Windows\system32\Folkkomb.exe | PID 1000 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Fggpoakn.exe | C:\Windows\system32\Fggpoakn.exe | PID 1576 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Fqpdhg32.exe | C:\Windows\system32\Fqpdhg32.exe | PID 1788 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Fgjmdaik.exe | C:\Windows\system32\Fgjmdaik.exe | PID 1920 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Fqbanfok.exe | C:\Windows\system32\Fqbanfok.exe | PID 1520 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Fglijq32.exe | C:\Windows\system32\Fglijq32.exe | PID 1104 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Fmibbg32.exe | C:\Windows\system32\Fmibbg32.exe | PID 1696 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Fgofpp32.exe | C:\Windows\system32\Fgofpp32.exe | PID 2044 | Executes dropped EXE; Loads dropped DLL
18. C:\Windows\SysWOW64\Fqgkif32.exe | C:\Windows\system32\Fqgkif32.exe | PID 1292 | Executes dropped EXE; Loads dropped DLL
19. C:\Windows\SysWOW64\Gbhgpnad.exe | C:\Windows\system32\Gbhgpnad.exe | PID 572 | Executes dropped EXE; Loads dropped DLL
20. C:\Windows\SysWOW64\Gjooakaf.exe | C:\Windows\system32\Gjooakaf.exe | PID 1556 | Executes dropped EXE; Loads dropped DLL
21. C:\Windows\SysWOW64\Gmnkngaj.exe | C:\Windows\system32\Gmnkngaj.exe | PID 2024 | Executes dropped EXE; Loads dropped DLL
22. C:\Windows\SysWOW64\Golgjbpn.exe | C:\Windows\system32\Golgjbpn.exe | PID 1100 | Executes dropped EXE; Loads dropped DLL
23. C:\Windows\SysWOW64\Gbkdfnoa.exe | C:\Windows\system32\Gbkdfnoa.exe | PID 1168 | Executes dropped EXE; Loads dropped DLL
24. C:\Windows\SysWOW64\Gidlbh32.exe | C:\Windows\system32\Gidlbh32.exe | PID 1992 | Executes dropped EXE; Loads dropped DLL
25. C:\Windows\SysWOW64\Gpodob32.exe | C:\Windows\system32\Gpodob32.exe | PID 1084 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
26. C:\Windows\SysWOW64\Gbmqkm32.exe | C:\Windows\system32\Gbmqkm32.exe | PID 1228 | Executes dropped EXE; Loads dropped DLL
27. C:\Windows\SysWOW64\Gigihgdl.exe | C:\Windows\system32\Gigihgdl.exe | PID 836 | Executes dropped EXE; Loads dropped DLL
28. C:\Windows\SysWOW64\Gpaaea32.exe | C:\Windows\system32\Gpaaea32.exe | PID 948 | Executes dropped EXE; Loads dropped DLL
29. C:\Windows\SysWOW64\Gabnmjbg.exe | C:\Windows\system32\Gabnmjbg.exe | PID 308 | Executes dropped EXE; Loads dropped DLL
30. C:\Windows\SysWOW64\Gglfid32.exe | C:\Windows\system32\Gglfid32.exe | PID 1560 | Executes dropped EXE; Loads dropped DLL
31. C:\Windows\SysWOW64\Gadjbi32.exe | C:\Windows\system32\Gadjbi32.exe | PID 556 | Executes dropped EXE; Loads dropped DLL
32. C:\Windows\SysWOW64\Gccfne32.exe | C:\Windows\system32\Gccfne32.exe | PID 764 | Executes dropped EXE; Loads dropped DLL
33. C:\Windows\SysWOW64\Hljnob32.exe | C:\Windows\system32\Hljnob32.exe | PID 468 | Executes dropped EXE
34. C:\Windows\SysWOW64\Hnhkkn32.exe | C:\Windows\system32\Hnhkkn32.exe | PID 1408 | Executes dropped EXE
35. C:\Windows\SysWOW64\Hfcopp32.exe | C:\Windows\system32\Hfcopp32.exe | PID 1964 | Executes dropped EXE
36. C:\Windows\SysWOW64\Hpldie32.exe | C:\Windows\system32\Hpldie32.exe | PID 1280 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
37. C:\Windows\SysWOW64\Hidhakij.exe | C:\Windows\system32\Hidhakij.exe | PID 1036 | Executes dropped EXE
38. C:\Windows\SysWOW64\Hjdeln32.exe | C:\Windows\system32\Hjdeln32.exe | PID 828 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
39. C:\Windows\SysWOW64\Hdlidc32.exe | C:\Windows\system32\Hdlidc32.exe | PID 996 | Executes dropped EXE
40. C:\Windows\SysWOW64\Hiiamj32.exe | C:\Windows\system32\Hiiamj32.exe | PID 1552 | Executes dropped EXE
41. C:\Windows\SysWOW64\Iiknbj32.exe | C:\Windows\system32\Iiknbj32.exe | PID 616 | Executes dropped EXE
42. C:\Windows\SysWOW64\Iafcfl32.exe | C:\Windows\system32\Iafcfl32.exe | PID 432 | Executes dropped EXE
43. C:\Windows\SysWOW64\Iojcpqof.exe | C:\Windows\system32\Iojcpqof.exe | PID 1932 | Executes dropped EXE
44. C:\Windows\SysWOW64\Ikadea32.exe | C:\Windows\system32\Ikadea32.exe | PID 1852 | Executes dropped EXE
45. C:\Windows\SysWOW64\Iheenfcd.exe | C:\Windows\system32\Iheenfcd.exe | PID 924 | Executes dropped EXE
46. C:\Windows\SysWOW64\Ipqichap.exe | C:\Windows\system32\Ipqichap.exe | PID 1004 | Executes dropped EXE
47. C:\Windows\SysWOW64\Jpcfhhom.exe | C:\Windows\system32\Jpcfhhom.exe | PID 1804 | Executes dropped EXE
48. C:\Windows\SysWOW64\Jligmida.exe | C:\Windows\system32\Jligmida.exe | PID 1720 | Executes dropped EXE
49. C:\Windows\SysWOW64\Jinggmck.exe | C:\Windows\system32\Jinggmck.exe | PID 1164 | Executes dropped EXE
50. C:\Windows\SysWOW64\Jipdlm32.exe | C:\Windows\system32\Jipdlm32.exe | PID 1916 | Executes dropped EXE
51. C:\Windows\SysWOW64\Jakiqo32.exe | C:\Windows\system32\Jakiqo32.exe | PID 1856 | Executes dropped EXE
52. C:\Windows\SysWOW64\Jckekbff.exe | C:\Windows\system32\Jckekbff.exe | PID 896 | Executes dropped EXE
53. C:\Windows\SysWOW64\Jeiagmej.exe | C:\Windows\system32\Jeiagmej.exe | PID 1524 | Executes dropped EXE
54. C:\Windows\SysWOW64\Klcjcgmf.exe | C:\Windows\system32\Klcjcgmf.exe | PID 1628 | Executes dropped EXE
55. C:\Windows\SysWOW64\Kdnohjja.exe | C:\Windows\system32\Kdnohjja.exe | PID 824 | Executes dropped EXE; Modifies registry class
56. C:\Windows\SysWOW64\Kgmkdeie.exe | C:\Windows\system32\Kgmkdeie.exe | PID 1780 | Executes dropped EXE
57. C:\Windows\SysWOW64\Knfcqo32.exe | C:\Windows\system32\Knfcqo32.exe | PID 1940 | Executes dropped EXE
58. C:\Windows\SysWOW64\Kgogjegb.exe | C:\Windows\system32\Kgogjegb.exe | PID 1976 | Executes dropped EXE; Drops file in System32 directory
59. C:\Windows\SysWOW64\Kadlgn32.exe | C:\Windows\system32\Kadlgn32.exe | PID 1108 | Executes dropped EXE; Modifies registry class
60. C:\Windows\SysWOW64\Kkmppcmi.exe | C:\Windows\system32\Kkmppcmi.exe | PID 1640 | Executes dropped EXE
61. C:\Windows\SysWOW64\Kdedhi32.exe | C:\Windows\system32\Kdedhi32.exe | PID 1724 | Executes dropped EXE
62. C:\Windows\SysWOW64\Knnian32.exe | C:\Windows\system32\Knnian32.exe | PID 1776 | Executes dropped EXE
63. C:\Windows\SysWOW64\Lcjaje32.exe | C:\Windows\system32\Lcjaje32.exe | PID 1548 | Executes dropped EXE
64. C:\Windows\SysWOW64\Ligjbl32.exe | C:\Windows\system32\Ligjbl32.exe | PID 1680 | Executes dropped EXE
65. C:\Windows\SysWOW64\Lcmnoe32.exe | C:\Windows\system32\Lcmnoe32.exe | PID 1700 | Executes dropped EXE
66. C:\Windows\SysWOW64\Lkhccgdj.exe | C:\Windows\system32\Lkhccgdj.exe | PID 1752 | Adds autorun key to be loaded by Explorer.exe on startup
67. C:\Windows\SysWOW64\Lbbkpa32.exe | C:\Windows\system32\Lbbkpa32.exe | PID 1252
68. C:\Windows\SysWOW64\Lepglm32.exe | C:\Windows\system32\Lepglm32.exe | PID 1332 | Drops file in System32 directory; Modifies registry class
69. C:\Windows\SysWOW64\Loflje32.exe | C:\Windows\system32\Loflje32.exe | PID 1860
70. C:\Windows\SysWOW64\Lbdhfa32.exe | C:\Windows\system32\Lbdhfa32.exe | PID 1096 | Modifies registry class
71. C:\Windows\SysWOW64\Linpbkqq.exe | C:\Windows\system32\Linpbkqq.exe | PID 540
72. C:\Windows\SysWOW64\Lohhoehn.exe | C:\Windows\system32\Lohhoehn.exe | PID 1908
73. C:\Windows\SysWOW64\Leeaglfe.exe | C:\Windows\system32\Leeaglfe.exe | PID 812 | Drops file in System32 directory
74. C:\Windows\SysWOW64\Liqmhk32.exe | C:\Windows\system32\Liqmhk32.exe | PID 1504 | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
75. C:\Windows\SysWOW64\Mkoidf32.exe | C:\Windows\system32\Mkoidf32.exe | PID 1400
76. C:\Windows\SysWOW64\Mgfjigcf.exe | C:\Windows\system32\Mgfjigcf.exe | PID 1912 | Adds autorun key to be loaded by Explorer.exe on startup
77. C:\Windows\SysWOW64\Mjdfebbj.exe | C:\Windows\system32\Mjdfebbj.exe | PID 1924
78. C:\Windows\SysWOW64\Mmbban32.exe | C:\Windows\system32\Mmbban32.exe | PID 1816
79. C:\Windows\SysWOW64\Mcmknhij.exe | C:\Windows\system32\Mcmknhij.exe | PID 1820
80. C:\Windows\SysWOW64\Mfkgjchn.exe | C:\Windows\system32\Mfkgjchn.exe | PID 1616
81. C:\Windows\SysWOW64\Mnbokaip.exe | C:\Windows\system32\Mnbokaip.exe | PID 1444
82. C:\Windows\SysWOW64\Mgjcdf32.exe | C:\Windows\system32\Mgjcdf32.exe | PID 2056
83. C:\Windows\SysWOW64\Milploeo.exe | C:\Windows\system32\Milploeo.exe | PID 2088
84. C:\Windows\SysWOW64\Mllinj32.exe | C:\Windows\system32\Mllinj32.exe | PID 2108
85. C:\Windows\SysWOW64\Nccqog32.exe | C:\Windows\system32\Nccqog32.exe | PID 2132 | Adds autorun key to be loaded by Explorer.exe on startup
86. C:\Windows\SysWOW64\Neemfoiq.exe | C:\Windows\system32\Neemfoiq.exe | PID 2504
87. C:\Windows\SysWOW64\Poimjfho.exe | C:\Windows\system32\Poimjfho.exe | PID 2512
88. C:\Windows\SysWOW64\Pagjfbgc.exe | C:\Windows\system32\Pagjfbgc.exe | PID 2520
89. C:\Windows\SysWOW64\Pdefbm32.exe | C:\Windows\system32\Pdefbm32.exe | PID 2528
90. C:\Windows\SysWOW64\Pkpnogmc.exe | C:\Windows\system32\Pkpnogmc.exe | PID 2536
91. C:\Windows\SysWOW64\Pnnjkcmg.exe | C:\Windows\system32\Pnnjkcmg.exe | PID 2544 | Modifies registry class
92. C:\Windows\SysWOW64\Paifla32.exe | C:\Windows\system32\Paifla32.exe | PID 2552
93. C:\Windows\SysWOW64\Pgfodh32.exe | C:\Windows\system32\Pgfodh32.exe | PID 2560 | Drops file in System32 directory
94. C:\Windows\SysWOW64\Pnpgqbjd.exe | C:\Windows\system32\Pnpgqbjd.exe | PID 2568
95. C:\Windows\SysWOW64\Pdjomm32.exe | C:\Windows\system32\Pdjomm32.exe | PID 2576
96. C:\Windows\SysWOW64\Pghljhae.exe | C:\Windows\system32\Pghljhae.exe | PID 2584
97. C:\Windows\SysWOW64\Pjghfcph.exe | C:\Windows\system32\Pjghfcph.exe | PID 2592
98. C:\Windows\SysWOW64\Qdmlclpo.exe | C:\Windows\system32\Qdmlclpo.exe | PID 2600
99. C:\Windows\SysWOW64\Qgkhohob.exe | C:\Windows\system32\Qgkhohob.exe | PID 2608
100. C:\Windows\SysWOW64\Qneqlb32.exe | C:\Windows\system32\Qneqlb32.exe | PID 2616
101. C:\Windows\SysWOW64\Qofmcjlm.exe | C:\Windows\system32\Qofmcjlm.exe | PID 2624
102. C:\Windows\SysWOW64\Qgmedg32.exe | C:\Windows\system32\Qgmedg32.exe | PID 2632
103. C:\Windows\SysWOW64\Ahoalpcn.exe | C:\Windows\system32\Ahoalpcn.exe | PID 2644
104. C:\Windows\SysWOW64\Aqeinmcp.exe | C:\Windows\system32\Aqeinmcp.exe | PID 2668
105. C:\Windows\SysWOW64\Abgfee32.exe | C:\Windows\system32\Abgfee32.exe | PID 2676
106. C:\Windows\SysWOW64\Ajnnfb32.exe | C:\Windows\system32\Ajnnfb32.exe | PID 2692
107. C:\Windows\SysWOW64\Akojnkpo.exe | C:\Windows\system32\Akojnkpo.exe | PID 2708
108. C:\Windows\SysWOW64\Aokfoi32.exe | C:\Windows\system32\Aokfoi32.exe | PID 2720 | Adds autorun key to be loaded by Explorer.exe on startup
109. C:\Windows\SysWOW64\Afeokcpe.exe | C:\Windows\system32\Afeokcpe.exe | PID 2740 | Drops file in System32 directory; Modifies registry class
110. C:\Windows\SysWOW64\Ahckgo32.exe | C:\Windows\system32\Ahckgo32.exe | PID 2764 | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
111. C:\Windows\SysWOW64\Akagcj32.exe | C:\Windows\system32\Akagcj32.exe | PID 2788
112. C:\Windows\SysWOW64\Ablopdei.exe | C:\Windows\system32\Ablopdei.exe | PID 2808
113. C:\Windows\SysWOW64\Adjllpdm.exe | C:\Windows\system32\Adjllpdm.exe | PID 2828 | Modifies registry class
114. C:\Windows\SysWOW64\Akddij32.exe | C:\Windows\system32\Akddij32.exe | PID 2848
115. C:\Windows\SysWOW64\Anbpee32.exe | C:\Windows\system32\Anbpee32.exe | PID 2888 | Adds autorun key to be loaded by Explorer.exe on startup
116. C:\Windows\SysWOW64\Ajiajf32.exe | C:\Windows\system32\Ajiajf32.exe | PID 2972
117. C:\Windows\SysWOW64\Bgmack32.exe | C:\Windows\system32\Bgmack32.exe | PID 2996
118. C:\Windows\SysWOW64\Bmjjla32.exe | C:\Windows\system32\Bmjjla32.exe | PID 3024 | Adds autorun key to be loaded by Explorer.exe on startup
119. C:\Windows\SysWOW64\Bcdbileo.exe | C:\Windows\system32\Bcdbileo.exe | PID 3032
120. C:\Windows\SysWOW64\Bfbnegdc.exe | C:\Windows\system32\Bfbnegdc.exe | PID 3040
121. C:\Windows\SysWOW64\Bmlfaalp.exe | C:\Windows\system32\Bmlfaalp.exe | PID 3048
122. C:\Windows\SysWOW64\Bcfonk32.exe | C:\Windows\system32\Bcfonk32.exe | PID 3056
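A detection that would catch the tree above from endpoint telemetry, added as an example that is not part of the report or of the sandbox's own signatures: it walks Sysmon-style process-creation events (the field names ProcessId, ParentProcessId, Image and CommandLine are assumed), reports every run of system-directory executables in which each process spawns the next, and separately recognises a command line naming system32 while the image ran from SysWOW64 as WOW64 redirection rather than a path mismatch. The events, the allowlist and the chain threshold are constructed for the example, with "sample.exe" standing in for the submitted file.

```python
"""Flag a chain of system-directory executables each spawning the next.

Added example, not part of the sandbox report.  Event field names
(ProcessId, ParentProcessId, Image, CommandLine), the allowlist, the
threshold and the sample events are assumptions made for this example.
"""
import ntpath
import re
from collections import defaultdict

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Illustrative allowlist only; production logic keys on signer and hash,
# not on file names, which malware chooses freely.
KNOWN_GOOD = {"services.exe", "svchost.exe", "conhost.exe", "cmd.exe"}
CHAIN_THRESHOLD = 4  # assumed; a handful of links already exceeds normal depth


def first_token(command_line):
    """The program a command line names: a quoted path or the first word."""
    m = re.match(r'"([^"]+)"|(\S+)', command_line.strip())
    return (m.group(1) or m.group(2)) if m else ""


def wow64_redirected(image, command_line):
    """True when the command line names the file under system32 but the image
    that ran is the SysWOW64 copy with the same name: file-system redirection
    for a 32-bit process on 64-bit Windows, as in this report's tree."""
    claimed = first_token(command_line)
    return (
        ntpath.dirname(claimed).lower() == r"c:\windows\system32"
        and ntpath.dirname(image).lower() == r"c:\windows\syswow64"
        and ntpath.basename(claimed).lower() == ntpath.basename(image).lower()
    )


def suspicious_image(image):
    """A system-directory executable that is not on the allowlist."""
    return (
        ntpath.dirname(image).lower() in SYSTEM_DIRS
        and ntpath.basename(image).lower() not in KNOWN_GOOD
    )


def spawn_chains(events):
    """Every maximal run of suspicious images in which each process is the
    parent of the next, as lists of (pid, image file name)."""
    by_pid = {e["ProcessId"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ParentProcessId"]].append(e)
    runs = []

    def walk(event, run):
        if suspicious_image(event["Image"]):
            run = run + [(event["ProcessId"], ntpath.basename(event["Image"]))]
        else:
            if run:
                runs.append(run)  # a benign process ends the run
            run = []
        kids = children.get(event["ProcessId"], [])
        if not kids and run:
            runs.append(run)  # leaf of the tree ends the run
        for kid in kids:
            walk(kid, run)

    for root in (e for e in events if e["ParentProcessId"] not in by_pid):
        walk(root, [])
    return runs


def alerts(events, threshold=CHAIN_THRESHOLD):
    return [run for run in spawn_chains(events) if len(run) >= threshold]


def _event(pid, ppid, image, command_line):
    return {"ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "CommandLine": command_line}


# Constructed events modelled on the first links of this report's tree, plus
# a benign services.exe -> svchost.exe pair for contrast.
EVENTS = [
    _event(1200, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
    _event(1356, 1200, r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    _event(840, 1356, r"C:\Windows\SysWOW64\Diafaj32.exe", r"C:\Windows\system32\Diafaj32.exe"),
    _event(520, 840, r"C:\Windows\SysWOW64\Elbpce32.exe", r"C:\Windows\system32\Elbpce32.exe"),
    _event(916, 520, r"C:\Windows\SysWOW64\Enalmh32.exe", r"C:\Windows\system32\Enalmh32.exe"),
    _event(1580, 916, r"C:\Windows\SysWOW64\Egjqfnfo.exe", r"C:\Windows\system32\Egjqfnfo.exe"),
    _event(1684, 1580, r"C:\Windows\SysWOW64\Ejkigicp.exe", r"C:\Windows\system32\Ejkigicp.exe"),
    _event(480, 400, r"C:\Windows\System32\services.exe", r"C:\Windows\system32\services.exe"),
    _event(600, 480, r"C:\Windows\System32\svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for run in alerts(EVENTS):
        print(f"{len(run)}-deep chain of system-directory executables: "
              + " -> ".join(f"{name}({pid})" for pid, name in run))
    for e in EVENTS:
        if wow64_redirected(e["Image"], e["CommandLine"]):
            print(f"WOW64 redirection: {e['CommandLine']} ran as {e['Image']}")
```

The chain check is deliberately name-agnostic: it does not depend on the eight-letter file names this sample happens to use, only on unknown executables in a system directory launching one another to a depth no Windows component reaches. The WOW64 check is the caveat for anyone correlating command lines against image paths on x64 hosts: the system32-to-SysWOW64 difference is the loader's doing, not the malware's.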