Analysis
-
max time kernel
125s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
06-03-2024 17:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
02ff9f02ef10b2a4e2f36414bf1a804cb257078366c854103ea54d322ba9c397.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
02ff9f02ef10b2a4e2f36414bf1a804cb257078366c854103ea54d322ba9c397.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
02ff9f02ef10b2a4e2f36414bf1a804cb257078366c854103ea54d322ba9c397.exe
-
Size
227KB
-
MD5
dfaa5b6067a2b0393eba4972bb341009
-
SHA1
93a551ae898fbe9f8deba501137af48898caf5a8
-
SHA256
02ff9f02ef10b2a4e2f36414bf1a804cb257078366c854103ea54d322ba9c397
-
SHA512
a250bf18772bc51b70d8912a6cf643474e73d654eb7238be309a9ca68aa87372373395a014d73666c97da77cb485c1a1b7a914f07c7f6ba72acb11e62565a71b
-
SSDEEP
3072:EI+4VYSPjG9xT80nPhcEaeyqpwoTRBmDRGGurhUXvBj2QE2HegPelTeIdI7jFHu:EInV3K9xYILYm7U5j2QE2+g24Id2jFHu
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Folfoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbhcpmkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Habili32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aqhhanig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fckhhgcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahqkocmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bpebidam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gimaah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joiappkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piqpkpml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ecnoijbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Allefimb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dbiocd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kmimcbja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiqoeplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hiqoeplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dqaode32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lhapocoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dapjdq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfkifhib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chqoipkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Caidaeak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajeeeblb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ciihklpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fofbhgde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghkndf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cebcmdlg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Folfoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aojabdlf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feiddbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gipqpplq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poibmdmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nemhhpmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Afajafoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cmmhaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Joiappkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Agpcihcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhhhbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgqpkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bffpki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eddeladm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dlkqpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gjdldd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cojghf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdjidgfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acekjjmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cbajkiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Daplkmbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ekkjheja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fodebh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nokcbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aojabdlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Afdiondb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpjbgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Elcpbigl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhhbif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ljplkonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Danpemej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fckhhgcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" 02ff9f02ef10b2a4e2f36414bf1a804cb257078366c854103ea54d322ba9c397.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oaqbln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhkkbmnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhjlli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkjdndjo.exe -
Executes dropped EXE 64 IoCs
pid Process 2900 Ehoocgeb.exe 2584 Egdlec32.exe 2648 Fnndan32.exe 2552 Fdjidgfa.exe 2428 Glbqje32.exe 1256 Ghkndf32.exe 1876 Jkgcab32.exe 1996 Jgqpkc32.exe 1888 Lmdkcl32.exe 1928 Lflplbpi.exe 768 Lklejh32.exe 1448 Ledibnco.exe 1096 Meicnm32.exe 1892 Mapccndn.exe 2620 Mbeiefff.exe 2300 Nlpkdkkd.exe 1688 Nhgkil32.exe 2784 Nemhhpmp.exe 2780 Nadimacd.exe 952 Oklnff32.exe 292 Oiakgcnl.exe 2032 Ogekpg32.exe 776 Olbchn32.exe 1368 Ocllehcj.exe 1464 Oaaifdhb.exe 2088 Poeipifl.exe 1180 Phnnho32.exe 2596 Pnjfae32.exe 2616 Pgegok32.exe 2488 Pqnlhpfb.exe 1724 Pjfpafmb.exe 2416 Qfmafg32.exe 2460 Afajafoa.exe 2844 Acekjjmk.exe 2676 Aollokco.exe 2652 Abkhkgbb.exe 1988 Anahqh32.exe 1616 Ajhiei32.exe 1296 Aennba32.exe 588 Agljom32.exe 1020 Badnhbce.exe 756 Bfagpiam.exe 1924 Bagkmb32.exe 548 Bjoofhgc.exe 564 Bffpki32.exe 2172 Bigimdjh.exe 2016 Bfkifhib.exe 1816 Clgbno32.exe 3028 Cbajkiof.exe 2020 Cikbhc32.exe 896 Cebcmdlg.exe 612 Chqoipkk.exe 560 Cmmhaf32.exe 1696 Caidaeak.exe 2116 Cffljlpc.exe 2612 Joiappkp.exe 2696 Lcomce32.exe 2404 Lcfbdd32.exe 2828 Odjdmjgo.exe 2364 Ohfqmi32.exe 1484 Odmabj32.exe 1120 Ogknoe32.exe 2000 Oaqbln32.exe 1884 Pkifdd32.exe -
Loads dropped DLL 64 IoCs
pid Process 2468 02ff9f02ef10b2a4e2f36414bf1a804cb257078366c854103ea54d322ba9c397.exe 2468 02ff9f02ef10b2a4e2f36414bf1a804cb257078366c854103ea54d322ba9c397.exe 2900 Ehoocgeb.exe 2900 Ehoocgeb.exe 2584 Egdlec32.exe 2584 Egdlec32.exe 2648 Fnndan32.exe 2648 Fnndan32.exe 2552 Fdjidgfa.exe 2552 Fdjidgfa.exe 2428 Glbqje32.exe 2428 Glbqje32.exe 1256 Ghkndf32.exe 1256 Ghkndf32.exe 1876 Jkgcab32.exe 1876 Jkgcab32.exe 1996 Jgqpkc32.exe 1996 Jgqpkc32.exe 1888 Lmdkcl32.exe 1888 Lmdkcl32.exe 1928 Lflplbpi.exe 1928 Lflplbpi.exe 768 Lklejh32.exe 768 Lklejh32.exe 1448 Ledibnco.exe 1448 Ledibnco.exe 1096 Meicnm32.exe 1096 Meicnm32.exe 1892 Mapccndn.exe 1892 Mapccndn.exe 2620 Mbeiefff.exe 2620 Mbeiefff.exe 2300 Nlpkdkkd.exe 2300 Nlpkdkkd.exe 1688 Nhgkil32.exe 1688 Nhgkil32.exe 2784 Nemhhpmp.exe 2784 Nemhhpmp.exe 2780 Nadimacd.exe 2780 Nadimacd.exe 952 Oklnff32.exe 952 Oklnff32.exe 292 Oiakgcnl.exe 292 Oiakgcnl.exe 2032 Ogekpg32.exe 2032 Ogekpg32.exe 776 Olbchn32.exe 776 Olbchn32.exe 1368 Ocllehcj.exe 1368 Ocllehcj.exe 1464 Oaaifdhb.exe 1464 Oaaifdhb.exe 2088 Poeipifl.exe 2088 Poeipifl.exe 1180 Phnnho32.exe 1180 Phnnho32.exe 2596 Pnjfae32.exe 2596 Pnjfae32.exe 2616 Pgegok32.exe 2616 Pgegok32.exe 2488 Pqnlhpfb.exe 2488 Pqnlhpfb.exe 1724 Pjfpafmb.exe 1724 Pjfpafmb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Aanddk32.dll Akfnkmei.exe File opened for modification C:\Windows\SysWOW64\Ejabqi32.exe Djoeki32.exe File opened for modification C:\Windows\SysWOW64\Ibkhak32.exe Ikapdqoc.exe File created C:\Windows\SysWOW64\Ebofcd32.exe Ehgaknbp.exe File created C:\Windows\SysWOW64\Aicipgqe.exe Nkbcgnie.exe File created C:\Windows\SysWOW64\Galopp32.dll Fdjidgfa.exe File created C:\Windows\SysWOW64\Egkoigpo.dll Pcdkif32.exe File created C:\Windows\SysWOW64\Cdfddadf.dll Epmfgo32.exe File opened for modification C:\Windows\SysWOW64\Ngpcohbm.exe Ndafcmci.exe File created C:\Windows\SysWOW64\Qkdlpgkc.dll Agccbenc.exe File created C:\Windows\SysWOW64\Cagienkb.exe Ckjamgmk.exe File created C:\Windows\SysWOW64\Abnjmd32.dll Acjdgf32.exe File created C:\Windows\SysWOW64\Apepdbkl.dll Gegaeabe.exe File created C:\Windows\SysWOW64\Qnfkge32.dll Abkhkgbb.exe File created C:\Windows\SysWOW64\Ambnnc32.dll Cbajkiof.exe File created C:\Windows\SysWOW64\Agpcihcf.exe Qngopb32.exe File opened for modification C:\Windows\SysWOW64\Ecnoijbd.exe Epmfgo32.exe File opened for modification C:\Windows\SysWOW64\Bhjlli32.exe Abpcooea.exe File opened for modification C:\Windows\SysWOW64\Egdlec32.exe Ehoocgeb.exe File created C:\Windows\SysWOW64\Ebfbbc32.dll Aennba32.exe File created C:\Windows\SysWOW64\Odmabj32.exe Ohfqmi32.exe File opened for modification C:\Windows\SysWOW64\Bbcjca32.exe Blibghmm.exe File opened for modification C:\Windows\SysWOW64\Lklejh32.exe Lflplbpi.exe File created C:\Windows\SysWOW64\Ekkjheja.exe Edaalk32.exe File opened for modification C:\Windows\SysWOW64\Mapccndn.exe Meicnm32.exe File created C:\Windows\SysWOW64\Nqmice32.dll Hekefkig.exe File created C:\Windows\SysWOW64\Dkjpdcfj.exe Djicmk32.exe File created C:\Windows\SysWOW64\Glbqje32.exe Fdjidgfa.exe File created C:\Windows\SysWOW64\Fgilkf32.dll Pqnlhpfb.exe File opened for modification C:\Windows\SysWOW64\Boogmgkl.exe Bjbndpmd.exe File created C:\Windows\SysWOW64\Bjdkjpkb.exe Boogmgkl.exe File created C:\Windows\SysWOW64\Hilcfe32.dll Daplkmbg.exe File opened for modification C:\Windows\SysWOW64\Olbchn32.exe Ogekpg32.exe File created C:\Windows\SysWOW64\Ekndacia.dll Pdjjag32.exe File created C:\Windows\SysWOW64\Jpdihq32.dll Gidhbgag.exe File created C:\Windows\SysWOW64\Llebnfpe.exe Lbkaoalg.exe File created C:\Windows\SysWOW64\Ijjhkqme.dll Epipql32.exe File created C:\Windows\SysWOW64\Cdljhf32.dll Lflplbpi.exe File created C:\Windows\SysWOW64\Beackp32.exe Akiobk32.exe File created C:\Windows\SysWOW64\Cegoqlof.exe Cagienkb.exe File opened for modification C:\Windows\SysWOW64\Dipjkn32.exe Dbfbnddq.exe File created C:\Windows\SysWOW64\Fameoj32.dll Fofbhgde.exe File opened for modification C:\Windows\SysWOW64\Anpahn32.exe Aicipgqe.exe File created C:\Windows\SysWOW64\Epmfgo32.exe Dicnkdnf.exe File created C:\Windows\SysWOW64\Pojecajj.exe Mpgobc32.exe File created C:\Windows\SysWOW64\Pcdkif32.exe Pmgbao32.exe File created C:\Windows\SysWOW64\Aaipghcn.exe Ahqkocmm.exe File created C:\Windows\SysWOW64\Fbpfll32.dll Hoalia32.exe File opened for modification C:\Windows\SysWOW64\Ejohdbok.exe Dpgckm32.exe File opened for modification C:\Windows\SysWOW64\Decdmi32.exe Dkjpdcfj.exe File created C:\Windows\SysWOW64\Ibkhak32.exe Ikapdqoc.exe File created C:\Windows\SysWOW64\Ehcgkpie.dll Ejohdbok.exe File opened for modification C:\Windows\SysWOW64\Hjhchg32.exe Gdnkkmej.exe File created C:\Windows\SysWOW64\Hpdgka32.dll Gjdldd32.exe File created C:\Windows\SysWOW64\Pjfpafmb.exe Pqnlhpfb.exe File created C:\Windows\SysWOW64\Ndqbnp32.dll Pjfpafmb.exe File opened for modification C:\Windows\SysWOW64\Aqhhanig.exe Agpcihcf.exe File created C:\Windows\SysWOW64\Fqalaa32.exe Fcnkhmdp.exe File created C:\Windows\SysWOW64\Chnlno32.dll Ggdcbi32.exe File created C:\Windows\SysWOW64\Anlhkbhq.exe Acfdnihk.exe File opened for modification C:\Windows\SysWOW64\Eabepp32.exe Eodicd32.exe File created C:\Windows\SysWOW64\Leaohdkk.dll Glnkcc32.exe File created C:\Windows\SysWOW64\Ammoel32.exe Ajociq32.exe File created C:\Windows\SysWOW64\Caepdk32.exe Celbik32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2792 1676 WerFault.exe 396 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gapoob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plmcfpfk.dll" Dbdehdfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fodebh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hfepod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fhhbif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Llebnfpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pbjkop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aojabdlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ippdloip.dll" Dgnminke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lchqcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdffnl32.dll" Jgqpkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eenfeoiq.dll" Qngopb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Monoflqe.dll" Djiqdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppiidm32.dll" Hgflflqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dkjpdcfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmahec32.dll" Habkeacd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlmkljal.dll" Ajhiei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ecmjid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bhjlli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Edaalk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ficehj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll" Cagienkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcngcc32.dll" Fpgnoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpjqhld.dll" Gapoob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iffjegma.dll" Olbchn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eipbmjcc.dll" Dpjbgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bbcjca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aicipgqe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Celbik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cmmhaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pmmcfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jagjihoe.dll" Pgbdodnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ilifndlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lbkaoalg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gjkcod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bfkifhib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qanmcdlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdhpfnbe.dll" Cdchneko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Enmqjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmdgpc32.dll" Boidnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pqnlhpfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pdjjag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ggdcbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qigebglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddbdee32.dll" Mapccndn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nokcbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmgphhbi.dll" Abdbflnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pgbdodnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nojnea32.dll" Poibmdmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcomknkd.dll" Agljom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nhgkil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Piadma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dnfhqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Chhbpfhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mapccndn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ejabqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lknebaba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Poibmdmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ecnoijbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhaflo32.dll" Feiddbbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fpmned32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ejohdbok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Anpahn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Feiddbbj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2468 wrote to memory of 2900 2468 02ff9f02ef10b2a4e2f36414bf1a804cb257078366c854103ea54d322ba9c397.exe 28 PID 2468 wrote to memory of 2900 2468 02ff9f02ef10b2a4e2f36414bf1a804cb257078366c854103ea54d322ba9c397.exe 28 PID 2468 wrote to memory of 2900 2468 02ff9f02ef10b2a4e2f36414bf1a804cb257078366c854103ea54d322ba9c397.exe 28 PID 2468 wrote to memory of 2900 2468 02ff9f02ef10b2a4e2f36414bf1a804cb257078366c854103ea54d322ba9c397.exe 28 PID 2900 wrote to memory of 2584 2900 Ehoocgeb.exe 29 PID 2900 wrote to memory of 2584 2900 Ehoocgeb.exe 29 PID 2900 wrote to memory of 2584 2900 Ehoocgeb.exe 29 PID 2900 wrote to memory of 2584 2900 Ehoocgeb.exe 29 PID 2584 wrote to memory of 2648 2584 Egdlec32.exe 30 PID 2584 wrote to memory of 2648 2584 Egdlec32.exe 30 PID 2584 wrote to memory of 2648 2584 Egdlec32.exe 30 PID 2584 wrote to memory of 2648 2584 Egdlec32.exe 30 PID 2648 wrote to memory of 2552 2648 Fnndan32.exe 31 PID 2648 wrote to memory of 2552 2648 Fnndan32.exe 31 PID 2648 wrote to memory of 2552 2648 Fnndan32.exe 31 PID 2648 wrote to memory of 2552 2648 Fnndan32.exe 31 PID 2552 wrote to memory of 2428 2552 Fdjidgfa.exe 32 PID 2552 wrote to memory of 2428 2552 Fdjidgfa.exe 32 PID 2552 wrote to memory of 2428 2552 Fdjidgfa.exe 32 PID 2552 wrote to memory of 2428 2552 Fdjidgfa.exe 32 PID 2428 wrote to memory of 1256 2428 Glbqje32.exe 33 PID 2428 wrote to memory of 1256 2428 Glbqje32.exe 33 PID 2428 wrote to memory of 1256 2428 Glbqje32.exe 33 PID 2428 wrote to memory of 1256 2428 Glbqje32.exe 33 PID 1256 wrote to memory of 1876 1256 Ghkndf32.exe 34 PID 1256 wrote to memory of 1876 1256 Ghkndf32.exe 34 PID 1256 wrote to memory of 1876 1256 Ghkndf32.exe 34 PID 1256 wrote to memory of 1876 1256 Ghkndf32.exe 34 PID 1876 wrote to memory of 1996 1876 Jkgcab32.exe 35 PID 1876 wrote to memory of 1996 1876 Jkgcab32.exe 35 PID 1876 wrote to memory of 1996 1876 Jkgcab32.exe 35 PID 1876 wrote to memory of 1996 1876 Jkgcab32.exe 35 PID 1996 wrote to memory of 1888 1996 Jgqpkc32.exe 36 PID 1996 wrote to memory of 1888 1996 Jgqpkc32.exe 36 PID 1996 wrote to memory of 1888 1996 Jgqpkc32.exe 36 PID 1996 wrote to memory of 1888 1996 Jgqpkc32.exe 36 PID 1888 wrote to memory of 1928 1888 Lmdkcl32.exe 37 PID 1888 wrote to memory of 1928 1888 Lmdkcl32.exe 37 PID 1888 wrote to memory of 1928 1888 Lmdkcl32.exe 37 PID 1888 wrote to memory of 1928 1888 Lmdkcl32.exe 37 PID 1928 wrote to memory of 768 1928 Lflplbpi.exe 38 PID 1928 wrote to memory of 768 1928 Lflplbpi.exe 38 PID 1928 wrote to memory of 768 1928 Lflplbpi.exe 38 PID 1928 wrote to memory of 768 1928 Lflplbpi.exe 38 PID 768 wrote to memory of 1448 768 Lklejh32.exe 39 PID 768 wrote to memory of 1448 768 Lklejh32.exe 39 PID 768 wrote to memory of 1448 768 Lklejh32.exe 39 PID 768 wrote to memory of 1448 768 Lklejh32.exe 39 PID 1448 wrote to memory of 1096 1448 Ledibnco.exe 40 PID 1448 wrote to memory of 1096 1448 Ledibnco.exe 40 PID 1448 wrote to memory of 1096 1448 Ledibnco.exe 40 PID 1448 wrote to memory of 1096 1448 Ledibnco.exe 40 PID 1096 wrote to memory of 1892 1096 Meicnm32.exe 41 PID 1096 wrote to memory of 1892 1096 Meicnm32.exe 41 PID 1096 wrote to memory of 1892 1096 Meicnm32.exe 41 PID 1096 wrote to memory of 1892 1096 Meicnm32.exe 41 PID 1892 wrote to memory of 2620 1892 Mapccndn.exe 42 PID 1892 wrote to memory of 2620 1892 Mapccndn.exe 42 PID 1892 wrote to memory of 2620 1892 Mapccndn.exe 42 PID 1892 wrote to memory of 2620 1892 Mapccndn.exe 42 PID 2620 wrote to memory of 2300 2620 Mbeiefff.exe 43 PID 2620 wrote to memory of 2300 2620 Mbeiefff.exe 43 PID 2620 wrote to memory of 2300 2620 Mbeiefff.exe 43 PID 2620 wrote to memory of 2300 2620 Mbeiefff.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\02ff9f02ef10b2a4e2f36414bf1a804cb257078366c854103ea54d322ba9c397.exe"C:\Users\Admin\AppData\Local\Temp\02ff9f02ef10b2a4e2f36414bf1a804cb257078366c854103ea54d322ba9c397.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Ehoocgeb.exeC:\Windows\system32\Ehoocgeb.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Egdlec32.exeC:\Windows\system32\Egdlec32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Fnndan32.exeC:\Windows\system32\Fnndan32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Fdjidgfa.exeC:\Windows\system32\Fdjidgfa.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Glbqje32.exeC:\Windows\system32\Glbqje32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Ghkndf32.exeC:\Windows\system32\Ghkndf32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Jkgcab32.exeC:\Windows\system32\Jkgcab32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\SysWOW64\Jgqpkc32.exeC:\Windows\system32\Jgqpkc32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Lmdkcl32.exeC:\Windows\system32\Lmdkcl32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\SysWOW64\Lflplbpi.exeC:\Windows\system32\Lflplbpi.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Lklejh32.exeC:\Windows\system32\Lklejh32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Ledibnco.exeC:\Windows\system32\Ledibnco.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\Meicnm32.exeC:\Windows\system32\Meicnm32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Mapccndn.exeC:\Windows\system32\Mapccndn.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\Mbeiefff.exeC:\Windows\system32\Mbeiefff.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Nlpkdkkd.exeC:\Windows\system32\Nlpkdkkd.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2300 -
C:\Windows\SysWOW64\Nhgkil32.exeC:\Windows\system32\Nhgkil32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Nemhhpmp.exeC:\Windows\system32\Nemhhpmp.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Nadimacd.exeC:\Windows\system32\Nadimacd.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Oklnff32.exeC:\Windows\system32\Oklnff32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:952 -
C:\Windows\SysWOW64\Oiakgcnl.exeC:\Windows\system32\Oiakgcnl.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:292 -
C:\Windows\SysWOW64\Ogekpg32.exeC:\Windows\system32\Ogekpg32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2032 -
C:\Windows\SysWOW64\Olbchn32.exeC:\Windows\system32\Olbchn32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:776 -
C:\Windows\SysWOW64\Ocllehcj.exeC:\Windows\system32\Ocllehcj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1368 -
C:\Windows\SysWOW64\Oaaifdhb.exeC:\Windows\system32\Oaaifdhb.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1464 -
C:\Windows\SysWOW64\Poeipifl.exeC:\Windows\system32\Poeipifl.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Windows\SysWOW64\Phnnho32.exeC:\Windows\system32\Phnnho32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1180 -
C:\Windows\SysWOW64\Pnjfae32.exeC:\Windows\system32\Pnjfae32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Pgegok32.exeC:\Windows\system32\Pgegok32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Pqnlhpfb.exeC:\Windows\system32\Pqnlhpfb.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2488 -
C:\Windows\SysWOW64\Pjfpafmb.exeC:\Windows\system32\Pjfpafmb.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1724 -
C:\Windows\SysWOW64\Qfmafg32.exeC:\Windows\system32\Qfmafg32.exe33⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Afajafoa.exeC:\Windows\system32\Afajafoa.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Acekjjmk.exeC:\Windows\system32\Acekjjmk.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Aollokco.exeC:\Windows\system32\Aollokco.exe36⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Abkhkgbb.exeC:\Windows\system32\Abkhkgbb.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Anahqh32.exeC:\Windows\system32\Anahqh32.exe38⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Ajhiei32.exeC:\Windows\system32\Ajhiei32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Aennba32.exeC:\Windows\system32\Aennba32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1296 -
C:\Windows\SysWOW64\Agljom32.exeC:\Windows\system32\Agljom32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:588 -
C:\Windows\SysWOW64\Badnhbce.exeC:\Windows\system32\Badnhbce.exe42⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Bfagpiam.exeC:\Windows\system32\Bfagpiam.exe43⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Bagkmb32.exeC:\Windows\system32\Bagkmb32.exe44⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Bjoofhgc.exeC:\Windows\system32\Bjoofhgc.exe45⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Bffpki32.exeC:\Windows\system32\Bffpki32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Bigimdjh.exeC:\Windows\system32\Bigimdjh.exe47⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Bfkifhib.exeC:\Windows\system32\Bfkifhib.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Clgbno32.exeC:\Windows\system32\Clgbno32.exe49⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Cikbhc32.exeC:\Windows\system32\Cikbhc32.exe51⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Cebcmdlg.exeC:\Windows\system32\Cebcmdlg.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Chqoipkk.exeC:\Windows\system32\Chqoipkk.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Cmmhaf32.exeC:\Windows\system32\Cmmhaf32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:560 -
C:\Windows\SysWOW64\Caidaeak.exeC:\Windows\system32\Caidaeak.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Cffljlpc.exeC:\Windows\system32\Cffljlpc.exe56⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Ckahkk32.exeC:\Windows\system32\Ckahkk32.exe57⤵PID:3000
-
C:\Windows\SysWOW64\Joiappkp.exeC:\Windows\system32\Joiappkp.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Lcomce32.exeC:\Windows\system32\Lcomce32.exe59⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Lcfbdd32.exeC:\Windows\system32\Lcfbdd32.exe60⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Odjdmjgo.exeC:\Windows\system32\Odjdmjgo.exe61⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Ohfqmi32.exeC:\Windows\system32\Ohfqmi32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Odmabj32.exeC:\Windows\system32\Odmabj32.exe63⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Ogknoe32.exeC:\Windows\system32\Ogknoe32.exe64⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Oaqbln32.exeC:\Windows\system32\Oaqbln32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe66⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Pmgbao32.exeC:\Windows\system32\Pmgbao32.exe67⤵
- Drops file in System32 directory
PID:572 -
C:\Windows\SysWOW64\Pcdkif32.exeC:\Windows\system32\Pcdkif32.exe68⤵
- Drops file in System32 directory
PID:1108 -
C:\Windows\SysWOW64\Pnjofo32.exeC:\Windows\system32\Pnjofo32.exe69⤵PID:940
-
C:\Windows\SysWOW64\Pgbdodnh.exeC:\Windows\system32\Pgbdodnh.exe70⤵
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Piqpkpml.exeC:\Windows\system32\Piqpkpml.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2956 -
C:\Windows\SysWOW64\Ppkhhjei.exeC:\Windows\system32\Ppkhhjei.exe72⤵PID:948
-
C:\Windows\SysWOW64\Pegqpacp.exeC:\Windows\system32\Pegqpacp.exe73⤵PID:1228
-
C:\Windows\SysWOW64\Plaimk32.exeC:\Windows\system32\Plaimk32.exe74⤵PID:2788
-
C:\Windows\SysWOW64\Qdojgmfe.exeC:\Windows\system32\Qdojgmfe.exe75⤵PID:1796
-
C:\Windows\SysWOW64\Qngopb32.exeC:\Windows\system32\Qngopb32.exe76⤵
- Drops file in System32 directory
- Modifies registry class
PID:368 -
C:\Windows\SysWOW64\Agpcihcf.exeC:\Windows\system32\Agpcihcf.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:276 -
C:\Windows\SysWOW64\Aqhhanig.exeC:\Windows\system32\Aqhhanig.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2208 -
C:\Windows\SysWOW64\Acfdnihk.exeC:\Windows\system32\Acfdnihk.exe79⤵
- Drops file in System32 directory
PID:1436 -
C:\Windows\SysWOW64\Anlhkbhq.exeC:\Windows\system32\Anlhkbhq.exe80⤵PID:3008
-
C:\Windows\SysWOW64\Aciqcifh.exeC:\Windows\system32\Aciqcifh.exe81⤵PID:2896
-
C:\Windows\SysWOW64\Ajcipc32.exeC:\Windows\system32\Ajcipc32.exe82⤵PID:2752
-
C:\Windows\SysWOW64\Amaelomh.exeC:\Windows\system32\Amaelomh.exe83⤵PID:2608
-
C:\Windows\SysWOW64\Ajeeeblb.exeC:\Windows\system32\Ajeeeblb.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1728 -
C:\Windows\SysWOW64\Aqonbm32.exeC:\Windows\system32\Aqonbm32.exe85⤵PID:2680
-
C:\Windows\SysWOW64\Acnjnh32.exeC:\Windows\system32\Acnjnh32.exe86⤵PID:2688
-
C:\Windows\SysWOW64\Akiobk32.exeC:\Windows\system32\Akiobk32.exe87⤵
- Drops file in System32 directory
PID:1972 -
C:\Windows\SysWOW64\Beackp32.exeC:\Windows\system32\Beackp32.exe88⤵PID:2668
-
C:\Windows\SysWOW64\Bmhkmm32.exeC:\Windows\system32\Bmhkmm32.exe89⤵PID:2484
-
C:\Windows\SysWOW64\Boidnh32.exeC:\Windows\system32\Boidnh32.exe90⤵
- Modifies registry class
PID:1092 -
C:\Windows\SysWOW64\Bajqfq32.exeC:\Windows\system32\Bajqfq32.exe91⤵PID:1116
-
C:\Windows\SysWOW64\Bgdibkam.exeC:\Windows\system32\Bgdibkam.exe92⤵PID:268
-
C:\Windows\SysWOW64\Bammlq32.exeC:\Windows\system32\Bammlq32.exe93⤵PID:1904
-
C:\Windows\SysWOW64\Bjebdfnn.exeC:\Windows\system32\Bjebdfnn.exe94⤵PID:860
-
C:\Windows\SysWOW64\Bmcnqama.exeC:\Windows\system32\Bmcnqama.exe95⤵PID:1648
-
C:\Windows\SysWOW64\Bejfao32.exeC:\Windows\system32\Bejfao32.exe96⤵PID:2760
-
C:\Windows\SysWOW64\Bgibnj32.exeC:\Windows\system32\Bgibnj32.exe97⤵PID:2480
-
C:\Windows\SysWOW64\Bflbigdb.exeC:\Windows\system32\Bflbigdb.exe98⤵PID:1980
-
C:\Windows\SysWOW64\Cmhglq32.exeC:\Windows\system32\Cmhglq32.exe99⤵PID:904
-
C:\Windows\SysWOW64\Cpfdhl32.exeC:\Windows\system32\Cpfdhl32.exe100⤵PID:1600
-
C:\Windows\SysWOW64\Cbepdhgc.exeC:\Windows\system32\Cbepdhgc.exe101⤵PID:2320
-
C:\Windows\SysWOW64\Ciohqa32.exeC:\Windows\system32\Ciohqa32.exe102⤵PID:1708
-
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe103⤵PID:1960
-
C:\Windows\SysWOW64\Ciaefa32.exeC:\Windows\system32\Ciaefa32.exe104⤵PID:1920
-
C:\Windows\SysWOW64\Djgkii32.exeC:\Windows\system32\Djgkii32.exe105⤵PID:2624
-
C:\Windows\SysWOW64\Daacecfc.exeC:\Windows\system32\Daacecfc.exe106⤵PID:2176
-
C:\Windows\SysWOW64\Dhkkbmnp.exeC:\Windows\system32\Dhkkbmnp.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2544 -
C:\Windows\SysWOW64\Doecog32.exeC:\Windows\system32\Doecog32.exe108⤵PID:1576
-
C:\Windows\SysWOW64\Dhmhhmlm.exeC:\Windows\system32\Dhmhhmlm.exe109⤵PID:2396
-
C:\Windows\SysWOW64\Dmmmfc32.exeC:\Windows\system32\Dmmmfc32.exe110⤵PID:2560
-
C:\Windows\SysWOW64\Dicnkdnf.exeC:\Windows\system32\Dicnkdnf.exe111⤵
- Drops file in System32 directory
PID:524 -
C:\Windows\SysWOW64\Epmfgo32.exeC:\Windows\system32\Epmfgo32.exe112⤵
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Ecnoijbd.exeC:\Windows\system32\Ecnoijbd.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:832 -
C:\Windows\SysWOW64\Eihgfd32.exeC:\Windows\system32\Eihgfd32.exe114⤵PID:1668
-
C:\Windows\SysWOW64\Ehmdgp32.exeC:\Windows\system32\Ehmdgp32.exe115⤵PID:2564
-
C:\Windows\SysWOW64\Eogmcjef.exeC:\Windows\system32\Eogmcjef.exe116⤵PID:2212
-
C:\Windows\SysWOW64\Eddeladm.exeC:\Windows\system32\Eddeladm.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2908 -
C:\Windows\SysWOW64\Edfbaabj.exeC:\Windows\system32\Edfbaabj.exe118⤵PID:2168
-
C:\Windows\SysWOW64\Folfoj32.exeC:\Windows\system32\Folfoj32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1492 -
C:\Windows\SysWOW64\Fkbgckgd.exeC:\Windows\system32\Fkbgckgd.exe120⤵PID:836
-
C:\Windows\SysWOW64\Famope32.exeC:\Windows\system32\Famope32.exe121⤵PID:1620
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-