Analysis
-
max time kernel
10s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
07/03/2024, 22:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8c67b7d22dba2471c49f9cc074cf9b5cb5d970a6265cdef0d06f9677737078fd.exe
Resource
win7-20240221-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
8c67b7d22dba2471c49f9cc074cf9b5cb5d970a6265cdef0d06f9677737078fd.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
8c67b7d22dba2471c49f9cc074cf9b5cb5d970a6265cdef0d06f9677737078fd.exe
-
Size
352KB
-
MD5
125f2efd4b2ff0fd21d288b4da7692e1
-
SHA1
0274be65645d046fc25e00ba67a39d58df2afd31
-
SHA256
8c67b7d22dba2471c49f9cc074cf9b5cb5d970a6265cdef0d06f9677737078fd
-
SHA512
efbf198c1b4526304f71eac1e7cc76d9abb33e451a6dc773a039fcc55281f14fba29f5db886182d3ad873fbbc574cb56839678da933dc978ea2e70f09fa3cac2
-
SSDEEP
6144:cWoCWbSe5z9iWis/j9SrJz9ieis/j9SrJz9is/j9SrJwWisp:VMbgsUasUqsU6sp
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lefdpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogeigofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qpgpkcpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceaadk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfcnngnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohibdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aplifb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfadgq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdbdjhmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnjdhmdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pamiog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amkpegnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gldkfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idmhkpml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjcpii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Najdnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogblbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cadhnmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djhphncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cklmgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cldooj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieqeidnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jonplmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joplbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpbaebdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mppepcfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjjgclai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efppoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gddifnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hacmcfge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihankokm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idhopq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Logbhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlmlecec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpgljfbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkommo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npfgpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okikfagn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmmiij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjdbnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikpjgkjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcdbbloa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llkbap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nondgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cafecmlj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dndlim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blbfjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doobajme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgdbhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikbgmj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jofiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pclfkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Incpoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbqabkql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Logbhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhdlkdkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bocolb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbfabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmaled32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npdjje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahlgfdeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfoqmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boqbfb32.exe -
Executes dropped EXE 64 IoCs
pid Process 1708 Djpmccqq.exe 2980 Djbiicon.exe 2640 Dqlafm32.exe 2548 Doobajme.exe 2736 Dgfjbgmh.exe 2416 Eqonkmdh.exe 2876 Ebpkce32.exe 1644 Eijcpoac.exe 2732 Ekholjqg.exe 2892 Eilpeooq.exe 1788 Efppoc32.exe 1184 Eiomkn32.exe 1800 Elmigj32.exe 3052 Ebgacddo.exe 672 Fjdbnf32.exe 2648 Faokjpfd.exe 1296 Fhhcgj32.exe 2968 Ffkcbgek.exe 2372 Fhkpmjln.exe 1580 Fjilieka.exe 696 Fmhheqje.exe 1340 Fpfdalii.exe 1968 Flmefm32.exe 1396 Fddmgjpo.exe 876 Ffbicfoc.exe 1588 Fiaeoang.exe 2188 Gonnhhln.exe 2716 Gicbeald.exe 2588 Gpmjak32.exe 2492 Gangic32.exe 308 Gieojq32.exe 2752 Gldkfl32.exe 2008 Gaqcoc32.exe 2432 Ghkllmoi.exe 1212 Gkihhhnm.exe 288 Gmgdddmq.exe 2748 Gdamqndn.exe 2272 Ggpimica.exe 1336 Gogangdc.exe 1720 Gaemjbcg.exe 580 Gddifnbk.exe 2860 Hgbebiao.exe 312 Hknach32.exe 2896 Hiqbndpb.exe 1680 Hahjpbad.exe 568 Hpkjko32.exe 2028 Hcifgjgc.exe 612 Hgdbhi32.exe 1748 Hkpnhgge.exe 2124 Hicodd32.exe 2608 Hlakpp32.exe 2504 Hdhbam32.exe 2448 Hckcmjep.exe 2012 Hejoiedd.exe 2724 Hnagjbdf.exe 2656 Hlcgeo32.exe 2020 Hobcak32.exe 320 Hcnpbi32.exe 1760 Hellne32.exe 804 Hhjhkq32.exe 2268 Hodpgjha.exe 2148 Hacmcfge.exe 2480 Hhmepp32.exe 2676 Hogmmjfo.exe -
Loads dropped DLL 64 IoCs
pid Process 1244 8c67b7d22dba2471c49f9cc074cf9b5cb5d970a6265cdef0d06f9677737078fd.exe 1244 8c67b7d22dba2471c49f9cc074cf9b5cb5d970a6265cdef0d06f9677737078fd.exe 1708 Djpmccqq.exe 1708 Djpmccqq.exe 2980 Djbiicon.exe 2980 Djbiicon.exe 2640 Dqlafm32.exe 2640 Dqlafm32.exe 2548 Doobajme.exe 2548 Doobajme.exe 2736 Dgfjbgmh.exe 2736 Dgfjbgmh.exe 2416 Eqonkmdh.exe 2416 Eqonkmdh.exe 2876 Ebpkce32.exe 2876 Ebpkce32.exe 1644 Eijcpoac.exe 1644 Eijcpoac.exe 2732 Ekholjqg.exe 2732 Ekholjqg.exe 2892 Eilpeooq.exe 2892 Eilpeooq.exe 1788 Efppoc32.exe 1788 Efppoc32.exe 1184 Eiomkn32.exe 1184 Eiomkn32.exe 1800 Elmigj32.exe 1800 Elmigj32.exe 3052 Ebgacddo.exe 3052 Ebgacddo.exe 672 Fjdbnf32.exe 672 Fjdbnf32.exe 2648 Faokjpfd.exe 2648 Faokjpfd.exe 1296 Fhhcgj32.exe 1296 Fhhcgj32.exe 2968 Ffkcbgek.exe 2968 Ffkcbgek.exe 2372 Fhkpmjln.exe 2372 Fhkpmjln.exe 1580 Fjilieka.exe 1580 Fjilieka.exe 696 Fmhheqje.exe 696 Fmhheqje.exe 1340 Fpfdalii.exe 1340 Fpfdalii.exe 1968 Flmefm32.exe 1968 Flmefm32.exe 1396 Fddmgjpo.exe 1396 Fddmgjpo.exe 876 Ffbicfoc.exe 876 Ffbicfoc.exe 1588 Fiaeoang.exe 1588 Fiaeoang.exe 2188 Gonnhhln.exe 2188 Gonnhhln.exe 2716 Gicbeald.exe 2716 Gicbeald.exe 2588 Gpmjak32.exe 2588 Gpmjak32.exe 2492 Gangic32.exe 2492 Gangic32.exe 308 Gieojq32.exe 308 Gieojq32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cnmehnan.exe Ckoilb32.exe File created C:\Windows\SysWOW64\Iifjjk32.dll Dpeekh32.exe File created C:\Windows\SysWOW64\Nglfapnl.exe Ndmjedoi.exe File created C:\Windows\SysWOW64\Fddcahee.dll Ogblbo32.exe File created C:\Windows\SysWOW64\Cjdfmo32.exe Cgejac32.exe File created C:\Windows\SysWOW64\Mghohc32.dll Cgejac32.exe File opened for modification C:\Windows\SysWOW64\Cnmehnan.exe Ckoilb32.exe File created C:\Windows\SysWOW64\Dglpkenb.dll Cdikkg32.exe File created C:\Windows\SysWOW64\Hkkmeglp.dll Hkpnhgge.exe File created C:\Windows\SysWOW64\Lkppbl32.exe Llnofpcg.exe File opened for modification C:\Windows\SysWOW64\Olmhdf32.exe Oklkmnbp.exe File created C:\Windows\SysWOW64\Objbcm32.dll Pbhmnkjf.exe File created C:\Windows\SysWOW64\Pclfkc32.exe Peiepfgg.exe File opened for modification C:\Windows\SysWOW64\Pfjbgnme.exe Pclfkc32.exe File created C:\Windows\SysWOW64\Bhigphio.exe Bifgdk32.exe File opened for modification C:\Windows\SysWOW64\Dlnbeh32.exe Dbfabp32.exe File opened for modification C:\Windows\SysWOW64\Icmlam32.exe Idklfpon.exe File opened for modification C:\Windows\SysWOW64\Mlmlecec.exe Miooigfo.exe File created C:\Windows\SysWOW64\Ocnfbo32.exe Omdneebf.exe File created C:\Windows\SysWOW64\Abjlmo32.dll Amkpegnj.exe File opened for modification C:\Windows\SysWOW64\Hicodd32.exe Hkpnhgge.exe File opened for modification C:\Windows\SysWOW64\Ofelmloo.exe Ogblbo32.exe File created C:\Windows\SysWOW64\Bebpkk32.dll Cnobnmpl.exe File created C:\Windows\SysWOW64\Acahnedo.dll Oklkmnbp.exe File opened for modification C:\Windows\SysWOW64\Obafnlpn.exe Ocnfbo32.exe File created C:\Windows\SysWOW64\Anojbobe.exe Aplifb32.exe File created C:\Windows\SysWOW64\Mmfbogcn.exe Mkgfckcj.exe File opened for modification C:\Windows\SysWOW64\Oddpfc32.exe Oqideepg.exe File created C:\Windows\SysWOW64\Cqmnhocj.dll Fjdbnf32.exe File created C:\Windows\SysWOW64\Bnkajj32.dll Fhkpmjln.exe File created C:\Windows\SysWOW64\Gicbeald.exe Gonnhhln.exe File created C:\Windows\SysWOW64\Hmhfjo32.dll Gicbeald.exe File opened for modification C:\Windows\SysWOW64\Hhjhkq32.exe Hellne32.exe File opened for modification C:\Windows\SysWOW64\Chpmpg32.exe Ceaadk32.exe File created C:\Windows\SysWOW64\Qkophk32.dll Maoajf32.exe File opened for modification C:\Windows\SysWOW64\Cadhnmnm.exe Coelaaoi.exe File created C:\Windows\SysWOW64\Oincig32.dll Mgnfhlin.exe File created C:\Windows\SysWOW64\Qiejdkkn.dll Obafnlpn.exe File created C:\Windows\SysWOW64\Pqkmjh32.exe Pbhmnkjf.exe File created C:\Windows\SysWOW64\Bdhaablp.dll Hacmcfge.exe File opened for modification C:\Windows\SysWOW64\Idmhkpml.exe Imfqjbli.exe File created C:\Windows\SysWOW64\Hjbpkign.dll Jgnamk32.exe File opened for modification C:\Windows\SysWOW64\Jmocpado.exe Jehkodcm.exe File created C:\Windows\SysWOW64\Fdmahkol.dll Jonplmcb.exe File opened for modification C:\Windows\SysWOW64\Bfcampgf.exe Bdeeqehb.exe File opened for modification C:\Windows\SysWOW64\Dndlim32.exe Djhphncm.exe File created C:\Windows\SysWOW64\Mmnclh32.dll Dolnad32.exe File created C:\Windows\SysWOW64\Jfpjfeia.dll Djbiicon.exe File opened for modification C:\Windows\SysWOW64\Hahjpbad.exe Hiqbndpb.exe File created C:\Windows\SysWOW64\Bmamfo32.dll Ldidkbpb.exe File created C:\Windows\SysWOW64\Bkommo32.exe Bfcampgf.exe File created C:\Windows\SysWOW64\Fpffnl32.dll Igihbknb.exe File created C:\Windows\SysWOW64\Khcmap32.dll Lliflp32.exe File created C:\Windows\SysWOW64\Ogeigofa.exe Ocimgp32.exe File created C:\Windows\SysWOW64\Elmigj32.exe Eiomkn32.exe File opened for modification C:\Windows\SysWOW64\Mppepcfg.exe Monhhk32.exe File created C:\Windows\SysWOW64\Npdjje32.exe Nkgbbo32.exe File created C:\Windows\SysWOW64\Fbbecd32.dll Npdjje32.exe File created C:\Windows\SysWOW64\Qjjgclai.exe Qbcpbo32.exe File created C:\Windows\SysWOW64\Hkpnhgge.exe Hgdbhi32.exe File created C:\Windows\SysWOW64\Obdkcckg.dll Mmfbogcn.exe File created C:\Windows\SysWOW64\Ckccgane.exe Cdikkg32.exe File opened for modification C:\Windows\SysWOW64\Bmmiij32.exe Bkommo32.exe File opened for modification C:\Windows\SysWOW64\Cklmgb32.exe Clilkfnb.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nceclqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmekj32.dll" Hiqbndpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pljpdpao.dll" Hcnpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baoohhdn.dll" Kcbakpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Immfnjan.dll" Kfgdhjmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjilieka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hicodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hogmmjfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hellne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olmhdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qpgpkcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baakhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkbnm32.dll" Ffkcbgek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjcpii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khjjpi32.dll" Bocolb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flmefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jokcgmee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgplkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dolnad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaaoij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll" Hknach32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll" Hpkjko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aelcmdee.dll" Qedhdjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahikqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hodpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhgmapfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mijgof32.dll" Ohibdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmqjgdc.dll" Pclfkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfenbpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cillgpen.dll" Dqlafm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idhopq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llkbap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miooigfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggpimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chgdod32.dll" Jokcgmee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pqhpdhcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elmigj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncnkh32.dll" Gpmjak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmngmj32.dll" Jnclnihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckjpacfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qimhoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfadgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiehea32.dll" Iqopea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjljhjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knjbnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkiogn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmcijcbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkpagq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Peiepfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebpge32.dll" Gaqcoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hknach32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kahojc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfcijc32.dll" Kiccofna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiomkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfioffab.dll" Ahgnke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdgafdfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihankokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfnfdcqd.dll" Mpfkqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohibdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iimfgo32.dll" Bjlqhoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfbei32.dll" Dbfabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llnofpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amdhhh32.dll" Nhfipcid.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1244 wrote to memory of 1708 1244 8c67b7d22dba2471c49f9cc074cf9b5cb5d970a6265cdef0d06f9677737078fd.exe 28 PID 1244 wrote to memory of 1708 1244 8c67b7d22dba2471c49f9cc074cf9b5cb5d970a6265cdef0d06f9677737078fd.exe 28 PID 1244 wrote to memory of 1708 1244 8c67b7d22dba2471c49f9cc074cf9b5cb5d970a6265cdef0d06f9677737078fd.exe 28 PID 1244 wrote to memory of 1708 1244 8c67b7d22dba2471c49f9cc074cf9b5cb5d970a6265cdef0d06f9677737078fd.exe 28 PID 1708 wrote to memory of 2980 1708 Djpmccqq.exe 29 PID 1708 wrote to memory of 2980 1708 Djpmccqq.exe 29 PID 1708 wrote to memory of 2980 1708 Djpmccqq.exe 29 PID 1708 wrote to memory of 2980 1708 Djpmccqq.exe 29 PID 2980 wrote to memory of 2640 2980 Djbiicon.exe 30 PID 2980 wrote to memory of 2640 2980 Djbiicon.exe 30 PID 2980 wrote to memory of 2640 2980 Djbiicon.exe 30 PID 2980 wrote to memory of 2640 2980 Djbiicon.exe 30 PID 2640 wrote to memory of 2548 2640 Dqlafm32.exe 31 PID 2640 wrote to memory of 2548 2640 Dqlafm32.exe 31 PID 2640 wrote to memory of 2548 2640 Dqlafm32.exe 31 PID 2640 wrote to memory of 2548 2640 Dqlafm32.exe 31 PID 2548 wrote to memory of 2736 2548 Doobajme.exe 32 PID 2548 wrote to memory of 2736 2548 Doobajme.exe 32 PID 2548 wrote to memory of 2736 2548 Doobajme.exe 32 PID 2548 wrote to memory of 2736 2548 Doobajme.exe 32 PID 2736 wrote to memory of 2416 2736 Dgfjbgmh.exe 33 PID 2736 wrote to memory of 2416 2736 Dgfjbgmh.exe 33 PID 2736 wrote to memory of 2416 2736 Dgfjbgmh.exe 33 PID 2736 wrote to memory of 2416 2736 Dgfjbgmh.exe 33 PID 2416 wrote to memory of 2876 2416 Eqonkmdh.exe 34 PID 2416 wrote to memory of 2876 2416 Eqonkmdh.exe 34 PID 2416 wrote to memory of 2876 2416 Eqonkmdh.exe 34 PID 2416 wrote to memory of 2876 2416 Eqonkmdh.exe 34 PID 2876 wrote to memory of 1644 2876 Ebpkce32.exe 35 PID 2876 wrote to memory of 1644 2876 Ebpkce32.exe 35 PID 2876 wrote to memory of 1644 2876 Ebpkce32.exe 35 PID 2876 wrote to memory of 1644 2876 Ebpkce32.exe 35 PID 1644 wrote to memory of 2732 1644 Eijcpoac.exe 36 PID 1644 wrote to memory of 2732 1644 Eijcpoac.exe 36 PID 1644 wrote to memory of 2732 1644 Eijcpoac.exe 36 PID 1644 wrote to memory of 2732 1644 Eijcpoac.exe 36 PID 2732 wrote to memory of 2892 2732 Ekholjqg.exe 37 PID 2732 wrote to memory of 2892 2732 Ekholjqg.exe 37 PID 2732 wrote to memory of 2892 2732 Ekholjqg.exe 37 PID 2732 wrote to memory of 2892 2732 Ekholjqg.exe 37 PID 2892 wrote to memory of 1788 2892 Eilpeooq.exe 38 PID 2892 wrote to memory of 1788 2892 Eilpeooq.exe 38 PID 2892 wrote to memory of 1788 2892 Eilpeooq.exe 38 PID 2892 wrote to memory of 1788 2892 Eilpeooq.exe 38 PID 1788 wrote to memory of 1184 1788 Efppoc32.exe 39 PID 1788 wrote to memory of 1184 1788 Efppoc32.exe 39 PID 1788 wrote to memory of 1184 1788 Efppoc32.exe 39 PID 1788 wrote to memory of 1184 1788 Efppoc32.exe 39 PID 1184 wrote to memory of 1800 1184 Eiomkn32.exe 40 PID 1184 wrote to memory of 1800 1184 Eiomkn32.exe 40 PID 1184 wrote to memory of 1800 1184 Eiomkn32.exe 40 PID 1184 wrote to memory of 1800 1184 Eiomkn32.exe 40 PID 1800 wrote to memory of 3052 1800 Elmigj32.exe 41 PID 1800 wrote to memory of 3052 1800 Elmigj32.exe 41 PID 1800 wrote to memory of 3052 1800 Elmigj32.exe 41 PID 1800 wrote to memory of 3052 1800 Elmigj32.exe 41 PID 3052 wrote to memory of 672 3052 Ebgacddo.exe 42 PID 3052 wrote to memory of 672 3052 Ebgacddo.exe 42 PID 3052 wrote to memory of 672 3052 Ebgacddo.exe 42 PID 3052 wrote to memory of 672 3052 Ebgacddo.exe 42 PID 672 wrote to memory of 2648 672 Fjdbnf32.exe 43 PID 672 wrote to memory of 2648 672 Fjdbnf32.exe 43 PID 672 wrote to memory of 2648 672 Fjdbnf32.exe 43 PID 672 wrote to memory of 2648 672 Fjdbnf32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\8c67b7d22dba2471c49f9cc074cf9b5cb5d970a6265cdef0d06f9677737078fd.exe"C:\Users\Admin\AppData\Local\Temp\8c67b7d22dba2471c49f9cc074cf9b5cb5d970a6265cdef0d06f9677737078fd.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1296 -
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:696 -
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1340 -
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1396 -
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:876 -
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1588 -
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2188 -
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:308 -
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe35⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe36⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe37⤵
- Executes dropped EXE
PID:288 -
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe40⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe41⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe43⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:312 -
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe46⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:568 -
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe48⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:612 -
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1748 -
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Hlakpp32.exeC:\Windows\system32\Hlakpp32.exe52⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Hdhbam32.exeC:\Windows\system32\Hdhbam32.exe53⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe54⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Hejoiedd.exeC:\Windows\system32\Hejoiedd.exe55⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe56⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe57⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe58⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:320 -
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe61⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe64⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Iaeiieeb.exeC:\Windows\system32\Iaeiieeb.exe66⤵PID:2172
-
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:304 -
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe68⤵PID:448
-
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe69⤵PID:1744
-
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2288 -
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe72⤵PID:1940
-
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe73⤵PID:1972
-
C:\Windows\SysWOW64\Idhopq32.exeC:\Windows\system32\Idhopq32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe75⤵PID:3024
-
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:488 -
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe77⤵PID:2484
-
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe78⤵PID:2368
-
C:\Windows\SysWOW64\Iqopea32.exeC:\Windows\system32\Iqopea32.exe79⤵
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe80⤵
- Drops file in System32 directory
PID:2000 -
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe81⤵PID:1368
-
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe82⤵
- Drops file in System32 directory
PID:2628 -
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe83⤵PID:2296
-
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1996 -
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe85⤵
- Drops file in System32 directory
PID:1496 -
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:636 -
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe87⤵PID:292
-
C:\Windows\SysWOW64\Ifnechbj.exeC:\Windows\system32\Ifnechbj.exe88⤵PID:1540
-
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe89⤵PID:2472
-
C:\Windows\SysWOW64\Jmhmpb32.exeC:\Windows\system32\Jmhmpb32.exe90⤵PID:3028
-
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3032 -
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe92⤵
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe93⤵PID:2664
-
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe94⤵PID:1840
-
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe95⤵PID:2944
-
C:\Windows\SysWOW64\Jcdbbloa.exeC:\Windows\system32\Jcdbbloa.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1164 -
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1128 -
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe98⤵PID:2524
-
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe99⤵PID:1640
-
C:\Windows\SysWOW64\Jokcgmee.exeC:\Windows\system32\Jokcgmee.exe100⤵
- Modifies registry class
PID:1920 -
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe101⤵PID:2596
-
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe102⤵PID:1664
-
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe103⤵
- Drops file in System32 directory
PID:1056 -
C:\Windows\SysWOW64\Jmocpado.exeC:\Windows\system32\Jmocpado.exe104⤵PID:2068
-
C:\Windows\SysWOW64\Jonplmcb.exeC:\Windows\system32\Jonplmcb.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe106⤵PID:2756
-
C:\Windows\SysWOW64\Jfghif32.exeC:\Windows\system32\Jfghif32.exe107⤵PID:2624
-
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe108⤵PID:2088
-
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2436 -
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe110⤵
- Modifies registry class
PID:2252 -
C:\Windows\SysWOW64\Kaaijdgn.exeC:\Windows\system32\Kaaijdgn.exe111⤵PID:272
-
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe112⤵PID:2620
-
C:\Windows\SysWOW64\Kgkafo32.exeC:\Windows\system32\Kgkafo32.exe113⤵PID:1576
-
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe114⤵PID:1692
-
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe115⤵
- Modifies registry class
PID:908 -
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe116⤵
- Modifies registry class
PID:844 -
C:\Windows\SysWOW64\Keanebkb.exeC:\Windows\system32\Keanebkb.exe117⤵PID:1964
-
C:\Windows\SysWOW64\Knjbnh32.exeC:\Windows\system32\Knjbnh32.exe118⤵
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Kahojc32.exeC:\Windows\system32\Kahojc32.exe119⤵
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Kcfkfo32.exeC:\Windows\system32\Kcfkfo32.exe120⤵PID:2444
-
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe121⤵PID:1776
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-