Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
11/03/2024, 00:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bfc3fa7baea6fd496913c05696a4ce42e705aa1ff5c3b89c09b72b3f77417621.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
bfc3fa7baea6fd496913c05696a4ce42e705aa1ff5c3b89c09b72b3f77417621.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
bfc3fa7baea6fd496913c05696a4ce42e705aa1ff5c3b89c09b72b3f77417621.exe
-
Size
64KB
-
MD5
f91b8452d6407537bec415436304d061
-
SHA1
83827d698d24be7963e3dbe19b95558f733e3d0d
-
SHA256
bfc3fa7baea6fd496913c05696a4ce42e705aa1ff5c3b89c09b72b3f77417621
-
SHA512
f77ba83334c732fb3d52cabefb633605c99a9a177399f8474accbcadad357314b8840da4600fab6c32e0aecc0b31b1ebc2763c0f04a77ca2bb6b82e8d20a441e
-
SSDEEP
1536:JJYXz0byGZMjQooFmXOZXuGBEePqniYKgNtn:bczY/IQjFmXOjEePqiYKgL
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mofecpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbfjdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oghlgdgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccfhhffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emhbpcke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Holacm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfhocmnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kphimanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Naikkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmlgonbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afdlhchf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpknlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fklpik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioagno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paggai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aepojo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bloqah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejbfhfaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcpbhkbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbalnnam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgmkmecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faokjpfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hobcak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkhmma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njkfpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpfdalii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcekcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhlqhb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddagfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioijbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ladeqhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Midcpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pndniaop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnefdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgbebiao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fafheedg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imkdqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gohhhmgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijdnehci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omgaek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahakmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gangic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlhaqogk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fekneebh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkaidjhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncancbha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjndop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbeojgga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjmhdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaihlapi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioojhpdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jakfkfpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcjkcplm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhjpaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oelmai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dibdla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpllhkdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgmglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhhcgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjcgco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koocdnai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhqfbebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhqfbebj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onbddoog.exe -
Executes dropped EXE 64 IoCs
pid Process 1936 Dcpbhkbi.exe 2012 Dimjqapa.exe 2640 Dimjqapa.exe 2756 Dqdbboac.exe 1792 Dogbnl32.exe 1080 Dbeojgga.exe 2512 Dfakjf32.exe 2448 Dipgfa32.exe 2720 Dkncbm32.exe 2556 Dpiockfk.exe 1940 Dcekcj32.exe 2900 Dfchpe32.exe 1980 Defhkbdb.exe 1140 Dibdla32.exe 3040 Dmmplpdd.exe 2256 Dpllhkdh.exe 680 Dbjhefcl.exe 108 Deidab32.exe 2392 Didqaqji.exe 696 Dggamm32.exe 1536 Dpnink32.exe 1452 Dnaijghp.exe 644 Daoefcgd.exe 2408 Eifmgphf.exe 3016 Eginbm32.exe 880 Ejhjoh32.exe 1600 Eemnlanj.exe 2620 Ehljhmmn.exe 2028 Elgfik32.exe 2508 Enfbeg32.exe 2200 Emhbpcke.exe 2696 Ecbkmn32.exe 1248 Efagii32.exe 2796 Ejlcjhjo.exe 2660 Enhojf32.exe 1440 Eafkfb32.exe 864 Efcdoipc.exe 2732 Eiapkdog.exe 2132 Eaihlapi.exe 784 Eplhgn32.exe 2936 Edgdhmom.exe 1868 Ebjdcj32.exe 2100 Ejameg32.exe 2064 Eidmqdmd.exe 2052 Empiab32.exe 2416 Elbimplh.exe 888 Fdianmmj.exe 2092 Fblaii32.exe 2348 Ffhmjhln.exe 2676 Fekneebh.exe 2496 Fififc32.exe 2036 Fmbefbck.exe 1512 Flefbo32.exe 2972 Fppbbnbo.exe 2916 Focbnj32.exe 1944 Fbonoiab.exe 1412 Ffjjoh32.exe 1132 Femjkdqf.exe 2224 Fiifkc32.exe 2788 Flgbho32.exe 2932 Fpbohmpl.exe 2004 Foeodj32.exe 2356 Fbakdiop.exe 1088 Fepgqdnc.exe -
Loads dropped DLL 64 IoCs
pid Process 2268 bfc3fa7baea6fd496913c05696a4ce42e705aa1ff5c3b89c09b72b3f77417621.exe 2268 bfc3fa7baea6fd496913c05696a4ce42e705aa1ff5c3b89c09b72b3f77417621.exe 1936 Dcpbhkbi.exe 1936 Dcpbhkbi.exe 2012 Dimjqapa.exe 2012 Dimjqapa.exe 2640 Dimjqapa.exe 2640 Dimjqapa.exe 2756 Dqdbboac.exe 2756 Dqdbboac.exe 1792 Dogbnl32.exe 1792 Dogbnl32.exe 1080 Dbeojgga.exe 1080 Dbeojgga.exe 2512 Dfakjf32.exe 2512 Dfakjf32.exe 2448 Dipgfa32.exe 2448 Dipgfa32.exe 2720 Dkncbm32.exe 2720 Dkncbm32.exe 2556 Dpiockfk.exe 2556 Dpiockfk.exe 1940 Dcekcj32.exe 1940 Dcekcj32.exe 2900 Dfchpe32.exe 2900 Dfchpe32.exe 1980 Defhkbdb.exe 1980 Defhkbdb.exe 1140 Dibdla32.exe 1140 Dibdla32.exe 3040 Dmmplpdd.exe 3040 Dmmplpdd.exe 2256 Dpllhkdh.exe 2256 Dpllhkdh.exe 680 Dbjhefcl.exe 680 Dbjhefcl.exe 108 Deidab32.exe 108 Deidab32.exe 2392 Didqaqji.exe 2392 Didqaqji.exe 696 Dggamm32.exe 696 Dggamm32.exe 1536 Dpnink32.exe 1536 Dpnink32.exe 1452 Dnaijghp.exe 1452 Dnaijghp.exe 644 Daoefcgd.exe 644 Daoefcgd.exe 2408 Eifmgphf.exe 2408 Eifmgphf.exe 3016 Eginbm32.exe 3016 Eginbm32.exe 880 Ejhjoh32.exe 880 Ejhjoh32.exe 1600 Eemnlanj.exe 1600 Eemnlanj.exe 2620 Ehljhmmn.exe 2620 Ehljhmmn.exe 2028 Elgfik32.exe 2028 Elgfik32.exe 2508 Enfbeg32.exe 2508 Enfbeg32.exe 2200 Emhbpcke.exe 2200 Emhbpcke.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Igcecmfg.exe Iolmbpfe.exe File opened for modification C:\Windows\SysWOW64\Ajdadamj.exe Afiecb32.exe File created C:\Windows\SysWOW64\Gfedefbi.dll Dgdmmgpj.exe File opened for modification C:\Windows\SysWOW64\Lggiipie.dll Kedaeh32.exe File created C:\Windows\SysWOW64\Ldhebk32.dll Pigeqkai.exe File created C:\Windows\SysWOW64\Aimkgn32.dll Gogangdc.exe File opened for modification C:\Windows\SysWOW64\Ibapoj32.exe Ioccco32.exe File created C:\Windows\SysWOW64\Jagmpg32.exe Jbdlejmn.exe File created C:\Windows\SysWOW64\Lfqqcc32.dll Labhkh32.exe File created C:\Windows\SysWOW64\Lkkmdn32.exe Lkkmdn32.exe File created C:\Windows\SysWOW64\Clphjpmh.dll Fdapak32.exe File created C:\Windows\SysWOW64\Piehkkcl.exe Peiljl32.exe File created C:\Windows\SysWOW64\Bommnc32.exe Bkaqmeah.exe File created C:\Windows\SysWOW64\Iklgpmjo.dll Cjlgiqbk.exe File created C:\Windows\SysWOW64\Fepgqdnc.exe Fbakdiop.exe File opened for modification C:\Windows\SysWOW64\Lmdpejfq.exe Lkfciogm.exe File created C:\Windows\SysWOW64\Acjgoa32.dll Lkkmdn32.exe File opened for modification C:\Windows\SysWOW64\Nnplpl32.exe Njdpomfe.exe File created C:\Windows\SysWOW64\Pfdpip32.exe Pbiciana.exe File opened for modification C:\Windows\SysWOW64\Dnneja32.exe Dfgmhd32.exe File opened for modification C:\Windows\SysWOW64\Fnpnndgp.exe Fjdbnf32.exe File opened for modification C:\Windows\SysWOW64\Dfakjf32.exe Dbeojgga.exe File created C:\Windows\SysWOW64\Fjdbnf32.exe Flabbihl.exe File created C:\Windows\SysWOW64\Fbgmbg32.exe Fbgmbg32.exe File created C:\Windows\SysWOW64\Jancafna.exe Jmbgpg32.exe File created C:\Windows\SysWOW64\Iagjfjkn.dll Lefkjkmc.exe File opened for modification C:\Windows\SysWOW64\Nlgefh32.exe Nhlifi32.exe File created C:\Windows\SysWOW64\Fdfcak32.dll Nhnfkigh.exe File created C:\Windows\SysWOW64\Odegpj32.exe Ofbfdmeb.exe File created C:\Windows\SysWOW64\Fhbmho32.exe Fedplc32.exe File created C:\Windows\SysWOW64\Oojknblb.exe Okoomd32.exe File created C:\Windows\SysWOW64\Febhomkh.dll Goddhg32.exe File opened for modification C:\Windows\SysWOW64\Flllcndm.exe Fhppbp32.exe File created C:\Windows\SysWOW64\Fiqpkfmo.dll Hjmhdi32.exe File opened for modification C:\Windows\SysWOW64\Aajpelhl.exe Amndem32.exe File created C:\Windows\SysWOW64\Lgahch32.dll Fmekoalh.exe File opened for modification C:\Windows\SysWOW64\Gdopkn32.exe Gelppaof.exe File created C:\Windows\SysWOW64\Lpoddchb.dll Hakmph32.exe File opened for modification C:\Windows\SysWOW64\Dcfdgiid.exe Dqhhknjp.exe File created C:\Windows\SysWOW64\Gangic32.exe Gbkgnfbd.exe File created C:\Windows\SysWOW64\Jbdlejmn.exe Joepio32.exe File created C:\Windows\SysWOW64\Jjoailji.exe Jklanp32.exe File opened for modification C:\Windows\SysWOW64\Cllpkl32.exe Cjndop32.exe File created C:\Windows\SysWOW64\Enlbgc32.dll Hejoiedd.exe File created C:\Windows\SysWOW64\Fojhoica.exe Fkolnk32.exe File created C:\Windows\SysWOW64\Lfkqohle.dll Gcagcl32.exe File created C:\Windows\SysWOW64\Ejpdgffb.dll Jmpjkggj.exe File opened for modification C:\Windows\SysWOW64\Maphdl32.exe Mcmhiojk.exe File created C:\Windows\SysWOW64\Icbimi32.exe Hogmmjfo.exe File created C:\Windows\SysWOW64\Edhban32.dll Kbhbom32.exe File created C:\Windows\SysWOW64\Dchali32.exe Ddeaalpg.exe File opened for modification C:\Windows\SysWOW64\Ebgacddo.exe Enkece32.exe File created C:\Windows\SysWOW64\Gmgdddmq.exe Goddhg32.exe File created C:\Windows\SysWOW64\Inljnfkg.exe Ioijbj32.exe File created C:\Windows\SysWOW64\Ecbkmn32.exe Emhbpcke.exe File opened for modification C:\Windows\SysWOW64\Klnjbbdh.exe Khcnad32.exe File opened for modification C:\Windows\SysWOW64\Qecoqk32.exe Qagcpljo.exe File opened for modification C:\Windows\SysWOW64\Bkdmcdoe.exe Bghabf32.exe File opened for modification C:\Windows\SysWOW64\Dipgfa32.exe Dfakjf32.exe File created C:\Windows\SysWOW64\Moeodd32.dll Fmbefbck.exe File opened for modification C:\Windows\SysWOW64\Bpfcgg32.exe Aljgfioc.exe File opened for modification C:\Windows\SysWOW64\Hknach32.exe Hgbebiao.exe File opened for modification C:\Windows\SysWOW64\Fififc32.exe Fekneebh.exe File created C:\Windows\SysWOW64\Hamjehqk.exe Hnandi32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7712 7652 WerFault.exe 775 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlbpenqj.dll" Loooca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojgnpb.dll" Affhncfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqqdag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gooqhm32.dll" Onmkio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojieip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peiljl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkakief.dll" Efncicpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Faagpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eijcpoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icemmopa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmjikf32.dll" Jcjbgaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oiellh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qlhnbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimcgn32.dll" Ajphib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhfagipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgqjffca.dll" Eflgccbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddeaalpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfgegdkp.dll" Hgjbmoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbhkgk32.dll" Mcmhiojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pndniaop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajphib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ampqjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apajlhka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdphdj.dll" Claifkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqonkmdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fddmgjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abbbnchb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enhojf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpnalagm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdncgbnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgcabqic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgocalod.dll" Lmkfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcjkcplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjcidhml.dll" Pfflopdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbdqmghm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnieom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alhjai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhppbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghplac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfbhnaho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcfdgiid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agcbcgcb.dll" Gghjil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiiekj32.dll" Hoonilag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpolmdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqqdag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhcecp32.dll" Adjigg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckdjbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghplac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pabjem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgbdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gddifnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgkegn32.dll" Eplhgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hoakolod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhlqhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nccjhafn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojficpfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gopkmhjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhjgei32.dll" Gakaqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alhjai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghjkhm32.dll" Ijoeji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amclfbco.dll" Lipjejgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mekdekin.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2268 wrote to memory of 1936 2268 bfc3fa7baea6fd496913c05696a4ce42e705aa1ff5c3b89c09b72b3f77417621.exe 28 PID 2268 wrote to memory of 1936 2268 bfc3fa7baea6fd496913c05696a4ce42e705aa1ff5c3b89c09b72b3f77417621.exe 28 PID 2268 wrote to memory of 1936 2268 bfc3fa7baea6fd496913c05696a4ce42e705aa1ff5c3b89c09b72b3f77417621.exe 28 PID 2268 wrote to memory of 1936 2268 bfc3fa7baea6fd496913c05696a4ce42e705aa1ff5c3b89c09b72b3f77417621.exe 28 PID 1936 wrote to memory of 2012 1936 Dcpbhkbi.exe 29 PID 1936 wrote to memory of 2012 1936 Dcpbhkbi.exe 29 PID 1936 wrote to memory of 2012 1936 Dcpbhkbi.exe 29 PID 1936 wrote to memory of 2012 1936 Dcpbhkbi.exe 29 PID 2012 wrote to memory of 2640 2012 Dimjqapa.exe 30 PID 2012 wrote to memory of 2640 2012 Dimjqapa.exe 30 PID 2012 wrote to memory of 2640 2012 Dimjqapa.exe 30 PID 2012 wrote to memory of 2640 2012 Dimjqapa.exe 30 PID 2640 wrote to memory of 2756 2640 Dimjqapa.exe 31 PID 2640 wrote to memory of 2756 2640 Dimjqapa.exe 31 PID 2640 wrote to memory of 2756 2640 Dimjqapa.exe 31 PID 2640 wrote to memory of 2756 2640 Dimjqapa.exe 31 PID 2756 wrote to memory of 1792 2756 Dqdbboac.exe 32 PID 2756 wrote to memory of 1792 2756 Dqdbboac.exe 32 PID 2756 wrote to memory of 1792 2756 Dqdbboac.exe 32 PID 2756 wrote to memory of 1792 2756 Dqdbboac.exe 32 PID 1792 wrote to memory of 1080 1792 Dogbnl32.exe 33 PID 1792 wrote to memory of 1080 1792 Dogbnl32.exe 33 PID 1792 wrote to memory of 1080 1792 Dogbnl32.exe 33 PID 1792 wrote to memory of 1080 1792 Dogbnl32.exe 33 PID 1080 wrote to memory of 2512 1080 Dbeojgga.exe 34 PID 1080 wrote to memory of 2512 1080 Dbeojgga.exe 34 PID 1080 wrote to memory of 2512 1080 Dbeojgga.exe 34 PID 1080 wrote to memory of 2512 1080 Dbeojgga.exe 34 PID 2512 wrote to memory of 2448 2512 Dfakjf32.exe 35 PID 2512 wrote to memory of 2448 2512 Dfakjf32.exe 35 PID 2512 wrote to memory of 2448 2512 Dfakjf32.exe 35 PID 2512 wrote to memory of 2448 2512 Dfakjf32.exe 35 PID 2448 wrote to memory of 2720 2448 Dipgfa32.exe 36 PID 2448 wrote to memory of 2720 2448 Dipgfa32.exe 36 PID 2448 wrote to memory of 2720 2448 Dipgfa32.exe 36 PID 2448 wrote to memory of 2720 2448 Dipgfa32.exe 36 PID 2720 wrote to memory of 2556 2720 Dkncbm32.exe 37 PID 2720 wrote to memory of 2556 2720 Dkncbm32.exe 37 PID 2720 wrote to memory of 2556 2720 Dkncbm32.exe 37 PID 2720 wrote to memory of 2556 2720 Dkncbm32.exe 37 PID 2556 wrote to memory of 1940 2556 Dpiockfk.exe 38 PID 2556 wrote to memory of 1940 2556 Dpiockfk.exe 38 PID 2556 wrote to memory of 1940 2556 Dpiockfk.exe 38 PID 2556 wrote to memory of 1940 2556 Dpiockfk.exe 38 PID 1940 wrote to memory of 2900 1940 Dcekcj32.exe 39 PID 1940 wrote to memory of 2900 1940 Dcekcj32.exe 39 PID 1940 wrote to memory of 2900 1940 Dcekcj32.exe 39 PID 1940 wrote to memory of 2900 1940 Dcekcj32.exe 39 PID 2900 wrote to memory of 1980 2900 Dfchpe32.exe 40 PID 2900 wrote to memory of 1980 2900 Dfchpe32.exe 40 PID 2900 wrote to memory of 1980 2900 Dfchpe32.exe 40 PID 2900 wrote to memory of 1980 2900 Dfchpe32.exe 40 PID 1980 wrote to memory of 1140 1980 Defhkbdb.exe 41 PID 1980 wrote to memory of 1140 1980 Defhkbdb.exe 41 PID 1980 wrote to memory of 1140 1980 Defhkbdb.exe 41 PID 1980 wrote to memory of 1140 1980 Defhkbdb.exe 41 PID 1140 wrote to memory of 3040 1140 Dibdla32.exe 42 PID 1140 wrote to memory of 3040 1140 Dibdla32.exe 42 PID 1140 wrote to memory of 3040 1140 Dibdla32.exe 42 PID 1140 wrote to memory of 3040 1140 Dibdla32.exe 42 PID 3040 wrote to memory of 2256 3040 Dmmplpdd.exe 43 PID 3040 wrote to memory of 2256 3040 Dmmplpdd.exe 43 PID 3040 wrote to memory of 2256 3040 Dmmplpdd.exe 43 PID 3040 wrote to memory of 2256 3040 Dmmplpdd.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\bfc3fa7baea6fd496913c05696a4ce42e705aa1ff5c3b89c09b72b3f77417621.exe"C:\Users\Admin\AppData\Local\Temp\bfc3fa7baea6fd496913c05696a4ce42e705aa1ff5c3b89c09b72b3f77417621.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Dcpbhkbi.exeC:\Windows\system32\Dcpbhkbi.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\Dimjqapa.exeC:\Windows\system32\Dimjqapa.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Dimjqapa.exeC:\Windows\system32\Dimjqapa.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Dqdbboac.exeC:\Windows\system32\Dqdbboac.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Dogbnl32.exeC:\Windows\system32\Dogbnl32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Dbeojgga.exeC:\Windows\system32\Dbeojgga.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\Dfakjf32.exeC:\Windows\system32\Dfakjf32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Dipgfa32.exeC:\Windows\system32\Dipgfa32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Dkncbm32.exeC:\Windows\system32\Dkncbm32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Dpiockfk.exeC:\Windows\system32\Dpiockfk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Dcekcj32.exeC:\Windows\system32\Dcekcj32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Dfchpe32.exeC:\Windows\system32\Dfchpe32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Defhkbdb.exeC:\Windows\system32\Defhkbdb.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Dibdla32.exeC:\Windows\system32\Dibdla32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Dmmplpdd.exeC:\Windows\system32\Dmmplpdd.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Dpllhkdh.exeC:\Windows\system32\Dpllhkdh.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2256 -
C:\Windows\SysWOW64\Dbjhefcl.exeC:\Windows\system32\Dbjhefcl.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:680 -
C:\Windows\SysWOW64\Deidab32.exeC:\Windows\system32\Deidab32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:108 -
C:\Windows\SysWOW64\Didqaqji.exeC:\Windows\system32\Didqaqji.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Dggamm32.exeC:\Windows\system32\Dggamm32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:696 -
C:\Windows\SysWOW64\Dpnink32.exeC:\Windows\system32\Dpnink32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1536 -
C:\Windows\SysWOW64\Dnaijghp.exeC:\Windows\system32\Dnaijghp.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1452 -
C:\Windows\SysWOW64\Daoefcgd.exeC:\Windows\system32\Daoefcgd.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:644 -
C:\Windows\SysWOW64\Eifmgphf.exeC:\Windows\system32\Eifmgphf.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2408 -
C:\Windows\SysWOW64\Eginbm32.exeC:\Windows\system32\Eginbm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3016 -
C:\Windows\SysWOW64\Ejhjoh32.exeC:\Windows\system32\Ejhjoh32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:880 -
C:\Windows\SysWOW64\Eemnlanj.exeC:\Windows\system32\Eemnlanj.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Ehljhmmn.exeC:\Windows\system32\Ehljhmmn.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Elgfik32.exeC:\Windows\system32\Elgfik32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2028 -
C:\Windows\SysWOW64\Enfbeg32.exeC:\Windows\system32\Enfbeg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2508 -
C:\Windows\SysWOW64\Emhbpcke.exeC:\Windows\system32\Emhbpcke.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2200 -
C:\Windows\SysWOW64\Ecbkmn32.exeC:\Windows\system32\Ecbkmn32.exe33⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Efagii32.exeC:\Windows\system32\Efagii32.exe34⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Ejlcjhjo.exeC:\Windows\system32\Ejlcjhjo.exe35⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Enhojf32.exeC:\Windows\system32\Enhojf32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Eafkfb32.exeC:\Windows\system32\Eafkfb32.exe37⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Efcdoipc.exeC:\Windows\system32\Efcdoipc.exe38⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Eiapkdog.exeC:\Windows\system32\Eiapkdog.exe39⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Eaihlapi.exeC:\Windows\system32\Eaihlapi.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Eplhgn32.exeC:\Windows\system32\Eplhgn32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:784 -
C:\Windows\SysWOW64\Edgdhmom.exeC:\Windows\system32\Edgdhmom.exe42⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Ebjdcj32.exeC:\Windows\system32\Ebjdcj32.exe43⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Ejameg32.exeC:\Windows\system32\Ejameg32.exe44⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Eidmqdmd.exeC:\Windows\system32\Eidmqdmd.exe45⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Empiab32.exeC:\Windows\system32\Empiab32.exe46⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Elbimplh.exeC:\Windows\system32\Elbimplh.exe47⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Fdianmmj.exeC:\Windows\system32\Fdianmmj.exe48⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Fblaii32.exeC:\Windows\system32\Fblaii32.exe49⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Ffhmjhln.exeC:\Windows\system32\Ffhmjhln.exe50⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Fekneebh.exeC:\Windows\system32\Fekneebh.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Fififc32.exeC:\Windows\system32\Fififc32.exe52⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Fmbefbck.exeC:\Windows\system32\Fmbefbck.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2036 -
C:\Windows\SysWOW64\Flefbo32.exeC:\Windows\system32\Flefbo32.exe54⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Fppbbnbo.exeC:\Windows\system32\Fppbbnbo.exe55⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Focbnj32.exeC:\Windows\system32\Focbnj32.exe56⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Fbonoiab.exeC:\Windows\system32\Fbonoiab.exe57⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Ffjjoh32.exeC:\Windows\system32\Ffjjoh32.exe58⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Femjkdqf.exeC:\Windows\system32\Femjkdqf.exe59⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Fiifkc32.exeC:\Windows\system32\Fiifkc32.exe60⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Flgbho32.exeC:\Windows\system32\Flgbho32.exe61⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Fpbohmpl.exeC:\Windows\system32\Fpbohmpl.exe62⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Foeodj32.exeC:\Windows\system32\Foeodj32.exe63⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Fbakdiop.exeC:\Windows\system32\Fbakdiop.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2356 -
C:\Windows\SysWOW64\Fepgqdnc.exeC:\Windows\system32\Fepgqdnc.exe65⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Fikcacgl.exeC:\Windows\system32\Fikcacgl.exe66⤵PID:2008
-
C:\Windows\SysWOW64\Fliomnfp.exeC:\Windows\system32\Fliomnfp.exe67⤵PID:548
-
C:\Windows\SysWOW64\Fklpik32.exeC:\Windows\system32\Fklpik32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1684 -
C:\Windows\SysWOW64\Fohkijed.exeC:\Windows\system32\Fohkijed.exe69⤵PID:2896
-
C:\Windows\SysWOW64\Fbcgjh32.exeC:\Windows\system32\Fbcgjh32.exe70⤵PID:1572
-
C:\Windows\SysWOW64\Fafheedg.exeC:\Windows\system32\Fafheedg.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2964 -
C:\Windows\SysWOW64\Fdddaqck.exeC:\Windows\system32\Fdddaqck.exe72⤵PID:3056
-
C:\Windows\SysWOW64\Fhppbp32.exeC:\Windows\system32\Fhppbp32.exe73⤵
- Drops file in System32 directory
- Modifies registry class
PID:1228 -
C:\Windows\SysWOW64\Flllcndm.exeC:\Windows\system32\Flllcndm.exe74⤵PID:2652
-
C:\Windows\SysWOW64\Fkolnk32.exeC:\Windows\system32\Fkolnk32.exe75⤵
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Fojhoica.exeC:\Windows\system32\Fojhoica.exe76⤵PID:2600
-
C:\Windows\SysWOW64\Fmmhjf32.exeC:\Windows\system32\Fmmhjf32.exe77⤵PID:1720
-
C:\Windows\SysWOW64\Fahdkebe.exeC:\Windows\system32\Fahdkebe.exe78⤵PID:1268
-
C:\Windows\SysWOW64\Fedplc32.exeC:\Windows\system32\Fedplc32.exe79⤵
- Drops file in System32 directory
PID:564 -
C:\Windows\SysWOW64\Fhbmho32.exeC:\Windows\system32\Fhbmho32.exe80⤵PID:2876
-
C:\Windows\SysWOW64\Ggemclpl.exeC:\Windows\system32\Ggemclpl.exe81⤵PID:2692
-
C:\Windows\SysWOW64\Gkaidjhe.exeC:\Windows\system32\Gkaidjhe.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2336 -
C:\Windows\SysWOW64\Gomedi32.exeC:\Windows\system32\Gomedi32.exe83⤵PID:1136
-
C:\Windows\SysWOW64\Gmoepfhi.exeC:\Windows\system32\Gmoepfhi.exe84⤵PID:908
-
C:\Windows\SysWOW64\Gakaqd32.exeC:\Windows\system32\Gakaqd32.exe85⤵
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Gpnalagm.exeC:\Windows\system32\Gpnalagm.exe86⤵
- Modifies registry class
PID:1836 -
C:\Windows\SysWOW64\Gheimogo.exeC:\Windows\system32\Gheimogo.exe87⤵PID:2644
-
C:\Windows\SysWOW64\Gghjil32.exeC:\Windows\system32\Gghjil32.exe88⤵
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Gkceijfb.exeC:\Windows\system32\Gkceijfb.exe89⤵PID:2616
-
C:\Windows\SysWOW64\Gmabeeef.exeC:\Windows\system32\Gmabeeef.exe90⤵PID:2060
-
C:\Windows\SysWOW64\Gppnaaej.exeC:\Windows\system32\Gppnaaej.exe91⤵PID:2844
-
C:\Windows\SysWOW64\Gcojnmdn.exeC:\Windows\system32\Gcojnmdn.exe92⤵PID:1424
-
C:\Windows\SysWOW64\Gkeboj32.exeC:\Windows\system32\Gkeboj32.exe93⤵PID:948
-
C:\Windows\SysWOW64\Gmdoke32.exeC:\Windows\system32\Gmdoke32.exe94⤵PID:2912
-
C:\Windows\SysWOW64\Glgofbjn.exeC:\Windows\system32\Glgofbjn.exe95⤵PID:2664
-
C:\Windows\SysWOW64\Gdnghpkq.exeC:\Windows\system32\Gdnghpkq.exe96⤵PID:2748
-
C:\Windows\SysWOW64\Gcagcl32.exeC:\Windows\system32\Gcagcl32.exe97⤵
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Geocph32.exeC:\Windows\system32\Geocph32.exe98⤵PID:3052
-
C:\Windows\SysWOW64\Gikopfih.exeC:\Windows\system32\Gikopfih.exe99⤵PID:2988
-
C:\Windows\SysWOW64\Gnfkqe32.exeC:\Windows\system32\Gnfkqe32.exe100⤵PID:2404
-
C:\Windows\SysWOW64\Gpegmq32.exeC:\Windows\system32\Gpegmq32.exe101⤵PID:2528
-
C:\Windows\SysWOW64\Gohhhmgo.exeC:\Windows\system32\Gohhhmgo.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1736 -
C:\Windows\SysWOW64\Gccdil32.exeC:\Windows\system32\Gccdil32.exe103⤵PID:2564
-
C:\Windows\SysWOW64\Geapeg32.exeC:\Windows\system32\Geapeg32.exe104⤵PID:2684
-
C:\Windows\SysWOW64\Gimlefge.exeC:\Windows\system32\Gimlefge.exe105⤵PID:1728
-
C:\Windows\SysWOW64\Ghplac32.exeC:\Windows\system32\Ghplac32.exe106⤵
- Modifies registry class
PID:1296 -
C:\Windows\SysWOW64\Gpgdbpob.exeC:\Windows\system32\Gpgdbpob.exe107⤵PID:2380
-
C:\Windows\SysWOW64\Gojdnm32.exeC:\Windows\system32\Gojdnm32.exe108⤵PID:2708
-
C:\Windows\SysWOW64\Hceqnlnf.exeC:\Windows\system32\Hceqnlnf.exe109⤵PID:1372
-
C:\Windows\SysWOW64\Hedmkgmi.exeC:\Windows\system32\Hedmkgmi.exe110⤵PID:1624
-
C:\Windows\SysWOW64\Hjpike32.exeC:\Windows\system32\Hjpike32.exe111⤵PID:940
-
C:\Windows\SysWOW64\Hhbigblm.exeC:\Windows\system32\Hhbigblm.exe112⤵PID:2368
-
C:\Windows\SysWOW64\Hlnega32.exeC:\Windows\system32\Hlnega32.exe113⤵PID:2712
-
C:\Windows\SysWOW64\Hkqecnkq.exeC:\Windows\system32\Hkqecnkq.exe114⤵PID:764
-
C:\Windows\SysWOW64\Holacm32.exeC:\Windows\system32\Holacm32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2452 -
C:\Windows\SysWOW64\Hchmdklc.exeC:\Windows\system32\Hchmdklc.exe116⤵PID:1888
-
C:\Windows\SysWOW64\Hakmph32.exeC:\Windows\system32\Hakmph32.exe117⤵
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Hdijlc32.exeC:\Windows\system32\Hdijlc32.exe118⤵PID:2604
-
C:\Windows\SysWOW64\Hheelbjj.exeC:\Windows\system32\Hheelbjj.exe119⤵PID:600
-
C:\Windows\SysWOW64\Hkcbhn32.exeC:\Windows\system32\Hkcbhn32.exe120⤵PID:3004
-
C:\Windows\SysWOW64\Hkcbhn32.exeC:\Windows\system32\Hkcbhn32.exe121⤵PID:1768
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-