Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
19-03-2024 06:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
60531adb144d336c91e55ef337f490f9bb499603a3836fcdea35e3d15ffee840.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
60531adb144d336c91e55ef337f490f9bb499603a3836fcdea35e3d15ffee840.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
0 signatures
150 seconds
General
-
Target
60531adb144d336c91e55ef337f490f9bb499603a3836fcdea35e3d15ffee840.exe
-
Size
80KB
-
MD5
4eed59c8340372807b3fb9ec83cf0745
-
SHA1
da01523018129c8b8b6be8b658456e3392886d24
-
SHA256
60531adb144d336c91e55ef337f490f9bb499603a3836fcdea35e3d15ffee840
-
SHA512
442da17ec029ad6dbb1022394f8601580585c47df19d0e77d40d34020004114582fa87fd89fec9631c54e4fdf90239517d66c3162efb62cc509579ac021e7f06
-
SSDEEP
1536:dTBAR6xY/0saEcA5BAWWIWpGSlEqaiV7bN+zL20gJi1i9:dTBAUBsaB6BApG+EBiV7bgzL20WKS
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooeggp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgejac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijgdngmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kneicieh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmanoifd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goddhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kihqkagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhndldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejkima32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqijej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcknbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbpnanch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajhgmpfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpocfncj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfadgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdapak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiaeoang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gejcjbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlkepi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eajaoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcifgjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqideepg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojcecjee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdapak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkijmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moiklogi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gddifnbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inngcfid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noqamn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhkpmjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnagjbdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnemdecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdikkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enakbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imfqjbli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgplkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkqbaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgfjbgmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmhheqje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idfbkq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejgcdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efcfga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meagci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noqamn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qpecfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmafennb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffpmnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lemaif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghoegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhdplq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjcabmga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhmepp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pedleg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkbhgojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijeghgoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkndaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edpmjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekelld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flabbihl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjjacf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnobnmpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkihhhnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hckcmjep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhmjkaoc.exe -
Executes dropped EXE 64 IoCs
pid Process 3020 Dngoibmo.exe 2524 Dhmcfkme.exe 2576 Dgodbh32.exe 2668 Djnpnc32.exe 2520 Dbehoa32.exe 2412 Ddcdkl32.exe 3056 Dcfdgiid.exe 1260 Dkmmhf32.exe 2604 Dnlidb32.exe 2116 Dmoipopd.exe 1244 Ddeaalpg.exe 2212 Dchali32.exe 2300 Dfgmhd32.exe 1680 Dnneja32.exe 1416 Dmafennb.exe 2056 Dcknbh32.exe 1776 Dgfjbgmh.exe 1196 Eihfjo32.exe 548 Emcbkn32.exe 2776 Epaogi32.exe 1472 Ecmkghcl.exe 1672 Eflgccbp.exe 1824 Ejgcdb32.exe 2980 Eijcpoac.exe 2784 Emeopn32.exe 1712 Ecpgmhai.exe 1636 Ekklaj32.exe 2568 Ebedndfa.exe 2544 Eecqjpee.exe 2420 Egamfkdh.exe 2396 Enkece32.exe 2836 Eajaoq32.exe 2120 Eeempocb.exe 2640 Egdilkbf.exe 2456 Eloemi32.exe 112 Ennaieib.exe 1504 Ebinic32.exe 2008 Ealnephf.exe 2708 Fckjalhj.exe 2332 Fhffaj32.exe 2688 Flabbihl.exe 672 Fnpnndgp.exe 2004 Faokjpfd.exe 1880 Fejgko32.exe 2720 Fcmgfkeg.exe 2168 Ffkcbgek.exe 1716 Fjgoce32.exe 700 Fmekoalh.exe 2856 Faagpp32.exe 1788 Fdoclk32.exe 2736 Fhkpmjln.exe 2292 Ffnphf32.exe 2540 Fjilieka.exe 2572 Fmhheqje.exe 1876 Facdeo32.exe 2044 Fdapak32.exe 628 Fbdqmghm.exe 2588 Ffpmnf32.exe 2096 Ffpmnf32.exe 1720 Fjlhneio.exe 1996 Fmjejphb.exe 2184 Flmefm32.exe 2344 Fphafl32.exe 3052 Fddmgjpo.exe -
Loads dropped DLL 64 IoCs
pid Process 2916 60531adb144d336c91e55ef337f490f9bb499603a3836fcdea35e3d15ffee840.exe 2916 60531adb144d336c91e55ef337f490f9bb499603a3836fcdea35e3d15ffee840.exe 3020 Dngoibmo.exe 3020 Dngoibmo.exe 2524 Dhmcfkme.exe 2524 Dhmcfkme.exe 2576 Dgodbh32.exe 2576 Dgodbh32.exe 2668 Djnpnc32.exe 2668 Djnpnc32.exe 2520 Dbehoa32.exe 2520 Dbehoa32.exe 2412 Ddcdkl32.exe 2412 Ddcdkl32.exe 3056 Dcfdgiid.exe 3056 Dcfdgiid.exe 1260 Dkmmhf32.exe 1260 Dkmmhf32.exe 2604 Dnlidb32.exe 2604 Dnlidb32.exe 2116 Dmoipopd.exe 2116 Dmoipopd.exe 1244 Ddeaalpg.exe 1244 Ddeaalpg.exe 2212 Dchali32.exe 2212 Dchali32.exe 2300 Dfgmhd32.exe 2300 Dfgmhd32.exe 1680 Dnneja32.exe 1680 Dnneja32.exe 1416 Dmafennb.exe 1416 Dmafennb.exe 2056 Dcknbh32.exe 2056 Dcknbh32.exe 1776 Dgfjbgmh.exe 1776 Dgfjbgmh.exe 1196 Eihfjo32.exe 1196 Eihfjo32.exe 548 Emcbkn32.exe 548 Emcbkn32.exe 2776 Epaogi32.exe 2776 Epaogi32.exe 1472 Ecmkghcl.exe 1472 Ecmkghcl.exe 1672 Eflgccbp.exe 1672 Eflgccbp.exe 1824 Ejgcdb32.exe 1824 Ejgcdb32.exe 2980 Eijcpoac.exe 2980 Eijcpoac.exe 2784 Emeopn32.exe 2784 Emeopn32.exe 1712 Ecpgmhai.exe 1712 Ecpgmhai.exe 1636 Ekklaj32.exe 1636 Ekklaj32.exe 2568 Ebedndfa.exe 2568 Ebedndfa.exe 2544 Eecqjpee.exe 2544 Eecqjpee.exe 2420 Egamfkdh.exe 2420 Egamfkdh.exe 2396 Enkece32.exe 2396 Enkece32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bleago32.dll Ikbgmj32.exe File created C:\Windows\SysWOW64\Ldidkbpb.exe Lefdpe32.exe File created C:\Windows\SysWOW64\Ffpmnf32.exe Fbdqmghm.exe File created C:\Windows\SysWOW64\Hpocfncj.exe Hlcgeo32.exe File created C:\Windows\SysWOW64\Fenhecef.dll Hellne32.exe File opened for modification C:\Windows\SysWOW64\Ihoafpmp.exe Idceea32.exe File created C:\Windows\SysWOW64\Nbpiak32.dll Lojomkdn.exe File opened for modification C:\Windows\SysWOW64\Mihiih32.exe Mkeimlfm.exe File created C:\Windows\SysWOW64\Bpgljfbl.exe Aadloj32.exe File opened for modification C:\Windows\SysWOW64\Ejmebq32.exe Egoife32.exe File created C:\Windows\SysWOW64\Feeiob32.exe Ffbicfoc.exe File created C:\Windows\SysWOW64\Hpapln32.exe Hhjhkq32.exe File created C:\Windows\SysWOW64\Fkeemhpn.dll Mpigfa32.exe File created C:\Windows\SysWOW64\Pedleg32.exe Pqhpdhcc.exe File opened for modification C:\Windows\SysWOW64\Emnndlod.exe Ejobhppq.exe File opened for modification C:\Windows\SysWOW64\Fbdqmghm.exe Fdapak32.exe File opened for modification C:\Windows\SysWOW64\Pmanoifd.exe Pnomcl32.exe File opened for modification C:\Windows\SysWOW64\Dcknbh32.exe Dmafennb.exe File created C:\Windows\SysWOW64\Ndpaod32.dll Jnemdecl.exe File created C:\Windows\SysWOW64\Hpjbaocl.dll Mgqcmlgl.exe File created C:\Windows\SysWOW64\Ngpolo32.exe Nacgdhlp.exe File opened for modification C:\Windows\SysWOW64\Pgeefbhm.exe Pciifc32.exe File created C:\Windows\SysWOW64\Qcbllb32.exe Qlkdkd32.exe File created C:\Windows\SysWOW64\Cabknqko.dll Hdhbam32.exe File created C:\Windows\SysWOW64\Ijeghgoh.exe Ikbgmj32.exe File created C:\Windows\SysWOW64\Anccmo32.exe Ajhgmpfg.exe File created C:\Windows\SysWOW64\Dfffnn32.exe Dnoomqbg.exe File created C:\Windows\SysWOW64\Mmjale32.dll Ekhhadmk.exe File created C:\Windows\SysWOW64\Hkabadei.dll Ekklaj32.exe File opened for modification C:\Windows\SysWOW64\Fmhheqje.exe Fjilieka.exe File opened for modification C:\Windows\SysWOW64\Nehmdhja.exe Namqci32.exe File created C:\Windows\SysWOW64\Idhqkpcf.dll Loeebl32.exe File opened for modification C:\Windows\SysWOW64\Mbpnanch.exe Mdmmfa32.exe File created C:\Windows\SysWOW64\Nmlnnp32.dll Onjgiiad.exe File opened for modification C:\Windows\SysWOW64\Aidnohbk.exe Aehboi32.exe File created C:\Windows\SysWOW64\Inegme32.dll Ejobhppq.exe File created C:\Windows\SysWOW64\Eflgccbp.exe Ecmkghcl.exe File created C:\Windows\SysWOW64\Jkoginch.dll Ffkcbgek.exe File created C:\Windows\SysWOW64\Ihankokm.exe Idfbkq32.exe File opened for modification C:\Windows\SysWOW64\Dpbheh32.exe Dndlim32.exe File opened for modification C:\Windows\SysWOW64\Hnojdcfi.exe Hicodd32.exe File created C:\Windows\SysWOW64\Mhdplq32.exe Ldidkbpb.exe File created C:\Windows\SysWOW64\Onqamf32.dll Afcenm32.exe File opened for modification C:\Windows\SysWOW64\Aemkjiem.exe Amfcikek.exe File opened for modification C:\Windows\SysWOW64\Aadloj32.exe Aoepcn32.exe File opened for modification C:\Windows\SysWOW64\Egjpkffe.exe Ebmgcohn.exe File created C:\Windows\SysWOW64\Chhpdp32.dll Gkgkbipp.exe File created C:\Windows\SysWOW64\Khejeajg.dll Hpocfncj.exe File created C:\Windows\SysWOW64\Henidd32.exe Hacmcfge.exe File created C:\Windows\SysWOW64\Kmjfdejp.exe Kngfih32.exe File opened for modification C:\Windows\SysWOW64\Lbcnhjnj.exe Logbhl32.exe File opened for modification C:\Windows\SysWOW64\Coelaaoi.exe Ckjpacfp.exe File created C:\Windows\SysWOW64\Hdjlnm32.dll Cdgneh32.exe File opened for modification C:\Windows\SysWOW64\Ddcdkl32.exe Dbehoa32.exe File created C:\Windows\SysWOW64\Nfmjcmjd.dll Iaeiieeb.exe File created C:\Windows\SysWOW64\Maodqp32.dll Jjojofgn.exe File created C:\Windows\SysWOW64\Qmicohqm.exe Qbcpbo32.exe File created C:\Windows\SysWOW64\Ajhgmpfg.exe Alegac32.exe File created C:\Windows\SysWOW64\Cadhnmnm.exe Coelaaoi.exe File created C:\Windows\SysWOW64\Inqcif32.exe Ijeghgoh.exe File created C:\Windows\SysWOW64\Lhmjkaoc.exe Lijjoe32.exe File opened for modification C:\Windows\SysWOW64\Enhacojl.exe Ejmebq32.exe File created C:\Windows\SysWOW64\Ekklaj32.exe Ecpgmhai.exe File created C:\Windows\SysWOW64\Eppmppld.dll Mpfkqb32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4820 4856 WerFault.exe 436 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhmepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlbeqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdbhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Febhomkh.dll" Goddhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmhheqje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlhfbqi.dll" Bifgdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbehoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlhaqogk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkijmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daoiajfm.dll" Leonofpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfioffab.dll" Albjlcao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fejgko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlfgbn32.dll" Icmlam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aoepcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbjbaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jobjlngg.dll" Ifcbodli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gddifnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kblhgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndkmpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndpfkdmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdgmd32.dll" Ejkima32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghmjpap.dll" Gonnhhln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idfbkq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lijjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbgodfkh.dll" Noqamn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdihmjpf.dll" Ajhgmpfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkkalk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkndaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ionkallc.dll" Obojhlbq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikddbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbnhng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdchio32.dll" Mmceigep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdbdjhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chnqkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gelppaof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dggcffhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ednpej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqehhb32.dll" Mppepcfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokfbfnk.dll" Nejiih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbokmqie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchafg32.dll" Dpeekh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebodiofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fddmgjpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nondgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qcbllb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll" Hcifgjgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lflmci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmceigep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aemkjiem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Behnnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdilpjih.dll" Ecejkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eflgccbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndpaod32.dll" Jofiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnlilc32.dll" Lbqabkql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cghggc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlakpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llkbap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dglpbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkamkfgh.dll" Fmhheqje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gddifnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpocfncj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inljnfkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmhodf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anlmmp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2916 wrote to memory of 3020 2916 60531adb144d336c91e55ef337f490f9bb499603a3836fcdea35e3d15ffee840.exe 28 PID 2916 wrote to memory of 3020 2916 60531adb144d336c91e55ef337f490f9bb499603a3836fcdea35e3d15ffee840.exe 28 PID 2916 wrote to memory of 3020 2916 60531adb144d336c91e55ef337f490f9bb499603a3836fcdea35e3d15ffee840.exe 28 PID 2916 wrote to memory of 3020 2916 60531adb144d336c91e55ef337f490f9bb499603a3836fcdea35e3d15ffee840.exe 28 PID 3020 wrote to memory of 2524 3020 Dngoibmo.exe 29 PID 3020 wrote to memory of 2524 3020 Dngoibmo.exe 29 PID 3020 wrote to memory of 2524 3020 Dngoibmo.exe 29 PID 3020 wrote to memory of 2524 3020 Dngoibmo.exe 29 PID 2524 wrote to memory of 2576 2524 Dhmcfkme.exe 30 PID 2524 wrote to memory of 2576 2524 Dhmcfkme.exe 30 PID 2524 wrote to memory of 2576 2524 Dhmcfkme.exe 30 PID 2524 wrote to memory of 2576 2524 Dhmcfkme.exe 30 PID 2576 wrote to memory of 2668 2576 Dgodbh32.exe 31 PID 2576 wrote to memory of 2668 2576 Dgodbh32.exe 31 PID 2576 wrote to memory of 2668 2576 Dgodbh32.exe 31 PID 2576 wrote to memory of 2668 2576 Dgodbh32.exe 31 PID 2668 wrote to memory of 2520 2668 Djnpnc32.exe 32 PID 2668 wrote to memory of 2520 2668 Djnpnc32.exe 32 PID 2668 wrote to memory of 2520 2668 Djnpnc32.exe 32 PID 2668 wrote to memory of 2520 2668 Djnpnc32.exe 32 PID 2520 wrote to memory of 2412 2520 Dbehoa32.exe 33 PID 2520 wrote to memory of 2412 2520 Dbehoa32.exe 33 PID 2520 wrote to memory of 2412 2520 Dbehoa32.exe 33 PID 2520 wrote to memory of 2412 2520 Dbehoa32.exe 33 PID 2412 wrote to memory of 3056 2412 Ddcdkl32.exe 34 PID 2412 wrote to memory of 3056 2412 Ddcdkl32.exe 34 PID 2412 wrote to memory of 3056 2412 Ddcdkl32.exe 34 PID 2412 wrote to memory of 3056 2412 Ddcdkl32.exe 34 PID 3056 wrote to memory of 1260 3056 Dcfdgiid.exe 35 PID 3056 wrote to memory of 1260 3056 Dcfdgiid.exe 35 PID 3056 wrote to memory of 1260 3056 Dcfdgiid.exe 35 PID 3056 wrote to memory of 1260 3056 Dcfdgiid.exe 35 PID 1260 wrote to memory of 2604 1260 Dkmmhf32.exe 36 PID 1260 wrote to memory of 2604 1260 Dkmmhf32.exe 36 PID 1260 wrote to memory of 2604 1260 Dkmmhf32.exe 36 PID 1260 wrote to memory of 2604 1260 Dkmmhf32.exe 36 PID 2604 wrote to memory of 2116 2604 Dnlidb32.exe 37 PID 2604 wrote to memory of 2116 2604 Dnlidb32.exe 37 PID 2604 wrote to memory of 2116 2604 Dnlidb32.exe 37 PID 2604 wrote to memory of 2116 2604 Dnlidb32.exe 37 PID 2116 wrote to memory of 1244 2116 Dmoipopd.exe 38 PID 2116 wrote to memory of 1244 2116 Dmoipopd.exe 38 PID 2116 wrote to memory of 1244 2116 Dmoipopd.exe 38 PID 2116 wrote to memory of 1244 2116 Dmoipopd.exe 38 PID 1244 wrote to memory of 2212 1244 Ddeaalpg.exe 39 PID 1244 wrote to memory of 2212 1244 Ddeaalpg.exe 39 PID 1244 wrote to memory of 2212 1244 Ddeaalpg.exe 39 PID 1244 wrote to memory of 2212 1244 Ddeaalpg.exe 39 PID 2212 wrote to memory of 2300 2212 Dchali32.exe 40 PID 2212 wrote to memory of 2300 2212 Dchali32.exe 40 PID 2212 wrote to memory of 2300 2212 Dchali32.exe 40 PID 2212 wrote to memory of 2300 2212 Dchali32.exe 40 PID 2300 wrote to memory of 1680 2300 Dfgmhd32.exe 41 PID 2300 wrote to memory of 1680 2300 Dfgmhd32.exe 41 PID 2300 wrote to memory of 1680 2300 Dfgmhd32.exe 41 PID 2300 wrote to memory of 1680 2300 Dfgmhd32.exe 41 PID 1680 wrote to memory of 1416 1680 Dnneja32.exe 42 PID 1680 wrote to memory of 1416 1680 Dnneja32.exe 42 PID 1680 wrote to memory of 1416 1680 Dnneja32.exe 42 PID 1680 wrote to memory of 1416 1680 Dnneja32.exe 42 PID 1416 wrote to memory of 2056 1416 Dmafennb.exe 43 PID 1416 wrote to memory of 2056 1416 Dmafennb.exe 43 PID 1416 wrote to memory of 2056 1416 Dmafennb.exe 43 PID 1416 wrote to memory of 2056 1416 Dmafennb.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\60531adb144d336c91e55ef337f490f9bb499603a3836fcdea35e3d15ffee840.exe"C:\Users\Admin\AppData\Local\Temp\60531adb144d336c91e55ef337f490f9bb499603a3836fcdea35e3d15ffee840.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2056 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1776 -
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1196 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:548 -
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1472 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1824 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2980 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1712 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2420 -
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2396 -
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe34⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe35⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe36⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe37⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe38⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe39⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe40⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe41⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe43⤵
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe44⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1880 -
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe46⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2168 -
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe48⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe49⤵
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe50⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe51⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe53⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2540 -
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe56⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:628 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe60⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe61⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe62⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe63⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe64⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe66⤵
- Drops file in System32 directory
PID:488 -
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe67⤵PID:448
-
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2248 -
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe69⤵PID:1212
-
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe70⤵PID:944
-
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe71⤵PID:2448
-
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe72⤵
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Gfefiemq.exeC:\Windows\system32\Gfefiemq.exe73⤵PID:348
-
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe74⤵PID:880
-
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe75⤵PID:1656
-
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe76⤵PID:2436
-
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe77⤵PID:2528
-
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe78⤵PID:2700
-
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe79⤵PID:2644
-
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:984 -
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe81⤵PID:384
-
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe82⤵PID:580
-
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe83⤵
- Drops file in System32 directory
PID:1440 -
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe84⤵PID:1400
-
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe85⤵PID:2336
-
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe86⤵
- Modifies registry class
PID:2480 -
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe87⤵PID:1500
-
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe88⤵PID:1688
-
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe89⤵PID:1676
-
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2036 -
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1064 -
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe92⤵PID:1528
-
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe93⤵PID:2900
-
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe94⤵PID:2488
-
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe95⤵PID:2616
-
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe96⤵PID:1944
-
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe97⤵PID:1200
-
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe98⤵PID:340
-
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Ghoegl32.exeC:\Windows\system32\Ghoegl32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:764 -
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe101⤵PID:1852
-
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe102⤵PID:1256
-
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe103⤵PID:1884
-
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe104⤵PID:2408
-
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe105⤵PID:2612
-
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe107⤵PID:1496
-
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe108⤵
- Drops file in System32 directory
PID:1476 -
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe109⤵PID:2584
-
C:\Windows\SysWOW64\Hlakpp32.exeC:\Windows\system32\Hlakpp32.exe110⤵
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe111⤵PID:2172
-
C:\Windows\SysWOW64\Hdhbam32.exeC:\Windows\system32\Hdhbam32.exe112⤵
- Drops file in System32 directory
PID:940 -
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2800 -
C:\Windows\SysWOW64\Hejoiedd.exeC:\Windows\system32\Hejoiedd.exe114⤵PID:2228
-
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1160 -
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe116⤵
- Drops file in System32 directory
PID:1192 -
C:\Windows\SysWOW64\Hpocfncj.exeC:\Windows\system32\Hpocfncj.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe118⤵PID:2828
-
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe119⤵PID:2304
-
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe120⤵
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe121⤵PID:2848
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-