Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
09/04/2024, 22:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3b2728e8465dee9cd6f08ca82d39fa52.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
3b2728e8465dee9cd6f08ca82d39fa52.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
3b2728e8465dee9cd6f08ca82d39fa52.exe
-
Size
64KB
-
MD5
3b2728e8465dee9cd6f08ca82d39fa52
-
SHA1
c584fd6371e97b607296f8fbc80fb8aaa3516b06
-
SHA256
bf804619f7d6d3aa32ad94189d06d8e1c3956434928e101d18dedf8112a3997a
-
SHA512
e20ca207db2d9e25dbeea695ac0e02447c4d97636e0034a9cb2452d603afb5feb29064751a34323e30932112a15eed3de6c5e4114c6cf272b3a5e33472f114c8
-
SSDEEP
1536:qTV2DNaV2BBayzycTFKvN2LXCYrum8SPE:qTIDNV/ycTFieXVT8SE
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdjefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goddhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejopog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhlfgppj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndgggf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npnhlg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emmlkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiifkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knjiin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clomqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Claifkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Facdeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edgdhmom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gomedi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Loooca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjbmjplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djmgkdgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgdjnofi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laplei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baqbenep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djbiicon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpfdalii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncoamb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oicpfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dngoibmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggjfnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmekoalh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hodpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ankdiqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfgaiaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhmcfkme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddeaalpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbonoiab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kljqgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocajbekl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppjglfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhbmho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iclcnnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkaocp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcaomf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loooca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcodno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddagfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doobajme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmdoke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikggbpgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jebiaelb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldnhad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcknbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilknfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccfhhffh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhmcfkme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnilobkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmjaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgjbmoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgqemakf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bopicc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdakgibq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elmigj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmgpkfab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nofabc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiinen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgpgce32.exe -
Executes dropped EXE 64 IoCs
pid Process 1724 Dimjqapa.exe 2012 Dcbonj32.exe 2700 Dbeojgga.exe 2768 Djmgkdgc.exe 2672 Dipgfa32.exe 2604 Dkncbm32.exe 1660 Dpiockfk.exe 3068 Dbhlogeo.exe 2584 Defhkbdb.exe 2792 Dibdla32.exe 1096 Dmmplpdd.exe 2888 Dkpphl32.exe 1424 Dpllhkdh.exe 1296 Dbjhefcl.exe 2056 Dffdeeke.exe 1272 Didqaqji.exe 1236 Dggamm32.exe 2136 Dpnink32.exe 772 Dnaijghp.exe 860 Dbmejf32.exe 1088 Daoefcgd.exe 1960 Eifmgphf.exe 1688 Eginbm32.exe 908 Ejhjoh32.exe 2144 Encfogfn.exe 2088 Ebobpf32.exe 1836 Elgfik32.exe 2640 Enfbeg32.exe 2972 Emhbpcke.exe 2652 Eepkaalh.exe 2508 Ecbkmn32.exe 2928 Efagii32.exe 2628 Ejlcjhjo.exe 2492 Emkofcic.exe 1352 Ecehbm32.exe 2876 Ejopog32.exe 3060 Eiapkdog.exe 2064 Emmlkc32.exe 2556 Eaihlapi.exe 2864 Edgdhmom.exe 488 Ebjdcj32.exe 1880 Efeqdhnq.exe 1100 Eidmqdmd.exe 1764 Empiab32.exe 680 Elbimplh.exe 2860 Fpnemn32.exe 980 Fdianmmj.exe 404 Fblaii32.exe 3008 Ffhmjhln.exe 1268 Ffhmjhln.exe 2092 Fekneebh.exe 1936 Fififc32.exe 2680 Fmbefbck.exe 2196 Flefbo32.exe 1780 Fppbbnbo.exe 2540 Focbnj32.exe 2644 Fbonoiab.exe 2520 Ffjjoh32.exe 1844 Ffjjoh32.exe 1248 Femjkdqf.exe 1792 Fiifkc32.exe 2516 Fhlfgppj.exe 2156 Flgbho32.exe 2720 Flgbho32.exe -
Loads dropped DLL 64 IoCs
pid Process 2468 3b2728e8465dee9cd6f08ca82d39fa52.exe 2468 3b2728e8465dee9cd6f08ca82d39fa52.exe 1724 Dimjqapa.exe 1724 Dimjqapa.exe 2012 Dcbonj32.exe 2012 Dcbonj32.exe 2700 Dbeojgga.exe 2700 Dbeojgga.exe 2768 Djmgkdgc.exe 2768 Djmgkdgc.exe 2672 Dipgfa32.exe 2672 Dipgfa32.exe 2604 Dkncbm32.exe 2604 Dkncbm32.exe 1660 Dpiockfk.exe 1660 Dpiockfk.exe 3068 Dbhlogeo.exe 3068 Dbhlogeo.exe 2584 Defhkbdb.exe 2584 Defhkbdb.exe 2792 Dibdla32.exe 2792 Dibdla32.exe 1096 Dmmplpdd.exe 1096 Dmmplpdd.exe 2888 Dkpphl32.exe 2888 Dkpphl32.exe 1424 Dpllhkdh.exe 1424 Dpllhkdh.exe 1296 Dbjhefcl.exe 1296 Dbjhefcl.exe 2056 Dffdeeke.exe 2056 Dffdeeke.exe 1272 Didqaqji.exe 1272 Didqaqji.exe 1236 Dggamm32.exe 1236 Dggamm32.exe 2136 Dpnink32.exe 2136 Dpnink32.exe 772 Dnaijghp.exe 772 Dnaijghp.exe 860 Dbmejf32.exe 860 Dbmejf32.exe 1088 Daoefcgd.exe 1088 Daoefcgd.exe 1960 Eifmgphf.exe 1960 Eifmgphf.exe 1688 Eginbm32.exe 1688 Eginbm32.exe 908 Ejhjoh32.exe 908 Ejhjoh32.exe 2144 Encfogfn.exe 2144 Encfogfn.exe 2088 Ebobpf32.exe 2088 Ebobpf32.exe 1836 Elgfik32.exe 1836 Elgfik32.exe 2640 Enfbeg32.exe 2640 Enfbeg32.exe 2972 Emhbpcke.exe 2972 Emhbpcke.exe 2652 Eepkaalh.exe 2652 Eepkaalh.exe 2508 Ecbkmn32.exe 2508 Ecbkmn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Efncicpm.exe Ebbgid32.exe File created C:\Windows\SysWOW64\Jnmgmhmc.dll Fmjejphb.exe File created C:\Windows\SysWOW64\Labcqfek.dll Fedplc32.exe File created C:\Windows\SysWOW64\Hheelbjj.exe Hdijlc32.exe File created C:\Windows\SysWOW64\Kbalnnam.exe Kcolba32.exe File opened for modification C:\Windows\SysWOW64\Nqcagfim.exe Nhlifi32.exe File created C:\Windows\SysWOW64\Emhlfmgj.exe Eilpeooq.exe File opened for modification C:\Windows\SysWOW64\Jnhqdkde.exe Jkjdhpea.exe File created C:\Windows\SysWOW64\Khekgc32.exe Kegnkh32.exe File created C:\Windows\SysWOW64\Kcehqcli.dll Lhlqhb32.exe File opened for modification C:\Windows\SysWOW64\Lipjejgp.exe Lkmjin32.exe File created C:\Windows\SysWOW64\Pgobhcac.exe Pccfge32.exe File opened for modification C:\Windows\SysWOW64\Bagpopmj.exe Bbdocc32.exe File opened for modification C:\Windows\SysWOW64\Eihfjo32.exe Djefobmk.exe File created C:\Windows\SysWOW64\Dhjgei32.dll Gakaqd32.exe File opened for modification C:\Windows\SysWOW64\Hcplhi32.exe Hodpgjha.exe File opened for modification C:\Windows\SysWOW64\Cillgpen.dll Doobajme.exe File created C:\Windows\SysWOW64\Cnkajfop.dll Hcifgjgc.exe File created C:\Windows\SysWOW64\Liqebf32.dll Hpapln32.exe File created C:\Windows\SysWOW64\Hqbgfd32.exe Haogkgoh.exe File created C:\Windows\SysWOW64\Menakj32.exe Mcodno32.exe File opened for modification C:\Windows\SysWOW64\Clomqk32.exe Chcqpmep.exe File opened for modification C:\Windows\SysWOW64\Doobajme.exe Dqlafm32.exe File created C:\Windows\SysWOW64\Bmeohn32.dll Bdooajdc.exe File created C:\Windows\SysWOW64\Mqkgkfhp.dll Gliklahk.exe File created C:\Windows\SysWOW64\Kpcpbb32.exe Kappfeln.exe File created C:\Windows\SysWOW64\Oicpfh32.exe Odgcfijj.exe File created C:\Windows\SysWOW64\Poaljn32.dll Oicpfh32.exe File opened for modification C:\Windows\SysWOW64\Mpjoqhah.exe Mnkbdlbd.exe File created C:\Windows\SysWOW64\Aofqfokm.dll Alhjai32.exe File created C:\Windows\SysWOW64\Ghplac32.exe Geapeg32.exe File opened for modification C:\Windows\SysWOW64\Laplei32.exe Loapim32.exe File created C:\Windows\SysWOW64\Kqdoodim.dll Mnieom32.exe File opened for modification C:\Windows\SysWOW64\Nghphaeo.exe Ncmdhb32.exe File created C:\Windows\SysWOW64\Fealjk32.dll Hahjpbad.exe File created C:\Windows\SysWOW64\Bdmeje32.dll Dpnink32.exe File opened for modification C:\Windows\SysWOW64\Fdddaqck.exe Febcfd32.exe File created C:\Windows\SysWOW64\Hglocnmp.exe Hhioga32.exe File opened for modification C:\Windows\SysWOW64\Kappfeln.exe Jmdcfg32.exe File created C:\Windows\SysWOW64\Hjmhdi32.exe Hgolhn32.exe File opened for modification C:\Windows\SysWOW64\Jgcabqic.exe Jedefejo.exe File created C:\Windows\SysWOW64\Nccdgp32.dll Dffdeeke.exe File created C:\Windows\SysWOW64\Emhbpcke.exe Enfbeg32.exe File created C:\Windows\SysWOW64\Cnbpqb32.dll Bbflib32.exe File created C:\Windows\SysWOW64\Nhnfkigh.exe Nhnfkigh.exe File opened for modification C:\Windows\SysWOW64\Qecoqk32.exe Qagcpljo.exe File opened for modification C:\Windows\SysWOW64\Cfbhnaho.exe Cgpgce32.exe File created C:\Windows\SysWOW64\Dkhcmgnl.exe Dkhcmgnl.exe File created C:\Windows\SysWOW64\Iaeiieeb.exe Icbimi32.exe File created C:\Windows\SysWOW64\Dpiockfk.exe Dkncbm32.exe File created C:\Windows\SysWOW64\Mgcgmb32.exe Mdejaf32.exe File created C:\Windows\SysWOW64\Ahaloofd.dll Ocajbekl.exe File opened for modification C:\Windows\SysWOW64\Dhmcfkme.exe Ddagfm32.exe File created C:\Windows\SysWOW64\Kcpgmhoi.dll Gikopfih.exe File created C:\Windows\SysWOW64\Hajlcapp.dll Hnfgphdl.exe File created C:\Windows\SysWOW64\Ioojhpdb.exe Iidbke32.exe File created C:\Windows\SysWOW64\Midahn32.dll Eiaiqn32.exe File created C:\Windows\SysWOW64\Didqaqji.exe Dffdeeke.exe File created C:\Windows\SysWOW64\Jgcabqic.exe Jedefejo.exe File created C:\Windows\SysWOW64\Pijbfj32.exe Pabjem32.exe File created C:\Windows\SysWOW64\Oockje32.dll Cjbmjplb.exe File created C:\Windows\SysWOW64\Eginbm32.exe Eifmgphf.exe File opened for modification C:\Windows\SysWOW64\Lbfahp32.exe Ldcamcih.exe File opened for modification C:\Windows\SysWOW64\Fekneebh.exe Ffhmjhln.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7092 6992 WerFault.exe 679 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqhhknjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbfeimng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcopljni.dll" Mepnpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofbfdmeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjgjmd32.dll" Ogjimd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbbfopeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdnghpkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efncicpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlcgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcbaa32.dll" Dqelenlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hellne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kikdkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmgpkfab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omloag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fabnbook.dll" Ambmpmln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdljffa.dll" Dbpodagk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahgmeg32.dll" Dmmplpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilbno32.dll" Fiifkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aepojo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll" Ghkllmoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goddhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmjnkm32.dll" Eepkaalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pndaof32.dll" Ppamme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjijdadm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nocemcbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jondlhmp.dll" Gacpdbej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbjhefcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okjnpflh.dll" Gmoepfhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioccco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oplgihma.dll" Emkofcic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kakbjibo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pminkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfflopdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhhcgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 3b2728e8465dee9cd6f08ca82d39fa52.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aheocend.dll" Gmabeeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogfpbeim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjdbnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbonoiab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmimafop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goddhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnpmipql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hchmdklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpcpbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ongnonkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppamme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbflib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fepgqdnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnclg32.dll" Ghhofmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpbohmpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoagldoe.dll" Fbakdiop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpnalagm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qnfjna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnefdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 3b2728e8465dee9cd6f08ca82d39fa52.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkolnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpekigf.dll" Jjanolhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebedndfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmjaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llnfaffc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdcnlglc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcaomf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egadpgfp.dll" Fcmgfkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hejoiedd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2468 wrote to memory of 1724 2468 3b2728e8465dee9cd6f08ca82d39fa52.exe 28 PID 2468 wrote to memory of 1724 2468 3b2728e8465dee9cd6f08ca82d39fa52.exe 28 PID 2468 wrote to memory of 1724 2468 3b2728e8465dee9cd6f08ca82d39fa52.exe 28 PID 2468 wrote to memory of 1724 2468 3b2728e8465dee9cd6f08ca82d39fa52.exe 28 PID 1724 wrote to memory of 2012 1724 Dimjqapa.exe 29 PID 1724 wrote to memory of 2012 1724 Dimjqapa.exe 29 PID 1724 wrote to memory of 2012 1724 Dimjqapa.exe 29 PID 1724 wrote to memory of 2012 1724 Dimjqapa.exe 29 PID 2012 wrote to memory of 2700 2012 Dcbonj32.exe 30 PID 2012 wrote to memory of 2700 2012 Dcbonj32.exe 30 PID 2012 wrote to memory of 2700 2012 Dcbonj32.exe 30 PID 2012 wrote to memory of 2700 2012 Dcbonj32.exe 30 PID 2700 wrote to memory of 2768 2700 Dbeojgga.exe 31 PID 2700 wrote to memory of 2768 2700 Dbeojgga.exe 31 PID 2700 wrote to memory of 2768 2700 Dbeojgga.exe 31 PID 2700 wrote to memory of 2768 2700 Dbeojgga.exe 31 PID 2768 wrote to memory of 2672 2768 Djmgkdgc.exe 32 PID 2768 wrote to memory of 2672 2768 Djmgkdgc.exe 32 PID 2768 wrote to memory of 2672 2768 Djmgkdgc.exe 32 PID 2768 wrote to memory of 2672 2768 Djmgkdgc.exe 32 PID 2672 wrote to memory of 2604 2672 Dipgfa32.exe 33 PID 2672 wrote to memory of 2604 2672 Dipgfa32.exe 33 PID 2672 wrote to memory of 2604 2672 Dipgfa32.exe 33 PID 2672 wrote to memory of 2604 2672 Dipgfa32.exe 33 PID 2604 wrote to memory of 1660 2604 Dkncbm32.exe 34 PID 2604 wrote to memory of 1660 2604 Dkncbm32.exe 34 PID 2604 wrote to memory of 1660 2604 Dkncbm32.exe 34 PID 2604 wrote to memory of 1660 2604 Dkncbm32.exe 34 PID 1660 wrote to memory of 3068 1660 Dpiockfk.exe 35 PID 1660 wrote to memory of 3068 1660 Dpiockfk.exe 35 PID 1660 wrote to memory of 3068 1660 Dpiockfk.exe 35 PID 1660 wrote to memory of 3068 1660 Dpiockfk.exe 35 PID 3068 wrote to memory of 2584 3068 Dbhlogeo.exe 36 PID 3068 wrote to memory of 2584 3068 Dbhlogeo.exe 36 PID 3068 wrote to memory of 2584 3068 Dbhlogeo.exe 36 PID 3068 wrote to memory of 2584 3068 Dbhlogeo.exe 36 PID 2584 wrote to memory of 2792 2584 Defhkbdb.exe 37 PID 2584 wrote to memory of 2792 2584 Defhkbdb.exe 37 PID 2584 wrote to memory of 2792 2584 Defhkbdb.exe 37 PID 2584 wrote to memory of 2792 2584 Defhkbdb.exe 37 PID 2792 wrote to memory of 1096 2792 Dibdla32.exe 38 PID 2792 wrote to memory of 1096 2792 Dibdla32.exe 38 PID 2792 wrote to memory of 1096 2792 Dibdla32.exe 38 PID 2792 wrote to memory of 1096 2792 Dibdla32.exe 38 PID 1096 wrote to memory of 2888 1096 Dmmplpdd.exe 39 PID 1096 wrote to memory of 2888 1096 Dmmplpdd.exe 39 PID 1096 wrote to memory of 2888 1096 Dmmplpdd.exe 39 PID 1096 wrote to memory of 2888 1096 Dmmplpdd.exe 39 PID 2888 wrote to memory of 1424 2888 Dkpphl32.exe 40 PID 2888 wrote to memory of 1424 2888 Dkpphl32.exe 40 PID 2888 wrote to memory of 1424 2888 Dkpphl32.exe 40 PID 2888 wrote to memory of 1424 2888 Dkpphl32.exe 40 PID 1424 wrote to memory of 1296 1424 Dpllhkdh.exe 41 PID 1424 wrote to memory of 1296 1424 Dpllhkdh.exe 41 PID 1424 wrote to memory of 1296 1424 Dpllhkdh.exe 41 PID 1424 wrote to memory of 1296 1424 Dpllhkdh.exe 41 PID 1296 wrote to memory of 2056 1296 Dbjhefcl.exe 42 PID 1296 wrote to memory of 2056 1296 Dbjhefcl.exe 42 PID 1296 wrote to memory of 2056 1296 Dbjhefcl.exe 42 PID 1296 wrote to memory of 2056 1296 Dbjhefcl.exe 42 PID 2056 wrote to memory of 1272 2056 Dffdeeke.exe 43 PID 2056 wrote to memory of 1272 2056 Dffdeeke.exe 43 PID 2056 wrote to memory of 1272 2056 Dffdeeke.exe 43 PID 2056 wrote to memory of 1272 2056 Dffdeeke.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\3b2728e8465dee9cd6f08ca82d39fa52.exe"C:\Users\Admin\AppData\Local\Temp\3b2728e8465dee9cd6f08ca82d39fa52.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Dimjqapa.exeC:\Windows\system32\Dimjqapa.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Dcbonj32.exeC:\Windows\system32\Dcbonj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Dbeojgga.exeC:\Windows\system32\Dbeojgga.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Djmgkdgc.exeC:\Windows\system32\Djmgkdgc.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Dipgfa32.exeC:\Windows\system32\Dipgfa32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Dkncbm32.exeC:\Windows\system32\Dkncbm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Dpiockfk.exeC:\Windows\system32\Dpiockfk.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Dbhlogeo.exeC:\Windows\system32\Dbhlogeo.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Defhkbdb.exeC:\Windows\system32\Defhkbdb.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Dibdla32.exeC:\Windows\system32\Dibdla32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Dmmplpdd.exeC:\Windows\system32\Dmmplpdd.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Dkpphl32.exeC:\Windows\system32\Dkpphl32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Dpllhkdh.exeC:\Windows\system32\Dpllhkdh.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Dbjhefcl.exeC:\Windows\system32\Dbjhefcl.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Dffdeeke.exeC:\Windows\system32\Dffdeeke.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Didqaqji.exeC:\Windows\system32\Didqaqji.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1272 -
C:\Windows\SysWOW64\Dggamm32.exeC:\Windows\system32\Dggamm32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1236 -
C:\Windows\SysWOW64\Dpnink32.exeC:\Windows\system32\Dpnink32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Dnaijghp.exeC:\Windows\system32\Dnaijghp.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:772 -
C:\Windows\SysWOW64\Dbmejf32.exeC:\Windows\system32\Dbmejf32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:860 -
C:\Windows\SysWOW64\Daoefcgd.exeC:\Windows\system32\Daoefcgd.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1088 -
C:\Windows\SysWOW64\Eifmgphf.exeC:\Windows\system32\Eifmgphf.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Eginbm32.exeC:\Windows\system32\Eginbm32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Ejhjoh32.exeC:\Windows\system32\Ejhjoh32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:908 -
C:\Windows\SysWOW64\Encfogfn.exeC:\Windows\system32\Encfogfn.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Ebobpf32.exeC:\Windows\system32\Ebobpf32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Windows\SysWOW64\Elgfik32.exeC:\Windows\system32\Elgfik32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1836 -
C:\Windows\SysWOW64\Enfbeg32.exeC:\Windows\system32\Enfbeg32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Emhbpcke.exeC:\Windows\system32\Emhbpcke.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2972 -
C:\Windows\SysWOW64\Eepkaalh.exeC:\Windows\system32\Eepkaalh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Ecbkmn32.exeC:\Windows\system32\Ecbkmn32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2508 -
C:\Windows\SysWOW64\Efagii32.exeC:\Windows\system32\Efagii32.exe33⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Ejlcjhjo.exeC:\Windows\system32\Ejlcjhjo.exe34⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Emkofcic.exeC:\Windows\system32\Emkofcic.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Ecehbm32.exeC:\Windows\system32\Ecehbm32.exe36⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Ejopog32.exeC:\Windows\system32\Ejopog32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Eiapkdog.exeC:\Windows\system32\Eiapkdog.exe38⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Emmlkc32.exeC:\Windows\system32\Emmlkc32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Eaihlapi.exeC:\Windows\system32\Eaihlapi.exe40⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Edgdhmom.exeC:\Windows\system32\Edgdhmom.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Ebjdcj32.exeC:\Windows\system32\Ebjdcj32.exe42⤵
- Executes dropped EXE
PID:488 -
C:\Windows\SysWOW64\Efeqdhnq.exeC:\Windows\system32\Efeqdhnq.exe43⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Eidmqdmd.exeC:\Windows\system32\Eidmqdmd.exe44⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Empiab32.exeC:\Windows\system32\Empiab32.exe45⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Elbimplh.exeC:\Windows\system32\Elbimplh.exe46⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Fpnemn32.exeC:\Windows\system32\Fpnemn32.exe47⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Fdianmmj.exeC:\Windows\system32\Fdianmmj.exe48⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Fblaii32.exeC:\Windows\system32\Fblaii32.exe49⤵
- Executes dropped EXE
PID:404 -
C:\Windows\SysWOW64\Ffhmjhln.exeC:\Windows\system32\Ffhmjhln.exe50⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Ffhmjhln.exeC:\Windows\system32\Ffhmjhln.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1268 -
C:\Windows\SysWOW64\Fekneebh.exeC:\Windows\system32\Fekneebh.exe52⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Fififc32.exeC:\Windows\system32\Fififc32.exe53⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Fmbefbck.exeC:\Windows\system32\Fmbefbck.exe54⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Flefbo32.exeC:\Windows\system32\Flefbo32.exe55⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Fppbbnbo.exeC:\Windows\system32\Fppbbnbo.exe56⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Focbnj32.exeC:\Windows\system32\Focbnj32.exe57⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Fbonoiab.exeC:\Windows\system32\Fbonoiab.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Ffjjoh32.exeC:\Windows\system32\Ffjjoh32.exe59⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Ffjjoh32.exeC:\Windows\system32\Ffjjoh32.exe60⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Femjkdqf.exeC:\Windows\system32\Femjkdqf.exe61⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Fiifkc32.exeC:\Windows\system32\Fiifkc32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1792 -
C:\Windows\SysWOW64\Fhlfgppj.exeC:\Windows\system32\Fhlfgppj.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Flgbho32.exeC:\Windows\system32\Flgbho32.exe64⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Flgbho32.exeC:\Windows\system32\Flgbho32.exe65⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Fpbohmpl.exeC:\Windows\system32\Fpbohmpl.exe66⤵
- Modifies registry class
PID:1244 -
C:\Windows\SysWOW64\Fbakdiop.exeC:\Windows\system32\Fbakdiop.exe67⤵PID:2796
-
C:\Windows\SysWOW64\Fbakdiop.exeC:\Windows\system32\Fbakdiop.exe68⤵
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Fadkpe32.exeC:\Windows\system32\Fadkpe32.exe69⤵PID:2656
-
C:\Windows\SysWOW64\Fepgqdnc.exeC:\Windows\system32\Fepgqdnc.exe70⤵
- Modifies registry class
PID:392 -
C:\Windows\SysWOW64\Fikcacgl.exeC:\Windows\system32\Fikcacgl.exe71⤵PID:2668
-
C:\Windows\SysWOW64\Fhncmp32.exeC:\Windows\system32\Fhncmp32.exe72⤵PID:584
-
C:\Windows\SysWOW64\Fliomnfp.exeC:\Windows\system32\Fliomnfp.exe73⤵PID:2164
-
C:\Windows\SysWOW64\Fklpik32.exeC:\Windows\system32\Fklpik32.exe74⤵PID:2360
-
C:\Windows\SysWOW64\Fohkijed.exeC:\Windows\system32\Fohkijed.exe75⤵PID:2504
-
C:\Windows\SysWOW64\Fbcgjh32.exeC:\Windows\system32\Fbcgjh32.exe76⤵PID:1940
-
C:\Windows\SysWOW64\Fafheedg.exeC:\Windows\system32\Fafheedg.exe77⤵PID:548
-
C:\Windows\SysWOW64\Febcfd32.exeC:\Windows\system32\Febcfd32.exe78⤵
- Drops file in System32 directory
PID:2052 -
C:\Windows\SysWOW64\Fdddaqck.exeC:\Windows\system32\Fdddaqck.exe79⤵PID:3016
-
C:\Windows\SysWOW64\Fhppbp32.exeC:\Windows\system32\Fhppbp32.exe80⤵PID:1016
-
C:\Windows\SysWOW64\Flllcndm.exeC:\Windows\system32\Flllcndm.exe81⤵PID:1120
-
C:\Windows\SysWOW64\Fkolnk32.exeC:\Windows\system32\Fkolnk32.exe82⤵
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Fojhoica.exeC:\Windows\system32\Fojhoica.exe83⤵PID:1824
-
C:\Windows\SysWOW64\Fmmhjf32.exeC:\Windows\system32\Fmmhjf32.exe84⤵PID:2744
-
C:\Windows\SysWOW64\Fahdkebe.exeC:\Windows\system32\Fahdkebe.exe85⤵PID:2764
-
C:\Windows\SysWOW64\Fedplc32.exeC:\Windows\system32\Fedplc32.exe86⤵
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Fdgqgqah.exeC:\Windows\system32\Fdgqgqah.exe87⤵PID:3024
-
C:\Windows\SysWOW64\Fhbmho32.exeC:\Windows\system32\Fhbmho32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1648 -
C:\Windows\SysWOW64\Ggemclpl.exeC:\Windows\system32\Ggemclpl.exe89⤵PID:1680
-
C:\Windows\SysWOW64\Gomedi32.exeC:\Windows\system32\Gomedi32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1952 -
C:\Windows\SysWOW64\Gmoepfhi.exeC:\Windows\system32\Gmoepfhi.exe91⤵
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Gakaqd32.exeC:\Windows\system32\Gakaqd32.exe92⤵
- Drops file in System32 directory
PID:1608 -
C:\Windows\SysWOW64\Gpnalagm.exeC:\Windows\system32\Gpnalagm.exe93⤵
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Gdimmp32.exeC:\Windows\system32\Gdimmp32.exe94⤵PID:2940
-
C:\Windows\SysWOW64\Gghjil32.exeC:\Windows\system32\Gghjil32.exe95⤵PID:2496
-
C:\Windows\SysWOW64\Gkceijfb.exeC:\Windows\system32\Gkceijfb.exe96⤵PID:472
-
C:\Windows\SysWOW64\Gmabeeef.exeC:\Windows\system32\Gmabeeef.exe97⤵
- Modifies registry class
PID:1536 -
C:\Windows\SysWOW64\Gamnfd32.exeC:\Windows\system32\Gamnfd32.exe98⤵PID:1292
-
C:\Windows\SysWOW64\Gdljbp32.exeC:\Windows\system32\Gdljbp32.exe99⤵PID:108
-
C:\Windows\SysWOW64\Gcojnmdn.exeC:\Windows\system32\Gcojnmdn.exe100⤵PID:1684
-
C:\Windows\SysWOW64\Ggjfnk32.exeC:\Windows\system32\Ggjfnk32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:880 -
C:\Windows\SysWOW64\Gkeboj32.exeC:\Windows\system32\Gkeboj32.exe102⤵PID:1868
-
C:\Windows\SysWOW64\Gihbjfkj.exeC:\Windows\system32\Gihbjfkj.exe103⤵PID:1592
-
C:\Windows\SysWOW64\Gmdoke32.exeC:\Windows\system32\Gmdoke32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2660 -
C:\Windows\SysWOW64\Glgofbjn.exeC:\Windows\system32\Glgofbjn.exe105⤵PID:352
-
C:\Windows\SysWOW64\Gdnghpkq.exeC:\Windows\system32\Gdnghpkq.exe106⤵
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Gcagcl32.exeC:\Windows\system32\Gcagcl32.exe107⤵PID:2704
-
C:\Windows\SysWOW64\Gglcdkjd.exeC:\Windows\system32\Gglcdkjd.exe108⤵PID:2608
-
C:\Windows\SysWOW64\Geocph32.exeC:\Windows\system32\Geocph32.exe109⤵PID:2992
-
C:\Windows\SysWOW64\Gikopfih.exeC:\Windows\system32\Gikopfih.exe110⤵
- Drops file in System32 directory
PID:2124 -
C:\Windows\SysWOW64\Gliklahk.exeC:\Windows\system32\Gliklahk.exe111⤵
- Drops file in System32 directory
PID:1132 -
C:\Windows\SysWOW64\Gccdil32.exeC:\Windows\system32\Gccdil32.exe112⤵PID:1488
-
C:\Windows\SysWOW64\Ggopijha.exeC:\Windows\system32\Ggopijha.exe113⤵PID:864
-
C:\Windows\SysWOW64\Geapeg32.exeC:\Windows\system32\Geapeg32.exe114⤵
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Ghplac32.exeC:\Windows\system32\Ghplac32.exe115⤵PID:2880
-
C:\Windows\SysWOW64\Gllhaa32.exeC:\Windows\system32\Gllhaa32.exe116⤵PID:1060
-
C:\Windows\SysWOW64\Gpgdbpob.exeC:\Windows\system32\Gpgdbpob.exe117⤵PID:2320
-
C:\Windows\SysWOW64\Gojdnm32.exeC:\Windows\system32\Gojdnm32.exe118⤵PID:2212
-
C:\Windows\SysWOW64\Hahqjh32.exeC:\Windows\system32\Hahqjh32.exe119⤵PID:1928
-
C:\Windows\SysWOW64\Hedmkgmi.exeC:\Windows\system32\Hedmkgmi.exe120⤵PID:1888
-
C:\Windows\SysWOW64\Hhbigblm.exeC:\Windows\system32\Hhbigblm.exe121⤵PID:2676
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-