Analysis
-
max time kernel
151s -
max time network
137s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
11/04/2024, 02:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b6a788d5f0fc14301cf0e90e09401e88ec1fd7629dd0eeefca96af3dce67b8ac.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
b6a788d5f0fc14301cf0e90e09401e88ec1fd7629dd0eeefca96af3dce67b8ac.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
b6a788d5f0fc14301cf0e90e09401e88ec1fd7629dd0eeefca96af3dce67b8ac.exe
-
Size
80KB
-
MD5
60eff8e9e5d19bc7c865df607b630028
-
SHA1
05a2ca656380638446437cfc10f7fa8ed852aa1f
-
SHA256
b6a788d5f0fc14301cf0e90e09401e88ec1fd7629dd0eeefca96af3dce67b8ac
-
SHA512
844b01eab1b8003dde3f2995c267de0768b3f7e6c5c89a72ed02cceed25df2e399431bc2081f329bc70f9c29110c545d2f636b97ec912d3c5babb3d97a232657
-
SSDEEP
1536:6J2XVAlulkn4tVHZqTsSNukqZNGG9q2dEXzDfWqdMVrlEFtyb7IYOOqw4Tv:6welO7tVHZqh0ZNSXzTWqAhELy1MTTv
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijqoilii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpgqlc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dckdio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlpngd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oknjmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ankabh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cglfndaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndgdpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cqleifna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hneeilgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdapcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckfeic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naihdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odlnkmjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aohgfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofmgmhgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmcibdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdckobhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fobkfqpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlefjpid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfgdpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elnonp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acdfki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbqekhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjifpdib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdplfflp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiflpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njammhei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcjqpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnpebj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nobpmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajapoqmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmpiicdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqciha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imfgahao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emagacdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcjaeamd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efppqoil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eehqme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hemqpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahhaobfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Facdgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdipfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epbamc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcigco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmhhae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcnhmdli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acejlfhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plneoace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgeenb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fncpef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqahqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plhaeofp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nknnnoph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooemcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oimpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmoofdea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihdpbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opjkpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijnbcmkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmjlof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efppqoil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljeoimeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Camqpnel.exe -
Executes dropped EXE 64 IoCs
pid Process 1736 Cpmjhk32.exe 2980 Dlfgcl32.exe 2528 Dmhdkdlg.exe 1900 Dhmhhmlm.exe 2420 Dklddhka.exe 2460 Dddimn32.exe 2692 Dpkibo32.exe 2884 Dgeaoinb.exe 2076 Eclbcj32.exe 2740 Emagacdm.exe 2668 Eeohkeoe.exe 1020 Eogmcjef.exe 2784 Eddeladm.exe 1448 Eecafd32.exe 2292 Fkpjnkig.exe 2200 Fnofjfhk.exe 2216 Fhdjgoha.exe 1200 Famope32.exe 2032 Fgigil32.exe 700 Fncpef32.exe 3000 Fdmhbplb.exe 1084 Ffodjh32.exe 460 Flhmfbim.exe 2120 Fgnadkic.exe 2512 Fhomkcoa.exe 2028 Gcgnnlle.exe 2624 Gdkgkcpq.exe 2632 Gkephn32.exe 1992 Gqahqd32.exe 2572 Gjjmijme.exe 2580 Gqdefddb.exe 2476 Gcbabpcf.exe 2488 Hnheohcl.exe 1960 Hfcjdkpg.exe 2928 Hnjbeh32.exe 2932 Hmmbqegc.exe 2648 Hpkompgg.exe 2688 Hgbfnngi.exe 2396 Hmoofdea.exe 2820 Hcigco32.exe 1492 Hblgnkdh.exe 1656 Hboddk32.exe 1320 Hemqpf32.exe 1300 Hmdhad32.exe 1284 Hpbdmo32.exe 1120 Hneeilgj.exe 2112 Ihniaa32.exe 1660 Inhanl32.exe 2244 Iafnjg32.exe 1068 Ihpfgalh.exe 1584 Ijnbcmkk.exe 696 Ibejdjln.exe 2300 Idgglb32.exe 612 Ijqoilii.exe 2364 Ihdpbq32.exe 2732 Ioohokoo.exe 1608 Iamdkfnc.exe 2712 Alqnah32.exe 2436 Laqojfli.exe 2468 Adaiee32.exe 2236 Ojmbgh32.exe 2900 Oqgjdbpi.exe 3028 Opjkpo32.exe 1600 Ojpomh32.exe -
Loads dropped DLL 64 IoCs
pid Process 2600 b6a788d5f0fc14301cf0e90e09401e88ec1fd7629dd0eeefca96af3dce67b8ac.exe 2600 b6a788d5f0fc14301cf0e90e09401e88ec1fd7629dd0eeefca96af3dce67b8ac.exe 1736 Cpmjhk32.exe 1736 Cpmjhk32.exe 2980 Dlfgcl32.exe 2980 Dlfgcl32.exe 2528 Dmhdkdlg.exe 2528 Dmhdkdlg.exe 1900 Dhmhhmlm.exe 1900 Dhmhhmlm.exe 2420 Dklddhka.exe 2420 Dklddhka.exe 2460 Dddimn32.exe 2460 Dddimn32.exe 2692 Dpkibo32.exe 2692 Dpkibo32.exe 2884 Dgeaoinb.exe 2884 Dgeaoinb.exe 2076 Eclbcj32.exe 2076 Eclbcj32.exe 2740 Emagacdm.exe 2740 Emagacdm.exe 2668 Eeohkeoe.exe 2668 Eeohkeoe.exe 1020 Eogmcjef.exe 1020 Eogmcjef.exe 2784 Eddeladm.exe 2784 Eddeladm.exe 1448 Eecafd32.exe 1448 Eecafd32.exe 2292 Fkpjnkig.exe 2292 Fkpjnkig.exe 2200 Fnofjfhk.exe 2200 Fnofjfhk.exe 2216 Fhdjgoha.exe 2216 Fhdjgoha.exe 1200 Famope32.exe 1200 Famope32.exe 2032 Fgigil32.exe 2032 Fgigil32.exe 700 Fncpef32.exe 700 Fncpef32.exe 3000 Fdmhbplb.exe 3000 Fdmhbplb.exe 1084 Ffodjh32.exe 1084 Ffodjh32.exe 460 Flhmfbim.exe 460 Flhmfbim.exe 2120 Fgnadkic.exe 2120 Fgnadkic.exe 2512 Fhomkcoa.exe 2512 Fhomkcoa.exe 1712 Gonocmbi.exe 1712 Gonocmbi.exe 2624 Gdkgkcpq.exe 2624 Gdkgkcpq.exe 2632 Gkephn32.exe 2632 Gkephn32.exe 1992 Gqahqd32.exe 1992 Gqahqd32.exe 2572 Gjjmijme.exe 2572 Gjjmijme.exe 2580 Gqdefddb.exe 2580 Gqdefddb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lceeqk32.dll Fapgblob.exe File opened for modification C:\Windows\SysWOW64\Ndgdpn32.exe Naihdb32.exe File created C:\Windows\SysWOW64\Qchmll32.exe Plneoace.exe File created C:\Windows\SysWOW64\Lgdcmc32.dll Cjifpdib.exe File created C:\Windows\SysWOW64\Oighcd32.exe Oekmceaf.exe File created C:\Windows\SysWOW64\Nmhqokcq.exe Noepdo32.exe File created C:\Windows\SysWOW64\Bfmeqjdf.dll Bbcjca32.exe File created C:\Windows\SysWOW64\Ogljib32.dll Ekgfkl32.exe File created C:\Windows\SysWOW64\Bqffna32.exe Bjlnaghp.exe File created C:\Windows\SysWOW64\Anaeppkc.dll Bcdbjl32.exe File opened for modification C:\Windows\SysWOW64\Gjjmijme.exe Gqahqd32.exe File opened for modification C:\Windows\SysWOW64\Pllkpn32.exe Pdecoa32.exe File created C:\Windows\SysWOW64\Gknfqppk.dll Pfflql32.exe File created C:\Windows\SysWOW64\Nldpgbhe.dll Cbpbgk32.exe File opened for modification C:\Windows\SysWOW64\Npkfff32.exe Nmmjjk32.exe File created C:\Windows\SysWOW64\Qfifmghc.exe Qcjjakip.exe File created C:\Windows\SysWOW64\Gplknnnh.dll Fgcpkldh.exe File created C:\Windows\SysWOW64\Acaoflhe.dll Imfgahao.exe File created C:\Windows\SysWOW64\Nhkddaih.dll Icponb32.exe File created C:\Windows\SysWOW64\Hbblpf32.exe Gllabp32.exe File created C:\Windows\SysWOW64\Phcleoho.exe Paiche32.exe File created C:\Windows\SysWOW64\Ogjhnp32.exe Nobpmb32.exe File opened for modification C:\Windows\SysWOW64\Omdbdb32.exe Oemjbe32.exe File created C:\Windows\SysWOW64\Pehblofm.dll Beplcfmd.exe File created C:\Windows\SysWOW64\Iadphghe.exe Ijjgkmqh.exe File created C:\Windows\SysWOW64\Dcdgqq32.dll Ihniaa32.exe File opened for modification C:\Windows\SysWOW64\Fapgblob.exe Fobkfqpo.exe File opened for modification C:\Windows\SysWOW64\Bjoohdbd.exe Bhpclica.exe File opened for modification C:\Windows\SysWOW64\Pkebgj32.exe Oedqcdim.exe File created C:\Windows\SysWOW64\Pgopak32.exe Ppegdapd.exe File created C:\Windows\SysWOW64\Ococgpfb.dll Eahkag32.exe File opened for modification C:\Windows\SysWOW64\Gcgnnlle.exe Fhomkcoa.exe File opened for modification C:\Windows\SysWOW64\Ioohokoo.exe Ihdpbq32.exe File opened for modification C:\Windows\SysWOW64\Dcjaeamd.exe Cqleifna.exe File opened for modification C:\Windows\SysWOW64\Aplkah32.exe Anjojphb.exe File created C:\Windows\SysWOW64\Ppfbdmgb.dll Nlefjpid.exe File opened for modification C:\Windows\SysWOW64\Opjkpo32.exe Oqgjdbpi.exe File created C:\Windows\SysWOW64\Chgnneiq.exe Baneak32.exe File opened for modification C:\Windows\SysWOW64\Dqobnf32.exe Dnpebj32.exe File created C:\Windows\SysWOW64\Anjojphb.exe Ajociq32.exe File opened for modification C:\Windows\SysWOW64\Imfgahao.exe Incgfl32.exe File created C:\Windows\SysWOW64\Jdbljhig.dll Oemjbe32.exe File opened for modification C:\Windows\SysWOW64\Bfphmi32.exe Bnhqll32.exe File created C:\Windows\SysWOW64\Dpkibo32.exe Dddimn32.exe File created C:\Windows\SysWOW64\Dmhgjdli.dll Hgbfnngi.exe File opened for modification C:\Windows\SysWOW64\Ijqoilii.exe Idgglb32.exe File opened for modification C:\Windows\SysWOW64\Ojpomh32.exe Opjkpo32.exe File created C:\Windows\SysWOW64\Pebbcdkn.exe Pnhjgj32.exe File created C:\Windows\SysWOW64\Fdapcg32.exe Facdgl32.exe File created C:\Windows\SysWOW64\Eefdgeig.exe Eolljk32.exe File created C:\Windows\SysWOW64\Ajmkkbbd.dll Flbehbqm.exe File created C:\Windows\SysWOW64\Ijnbcmkk.exe Ihpfgalh.exe File created C:\Windows\SysWOW64\Loglaegj.dll Opodknco.exe File created C:\Windows\SysWOW64\Pdecoa32.exe Pebbcdkn.exe File opened for modification C:\Windows\SysWOW64\Aepbmhpl.exe Pdjljpnc.exe File opened for modification C:\Windows\SysWOW64\Bdckobhd.exe Bllcnega.exe File opened for modification C:\Windows\SysWOW64\Floeof32.exe Fjnignob.exe File opened for modification C:\Windows\SysWOW64\Biiiempl.exe Bboahbio.exe File created C:\Windows\SysWOW64\Cpbnaj32.exe Capmemci.exe File created C:\Windows\SysWOW64\Ibmldh32.dll Dfgdpj32.exe File opened for modification C:\Windows\SysWOW64\Iggbdb32.exe Ibjikk32.exe File created C:\Windows\SysWOW64\Obnpcb32.dll Qbmhdp32.exe File opened for modification C:\Windows\SysWOW64\Qlpadaac.exe Qjbehfbo.exe File opened for modification C:\Windows\SysWOW64\Gaajfi32.exe Gocnjn32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2992 2760 WerFault.exe 505 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oielnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pllkpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfpcblfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdfggipp.dll" Blibghmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfjfpkji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eddeladm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdkgkcpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eeohkeoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehdpcahk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Facdgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faqkji32.dll" Mdplfflp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgpdil32.dll" Pglacbbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhbpahan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfifmghc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghkbccdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hblgnkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdemhj32.dll" Ckomqopi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjnaehgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bknkhh32.dll" Anjojphb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbidbf32.dll" Ehdpcahk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dacppppl.dll" Lamjph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcjqpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eencfjlb.dll" Opjkpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljcbcngi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhdddnep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldcnnnje.dll" Fdmjmenh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iefbpdca.dll" Hkkaik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bebiifka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckdpinhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddnaonia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phobjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkcbgbdo.dll" Cnjbfhqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oedqcdim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflobh32.dll" Pkebgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpngmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aplkah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjngbihn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knaaiakh.dll" Biiiempl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opmaii32.dll" Hbblpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjjmijme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laqojfli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjnignob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpgqlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikhpoi32.dll" Dhekodik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lngjjj32.dll" Cfghagio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoqeekme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnheohcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfgdmjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Liaeleak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Limhpihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adfbbabc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbqekhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfdcidn.dll" Aeghng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efmckpko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cqleifna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnklmfhi.dll" Fdfmpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkelme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ollljo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poeepl32.dll" Bmgddcnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akfhog32.dll" Eojoelcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffodjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijnbcmkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijjgkmqh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgnaekil.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2600 wrote to memory of 1736 2600 b6a788d5f0fc14301cf0e90e09401e88ec1fd7629dd0eeefca96af3dce67b8ac.exe 28 PID 2600 wrote to memory of 1736 2600 b6a788d5f0fc14301cf0e90e09401e88ec1fd7629dd0eeefca96af3dce67b8ac.exe 28 PID 2600 wrote to memory of 1736 2600 b6a788d5f0fc14301cf0e90e09401e88ec1fd7629dd0eeefca96af3dce67b8ac.exe 28 PID 2600 wrote to memory of 1736 2600 b6a788d5f0fc14301cf0e90e09401e88ec1fd7629dd0eeefca96af3dce67b8ac.exe 28 PID 1736 wrote to memory of 2980 1736 Cpmjhk32.exe 29 PID 1736 wrote to memory of 2980 1736 Cpmjhk32.exe 29 PID 1736 wrote to memory of 2980 1736 Cpmjhk32.exe 29 PID 1736 wrote to memory of 2980 1736 Cpmjhk32.exe 29 PID 2980 wrote to memory of 2528 2980 Dlfgcl32.exe 30 PID 2980 wrote to memory of 2528 2980 Dlfgcl32.exe 30 PID 2980 wrote to memory of 2528 2980 Dlfgcl32.exe 30 PID 2980 wrote to memory of 2528 2980 Dlfgcl32.exe 30 PID 2528 wrote to memory of 1900 2528 Dmhdkdlg.exe 31 PID 2528 wrote to memory of 1900 2528 Dmhdkdlg.exe 31 PID 2528 wrote to memory of 1900 2528 Dmhdkdlg.exe 31 PID 2528 wrote to memory of 1900 2528 Dmhdkdlg.exe 31 PID 1900 wrote to memory of 2420 1900 Dhmhhmlm.exe 32 PID 1900 wrote to memory of 2420 1900 Dhmhhmlm.exe 32 PID 1900 wrote to memory of 2420 1900 Dhmhhmlm.exe 32 PID 1900 wrote to memory of 2420 1900 Dhmhhmlm.exe 32 PID 2420 wrote to memory of 2460 2420 Dklddhka.exe 33 PID 2420 wrote to memory of 2460 2420 Dklddhka.exe 33 PID 2420 wrote to memory of 2460 2420 Dklddhka.exe 33 PID 2420 wrote to memory of 2460 2420 Dklddhka.exe 33 PID 2460 wrote to memory of 2692 2460 Dddimn32.exe 34 PID 2460 wrote to memory of 2692 2460 Dddimn32.exe 34 PID 2460 wrote to memory of 2692 2460 Dddimn32.exe 34 PID 2460 wrote to memory of 2692 2460 Dddimn32.exe 34 PID 2692 wrote to memory of 2884 2692 Dpkibo32.exe 35 PID 2692 wrote to memory of 2884 2692 Dpkibo32.exe 35 PID 2692 wrote to memory of 2884 2692 Dpkibo32.exe 35 PID 2692 wrote to memory of 2884 2692 Dpkibo32.exe 35 PID 2884 wrote to memory of 2076 2884 Dgeaoinb.exe 36 PID 2884 wrote to memory of 2076 2884 Dgeaoinb.exe 36 PID 2884 wrote to memory of 2076 2884 Dgeaoinb.exe 36 PID 2884 wrote to memory of 2076 2884 Dgeaoinb.exe 36 PID 2076 wrote to memory of 2740 2076 Eclbcj32.exe 37 PID 2076 wrote to memory of 2740 2076 Eclbcj32.exe 37 PID 2076 wrote to memory of 2740 2076 Eclbcj32.exe 37 PID 2076 wrote to memory of 2740 2076 Eclbcj32.exe 37 PID 2740 wrote to memory of 2668 2740 Emagacdm.exe 38 PID 2740 wrote to memory of 2668 2740 Emagacdm.exe 38 PID 2740 wrote to memory of 2668 2740 Emagacdm.exe 38 PID 2740 wrote to memory of 2668 2740 Emagacdm.exe 38 PID 2668 wrote to memory of 1020 2668 Eeohkeoe.exe 39 PID 2668 wrote to memory of 1020 2668 Eeohkeoe.exe 39 PID 2668 wrote to memory of 1020 2668 Eeohkeoe.exe 39 PID 2668 wrote to memory of 1020 2668 Eeohkeoe.exe 39 PID 1020 wrote to memory of 2784 1020 Eogmcjef.exe 40 PID 1020 wrote to memory of 2784 1020 Eogmcjef.exe 40 PID 1020 wrote to memory of 2784 1020 Eogmcjef.exe 40 PID 1020 wrote to memory of 2784 1020 Eogmcjef.exe 40 PID 2784 wrote to memory of 1448 2784 Eddeladm.exe 41 PID 2784 wrote to memory of 1448 2784 Eddeladm.exe 41 PID 2784 wrote to memory of 1448 2784 Eddeladm.exe 41 PID 2784 wrote to memory of 1448 2784 Eddeladm.exe 41 PID 1448 wrote to memory of 2292 1448 Eecafd32.exe 42 PID 1448 wrote to memory of 2292 1448 Eecafd32.exe 42 PID 1448 wrote to memory of 2292 1448 Eecafd32.exe 42 PID 1448 wrote to memory of 2292 1448 Eecafd32.exe 42 PID 2292 wrote to memory of 2200 2292 Fkpjnkig.exe 43 PID 2292 wrote to memory of 2200 2292 Fkpjnkig.exe 43 PID 2292 wrote to memory of 2200 2292 Fkpjnkig.exe 43 PID 2292 wrote to memory of 2200 2292 Fkpjnkig.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\b6a788d5f0fc14301cf0e90e09401e88ec1fd7629dd0eeefca96af3dce67b8ac.exe"C:\Users\Admin\AppData\Local\Temp\b6a788d5f0fc14301cf0e90e09401e88ec1fd7629dd0eeefca96af3dce67b8ac.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Cpmjhk32.exeC:\Windows\system32\Cpmjhk32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Dlfgcl32.exeC:\Windows\system32\Dlfgcl32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Dmhdkdlg.exeC:\Windows\system32\Dmhdkdlg.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Dhmhhmlm.exeC:\Windows\system32\Dhmhhmlm.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\Dklddhka.exeC:\Windows\system32\Dklddhka.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Dddimn32.exeC:\Windows\system32\Dddimn32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Dpkibo32.exeC:\Windows\system32\Dpkibo32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Dgeaoinb.exeC:\Windows\system32\Dgeaoinb.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Eclbcj32.exeC:\Windows\system32\Eclbcj32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Emagacdm.exeC:\Windows\system32\Emagacdm.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Eeohkeoe.exeC:\Windows\system32\Eeohkeoe.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Eogmcjef.exeC:\Windows\system32\Eogmcjef.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Eddeladm.exeC:\Windows\system32\Eddeladm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Eecafd32.exeC:\Windows\system32\Eecafd32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\Fkpjnkig.exeC:\Windows\system32\Fkpjnkig.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Fnofjfhk.exeC:\Windows\system32\Fnofjfhk.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2200 -
C:\Windows\SysWOW64\Fhdjgoha.exeC:\Windows\system32\Fhdjgoha.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Famope32.exeC:\Windows\system32\Famope32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1200 -
C:\Windows\SysWOW64\Fgigil32.exeC:\Windows\system32\Fgigil32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2032 -
C:\Windows\SysWOW64\Fncpef32.exeC:\Windows\system32\Fncpef32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:700 -
C:\Windows\SysWOW64\Fdmhbplb.exeC:\Windows\system32\Fdmhbplb.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3000 -
C:\Windows\SysWOW64\Ffodjh32.exeC:\Windows\system32\Ffodjh32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1084 -
C:\Windows\SysWOW64\Flhmfbim.exeC:\Windows\system32\Flhmfbim.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:460 -
C:\Windows\SysWOW64\Fgnadkic.exeC:\Windows\system32\Fgnadkic.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2120 -
C:\Windows\SysWOW64\Fhomkcoa.exeC:\Windows\system32\Fhomkcoa.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2512 -
C:\Windows\SysWOW64\Gcgnnlle.exeC:\Windows\system32\Gcgnnlle.exe27⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Gonocmbi.exeC:\Windows\system32\Gonocmbi.exe28⤵
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Gdkgkcpq.exeC:\Windows\system32\Gdkgkcpq.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Gkephn32.exeC:\Windows\system32\Gkephn32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2632 -
C:\Windows\SysWOW64\Gqahqd32.exeC:\Windows\system32\Gqahqd32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1992 -
C:\Windows\SysWOW64\Gjjmijme.exeC:\Windows\system32\Gjjmijme.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Gqdefddb.exeC:\Windows\system32\Gqdefddb.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Gcbabpcf.exeC:\Windows\system32\Gcbabpcf.exe34⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Hnheohcl.exeC:\Windows\system32\Hnheohcl.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2488 -
C:\Windows\SysWOW64\Hfcjdkpg.exeC:\Windows\system32\Hfcjdkpg.exe36⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Hnjbeh32.exeC:\Windows\system32\Hnjbeh32.exe37⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Hmmbqegc.exeC:\Windows\system32\Hmmbqegc.exe38⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Hpkompgg.exeC:\Windows\system32\Hpkompgg.exe39⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Hgbfnngi.exeC:\Windows\system32\Hgbfnngi.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\Hmoofdea.exeC:\Windows\system32\Hmoofdea.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Hcigco32.exeC:\Windows\system32\Hcigco32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Hblgnkdh.exeC:\Windows\system32\Hblgnkdh.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Hboddk32.exeC:\Windows\system32\Hboddk32.exe44⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Hemqpf32.exeC:\Windows\system32\Hemqpf32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Hmdhad32.exeC:\Windows\system32\Hmdhad32.exe46⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Hpbdmo32.exeC:\Windows\system32\Hpbdmo32.exe47⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Hneeilgj.exeC:\Windows\system32\Hneeilgj.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Ihniaa32.exeC:\Windows\system32\Ihniaa32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2112 -
C:\Windows\SysWOW64\Inhanl32.exeC:\Windows\system32\Inhanl32.exe50⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Iafnjg32.exeC:\Windows\system32\Iafnjg32.exe51⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Ihpfgalh.exeC:\Windows\system32\Ihpfgalh.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1068 -
C:\Windows\SysWOW64\Ijnbcmkk.exeC:\Windows\system32\Ijnbcmkk.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Ibejdjln.exeC:\Windows\system32\Ibejdjln.exe54⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Idgglb32.exeC:\Windows\system32\Idgglb32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Ijqoilii.exeC:\Windows\system32\Ijqoilii.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Ihdpbq32.exeC:\Windows\system32\Ihdpbq32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Ioohokoo.exeC:\Windows\system32\Ioohokoo.exe58⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Iamdkfnc.exeC:\Windows\system32\Iamdkfnc.exe59⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Alqnah32.exeC:\Windows\system32\Alqnah32.exe60⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Laqojfli.exeC:\Windows\system32\Laqojfli.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Adaiee32.exeC:\Windows\system32\Adaiee32.exe62⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Ojmbgh32.exeC:\Windows\system32\Ojmbgh32.exe63⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Oqgjdbpi.exeC:\Windows\system32\Oqgjdbpi.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Opjkpo32.exeC:\Windows\system32\Opjkpo32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Ojpomh32.exeC:\Windows\system32\Ojpomh32.exe66⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Oplgeoea.exeC:\Windows\system32\Oplgeoea.exe67⤵PID:2768
-
C:\Windows\SysWOW64\Ochcem32.exeC:\Windows\system32\Ochcem32.exe68⤵PID:1528
-
C:\Windows\SysWOW64\Oielnd32.exeC:\Windows\system32\Oielnd32.exe69⤵
- Modifies registry class
PID:1480 -
C:\Windows\SysWOW64\Opodknco.exeC:\Windows\system32\Opodknco.exe70⤵
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Ofilgh32.exeC:\Windows\system32\Ofilgh32.exe71⤵PID:1176
-
C:\Windows\SysWOW64\Oekmceaf.exeC:\Windows\system32\Oekmceaf.exe72⤵
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Oighcd32.exeC:\Windows\system32\Oighcd32.exe73⤵PID:1704
-
C:\Windows\SysWOW64\Opaqpn32.exeC:\Windows\system32\Opaqpn32.exe74⤵PID:1944
-
C:\Windows\SysWOW64\Pbomli32.exeC:\Windows\system32\Pbomli32.exe75⤵PID:1968
-
C:\Windows\SysWOW64\Penihe32.exeC:\Windows\system32\Penihe32.exe76⤵PID:2312
-
C:\Windows\SysWOW64\Plhaeofp.exeC:\Windows\system32\Plhaeofp.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1212 -
C:\Windows\SysWOW64\Pnfnajed.exeC:\Windows\system32\Pnfnajed.exe78⤵PID:3068
-
C:\Windows\SysWOW64\Pepfnd32.exeC:\Windows\system32\Pepfnd32.exe79⤵PID:1012
-
C:\Windows\SysWOW64\Phobjp32.exeC:\Windows\system32\Phobjp32.exe80⤵
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\Pnhjgj32.exeC:\Windows\system32\Pnhjgj32.exe81⤵
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Pebbcdkn.exeC:\Windows\system32\Pebbcdkn.exe82⤵
- Drops file in System32 directory
PID:2084 -
C:\Windows\SysWOW64\Pdecoa32.exeC:\Windows\system32\Pdecoa32.exe83⤵
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Pllkpn32.exeC:\Windows\system32\Pllkpn32.exe84⤵
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Pnkglj32.exeC:\Windows\system32\Pnkglj32.exe85⤵PID:2592
-
C:\Windows\SysWOW64\Paiche32.exeC:\Windows\system32\Paiche32.exe86⤵
- Drops file in System32 directory
PID:3044 -
C:\Windows\SysWOW64\Phcleoho.exeC:\Windows\system32\Phcleoho.exe87⤵PID:2920
-
C:\Windows\SysWOW64\Pfflql32.exeC:\Windows\system32\Pfflql32.exe88⤵
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Pnmdbi32.exeC:\Windows\system32\Pnmdbi32.exe89⤵PID:2064
-
C:\Windows\SysWOW64\Palpneop.exeC:\Windows\system32\Palpneop.exe90⤵PID:2744
-
C:\Windows\SysWOW64\Pdjljpnc.exeC:\Windows\system32\Pdjljpnc.exe91⤵
- Drops file in System32 directory
PID:564 -
C:\Windows\SysWOW64\Aepbmhpl.exeC:\Windows\system32\Aepbmhpl.exe92⤵PID:2840
-
C:\Windows\SysWOW64\Aljjjb32.exeC:\Windows\system32\Aljjjb32.exe93⤵PID:1476
-
C:\Windows\SysWOW64\Aohgfm32.exeC:\Windows\system32\Aohgfm32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2736 -
C:\Windows\SysWOW64\Afpogk32.exeC:\Windows\system32\Afpogk32.exe95⤵PID:2320
-
C:\Windows\SysWOW64\Ainkcf32.exeC:\Windows\system32\Ainkcf32.exe96⤵PID:1912
-
C:\Windows\SysWOW64\Allgoa32.exeC:\Windows\system32\Allgoa32.exe97⤵PID:2040
-
C:\Windows\SysWOW64\Aaipghcn.exeC:\Windows\system32\Aaipghcn.exe98⤵PID:1740
-
C:\Windows\SysWOW64\Aedlhg32.exeC:\Windows\system32\Aedlhg32.exe99⤵PID:664
-
C:\Windows\SysWOW64\Ahchdb32.exeC:\Windows\system32\Ahchdb32.exe100⤵PID:544
-
C:\Windows\SysWOW64\Akadpn32.exeC:\Windows\system32\Akadpn32.exe101⤵PID:1008
-
C:\Windows\SysWOW64\Aompambg.exeC:\Windows\system32\Aompambg.exe102⤵PID:2552
-
C:\Windows\SysWOW64\Aeghng32.exeC:\Windows\system32\Aeghng32.exe103⤵
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Alaqjaaa.exeC:\Windows\system32\Alaqjaaa.exe104⤵PID:2604
-
C:\Windows\SysWOW64\Ahhaobfe.exeC:\Windows\system32\Ahhaobfe.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1884 -
C:\Windows\SysWOW64\Akfnkmei.exeC:\Windows\system32\Akfnkmei.exe106⤵PID:2944
-
C:\Windows\SysWOW64\Aoaill32.exeC:\Windows\system32\Aoaill32.exe107⤵PID:440
-
C:\Windows\SysWOW64\Bpcfcddp.exeC:\Windows\system32\Bpcfcddp.exe108⤵PID:2824
-
C:\Windows\SysWOW64\Bgmnpn32.exeC:\Windows\system32\Bgmnpn32.exe109⤵PID:1488
-
C:\Windows\SysWOW64\Bkhjamcf.exeC:\Windows\system32\Bkhjamcf.exe110⤵PID:2792
-
C:\Windows\SysWOW64\Bikjmj32.exeC:\Windows\system32\Bikjmj32.exe111⤵PID:2376
-
C:\Windows\SysWOW64\Bdaojbjf.exeC:\Windows\system32\Bdaojbjf.exe112⤵PID:1624
-
C:\Windows\SysWOW64\Bjngbihn.exeC:\Windows\system32\Bjngbihn.exe113⤵
- Modifies registry class
PID:2252 -
C:\Windows\SysWOW64\Bllcnega.exeC:\Windows\system32\Bllcnega.exe114⤵
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Bdckobhd.exeC:\Windows\system32\Bdckobhd.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1240 -
C:\Windows\SysWOW64\Bgahkngh.exeC:\Windows\system32\Bgahkngh.exe116⤵PID:1672
-
C:\Windows\SysWOW64\Bjpdhifk.exeC:\Windows\system32\Bjpdhifk.exe117⤵PID:784
-
C:\Windows\SysWOW64\Blnpddeo.exeC:\Windows\system32\Blnpddeo.exe118⤵PID:2520
-
C:\Windows\SysWOW64\Bomlppdb.exeC:\Windows\system32\Bomlppdb.exe119⤵PID:2972
-
C:\Windows\SysWOW64\Bfgdmjlp.exeC:\Windows\system32\Bfgdmjlp.exe120⤵
- Modifies registry class
PID:1232 -
C:\Windows\SysWOW64\Baneak32.exeC:\Windows\system32\Baneak32.exe121⤵
- Drops file in System32 directory
PID:2424
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-