Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/04/2024, 23:43
Static task: static1

Behavioral task: behavioral1
- Sample: 76b736970505a513119305f3413fa8f8b2740854dd714cd118aa4987e3051863.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 76b736970505a513119305f3413fa8f8b2740854dd714cd118aa4987e3051863.exe
- Resource: win10v2004-20240426-en
General
- Target: 76b736970505a513119305f3413fa8f8b2740854dd714cd118aa4987e3051863.exe
- Size: 249KB
- MD5: 730542f02384d2f6d6df27b8131a2aac
- SHA1: dcf174ce447c8e246cb7b854ffb46fab14ae8f9b
- SHA256: 76b736970505a513119305f3413fa8f8b2740854dd714cd118aa4987e3051863
- SHA512: 9d65d4d0231350060dc64f142bd0e411fd1e9ac82064976752150d0095b7a098689706cea974c19a327070b7e1bb0e11aeb5246909f0e5f0e46b7402753c6342
- SSDEEP: 3072:JZCxQJNGk0ArGzWeWUEdmjRrz3TIUV4BKxAcL5CY2VePI8C3U/XYMJ2okZk:JZhLItVEdGTBki5CYtI8TAokZ
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup: 2 TTPs, 64 IoCs
- UPX dump on OEP (original entry point): 64 IoCs
- Executes dropped EXE: 64 IoCs
- Drops file in System32 directory: 64 IoCs
- Program crash: 1 IoC
    pid    pid_target  Process       procid_target
    13124  12844       WerFault.exe  679
- Modifies registry class: 64 IoCs
- Suspicious use of WriteProcessMemory: 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\76b736970505a513119305f3413fa8f8b2740854dd714cd118aa4987e3051863.exe
"C:\Users\Admin\AppData\Local\Temp\76b736970505a513119305f3413fa8f8b2740854dd714cd118aa4987e3051863.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\SysWOW64\Efgodj32.exe
C:\Windows\system32\Efgodj32.exe 2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Windows\SysWOW64\Elagacbk.exe
C:\Windows\system32\Elagacbk.exe 3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
C:\Windows\SysWOW64\Eoocmoao.exe
C:\Windows\system32\Eoocmoao.exe 4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Windows\SysWOW64\Ebnoikqb.exe
C:\Windows\system32\Ebnoikqb.exe 5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
C:\Windows\SysWOW64\Ejegjh32.exe
C:\Windows\system32\Ejegjh32.exe 6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3364 -
C:\Windows\SysWOW64\Eoapbo32.exe
C:\Windows\system32\Eoapbo32.exe 7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Windows\SysWOW64\Ecmlcmhe.exe
C:\Windows\system32\Ecmlcmhe.exe 8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Ejgdpg32.exe
C:\Windows\system32\Ejgdpg32.exe 9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Windows\SysWOW64\Eqalmafo.exe
C:\Windows\system32\Eqalmafo.exe 10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800 -
C:\Windows\SysWOW64\Ebbidj32.exe
C:\Windows\system32\Ebbidj32.exe 11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Ejjqeg32.exe
C:\Windows\system32\Ejjqeg32.exe 12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Eofinnkf.exe
C:\Windows\system32\Eofinnkf.exe 13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\Efpajh32.exe
C:\Windows\system32\Efpajh32.exe 14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Emjjgbjp.exe
C:\Windows\system32\Emjjgbjp.exe 15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3196 -
C:\Windows\SysWOW64\Eoifcnid.exe
C:\Windows\system32\Eoifcnid.exe 16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Windows\SysWOW64\Ffbnph32.exe
C:\Windows\system32\Ffbnph32.exe 17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\SysWOW64\Fjnjqfij.exe
C:\Windows\system32\Fjnjqfij.exe 18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Fmmfmbhn.exe
C:\Windows\system32\Fmmfmbhn.exe 19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\SysWOW64\Ffekegon.exe
C:\Windows\system32\Ffekegon.exe 20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\SysWOW64\Fmocba32.exe
C:\Windows\system32\Fmocba32.exe 21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Fqkocpod.exe
C:\Windows\system32\Fqkocpod.exe 22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Fbllkh32.exe
C:\Windows\system32\Fbllkh32.exe 23⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Fjcclf32.exe
C:\Windows\system32\Fjcclf32.exe 24⤵
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Fqmlhpla.exe
C:\Windows\system32\Fqmlhpla.exe 25⤵
- Executes dropped EXE
PID:5112 -
C:\Windows\SysWOW64\Fbnhphbp.exe
C:\Windows\system32\Fbnhphbp.exe 26⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Fjepaecb.exe
C:\Windows\system32\Fjepaecb.exe 27⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Fqohnp32.exe
C:\Windows\system32\Fqohnp32.exe 28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3896 -
C:\Windows\SysWOW64\Fflaff32.exe
C:\Windows\system32\Fflaff32.exe 29⤵
- Executes dropped EXE
PID:3236 -
C:\Windows\SysWOW64\Fmficqpc.exe
C:\Windows\system32\Fmficqpc.exe 30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2856 -
C:\Windows\SysWOW64\Gcpapkgp.exe
C:\Windows\system32\Gcpapkgp.exe 31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3624 -
C:\Windows\SysWOW64\Gjjjle32.exe
C:\Windows\system32\Gjjjle32.exe 32⤵
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\Gqdbiofi.exe
C:\Windows\system32\Gqdbiofi.exe 33⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Gbenqg32.exe
C:\Windows\system32\Gbenqg32.exe 34⤵
- Executes dropped EXE
PID:212 -
C:\Windows\SysWOW64\Gjlfbd32.exe
C:\Windows\system32\Gjlfbd32.exe 35⤵
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\Gmkbnp32.exe
C:\Windows\system32\Gmkbnp32.exe 36⤵
- Executes dropped EXE
PID:732 -
C:\Windows\SysWOW64\Gqfooodg.exe
C:\Windows\system32\Gqfooodg.exe 37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3412 -
C:\Windows\SysWOW64\Gcekkjcj.exe
C:\Windows\system32\Gcekkjcj.exe 38⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Gjocgdkg.exe
C:\Windows\system32\Gjocgdkg.exe 39⤵
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\Gmmocpjk.exe
C:\Windows\system32\Gmmocpjk.exe 40⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Gqikdn32.exe
C:\Windows\system32\Gqikdn32.exe 41⤵
- Executes dropped EXE
PID:4200 -
C:\Windows\SysWOW64\Gcggpj32.exe
C:\Windows\system32\Gcggpj32.exe 42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3124 -
C:\Windows\SysWOW64\Gjapmdid.exe
C:\Windows\system32\Gjapmdid.exe 43⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Gmoliohh.exe
C:\Windows\system32\Gmoliohh.exe 44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Gpnhekgl.exe
C:\Windows\system32\Gpnhekgl.exe 45⤵
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\Gbldaffp.exe
C:\Windows\system32\Gbldaffp.exe 46⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Gfhqbe32.exe
C:\Windows\system32\Gfhqbe32.exe 47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4240 -
C:\Windows\SysWOW64\Gmaioo32.exe
C:\Windows\system32\Gmaioo32.exe 48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Gppekj32.exe
C:\Windows\system32\Gppekj32.exe 49⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Hfjmgdlf.exe
C:\Windows\system32\Hfjmgdlf.exe 50⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Hihicplj.exe
C:\Windows\system32\Hihicplj.exe 51⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Hbanme32.exe
C:\Windows\system32\Hbanme32.exe 52⤵
- Executes dropped EXE
PID:3244 -
C:\Windows\SysWOW64\Habnjm32.exe
C:\Windows\system32\Habnjm32.exe 53⤵
- Executes dropped EXE
PID:3088 -
C:\Windows\SysWOW64\Hbckbepg.exe
C:\Windows\system32\Hbckbepg.exe 54⤵
- Executes dropped EXE
- Modifies registry class
PID:4004 -
C:\Windows\SysWOW64\Hmioonpn.exe
C:\Windows\system32\Hmioonpn.exe 55⤵
- Executes dropped EXE
PID:3852 -
C:\Windows\SysWOW64\Hccglh32.exe
C:\Windows\system32\Hccglh32.exe 56⤵
- Executes dropped EXE
PID:208 -
C:\Windows\SysWOW64\Hjmoibog.exe
C:\Windows\system32\Hjmoibog.exe 57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1160 -
C:\Windows\SysWOW64\Haggelfd.exe
C:\Windows\system32\Haggelfd.exe 58⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Hbhdmd32.exe
C:\Windows\system32\Hbhdmd32.exe 59⤵
- Executes dropped EXE
PID:3564 -
C:\Windows\SysWOW64\Hmmhjm32.exe
C:\Windows\system32\Hmmhjm32.exe 60⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Iffmccbi.exe
C:\Windows\system32\Iffmccbi.exe 61⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Impepm32.exe
C:\Windows\system32\Impepm32.exe 62⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Iakaql32.exe
C:\Windows\system32\Iakaql32.exe 63⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Icjmmg32.exe
C:\Windows\system32\Icjmmg32.exe 64⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Ijdeiaio.exe
C:\Windows\system32\Ijdeiaio.exe 65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Imbaemhc.exe
C:\Windows\system32\Imbaemhc.exe 66⤵
- Modifies registry class
PID:4688 -
C:\Windows\SysWOW64\Ipqnahgf.exe
C:\Windows\system32\Ipqnahgf.exe 67⤵
- Modifies registry class
PID:1300 -
C:\Windows\SysWOW64\Ijfboafl.exe
C:\Windows\system32\Ijfboafl.exe 68⤵
PID:4588
-
C:\Windows\SysWOW64\Iapjlk32.exe
C:\Windows\system32\Iapjlk32.exe 69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3968 -
C:\Windows\SysWOW64\Ibagcc32.exe
C:\Windows\system32\Ibagcc32.exe 70⤵
PID:4636
-
C:\Windows\SysWOW64\Ijhodq32.exe
C:\Windows\system32\Ijhodq32.exe 71⤵
PID:1544
-
C:\Windows\SysWOW64\Ipegmg32.exe
C:\Windows\system32\Ipegmg32.exe 72⤵
PID:4028
-
C:\Windows\SysWOW64\Iinlemia.exe
C:\Windows\system32\Iinlemia.exe 73⤵
PID:5024
-
C:\Windows\SysWOW64\Jpgdbg32.exe
C:\Windows\system32\Jpgdbg32.exe 74⤵
PID:4564
-
C:\Windows\SysWOW64\Jfaloa32.exe
C:\Windows\system32\Jfaloa32.exe 75⤵
PID:4560
-
C:\Windows\SysWOW64\Jjpeepnb.exe
C:\Windows\system32\Jjpeepnb.exe 76⤵
- Drops file in System32 directory
PID:4628 -
C:\Windows\SysWOW64\Jplmmfmi.exe
C:\Windows\system32\Jplmmfmi.exe 77⤵
PID:3792
-
C:\Windows\SysWOW64\Jfffjqdf.exe
C:\Windows\system32\Jfffjqdf.exe 78⤵
PID:4700
-
C:\Windows\SysWOW64\Jmpngk32.exe
C:\Windows\system32\Jmpngk32.exe 79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:512 -
C:\Windows\SysWOW64\Jaljgidl.exe
C:\Windows\system32\Jaljgidl.exe 80⤵
PID:4912
-
C:\Windows\SysWOW64\Jdjfcecp.exe
C:\Windows\system32\Jdjfcecp.exe 81⤵
PID:4916
-
C:\Windows\SysWOW64\Jfhbppbc.exe
C:\Windows\system32\Jfhbppbc.exe 82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4108 -
C:\Windows\SysWOW64\Jigollag.exe
C:\Windows\system32\Jigollag.exe 83⤵
PID:3764
-
C:\Windows\SysWOW64\Jpaghf32.exe
C:\Windows\system32\Jpaghf32.exe 84⤵
PID:824
-
C:\Windows\SysWOW64\Jbocea32.exe
C:\Windows\system32\Jbocea32.exe 85⤵
PID:4716
-
C:\Windows\SysWOW64\Jfkoeppq.exe
C:\Windows\system32\Jfkoeppq.exe 86⤵
- Drops file in System32 directory
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Kmegbjgn.exe
C:\Windows\system32\Kmegbjgn.exe 87⤵
- Modifies registry class
PID:4244 -
C:\Windows\SysWOW64\Kpccnefa.exe
C:\Windows\system32\Kpccnefa.exe 88⤵
PID:3176
-
C:\Windows\SysWOW64\Kbapjafe.exe
C:\Windows\system32\Kbapjafe.exe 89⤵
PID:1136
-
C:\Windows\SysWOW64\Kgmlkp32.exe
C:\Windows\system32\Kgmlkp32.exe 90⤵
PID:2068
-
C:\Windows\SysWOW64\Kilhgk32.exe
C:\Windows\system32\Kilhgk32.exe 91⤵
PID:4408
-
C:\Windows\SysWOW64\Kmgdgjek.exe
C:\Windows\system32\Kmgdgjek.exe 92⤵
PID:4540
-
C:\Windows\SysWOW64\Kpepcedo.exe
C:\Windows\system32\Kpepcedo.exe 93⤵
PID:4080
-
C:\Windows\SysWOW64\Kbdmpqcb.exe
C:\Windows\system32\Kbdmpqcb.exe 94⤵
PID:3540
-
C:\Windows\SysWOW64\Kkkdan32.exe
C:\Windows\system32\Kkkdan32.exe 95⤵
- Modifies registry class
PID:5124 -
C:\Windows\SysWOW64\Kinemkko.exe
C:\Windows\system32\Kinemkko.exe 96⤵
- Modifies registry class
PID:5176 -
C:\Windows\SysWOW64\Kaemnhla.exe
C:\Windows\system32\Kaemnhla.exe 97⤵
PID:5220
-
C:\Windows\SysWOW64\Kdcijcke.exe
C:\Windows\system32\Kdcijcke.exe 98⤵
PID:5264
-
C:\Windows\SysWOW64\Kgbefoji.exe
C:\Windows\system32\Kgbefoji.exe 99⤵
PID:5308
-
C:\Windows\SysWOW64\Kipabjil.exe
C:\Windows\system32\Kipabjil.exe 100⤵
PID:5352
-
C:\Windows\SysWOW64\Kagichjo.exe
C:\Windows\system32\Kagichjo.exe 101⤵
- Drops file in System32 directory
PID:5396 -
C:\Windows\SysWOW64\Kdffocib.exe
C:\Windows\system32\Kdffocib.exe 102⤵
PID:5440
-
C:\Windows\SysWOW64\Kcifkp32.exe
C:\Windows\system32\Kcifkp32.exe 103⤵
PID:5480
-
C:\Windows\SysWOW64\Kkpnlm32.exe
C:\Windows\system32\Kkpnlm32.exe 104⤵
PID:5528
-
C:\Windows\SysWOW64\Kajfig32.exe
C:\Windows\system32\Kajfig32.exe 105⤵
PID:5568
-
C:\Windows\SysWOW64\Kdhbec32.exe
C:\Windows\system32\Kdhbec32.exe 106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5616 -
C:\Windows\SysWOW64\Kgfoan32.exe
C:\Windows\system32\Kgfoan32.exe 107⤵
PID:5660
-
C:\Windows\SysWOW64\Liekmj32.exe
C:\Windows\system32\Liekmj32.exe 108⤵
PID:5712
-
C:\Windows\SysWOW64\Lalcng32.exe
C:\Windows\system32\Lalcng32.exe 109⤵
- Modifies registry class
PID:5748 -
C:\Windows\SysWOW64\Lpocjdld.exe
C:\Windows\system32\Lpocjdld.exe 110⤵
PID:5796
-
C:\Windows\SysWOW64\Lcmofolg.exe
C:\Windows\system32\Lcmofolg.exe 111⤵
PID:5840
-
C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe 112⤵
- Modifies registry class
PID:5884 -
C:\Windows\SysWOW64\Laopdgcg.exe
C:\Windows\system32\Laopdgcg.exe 113⤵
PID:5928
-
C:\Windows\SysWOW64\Ldmlpbbj.exe
C:\Windows\system32\Ldmlpbbj.exe 114⤵
- Modifies registry class
PID:5972 -
C:\Windows\SysWOW64\Lcpllo32.exe
C:\Windows\system32\Lcpllo32.exe 115⤵
PID:6016
-
C:\Windows\SysWOW64\Lkgdml32.exe
C:\Windows\system32\Lkgdml32.exe 116⤵
PID:6060
-
C:\Windows\SysWOW64\Lnepih32.exe
C:\Windows\system32\Lnepih32.exe 117⤵
PID:6100
-
C:\Windows\SysWOW64\Laalifad.exe
C:\Windows\system32\Laalifad.exe 118⤵
PID:6140
-
C:\Windows\SysWOW64\Ldohebqh.exe
C:\Windows\system32\Ldohebqh.exe 119⤵
PID:5156
-
C:\Windows\SysWOW64\Lcbiao32.exe
C:\Windows\system32\Lcbiao32.exe 120⤵
PID:5216
-
C:\Windows\SysWOW64\Lgneampk.exe
C:\Windows\system32\Lgneampk.exe 121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5284 -
C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe 122⤵
- Drops file in System32 directory
PID:5336