Analysis
-
max time kernel
118s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
19/05/2024, 20:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3c7e970fa86afbb362873828f5b5d3d337cfe2f98faf4ae4f4f290b271d1d8fe.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
3c7e970fa86afbb362873828f5b5d3d337cfe2f98faf4ae4f4f290b271d1d8fe.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
3c7e970fa86afbb362873828f5b5d3d337cfe2f98faf4ae4f4f290b271d1d8fe.exe
-
Size
64KB
-
MD5
ae058bdc20a54aee64e2c036ec04d323
-
SHA1
5cb8bef0d72c8467cbc58f321bbd064107add5e4
-
SHA256
3c7e970fa86afbb362873828f5b5d3d337cfe2f98faf4ae4f4f290b271d1d8fe
-
SHA512
ada1f6b0c8e8de9742f044f5bff01b9cffc05bb631291151c8100d226494f8f51d3a0b7ba48cf505e120bc38fbc8bff59f513d8c8715dc0a7e1d22652c0095c8
-
SSDEEP
1536:xYT6qMn+tR592ibQVZ5MlrozIpEbj/2LatXdZgQe:yM+7nUVZ50rpEbjEaXds
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgkafo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dddfdejn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbcmpfhi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkclhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnmlhchd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgmcqkkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgnokb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffnphf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpnbkeld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbnoliap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iaonhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmegncpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lefdpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbdjbaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cadhnmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhmfod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpnmjd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcjnfdbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfgdhjmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpkkjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pikkiijf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epbfmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afdgfelo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfbaql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojahnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cielhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmmcjehm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdbpnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbpbpkpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqfffqpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiknhbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kncofa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkjfah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leajdfnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clmbddgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmkomchi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbemb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgcdki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found -
Executes dropped EXE 64 IoCs
pid Process 2456 Ebgacddo.exe 2040 Ejbfhfaj.exe 2284 Ealnephf.exe 2828 Fjdbnf32.exe 2808 Fejgko32.exe 2576 Ffkcbgek.exe 2608 Faagpp32.exe 1928 Ffnphf32.exe 3016 Fmhheqje.exe 2260 Fdapak32.exe 800 Fjlhneio.exe 1936 Flmefm32.exe 2744 Ffbicfoc.exe 620 Fiaeoang.exe 584 Gonnhhln.exe 2912 Gfefiemq.exe 1480 Ghfbqn32.exe 2484 Gbkgnfbd.exe 2348 Gieojq32.exe 1748 Gobgcg32.exe 1768 Gelppaof.exe 2444 Ghkllmoi.exe 1292 Gkihhhnm.exe 2392 Gacpdbej.exe 2428 Geolea32.exe 1740 Gkkemh32.exe 2892 Hgbebiao.exe 1692 Hpkjko32.exe 812 Hcifgjgc.exe 2640 Hpmgqnfl.exe 2792 Hggomh32.exe 2536 Hpocfncj.exe 2868 Hgilchkf.exe 2528 Hjhhocjj.exe 2996 Hpapln32.exe 2864 Hcplhi32.exe 2988 Hogmmjfo.exe 1520 Iaeiieeb.exe 1588 Ieqeidnl.exe 288 Ifcbodli.exe 344 Ihankokm.exe 1488 Inngcfid.exe 2016 Ikbgmj32.exe 1044 Inqcif32.exe 1844 Iqopea32.exe 1912 Ijgdngmf.exe 2108 Igkdgk32.exe 1332 Jjjacf32.exe 1820 Jnemdecl.exe 2296 Jqdipqbp.exe 316 Jofiln32.exe 2944 Jgnamk32.exe 1836 Jiondcpk.exe 1272 Jqfffqpm.exe 2148 Jcdbbloa.exe 2800 Jjojofgn.exe 1580 Jmmfkafa.exe 2548 Jcgogk32.exe 3048 Jfekcg32.exe 3008 Jkbcln32.exe 1496 Jonplmcb.exe 2588 Jfghif32.exe 2752 Jifdebic.exe 2100 Joplbl32.exe -
Loads dropped DLL 64 IoCs
pid Process 2124 3c7e970fa86afbb362873828f5b5d3d337cfe2f98faf4ae4f4f290b271d1d8fe.exe 2124 3c7e970fa86afbb362873828f5b5d3d337cfe2f98faf4ae4f4f290b271d1d8fe.exe 2456 Ebgacddo.exe 2456 Ebgacddo.exe 2040 Ejbfhfaj.exe 2040 Ejbfhfaj.exe 2284 Ealnephf.exe 2284 Ealnephf.exe 2828 Fjdbnf32.exe 2828 Fjdbnf32.exe 2808 Fejgko32.exe 2808 Fejgko32.exe 2576 Ffkcbgek.exe 2576 Ffkcbgek.exe 2608 Faagpp32.exe 2608 Faagpp32.exe 1928 Ffnphf32.exe 1928 Ffnphf32.exe 3016 Fmhheqje.exe 3016 Fmhheqje.exe 2260 Fdapak32.exe 2260 Fdapak32.exe 800 Fjlhneio.exe 800 Fjlhneio.exe 1936 Flmefm32.exe 1936 Flmefm32.exe 2744 Ffbicfoc.exe 2744 Ffbicfoc.exe 620 Fiaeoang.exe 620 Fiaeoang.exe 584 Gonnhhln.exe 584 Gonnhhln.exe 2912 Gfefiemq.exe 2912 Gfefiemq.exe 1480 Ghfbqn32.exe 1480 Ghfbqn32.exe 2484 Gbkgnfbd.exe 2484 Gbkgnfbd.exe 2348 Gieojq32.exe 2348 Gieojq32.exe 1748 Gobgcg32.exe 1748 Gobgcg32.exe 1768 Gelppaof.exe 1768 Gelppaof.exe 2444 Ghkllmoi.exe 2444 Ghkllmoi.exe 1292 Gkihhhnm.exe 1292 Gkihhhnm.exe 2392 Gacpdbej.exe 2392 Gacpdbej.exe 2428 Geolea32.exe 2428 Geolea32.exe 1740 Gkkemh32.exe 1740 Gkkemh32.exe 2892 Hgbebiao.exe 2892 Hgbebiao.exe 1692 Hpkjko32.exe 1692 Hpkjko32.exe 812 Hcifgjgc.exe 812 Hcifgjgc.exe 2640 Hpmgqnfl.exe 2640 Hpmgqnfl.exe 2792 Hggomh32.exe 2792 Hggomh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Qimhoi32.exe Qjjgclai.exe File opened for modification C:\Windows\SysWOW64\Hppfog32.exe Hmaick32.exe File opened for modification C:\Windows\SysWOW64\Dkqnoh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fdiogq32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Aqonbm32.exe Process not Found File created C:\Windows\SysWOW64\Pnjdhmdo.exe Pogclp32.exe File created C:\Windows\SysWOW64\Nldodg32.dll Mdcpdp32.exe File opened for modification C:\Windows\SysWOW64\Efnfbl32.exe Ebcjamoh.exe File opened for modification C:\Windows\SysWOW64\Femeig32.exe Fqajihle.exe File opened for modification C:\Windows\SysWOW64\Ecnoijbd.exe Process not Found File created C:\Windows\SysWOW64\Fkkfgi32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mpopnejo.exe Process not Found File created C:\Windows\SysWOW64\Lmajfk32.dll Process not Found File created C:\Windows\SysWOW64\Dggajf32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Fiaeoang.exe Ffbicfoc.exe File created C:\Windows\SysWOW64\Jbnhng32.exe Joplbl32.exe File created C:\Windows\SysWOW64\Aakjdo32.exe Process not Found File created C:\Windows\SysWOW64\Eihjolae.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hdbpekam.exe Process not Found File created C:\Windows\SysWOW64\Kbdjhe32.dll Bpqain32.exe File opened for modification C:\Windows\SysWOW64\Fhgnge32.exe Ffibkj32.exe File created C:\Windows\SysWOW64\Kalipcmb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Eimcjl32.exe Process not Found File created C:\Windows\SysWOW64\Mjddiflm.dll Hfpdkl32.exe File opened for modification C:\Windows\SysWOW64\Ioakoq32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dlahng32.exe Djclbl32.exe File created C:\Windows\SysWOW64\Eadbpdla.dll Process not Found File opened for modification C:\Windows\SysWOW64\Hojgfemq.exe Hpgfki32.exe File created C:\Windows\SysWOW64\Aaolidlk.exe Amcpie32.exe File created C:\Windows\SysWOW64\Peipigfb.dll Dllhhaep.exe File created C:\Windows\SysWOW64\Khohkamc.exe Process not Found File created C:\Windows\SysWOW64\Lmdkcl32.exe Lihobnap.exe File created C:\Windows\SysWOW64\Dmmpolof.exe Process not Found File created C:\Windows\SysWOW64\Mjkacaml.dll Mholen32.exe File created C:\Windows\SysWOW64\Mbellj32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Klhgfq32.exe Process not Found File created C:\Windows\SysWOW64\Mgmahg32.exe Process not Found File created C:\Windows\SysWOW64\Hiablm32.dll Process not Found File created C:\Windows\SysWOW64\Kfkigdmm.dll Process not Found File created C:\Windows\SysWOW64\Loolpo32.dll Mdmmfa32.exe File created C:\Windows\SysWOW64\Ekelld32.exe Egjpkffe.exe File opened for modification C:\Windows\SysWOW64\Jfnnha32.exe Jnffgd32.exe File opened for modification C:\Windows\SysWOW64\Lnjcomcf.exe Process not Found File created C:\Windows\SysWOW64\Gmemln32.dll Process not Found File created C:\Windows\SysWOW64\Omgfflgg.dll Process not Found File created C:\Windows\SysWOW64\Homdpk32.dll Jjmpbopd.exe File created C:\Windows\SysWOW64\Mngjeamd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ddblgn32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jeclebja.exe Process not Found File created C:\Windows\SysWOW64\Bnebcm32.dll Process not Found File created C:\Windows\SysWOW64\Cafgle32.exe Cohkpj32.exe File opened for modification C:\Windows\SysWOW64\Dedlag32.exe Dcfpel32.exe File opened for modification C:\Windows\SysWOW64\Ndhlhg32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gkbcbn32.exe Process not Found File created C:\Windows\SysWOW64\Bjpaop32.exe Process not Found File created C:\Windows\SysWOW64\Dokmejcg.dll Process not Found File created C:\Windows\SysWOW64\Gmgninie.exe Gikaio32.exe File created C:\Windows\SysWOW64\Kdpcikdi.exe Kbaglpee.exe File created C:\Windows\SysWOW64\Qlgnpgja.dll Process not Found File opened for modification C:\Windows\SysWOW64\Gjifodii.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lanaiahq.exe Knpemf32.exe File opened for modification C:\Windows\SysWOW64\Indnnfdn.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fjmaaddo.exe Fhneehek.exe File created C:\Windows\SysWOW64\Lmjnak32.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 2640 9892 Process not Found 2159 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Niikceid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hajinjff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aojojl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eickphoo.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nadpgggp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ealnephf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnemdecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfomkg32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhmdim32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eneegl32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iimjmbae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acfenf32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgcpjmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmkjbfe.dll" Nigome32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Daejhjkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjlmca32.dll" Knmamp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pokieo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldikdp32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djihnh32.dll" Pgioaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gakcimgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maljaabb.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihfhdp32.dll" Iccbqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iamimc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqapifjb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpclc32.dll" Pefijfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbonei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgioaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmnaak32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plfmnipm.dll" Pmjqcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibeghl32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbkjl32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkpegi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hanlnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agljom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iadacpgf.dll" Chcloo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdjmcpnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljibgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hoebpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbackc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clnlnhop.dll" 3c7e970fa86afbb362873828f5b5d3d337cfe2f98faf4ae4f4f290b271d1d8fe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dblifk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbcjo32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkidlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afmjbf32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnoldn32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnhkcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acapig32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjngcolf.dll" Lbfdaigg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2124 wrote to memory of 2456 2124 3c7e970fa86afbb362873828f5b5d3d337cfe2f98faf4ae4f4f290b271d1d8fe.exe 28 PID 2124 wrote to memory of 2456 2124 3c7e970fa86afbb362873828f5b5d3d337cfe2f98faf4ae4f4f290b271d1d8fe.exe 28 PID 2124 wrote to memory of 2456 2124 3c7e970fa86afbb362873828f5b5d3d337cfe2f98faf4ae4f4f290b271d1d8fe.exe 28 PID 2124 wrote to memory of 2456 2124 3c7e970fa86afbb362873828f5b5d3d337cfe2f98faf4ae4f4f290b271d1d8fe.exe 28 PID 2456 wrote to memory of 2040 2456 Ebgacddo.exe 29 PID 2456 wrote to memory of 2040 2456 Ebgacddo.exe 29 PID 2456 wrote to memory of 2040 2456 Ebgacddo.exe 29 PID 2456 wrote to memory of 2040 2456 Ebgacddo.exe 29 PID 2040 wrote to memory of 2284 2040 Ejbfhfaj.exe 30 PID 2040 wrote to memory of 2284 2040 Ejbfhfaj.exe 30 PID 2040 wrote to memory of 2284 2040 Ejbfhfaj.exe 30 PID 2040 wrote to memory of 2284 2040 Ejbfhfaj.exe 30 PID 2284 wrote to memory of 2828 2284 Ealnephf.exe 31 PID 2284 wrote to memory of 2828 2284 Ealnephf.exe 31 PID 2284 wrote to memory of 2828 2284 Ealnephf.exe 31 PID 2284 wrote to memory of 2828 2284 Ealnephf.exe 31 PID 2828 wrote to memory of 2808 2828 Fjdbnf32.exe 32 PID 2828 wrote to memory of 2808 2828 Fjdbnf32.exe 32 PID 2828 wrote to memory of 2808 2828 Fjdbnf32.exe 32 PID 2828 wrote to memory of 2808 2828 Fjdbnf32.exe 32 PID 2808 wrote to memory of 2576 2808 Fejgko32.exe 33 PID 2808 wrote to memory of 2576 2808 Fejgko32.exe 33 PID 2808 wrote to memory of 2576 2808 Fejgko32.exe 33 PID 2808 wrote to memory of 2576 2808 Fejgko32.exe 33 PID 2576 wrote to memory of 2608 2576 Ffkcbgek.exe 34 PID 2576 wrote to memory of 2608 2576 Ffkcbgek.exe 34 PID 2576 wrote to memory of 2608 2576 Ffkcbgek.exe 34 PID 2576 wrote to memory of 2608 2576 Ffkcbgek.exe 34 PID 2608 wrote to memory of 1928 2608 Faagpp32.exe 35 PID 2608 wrote to memory of 1928 2608 Faagpp32.exe 35 PID 2608 wrote to memory of 1928 2608 Faagpp32.exe 35 PID 2608 wrote to memory of 1928 2608 Faagpp32.exe 35 PID 1928 wrote to memory of 3016 1928 Ffnphf32.exe 36 PID 1928 wrote to memory of 3016 1928 Ffnphf32.exe 36 PID 1928 wrote to memory of 3016 1928 Ffnphf32.exe 36 PID 1928 wrote to memory of 3016 1928 Ffnphf32.exe 36 PID 3016 wrote to memory of 2260 3016 Fmhheqje.exe 37 PID 3016 wrote to memory of 2260 3016 Fmhheqje.exe 37 PID 3016 wrote to memory of 2260 3016 Fmhheqje.exe 37 PID 3016 wrote to memory of 2260 3016 Fmhheqje.exe 37 PID 2260 wrote to memory of 800 2260 Fdapak32.exe 38 PID 2260 wrote to memory of 800 2260 Fdapak32.exe 38 PID 2260 wrote to memory of 800 2260 Fdapak32.exe 38 PID 2260 wrote to memory of 800 2260 Fdapak32.exe 38 PID 800 wrote to memory of 1936 800 Fjlhneio.exe 39 PID 800 wrote to memory of 1936 800 Fjlhneio.exe 39 PID 800 wrote to memory of 1936 800 Fjlhneio.exe 39 PID 800 wrote to memory of 1936 800 Fjlhneio.exe 39 PID 1936 wrote to memory of 2744 1936 Flmefm32.exe 40 PID 1936 wrote to memory of 2744 1936 Flmefm32.exe 40 PID 1936 wrote to memory of 2744 1936 Flmefm32.exe 40 PID 1936 wrote to memory of 2744 1936 Flmefm32.exe 40 PID 2744 wrote to memory of 620 2744 Ffbicfoc.exe 41 PID 2744 wrote to memory of 620 2744 Ffbicfoc.exe 41 PID 2744 wrote to memory of 620 2744 Ffbicfoc.exe 41 PID 2744 wrote to memory of 620 2744 Ffbicfoc.exe 41 PID 620 wrote to memory of 584 620 Fiaeoang.exe 42 PID 620 wrote to memory of 584 620 Fiaeoang.exe 42 PID 620 wrote to memory of 584 620 Fiaeoang.exe 42 PID 620 wrote to memory of 584 620 Fiaeoang.exe 42 PID 584 wrote to memory of 2912 584 Gonnhhln.exe 43 PID 584 wrote to memory of 2912 584 Gonnhhln.exe 43 PID 584 wrote to memory of 2912 584 Gonnhhln.exe 43 PID 584 wrote to memory of 2912 584 Gonnhhln.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c7e970fa86afbb362873828f5b5d3d337cfe2f98faf4ae4f4f290b271d1d8fe.exe"C:\Users\Admin\AppData\Local\Temp\3c7e970fa86afbb362873828f5b5d3d337cfe2f98faf4ae4f4f290b271d1d8fe.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Gfefiemq.exeC:\Windows\system32\Gfefiemq.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2912 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1480 -
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2348 -
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1768 -
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2444 -
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1292 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2428 -
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2892 -
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1692 -
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:812 -
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Hpocfncj.exeC:\Windows\system32\Hpocfncj.exe33⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe34⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe35⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe36⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Hcplhi32.exeC:\Windows\system32\Hcplhi32.exe37⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe38⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Iaeiieeb.exeC:\Windows\system32\Iaeiieeb.exe39⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe40⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe41⤵
- Executes dropped EXE
PID:288 -
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe42⤵
- Executes dropped EXE
PID:344 -
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe43⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe44⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe45⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Iqopea32.exeC:\Windows\system32\Iqopea32.exe46⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe47⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe48⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe49⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1820 -
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe51⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe52⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe53⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe54⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Jcdbbloa.exeC:\Windows\system32\Jcdbbloa.exe56⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Jjojofgn.exeC:\Windows\system32\Jjojofgn.exe57⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Jmmfkafa.exeC:\Windows\system32\Jmmfkafa.exe58⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe59⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe60⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe61⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Jonplmcb.exeC:\Windows\system32\Jonplmcb.exe62⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Jfghif32.exeC:\Windows\system32\Jfghif32.exe63⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe64⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Jbnhng32.exeC:\Windows\system32\Jbnhng32.exe66⤵PID:484
-
C:\Windows\SysWOW64\Kihqkagp.exeC:\Windows\system32\Kihqkagp.exe67⤵PID:748
-
C:\Windows\SysWOW64\Kgkafo32.exeC:\Windows\system32\Kgkafo32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2280 -
C:\Windows\SysWOW64\Kjjmbj32.exeC:\Windows\system32\Kjjmbj32.exe69⤵PID:496
-
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe70⤵PID:1856
-
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe71⤵PID:556
-
C:\Windows\SysWOW64\Kkijmm32.exeC:\Windows\system32\Kkijmm32.exe72⤵PID:1644
-
C:\Windows\SysWOW64\Kmjfdejp.exeC:\Windows\system32\Kmjfdejp.exe73⤵PID:1672
-
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe74⤵PID:2332
-
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe75⤵PID:2736
-
C:\Windows\SysWOW64\Kmmcjehm.exeC:\Windows\system32\Kmmcjehm.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2668 -
C:\Windows\SysWOW64\Kcfkfo32.exeC:\Windows\system32\Kcfkfo32.exe77⤵PID:2604
-
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe78⤵PID:2768
-
C:\Windows\SysWOW64\Kiccofna.exeC:\Windows\system32\Kiccofna.exe79⤵PID:1728
-
C:\Windows\SysWOW64\Kmopod32.exeC:\Windows\system32\Kmopod32.exe80⤵PID:2516
-
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe81⤵PID:2620
-
C:\Windows\SysWOW64\Kcihlong.exeC:\Windows\system32\Kcihlong.exe82⤵PID:1412
-
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2920 -
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe84⤵PID:1556
-
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe85⤵PID:2072
-
C:\Windows\SysWOW64\Lpphap32.exeC:\Windows\system32\Lpphap32.exe86⤵PID:840
-
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe87⤵PID:780
-
C:\Windows\SysWOW64\Lihmjejl.exeC:\Windows\system32\Lihmjejl.exe88⤵PID:876
-
C:\Windows\SysWOW64\Lpbefoai.exeC:\Windows\system32\Lpbefoai.exe89⤵PID:2008
-
C:\Windows\SysWOW64\Lbqabkql.exeC:\Windows\system32\Lbqabkql.exe90⤵PID:2844
-
C:\Windows\SysWOW64\Lhmjkaoc.exeC:\Windows\system32\Lhmjkaoc.exe91⤵PID:2680
-
C:\Windows\SysWOW64\Lpdbloof.exeC:\Windows\system32\Lpdbloof.exe92⤵PID:2660
-
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe93⤵PID:2552
-
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2992 -
C:\Windows\SysWOW64\Limfed32.exeC:\Windows\system32\Limfed32.exe95⤵PID:2568
-
C:\Windows\SysWOW64\Lkncmmle.exeC:\Windows\system32\Lkncmmle.exe96⤵PID:1736
-
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe97⤵PID:1612
-
C:\Windows\SysWOW64\Ldfgebbe.exeC:\Windows\system32\Ldfgebbe.exe98⤵PID:2104
-
C:\Windows\SysWOW64\Llnofpcg.exeC:\Windows\system32\Llnofpcg.exe99⤵PID:1220
-
C:\Windows\SysWOW64\Lollckbk.exeC:\Windows\system32\Lollckbk.exe100⤵PID:1256
-
C:\Windows\SysWOW64\Lefdpe32.exeC:\Windows\system32\Lefdpe32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1604 -
C:\Windows\SysWOW64\Ldidkbpb.exeC:\Windows\system32\Ldidkbpb.exe102⤵PID:304
-
C:\Windows\SysWOW64\Mkclhl32.exeC:\Windows\system32\Mkclhl32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1980 -
C:\Windows\SysWOW64\Mmahdggc.exeC:\Windows\system32\Mmahdggc.exe104⤵PID:1800
-
C:\Windows\SysWOW64\Mamddf32.exeC:\Windows\system32\Mamddf32.exe105⤵PID:2936
-
C:\Windows\SysWOW64\Mdkqqa32.exeC:\Windows\system32\Mdkqqa32.exe106⤵PID:1540
-
C:\Windows\SysWOW64\Mgimmm32.exeC:\Windows\system32\Mgimmm32.exe107⤵PID:3040
-
C:\Windows\SysWOW64\Mkeimlfm.exeC:\Windows\system32\Mkeimlfm.exe108⤵PID:2896
-
C:\Windows\SysWOW64\Mmceigep.exeC:\Windows\system32\Mmceigep.exe109⤵PID:2276
-
C:\Windows\SysWOW64\Mdmmfa32.exeC:\Windows\system32\Mdmmfa32.exe110⤵
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Mgljbm32.exeC:\Windows\system32\Mgljbm32.exe111⤵PID:2416
-
C:\Windows\SysWOW64\Mkgfckcj.exeC:\Windows\system32\Mkgfckcj.exe112⤵PID:2776
-
C:\Windows\SysWOW64\Mpdnkb32.exeC:\Windows\system32\Mpdnkb32.exe113⤵PID:2076
-
C:\Windows\SysWOW64\Mcbjgn32.exeC:\Windows\system32\Mcbjgn32.exe114⤵PID:2020
-
C:\Windows\SysWOW64\Meagci32.exeC:\Windows\system32\Meagci32.exe115⤵PID:1512
-
C:\Windows\SysWOW64\Mlkopcge.exeC:\Windows\system32\Mlkopcge.exe116⤵PID:1784
-
C:\Windows\SysWOW64\Mcegmm32.exeC:\Windows\system32\Mcegmm32.exe117⤵PID:1720
-
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe118⤵PID:2888
-
C:\Windows\SysWOW64\Ncgdbmmp.exeC:\Windows\system32\Ncgdbmmp.exe119⤵PID:2564
-
C:\Windows\SysWOW64\Nialog32.exeC:\Windows\system32\Nialog32.exe120⤵PID:2064
-
C:\Windows\SysWOW64\Nlphkb32.exeC:\Windows\system32\Nlphkb32.exe121⤵PID:1360
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-