Analysis
-
max time kernel
139s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
24/05/2024, 18:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
072d68ff1be8e1db2132458a2b68632732ea72972aeee340a80596fe514996b5.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
072d68ff1be8e1db2132458a2b68632732ea72972aeee340a80596fe514996b5.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
072d68ff1be8e1db2132458a2b68632732ea72972aeee340a80596fe514996b5.exe
-
Size
1.5MB
-
MD5
79f98b1e82a6bd31c85f48a68c7399c3
-
SHA1
a3aece341e5842841d97ae98b6917e1a27d5b1c8
-
SHA256
072d68ff1be8e1db2132458a2b68632732ea72972aeee340a80596fe514996b5
-
SHA512
8cfc3aeed3070c21f46a5c5ff32985094ca8232e98f7d805728fe63cb82fe3a84804f7f6a318eb60bda82ea1c157aaa014d294c443373eebcb2a3f08c7f54885
-
SSDEEP
24576:nx6Q2xZmk6Ux6Q2xlPh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YNpsKv2EvZHp3oW:UlmkIhbazR0vKLXZ
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckafbbph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnhnbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdacop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oagmmgdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnbkddem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgqcmlgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlngpjlj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmgbdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmgbdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcjcfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gifhnpea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Migbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bocolb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncbplk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pndpajgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmbhok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nehmdhja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghcoqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onhgbmfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gepehphc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnkpbcjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcakaipc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Libicbma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eilpeooq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnoomqbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abphal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jejhecaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgjefg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhhpeafc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kafbec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhdcji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcpofbjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bioqclil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqemdbaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cadhnmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mffimglk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncbplk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhfipcid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abphal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeqabgoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boqbfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcefji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haiccald.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnffgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hicodd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkcdafqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agfgqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjdplm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnajilng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dglpbbbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgmcqkkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdoajb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbcpbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpcmpijk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bidjnkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emkaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqilooij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdacop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlcnda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aamfnkai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blobjaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojahnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odeiibdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dndlim32.exe -
Executes dropped EXE 64 IoCs
pid Process 1952 Eilpeooq.exe 2844 Eeempocb.exe 2660 Fnbkddem.exe 2720 Fjlhneio.exe 2868 Gegfdb32.exe 2544 Geolea32.exe 2064 Hicodd32.exe 2880 Hckcmjep.exe 3036 Ihankokm.exe 1636 Imfqjbli.exe 2600 Igkdgk32.exe 2752 Jejhecaj.exe 1392 Kafbec32.exe 776 Kfgdhjmk.exe 760 Lhmjkaoc.exe 2924 Llkbap32.exe 920 Mbpnanch.exe 2628 Mpfkqb32.exe 448 Mgqcmlgl.exe 2000 Nhdlkdkg.exe 1968 Nehmdhja.exe 948 Nhfipcid.exe 2496 Nglfapnl.exe 556 Nocnbmoo.exe 2400 Nacgdhlp.exe 2316 Ojolhk32.exe 2172 Ojahnj32.exe 1540 Oqkqkdne.exe 1272 Ofjfhk32.exe 2332 Ohibdf32.exe 2732 Onhgbmfb.exe 2664 Pimkpfeh.exe 2824 Pkndaa32.exe 2652 Pbhmnkjf.exe 2344 Pfjbgnme.exe 1592 Pnajilng.exe 3028 Qcpofbjl.exe 1728 Qbcpbo32.exe 2516 Qimhoi32.exe 1900 Alnqqd32.exe 1320 Anojbobe.exe 672 Aamfnkai.exe 2092 Alegac32.exe 2912 Amfcikek.exe 1908 Aemkjiem.exe 1472 Aadloj32.exe 2484 Bioqclil.exe 2328 Bbhela32.exe 1904 Bdgafdfp.exe 1804 Bfenbpec.exe 1644 Bidjnkdg.exe 1648 Boqbfb32.exe 2320 Bocolb32.exe 2224 Biicik32.exe 2460 Blgpef32.exe 2636 Cadhnmnm.exe 2816 Cddaphkn.exe 2704 Cgcmlcja.exe 2832 Chbjffad.exe 2596 Ckafbbph.exe 2976 Cclkfdnc.exe 2260 Cjfccn32.exe 2416 Dndlim32.exe 2632 Dlgldibq.exe -
Loads dropped DLL 64 IoCs
pid Process 3056 072d68ff1be8e1db2132458a2b68632732ea72972aeee340a80596fe514996b5.exe 3056 072d68ff1be8e1db2132458a2b68632732ea72972aeee340a80596fe514996b5.exe 1952 Eilpeooq.exe 1952 Eilpeooq.exe 2844 Eeempocb.exe 2844 Eeempocb.exe 2660 Fnbkddem.exe 2660 Fnbkddem.exe 2720 Fjlhneio.exe 2720 Fjlhneio.exe 2868 Gegfdb32.exe 2868 Gegfdb32.exe 2544 Geolea32.exe 2544 Geolea32.exe 2064 Hicodd32.exe 2064 Hicodd32.exe 2880 Hckcmjep.exe 2880 Hckcmjep.exe 3036 Ihankokm.exe 3036 Ihankokm.exe 1636 Imfqjbli.exe 1636 Imfqjbli.exe 2600 Igkdgk32.exe 2600 Igkdgk32.exe 2752 Jejhecaj.exe 2752 Jejhecaj.exe 1392 Kafbec32.exe 1392 Kafbec32.exe 776 Kfgdhjmk.exe 776 Kfgdhjmk.exe 760 Lhmjkaoc.exe 760 Lhmjkaoc.exe 2924 Llkbap32.exe 2924 Llkbap32.exe 920 Mbpnanch.exe 920 Mbpnanch.exe 2628 Mpfkqb32.exe 2628 Mpfkqb32.exe 448 Mgqcmlgl.exe 448 Mgqcmlgl.exe 2000 Nhdlkdkg.exe 2000 Nhdlkdkg.exe 1968 Nehmdhja.exe 1968 Nehmdhja.exe 948 Nhfipcid.exe 948 Nhfipcid.exe 2496 Nglfapnl.exe 2496 Nglfapnl.exe 556 Nocnbmoo.exe 556 Nocnbmoo.exe 2400 Nacgdhlp.exe 2400 Nacgdhlp.exe 2316 Ojolhk32.exe 2316 Ojolhk32.exe 2172 Ojahnj32.exe 2172 Ojahnj32.exe 1540 Oqkqkdne.exe 1540 Oqkqkdne.exe 1272 Ofjfhk32.exe 1272 Ofjfhk32.exe 2332 Ohibdf32.exe 2332 Ohibdf32.exe 2732 Onhgbmfb.exe 2732 Onhgbmfb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Doqplo32.dll Homclekn.exe File created C:\Windows\SysWOW64\Ohcaoajg.exe Odhfob32.exe File created C:\Windows\SysWOW64\Jcbemfmf.dll Pngphgbf.exe File created C:\Windows\SysWOW64\Becnhgmg.exe Bpfeppop.exe File created C:\Windows\SysWOW64\Nhdlkdkg.exe Mgqcmlgl.exe File created C:\Windows\SysWOW64\Amfcikek.exe Alegac32.exe File created C:\Windows\SysWOW64\Hbcicn32.dll Aecaidjl.exe File created C:\Windows\SysWOW64\Odmfgh32.dll Hmbpmapf.exe File created C:\Windows\SysWOW64\Akbipbbd.dll Jdgdempa.exe File opened for modification C:\Windows\SysWOW64\Aecaidjl.exe Qkkmqnck.exe File created C:\Windows\SysWOW64\Bpooed32.dll Biicik32.exe File created C:\Windows\SysWOW64\Kicmdo32.exe Kiqpop32.exe File opened for modification C:\Windows\SysWOW64\Jqnejn32.exe Jdgdempa.exe File opened for modification C:\Windows\SysWOW64\Emkaol32.exe Egoife32.exe File created C:\Windows\SysWOW64\Aamfnkai.exe Anojbobe.exe File created C:\Windows\SysWOW64\Onjnkb32.dll Amfcikek.exe File created C:\Windows\SysWOW64\Mbkbki32.dll Afgkfl32.exe File opened for modification C:\Windows\SysWOW64\Nocnbmoo.exe Nglfapnl.exe File created C:\Windows\SysWOW64\Jifnmmhq.dll Alnqqd32.exe File created C:\Windows\SysWOW64\Eicieohp.dll Iapebchh.exe File created C:\Windows\SysWOW64\Padajbnl.dll Kcakaipc.exe File created C:\Windows\SysWOW64\Mffimglk.exe Libicbma.exe File created C:\Windows\SysWOW64\Cjnolikh.dll Bjdplm32.exe File created C:\Windows\SysWOW64\Llkbap32.exe Lhmjkaoc.exe File created C:\Windows\SysWOW64\Ohibdf32.exe Ofjfhk32.exe File created C:\Windows\SysWOW64\Lhmjkaoc.exe Kfgdhjmk.exe File created C:\Windows\SysWOW64\Lfnbefhd.dll Nocnbmoo.exe File opened for modification C:\Windows\SysWOW64\Dfoqmo32.exe Dglpbbbg.exe File created C:\Windows\SysWOW64\Endhhp32.exe Dookgcij.exe File opened for modification C:\Windows\SysWOW64\Ghcoqh32.exe Fcefji32.exe File created C:\Windows\SysWOW64\Oagcgibo.dll Gifhnpea.exe File created C:\Windows\SysWOW64\Papnde32.dll Kiqpop32.exe File opened for modification C:\Windows\SysWOW64\Nmnace32.exe Mmldme32.exe File created C:\Windows\SysWOW64\Oqkqkdne.exe Ojahnj32.exe File created C:\Windows\SysWOW64\Pfjbgnme.exe Pbhmnkjf.exe File created C:\Windows\SysWOW64\Lgmcqkkh.exe Labkdack.exe File created C:\Windows\SysWOW64\Lhnnjk32.dll Pqjfoa32.exe File created C:\Windows\SysWOW64\Iaeldika.dll Eeempocb.exe File created C:\Windows\SysWOW64\Leimip32.exe Kkaiqk32.exe File opened for modification C:\Windows\SysWOW64\Qcpofbjl.exe Pnajilng.exe File created C:\Windows\SysWOW64\Ghcoqh32.exe Fcefji32.exe File created C:\Windows\SysWOW64\Dpmqjgdc.dll Pbhmnkjf.exe File created C:\Windows\SysWOW64\Qcpofbjl.exe Pnajilng.exe File created C:\Windows\SysWOW64\Cfmepigc.dll Jejhecaj.exe File created C:\Windows\SysWOW64\Dcadac32.exe Dlgldibq.exe File created C:\Windows\SysWOW64\Fbldmm32.dll Iompkh32.exe File opened for modification C:\Windows\SysWOW64\Jmplcp32.exe Jqilooij.exe File created C:\Windows\SysWOW64\Fljafg32.exe Flgeqgog.exe File opened for modification C:\Windows\SysWOW64\Hkcdafqb.exe Homclekn.exe File opened for modification C:\Windows\SysWOW64\Jnkpbcjg.exe Jhngjmlo.exe File created C:\Windows\SysWOW64\Qaqkcf32.dll Maedhd32.exe File created C:\Windows\SysWOW64\Cfgheegc.dll Blobjaba.exe File created C:\Windows\SysWOW64\Eofjhkoj.dll Dlgldibq.exe File created C:\Windows\SysWOW64\Hkcdafqb.exe Homclekn.exe File opened for modification C:\Windows\SysWOW64\Dlgldibq.exe Dndlim32.exe File opened for modification C:\Windows\SysWOW64\Kfbcbd32.exe Kbfhbeek.exe File opened for modification C:\Windows\SysWOW64\Mieeibkn.exe Mffimglk.exe File created C:\Windows\SysWOW64\Pdiadenf.dll Bpfeppop.exe File created C:\Windows\SysWOW64\Ojolhk32.exe Nacgdhlp.exe File created C:\Windows\SysWOW64\Biicik32.exe Bocolb32.exe File opened for modification C:\Windows\SysWOW64\Mhjbjopf.exe Migbnb32.exe File opened for modification C:\Windows\SysWOW64\Pmagdbci.exe Pqjfoa32.exe File created C:\Windows\SysWOW64\Jodjlm32.dll Bdmddc32.exe File opened for modification C:\Windows\SysWOW64\Mbpnanch.exe Llkbap32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 344 1652 WerFault.exe 223 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bioqclil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Indgjihl.dll" Jmplcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abphal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkhnle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmgbdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeieqod.dll" Kicmdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbiaa32.dll" Migbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aecaidjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajecmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igkdgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iefmgahq.dll" Bocolb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfoqmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blobjaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjdplm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 072d68ff1be8e1db2132458a2b68632732ea72972aeee340a80596fe514996b5.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dglpbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kacgbnfl.dll" Lgmcqkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbfhbeek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Achojp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alnqqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fekpnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpinomjo.dll" Fiihdlpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onecbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcfidhng.dll" Dglpbbbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlngpjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Leimip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibeogebm.dll" Hkfagfop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgmcqkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pngphgbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkbki32.dll" Afgkfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onhgbmfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnhnbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpcmpijk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mffimglk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocjcidbb.dll" Fjlhneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmicaonb.dll" Pfjbgnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icdepo32.dll" Gakcimgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmbpmapf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fekagf32.dll" Agfgqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjnolikh.dll" Bjdplm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pimkpfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbhmnkjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnoomqbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjgheann.dll" Ilncom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfbcbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhmjkaoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmbhok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqnejn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkkmqnck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abphal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nglknl32.dll" Qcpofbjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngkogj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onbgmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgmcqkkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdacop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncbplk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmlphhec.dll" Mpfkqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfacfkje.dll" Dndlim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glgaok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikkjbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lghjel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pckoam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aganeoip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmnbjfam.dll" Abphal32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3056 wrote to memory of 1952 3056 072d68ff1be8e1db2132458a2b68632732ea72972aeee340a80596fe514996b5.exe 28 PID 3056 wrote to memory of 1952 3056 072d68ff1be8e1db2132458a2b68632732ea72972aeee340a80596fe514996b5.exe 28 PID 3056 wrote to memory of 1952 3056 072d68ff1be8e1db2132458a2b68632732ea72972aeee340a80596fe514996b5.exe 28 PID 3056 wrote to memory of 1952 3056 072d68ff1be8e1db2132458a2b68632732ea72972aeee340a80596fe514996b5.exe 28 PID 1952 wrote to memory of 2844 1952 Eilpeooq.exe 29 PID 1952 wrote to memory of 2844 1952 Eilpeooq.exe 29 PID 1952 wrote to memory of 2844 1952 Eilpeooq.exe 29 PID 1952 wrote to memory of 2844 1952 Eilpeooq.exe 29 PID 2844 wrote to memory of 2660 2844 Eeempocb.exe 30 PID 2844 wrote to memory of 2660 2844 Eeempocb.exe 30 PID 2844 wrote to memory of 2660 2844 Eeempocb.exe 30 PID 2844 wrote to memory of 2660 2844 Eeempocb.exe 30 PID 2660 wrote to memory of 2720 2660 Fnbkddem.exe 31 PID 2660 wrote to memory of 2720 2660 Fnbkddem.exe 31 PID 2660 wrote to memory of 2720 2660 Fnbkddem.exe 31 PID 2660 wrote to memory of 2720 2660 Fnbkddem.exe 31 PID 2720 wrote to memory of 2868 2720 Fjlhneio.exe 32 PID 2720 wrote to memory of 2868 2720 Fjlhneio.exe 32 PID 2720 wrote to memory of 2868 2720 Fjlhneio.exe 32 PID 2720 wrote to memory of 2868 2720 Fjlhneio.exe 32 PID 2868 wrote to memory of 2544 2868 Gegfdb32.exe 33 PID 2868 wrote to memory of 2544 2868 Gegfdb32.exe 33 PID 2868 wrote to memory of 2544 2868 Gegfdb32.exe 33 PID 2868 wrote to memory of 2544 2868 Gegfdb32.exe 33 PID 2544 wrote to memory of 2064 2544 Geolea32.exe 34 PID 2544 wrote to memory of 2064 2544 Geolea32.exe 34 PID 2544 wrote to memory of 2064 2544 Geolea32.exe 34 PID 2544 wrote to memory of 2064 2544 Geolea32.exe 34 PID 2064 wrote to memory of 2880 2064 Hicodd32.exe 35 PID 2064 wrote to memory of 2880 2064 Hicodd32.exe 35 PID 2064 wrote to memory of 2880 2064 Hicodd32.exe 35 PID 2064 wrote to memory of 2880 2064 Hicodd32.exe 35 PID 2880 wrote to memory of 3036 2880 Hckcmjep.exe 36 PID 2880 wrote to memory of 3036 2880 Hckcmjep.exe 36 PID 2880 wrote to memory of 3036 2880 Hckcmjep.exe 36 PID 2880 wrote to memory of 3036 2880 Hckcmjep.exe 36 PID 3036 wrote to memory of 1636 3036 Ihankokm.exe 37 PID 3036 wrote to memory of 1636 3036 Ihankokm.exe 37 PID 3036 wrote to memory of 1636 3036 Ihankokm.exe 37 PID 3036 wrote to memory of 1636 3036 Ihankokm.exe 37 PID 1636 wrote to memory of 2600 1636 Imfqjbli.exe 38 PID 1636 wrote to memory of 2600 1636 Imfqjbli.exe 38 PID 1636 wrote to memory of 2600 1636 Imfqjbli.exe 38 PID 1636 wrote to memory of 2600 1636 Imfqjbli.exe 38 PID 2600 wrote to memory of 2752 2600 Igkdgk32.exe 39 PID 2600 wrote to memory of 2752 2600 Igkdgk32.exe 39 PID 2600 wrote to memory of 2752 2600 Igkdgk32.exe 39 PID 2600 wrote to memory of 2752 2600 Igkdgk32.exe 39 PID 2752 wrote to memory of 1392 2752 Jejhecaj.exe 40 PID 2752 wrote to memory of 1392 2752 Jejhecaj.exe 40 PID 2752 wrote to memory of 1392 2752 Jejhecaj.exe 40 PID 2752 wrote to memory of 1392 2752 Jejhecaj.exe 40 PID 1392 wrote to memory of 776 1392 Kafbec32.exe 41 PID 1392 wrote to memory of 776 1392 Kafbec32.exe 41 PID 1392 wrote to memory of 776 1392 Kafbec32.exe 41 PID 1392 wrote to memory of 776 1392 Kafbec32.exe 41 PID 776 wrote to memory of 760 776 Kfgdhjmk.exe 42 PID 776 wrote to memory of 760 776 Kfgdhjmk.exe 42 PID 776 wrote to memory of 760 776 Kfgdhjmk.exe 42 PID 776 wrote to memory of 760 776 Kfgdhjmk.exe 42 PID 760 wrote to memory of 2924 760 Lhmjkaoc.exe 43 PID 760 wrote to memory of 2924 760 Lhmjkaoc.exe 43 PID 760 wrote to memory of 2924 760 Lhmjkaoc.exe 43 PID 760 wrote to memory of 2924 760 Lhmjkaoc.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\072d68ff1be8e1db2132458a2b68632732ea72972aeee340a80596fe514996b5.exe"C:\Users\Admin\AppData\Local\Temp\072d68ff1be8e1db2132458a2b68632732ea72972aeee340a80596fe514996b5.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\Lhmjkaoc.exeC:\Windows\system32\Lhmjkaoc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:920 -
C:\Windows\SysWOW64\Mpfkqb32.exeC:\Windows\system32\Mpfkqb32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Mgqcmlgl.exeC:\Windows\system32\Mgqcmlgl.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:448 -
C:\Windows\SysWOW64\Nhdlkdkg.exeC:\Windows\system32\Nhdlkdkg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
C:\Windows\SysWOW64\Nehmdhja.exeC:\Windows\system32\Nehmdhja.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1968 -
C:\Windows\SysWOW64\Nhfipcid.exeC:\Windows\system32\Nhfipcid.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:948 -
C:\Windows\SysWOW64\Nglfapnl.exeC:\Windows\system32\Nglfapnl.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2496 -
C:\Windows\SysWOW64\Nocnbmoo.exeC:\Windows\system32\Nocnbmoo.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:556 -
C:\Windows\SysWOW64\Nacgdhlp.exeC:\Windows\system32\Nacgdhlp.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Ojolhk32.exeC:\Windows\system32\Ojolhk32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2316 -
C:\Windows\SysWOW64\Ojahnj32.exeC:\Windows\system32\Ojahnj32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2172 -
C:\Windows\SysWOW64\Oqkqkdne.exeC:\Windows\system32\Oqkqkdne.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Ofjfhk32.exeC:\Windows\system32\Ofjfhk32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1272 -
C:\Windows\SysWOW64\Ohibdf32.exeC:\Windows\system32\Ohibdf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2332 -
C:\Windows\SysWOW64\Onhgbmfb.exeC:\Windows\system32\Onhgbmfb.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Pimkpfeh.exeC:\Windows\system32\Pimkpfeh.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Pkndaa32.exeC:\Windows\system32\Pkndaa32.exe34⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Pbhmnkjf.exeC:\Windows\system32\Pbhmnkjf.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Pfjbgnme.exeC:\Windows\system32\Pfjbgnme.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Pnajilng.exeC:\Windows\system32\Pnajilng.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Qcpofbjl.exeC:\Windows\system32\Qcpofbjl.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Qbcpbo32.exeC:\Windows\system32\Qbcpbo32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Qimhoi32.exeC:\Windows\system32\Qimhoi32.exe40⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Alnqqd32.exeC:\Windows\system32\Alnqqd32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1900 -
C:\Windows\SysWOW64\Anojbobe.exeC:\Windows\system32\Anojbobe.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1320 -
C:\Windows\SysWOW64\Aamfnkai.exeC:\Windows\system32\Aamfnkai.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\Alegac32.exeC:\Windows\system32\Alegac32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\Amfcikek.exeC:\Windows\system32\Amfcikek.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2912 -
C:\Windows\SysWOW64\Aemkjiem.exeC:\Windows\system32\Aemkjiem.exe46⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Aadloj32.exeC:\Windows\system32\Aadloj32.exe47⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Bioqclil.exeC:\Windows\system32\Bioqclil.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Bbhela32.exeC:\Windows\system32\Bbhela32.exe49⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Bdgafdfp.exeC:\Windows\system32\Bdgafdfp.exe50⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Bfenbpec.exeC:\Windows\system32\Bfenbpec.exe51⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Bidjnkdg.exeC:\Windows\system32\Bidjnkdg.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Boqbfb32.exeC:\Windows\system32\Boqbfb32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Bocolb32.exeC:\Windows\system32\Bocolb32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2320 -
C:\Windows\SysWOW64\Biicik32.exeC:\Windows\system32\Biicik32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2224 -
C:\Windows\SysWOW64\Blgpef32.exeC:\Windows\system32\Blgpef32.exe56⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Cadhnmnm.exeC:\Windows\system32\Cadhnmnm.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Cddaphkn.exeC:\Windows\system32\Cddaphkn.exe58⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Cgcmlcja.exeC:\Windows\system32\Cgcmlcja.exe59⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Chbjffad.exeC:\Windows\system32\Chbjffad.exe60⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Ckafbbph.exeC:\Windows\system32\Ckafbbph.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Cclkfdnc.exeC:\Windows\system32\Cclkfdnc.exe62⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Cjfccn32.exeC:\Windows\system32\Cjfccn32.exe63⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Dndlim32.exeC:\Windows\system32\Dndlim32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Dlgldibq.exeC:\Windows\system32\Dlgldibq.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2632 -
C:\Windows\SysWOW64\Dcadac32.exeC:\Windows\system32\Dcadac32.exe66⤵PID:1680
-
C:\Windows\SysWOW64\Dglpbbbg.exeC:\Windows\system32\Dglpbbbg.exe67⤵
- Modifies registry class
PID:620 -
C:\Windows\SysWOW64\Dglpbbbg.exeC:\Windows\system32\Dglpbbbg.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1260 -
C:\Windows\SysWOW64\Dfoqmo32.exeC:\Windows\system32\Dfoqmo32.exe69⤵
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Ddgjdk32.exeC:\Windows\system32\Ddgjdk32.exe70⤵PID:1924
-
C:\Windows\SysWOW64\Dnoomqbg.exeC:\Windows\system32\Dnoomqbg.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2036 -
C:\Windows\SysWOW64\Dbkknojp.exeC:\Windows\system32\Dbkknojp.exe72⤵PID:2212
-
C:\Windows\SysWOW64\Dhdcji32.exeC:\Windows\system32\Dhdcji32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1584 -
C:\Windows\SysWOW64\Dookgcij.exeC:\Windows\system32\Dookgcij.exe74⤵
- Drops file in System32 directory
PID:604 -
C:\Windows\SysWOW64\Endhhp32.exeC:\Windows\system32\Endhhp32.exe75⤵PID:2308
-
C:\Windows\SysWOW64\Eqbddk32.exeC:\Windows\system32\Eqbddk32.exe76⤵PID:1788
-
C:\Windows\SysWOW64\Enfenplo.exeC:\Windows\system32\Enfenplo.exe77⤵PID:2228
-
C:\Windows\SysWOW64\Egoife32.exeC:\Windows\system32\Egoife32.exe78⤵
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Emkaol32.exeC:\Windows\system32\Emkaol32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2788 -
C:\Windows\SysWOW64\Eplkpgnh.exeC:\Windows\system32\Eplkpgnh.exe80⤵PID:2540
-
C:\Windows\SysWOW64\Effcma32.exeC:\Windows\system32\Effcma32.exe81⤵PID:1948
-
C:\Windows\SysWOW64\Fcjcfe32.exeC:\Windows\system32\Fcjcfe32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3012 -
C:\Windows\SysWOW64\Fekpnn32.exeC:\Windows\system32\Fekpnn32.exe83⤵
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Fmbhok32.exeC:\Windows\system32\Fmbhok32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:536 -
C:\Windows\SysWOW64\Fiihdlpc.exeC:\Windows\system32\Fiihdlpc.exe85⤵
- Modifies registry class
PID:684 -
C:\Windows\SysWOW64\Flgeqgog.exeC:\Windows\system32\Flgeqgog.exe86⤵
- Drops file in System32 directory
PID:1668 -
C:\Windows\SysWOW64\Fljafg32.exeC:\Windows\system32\Fljafg32.exe87⤵PID:2960
-
C:\Windows\SysWOW64\Fnhnbb32.exeC:\Windows\system32\Fnhnbb32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1848 -
C:\Windows\SysWOW64\Fcefji32.exeC:\Windows\system32\Fcefji32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2508 -
C:\Windows\SysWOW64\Ghcoqh32.exeC:\Windows\system32\Ghcoqh32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:956 -
C:\Windows\SysWOW64\Gmpgio32.exeC:\Windows\system32\Gmpgio32.exe91⤵PID:2428
-
C:\Windows\SysWOW64\Gakcimgf.exeC:\Windows\system32\Gakcimgf.exe92⤵
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Gfhladfn.exeC:\Windows\system32\Gfhladfn.exe93⤵PID:2936
-
C:\Windows\SysWOW64\Gifhnpea.exeC:\Windows\system32\Gifhnpea.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1276 -
C:\Windows\SysWOW64\Glgaok32.exeC:\Windows\system32\Glgaok32.exe95⤵
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Gpcmpijk.exeC:\Windows\system32\Gpcmpijk.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Gepehphc.exeC:\Windows\system32\Gepehphc.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2724 -
C:\Windows\SysWOW64\Gmgninie.exeC:\Windows\system32\Gmgninie.exe98⤵PID:2984
-
C:\Windows\SysWOW64\Gpejeihi.exeC:\Windows\system32\Gpejeihi.exe99⤵PID:1496
-
C:\Windows\SysWOW64\Haiccald.exeC:\Windows\system32\Haiccald.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2820 -
C:\Windows\SysWOW64\Hlngpjlj.exeC:\Windows\system32\Hlngpjlj.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Homclekn.exeC:\Windows\system32\Homclekn.exe102⤵
- Drops file in System32 directory
PID:1220 -
C:\Windows\SysWOW64\Hkcdafqb.exeC:\Windows\system32\Hkcdafqb.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2764 -
C:\Windows\SysWOW64\Hmbpmapf.exeC:\Windows\system32\Hmbpmapf.exe104⤵
- Drops file in System32 directory
- Modifies registry class
PID:1044 -
C:\Windows\SysWOW64\Hgjefg32.exeC:\Windows\system32\Hgjefg32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:628 -
C:\Windows\SysWOW64\Hkfagfop.exeC:\Windows\system32\Hkfagfop.exe106⤵
- Modifies registry class
PID:976 -
C:\Windows\SysWOW64\Hkhnle32.exeC:\Windows\system32\Hkhnle32.exe107⤵
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Ikkjbe32.exeC:\Windows\system32\Ikkjbe32.exe108⤵
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Ipgbjl32.exeC:\Windows\system32\Ipgbjl32.exe109⤵PID:876
-
C:\Windows\SysWOW64\Idcokkak.exeC:\Windows\system32\Idcokkak.exe110⤵PID:1696
-
C:\Windows\SysWOW64\Ilncom32.exeC:\Windows\system32\Ilncom32.exe111⤵
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Iompkh32.exeC:\Windows\system32\Iompkh32.exe112⤵
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Ipllekdl.exeC:\Windows\system32\Ipllekdl.exe113⤵PID:1956
-
C:\Windows\SysWOW64\Icjhagdp.exeC:\Windows\system32\Icjhagdp.exe114⤵PID:1928
-
C:\Windows\SysWOW64\Iapebchh.exeC:\Windows\system32\Iapebchh.exe115⤵
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Jnffgd32.exeC:\Windows\system32\Jnffgd32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1300 -
C:\Windows\SysWOW64\Jfnnha32.exeC:\Windows\system32\Jfnnha32.exe117⤵PID:1996
-
C:\Windows\SysWOW64\Jhngjmlo.exeC:\Windows\system32\Jhngjmlo.exe118⤵
- Drops file in System32 directory
PID:1312 -
C:\Windows\SysWOW64\Jnkpbcjg.exeC:\Windows\system32\Jnkpbcjg.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:496 -
C:\Windows\SysWOW64\Jqilooij.exeC:\Windows\system32\Jqilooij.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2708 -
C:\Windows\SysWOW64\Jmplcp32.exeC:\Windows\system32\Jmplcp32.exe121⤵
- Modifies registry class
PID:2424
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-