Analysis
-
max time kernel
145s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
14-06-2024 23:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac.exe
-
Size
456KB
-
MD5
566fcd538341902ddc5ff37fbe321536
-
SHA1
748006825c3c4b2b624f386fbe3c6f552e6cd677
-
SHA256
950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac
-
SHA512
aee8e07f023793e6b107992457171aee6d88616691daf2d0abd12543b5ed2244364d16850312e39da30daa589108dcddc3e856470f3f5a1d7def46f65c7863ea
-
SSDEEP
12288:M5Mt5YYwIKfDy/phgeczlqczZd7LFB3oFHoGnFjVZnykJGvpHGdm:+MtzwFfDy/phgeczlqczZd7LFB3oFHop
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiaeoang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anccmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhmcfkme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaobdjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blbfjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apomfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qedhdjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oelmai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdopkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anccmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpmlkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lefdpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejobhppq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkodhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blbfjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dodonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dodonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpkjko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igkdgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgidao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojahnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdaoog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boqbfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqjepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lahkigca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnhkcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmdjdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmpkjkma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmcoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlfdkoin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpgljfbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adjigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpcbqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egllae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qimhoi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cghggc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oelmai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pijbfj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpcbqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaqcoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiqbndpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hicodd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfdjhndl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgdmmgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gegfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndmjedoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olpdjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmocpado.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omdneebf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdgneh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inljnfkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmnhfjmg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgdbhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baqbenep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Copfbfjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgaqgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Globlmmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndkmpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdlnkmha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebbgid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmgdddmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cohigamf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hodpgjha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jifdebic.exe -
Executes dropped EXE 64 IoCs
pid Process 2712 Okoomd32.exe 2532 Odgcfijj.exe 2512 Oghlgdgk.exe 1940 Oelmai32.exe 2500 Omgaek32.exe 2904 Ocajbekl.exe 1884 Pccfge32.exe 2568 Pjmodopf.exe 2128 Pmnhfjmg.exe 1604 Peiljl32.exe 1236 Pbmmcq32.exe 2164 Pigeqkai.exe 1976 Pijbfj32.exe 2244 Qdccfh32.exe 580 Qljkhe32.exe 1420 Ahakmf32.exe 1900 Ajbdna32.exe 3004 Apomfh32.exe 2376 Adjigg32.exe 404 Ajdadamj.exe 240 Abpfhcje.exe 568 Afkbib32.exe 1444 Apcfahio.exe 2600 Aoffmd32.exe 2948 Ahokfj32.exe 2060 Bbdocc32.exe 2968 Blmdlhmp.exe 2596 Bkodhe32.exe 2580 Bdhhqk32.exe 2604 Bhcdaibd.exe 2524 Bommnc32.exe 2468 Begeknan.exe 1700 Bghabf32.exe 2744 Bopicc32.exe 2752 Bhhnli32.exe 1504 Bkfjhd32.exe 1552 Baqbenep.exe 856 Bpcbqk32.exe 848 Cgmkmecg.exe 2032 Cljcelan.exe 1608 Ccdlbf32.exe 2188 Cfbhnaho.exe 2192 Cphlljge.exe 1132 Ccfhhffh.exe 1160 Cjpqdp32.exe 2104 Comimg32.exe 964 Cciemedf.exe 1668 Cbkeib32.exe 1640 Chemfl32.exe 2312 Ckdjbh32.exe 764 Copfbfjj.exe 2012 Cbnbobin.exe 2496 Clcflkic.exe 2700 Cobbhfhg.exe 2772 Dbpodagk.exe 2680 Ddokpmfo.exe 1740 Dgmglh32.exe 2636 Dodonf32.exe 1260 Dbbkja32.exe 1684 Dqelenlc.exe 2380 Dhmcfkme.exe 1600 Dkkpbgli.exe 2008 Djnpnc32.exe 808 Dqhhknjp.exe -
Loads dropped DLL 64 IoCs
pid Process 2476 950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac.exe 2476 950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac.exe 2712 Okoomd32.exe 2712 Okoomd32.exe 2532 Odgcfijj.exe 2532 Odgcfijj.exe 2512 Oghlgdgk.exe 2512 Oghlgdgk.exe 1940 Oelmai32.exe 1940 Oelmai32.exe 2500 Omgaek32.exe 2500 Omgaek32.exe 2904 Ocajbekl.exe 2904 Ocajbekl.exe 1884 Pccfge32.exe 1884 Pccfge32.exe 2568 Pjmodopf.exe 2568 Pjmodopf.exe 2128 Pmnhfjmg.exe 2128 Pmnhfjmg.exe 1604 Peiljl32.exe 1604 Peiljl32.exe 1236 Pbmmcq32.exe 1236 Pbmmcq32.exe 2164 Pigeqkai.exe 2164 Pigeqkai.exe 1976 Pijbfj32.exe 1976 Pijbfj32.exe 2244 Qdccfh32.exe 2244 Qdccfh32.exe 580 Qljkhe32.exe 580 Qljkhe32.exe 1420 Ahakmf32.exe 1420 Ahakmf32.exe 1900 Ajbdna32.exe 1900 Ajbdna32.exe 3004 Apomfh32.exe 3004 Apomfh32.exe 2376 Adjigg32.exe 2376 Adjigg32.exe 404 Ajdadamj.exe 404 Ajdadamj.exe 240 Abpfhcje.exe 240 Abpfhcje.exe 568 Afkbib32.exe 568 Afkbib32.exe 1444 Apcfahio.exe 1444 Apcfahio.exe 2600 Aoffmd32.exe 2600 Aoffmd32.exe 2948 Ahokfj32.exe 2948 Ahokfj32.exe 2060 Bbdocc32.exe 2060 Bbdocc32.exe 2968 Blmdlhmp.exe 2968 Blmdlhmp.exe 2596 Bkodhe32.exe 2596 Bkodhe32.exe 2580 Bdhhqk32.exe 2580 Bdhhqk32.exe 2604 Bhcdaibd.exe 2604 Bhcdaibd.exe 2524 Bommnc32.exe 2524 Bommnc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Gkihhhnm.exe Glfhll32.exe File created C:\Windows\SysWOW64\Gpmcnehn.dll Imfqjbli.exe File created C:\Windows\SysWOW64\Lmcijcbe.exe Lbnemk32.exe File created C:\Windows\SysWOW64\Mgnfhlin.exe Mdpjlajk.exe File created C:\Windows\SysWOW64\Bhhnli32.exe Bopicc32.exe File created C:\Windows\SysWOW64\Jpajnpao.dll Hgbebiao.exe File created C:\Windows\SysWOW64\Dpbnlj32.dll Jgidao32.exe File opened for modification C:\Windows\SysWOW64\Kafbec32.exe Kngfih32.exe File opened for modification C:\Windows\SysWOW64\Kmmcjehm.exe Kjnfniii.exe File opened for modification C:\Windows\SysWOW64\Chbjffad.exe Cdgneh32.exe File created C:\Windows\SysWOW64\Elgpfqll.dll Pijbfj32.exe File created C:\Windows\SysWOW64\Hkfmal32.dll Cjpqdp32.exe File opened for modification C:\Windows\SysWOW64\Eeempocb.exe Ebgacddo.exe File opened for modification C:\Windows\SysWOW64\Lbcnhjnj.exe Logbhl32.exe File opened for modification C:\Windows\SysWOW64\Nhfipcid.exe Ndkmpe32.exe File created C:\Windows\SysWOW64\Cahqdihi.dll Adpkee32.exe File created C:\Windows\SysWOW64\Ccdlbf32.exe Cljcelan.exe File created C:\Windows\SysWOW64\Niifne32.dll Cobbhfhg.exe File created C:\Windows\SysWOW64\Mcbndm32.dll Ddokpmfo.exe File created C:\Windows\SysWOW64\Ndabhn32.dll Hlakpp32.exe File created C:\Windows\SysWOW64\Lpphap32.exe Kmaled32.exe File opened for modification C:\Windows\SysWOW64\Logbhl32.exe Lliflp32.exe File created C:\Windows\SysWOW64\Nblnkb32.dll Obojhlbq.exe File created C:\Windows\SysWOW64\Bpgljfbl.exe Aoepcn32.exe File created C:\Windows\SysWOW64\Mhofcjea.dll Ddigjkid.exe File created C:\Windows\SysWOW64\Lilchoah.dll Bhcdaibd.exe File created C:\Windows\SysWOW64\Qoflni32.dll Cciemedf.exe File opened for modification C:\Windows\SysWOW64\Clcflkic.exe Cdlnkmha.exe File opened for modification C:\Windows\SysWOW64\Hellne32.exe Hgilchkf.exe File created C:\Windows\SysWOW64\Ijqnib32.dll Lefdpe32.exe File created C:\Windows\SysWOW64\Kkgklabn.dll Qfahhm32.exe File opened for modification C:\Windows\SysWOW64\Bfcampgf.exe Bdeeqehb.exe File opened for modification C:\Windows\SysWOW64\Fiaeoang.exe Fbgmbg32.exe File created C:\Windows\SysWOW64\Fkgecelp.dll Idfbkq32.exe File created C:\Windows\SysWOW64\Kblhgk32.exe Kpmlkp32.exe File opened for modification C:\Windows\SysWOW64\Maoajf32.exe Mmceigep.exe File opened for modification C:\Windows\SysWOW64\Onhgbmfb.exe Omfkke32.exe File opened for modification C:\Windows\SysWOW64\Pnomcl32.exe Pgeefbhm.exe File created C:\Windows\SysWOW64\Lbadbn32.dll Eccmffjf.exe File created C:\Windows\SysWOW64\Jngohf32.dll Apomfh32.exe File created C:\Windows\SysWOW64\Lkebie32.dll Bdhhqk32.exe File opened for modification C:\Windows\SysWOW64\Fphafl32.exe Ffpmnf32.exe File opened for modification C:\Windows\SysWOW64\Dnoomqbg.exe Dolnad32.exe File opened for modification C:\Windows\SysWOW64\Epaogi32.exe Eqonkmdh.exe File created C:\Windows\SysWOW64\Cljcelan.exe Cgmkmecg.exe File opened for modification C:\Windows\SysWOW64\Dgdmmgpj.exe Dchali32.exe File created C:\Windows\SysWOW64\Enlbgc32.dll Hejoiedd.exe File opened for modification C:\Windows\SysWOW64\Ikbgmj32.exe Iggkllpe.exe File created C:\Windows\SysWOW64\Ijgdngmf.exe Igihbknb.exe File created C:\Windows\SysWOW64\Kjpnhh32.dll Pbmmcq32.exe File created C:\Windows\SysWOW64\Cddfocpb.dll Kafbec32.exe File created C:\Windows\SysWOW64\Lbcnhjnj.exe Logbhl32.exe File created C:\Windows\SysWOW64\Hgggfhdc.dll Omdneebf.exe File created C:\Windows\SysWOW64\Hellne32.exe Hgilchkf.exe File created C:\Windows\SysWOW64\Jobjlngg.dll Ifcbodli.exe File created C:\Windows\SysWOW64\Oimpgolj.dll Pmdjdh32.exe File opened for modification C:\Windows\SysWOW64\Aoffmd32.exe Apcfahio.exe File opened for modification C:\Windows\SysWOW64\Eflgccbp.exe Ecmkghcl.exe File created C:\Windows\SysWOW64\Hkkmeglp.dll Hgdbhi32.exe File opened for modification C:\Windows\SysWOW64\Lefdpe32.exe Lkppbl32.exe File opened for modification C:\Windows\SysWOW64\Fjaonpnn.exe Ebjglbml.exe File created C:\Windows\SysWOW64\Kgbggnhc.exe Kahojc32.exe File created C:\Windows\SysWOW64\Aphdelhp.dll Enfenplo.exe File created C:\Windows\SysWOW64\Dmafennb.exe Djbiicon.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4988 5108 WerFault.exe 423 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idhopq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aplifb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjiphda.dll" Bbjbaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckjpacfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbpodagk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcmgfkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll" Henidd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdhbam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qlkdkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cldooj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mledlaqd.dll" Dnoomqbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egamfkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnmphi32.dll" Nhdlkdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhfipcid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckjpacfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apcfahio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccfhhffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Copfbfjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egahmk32.dll" Omfkke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhnmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfamcogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glpjaf32.dll" Emeopn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eeempocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll" Hpocfncj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqgnokip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omgaek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkkpbgli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bldcpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfoocjfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgdbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahikqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdhmlbj.dll" Egamfkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clnlnhop.dll" Epieghdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epieghdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbkkjih.dll" Mgnfhlin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gogangdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idceea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inljnfkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdikkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdoclk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nolhan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehkdaf32.dll" Pogclp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loolpo32.dll" Mbpnanch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpigfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngnbgplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igdaoinc.dll" Adnopfoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbhkqaj.dll" Bghabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfekgp32.dll" Fphafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll" Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qpgpkcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blpjegfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajbdna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkncmmle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhkbkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dggcffhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjaonpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdhhqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmekoalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffnphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipnnggjm.dll" Jkdpanhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhndldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okphjd32.dll" Bifgdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjdfmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jofiln32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2476 wrote to memory of 2712 2476 950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac.exe 28 PID 2476 wrote to memory of 2712 2476 950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac.exe 28 PID 2476 wrote to memory of 2712 2476 950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac.exe 28 PID 2476 wrote to memory of 2712 2476 950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac.exe 28 PID 2712 wrote to memory of 2532 2712 Okoomd32.exe 29 PID 2712 wrote to memory of 2532 2712 Okoomd32.exe 29 PID 2712 wrote to memory of 2532 2712 Okoomd32.exe 29 PID 2712 wrote to memory of 2532 2712 Okoomd32.exe 29 PID 2532 wrote to memory of 2512 2532 Odgcfijj.exe 30 PID 2532 wrote to memory of 2512 2532 Odgcfijj.exe 30 PID 2532 wrote to memory of 2512 2532 Odgcfijj.exe 30 PID 2532 wrote to memory of 2512 2532 Odgcfijj.exe 30 PID 2512 wrote to memory of 1940 2512 Oghlgdgk.exe 31 PID 2512 wrote to memory of 1940 2512 Oghlgdgk.exe 31 PID 2512 wrote to memory of 1940 2512 Oghlgdgk.exe 31 PID 2512 wrote to memory of 1940 2512 Oghlgdgk.exe 31 PID 1940 wrote to memory of 2500 1940 Oelmai32.exe 32 PID 1940 wrote to memory of 2500 1940 Oelmai32.exe 32 PID 1940 wrote to memory of 2500 1940 Oelmai32.exe 32 PID 1940 wrote to memory of 2500 1940 Oelmai32.exe 32 PID 2500 wrote to memory of 2904 2500 Omgaek32.exe 33 PID 2500 wrote to memory of 2904 2500 Omgaek32.exe 33 PID 2500 wrote to memory of 2904 2500 Omgaek32.exe 33 PID 2500 wrote to memory of 2904 2500 Omgaek32.exe 33 PID 2904 wrote to memory of 1884 2904 Ocajbekl.exe 34 PID 2904 wrote to memory of 1884 2904 Ocajbekl.exe 34 PID 2904 wrote to memory of 1884 2904 Ocajbekl.exe 34 PID 2904 wrote to memory of 1884 2904 Ocajbekl.exe 34 PID 1884 wrote to memory of 2568 1884 Pccfge32.exe 35 PID 1884 wrote to memory of 2568 1884 Pccfge32.exe 35 PID 1884 wrote to memory of 2568 1884 Pccfge32.exe 35 PID 1884 wrote to memory of 2568 1884 Pccfge32.exe 35 PID 2568 wrote to memory of 2128 2568 Pjmodopf.exe 36 PID 2568 wrote to memory of 2128 2568 Pjmodopf.exe 36 PID 2568 wrote to memory of 2128 2568 Pjmodopf.exe 36 PID 2568 wrote to memory of 2128 2568 Pjmodopf.exe 36 PID 2128 wrote to memory of 1604 2128 Pmnhfjmg.exe 37 PID 2128 wrote to memory of 1604 2128 Pmnhfjmg.exe 37 PID 2128 wrote to memory of 1604 2128 Pmnhfjmg.exe 37 PID 2128 wrote to memory of 1604 2128 Pmnhfjmg.exe 37 PID 1604 wrote to memory of 1236 1604 Peiljl32.exe 38 PID 1604 wrote to memory of 1236 1604 Peiljl32.exe 38 PID 1604 wrote to memory of 1236 1604 Peiljl32.exe 38 PID 1604 wrote to memory of 1236 1604 Peiljl32.exe 38 PID 1236 wrote to memory of 2164 1236 Pbmmcq32.exe 39 PID 1236 wrote to memory of 2164 1236 Pbmmcq32.exe 39 PID 1236 wrote to memory of 2164 1236 Pbmmcq32.exe 39 PID 1236 wrote to memory of 2164 1236 Pbmmcq32.exe 39 PID 2164 wrote to memory of 1976 2164 Pigeqkai.exe 40 PID 2164 wrote to memory of 1976 2164 Pigeqkai.exe 40 PID 2164 wrote to memory of 1976 2164 Pigeqkai.exe 40 PID 2164 wrote to memory of 1976 2164 Pigeqkai.exe 40 PID 1976 wrote to memory of 2244 1976 Pijbfj32.exe 41 PID 1976 wrote to memory of 2244 1976 Pijbfj32.exe 41 PID 1976 wrote to memory of 2244 1976 Pijbfj32.exe 41 PID 1976 wrote to memory of 2244 1976 Pijbfj32.exe 41 PID 2244 wrote to memory of 580 2244 Qdccfh32.exe 42 PID 2244 wrote to memory of 580 2244 Qdccfh32.exe 42 PID 2244 wrote to memory of 580 2244 Qdccfh32.exe 42 PID 2244 wrote to memory of 580 2244 Qdccfh32.exe 42 PID 580 wrote to memory of 1420 580 Qljkhe32.exe 43 PID 580 wrote to memory of 1420 580 Qljkhe32.exe 43 PID 580 wrote to memory of 1420 580 Qljkhe32.exe 43 PID 580 wrote to memory of 1420 580 Qljkhe32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac.exe"C:\Users\Admin\AppData\Local\Temp\950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1420 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1900 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2376 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:404 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:240 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:568 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1444 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2948 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe33⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2744 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe36⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe37⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:848 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2032 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe42⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe43⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe44⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1132 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1160 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe47⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:964 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe49⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe50⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe51⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:764 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe53⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1524 -
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe55⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe59⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe61⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe62⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe65⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe66⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1384 -
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe68⤵PID:2836
-
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe69⤵PID:840
-
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1196 -
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe71⤵
- Drops file in System32 directory
PID:1452 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2960 -
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe73⤵
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe74⤵PID:1224
-
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe75⤵PID:1520
-
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe76⤵PID:1648
-
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe77⤵PID:2480
-
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe78⤵
- Drops file in System32 directory
PID:2456 -
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe79⤵PID:2152
-
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe80⤵
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe81⤵PID:2472
-
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe82⤵PID:2348
-
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe83⤵
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe84⤵PID:2756
-
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:920 -
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe86⤵PID:1692
-
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe87⤵PID:2248
-
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe88⤵PID:2132
-
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe89⤵PID:1180
-
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe90⤵
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe91⤵
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe92⤵
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe93⤵
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe94⤵PID:760
-
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe95⤵PID:2660
-
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe96⤵PID:1348
-
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe97⤵PID:2020
-
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe98⤵PID:528
-
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe99⤵PID:2212
-
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1096 -
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe101⤵
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe102⤵PID:1476
-
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe103⤵PID:1276
-
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe104⤵
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe105⤵
- Modifies registry class
PID:1920 -
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe106⤵
- Modifies registry class
PID:2528 -
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe107⤵PID:2692
-
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe108⤵PID:2284
-
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe109⤵
- Drops file in System32 directory
PID:2564 -
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe110⤵
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe111⤵
- Drops file in System32 directory
PID:1516 -
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1988 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:536 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe114⤵PID:652
-
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3020 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe116⤵PID:2360
-
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe117⤵PID:2180
-
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe118⤵PID:2916
-
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe119⤵PID:2544
-
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe120⤵PID:2704
-
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2736
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-