Analysis
-
max time kernel
133s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
20-06-2024 02:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
57c3c7d02d102f6f012f4f9fc25618d0.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
57c3c7d02d102f6f012f4f9fc25618d0.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
57c3c7d02d102f6f012f4f9fc25618d0.exe
-
Size
128KB
-
MD5
57c3c7d02d102f6f012f4f9fc25618d0
-
SHA1
af3019d21946c18941a96c0297003e539afbd7f0
-
SHA256
c429b837fe4eb2777556cfe18a99ee156d795d936ad70c674c1f836716a1bca3
-
SHA512
fdad69ece6b99f216b930d5b62a9514f10e3a4c4253caa8ea75c12b776c39116270b31be6715cfa4b2af5e06f4094750629f48337ef469f7e1ad3ae1e994c960
-
SSDEEP
3072:Nui1n3k6Z6blXNRDW/cpZrhS5DSCopsIm81+jq2832dp5Xp+7+10l:ci4lXNTZrhSZSCZj81+jq4peBl
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlolpq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llmhaold.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feqeog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jocnlg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bheplb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpkibf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioolkncg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipoheakj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lepleocn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apodoq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckbemgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fooclapd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjggal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilnlom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nimmifgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfojdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enkdaepb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ennqfenp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnepna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knnhjcog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnaaib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fniihmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alelqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bohbhmfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hifcgion.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apaadpng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckbemgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oabhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iijfhbhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbekii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmadco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddligq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boldhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klcekpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fniihmpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjpjgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anobgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hemdlj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caageq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckjknfnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhegig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpiecd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmfkhmdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oplfkeob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibqnkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjeiodek.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpanan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oclkgccf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jidinqpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pblajhje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Camddhoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doaneiop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffqhcq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caojpaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hahokfag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Halhfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcapicdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oophlo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jepjhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Loighj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhhiemoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doojec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npiiffqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmgelf32.exe -
Executes dropped EXE 64 IoCs
pid Process 2548 Anobgl32.exe 2116 Adikdfna.exe 1428 Alpbecod.exe 2096 Aamknj32.exe 4360 Aehgnied.exe 3824 Ahgcjddh.exe 60 Aoalgn32.exe 2660 Aaohcj32.exe 3316 Alelqb32.exe 4076 Bochmn32.exe 3452 Baadiiif.exe 1348 Bdpaeehj.exe 2652 Blgifbil.exe 1816 Badanigc.exe 2884 Bdbnjdfg.exe 4252 Bohbhmfm.exe 4048 Bafndi32.exe 1368 Bhpfqcln.exe 2864 Bojomm32.exe 4664 Bdgged32.exe 3696 Bkaobnio.exe 2504 Bnoknihb.exe 2404 Bheplb32.exe 2260 Coohhlpe.exe 1448 Camddhoi.exe 3112 Clchbqoo.exe 5116 Cndeii32.exe 4888 Cfkmkf32.exe 1132 Ckhecmcf.exe 4228 Cnfaohbj.exe 4596 Cdpjlb32.exe 3748 Clgbmp32.exe 4324 Cbdjeg32.exe 872 Chnbbqpn.exe 2492 Cohkokgj.exe 4396 Cbfgkffn.exe 968 Cdecgbfa.exe 1744 Dkokcl32.exe 3260 Dbicpfdk.exe 3544 Dfdpad32.exe 5060 Dhclmp32.exe 2880 Dkahilkl.exe 4172 Dnpdegjp.exe 1584 Dfglfdkb.exe 4868 Dmadco32.exe 2740 Dooaoj32.exe 704 Dbnmke32.exe 2912 Ddligq32.exe 4356 Dmcain32.exe 4804 Doaneiop.exe 2904 Dflfac32.exe 2596 Dijbno32.exe 4272 Dkhnjk32.exe 4464 Dngjff32.exe 3092 Eiloco32.exe 3572 Ekkkoj32.exe 2012 Ebdcld32.exe 1280 Eecphp32.exe 460 Emjgim32.exe 3744 Enkdaepb.exe 2264 Efblbbqd.exe 1648 Eiahnnph.exe 4108 Ennqfenp.exe 3088 Eehicoel.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Eqlfhjig.exe Enmjlojd.exe File created C:\Windows\SysWOW64\Plgdqf32.dll Fniihmpf.exe File created C:\Windows\SysWOW64\Enkmfolf.exe Eklajcmc.exe File created C:\Windows\SysWOW64\Gpelhd32.exe Gmfplibd.exe File opened for modification C:\Windows\SysWOW64\Kcidmkpq.exe Jlolpq32.exe File created C:\Windows\SysWOW64\Efmnhl32.dll Lobjni32.exe File opened for modification C:\Windows\SysWOW64\Ckjknfnh.exe Chkobkod.exe File created C:\Windows\SysWOW64\Pjpbba32.dll Eicedn32.exe File created C:\Windows\SysWOW64\Kpccmhdg.exe Khlklj32.exe File created C:\Windows\SysWOW64\Kldgkp32.dll Kpccmhdg.exe File created C:\Windows\SysWOW64\Fofdocoe.dll Dkhnjk32.exe File created C:\Windows\SysWOW64\Aijqqd32.dll Hffken32.exe File created C:\Windows\SysWOW64\Gacepg32.exe Gbpedjnb.exe File opened for modification C:\Windows\SysWOW64\Hlppno32.exe Hiacacpg.exe File created C:\Windows\SysWOW64\Laiipofp.exe Lojmcdgl.exe File opened for modification C:\Windows\SysWOW64\Ocihgnam.exe Oqklkbbi.exe File opened for modification C:\Windows\SysWOW64\Pjoppf32.exe Pbhgoh32.exe File opened for modification C:\Windows\SysWOW64\Pbjddh32.exe Pplhhm32.exe File created C:\Windows\SysWOW64\Chflphjh.dll Iefgbh32.exe File opened for modification C:\Windows\SysWOW64\Jofalmmp.exe Jlgepanl.exe File opened for modification C:\Windows\SysWOW64\Ojomcopk.exe Npiiffqe.exe File created C:\Windows\SysWOW64\Gnepna32.exe Gpbpbecj.exe File created C:\Windows\SysWOW64\Kofmfi32.dll Oplfkeob.exe File created C:\Windows\SysWOW64\Lancko32.exe Loofnccf.exe File opened for modification C:\Windows\SysWOW64\Noppeaed.exe Nqmojd32.exe File created C:\Windows\SysWOW64\Coohhlpe.exe Bheplb32.exe File created C:\Windows\SysWOW64\Cacckp32.exe Ckjknfnh.exe File opened for modification C:\Windows\SysWOW64\Dgeenfog.exe Dhbebj32.exe File created C:\Windows\SysWOW64\Gnpphljo.exe Gpmomo32.exe File created C:\Windows\SysWOW64\Gldglf32.exe Gifkpknp.exe File created C:\Windows\SysWOW64\Pjmdlh32.dll Hpiecd32.exe File created C:\Windows\SysWOW64\Cfkmkf32.exe Cndeii32.exe File created C:\Windows\SysWOW64\Epmmqheb.exe Eicedn32.exe File opened for modification C:\Windows\SysWOW64\Geohklaa.exe Gnepna32.exe File created C:\Windows\SysWOW64\Ibaeen32.exe Hlglidlo.exe File created C:\Windows\SysWOW64\Mmfkhmdi.exe Lflbkcll.exe File created C:\Windows\SysWOW64\Naagioah.dll Nbnlaldg.exe File created C:\Windows\SysWOW64\Dafppp32.exe Cogddd32.exe File created C:\Windows\SysWOW64\Akcjcnpe.dll Eqlfhjig.exe File opened for modification C:\Windows\SysWOW64\Gijmad32.exe Gacepg32.exe File created C:\Windows\SysWOW64\Ilnlom32.exe Ieccbbkn.exe File opened for modification C:\Windows\SysWOW64\Nbphglbe.exe Noblkqca.exe File opened for modification C:\Windows\SysWOW64\Fbdehlip.exe Fniihmpf.exe File opened for modification C:\Windows\SysWOW64\Koaagkcb.exe Klcekpdo.exe File created C:\Windows\SysWOW64\Ipgijcij.dll Loighj32.exe File created C:\Windows\SysWOW64\Qedegh32.dll Ojfcdnjc.exe File created C:\Windows\SysWOW64\Apodoq32.exe Amqhbe32.exe File created C:\Windows\SysWOW64\Kmmcjnkq.dll Halhfe32.exe File created C:\Windows\SysWOW64\Kpjbdk32.dll Dhgonidg.exe File created C:\Windows\SysWOW64\Jhkbjd32.dll Ekkkoj32.exe File created C:\Windows\SysWOW64\Hemdlj32.exe Hbohpn32.exe File created C:\Windows\SysWOW64\Eekgliip.dll Cacckp32.exe File opened for modification C:\Windows\SysWOW64\Ieojgc32.exe Ibqnkh32.exe File created C:\Windows\SysWOW64\Clchbqoo.exe Camddhoi.exe File created C:\Windows\SysWOW64\Jbhfhgch.dll Kfnfjehl.exe File opened for modification C:\Windows\SysWOW64\Gejhef32.exe Ganldgib.exe File opened for modification C:\Windows\SysWOW64\Cnfaohbj.exe Ckhecmcf.exe File created C:\Windows\SysWOW64\Keiifian.dll Qfkqjmdg.exe File opened for modification C:\Windows\SysWOW64\Apjkcadp.exe Amlogfel.exe File opened for modification C:\Windows\SysWOW64\Ddnobj32.exe Dqbcbkab.exe File opened for modification C:\Windows\SysWOW64\Qfkqjmdg.exe Panhbfep.exe File opened for modification C:\Windows\SysWOW64\Kjeiodek.exe Kckqbj32.exe File opened for modification C:\Windows\SysWOW64\Caageq32.exe Cocjiehd.exe File opened for modification C:\Windows\SysWOW64\Eqlfhjig.exe Enmjlojd.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 13212 13136 WerFault.exe 638 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekfjcc32.dll" Iohejo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfpcoefj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnkbkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqiibjlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pafkgphl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opnaqk32.dll" Geldkfpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iidphgcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbddbhk.dll" Apmhiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojfcdnjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adfgdpmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfbaalbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Modpib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iohejo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eghkjdoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lafmjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmioggn.dll" Fneggdhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kamjda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqcejcha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alelqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hemdlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbjmj32.dll" Kckqbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcknij32.dll" Dhbebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmapoggk.dll" Gbnhoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khlklj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfenglqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdecgbfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhelik32.dll" Kjeiodek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epoaed32.dll" Ddifgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbmohmoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfnamjhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aknbkjfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffgmig.dll" Gpaihooo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmaioi32.dll" Doaneiop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fealin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbobhb32.dll" Apodoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpdnjple.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdpjlb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfkmkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfoaecol.dll" Coqncejg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aanfno32.dll" Iondqhpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcmodajm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkokcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apmhiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apaadpng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgpcliao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieccbbkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecipcemb.dll" Fkofga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gokbgpeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anhejhfp.dll" Jlgepanl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpqggh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilmjim32.dll" Gncchb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmdlmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldeljei.dll" Mjlalkmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojdgnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnaqob32.dll" Njedbjej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbekii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhjmdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amnlme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cocjiehd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iophfi32.dll" Hfaajnfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjjkaabc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kckqbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Libmeq32.dll" Gkdpbpih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfpdfnd.dll" Fdnhih32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2988 wrote to memory of 2548 2988 57c3c7d02d102f6f012f4f9fc25618d0.exe 88 PID 2988 wrote to memory of 2548 2988 57c3c7d02d102f6f012f4f9fc25618d0.exe 88 PID 2988 wrote to memory of 2548 2988 57c3c7d02d102f6f012f4f9fc25618d0.exe 88 PID 2548 wrote to memory of 2116 2548 Anobgl32.exe 89 PID 2548 wrote to memory of 2116 2548 Anobgl32.exe 89 PID 2548 wrote to memory of 2116 2548 Anobgl32.exe 89 PID 2116 wrote to memory of 1428 2116 Adikdfna.exe 90 PID 2116 wrote to memory of 1428 2116 Adikdfna.exe 90 PID 2116 wrote to memory of 1428 2116 Adikdfna.exe 90 PID 1428 wrote to memory of 2096 1428 Alpbecod.exe 91 PID 1428 wrote to memory of 2096 1428 Alpbecod.exe 91 PID 1428 wrote to memory of 2096 1428 Alpbecod.exe 91 PID 2096 wrote to memory of 4360 2096 Aamknj32.exe 92 PID 2096 wrote to memory of 4360 2096 Aamknj32.exe 92 PID 2096 wrote to memory of 4360 2096 Aamknj32.exe 92 PID 4360 wrote to memory of 3824 4360 Aehgnied.exe 93 PID 4360 wrote to memory of 3824 4360 Aehgnied.exe 93 PID 4360 wrote to memory of 3824 4360 Aehgnied.exe 93 PID 3824 wrote to memory of 60 3824 Ahgcjddh.exe 94 PID 3824 wrote to memory of 60 3824 Ahgcjddh.exe 94 PID 3824 wrote to memory of 60 3824 Ahgcjddh.exe 94 PID 60 wrote to memory of 2660 60 Aoalgn32.exe 95 PID 60 wrote to memory of 2660 60 Aoalgn32.exe 95 PID 60 wrote to memory of 2660 60 Aoalgn32.exe 95 PID 2660 wrote to memory of 3316 2660 Aaohcj32.exe 96 PID 2660 wrote to memory of 3316 2660 Aaohcj32.exe 96 PID 2660 wrote to memory of 3316 2660 Aaohcj32.exe 96 PID 3316 wrote to memory of 4076 3316 Alelqb32.exe 97 PID 3316 wrote to memory of 4076 3316 Alelqb32.exe 97 PID 3316 wrote to memory of 4076 3316 Alelqb32.exe 97 PID 4076 wrote to memory of 3452 4076 Bochmn32.exe 98 PID 4076 wrote to memory of 3452 4076 Bochmn32.exe 98 PID 4076 wrote to memory of 3452 4076 Bochmn32.exe 98 PID 3452 wrote to memory of 1348 3452 Baadiiif.exe 99 PID 3452 wrote to memory of 1348 3452 Baadiiif.exe 99 PID 3452 wrote to memory of 1348 3452 Baadiiif.exe 99 PID 1348 wrote to memory of 2652 1348 Bdpaeehj.exe 100 PID 1348 wrote to memory of 2652 1348 Bdpaeehj.exe 100 PID 1348 wrote to memory of 2652 1348 Bdpaeehj.exe 100 PID 2652 wrote to memory of 1816 2652 Blgifbil.exe 102 PID 2652 wrote to memory of 1816 2652 Blgifbil.exe 102 PID 2652 wrote to memory of 1816 2652 Blgifbil.exe 102 PID 1816 wrote to memory of 2884 1816 Badanigc.exe 103 PID 1816 wrote to memory of 2884 1816 Badanigc.exe 103 PID 1816 wrote to memory of 2884 1816 Badanigc.exe 103 PID 2884 wrote to memory of 4252 2884 Bdbnjdfg.exe 104 PID 2884 wrote to memory of 4252 2884 Bdbnjdfg.exe 104 PID 2884 wrote to memory of 4252 2884 Bdbnjdfg.exe 104 PID 4252 wrote to memory of 4048 4252 Bohbhmfm.exe 106 PID 4252 wrote to memory of 4048 4252 Bohbhmfm.exe 106 PID 4252 wrote to memory of 4048 4252 Bohbhmfm.exe 106 PID 4048 wrote to memory of 1368 4048 Bafndi32.exe 107 PID 4048 wrote to memory of 1368 4048 Bafndi32.exe 107 PID 4048 wrote to memory of 1368 4048 Bafndi32.exe 107 PID 1368 wrote to memory of 2864 1368 Bhpfqcln.exe 108 PID 1368 wrote to memory of 2864 1368 Bhpfqcln.exe 108 PID 1368 wrote to memory of 2864 1368 Bhpfqcln.exe 108 PID 2864 wrote to memory of 4664 2864 Bojomm32.exe 109 PID 2864 wrote to memory of 4664 2864 Bojomm32.exe 109 PID 2864 wrote to memory of 4664 2864 Bojomm32.exe 109 PID 4664 wrote to memory of 3696 4664 Bdgged32.exe 110 PID 4664 wrote to memory of 3696 4664 Bdgged32.exe 110 PID 4664 wrote to memory of 3696 4664 Bdgged32.exe 110 PID 3696 wrote to memory of 2504 3696 Bkaobnio.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\57c3c7d02d102f6f012f4f9fc25618d0.exe"C:\Users\Admin\AppData\Local\Temp\57c3c7d02d102f6f012f4f9fc25618d0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Anobgl32.exeC:\Windows\system32\Anobgl32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Adikdfna.exeC:\Windows\system32\Adikdfna.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Alpbecod.exeC:\Windows\system32\Alpbecod.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Aamknj32.exeC:\Windows\system32\Aamknj32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Aehgnied.exeC:\Windows\system32\Aehgnied.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
C:\Windows\SysWOW64\Ahgcjddh.exeC:\Windows\system32\Ahgcjddh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824 -
C:\Windows\SysWOW64\Aoalgn32.exeC:\Windows\system32\Aoalgn32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
C:\Windows\SysWOW64\Aaohcj32.exeC:\Windows\system32\Aaohcj32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Alelqb32.exeC:\Windows\system32\Alelqb32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3316 -
C:\Windows\SysWOW64\Bochmn32.exeC:\Windows\system32\Bochmn32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\SysWOW64\Baadiiif.exeC:\Windows\system32\Baadiiif.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Windows\SysWOW64\Bdpaeehj.exeC:\Windows\system32\Bdpaeehj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\SysWOW64\Blgifbil.exeC:\Windows\system32\Blgifbil.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Badanigc.exeC:\Windows\system32\Badanigc.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Bdbnjdfg.exeC:\Windows\system32\Bdbnjdfg.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Bohbhmfm.exeC:\Windows\system32\Bohbhmfm.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Windows\SysWOW64\Bafndi32.exeC:\Windows\system32\Bafndi32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Windows\SysWOW64\Bhpfqcln.exeC:\Windows\system32\Bhpfqcln.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Bojomm32.exeC:\Windows\system32\Bojomm32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Bdgged32.exeC:\Windows\system32\Bdgged32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Windows\SysWOW64\Bkaobnio.exeC:\Windows\system32\Bkaobnio.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\SysWOW64\Bnoknihb.exeC:\Windows\system32\Bnoknihb.exe23⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Bheplb32.exeC:\Windows\system32\Bheplb32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2404 -
C:\Windows\SysWOW64\Coohhlpe.exeC:\Windows\system32\Coohhlpe.exe25⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Camddhoi.exeC:\Windows\system32\Camddhoi.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1448 -
C:\Windows\SysWOW64\Clchbqoo.exeC:\Windows\system32\Clchbqoo.exe27⤵
- Executes dropped EXE
PID:3112 -
C:\Windows\SysWOW64\Cndeii32.exeC:\Windows\system32\Cndeii32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5116 -
C:\Windows\SysWOW64\Cfkmkf32.exeC:\Windows\system32\Cfkmkf32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:4888 -
C:\Windows\SysWOW64\Ckhecmcf.exeC:\Windows\system32\Ckhecmcf.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1132 -
C:\Windows\SysWOW64\Cnfaohbj.exeC:\Windows\system32\Cnfaohbj.exe31⤵
- Executes dropped EXE
PID:4228 -
C:\Windows\SysWOW64\Cdpjlb32.exeC:\Windows\system32\Cdpjlb32.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:4596 -
C:\Windows\SysWOW64\Clgbmp32.exeC:\Windows\system32\Clgbmp32.exe33⤵
- Executes dropped EXE
PID:3748 -
C:\Windows\SysWOW64\Cbdjeg32.exeC:\Windows\system32\Cbdjeg32.exe34⤵
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Chnbbqpn.exeC:\Windows\system32\Chnbbqpn.exe35⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Cohkokgj.exeC:\Windows\system32\Cohkokgj.exe36⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Cbfgkffn.exeC:\Windows\system32\Cbfgkffn.exe37⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Cdecgbfa.exeC:\Windows\system32\Cdecgbfa.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:968 -
C:\Windows\SysWOW64\Dkokcl32.exeC:\Windows\system32\Dkokcl32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Dbicpfdk.exeC:\Windows\system32\Dbicpfdk.exe40⤵
- Executes dropped EXE
PID:3260 -
C:\Windows\SysWOW64\Dfdpad32.exeC:\Windows\system32\Dfdpad32.exe41⤵
- Executes dropped EXE
PID:3544 -
C:\Windows\SysWOW64\Dhclmp32.exeC:\Windows\system32\Dhclmp32.exe42⤵
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\Dkahilkl.exeC:\Windows\system32\Dkahilkl.exe43⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Dnpdegjp.exeC:\Windows\system32\Dnpdegjp.exe44⤵
- Executes dropped EXE
PID:4172 -
C:\Windows\SysWOW64\Dfglfdkb.exeC:\Windows\system32\Dfglfdkb.exe45⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Dmadco32.exeC:\Windows\system32\Dmadco32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Dooaoj32.exeC:\Windows\system32\Dooaoj32.exe47⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Dbnmke32.exeC:\Windows\system32\Dbnmke32.exe48⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Ddligq32.exeC:\Windows\system32\Ddligq32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Dmcain32.exeC:\Windows\system32\Dmcain32.exe50⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Doaneiop.exeC:\Windows\system32\Doaneiop.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4804 -
C:\Windows\SysWOW64\Dflfac32.exeC:\Windows\system32\Dflfac32.exe52⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Dijbno32.exeC:\Windows\system32\Dijbno32.exe53⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Dkhnjk32.exeC:\Windows\system32\Dkhnjk32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4272 -
C:\Windows\SysWOW64\Dngjff32.exeC:\Windows\system32\Dngjff32.exe55⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Eiloco32.exeC:\Windows\system32\Eiloco32.exe56⤵
- Executes dropped EXE
PID:3092 -
C:\Windows\SysWOW64\Ekkkoj32.exeC:\Windows\system32\Ekkkoj32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3572 -
C:\Windows\SysWOW64\Ebdcld32.exeC:\Windows\system32\Ebdcld32.exe58⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Eecphp32.exeC:\Windows\system32\Eecphp32.exe59⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Emjgim32.exeC:\Windows\system32\Emjgim32.exe60⤵
- Executes dropped EXE
PID:460 -
C:\Windows\SysWOW64\Enkdaepb.exeC:\Windows\system32\Enkdaepb.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3744 -
C:\Windows\SysWOW64\Efblbbqd.exeC:\Windows\system32\Efblbbqd.exe62⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Eiahnnph.exeC:\Windows\system32\Eiahnnph.exe63⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Ennqfenp.exeC:\Windows\system32\Ennqfenp.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Eehicoel.exeC:\Windows\system32\Eehicoel.exe65⤵
- Executes dropped EXE
PID:3088 -
C:\Windows\SysWOW64\Eicedn32.exeC:\Windows\system32\Eicedn32.exe66⤵
- Drops file in System32 directory
PID:1236 -
C:\Windows\SysWOW64\Epmmqheb.exeC:\Windows\system32\Epmmqheb.exe67⤵PID:4640
-
C:\Windows\SysWOW64\Eblimcdf.exeC:\Windows\system32\Eblimcdf.exe68⤵PID:4624
-
C:\Windows\SysWOW64\Ekdnei32.exeC:\Windows\system32\Ekdnei32.exe69⤵PID:4828
-
C:\Windows\SysWOW64\Enbjad32.exeC:\Windows\system32\Enbjad32.exe70⤵PID:720
-
C:\Windows\SysWOW64\Felbnn32.exeC:\Windows\system32\Felbnn32.exe71⤵PID:4460
-
C:\Windows\SysWOW64\Fmcjpl32.exeC:\Windows\system32\Fmcjpl32.exe72⤵PID:4844
-
C:\Windows\SysWOW64\Flfkkhid.exeC:\Windows\system32\Flfkkhid.exe73⤵PID:3436
-
C:\Windows\SysWOW64\Fneggdhg.exeC:\Windows\system32\Fneggdhg.exe74⤵
- Modifies registry class
PID:3176 -
C:\Windows\SysWOW64\Fflohaij.exeC:\Windows\system32\Fflohaij.exe75⤵PID:452
-
C:\Windows\SysWOW64\Fmfgek32.exeC:\Windows\system32\Fmfgek32.exe76⤵PID:3828
-
C:\Windows\SysWOW64\Fbbpmb32.exeC:\Windows\system32\Fbbpmb32.exe77⤵PID:4940
-
C:\Windows\SysWOW64\Fealin32.exeC:\Windows\system32\Fealin32.exe78⤵
- Modifies registry class
PID:4180 -
C:\Windows\SysWOW64\Flkdfh32.exeC:\Windows\system32\Flkdfh32.exe79⤵PID:4064
-
C:\Windows\SysWOW64\Ffqhcq32.exeC:\Windows\system32\Ffqhcq32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2376 -
C:\Windows\SysWOW64\Fmkqpkla.exeC:\Windows\system32\Fmkqpkla.exe81⤵PID:3872
-
C:\Windows\SysWOW64\Fpimlfke.exeC:\Windows\system32\Fpimlfke.exe82⤵PID:4444
-
C:\Windows\SysWOW64\Ffceip32.exeC:\Windows\system32\Ffceip32.exe83⤵PID:5164
-
C:\Windows\SysWOW64\Fiaael32.exeC:\Windows\system32\Fiaael32.exe84⤵PID:5232
-
C:\Windows\SysWOW64\Fpkibf32.exeC:\Windows\system32\Fpkibf32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5276 -
C:\Windows\SysWOW64\Gfeaopqo.exeC:\Windows\system32\Gfeaopqo.exe86⤵PID:5320
-
C:\Windows\SysWOW64\Glbjggof.exeC:\Windows\system32\Glbjggof.exe87⤵PID:5360
-
C:\Windows\SysWOW64\Gfhndpol.exeC:\Windows\system32\Gfhndpol.exe88⤵PID:5404
-
C:\Windows\SysWOW64\Gifkpknp.exeC:\Windows\system32\Gifkpknp.exe89⤵
- Drops file in System32 directory
PID:5444 -
C:\Windows\SysWOW64\Gldglf32.exeC:\Windows\system32\Gldglf32.exe90⤵PID:5492
-
C:\Windows\SysWOW64\Gncchb32.exeC:\Windows\system32\Gncchb32.exe91⤵
- Modifies registry class
PID:5536 -
C:\Windows\SysWOW64\Gemkelcd.exeC:\Windows\system32\Gemkelcd.exe92⤵PID:5580
-
C:\Windows\SysWOW64\Gmdcfidg.exeC:\Windows\system32\Gmdcfidg.exe93⤵PID:5624
-
C:\Windows\SysWOW64\Gpbpbecj.exeC:\Windows\system32\Gpbpbecj.exe94⤵
- Drops file in System32 directory
PID:5668 -
C:\Windows\SysWOW64\Gnepna32.exeC:\Windows\system32\Gnepna32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5712 -
C:\Windows\SysWOW64\Geohklaa.exeC:\Windows\system32\Geohklaa.exe96⤵PID:5756
-
C:\Windows\SysWOW64\Gmfplibd.exeC:\Windows\system32\Gmfplibd.exe97⤵
- Drops file in System32 directory
PID:5800 -
C:\Windows\SysWOW64\Gpelhd32.exeC:\Windows\system32\Gpelhd32.exe98⤵PID:5844
-
C:\Windows\SysWOW64\Gfodeohd.exeC:\Windows\system32\Gfodeohd.exe99⤵PID:5888
-
C:\Windows\SysWOW64\Gimqajgh.exeC:\Windows\system32\Gimqajgh.exe100⤵PID:5924
-
C:\Windows\SysWOW64\Glkmmefl.exeC:\Windows\system32\Glkmmefl.exe101⤵PID:5976
-
C:\Windows\SysWOW64\Gojiiafp.exeC:\Windows\system32\Gojiiafp.exe102⤵PID:6020
-
C:\Windows\SysWOW64\Hfaajnfb.exeC:\Windows\system32\Hfaajnfb.exe103⤵
- Modifies registry class
PID:6064 -
C:\Windows\SysWOW64\Hipmfjee.exeC:\Windows\system32\Hipmfjee.exe104⤵PID:6108
-
C:\Windows\SysWOW64\Hpiecd32.exeC:\Windows\system32\Hpiecd32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5140 -
C:\Windows\SysWOW64\Hefnkkkj.exeC:\Windows\system32\Hefnkkkj.exe106⤵PID:5224
-
C:\Windows\SysWOW64\Hmmfmhll.exeC:\Windows\system32\Hmmfmhll.exe107⤵PID:5316
-
C:\Windows\SysWOW64\Hoobdp32.exeC:\Windows\system32\Hoobdp32.exe108⤵PID:5368
-
C:\Windows\SysWOW64\Hffken32.exeC:\Windows\system32\Hffken32.exe109⤵
- Drops file in System32 directory
PID:5436 -
C:\Windows\SysWOW64\Hehkajig.exeC:\Windows\system32\Hehkajig.exe110⤵PID:5516
-
C:\Windows\SysWOW64\Hlbcnd32.exeC:\Windows\system32\Hlbcnd32.exe111⤵PID:5572
-
C:\Windows\SysWOW64\Hpnoncim.exeC:\Windows\system32\Hpnoncim.exe112⤵PID:5656
-
C:\Windows\SysWOW64\Hfhgkmpj.exeC:\Windows\system32\Hfhgkmpj.exe113⤵PID:5764
-
C:\Windows\SysWOW64\Hifcgion.exeC:\Windows\system32\Hifcgion.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5884 -
C:\Windows\SysWOW64\Hlepcdoa.exeC:\Windows\system32\Hlepcdoa.exe115⤵PID:5972
-
C:\Windows\SysWOW64\Hoclopne.exeC:\Windows\system32\Hoclopne.exe116⤵PID:6040
-
C:\Windows\SysWOW64\Hbohpn32.exeC:\Windows\system32\Hbohpn32.exe117⤵
- Drops file in System32 directory
PID:6100 -
C:\Windows\SysWOW64\Hemdlj32.exeC:\Windows\system32\Hemdlj32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5260 -
C:\Windows\SysWOW64\Hmdlmg32.exeC:\Windows\system32\Hmdlmg32.exe119⤵
- Modifies registry class
PID:5424 -
C:\Windows\SysWOW64\Hlglidlo.exeC:\Windows\system32\Hlglidlo.exe120⤵
- Drops file in System32 directory
PID:5564 -
C:\Windows\SysWOW64\Ibaeen32.exeC:\Windows\system32\Ibaeen32.exe121⤵PID:5784
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-