Analysis
-
max time kernel
121s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
25/06/2024, 01:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b4c7a3f255ec71e221623cb9988e556cb735d83c54e1c1b4e8cb277dab597761.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
b4c7a3f255ec71e221623cb9988e556cb735d83c54e1c1b4e8cb277dab597761.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
b4c7a3f255ec71e221623cb9988e556cb735d83c54e1c1b4e8cb277dab597761.exe
-
Size
79KB
-
MD5
0afa98c3778ae568ce3e1613f07ed5a1
-
SHA1
58ec0953b3106b8beff7553172d9902b7a0031a6
-
SHA256
b4c7a3f255ec71e221623cb9988e556cb735d83c54e1c1b4e8cb277dab597761
-
SHA512
7b680529d3da98e66c3adc7cb0fca373ed0bbb152e6fe4793dc74f34489436fe3f917c574ee7d1a73429c0f8e7033293075238430c88525835db5895a9b23f63
-
SSDEEP
1536:2uidHxgwf1TqHOQ9FFvNBhrBoHTzVKebiyc/+yxT4TUEDiFkSIgiItKq9v6DK:2uSH1RqHOQ9FFvNBhrmh9biycWyV4UEm
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flabbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jiondcpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmmfkafa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kneicieh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjnfniii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmkmdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djmicm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbgbni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jehkodcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmolnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oddpfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbelgood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aefeijle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddgjdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfekcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olmhdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odobjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Effcma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkijmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldfgebbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkppbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chnqkg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceaadk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cghggc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lemaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maoajf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajjcbpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbkgnfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahgnke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faokjpfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbgmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obafnlpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chbjffad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdapak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imfqjbli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiondcpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kngfih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcihlong.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofjfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbjbaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpnbkeld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bocolb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dookgcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iblpjdpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kemejc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llnofpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdmmfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apimacnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgilchkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbnhng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajejgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmkmdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iajcde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcnbablo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkpagq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aamfnkai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcfkfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lecgje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omfkke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnclnihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpbefoai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfamcogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jejhecaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nefpnhlc.exe -
Executes dropped EXE 64 IoCs
pid Process 2848 Egdilkbf.exe 2600 Ebinic32.exe 2584 Flabbihl.exe 2616 Faokjpfd.exe 2624 Fcmgfkeg.exe 2528 Fnbkddem.exe 1236 Fpdhklkl.exe 2640 Ffnphf32.exe 1544 Filldb32.exe 316 Fdapak32.exe 2152 Ffpmnf32.exe 636 Fmjejphb.exe 352 Fbgmbg32.exe 2036 Fiaeoang.exe 2932 Globlmmj.exe 1884 Gonnhhln.exe 1112 Gegfdb32.exe 2776 Ghfbqn32.exe 2432 Gopkmhjk.exe 1532 Gbkgnfbd.exe 984 Gangic32.exe 1268 Ghkllmoi.exe 1660 Gacpdbej.exe 1936 Geolea32.exe 1360 Gkkemh32.exe 2548 Gmjaic32.exe 3024 Hknach32.exe 2736 Hcifgjgc.exe 2484 Hkpnhgge.exe 2992 Hdhbam32.exe 2996 Hejoiedd.exe 1232 Hobcak32.exe 2516 Hcnpbi32.exe 2756 Hgilchkf.exe 768 Hcplhi32.exe 2192 Hogmmjfo.exe 2344 Icbimi32.exe 2032 Ioijbj32.exe 2028 Idfbkq32.exe 1684 Iokfhi32.exe 2804 Iajcde32.exe 1396 Ihdkao32.exe 1960 Inqcif32.exe 3068 Iblpjdpk.exe 2892 Idklfpon.exe 1880 Igihbknb.exe 820 Ijgdngmf.exe 1984 Imfqjbli.exe 1508 Iqalka32.exe 2688 Icpigm32.exe 2864 Ifnechbj.exe 2744 Jnemdecl.exe 2840 Jqdipqbp.exe 2476 Jofiln32.exe 112 Jfqahgpg.exe 848 Jiondcpk.exe 2172 Jqfffqpm.exe 2176 Jcdbbloa.exe 2184 Jbgbni32.exe 536 Jjojofgn.exe 1860 Jmmfkafa.exe 2024 Jcgogk32.exe 580 Jfekcg32.exe 1728 Jehkodcm.exe -
Loads dropped DLL 64 IoCs
pid Process 2980 b4c7a3f255ec71e221623cb9988e556cb735d83c54e1c1b4e8cb277dab597761.exe 2980 b4c7a3f255ec71e221623cb9988e556cb735d83c54e1c1b4e8cb277dab597761.exe 2848 Egdilkbf.exe 2848 Egdilkbf.exe 2600 Ebinic32.exe 2600 Ebinic32.exe 2584 Flabbihl.exe 2584 Flabbihl.exe 2616 Faokjpfd.exe 2616 Faokjpfd.exe 2624 Fcmgfkeg.exe 2624 Fcmgfkeg.exe 2528 Fnbkddem.exe 2528 Fnbkddem.exe 1236 Fpdhklkl.exe 1236 Fpdhklkl.exe 2640 Ffnphf32.exe 2640 Ffnphf32.exe 1544 Filldb32.exe 1544 Filldb32.exe 316 Fdapak32.exe 316 Fdapak32.exe 2152 Ffpmnf32.exe 2152 Ffpmnf32.exe 636 Fmjejphb.exe 636 Fmjejphb.exe 352 Fbgmbg32.exe 352 Fbgmbg32.exe 2036 Fiaeoang.exe 2036 Fiaeoang.exe 2932 Globlmmj.exe 2932 Globlmmj.exe 1884 Gonnhhln.exe 1884 Gonnhhln.exe 1112 Gegfdb32.exe 1112 Gegfdb32.exe 2776 Ghfbqn32.exe 2776 Ghfbqn32.exe 2432 Gopkmhjk.exe 2432 Gopkmhjk.exe 1532 Gbkgnfbd.exe 1532 Gbkgnfbd.exe 984 Gangic32.exe 984 Gangic32.exe 1268 Ghkllmoi.exe 1268 Ghkllmoi.exe 1660 Gacpdbej.exe 1660 Gacpdbej.exe 1936 Geolea32.exe 1936 Geolea32.exe 1360 Gkkemh32.exe 1360 Gkkemh32.exe 2548 Gmjaic32.exe 2548 Gmjaic32.exe 3024 Hknach32.exe 3024 Hknach32.exe 2736 Hcifgjgc.exe 2736 Hcifgjgc.exe 2484 Hkpnhgge.exe 2484 Hkpnhgge.exe 2992 Hdhbam32.exe 2992 Hdhbam32.exe 2996 Hejoiedd.exe 2996 Hejoiedd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Alegac32.exe Adnopfoj.exe File created C:\Windows\SysWOW64\Hdihmjpf.dll Ajhgmpfg.exe File created C:\Windows\SysWOW64\Iaeldika.dll Fcmgfkeg.exe File opened for modification C:\Windows\SysWOW64\Ijgdngmf.exe Igihbknb.exe File created C:\Windows\SysWOW64\Pedleg32.exe Pbfpik32.exe File created C:\Windows\SysWOW64\Ldhnfd32.dll Qfokbnip.exe File created C:\Windows\SysWOW64\Ekhhadmk.exe Ecqqpgli.exe File created C:\Windows\SysWOW64\Ojolhk32.exe Ngpolo32.exe File opened for modification C:\Windows\SysWOW64\Abhimnma.exe Apimacnn.exe File created C:\Windows\SysWOW64\Gjchig32.dll Ajejgp32.exe File opened for modification C:\Windows\SysWOW64\Ffpmnf32.exe Fdapak32.exe File created C:\Windows\SysWOW64\Fbgmbg32.exe Fmjejphb.exe File created C:\Windows\SysWOW64\Hobcak32.exe Hejoiedd.exe File opened for modification C:\Windows\SysWOW64\Mkclhl32.exe Mhdplq32.exe File opened for modification C:\Windows\SysWOW64\Igihbknb.exe Idklfpon.exe File created C:\Windows\SysWOW64\Ldfgebbe.exe Lecgje32.exe File created C:\Windows\SysWOW64\Cfnlkbne.dll Lecgje32.exe File created C:\Windows\SysWOW64\Hcnpbi32.exe Hobcak32.exe File created C:\Windows\SysWOW64\Jfekcg32.exe Jcgogk32.exe File created C:\Windows\SysWOW64\Kneicieh.exe Kkgmgmfd.exe File opened for modification C:\Windows\SysWOW64\Eqdajkkb.exe Ejkima32.exe File created C:\Windows\SysWOW64\Jcdbbloa.exe Jqfffqpm.exe File created C:\Windows\SysWOW64\Nhlhki32.dll Kfegbj32.exe File created C:\Windows\SysWOW64\Mcbjgn32.exe Mpdnkb32.exe File opened for modification C:\Windows\SysWOW64\Ccahbp32.exe Ckjpacfp.exe File created C:\Windows\SysWOW64\Qahefm32.dll Gopkmhjk.exe File created C:\Windows\SysWOW64\Blgpef32.exe Biicik32.exe File opened for modification C:\Windows\SysWOW64\Ebmgcohn.exe Dookgcij.exe File opened for modification C:\Windows\SysWOW64\Jcdbbloa.exe Jqfffqpm.exe File opened for modification C:\Windows\SysWOW64\Llnofpcg.exe Ldfgebbe.exe File created C:\Windows\SysWOW64\Fkckeh32.exe Fmpkjkma.exe File created C:\Windows\SysWOW64\Cghggc32.exe Cdikkg32.exe File created C:\Windows\SysWOW64\Khejeajg.dll Hobcak32.exe File opened for modification C:\Windows\SysWOW64\Jehkodcm.exe Jfekcg32.exe File created C:\Windows\SysWOW64\Pdaoog32.exe Obcccl32.exe File opened for modification C:\Windows\SysWOW64\Cafecmlj.exe Cohigamf.exe File created C:\Windows\SysWOW64\Jkhgfq32.dll Dggcffhg.exe File created C:\Windows\SysWOW64\Kcfkfo32.exe Kahojc32.exe File created C:\Windows\SysWOW64\Konojnki.dll Kpmlkp32.exe File opened for modification C:\Windows\SysWOW64\Limfed32.exe Leajdfnm.exe File created C:\Windows\SysWOW64\Ocnfbo32.exe Omdneebf.exe File created C:\Windows\SysWOW64\Behnnm32.exe Bbjbaa32.exe File opened for modification C:\Windows\SysWOW64\Bpnbkeld.exe Bmpfojmp.exe File opened for modification C:\Windows\SysWOW64\Ckoilb32.exe Chpmpg32.exe File opened for modification C:\Windows\SysWOW64\Hobcak32.exe Hejoiedd.exe File opened for modification C:\Windows\SysWOW64\Ioijbj32.exe Icbimi32.exe File opened for modification C:\Windows\SysWOW64\Ihdkao32.exe Iajcde32.exe File opened for modification C:\Windows\SysWOW64\Obcccl32.exe Ooeggp32.exe File opened for modification C:\Windows\SysWOW64\Nkeelohh.exe Nehmdhja.exe File created C:\Windows\SysWOW64\Qiejdkkn.dll Obafnlpn.exe File created C:\Windows\SysWOW64\Qabcjgkh.exe Pikkiijf.exe File created C:\Windows\SysWOW64\Ipnnggjm.dll Jnclnihj.exe File opened for modification C:\Windows\SysWOW64\Ojcecjee.exe Ogeigofa.exe File created C:\Windows\SysWOW64\Kaplbi32.dll Pbfpik32.exe File created C:\Windows\SysWOW64\Pqkmjh32.exe Pnlqnl32.exe File opened for modification C:\Windows\SysWOW64\Eqbddk32.exe Endhhp32.exe File created C:\Windows\SysWOW64\Ebinic32.exe Egdilkbf.exe File created C:\Windows\SysWOW64\Facklcaq.dll Faokjpfd.exe File created C:\Windows\SysWOW64\Objbcm32.dll Pnlqnl32.exe File opened for modification C:\Windows\SysWOW64\Ajejgp32.exe Ahgnke32.exe File created C:\Windows\SysWOW64\Odoghjmf.dll Ihdkao32.exe File created C:\Windows\SysWOW64\Hnhijl32.dll Adpkee32.exe File opened for modification C:\Windows\SysWOW64\Chbjffad.exe Cpkbdiqb.exe File opened for modification C:\Windows\SysWOW64\Globlmmj.exe Fiaeoang.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3144 3868 WerFault.exe 328 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cghggc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Focnmm32.dll" Dnoomqbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgdmei32.dll" Ghfbqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcnpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lojomkdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcghbk32.dll" Qjjgclai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bocolb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dggcffhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekhhadmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffnphf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmmfkafa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbecd32.dll" Npdjje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nblnkb32.dll" Ofjfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apimacnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chbjffad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhcelga.dll" Hcplhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npdjje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjenhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cghggc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abofbl32.dll" Effcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djhmenjp.dll" Oddpfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bldcpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cafecmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldfgebbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pikkiijf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdjlnm32.dll" Chbjffad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afohaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkeimlfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbqpqcoj.dll" Pgplkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afohaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dliijipn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node b4c7a3f255ec71e221623cb9988e556cb735d83c54e1c1b4e8cb277dab597761.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcdnao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfcml32.dll" Limfed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Biicik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Effcma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpdnkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlphkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogeigofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqhiplaj.dll" Adnopfoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdikkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icpigm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfmepigc.dll" Kngfih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdaoog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qfahhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjlqhoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dccagcgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Leajdfnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmlpbdc.dll" Pogclp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolpjf32.dll" Pkndaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjpmgg32.dll" Dfmdho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpajnpao.dll" Gmjaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jobjlngg.dll" Ioijbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmaled32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgejac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddgjdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfekcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldidkbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkkgfioo.dll" Noqamn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nacgdhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mijgof32.dll" Ohibdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omdneebf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldflna32.dll" Jqfffqpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjojofgn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2980 wrote to memory of 2848 2980 b4c7a3f255ec71e221623cb9988e556cb735d83c54e1c1b4e8cb277dab597761.exe 28 PID 2980 wrote to memory of 2848 2980 b4c7a3f255ec71e221623cb9988e556cb735d83c54e1c1b4e8cb277dab597761.exe 28 PID 2980 wrote to memory of 2848 2980 b4c7a3f255ec71e221623cb9988e556cb735d83c54e1c1b4e8cb277dab597761.exe 28 PID 2980 wrote to memory of 2848 2980 b4c7a3f255ec71e221623cb9988e556cb735d83c54e1c1b4e8cb277dab597761.exe 28 PID 2848 wrote to memory of 2600 2848 Egdilkbf.exe 29 PID 2848 wrote to memory of 2600 2848 Egdilkbf.exe 29 PID 2848 wrote to memory of 2600 2848 Egdilkbf.exe 29 PID 2848 wrote to memory of 2600 2848 Egdilkbf.exe 29 PID 2600 wrote to memory of 2584 2600 Ebinic32.exe 30 PID 2600 wrote to memory of 2584 2600 Ebinic32.exe 30 PID 2600 wrote to memory of 2584 2600 Ebinic32.exe 30 PID 2600 wrote to memory of 2584 2600 Ebinic32.exe 30 PID 2584 wrote to memory of 2616 2584 Flabbihl.exe 31 PID 2584 wrote to memory of 2616 2584 Flabbihl.exe 31 PID 2584 wrote to memory of 2616 2584 Flabbihl.exe 31 PID 2584 wrote to memory of 2616 2584 Flabbihl.exe 31 PID 2616 wrote to memory of 2624 2616 Faokjpfd.exe 32 PID 2616 wrote to memory of 2624 2616 Faokjpfd.exe 32 PID 2616 wrote to memory of 2624 2616 Faokjpfd.exe 32 PID 2616 wrote to memory of 2624 2616 Faokjpfd.exe 32 PID 2624 wrote to memory of 2528 2624 Fcmgfkeg.exe 33 PID 2624 wrote to memory of 2528 2624 Fcmgfkeg.exe 33 PID 2624 wrote to memory of 2528 2624 Fcmgfkeg.exe 33 PID 2624 wrote to memory of 2528 2624 Fcmgfkeg.exe 33 PID 2528 wrote to memory of 1236 2528 Fnbkddem.exe 34 PID 2528 wrote to memory of 1236 2528 Fnbkddem.exe 34 PID 2528 wrote to memory of 1236 2528 Fnbkddem.exe 34 PID 2528 wrote to memory of 1236 2528 Fnbkddem.exe 34 PID 1236 wrote to memory of 2640 1236 Fpdhklkl.exe 35 PID 1236 wrote to memory of 2640 1236 Fpdhklkl.exe 35 PID 1236 wrote to memory of 2640 1236 Fpdhklkl.exe 35 PID 1236 wrote to memory of 2640 1236 Fpdhklkl.exe 35 PID 2640 wrote to memory of 1544 2640 Ffnphf32.exe 36 PID 2640 wrote to memory of 1544 2640 Ffnphf32.exe 36 PID 2640 wrote to memory of 1544 2640 Ffnphf32.exe 36 PID 2640 wrote to memory of 1544 2640 Ffnphf32.exe 36 PID 1544 wrote to memory of 316 1544 Filldb32.exe 37 PID 1544 wrote to memory of 316 1544 Filldb32.exe 37 PID 1544 wrote to memory of 316 1544 Filldb32.exe 37 PID 1544 wrote to memory of 316 1544 Filldb32.exe 37 PID 316 wrote to memory of 2152 316 Fdapak32.exe 38 PID 316 wrote to memory of 2152 316 Fdapak32.exe 38 PID 316 wrote to memory of 2152 316 Fdapak32.exe 38 PID 316 wrote to memory of 2152 316 Fdapak32.exe 38 PID 2152 wrote to memory of 636 2152 Ffpmnf32.exe 39 PID 2152 wrote to memory of 636 2152 Ffpmnf32.exe 39 PID 2152 wrote to memory of 636 2152 Ffpmnf32.exe 39 PID 2152 wrote to memory of 636 2152 Ffpmnf32.exe 39 PID 636 wrote to memory of 352 636 Fmjejphb.exe 40 PID 636 wrote to memory of 352 636 Fmjejphb.exe 40 PID 636 wrote to memory of 352 636 Fmjejphb.exe 40 PID 636 wrote to memory of 352 636 Fmjejphb.exe 40 PID 352 wrote to memory of 2036 352 Fbgmbg32.exe 41 PID 352 wrote to memory of 2036 352 Fbgmbg32.exe 41 PID 352 wrote to memory of 2036 352 Fbgmbg32.exe 41 PID 352 wrote to memory of 2036 352 Fbgmbg32.exe 41 PID 2036 wrote to memory of 2932 2036 Fiaeoang.exe 42 PID 2036 wrote to memory of 2932 2036 Fiaeoang.exe 42 PID 2036 wrote to memory of 2932 2036 Fiaeoang.exe 42 PID 2036 wrote to memory of 2932 2036 Fiaeoang.exe 42 PID 2932 wrote to memory of 1884 2932 Globlmmj.exe 43 PID 2932 wrote to memory of 1884 2932 Globlmmj.exe 43 PID 2932 wrote to memory of 1884 2932 Globlmmj.exe 43 PID 2932 wrote to memory of 1884 2932 Globlmmj.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4c7a3f255ec71e221623cb9988e556cb735d83c54e1c1b4e8cb277dab597761.exe"C:\Users\Admin\AppData\Local\Temp\b4c7a3f255ec71e221623cb9988e556cb735d83c54e1c1b4e8cb277dab597761.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:352 -
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1884 -
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1112 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1532 -
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:984 -
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1268 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660 -
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1936 -
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1360 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Hdhbam32.exeC:\Windows\system32\Hdhbam32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2992 -
C:\Windows\SysWOW64\Hejoiedd.exeC:\Windows\system32\Hejoiedd.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1232 -
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Hcplhi32.exeC:\Windows\system32\Hcplhi32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe37⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe40⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe41⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2804 -
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1396 -
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe44⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2892 -
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1880 -
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe48⤵
- Executes dropped EXE
PID:820 -
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe50⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Ifnechbj.exeC:\Windows\system32\Ifnechbj.exe52⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe53⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe54⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe55⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe56⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Jcdbbloa.exeC:\Windows\system32\Jcdbbloa.exe59⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Jjojofgn.exeC:\Windows\system32\Jjojofgn.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:536 -
C:\Windows\SysWOW64\Jmmfkafa.exeC:\Windows\system32\Jmmfkafa.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2024 -
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:580 -
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe66⤵PID:2872
-
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe67⤵PID:796
-
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1264 -
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe69⤵PID:936
-
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:836 -
C:\Windows\SysWOW64\Jbnhng32.exeC:\Windows\system32\Jbnhng32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1976 -
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1196 -
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe73⤵
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Kneicieh.exeC:\Windows\system32\Kneicieh.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2348 -
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe75⤵PID:2524
-
C:\Windows\SysWOW64\Kkijmm32.exeC:\Windows\system32\Kkijmm32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2792 -
C:\Windows\SysWOW64\Kngfih32.exeC:\Windows\system32\Kngfih32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1216 -
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe78⤵PID:780
-
C:\Windows\SysWOW64\Kcdnao32.exeC:\Windows\system32\Kcdnao32.exe79⤵
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Kfbkmk32.exeC:\Windows\system32\Kfbkmk32.exe80⤵PID:2956
-
C:\Windows\SysWOW64\Kjnfniii.exeC:\Windows\system32\Kjnfniii.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2248 -
C:\Windows\SysWOW64\Kahojc32.exeC:\Windows\system32\Kahojc32.exe82⤵
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\Kcfkfo32.exeC:\Windows\system32\Kcfkfo32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1444 -
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe84⤵
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Kiccofna.exeC:\Windows\system32\Kiccofna.exe85⤵PID:2596
-
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe86⤵
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\Kcihlong.exeC:\Windows\system32\Kcihlong.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2492 -
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe88⤵PID:2468
-
C:\Windows\SysWOW64\Kmaled32.exeC:\Windows\system32\Kmaled32.exe89⤵
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Lpphap32.exeC:\Windows\system32\Lpphap32.exe90⤵PID:2168
-
C:\Windows\SysWOW64\Lemaif32.exeC:\Windows\system32\Lemaif32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:328 -
C:\Windows\SysWOW64\Llfifq32.exeC:\Windows\system32\Llfifq32.exe92⤵PID:1308
-
C:\Windows\SysWOW64\Lpbefoai.exeC:\Windows\system32\Lpbefoai.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2060 -
C:\Windows\SysWOW64\Lbqabkql.exeC:\Windows\system32\Lbqabkql.exe94⤵PID:2412
-
C:\Windows\SysWOW64\Leonofpp.exeC:\Windows\system32\Leonofpp.exe95⤵PID:3016
-
C:\Windows\SysWOW64\Lliflp32.exeC:\Windows\system32\Lliflp32.exe96⤵PID:952
-
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe97⤵PID:1680
-
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe98⤵
- Drops file in System32 directory
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Limfed32.exeC:\Windows\system32\Limfed32.exe99⤵
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe100⤵PID:2860
-
C:\Windows\SysWOW64\Lojomkdn.exeC:\Windows\system32\Lojomkdn.exe101⤵
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Ldfgebbe.exeC:\Windows\system32\Ldfgebbe.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Llnofpcg.exeC:\Windows\system32\Llnofpcg.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2700 -
C:\Windows\SysWOW64\Lkppbl32.exeC:\Windows\system32\Lkppbl32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1664 -
C:\Windows\SysWOW64\Lmolnh32.exeC:\Windows\system32\Lmolnh32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:272 -
C:\Windows\SysWOW64\Lajhofao.exeC:\Windows\system32\Lajhofao.exe107⤵PID:2224
-
C:\Windows\SysWOW64\Ldidkbpb.exeC:\Windows\system32\Ldidkbpb.exe108⤵
- Modifies registry class
PID:1116 -
C:\Windows\SysWOW64\Mhdplq32.exeC:\Windows\system32\Mhdplq32.exe109⤵
- Drops file in System32 directory
PID:2236 -
C:\Windows\SysWOW64\Mkclhl32.exeC:\Windows\system32\Mkclhl32.exe110⤵PID:344
-
C:\Windows\SysWOW64\Monhhk32.exeC:\Windows\system32\Monhhk32.exe111⤵PID:1276
-
C:\Windows\SysWOW64\Mppepcfg.exeC:\Windows\system32\Mppepcfg.exe112⤵PID:2660
-
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe113⤵PID:2532
-
C:\Windows\SysWOW64\Mkeimlfm.exeC:\Windows\system32\Mkeimlfm.exe114⤵
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Mmceigep.exeC:\Windows\system32\Mmceigep.exe115⤵PID:2968
-
C:\Windows\SysWOW64\Maoajf32.exeC:\Windows\system32\Maoajf32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:692 -
C:\Windows\SysWOW64\Mdmmfa32.exeC:\Windows\system32\Mdmmfa32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1548 -
C:\Windows\SysWOW64\Mkgfckcj.exeC:\Windows\system32\Mkgfckcj.exe118⤵PID:1328
-
C:\Windows\SysWOW64\Mmfbogcn.exeC:\Windows\system32\Mmfbogcn.exe119⤵PID:816
-
C:\Windows\SysWOW64\Mpdnkb32.exeC:\Windows\system32\Mpdnkb32.exe120⤵
- Drops file in System32 directory
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Mcbjgn32.exeC:\Windows\system32\Mcbjgn32.exe121⤵PID:1940
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-