Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
27/06/2024, 20:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3fb38c9bb571a1e857d2fd8004ab5e79e0800c6edb14b9d94addb1f157216674.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
3fb38c9bb571a1e857d2fd8004ab5e79e0800c6edb14b9d94addb1f157216674.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
3fb38c9bb571a1e857d2fd8004ab5e79e0800c6edb14b9d94addb1f157216674.exe
-
Size
76KB
-
MD5
13c5489dc81b5b892757f676b2a2c7f5
-
SHA1
14d2c9d07bfec38b4c41e1514d3d1249cbfaabf0
-
SHA256
3fb38c9bb571a1e857d2fd8004ab5e79e0800c6edb14b9d94addb1f157216674
-
SHA512
5e1e4994b073552a89f8475a98c97329f0ba256f0566e68197fb0ae4c70a802101a900ef6e647bd7b2b4b3bb55673dcca9318ac13c859fc7724bcb0d20917635
-
SSDEEP
1536:Ky2flHPQ/xgO6M8T/vIocrP5dKGEmnrhkaHioQV+/eCeyvCQ:utTOw/uXyaHrk+
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ambmpmln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fehjeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjmkcbcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adjigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnhqdkde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bghabf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hacmcfge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llqcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcodno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oenifh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piehkkcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqelenlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdoclk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njdpomfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngkmnacm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joepio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgdjnofi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pminkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chemfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gihbjfkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imeggc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okalbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghhofmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ealnephf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikekmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbfeimng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gheimogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpfdalii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofpfnqjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnneja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghkllmoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gojdnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpolmdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aajpelhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Limmokib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pipopl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkpnhgge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qagcpljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbijhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhlmgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdejaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdccfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbgmbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Komfnnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onmkio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iaeiieeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mepnpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Copfbfjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glfhll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggjfnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abbbnchb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Affhncfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpnalagm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Limmokib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Globlmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhjdbcef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpcbqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnpmipql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhmepp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojkboo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiinen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imkdqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epaogi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojficpfn.exe -
Executes dropped EXE 64 IoCs
pid Process 2700 Fadkpe32.exe 2620 Fliomnfp.exe 2548 Fafheedg.exe 2504 Fdddaqck.exe 2588 Flllcndm.exe 2820 Fedplc32.exe 1244 Ggemclpl.exe 2140 Gomedi32.exe 1632 Gpnalagm.exe 1716 Gheimogo.exe 1652 Gmabeeef.exe 2132 Gppnaaej.exe 848 Ggjfnk32.exe 2604 Gihbjfkj.exe 2376 Gdnghpkq.exe 324 Geocph32.exe 1548 Gliklahk.exe 328 Gohhhmgo.exe 748 Geapeg32.exe 852 Gimlefge.exe 1328 Gojdnm32.exe 1296 Hahqjh32.exe 776 Hlnega32.exe 3004 Hkqecnkq.exe 2212 Hheelbjj.exe 1908 Hlpamq32.exe 2948 Hoonilag.exe 2760 Hgjbmoob.exe 2748 Hoakolod.exe 2608 Hdncgbnl.exe 2472 Hglocnmp.exe 2300 Hnfgphdl.exe 1576 Hqddldcp.exe 860 Hjmhdi32.exe 1032 Imkdqe32.exe 2192 Iqgqacam.exe 1568 Inkakhpg.exe 2044 Iqimgc32.exe 2020 Ijaapifk.exe 3044 Ioojhpdb.exe 2728 Icjfhn32.exe 2772 Iigoqe32.exe 652 Imbkadcl.exe 312 Ikekmq32.exe 2784 Iclcnnji.exe 2108 Ifkojiim.exe 820 Iiikfehq.exe 920 Imeggc32.exe 2280 Ikggbpgd.exe 1672 Infdolgh.exe 2556 Ibapoj32.exe 2752 Jeplkf32.exe 2596 Jilhldfn.exe 2468 Joepio32.exe 2536 Jnhqdkde.exe 1968 Jagmpg32.exe 1336 Jinead32.exe 2344 Jgqemakf.exe 1488 Jjoailji.exe 2164 Jbfijjkl.exe 1220 Jaiiff32.exe 1912 Jcgfbb32.exe 2112 Jkonco32.exe 596 Jnmjok32.exe -
Loads dropped DLL 64 IoCs
pid Process 1976 3fb38c9bb571a1e857d2fd8004ab5e79e0800c6edb14b9d94addb1f157216674.exe 1976 3fb38c9bb571a1e857d2fd8004ab5e79e0800c6edb14b9d94addb1f157216674.exe 2700 Fadkpe32.exe 2700 Fadkpe32.exe 2620 Fliomnfp.exe 2620 Fliomnfp.exe 2548 Fafheedg.exe 2548 Fafheedg.exe 2504 Fdddaqck.exe 2504 Fdddaqck.exe 2588 Flllcndm.exe 2588 Flllcndm.exe 2820 Fedplc32.exe 2820 Fedplc32.exe 1244 Ggemclpl.exe 1244 Ggemclpl.exe 2140 Gomedi32.exe 2140 Gomedi32.exe 1632 Gpnalagm.exe 1632 Gpnalagm.exe 1716 Gheimogo.exe 1716 Gheimogo.exe 1652 Gmabeeef.exe 1652 Gmabeeef.exe 2132 Gppnaaej.exe 2132 Gppnaaej.exe 848 Ggjfnk32.exe 848 Ggjfnk32.exe 2604 Gihbjfkj.exe 2604 Gihbjfkj.exe 2376 Gdnghpkq.exe 2376 Gdnghpkq.exe 324 Geocph32.exe 324 Geocph32.exe 1548 Gliklahk.exe 1548 Gliklahk.exe 328 Gohhhmgo.exe 328 Gohhhmgo.exe 748 Geapeg32.exe 748 Geapeg32.exe 852 Gimlefge.exe 852 Gimlefge.exe 1328 Gojdnm32.exe 1328 Gojdnm32.exe 1296 Hahqjh32.exe 1296 Hahqjh32.exe 776 Hlnega32.exe 776 Hlnega32.exe 3004 Hkqecnkq.exe 3004 Hkqecnkq.exe 2212 Hheelbjj.exe 2212 Hheelbjj.exe 1908 Hlpamq32.exe 1908 Hlpamq32.exe 2948 Hoonilag.exe 2948 Hoonilag.exe 2760 Hgjbmoob.exe 2760 Hgjbmoob.exe 2748 Hoakolod.exe 2748 Hoakolod.exe 2608 Hdncgbnl.exe 2608 Hdncgbnl.exe 2472 Hglocnmp.exe 2472 Hglocnmp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Kbkodl32.exe Klqfhbbe.exe File opened for modification C:\Windows\SysWOW64\Nkaocp32.exe Ndgggf32.exe File created C:\Windows\SysWOW64\Onmkio32.exe Okoomd32.exe File created C:\Windows\SysWOW64\Dqjepm32.exe Dnlidb32.exe File created C:\Windows\SysWOW64\Ebbgid32.exe Ecpgmhai.exe File created C:\Windows\SysWOW64\Iaeiieeb.exe Icbimi32.exe File created C:\Windows\SysWOW64\Igghmf32.dll Hdncgbnl.exe File opened for modification C:\Windows\SysWOW64\Icjfhn32.exe Ioojhpdb.exe File created C:\Windows\SysWOW64\Mhjpaf32.exe Mekdekin.exe File opened for modification C:\Windows\SysWOW64\Pbpjiphi.exe Pndniaop.exe File created C:\Windows\SysWOW64\Jkjecnop.dll Bkaqmeah.exe File created C:\Windows\SysWOW64\Alihbgdo.dll Bgknheej.exe File created C:\Windows\SysWOW64\Ieqeidnl.exe Iaeiieeb.exe File created C:\Windows\SysWOW64\Pffgja32.dll Hgdbhi32.exe File created C:\Windows\SysWOW64\Lkiklhim.dll Mpjoqhah.exe File created C:\Windows\SysWOW64\Kedlancd.dll Omloag32.exe File created C:\Windows\SysWOW64\Opbnpqjl.dll Odjpkihg.exe File created C:\Windows\SysWOW64\Okchhc32.exe Oiellh32.exe File created C:\Windows\SysWOW64\Ojieip32.exe Ogjimd32.exe File opened for modification C:\Windows\SysWOW64\Cjpqdp32.exe Cgbdhd32.exe File created C:\Windows\SysWOW64\Gaqcoc32.exe Gbnccfpb.exe File created C:\Windows\SysWOW64\Jflhaaje.dll Mcodno32.exe File opened for modification C:\Windows\SysWOW64\Plfamfpm.exe Pigeqkai.exe File created C:\Windows\SysWOW64\Mqghmgpl.dll Iiikfehq.exe File created C:\Windows\SysWOW64\Jqckbobk.dll Lipjejgp.exe File created C:\Windows\SysWOW64\Peegic32.dll Mdejaf32.exe File opened for modification C:\Windows\SysWOW64\Nocemcbj.exe Nleiqhcg.exe File created C:\Windows\SysWOW64\Kcfdakpf.dll Emeopn32.exe File created C:\Windows\SysWOW64\Fehjeo32.exe Ealnephf.exe File created C:\Windows\SysWOW64\Chhpdp32.dll Gkgkbipp.exe File created C:\Windows\SysWOW64\Hggomh32.exe Hdhbam32.exe File created C:\Windows\SysWOW64\Gknfklng.dll Hejoiedd.exe File created C:\Windows\SysWOW64\Jbfijjkl.exe Jjoailji.exe File opened for modification C:\Windows\SysWOW64\Loapim32.exe Llccmb32.exe File created C:\Windows\SysWOW64\Ogmfbd32.exe Oenifh32.exe File created C:\Windows\SysWOW64\Cjpqdp32.exe Cgbdhd32.exe File opened for modification C:\Windows\SysWOW64\Clomqk32.exe Cjpqdp32.exe File created C:\Windows\SysWOW64\Gangic32.exe Gopkmhjk.exe File opened for modification C:\Windows\SysWOW64\Kphimanc.exe Kmimafop.exe File created C:\Windows\SysWOW64\Gooqhm32.dll Okoomd32.exe File created C:\Windows\SysWOW64\Bnbjopoi.exe Bkdmcdoe.exe File opened for modification C:\Windows\SysWOW64\Cfbhnaho.exe Ccdlbf32.exe File created C:\Windows\SysWOW64\Hgilchkf.exe Hcnpbi32.exe File created C:\Windows\SysWOW64\Mepnpj32.exe Mnieom32.exe File created C:\Windows\SysWOW64\Lqamandk.dll Aplpai32.exe File opened for modification C:\Windows\SysWOW64\Ahokfj32.exe Ailkjmpo.exe File created C:\Windows\SysWOW64\Imhjppim.dll Ccdlbf32.exe File created C:\Windows\SysWOW64\Pkjapnke.dll Dodonf32.exe File opened for modification C:\Windows\SysWOW64\Hqddldcp.exe Hnfgphdl.exe File opened for modification C:\Windows\SysWOW64\Kpcpbb32.exe Kappfeln.exe File created C:\Windows\SysWOW64\Mlcple32.exe Meigpkka.exe File opened for modification C:\Windows\SysWOW64\Cphlljge.exe Cllpkl32.exe File created C:\Windows\SysWOW64\Hahjpbad.exe Hiqbndpb.exe File created C:\Windows\SysWOW64\Lpjbad32.exe Lipjejgp.exe File opened for modification C:\Windows\SysWOW64\Pmlkpjpj.exe Pipopl32.exe File opened for modification C:\Windows\SysWOW64\Aajpelhl.exe Ankdiqih.exe File opened for modification C:\Windows\SysWOW64\Aplpai32.exe Aajpelhl.exe File created C:\Windows\SysWOW64\Ccdcec32.dll Cndbcc32.exe File created C:\Windows\SysWOW64\Cqmnhocj.dll Fnpnndgp.exe File opened for modification C:\Windows\SysWOW64\Fiaeoang.exe Ffbicfoc.exe File opened for modification C:\Windows\SysWOW64\Hgdbhi32.exe Hcifgjgc.exe File opened for modification C:\Windows\SysWOW64\Qhmbagfa.exe Pijbfj32.exe File created C:\Windows\SysWOW64\Hlnega32.exe Hahqjh32.exe File created C:\Windows\SysWOW64\Acjgoa32.dll Lgoacojo.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4132 5096 WerFault.exe 427 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jajfmcbo.dll" Infdolgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcfcmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkodhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmcfdad.dll" Dfijnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olndbg32.dll" Faagpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpajnpao.dll" Hgbebiao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgilchkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioojhpdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijaapifk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkiabffn.dll" Lgdjnofi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emeopn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhmepp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjmhdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdfggf32.dll" Khekgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkfofpak.dll" Pigeqkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qdccfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfbhnaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbqfjpp.dll" Jinead32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlgefh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieqeidnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdejaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahakmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aalmklfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkdmcdoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjknnbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llqcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnbacbac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgbdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glfhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejpdgffb.dll" Jnmjok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkonco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oenifh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfiidobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ankdiqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckblig32.dll" Cjpqdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll" Idceea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Homnpp32.dll" Hlpamq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kikdkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfecjakk.dll" Lganiohl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogjimd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldahol32.dll" Gangic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdnghpkq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gacpdbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpcpbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlpafgnp.dll" Mlelaeqk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojkboo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpmei32.dll" Eloemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fiaeoang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kanopipl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppmdbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfinoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebpkce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gangic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jaiiff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ioojhpdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehifjpg.dll" Ibapoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibapoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmimafop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omloag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeloed32.dll" Hahqjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hqddldcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjmhdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijaapifk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Infdolgh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1976 wrote to memory of 2700 1976 3fb38c9bb571a1e857d2fd8004ab5e79e0800c6edb14b9d94addb1f157216674.exe 28 PID 1976 wrote to memory of 2700 1976 3fb38c9bb571a1e857d2fd8004ab5e79e0800c6edb14b9d94addb1f157216674.exe 28 PID 1976 wrote to memory of 2700 1976 3fb38c9bb571a1e857d2fd8004ab5e79e0800c6edb14b9d94addb1f157216674.exe 28 PID 1976 wrote to memory of 2700 1976 3fb38c9bb571a1e857d2fd8004ab5e79e0800c6edb14b9d94addb1f157216674.exe 28 PID 2700 wrote to memory of 2620 2700 Fadkpe32.exe 29 PID 2700 wrote to memory of 2620 2700 Fadkpe32.exe 29 PID 2700 wrote to memory of 2620 2700 Fadkpe32.exe 29 PID 2700 wrote to memory of 2620 2700 Fadkpe32.exe 29 PID 2620 wrote to memory of 2548 2620 Fliomnfp.exe 30 PID 2620 wrote to memory of 2548 2620 Fliomnfp.exe 30 PID 2620 wrote to memory of 2548 2620 Fliomnfp.exe 30 PID 2620 wrote to memory of 2548 2620 Fliomnfp.exe 30 PID 2548 wrote to memory of 2504 2548 Fafheedg.exe 31 PID 2548 wrote to memory of 2504 2548 Fafheedg.exe 31 PID 2548 wrote to memory of 2504 2548 Fafheedg.exe 31 PID 2548 wrote to memory of 2504 2548 Fafheedg.exe 31 PID 2504 wrote to memory of 2588 2504 Fdddaqck.exe 32 PID 2504 wrote to memory of 2588 2504 Fdddaqck.exe 32 PID 2504 wrote to memory of 2588 2504 Fdddaqck.exe 32 PID 2504 wrote to memory of 2588 2504 Fdddaqck.exe 32 PID 2588 wrote to memory of 2820 2588 Flllcndm.exe 33 PID 2588 wrote to memory of 2820 2588 Flllcndm.exe 33 PID 2588 wrote to memory of 2820 2588 Flllcndm.exe 33 PID 2588 wrote to memory of 2820 2588 Flllcndm.exe 33 PID 2820 wrote to memory of 1244 2820 Fedplc32.exe 34 PID 2820 wrote to memory of 1244 2820 Fedplc32.exe 34 PID 2820 wrote to memory of 1244 2820 Fedplc32.exe 34 PID 2820 wrote to memory of 1244 2820 Fedplc32.exe 34 PID 1244 wrote to memory of 2140 1244 Ggemclpl.exe 35 PID 1244 wrote to memory of 2140 1244 Ggemclpl.exe 35 PID 1244 wrote to memory of 2140 1244 Ggemclpl.exe 35 PID 1244 wrote to memory of 2140 1244 Ggemclpl.exe 35 PID 2140 wrote to memory of 1632 2140 Gomedi32.exe 36 PID 2140 wrote to memory of 1632 2140 Gomedi32.exe 36 PID 2140 wrote to memory of 1632 2140 Gomedi32.exe 36 PID 2140 wrote to memory of 1632 2140 Gomedi32.exe 36 PID 1632 wrote to memory of 1716 1632 Gpnalagm.exe 37 PID 1632 wrote to memory of 1716 1632 Gpnalagm.exe 37 PID 1632 wrote to memory of 1716 1632 Gpnalagm.exe 37 PID 1632 wrote to memory of 1716 1632 Gpnalagm.exe 37 PID 1716 wrote to memory of 1652 1716 Gheimogo.exe 38 PID 1716 wrote to memory of 1652 1716 Gheimogo.exe 38 PID 1716 wrote to memory of 1652 1716 Gheimogo.exe 38 PID 1716 wrote to memory of 1652 1716 Gheimogo.exe 38 PID 1652 wrote to memory of 2132 1652 Gmabeeef.exe 39 PID 1652 wrote to memory of 2132 1652 Gmabeeef.exe 39 PID 1652 wrote to memory of 2132 1652 Gmabeeef.exe 39 PID 1652 wrote to memory of 2132 1652 Gmabeeef.exe 39 PID 2132 wrote to memory of 848 2132 Gppnaaej.exe 40 PID 2132 wrote to memory of 848 2132 Gppnaaej.exe 40 PID 2132 wrote to memory of 848 2132 Gppnaaej.exe 40 PID 2132 wrote to memory of 848 2132 Gppnaaej.exe 40 PID 848 wrote to memory of 2604 848 Ggjfnk32.exe 41 PID 848 wrote to memory of 2604 848 Ggjfnk32.exe 41 PID 848 wrote to memory of 2604 848 Ggjfnk32.exe 41 PID 848 wrote to memory of 2604 848 Ggjfnk32.exe 41 PID 2604 wrote to memory of 2376 2604 Gihbjfkj.exe 42 PID 2604 wrote to memory of 2376 2604 Gihbjfkj.exe 42 PID 2604 wrote to memory of 2376 2604 Gihbjfkj.exe 42 PID 2604 wrote to memory of 2376 2604 Gihbjfkj.exe 42 PID 2376 wrote to memory of 324 2376 Gdnghpkq.exe 43 PID 2376 wrote to memory of 324 2376 Gdnghpkq.exe 43 PID 2376 wrote to memory of 324 2376 Gdnghpkq.exe 43 PID 2376 wrote to memory of 324 2376 Gdnghpkq.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\3fb38c9bb571a1e857d2fd8004ab5e79e0800c6edb14b9d94addb1f157216674.exe"C:\Users\Admin\AppData\Local\Temp\3fb38c9bb571a1e857d2fd8004ab5e79e0800c6edb14b9d94addb1f157216674.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Fadkpe32.exeC:\Windows\system32\Fadkpe32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Fliomnfp.exeC:\Windows\system32\Fliomnfp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Fafheedg.exeC:\Windows\system32\Fafheedg.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Fdddaqck.exeC:\Windows\system32\Fdddaqck.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Flllcndm.exeC:\Windows\system32\Flllcndm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Fedplc32.exeC:\Windows\system32\Fedplc32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Ggemclpl.exeC:\Windows\system32\Ggemclpl.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Gomedi32.exeC:\Windows\system32\Gomedi32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Gpnalagm.exeC:\Windows\system32\Gpnalagm.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Gheimogo.exeC:\Windows\system32\Gheimogo.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Gmabeeef.exeC:\Windows\system32\Gmabeeef.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Gppnaaej.exeC:\Windows\system32\Gppnaaej.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Ggjfnk32.exeC:\Windows\system32\Ggjfnk32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\SysWOW64\Gihbjfkj.exeC:\Windows\system32\Gihbjfkj.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Gdnghpkq.exeC:\Windows\system32\Gdnghpkq.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Geocph32.exeC:\Windows\system32\Geocph32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:324 -
C:\Windows\SysWOW64\Gliklahk.exeC:\Windows\system32\Gliklahk.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1548 -
C:\Windows\SysWOW64\Gohhhmgo.exeC:\Windows\system32\Gohhhmgo.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:328 -
C:\Windows\SysWOW64\Geapeg32.exeC:\Windows\system32\Geapeg32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:748 -
C:\Windows\SysWOW64\Gimlefge.exeC:\Windows\system32\Gimlefge.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:852 -
C:\Windows\SysWOW64\Gojdnm32.exeC:\Windows\system32\Gojdnm32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1328 -
C:\Windows\SysWOW64\Hahqjh32.exeC:\Windows\system32\Hahqjh32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1296 -
C:\Windows\SysWOW64\Hlnega32.exeC:\Windows\system32\Hlnega32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:776 -
C:\Windows\SysWOW64\Hkqecnkq.exeC:\Windows\system32\Hkqecnkq.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\Hheelbjj.exeC:\Windows\system32\Hheelbjj.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Hlpamq32.exeC:\Windows\system32\Hlpamq32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1908 -
C:\Windows\SysWOW64\Hoonilag.exeC:\Windows\system32\Hoonilag.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2948 -
C:\Windows\SysWOW64\Hgjbmoob.exeC:\Windows\system32\Hgjbmoob.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Hoakolod.exeC:\Windows\system32\Hoakolod.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2748 -
C:\Windows\SysWOW64\Hdncgbnl.exeC:\Windows\system32\Hdncgbnl.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Hglocnmp.exeC:\Windows\system32\Hglocnmp.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2472 -
C:\Windows\SysWOW64\Hnfgphdl.exeC:\Windows\system32\Hnfgphdl.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Hqddldcp.exeC:\Windows\system32\Hqddldcp.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1576 -
C:\Windows\SysWOW64\Hjmhdi32.exeC:\Windows\system32\Hjmhdi32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:860 -
C:\Windows\SysWOW64\Imkdqe32.exeC:\Windows\system32\Imkdqe32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Iqgqacam.exeC:\Windows\system32\Iqgqacam.exe37⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Inkakhpg.exeC:\Windows\system32\Inkakhpg.exe38⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Iqimgc32.exeC:\Windows\system32\Iqimgc32.exe39⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Ijaapifk.exeC:\Windows\system32\Ijaapifk.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Ioojhpdb.exeC:\Windows\system32\Ioojhpdb.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Icjfhn32.exeC:\Windows\system32\Icjfhn32.exe42⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Iigoqe32.exeC:\Windows\system32\Iigoqe32.exe43⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Imbkadcl.exeC:\Windows\system32\Imbkadcl.exe44⤵
- Executes dropped EXE
PID:652 -
C:\Windows\SysWOW64\Ikekmq32.exeC:\Windows\system32\Ikekmq32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:312 -
C:\Windows\SysWOW64\Iclcnnji.exeC:\Windows\system32\Iclcnnji.exe46⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Ifkojiim.exeC:\Windows\system32\Ifkojiim.exe47⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Iiikfehq.exeC:\Windows\system32\Iiikfehq.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:820 -
C:\Windows\SysWOW64\Imeggc32.exeC:\Windows\system32\Imeggc32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Ikggbpgd.exeC:\Windows\system32\Ikggbpgd.exe50⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Infdolgh.exeC:\Windows\system32\Infdolgh.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Ibapoj32.exeC:\Windows\system32\Ibapoj32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Jeplkf32.exeC:\Windows\system32\Jeplkf32.exe53⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Jilhldfn.exeC:\Windows\system32\Jilhldfn.exe54⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Joepio32.exeC:\Windows\system32\Joepio32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Jnhqdkde.exeC:\Windows\system32\Jnhqdkde.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Jagmpg32.exeC:\Windows\system32\Jagmpg32.exe57⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Jinead32.exeC:\Windows\system32\Jinead32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:1336 -
C:\Windows\SysWOW64\Jgqemakf.exeC:\Windows\system32\Jgqemakf.exe59⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Jjoailji.exeC:\Windows\system32\Jjoailji.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1488 -
C:\Windows\SysWOW64\Jbfijjkl.exeC:\Windows\system32\Jbfijjkl.exe61⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Jaiiff32.exeC:\Windows\system32\Jaiiff32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1220 -
C:\Windows\SysWOW64\Jcgfbb32.exeC:\Windows\system32\Jcgfbb32.exe63⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Jkonco32.exeC:\Windows\system32\Jkonco32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Jnmjok32.exeC:\Windows\system32\Jnmjok32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:596 -
C:\Windows\SysWOW64\Jakfkfpc.exeC:\Windows\system32\Jakfkfpc.exe66⤵PID:2056
-
C:\Windows\SysWOW64\Jmbgpg32.exeC:\Windows\system32\Jmbgpg32.exe67⤵PID:1780
-
C:\Windows\SysWOW64\Jclomamd.exeC:\Windows\system32\Jclomamd.exe68⤵PID:3024
-
C:\Windows\SysWOW64\Jfkkimlh.exeC:\Windows\system32\Jfkkimlh.exe69⤵PID:2220
-
C:\Windows\SysWOW64\Jiigehkl.exeC:\Windows\system32\Jiigehkl.exe70⤵PID:2100
-
C:\Windows\SysWOW64\Kappfeln.exeC:\Windows\system32\Kappfeln.exe71⤵
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Kpcpbb32.exeC:\Windows\system32\Kpcpbb32.exe72⤵
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Kfmhol32.exeC:\Windows\system32\Kfmhol32.exe73⤵PID:2440
-
C:\Windows\SysWOW64\Kikdkh32.exeC:\Windows\system32\Kikdkh32.exe74⤵
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Kmgpkfab.exeC:\Windows\system32\Kmgpkfab.exe75⤵PID:1196
-
C:\Windows\SysWOW64\Kcahhq32.exeC:\Windows\system32\Kcahhq32.exe76⤵PID:300
-
C:\Windows\SysWOW64\Kbcicmpj.exeC:\Windows\system32\Kbcicmpj.exe77⤵PID:2172
-
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe78⤵PID:2040
-
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Kphimanc.exeC:\Windows\system32\Kphimanc.exe80⤵PID:2128
-
C:\Windows\SysWOW64\Kbfeimng.exeC:\Windows\system32\Kbfeimng.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:692 -
C:\Windows\SysWOW64\Khcnad32.exeC:\Windows\system32\Khcnad32.exe82⤵PID:656
-
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1516 -
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe84⤵PID:1544
-
C:\Windows\SysWOW64\Khekgc32.exeC:\Windows\system32\Khekgc32.exe85⤵
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe86⤵
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Kbkodl32.exeC:\Windows\system32\Kbkodl32.exe87⤵PID:2888
-
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe88⤵
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe89⤵PID:2528
-
C:\Windows\SysWOW64\Llccmb32.exeC:\Windows\system32\Llccmb32.exe90⤵
- Drops file in System32 directory
PID:2124 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe91⤵PID:1044
-
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:500 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe93⤵PID:2400
-
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe94⤵PID:1692
-
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe95⤵PID:3028
-
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe96⤵PID:1812
-
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe97⤵
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3064 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe99⤵PID:892
-
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe100⤵PID:2908
-
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe101⤵PID:1688
-
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe102⤵
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe103⤵
- Drops file in System32 directory
PID:2532 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe104⤵PID:2296
-
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1448 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe106⤵PID:1256
-
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe108⤵PID:1028
-
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe109⤵PID:1616
-
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe110⤵
- Drops file in System32 directory
PID:1128 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe111⤵PID:796
-
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:960 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe113⤵PID:3068
-
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe114⤵
- Drops file in System32 directory
PID:2668 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe115⤵PID:2688
-
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe116⤵
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1240 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe118⤵PID:2016
-
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2120 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe120⤵PID:2928
-
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe121⤵PID:1700
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-