Analysis
max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20240705-en
resource tags
arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
submitted
07/07/2024, 21:42
Static task
static1
Behavioral task
behavioral1
Sample
476f0b258730c8c042374fc0ada050aec441e12ee8b84891d4b0c40e8e02999c.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
476f0b258730c8c042374fc0ada050aec441e12ee8b84891d4b0c40e8e02999c.exe
Resource
win10v2004-20240704-en
General
Target
476f0b258730c8c042374fc0ada050aec441e12ee8b84891d4b0c40e8e02999c.exe
Size
96KB
MD5
d30deec0840a804f200131b019043cd9
SHA1
208ada3490b52b5b06158cee4b660b6344097b79
SHA256
476f0b258730c8c042374fc0ada050aec441e12ee8b84891d4b0c40e8e02999c
SHA512
df78c682124bb460faad92118dd620e3ba4f15003d5fbaf133e6d484eb085e4d2ecac0180fdb1ebd5110e5daedac977972e90367246b3bb25f78c1bc511616d2
SSDEEP
1536:OmVeSZIUohXF3e9P4vfXefef92UUtzW6oPvfohsPTpAPgnDNBrcN4i6tBYuR3PlD:OmowPh4nXefef92XW6oPv1TpAPgxed6l
Malware Config
Signatures
Every signature below lists exactly 64 IoCs. That uniform number points to a per-signature listing cap rather than the real event count: the crash record further down references process index 768, while the WriteProcessMemory listing stops at index 45, so the dropper chain ran far longer than the excerpts show.

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dljngoea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jhhfgcgj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dnhgoa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lbbiii32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Anpahn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nomkfk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Plhaeofp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ccpqjfnh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ieiegf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kdeehe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oojhfj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bllcnega.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Keoabo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gdcfoq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oolbcaij.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Koogbk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gjephakn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hmheol32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jjfkmdlg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Anecfgdc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fppmcmah.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iboghh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lddoopbi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npneeocq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nqakim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mfamko32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajapoqmf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbannb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gabofn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lqgjkbop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lkngkj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eabeal32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ipameehe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Alhaho32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cofofolh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnhhge32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pkhdnh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kobkbaac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lbhmok32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ihilqi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jkgelh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjgdfg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Deonff32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcendc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nqijmkfm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cgqmpkfg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lfnlcnih.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Odiklh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pkepnalk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ffmkhe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dpgedepn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Icponb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cpbiolnl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jjfkmdlg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Edhpaa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ohpnag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hmkiobge.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Knaqcabh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jkfnaa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bokcom32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebekej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nfhpjaba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pgibdjln.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bedcembk.exe
Executes dropped EXE 64 IoCs
pid Process (pairs, in the order listed):
1844 Fihfnp32.exe, 2188 Fkhbgbkc.exe, 2600 Feachqgb.exe, 2752 Glpepj32.exe, 2636 Gaojnq32.exe, 2912 Gaagcpdl.exe, 2560 Hqgddm32.exe, 1632 Hjcaha32.exe, 2740 Iikkon32.exe, 2860 Injqmdki.exe, 1520 Iegeonpc.exe, 1976 Jjfkmdlg.exe, 2244 Jabponba.exe, 1196 Jpjifjdg.exe, 2132 Jlqjkk32.exe, 1720 Kdnkdmec.exe,
888 Kfodfh32.exe, 1848 Lcmklh32.exe, 1732 Lhiddoph.exe, 1316 Liipnb32.exe, 2384 Lohelidp.exe, 1036 Mainndaq.exe, 2112 Mjfphf32.exe, 2424 Nohaklfk.exe, 2328 Nkobpmlo.exe, 1960 Nomkfk32.exe, 1604 Nnahgh32.exe, 3044 Ngjlpmnn.exe, 2044 Okhefl32.exe, 3008 Olchjp32.exe, 2620 Plhaeofp.exe, 2532 Phaoppja.exe,
2504 Pnmdbi32.exe, 1916 Phehko32.exe, 2728 Qmenhe32.exe, 2832 Aljjjb32.exe, 2936 Aaipghcn.exe, 800 Bdobdc32.exe, 1584 Bllcnega.exe, 1072 Bchhqo32.exe, 2172 Bplijcle.exe, 2136 Cdnncfoe.exe, 1760 Cngcll32.exe, 2708 Cofofolh.exe, 2916 Chocodch.exe, 1152 Cchdpbog.exe, 2300 Cjbmll32.exe, 2296 Dcjaeamd.exe,
1764 Dmcfngde.exe, 1772 Dmebcgbb.exe, 1012 Dilchhgg.exe, 1388 Dkmljcdh.exe, 3040 Deeqch32.exe, 2644 Epkepakn.exe, 2800 Ejdfqogm.exe, 2516 Eaqkcimg.exe, 2772 Epfhde32.exe, 2568 Ephdjeol.exe, 896 Floeof32.exe, 1464 Ficehj32.exe, 476 Felcbk32.exe, 1220 Fogdap32.exe, 3012 Gkmefaan.exe, 3004 Gdfiofhn.exe
Loads dropped DLL 64 IoCs
pid Process (the report lists each pair twice; collapsed here to the 32 distinct pairs, in order):
1688 476f0b258730c8c042374fc0ada050aec441e12ee8b84891d4b0c40e8e02999c.exe, 1844 Fihfnp32.exe, 2188 Fkhbgbkc.exe, 2600 Feachqgb.exe, 2752 Glpepj32.exe, 2636 Gaojnq32.exe, 2912 Gaagcpdl.exe, 2560 Hqgddm32.exe, 1632 Hjcaha32.exe, 2740 Iikkon32.exe, 2860 Injqmdki.exe, 1520 Iegeonpc.exe, 1976 Jjfkmdlg.exe, 2244 Jabponba.exe, 1196 Jpjifjdg.exe, 2132 Jlqjkk32.exe,
1720 Kdnkdmec.exe, 888 Kfodfh32.exe, 1848 Lcmklh32.exe, 1732 Lhiddoph.exe, 1316 Liipnb32.exe, 2384 Lohelidp.exe, 1036 Mainndaq.exe, 2112 Mjfphf32.exe, 2424 Nohaklfk.exe, 2328 Nkobpmlo.exe, 1960 Nomkfk32.exe, 1604 Nnahgh32.exe, 3044 Ngjlpmnn.exe, 2044 Okhefl32.exe, 3008 Olchjp32.exe, 2620 Plhaeofp.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Beogaenl.exe | Bhkghqpb.exe
File opened for modification | C:\Windows\SysWOW64\Eiilge32.exe | Epnkip32.exe
File created | C:\Windows\SysWOW64\Jiagedmf.dll | Mpnngi32.exe
File created | C:\Windows\SysWOW64\Aclcmbmo.dll | Bcoffd32.exe
File opened for modification | C:\Windows\SysWOW64\Gqidme32.exe | Gdbchd32.exe
File created | C:\Windows\SysWOW64\Acaoflhe.dll | Ijhkembk.exe
File created | C:\Windows\SysWOW64\Akomon32.dll | Eiilge32.exe
File created | C:\Windows\SysWOW64\Bblkmipo.dll | Mmcpjfcj.exe
File created | C:\Windows\SysWOW64\Cfjjhnge.dll | Qgiibp32.exe
File opened for modification | C:\Windows\SysWOW64\Oheieo32.exe | Odgqoa32.exe
File created | C:\Windows\SysWOW64\Mklgei32.dll | Bqambacb.exe
File created | C:\Windows\SysWOW64\Idjfdadn.dll | Lednal32.exe
File created | C:\Windows\SysWOW64\Noingpnc.dll | Dkmljcdh.exe
File opened for modification | C:\Windows\SysWOW64\Pbpoebgc.exe | Pigklmqc.exe
File created | C:\Windows\SysWOW64\Aicfgn32.exe | Abinjdad.exe
File created | C:\Windows\SysWOW64\Pdfdkehc.exe | Pkmobp32.exe
File opened for modification | C:\Windows\SysWOW64\Icjmpd32.exe | Hbkpfa32.exe
File created | C:\Windows\SysWOW64\Eocfmh32.exe | Efkbdbai.exe
File created | C:\Windows\SysWOW64\Bmoaoikj.exe | Bmldji32.exe
File created | C:\Windows\SysWOW64\Oohlaj32.exe | Oikcicfl.exe
File opened for modification | C:\Windows\SysWOW64\Kjbclamj.exe | Jnlbgq32.exe
File created | C:\Windows\SysWOW64\Gmkjgfmf.exe | Gdcfoq32.exe
File created | C:\Windows\SysWOW64\Nmogpj32.exe | Nahfkigd.exe
File opened for modification | C:\Windows\SysWOW64\Oingii32.exe | Oacbdg32.exe
File opened for modification | C:\Windows\SysWOW64\Fnelmb32.exe | Ffjghppi.exe
File created | C:\Windows\SysWOW64\Eannjf32.dll | Cfoellgb.exe
File created | C:\Windows\SysWOW64\Lcmopepp.exe | Lfingaaf.exe
File created | C:\Windows\SysWOW64\Boghbgla.dll | Naionh32.exe
File opened for modification | C:\Windows\SysWOW64\Chocodch.exe | Cofofolh.exe
File created | C:\Windows\SysWOW64\Ifbkgj32.exe | Iadbqlmh.exe
File created | C:\Windows\SysWOW64\Oheieo32.exe | Odgqoa32.exe
File opened for modification | C:\Windows\SysWOW64\Iecohl32.exe | Iaegbmlq.exe
File created | C:\Windows\SysWOW64\Gqgcjbmi.dll | Kdjenkgh.exe
File created | C:\Windows\SysWOW64\Mbgela32.exe | Mdcdcmai.exe
File created | C:\Windows\SysWOW64\Hjmcibej.dll | Ijenpn32.exe
File opened for modification | C:\Windows\SysWOW64\Cchdpbog.exe | Chocodch.exe
File created | C:\Windows\SysWOW64\Doijcjde.exe | Dljngoea.exe
File created | C:\Windows\SysWOW64\Ehgaknbp.exe | Enmqjq32.exe
File created | C:\Windows\SysWOW64\Lgiakjld.exe | Ljeabf32.exe
File opened for modification | C:\Windows\SysWOW64\Eigpmjqg.exe | Eoalpaaa.exe
File created | C:\Windows\SysWOW64\Lednal32.exe | Lojeda32.exe
File created | C:\Windows\SysWOW64\Aedkomok.dll | Ephdjeol.exe
File created | C:\Windows\SysWOW64\Ebkilnbk.dll | Dhehfk32.exe
File created | C:\Windows\SysWOW64\Ilhnjfmi.exe | Iijbnkne.exe
File created | C:\Windows\SysWOW64\Qpniokan.exe | Pnnmeh32.exe
File opened for modification | C:\Windows\SysWOW64\Dkgldm32.exe | Dboglhna.exe
File created | C:\Windows\SysWOW64\Ijimli32.exe | Ilemce32.exe
File opened for modification | C:\Windows\SysWOW64\Bbfnchfb.exe | Bmjekahk.exe
File opened for modification | C:\Windows\SysWOW64\Chhpgn32.exe | Bopknhjd.exe
File created | C:\Windows\SysWOW64\Jejffpah.dll | Hbghdj32.exe
File opened for modification | C:\Windows\SysWOW64\Joekimld.exe | Jhhfgcgj.exe
File opened for modification | C:\Windows\SysWOW64\Eleliepj.exe | Eigpmjqg.exe
File opened for modification | C:\Windows\SysWOW64\Hmkiobge.exe | Hadhjaaa.exe
File created | C:\Windows\SysWOW64\Dcihik32.dll | Oacbdg32.exe
File created | C:\Windows\SysWOW64\Dhekodik.exe | Dbhbfmkd.exe
File opened for modification | C:\Windows\SysWOW64\Oqlfhjch.exe | Ohengmcf.exe
File opened for modification | C:\Windows\SysWOW64\Ffpkob32.exe | Edpoeoea.exe
File created | C:\Windows\SysWOW64\Bnekcm32.exe | Bcoffd32.exe
File opened for modification | C:\Windows\SysWOW64\Eioaillo.exe | Dpflqfeo.exe
File created | C:\Windows\SysWOW64\Ognoodja.dll | Qkbkfh32.exe
File opened for modification | C:\Windows\SysWOW64\Opqdcgib.exe | Nfhpjaba.exe
File created | C:\Windows\SysWOW64\Ebakdbbk.dll | Oipcnieb.exe
File created | C:\Windows\SysWOW64\Pdbabndd.dll | Leaallcb.exe
File opened for modification | C:\Windows\SysWOW64\Opmhqc32.exe | Ogddhmdl.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
3884 | 4056 | WerFault.exe | 768
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ooeolkff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnihhifm.dll" | Acjfpokk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkldcapk.dll" | Epkepakn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cnhhge32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fpgnoo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipojic32.dll" | Bjlkhn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kobmkj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Khkadoog.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gljlgo32.dll" | Cnogmk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qmcclolh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Abgaeddg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bijnecld.dll" | Akjfhdka.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hngngo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmgofm32.dll" | Hgfooe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ccgnelll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpopml32.dll" | Pkmmigjo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Agqfme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jdpidm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kcqfahom.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Llfcik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hnbcaome.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdajpkkj.dll" | Beadgdli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eiilge32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lbmnea32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nkbcgnie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcenpoif.dll" | Bnekcm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Olchjp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aengebaf.dll" | Hnkffi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oiniaboi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dhdddnep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fgeabi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iegeonpc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lcedne32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pbpoebgc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oellihpf.dll" | Qfikod32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gjljij32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nggkipci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Feachqgb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecipfpcm.dll" | Fmddgg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hadfah32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Abaaoodq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkaacmbq.dll" | Lkngkj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gfmmanif.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ailqfooi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Knmghb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mlbmem32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjeje32.dll" | Kdnkdmec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfnmqjah.dll" | Lgbibb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Enqfco32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pajbdm32.dll" | Dogbolep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nccmng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmlpkniq.dll" | Mfakbf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Daplmimi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ljhppo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mmemoe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bgpnjkgi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pimkbbpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdmgahia.dll" | Hcqcoo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kfodfh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ehgaknbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfkidj32.dll" | Jfbinf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ofefqf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qkbkfh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Adfbbabc.exe
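The two tables above only make sense together: the SSODL value names the CLSID, and the CLSID's InProcServer32 default value names the DLL that Explorer will load at every logon, and each dropped EXE in this run re-points that DLL at a fresh random name. The following script is an added example, not part of the report or of the sandbox's own tooling. It parses the report's "description ioc Process" records as printed above, joins them on the CLSID and reports the resolved DLL, threading model and registering processes. The sample records are copied from the tables above except for the last one, a constructed WebCheck line added to show how a baseline entry is treated; the BASELINE_SSODL set is an assumption (WebCheck is the stock entry on a Windows 7 image) and should be rebuilt from your own golden image.

```python
"""Resolve ShellServiceObjectDelayLoad (SSODL) persistence from sandbox registry events.

Added example, not part of the sandbox report. It reads the two record shapes printed
under "Adds autorun key ..." and "Modifies registry class" and answers the question a
responder actually has: which DLL will Explorer load at logon, under which CLSID, and
which processes registered it.
"""
import re
from collections import defaultdict

SET_VALUE = re.compile(r'^Set value \((?P<kind>\w+)\) (?P<path>.+?) = "(?P<data>.*)" (?P<proc>\S+)$')
KEY_CREATED = re.compile(r'^Key created (?P<path>.+) (?P<proc>\S+)$')
SSODL_VALUE = re.compile(r'\\ShellServiceObjectDelayLoad\\(?P<name>[^\\]+)$')
CLSID_INPROC = re.compile(r'\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\InProcServer32(?:\\(?P<name>.*))?$')

# Assumption: a known-good baseline. WebCheck is the SSODL entry on a stock Windows 7
# install; rebuild this set from your own golden image before relying on it.
BASELINE_SSODL = {"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"}

# Constructed sample: the first five records are copied from the report tables, the
# WebCheck record is made up to show a baseline entry passing through the check.
SAMPLE_EVENTS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dljngoea.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnhgoa32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ooeolkff.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnihhifm.dll" Acjfpokk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kobmkj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" regedit.exe
'''


def parse_event(line):
    """One report record -> (kind, path, data, process), or None for shapes not handled here."""
    m = SET_VALUE.match(line)
    if m:
        # The report prints value data with doubled backslashes ("C:\\Windows\\..."); undo that.
        return "set", m["path"], m["data"].replace("\\\\", "\\"), m["proc"]
    m = KEY_CREATED.match(line)
    if m:
        return "create", m["path"], None, m["proc"]
    return None


def correlate_ssodl(lines):
    """Join each SSODL value write to the CLSID\\...\\InProcServer32 registration it points at."""
    ssodl = {}  # (registry view, value name) -> {"clsid", "procs"}
    servers = defaultdict(lambda: {"dll": None, "threading": None, "procs": set()})
    for raw in lines:
        ev = parse_event(raw.strip())
        if ev is None:
            continue
        kind, path, data, proc = ev
        view = "Wow6432Node" if "\\Wow6432Node\\" in path else "native"
        m = SSODL_VALUE.search(path)
        if m and kind == "set":
            entry = ssodl.setdefault((view, m["name"]), {"clsid": data.upper(), "procs": set()})
            entry["procs"].add(proc)
            continue
        m = CLSID_INPROC.search(path)
        if not m:
            continue
        srv = servers[m["clsid"].upper()]
        srv["procs"].add(proc)
        name = m["name"] or ""
        if kind == "set" and name == "":
            srv["dll"] = data  # the (Default) value is the COM server DLL Explorer will load
        elif kind == "set" and name.lower() == "threadingmodel":
            srv["threading"] = data
    findings = []
    for (view, name), entry in sorted(ssodl.items()):
        srv = servers.get(entry["clsid"], {"dll": None, "threading": None, "procs": set()})
        findings.append({
            "view": view,
            "value_name": name,
            "clsid": entry["clsid"],
            "dll": srv["dll"],
            "threading_model": srv["threading"],
            "registered_by": sorted(entry["procs"] | srv["procs"]),
            "baseline": entry["clsid"] in BASELINE_SSODL,
        })
    return findings


if __name__ == "__main__":
    for f in correlate_ssodl(SAMPLE_EVENTS.strip().splitlines()):
        flag = "baseline" if f["baseline"] else "NOT IN BASELINE"
        print(f'{f["view"]:12} {f["value_name"]!r} -> {f["clsid"]} -> {f["dll"]} '
              f'[{flag}] registered by {", ".join(f["registered_by"])}')
```

Only the value write that names a CLSID is treated as persistence; bare "Key created" records on the SSODL key are parsed and discarded, which keeps the noise from the 64-row listing out of the finding. On a live host the same join is done against HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad and its Wow6432Node twin, and the DLL path is the artifact to hash and pull.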
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (each row is printed four times in the report; the repeat count is given here instead)
PID 1688 wrote to memory of 1844 | 1688 | 476f0b258730c8c042374fc0ada050aec441e12ee8b84891d4b0c40e8e02999c.exe | 30 | x4
PID 1844 wrote to memory of 2188 | 1844 | Fihfnp32.exe | 31 | x4
PID 2188 wrote to memory of 2600 | 2188 | Fkhbgbkc.exe | 32 | x4
PID 2600 wrote to memory of 2752 | 2600 | Feachqgb.exe | 33 | x4
PID 2752 wrote to memory of 2636 | 2752 | Glpepj32.exe | 34 | x4
PID 2636 wrote to memory of 2912 | 2636 | Gaojnq32.exe | 35 | x4
PID 2912 wrote to memory of 2560 | 2912 | Gaagcpdl.exe | 36 | x4
PID 2560 wrote to memory of 1632 | 2560 | Hqgddm32.exe | 37 | x4
PID 1632 wrote to memory of 2740 | 1632 | Hjcaha32.exe | 38 | x4
PID 2740 wrote to memory of 2860 | 2740 | Iikkon32.exe | 39 | x4
PID 2860 wrote to memory of 1520 | 2860 | Injqmdki.exe | 40 | x4
PID 1520 wrote to memory of 1976 | 1520 | Iegeonpc.exe | 41 | x4
PID 1976 wrote to memory of 2244 | 1976 | Jjfkmdlg.exe | 42 | x4
PID 2244 wrote to memory of 1196 | 2244 | Jabponba.exe | 43 | x4
PID 1196 wrote to memory of 2132 | 1196 | Jpjifjdg.exe | 44 | x4
PID 2132 wrote to memory of 1720 | 2132 | Jlqjkk32.exe | 45 | x4
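The WriteProcessMemory rows are the cleanest record of how this sample spreads: every process writes into exactly one child, the child is the EXE it just dropped, and the sandbox logged each launch four times, so 64 IoCs describe only 16 launches. The script below is an added example, not the report's or the sandbox's own code. It collapses the duplicates, joins the PIDs to the names from the "Executes dropped EXE" listing, walks the chain from the submitted sample and stops cleanly on a fork or a loop. The sample rows are copied from the tables on this page (the first four launches), repeated four times to mirror the report.

```python
"""Rebuild the launch chain from "Suspicious use of WriteProcessMemory" rows.

Added example, not part of the sandbox report. Collapses the four-fold repeated
rows, joins PIDs to process names and follows writer -> target edges from the root.
"""
import re
from collections import defaultdict

WRITE_RE = re.compile(r'^PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) '
                      r'(?P<pid>\d+) (?P<proc>\S+) (?P<procid_target>\d+)$')

# Constructed sample: the first four launches from the report, each repeated four
# times because that is how the report prints them.
_DISTINCT = [
    "PID 1688 wrote to memory of 1844 1688 476f0b258730c8c042374fc0ada050aec441e12ee8b84891d4b0c40e8e02999c.exe 30",
    "PID 1844 wrote to memory of 2188 1844 Fihfnp32.exe 31",
    "PID 2188 wrote to memory of 2600 2188 Fkhbgbkc.exe 32",
    "PID 2600 wrote to memory of 2752 2600 Feachqgb.exe 33",
]
SAMPLE_WRITES = [line for line in _DISTINCT for _ in range(4)]
# "pid Process" pairs as printed under "Executes dropped EXE" (first four entries).
SAMPLE_EXECUTED = "1844 Fihfnp32.exe 2188 Fkhbgbkc.exe 2600 Feachqgb.exe 2752 Glpepj32.exe"


def parse_writes(lines):
    """Distinct (writer, target) edges in first-seen order, each with how often it was logged."""
    seen = {}
    for line in lines:
        m = WRITE_RE.match(line.strip())
        if not m:
            continue
        key = (int(m["writer"]), int(m["target"]))
        if key not in seen:
            seen[key] = {"writer": key[0], "target": key[1], "writer_name": m["proc"],
                         "procid_target": int(m["procid_target"]), "count": 0}
        seen[key]["count"] += 1
    return list(seen.values())


def parse_pid_names(text):
    """'1844 Fihfnp32.exe 2188 Fkhbgbkc.exe ...' -> {1844: 'Fihfnp32.exe', ...}."""
    tokens = text.split()
    return {int(tokens[i]): tokens[i + 1] for i in range(0, len(tokens) - 1, 2)}


def fork_points(writes):
    """Writers with more than one distinct target: the points where a chain becomes a tree."""
    targets = defaultdict(set)
    for w in writes:
        targets[w["writer"]].add(w["target"])
    return sorted(pid for pid, t in targets.items() if len(t) > 1)


def build_chain(writes, names, root_pid):
    """Follow single-child edges from root_pid. Returns [(pid, name), ...]; stops at a leaf, fork or loop."""
    names = dict(names)
    children = defaultdict(list)
    for w in writes:
        children[w["writer"]].append(w["target"])
        names.setdefault(w["writer"], w["writer_name"])  # the writer column names the parent
    chain, pid, visited = [], root_pid, set()
    while pid not in visited:
        visited.add(pid)
        chain.append((pid, names.get(pid, "?")))
        nxt = children.get(pid, [])
        if len(nxt) != 1:  # leaf (no child) or fork (several): the linear chain ends here
            break
        pid = nxt[0]
    return chain


if __name__ == "__main__":
    writes = parse_writes(SAMPLE_WRITES)
    chain = build_chain(writes, parse_pid_names(SAMPLE_EXECUTED), 1688)
    print(f"{len(SAMPLE_WRITES)} rows -> {len(writes)} distinct launches, forks at {fork_points(writes) or 'none'}")
    for depth, (pid, name) in enumerate(chain, 1):
        print(f"{'  ' * (depth - 1)}{depth:2d}. {name} (PID {pid})")
```

Fed the full 64-row table this yields a single 17-process chain with no forks, which matches the nested process tree below; a fork would show up as a writer PID in fork_points and the chain would stop there so the analyst can branch manually rather than get a silently truncated path.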
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\476f0b258730c8c042374fc0ada050aec441e12ee8b84891d4b0c40e8e02999c.exe (command line: "C:\Users\Admin\AppData\Local\Temp\476f0b258730c8c042374fc0ada050aec441e12ee8b84891d4b0c40e8e02999c.exe") PID: 1688
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 2: C:\Windows\SysWOW64\Fihfnp32.exe (command line: C:\Windows\system32\Fihfnp32.exe) PID: 1844
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 3: C:\Windows\SysWOW64\Fkhbgbkc.exe (command line: C:\Windows\system32\Fkhbgbkc.exe) PID: 2188
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 4: C:\Windows\SysWOW64\Feachqgb.exe (command line: C:\Windows\system32\Feachqgb.exe) PID: 2600
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
Level 5: C:\Windows\SysWOW64\Glpepj32.exe (command line: C:\Windows\system32\Glpepj32.exe) PID: 2752
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 6: C:\Windows\SysWOW64\Gaojnq32.exe (command line: C:\Windows\system32\Gaojnq32.exe) PID: 2636
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 7: C:\Windows\SysWOW64\Gaagcpdl.exe (command line: C:\Windows\system32\Gaagcpdl.exe) PID: 2912
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 8: C:\Windows\SysWOW64\Hqgddm32.exe (command line: C:\Windows\system32\Hqgddm32.exe) PID: 2560
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 9: C:\Windows\SysWOW64\Hjcaha32.exe (command line: C:\Windows\system32\Hjcaha32.exe) PID: 1632
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 10: C:\Windows\SysWOW64\Iikkon32.exe (command line: C:\Windows\system32\Iikkon32.exe) PID: 2740
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 11: C:\Windows\SysWOW64\Injqmdki.exe (command line: C:\Windows\system32\Injqmdki.exe) PID: 2860
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 12: C:\Windows\SysWOW64\Iegeonpc.exe (command line: C:\Windows\system32\Iegeonpc.exe) PID: 1520
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
Level 13: C:\Windows\SysWOW64\Jjfkmdlg.exe (command line: C:\Windows\system32\Jjfkmdlg.exe) PID: 1976
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 14: C:\Windows\SysWOW64\Jabponba.exe (command line: C:\Windows\system32\Jabponba.exe) PID: 2244
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 15: C:\Windows\SysWOW64\Jpjifjdg.exe (command line: C:\Windows\system32\Jpjifjdg.exe) PID: 1196
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 16: C:\Windows\SysWOW64\Jlqjkk32.exe (command line: C:\Windows\system32\Jlqjkk32.exe) PID: 2132
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 17: C:\Windows\SysWOW64\Kdnkdmec.exe (command line: C:\Windows\system32\Kdnkdmec.exe) PID: 1720
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
Level 18: C:\Windows\SysWOW64\Kfodfh32.exe (command line: C:\Windows\system32\Kfodfh32.exe) PID: 888
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
Level 19: C:\Windows\SysWOW64\Lcmklh32.exe (command line: C:\Windows\system32\Lcmklh32.exe) PID: 1848
- Executes dropped EXE
- Loads dropped DLL
Level 20: C:\Windows\SysWOW64\Lhiddoph.exe (command line: C:\Windows\system32\Lhiddoph.exe) PID: 1732
- Executes dropped EXE
- Loads dropped DLL
Level 21: C:\Windows\SysWOW64\Liipnb32.exe (command line: C:\Windows\system32\Liipnb32.exe) PID: 1316
- Executes dropped EXE
- Loads dropped DLL
Level 22: C:\Windows\SysWOW64\Lohelidp.exe (command line: C:\Windows\system32\Lohelidp.exe) PID: 2384
- Executes dropped EXE
- Loads dropped DLL
Level 23: C:\Windows\SysWOW64\Mainndaq.exe (command line: C:\Windows\system32\Mainndaq.exe) PID: 1036
- Executes dropped EXE
- Loads dropped DLL
Level 24: C:\Windows\SysWOW64\Mjfphf32.exe (command line: C:\Windows\system32\Mjfphf32.exe) PID: 2112
- Executes dropped EXE
- Loads dropped DLL
Level 25: C:\Windows\SysWOW64\Nohaklfk.exe (command line: C:\Windows\system32\Nohaklfk.exe) PID: 2424
- Executes dropped EXE
- Loads dropped DLL
Level 26: C:\Windows\SysWOW64\Nkobpmlo.exe (command line: C:\Windows\system32\Nkobpmlo.exe) PID: 2328
- Executes dropped EXE
- Loads dropped DLL
Level 27: C:\Windows\SysWOW64\Nomkfk32.exe (command line: C:\Windows\system32\Nomkfk32.exe) PID: 1960
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
Level 28: C:\Windows\SysWOW64\Nnahgh32.exe (command line: C:\Windows\system32\Nnahgh32.exe) PID: 1604
- Executes dropped EXE
- Loads dropped DLL
Level 29: C:\Windows\SysWOW64\Ngjlpmnn.exe (command line: C:\Windows\system32\Ngjlpmnn.exe) PID: 3044
- Executes dropped EXE
- Loads dropped DLL
Level 30: C:\Windows\SysWOW64\Okhefl32.exe (command line: C:\Windows\system32\Okhefl32.exe) PID: 2044
- Executes dropped EXE
- Loads dropped DLL
Level 31: C:\Windows\SysWOW64\Olchjp32.exe (command line: C:\Windows\system32\Olchjp32.exe) PID: 3008
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
Level 32: C:\Windows\SysWOW64\Plhaeofp.exe (command line: C:\Windows\system32\Plhaeofp.exe) PID: 2620
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
Level 33: C:\Windows\SysWOW64\Phaoppja.exe (command line: C:\Windows\system32\Phaoppja.exe) PID: 2532
- Executes dropped EXE
Level 34: C:\Windows\SysWOW64\Pnmdbi32.exe (command line: C:\Windows\system32\Pnmdbi32.exe) PID: 2504
- Executes dropped EXE
Level 35: C:\Windows\SysWOW64\Phehko32.exe (command line: C:\Windows\system32\Phehko32.exe) PID: 1916
- Executes dropped EXE
Level 36: C:\Windows\SysWOW64\Qmenhe32.exe (command line: C:\Windows\system32\Qmenhe32.exe) PID: 2728
- Executes dropped EXE
Level 37: C:\Windows\SysWOW64\Aljjjb32.exe (command line: C:\Windows\system32\Aljjjb32.exe) PID: 2832
- Executes dropped EXE
Level 38: C:\Windows\SysWOW64\Aaipghcn.exe (command line: C:\Windows\system32\Aaipghcn.exe) PID: 2936
- Executes dropped EXE
Level 39: C:\Windows\SysWOW64\Bdobdc32.exe (command line: C:\Windows\system32\Bdobdc32.exe) PID: 800
- Executes dropped EXE
Level 40: C:\Windows\SysWOW64\Bllcnega.exe (command line: C:\Windows\system32\Bllcnega.exe) PID: 1584
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Level 41: C:\Windows\SysWOW64\Bchhqo32.exe (command line: C:\Windows\system32\Bchhqo32.exe) PID: 1072
- Executes dropped EXE
Level 42: C:\Windows\SysWOW64\Bplijcle.exe (command line: C:\Windows\system32\Bplijcle.exe) PID: 2172
- Executes dropped EXE
Level 43: C:\Windows\SysWOW64\Cdnncfoe.exe (command line: C:\Windows\system32\Cdnncfoe.exe) PID: 2136
- Executes dropped EXE
Level 44: C:\Windows\SysWOW64\Cngcll32.exe (command line: C:\Windows\system32\Cngcll32.exe) PID: 1760
- Executes dropped EXE
Level 45: C:\Windows\SysWOW64\Cofofolh.exe (command line: C:\Windows\system32\Cofofolh.exe) PID: 2708
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
Level 46: C:\Windows\SysWOW64\Chocodch.exe (command line: C:\Windows\system32\Chocodch.exe) PID: 2916
- Executes dropped EXE
- Drops file in System32 directory
Level 47: C:\Windows\SysWOW64\Cchdpbog.exe (command line: C:\Windows\system32\Cchdpbog.exe) PID: 1152
- Executes dropped EXE
Level 48: C:\Windows\SysWOW64\Cjbmll32.exe (command line: C:\Windows\system32\Cjbmll32.exe) PID: 2300
- Executes dropped EXE
Level 49: C:\Windows\SysWOW64\Dcjaeamd.exe (command line: C:\Windows\system32\Dcjaeamd.exe) PID: 2296
- Executes dropped EXE
Level 50: C:\Windows\SysWOW64\Dmcfngde.exe (command line: C:\Windows\system32\Dmcfngde.exe) PID: 1764
- Executes dropped EXE
Level 51: C:\Windows\SysWOW64\Dmebcgbb.exe (command line: C:\Windows\system32\Dmebcgbb.exe) PID: 1772
- Executes dropped EXE
Level 52: C:\Windows\SysWOW64\Dilchhgg.exe (command line: C:\Windows\system32\Dilchhgg.exe) PID: 1012
- Executes dropped EXE
Level 53: C:\Windows\SysWOW64\Dkmljcdh.exe (command line: C:\Windows\system32\Dkmljcdh.exe) PID: 1388
- Executes dropped EXE
- Drops file in System32 directory
Level 54: C:\Windows\SysWOW64\Deeqch32.exe (command line: C:\Windows\system32\Deeqch32.exe) PID: 3040
- Executes dropped EXE
Level 55: C:\Windows\SysWOW64\Epkepakn.exe (command line: C:\Windows\system32\Epkepakn.exe) PID: 2644
- Executes dropped EXE
- Modifies registry class
Level 56: C:\Windows\SysWOW64\Ejdfqogm.exe (command line: C:\Windows\system32\Ejdfqogm.exe) PID: 2800
- Executes dropped EXE
Level 57: C:\Windows\SysWOW64\Eaqkcimg.exe (command line: C:\Windows\system32\Eaqkcimg.exe) PID: 2516
- Executes dropped EXE
Level 58: C:\Windows\SysWOW64\Epfhde32.exe (command line: C:\Windows\system32\Epfhde32.exe) PID: 2772
- Executes dropped EXE
Level 59: C:\Windows\SysWOW64\Ephdjeol.exe (command line: C:\Windows\system32\Ephdjeol.exe) PID: 2568
- Executes dropped EXE
- Drops file in System32 directory
Level 60: C:\Windows\SysWOW64\Floeof32.exe (command line: C:\Windows\system32\Floeof32.exe) PID: 896
- Executes dropped EXE
Level 61: C:\Windows\SysWOW64\Ficehj32.exe (command line: C:\Windows\system32\Ficehj32.exe) PID: 1464
- Executes dropped EXE
Level 62: C:\Windows\SysWOW64\Felcbk32.exe (command line: C:\Windows\system32\Felcbk32.exe) PID: 476
- Executes dropped EXE
Level 63: C:\Windows\SysWOW64\Fogdap32.exe (command line: C:\Windows\system32\Fogdap32.exe) PID: 1220
- Executes dropped EXE
Level 64: C:\Windows\SysWOW64\Gkmefaan.exe (command line: C:\Windows\system32\Gkmefaan.exe) PID: 3012
- Executes dropped EXE
Level 65: C:\Windows\SysWOW64\Gdfiofhn.exe (command line: C:\Windows\system32\Gdfiofhn.exe) PID: 3004
- Executes dropped EXE
Level 66: C:\Windows\SysWOW64\Gajjhkgh.exe (command line: C:\Windows\system32\Gajjhkgh.exe) PID: 1836
Level 67: C:\Windows\SysWOW64\Glckihcg.exe (command line: C:\Windows\system32\Glckihcg.exe) PID: 1612
Level 68: C:\Windows\SysWOW64\Gigkbm32.exe (command line: C:\Windows\system32\Gigkbm32.exe) PID: 1560
Level 69: C:\Windows\SysWOW64\Hhmhcigh.exe (command line: C:\Windows\system32\Hhmhcigh.exe) PID: 860
Level 70: C:\Windows\SysWOW64\Hljaigmo.exe (command line: C:\Windows\system32\Hljaigmo.exe) PID: 1556
Level 71: C:\Windows\SysWOW64\Hdefnjkj.exe (command line: C:\Windows\system32\Hdefnjkj.exe) PID: 1508
Level 72: C:\Windows\SysWOW64\Hgfooe32.exe (command line: C:\Windows\system32\Hgfooe32.exe) PID: 864
- Modifies registry class
Level 73: C:\Windows\SysWOW64\Hdjoii32.exe (command line: C:\Windows\system32\Hdjoii32.exe) PID: 2176
Level 74: C:\Windows\SysWOW64\Hnbcaome.exe (command line: C:\Windows\system32\Hnbcaome.exe) PID: 1676
- Modifies registry class
Level 75: C:\Windows\SysWOW64\Ikfdkc32.exe (command line: C:\Windows\system32\Ikfdkc32.exe) PID: 2432
Level 76: C:\Windows\SysWOW64\Ingmmn32.exe (command line: C:\Windows\system32\Ingmmn32.exe) PID: 2624
Level 77: C:\Windows\SysWOW64\Icdeee32.exe (command line: C:\Windows\system32\Icdeee32.exe) PID: 2192
Level 78: C:\Windows\SysWOW64\Icfbkded.exe (command line: C:\Windows\system32\Icfbkded.exe) PID: 2668
Level 79: C:\Windows\SysWOW64\Iomcpe32.exe (command line: C:\Windows\system32\Iomcpe32.exe) PID: 2524
Level 80: C:\Windows\SysWOW64\Joppeeif.exe (command line: C:\Windows\system32\Joppeeif.exe) PID: 2680
Level 81: C:\Windows\SysWOW64\Jgkdigfa.exe (command line: C:\Windows\system32\Jgkdigfa.exe) PID: 1624
Level 82: C:\Windows\SysWOW64\Jnemfa32.exe (command line: C:\Windows\system32\Jnemfa32.exe) PID: 1644
Level 83: C:\Windows\SysWOW64\Jngilalk.exe (command line: C:\Windows\system32\Jngilalk.exe) PID: 2272
Level 84: C:\Windows\SysWOW64\Jnifaajh.exe (command line: C:\Windows\system32\Jnifaajh.exe) PID: 1768
Level 85: C:\Windows\SysWOW64\Jnlbgq32.exe (command line: C:\Windows\system32\Jnlbgq32.exe) PID: 2352
- Drops file in System32 directory
Level 86: C:\Windows\SysWOW64\Kjbclamj.exe (command line: C:\Windows\system32\Kjbclamj.exe) PID: 564
Level 87: C:\Windows\SysWOW64\Kfidqb32.exe (command line: C:\Windows\system32\Kfidqb32.exe) PID: 2416
Level 88: C:\Windows\SysWOW64\Keoabo32.exe (command line: C:\Windows\system32\Keoabo32.exe) PID: 1776
- Adds autorun key to be loaded by Explorer.exe on startup
Level 89: C:\Windows\SysWOW64\Kngekdnf.exe (command line: C:\Windows\system32\Kngekdnf.exe) PID: 2984
Level 90: C:\Windows\SysWOW64\Koibpd32.exe (command line: C:\Windows\system32\Koibpd32.exe) PID: 1660
Level 91: C:\Windows\SysWOW64\Lolofd32.exe (command line: C:\Windows\system32\Lolofd32.exe) PID: 2720
Level 92: C:\Windows\SysWOW64\Llpoohik.exe (command line: C:\Windows\system32\Llpoohik.exe) PID: 2092
Level 93: C:\Windows\SysWOW64\Ldkdckff.exe (command line: C:\Windows\system32\Ldkdckff.exe) PID: 2980
Level 94: C:\Windows\SysWOW64\Laodmoep.exe (command line: C:\Windows\system32\Laodmoep.exe) PID: 760
Level 95: C:\Windows\SysWOW64\Lbbnjgik.exe (command line: C:\Windows\system32\Lbbnjgik.exe) PID: 1852
Level 96: C:\Windows\SysWOW64\Miocmq32.exe (command line: C:\Windows\system32\Miocmq32.exe) PID: 2276
Level 97: C:\Windows\SysWOW64\Mhdpnm32.exe (command line: C:\Windows\system32\Mhdpnm32.exe) PID: 2204
Level 98: C:\Windows\SysWOW64\Mehpga32.exe (command line: C:\Windows\system32\Mehpga32.exe) PID: 2484
Level 99: C:\Windows\SysWOW64\Mclqqeaq.exe (command line: C:\Windows\system32\Mclqqeaq.exe) PID: 824
Level 100: C:\Windows\SysWOW64\Mldeik32.exe (command line: C:\Windows\system32\Mldeik32.exe) PID: 2084
Level 101: C:\Windows\SysWOW64\Mhkfnlme.exe (command line: C:\Windows\system32\Mhkfnlme.exe) PID: 2228
Level 102: C:\Windows\SysWOW64\Ngpcohbm.exe (command line: C:\Windows\system32\Ngpcohbm.exe) PID: 2020
Level 103: C:\Windows\SysWOW64\Nphghn32.exe (command line: C:\Windows\system32\Nphghn32.exe) PID: 2820
Level 104: C:\Windows\SysWOW64\Nlohmonb.exe (command line: C:\Windows\system32\Nlohmonb.exe) PID: 1480
Level 105: C:\Windows\SysWOW64\Nfglfdeb.exe (command line: C:\Windows\system32\Nfglfdeb.exe) PID: 2548
Level 106: C:\Windows\SysWOW64\Nopaoj32.exe (command line: C:\Windows\system32\Nopaoj32.exe) PID: 2072
Level 107: C:\Windows\SysWOW64\Njhbabif.exe (command line: C:\Windows\system32\Njhbabif.exe) PID: 2848
Level 108: C:\Windows\SysWOW64\Ogbldk32.exe (command line: C:\Windows\system32\Ogbldk32.exe) PID: 2844
Level 109: C:\Windows\SysWOW64\Onoqfehp.exe (command line: C:\Windows\system32\Onoqfehp.exe) PID: 3024
Level 110: C:\Windows\SysWOW64\Onamle32.exe (command line: C:\Windows\system32\Onamle32.exe) PID: 2236
Level 111: C:\Windows\SysWOW64\Pgibdjln.exe (command line: C:\Windows\system32\Pgibdjln.exe) PID: 1528
- Adds autorun key to be loaded by Explorer.exe on startup
Level 112: C:\Windows\SysWOW64\Pimkbbpi.exe (command line: C:\Windows\system32\Pimkbbpi.exe) PID: 1592
- Modifies registry class
Level 113: C:\Windows\SysWOW64\Pnnmeh32.exe (command line: C:\Windows\system32\Pnnmeh32.exe) PID: 2008
- Drops file in System32 directory
Level 114: C:\Windows\SysWOW64\Qpniokan.exe (command line: C:\Windows\system32\Qpniokan.exe) PID: 2168
Level 115: C:\Windows\SysWOW64\Qifnhaho.exe (command line: C:\Windows\system32\Qifnhaho.exe) PID: 2380
Level 116: C:\Windows\SysWOW64\Qbobaf32.exe (command line: C:\Windows\system32\Qbobaf32.exe) PID: 492
Level 117: C:\Windows\SysWOW64\Anecfgdc.exe (command line: C:\Windows\system32\Anecfgdc.exe) PID: 2320
- Adds autorun key to be loaded by Explorer.exe on startup
Level 118: C:\Windows\SysWOW64\Afqhjj32.exe (command line: C:\Windows\system32\Afqhjj32.exe) PID: 2716
Level 119: C:\Windows\SysWOW64\Apilcoho.exe (command line: C:\Windows\system32\Apilcoho.exe) PID: 3036
Level 120: C:\Windows\SysWOW64\Apkihofl.exe (command line: C:\Windows\system32\Apkihofl.exe) PID: 2512
Level 121: C:\Windows\SysWOW64\Aicmadmm.exe (command line: C:\Windows\system32\Aicmadmm.exe) PID: 664
Level 122: C:\Windows\SysWOW64\Aejnfe32.exe (command line: C:\Windows\system32\Aejnfe32.exe) PID: 2884