Analysis
-
max time kernel
141s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
07-07-2024 04:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d5ec82beb85363ad63e04b450681e6c941da94893196dcb5a233ed841c46283e.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
d5ec82beb85363ad63e04b450681e6c941da94893196dcb5a233ed841c46283e.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
d5ec82beb85363ad63e04b450681e6c941da94893196dcb5a233ed841c46283e.exe
-
Size
64KB
-
MD5
8ca2a791f8b2fde994ca685d8cce45fc
-
SHA1
5982e8073587d75f5e52141b29b1527f6f0fa9a5
-
SHA256
d5ec82beb85363ad63e04b450681e6c941da94893196dcb5a233ed841c46283e
-
SHA512
a05298e6295f7bd6b85026c13f697c7a5d325e12ea39bb268d7feefd471d467c7c78fdb7a9cfcdc7e572e113ba1c7f5d6e69bd706f98cc6fa426d7e867c9afb6
-
SSDEEP
768:RGMaIj2R/pmQzOA5GL3iEZ+IcZpCLgAXf87Tk8MA5/PlpCjDuFNw/1H5r2U6XJ1e:RGTmmOokiOcDdNPy/KYN29XUwXfzwv
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpmbfbgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flfpabkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jioopgef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llgjaeoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nefdpjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chfbgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgnadkic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gepafc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdnild32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nncbdomg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Injndk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ippdgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlcibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnmfdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phlclgfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pepcelel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alnalh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeohkeoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehmdgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giipab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpphhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kklkcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adnpkjde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bceibfgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpgjgboe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhbold32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klpdaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmjdaqgi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgpjhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgbfnngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpnkbpdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llgjaeoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pepcelel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnomjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmicfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojomdoof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbjojh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmkeke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahnac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkqqnq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfhkhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plgolf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aohdmdoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akcomepg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gonocmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbcjnnpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaajei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkndhabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnmpdlac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmoofdea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnbojmmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdcifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elkmmodo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeafjiop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olpilg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkjdndjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqbbagjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojmpooah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clbnhmjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhiomn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gepafc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbjpom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgqkbb32.exe -
Executes dropped EXE 64 IoCs
pid Process 2208 Cmjdaqgi.exe 1744 Cbgmigeq.exe 2276 Clpabm32.exe 2828 Cbiiog32.exe 2580 Chfbgn32.exe 2988 Clbnhmjo.exe 2912 Dejbqb32.exe 1980 Dhiomn32.exe 584 Dbncjf32.exe 2880 Ddpobo32.exe 1872 Dlfgcl32.exe 2348 Dmhdkdlg.exe 2972 Dhmhhmlm.exe 2992 Dmjqpdje.exe 2084 Dddimn32.exe 2108 Dgbeiiqe.exe 2344 Dahifbpk.exe 1820 Ddfebnoo.exe 1796 Dgeaoinb.exe 2128 Dkqnoh32.exe 496 Elajgpmj.exe 1604 Edibhmml.exe 2212 Eggndi32.exe 2324 Eiekpd32.exe 2100 Eppcmncq.exe 1600 Ecnoijbd.exe 884 Ehkhaqpk.exe 2480 Eeohkeoe.exe 2752 Ehmdgp32.exe 2784 Eogmcjef.exe 2916 Eddeladm.exe 2640 Elkmmodo.exe 2688 Eaheeecg.exe 1388 Edfbaabj.exe 2012 Folfoj32.exe 2016 Fpmbfbgo.exe 2868 Fdiogq32.exe 1068 Fkbgckgd.exe 2264 Fkbgckgd.exe 2068 Fpoolael.exe 2288 Fdkklp32.exe 1240 Flfpabkp.exe 2460 Fgldnkkf.exe 1308 Flhmfbim.exe 812 Fgnadkic.exe 912 Fhomkcoa.exe 876 Fmkilb32.exe 2476 Fqfemqod.exe 1576 Goiehm32.exe 568 Gbhbdi32.exe 2808 Gjojef32.exe 2772 Gmmfaa32.exe 3016 Golbnm32.exe 2636 Gbjojh32.exe 2672 Gfejjgli.exe 1660 Gmpcgace.exe 1404 Gkbcbn32.exe 2392 Gonocmbi.exe 2836 Gnaooi32.exe 768 Gfhgpg32.exe 2456 Gdkgkcpq.exe 2136 Gifclb32.exe 2600 Ggicgopd.exe 1536 Gkephn32.exe -
Loads dropped DLL 64 IoCs
pid Process 2708 d5ec82beb85363ad63e04b450681e6c941da94893196dcb5a233ed841c46283e.exe 2708 d5ec82beb85363ad63e04b450681e6c941da94893196dcb5a233ed841c46283e.exe 2208 Cmjdaqgi.exe 2208 Cmjdaqgi.exe 1744 Cbgmigeq.exe 1744 Cbgmigeq.exe 2276 Clpabm32.exe 2276 Clpabm32.exe 2828 Cbiiog32.exe 2828 Cbiiog32.exe 2580 Chfbgn32.exe 2580 Chfbgn32.exe 2988 Clbnhmjo.exe 2988 Clbnhmjo.exe 2912 Dejbqb32.exe 2912 Dejbqb32.exe 1980 Dhiomn32.exe 1980 Dhiomn32.exe 584 Dbncjf32.exe 584 Dbncjf32.exe 2880 Ddpobo32.exe 2880 Ddpobo32.exe 1872 Dlfgcl32.exe 1872 Dlfgcl32.exe 2348 Dmhdkdlg.exe 2348 Dmhdkdlg.exe 2972 Dhmhhmlm.exe 2972 Dhmhhmlm.exe 2992 Dmjqpdje.exe 2992 Dmjqpdje.exe 2084 Dddimn32.exe 2084 Dddimn32.exe 2108 Dgbeiiqe.exe 2108 Dgbeiiqe.exe 2344 Dahifbpk.exe 2344 Dahifbpk.exe 1820 Ddfebnoo.exe 1820 Ddfebnoo.exe 1796 Dgeaoinb.exe 1796 Dgeaoinb.exe 2128 Dkqnoh32.exe 2128 Dkqnoh32.exe 496 Elajgpmj.exe 496 Elajgpmj.exe 1604 Edibhmml.exe 1604 Edibhmml.exe 2212 Eggndi32.exe 2212 Eggndi32.exe 2324 Eiekpd32.exe 2324 Eiekpd32.exe 2100 Eppcmncq.exe 2100 Eppcmncq.exe 1600 Ecnoijbd.exe 1600 Ecnoijbd.exe 884 Ehkhaqpk.exe 884 Ehkhaqpk.exe 2480 Eeohkeoe.exe 2480 Eeohkeoe.exe 2752 Ehmdgp32.exe 2752 Ehmdgp32.exe 2784 Eogmcjef.exe 2784 Eogmcjef.exe 2916 Eddeladm.exe 2916 Eddeladm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cnfqccna.exe Ckhdggom.exe File created C:\Windows\SysWOW64\Oaghki32.exe Omklkkpl.exe File created C:\Windows\SysWOW64\Fkdhkd32.dll Paiaplin.exe File created C:\Windows\SysWOW64\Oinhifdq.dll Bfioia32.exe File created C:\Windows\SysWOW64\Kgloog32.dll Caifjn32.exe File opened for modification C:\Windows\SysWOW64\Eppcmncq.exe Eiekpd32.exe File opened for modification C:\Windows\SysWOW64\Kpicle32.exe Klngkfge.exe File created C:\Windows\SysWOW64\Bmlael32.exe Bniajoic.exe File created C:\Windows\SysWOW64\Gnfnae32.dll Mqbbagjo.exe File created C:\Windows\SysWOW64\Edeomgho.dll Nbhhdnlh.exe File created C:\Windows\SysWOW64\Kongke32.dll Ngealejo.exe File created C:\Windows\SysWOW64\Ojefmknj.dll Pepcelel.exe File created C:\Windows\SysWOW64\Ekdehk32.dll Fdiogq32.exe File created C:\Windows\SysWOW64\Gjojef32.exe Gbhbdi32.exe File created C:\Windows\SysWOW64\Gdkgkcpq.exe Gfhgpg32.exe File created C:\Windows\SysWOW64\Cgknkqan.dll Ldpbpgoh.exe File opened for modification C:\Windows\SysWOW64\Nncbdomg.exe Nlefhcnc.exe File created C:\Windows\SysWOW64\Ajaclncd.dll Cenljmgq.exe File opened for modification C:\Windows\SysWOW64\Clpabm32.exe Cbgmigeq.exe File created C:\Windows\SysWOW64\Hahnac32.exe Hnjbeh32.exe File opened for modification C:\Windows\SysWOW64\Ljfapjbi.exe Lboiol32.exe File created C:\Windows\SysWOW64\Olpilg32.exe Omnipjni.exe File created C:\Windows\SysWOW64\Pkaehb32.exe Phcilf32.exe File created C:\Windows\SysWOW64\Eaheeecg.exe Elkmmodo.exe File opened for modification C:\Windows\SysWOW64\Gifclb32.exe Gdkgkcpq.exe File opened for modification C:\Windows\SysWOW64\Iimfld32.exe Ieajkfmd.exe File opened for modification C:\Windows\SysWOW64\Pmkhjncg.exe Pkmlmbcd.exe File created C:\Windows\SysWOW64\Cmjdaqgi.exe d5ec82beb85363ad63e04b450681e6c941da94893196dcb5a233ed841c46283e.exe File created C:\Windows\SysWOW64\Ckhnnjob.dll Iflmjihl.exe File created C:\Windows\SysWOW64\Ljlmgnqj.dll Llgjaeoj.exe File created C:\Windows\SysWOW64\Qggfio32.dll Mgjnhaco.exe File created C:\Windows\SysWOW64\Pdlmgo32.dll Mikjpiim.exe File opened for modification C:\Windows\SysWOW64\Injndk32.exe Illbhp32.exe File created C:\Windows\SysWOW64\Alecllfh.dll Bgcbhd32.exe File created C:\Windows\SysWOW64\Abillbab.dll Dbncjf32.exe File created C:\Windows\SysWOW64\Egjfigdn.dll Fgldnkkf.exe File created C:\Windows\SysWOW64\Pkfope32.dll Ieajkfmd.exe File created C:\Windows\SysWOW64\Knbbpakg.dll Kpicle32.exe File created C:\Windows\SysWOW64\Ldbofgme.exe Lbcbjlmb.exe File created C:\Windows\SysWOW64\Hnjbeh32.exe Hgpjhn32.exe File opened for modification C:\Windows\SysWOW64\Mqbbagjo.exe Mikjpiim.exe File created C:\Windows\SysWOW64\Mpgobc32.exe Mmicfh32.exe File created C:\Windows\SysWOW64\Lmdlck32.dll Bqeqqk32.exe File created C:\Windows\SysWOW64\Dbncjf32.exe Dhiomn32.exe File created C:\Windows\SysWOW64\Jaoqqflp.exe Iihiphln.exe File created C:\Windows\SysWOW64\Kpicle32.exe Klngkfge.exe File opened for modification C:\Windows\SysWOW64\Kaompi32.exe Koaqcn32.exe File created C:\Windows\SysWOW64\Obmnna32.exe Ooabmbbe.exe File created C:\Windows\SysWOW64\Adnpkjde.exe Abpcooea.exe File opened for modification C:\Windows\SysWOW64\Gonocmbi.exe Gkbcbn32.exe File created C:\Windows\SysWOW64\Iofjqboi.dll Jbqmhnbo.exe File created C:\Windows\SysWOW64\Doempm32.dll Klbdgb32.exe File created C:\Windows\SysWOW64\Mjhjdm32.exe Mgjnhaco.exe File created C:\Windows\SysWOW64\Kgbioq32.dll Mbcoio32.exe File created C:\Windows\SysWOW64\Dahapj32.dll Pojecajj.exe File opened for modification C:\Windows\SysWOW64\Aomnhd32.exe Alnalh32.exe File opened for modification C:\Windows\SysWOW64\Boogmgkl.exe Bmpkqklh.exe File created C:\Windows\SysWOW64\Ogjknh32.dll Hqfaldbo.exe File opened for modification C:\Windows\SysWOW64\Iefcfe32.exe Imokehhl.exe File created C:\Windows\SysWOW64\Djmlem32.dll Lldmleam.exe File opened for modification C:\Windows\SysWOW64\Mimgeigj.exe Mfokinhf.exe File created C:\Windows\SysWOW64\Kqcjjk32.dll Ppnnai32.exe File created C:\Windows\SysWOW64\Kfmmfimm.dll Fkbgckgd.exe File opened for modification C:\Windows\SysWOW64\Kkjnnn32.exe Kdpfadlm.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\system32†Dhhhbg32.¿xe Dpapaj32.exe File opened for modification C:\Windows\system32†Dhhhbg32.¿xe Dpapaj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4496 4364 WerFault.exe 391 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abmgjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjcgnola.dll" Jbefcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlhoigp.dll" Odgamdef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olpilg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijjilik.dll" Bieopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elajgpmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdiogq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abmgjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfahomfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkmlmbcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcdgqq32.dll" Ipeaco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdpeiada.dll" Lkjjma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecnoijbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaghki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pofkha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnnbf32.dll" Flfpabkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlcibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfqgfg32.dll" Qkfocaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pohbak32.dll" Mimgeigj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nefdpjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkjnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jefdckem.dll" Locjhqpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpjqgjc.dll" Agolnbok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfhgpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dekhchoj.dll" Giipab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klngkfge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcjhmcok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neiaeiii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll" Boogmgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcegq32.dll" Gonocmbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkhejkcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedjkeaj.dll" Iliebpfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pljlbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnpciaef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbhbdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Picion32.dll" Hkiicmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acfmcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jajcdjca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjhjdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ooabmbbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qdlggg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID d5ec82beb85363ad63e04b450681e6c941da94893196dcb5a233ed841c46283e.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flhmfbim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkjnnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqpflg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpqmndme.dll" Qnghel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afffenbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnkjnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmlkmc32.dll" d5ec82beb85363ad63e04b450681e6c941da94893196dcb5a233ed841c46283e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clbnhmjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pafdjmkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdakoaln.dll" Phcilf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cebeem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elajgpmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnafnopi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcjhmcok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cddoqj32.dll" Mmicfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nedhjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhcmgmam.dll" Ncnngfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imafcg32.dll" Apedah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkglnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejloak32.dll" Jeafjiop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpdokkbh.dll" Mggabaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkclcjqj.dll" Nlefhcnc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2708 wrote to memory of 2208 2708 d5ec82beb85363ad63e04b450681e6c941da94893196dcb5a233ed841c46283e.exe 30 PID 2708 wrote to memory of 2208 2708 d5ec82beb85363ad63e04b450681e6c941da94893196dcb5a233ed841c46283e.exe 30 PID 2708 wrote to memory of 2208 2708 d5ec82beb85363ad63e04b450681e6c941da94893196dcb5a233ed841c46283e.exe 30 PID 2708 wrote to memory of 2208 2708 d5ec82beb85363ad63e04b450681e6c941da94893196dcb5a233ed841c46283e.exe 30 PID 2208 wrote to memory of 1744 2208 Cmjdaqgi.exe 31 PID 2208 wrote to memory of 1744 2208 Cmjdaqgi.exe 31 PID 2208 wrote to memory of 1744 2208 Cmjdaqgi.exe 31 PID 2208 wrote to memory of 1744 2208 Cmjdaqgi.exe 31 PID 1744 wrote to memory of 2276 1744 Cbgmigeq.exe 32 PID 1744 wrote to memory of 2276 1744 Cbgmigeq.exe 32 PID 1744 wrote to memory of 2276 1744 Cbgmigeq.exe 32 PID 1744 wrote to memory of 2276 1744 Cbgmigeq.exe 32 PID 2276 wrote to memory of 2828 2276 Clpabm32.exe 33 PID 2276 wrote to memory of 2828 2276 Clpabm32.exe 33 PID 2276 wrote to memory of 2828 2276 Clpabm32.exe 33 PID 2276 wrote to memory of 2828 2276 Clpabm32.exe 33 PID 2828 wrote to memory of 2580 2828 Cbiiog32.exe 34 PID 2828 wrote to memory of 2580 2828 Cbiiog32.exe 34 PID 2828 wrote to memory of 2580 2828 Cbiiog32.exe 34 PID 2828 wrote to memory of 2580 2828 Cbiiog32.exe 34 PID 2580 wrote to memory of 2988 2580 Chfbgn32.exe 35 PID 2580 wrote to memory of 2988 2580 Chfbgn32.exe 35 PID 2580 wrote to memory of 2988 2580 Chfbgn32.exe 35 PID 2580 wrote to memory of 2988 2580 Chfbgn32.exe 35 PID 2988 wrote to memory of 2912 2988 Clbnhmjo.exe 36 PID 2988 wrote to memory of 2912 2988 Clbnhmjo.exe 36 PID 2988 wrote to memory of 2912 2988 Clbnhmjo.exe 36 PID 2988 wrote to memory of 2912 2988 Clbnhmjo.exe 36 PID 2912 wrote to memory of 1980 2912 Dejbqb32.exe 37 PID 2912 wrote to memory of 1980 2912 Dejbqb32.exe 37 PID 2912 wrote to memory of 1980 2912 Dejbqb32.exe 37 PID 2912 wrote to memory of 1980 2912 Dejbqb32.exe 37 PID 1980 wrote to memory of 584 1980 Dhiomn32.exe 38 PID 1980 wrote to memory of 584 1980 Dhiomn32.exe 38 PID 1980 wrote to memory of 584 1980 Dhiomn32.exe 38 PID 1980 wrote to memory of 584 1980 Dhiomn32.exe 38 PID 584 wrote to memory of 2880 584 Dbncjf32.exe 39 PID 584 wrote to memory of 2880 584 Dbncjf32.exe 39 PID 584 wrote to memory of 2880 584 Dbncjf32.exe 39 PID 584 wrote to memory of 2880 584 Dbncjf32.exe 39 PID 2880 wrote to memory of 1872 2880 Ddpobo32.exe 40 PID 2880 wrote to memory of 1872 2880 Ddpobo32.exe 40 PID 2880 wrote to memory of 1872 2880 Ddpobo32.exe 40 PID 2880 wrote to memory of 1872 2880 Ddpobo32.exe 40 PID 1872 wrote to memory of 2348 1872 Dlfgcl32.exe 41 PID 1872 wrote to memory of 2348 1872 Dlfgcl32.exe 41 PID 1872 wrote to memory of 2348 1872 Dlfgcl32.exe 41 PID 1872 wrote to memory of 2348 1872 Dlfgcl32.exe 41 PID 2348 wrote to memory of 2972 2348 Dmhdkdlg.exe 42 PID 2348 wrote to memory of 2972 2348 Dmhdkdlg.exe 42 PID 2348 wrote to memory of 2972 2348 Dmhdkdlg.exe 42 PID 2348 wrote to memory of 2972 2348 Dmhdkdlg.exe 42 PID 2972 wrote to memory of 2992 2972 Dhmhhmlm.exe 43 PID 2972 wrote to memory of 2992 2972 Dhmhhmlm.exe 43 PID 2972 wrote to memory of 2992 2972 Dhmhhmlm.exe 43 PID 2972 wrote to memory of 2992 2972 Dhmhhmlm.exe 43 PID 2992 wrote to memory of 2084 2992 Dmjqpdje.exe 44 PID 2992 wrote to memory of 2084 2992 Dmjqpdje.exe 44 PID 2992 wrote to memory of 2084 2992 Dmjqpdje.exe 44 PID 2992 wrote to memory of 2084 2992 Dmjqpdje.exe 44 PID 2084 wrote to memory of 2108 2084 Dddimn32.exe 45 PID 2084 wrote to memory of 2108 2084 Dddimn32.exe 45 PID 2084 wrote to memory of 2108 2084 Dddimn32.exe 45 PID 2084 wrote to memory of 2108 2084 Dddimn32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\d5ec82beb85363ad63e04b450681e6c941da94893196dcb5a233ed841c46283e.exe"C:\Users\Admin\AppData\Local\Temp\d5ec82beb85363ad63e04b450681e6c941da94893196dcb5a233ed841c46283e.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Cmjdaqgi.exeC:\Windows\system32\Cmjdaqgi.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Cbgmigeq.exeC:\Windows\system32\Cbgmigeq.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Clpabm32.exeC:\Windows\system32\Clpabm32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Cbiiog32.exeC:\Windows\system32\Cbiiog32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Chfbgn32.exeC:\Windows\system32\Chfbgn32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Clbnhmjo.exeC:\Windows\system32\Clbnhmjo.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Dejbqb32.exeC:\Windows\system32\Dejbqb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Dhiomn32.exeC:\Windows\system32\Dhiomn32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Dbncjf32.exeC:\Windows\system32\Dbncjf32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Ddpobo32.exeC:\Windows\system32\Ddpobo32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Dlfgcl32.exeC:\Windows\system32\Dlfgcl32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\Dmhdkdlg.exeC:\Windows\system32\Dmhdkdlg.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Dhmhhmlm.exeC:\Windows\system32\Dhmhhmlm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Dmjqpdje.exeC:\Windows\system32\Dmjqpdje.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Dddimn32.exeC:\Windows\system32\Dddimn32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Dgbeiiqe.exeC:\Windows\system32\Dgbeiiqe.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2108 -
C:\Windows\SysWOW64\Dahifbpk.exeC:\Windows\system32\Dahifbpk.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2344 -
C:\Windows\SysWOW64\Ddfebnoo.exeC:\Windows\system32\Ddfebnoo.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1820 -
C:\Windows\SysWOW64\Dgeaoinb.exeC:\Windows\system32\Dgeaoinb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1796 -
C:\Windows\SysWOW64\Dkqnoh32.exeC:\Windows\system32\Dkqnoh32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2128 -
C:\Windows\SysWOW64\Elajgpmj.exeC:\Windows\system32\Elajgpmj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:496 -
C:\Windows\SysWOW64\Edibhmml.exeC:\Windows\system32\Edibhmml.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Eggndi32.exeC:\Windows\system32\Eggndi32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Eiekpd32.exeC:\Windows\system32\Eiekpd32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Eppcmncq.exeC:\Windows\system32\Eppcmncq.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2100 -
C:\Windows\SysWOW64\Ecnoijbd.exeC:\Windows\system32\Ecnoijbd.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Ehkhaqpk.exeC:\Windows\system32\Ehkhaqpk.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:884 -
C:\Windows\SysWOW64\Eeohkeoe.exeC:\Windows\system32\Eeohkeoe.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2480 -
C:\Windows\SysWOW64\Ehmdgp32.exeC:\Windows\system32\Ehmdgp32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Eogmcjef.exeC:\Windows\system32\Eogmcjef.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Eddeladm.exeC:\Windows\system32\Eddeladm.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Elkmmodo.exeC:\Windows\system32\Elkmmodo.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Eaheeecg.exeC:\Windows\system32\Eaheeecg.exe34⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Edfbaabj.exeC:\Windows\system32\Edfbaabj.exe35⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Folfoj32.exeC:\Windows\system32\Folfoj32.exe36⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Fpmbfbgo.exeC:\Windows\system32\Fpmbfbgo.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Fdiogq32.exeC:\Windows\system32\Fdiogq32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Fkbgckgd.exeC:\Windows\system32\Fkbgckgd.exe39⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Fkbgckgd.exeC:\Windows\system32\Fkbgckgd.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Fpoolael.exeC:\Windows\system32\Fpoolael.exe41⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Fdkklp32.exeC:\Windows\system32\Fdkklp32.exe42⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Flfpabkp.exeC:\Windows\system32\Flfpabkp.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1240 -
C:\Windows\SysWOW64\Fgldnkkf.exeC:\Windows\system32\Fgldnkkf.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2460 -
C:\Windows\SysWOW64\Flhmfbim.exeC:\Windows\system32\Flhmfbim.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1308 -
C:\Windows\SysWOW64\Fgnadkic.exeC:\Windows\system32\Fgnadkic.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Fhomkcoa.exeC:\Windows\system32\Fhomkcoa.exe47⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Fmkilb32.exeC:\Windows\system32\Fmkilb32.exe48⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Fqfemqod.exeC:\Windows\system32\Fqfemqod.exe49⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Goiehm32.exeC:\Windows\system32\Goiehm32.exe50⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Gbhbdi32.exeC:\Windows\system32\Gbhbdi32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:568 -
C:\Windows\SysWOW64\Gjojef32.exeC:\Windows\system32\Gjojef32.exe52⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Gmmfaa32.exeC:\Windows\system32\Gmmfaa32.exe53⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Golbnm32.exeC:\Windows\system32\Golbnm32.exe54⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Gbjojh32.exeC:\Windows\system32\Gbjojh32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Gfejjgli.exeC:\Windows\system32\Gfejjgli.exe56⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Gmpcgace.exeC:\Windows\system32\Gmpcgace.exe57⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Gkbcbn32.exeC:\Windows\system32\Gkbcbn32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1404 -
C:\Windows\SysWOW64\Gonocmbi.exeC:\Windows\system32\Gonocmbi.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Gnaooi32.exeC:\Windows\system32\Gnaooi32.exe60⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Gfhgpg32.exeC:\Windows\system32\Gfhgpg32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Gdkgkcpq.exeC:\Windows\system32\Gdkgkcpq.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2456 -
C:\Windows\SysWOW64\Gifclb32.exeC:\Windows\system32\Gifclb32.exe63⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Ggicgopd.exeC:\Windows\system32\Ggicgopd.exe64⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Gkephn32.exeC:\Windows\system32\Gkephn32.exe65⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Gncldi32.exeC:\Windows\system32\Gncldi32.exe66⤵PID:1544
-
C:\Windows\SysWOW64\Gbohehoj.exeC:\Windows\system32\Gbohehoj.exe67⤵PID:1332
-
C:\Windows\SysWOW64\Gdmdacnn.exeC:\Windows\system32\Gdmdacnn.exe68⤵PID:2056
-
C:\Windows\SysWOW64\Giipab32.exeC:\Windows\system32\Giipab32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Gkglnm32.exeC:\Windows\system32\Gkglnm32.exe70⤵
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Gneijien.exeC:\Windows\system32\Gneijien.exe71⤵PID:1060
-
C:\Windows\SysWOW64\Gbadjg32.exeC:\Windows\system32\Gbadjg32.exe72⤵PID:2656
-
C:\Windows\SysWOW64\Gepafc32.exeC:\Windows\system32\Gepafc32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2892 -
C:\Windows\SysWOW64\Hkiicmdh.exeC:\Windows\system32\Hkiicmdh.exe74⤵
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\Hmkeke32.exeC:\Windows\system32\Hmkeke32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1064 -
C:\Windows\SysWOW64\Hqfaldbo.exeC:\Windows\system32\Hqfaldbo.exe76⤵
- Drops file in System32 directory
PID:1232 -
C:\Windows\SysWOW64\Hcdnhoac.exeC:\Windows\system32\Hcdnhoac.exe77⤵PID:2148
-
C:\Windows\SysWOW64\Hgpjhn32.exeC:\Windows\system32\Hgpjhn32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2444 -
C:\Windows\SysWOW64\Hnjbeh32.exeC:\Windows\system32\Hnjbeh32.exe79⤵
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Hahnac32.exeC:\Windows\system32\Hahnac32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:904 -
C:\Windows\SysWOW64\Hpkompgg.exeC:\Windows\system32\Hpkompgg.exe81⤵PID:688
-
C:\Windows\SysWOW64\Hgbfnngi.exeC:\Windows\system32\Hgbfnngi.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3056 -
C:\Windows\SysWOW64\Hjacjifm.exeC:\Windows\system32\Hjacjifm.exe83⤵PID:1592
-
C:\Windows\SysWOW64\Hmoofdea.exeC:\Windows\system32\Hmoofdea.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2940 -
C:\Windows\SysWOW64\Hpnkbpdd.exeC:\Windows\system32\Hpnkbpdd.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2816 -
C:\Windows\SysWOW64\Hifpke32.exeC:\Windows\system32\Hifpke32.exe86⤵PID:2364
-
C:\Windows\SysWOW64\Hldlga32.exeC:\Windows\system32\Hldlga32.exe87⤵PID:2676
-
C:\Windows\SysWOW64\Hldlga32.exeC:\Windows\system32\Hldlga32.exe88⤵PID:2696
-
C:\Windows\SysWOW64\Hpphhp32.exeC:\Windows\system32\Hpphhp32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1116 -
C:\Windows\SysWOW64\Hcldhnkk.exeC:\Windows\system32\Hcldhnkk.exe90⤵PID:2860
-
C:\Windows\SysWOW64\Hfjpdjjo.exeC:\Windows\system32\Hfjpdjjo.exe91⤵PID:1164
-
C:\Windows\SysWOW64\Hemqpf32.exeC:\Windows\system32\Hemqpf32.exe92⤵PID:2176
-
C:\Windows\SysWOW64\Hlgimqhf.exeC:\Windows\system32\Hlgimqhf.exe93⤵PID:2192
-
C:\Windows\SysWOW64\Hpbdmo32.exeC:\Windows\system32\Hpbdmo32.exe94⤵PID:1140
-
C:\Windows\SysWOW64\Hneeilgj.exeC:\Windows\system32\Hneeilgj.exe95⤵PID:2660
-
C:\Windows\SysWOW64\Hbaaik32.exeC:\Windows\system32\Hbaaik32.exe96⤵PID:1084
-
C:\Windows\SysWOW64\Iflmjihl.exeC:\Windows\system32\Iflmjihl.exe97⤵
- Drops file in System32 directory
PID:692 -
C:\Windows\SysWOW64\Iikifegp.exeC:\Windows\system32\Iikifegp.exe98⤵PID:1728
-
C:\Windows\SysWOW64\Ihniaa32.exeC:\Windows\system32\Ihniaa32.exe99⤵PID:1596
-
C:\Windows\SysWOW64\Iliebpfc.exeC:\Windows\system32\Iliebpfc.exe100⤵
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Ipeaco32.exeC:\Windows\system32\Ipeaco32.exe101⤵
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Inhanl32.exeC:\Windows\system32\Inhanl32.exe102⤵PID:2376
-
C:\Windows\SysWOW64\Ieajkfmd.exeC:\Windows\system32\Ieajkfmd.exe103⤵
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\Iimfld32.exeC:\Windows\system32\Iimfld32.exe104⤵PID:1788
-
C:\Windows\SysWOW64\Illbhp32.exeC:\Windows\system32\Illbhp32.exe105⤵
- Drops file in System32 directory
PID:2308 -
C:\Windows\SysWOW64\Injndk32.exeC:\Windows\system32\Injndk32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:840 -
C:\Windows\SysWOW64\Iahkpg32.exeC:\Windows\system32\Iahkpg32.exe107⤵PID:2140
-
C:\Windows\SysWOW64\Idgglb32.exeC:\Windows\system32\Idgglb32.exe108⤵PID:644
-
C:\Windows\SysWOW64\Ilnomp32.exeC:\Windows\system32\Ilnomp32.exe109⤵PID:1772
-
C:\Windows\SysWOW64\Ijqoilii.exeC:\Windows\system32\Ijqoilii.exe110⤵PID:2532
-
C:\Windows\SysWOW64\Imokehhl.exeC:\Windows\system32\Imokehhl.exe111⤵
- Drops file in System32 directory
PID:340 -
C:\Windows\SysWOW64\Iefcfe32.exeC:\Windows\system32\Iefcfe32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2740 -
C:\Windows\SysWOW64\Ihdpbq32.exeC:\Windows\system32\Ihdpbq32.exe113⤵PID:2768
-
C:\Windows\SysWOW64\Ijclol32.exeC:\Windows\system32\Ijclol32.exe114⤵PID:2608
-
C:\Windows\SysWOW64\Ippdgc32.exeC:\Windows\system32\Ippdgc32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1700 -
C:\Windows\SysWOW64\Idkpganf.exeC:\Windows\system32\Idkpganf.exe116⤵PID:1664
-
C:\Windows\SysWOW64\Iihiphln.exeC:\Windows\system32\Iihiphln.exe117⤵
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Jaoqqflp.exeC:\Windows\system32\Jaoqqflp.exe118⤵PID:1560
-
C:\Windows\SysWOW64\Jbqmhnbo.exeC:\Windows\system32\Jbqmhnbo.exe119⤵
- Drops file in System32 directory
PID:1892 -
C:\Windows\SysWOW64\Jkhejkcq.exeC:\Windows\system32\Jkhejkcq.exe120⤵
- Modifies registry class
PID:1096 -
C:\Windows\SysWOW64\Jliaac32.exeC:\Windows\system32\Jliaac32.exe121⤵PID:2220
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-