Analysis
-
max time kernel
93s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
08-07-2024 04:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d0d736a35a250d1e230c097fd70c9a73d793f9dbb986e8c11e92ee15587d2fba.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
d0d736a35a250d1e230c097fd70c9a73d793f9dbb986e8c11e92ee15587d2fba.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
d0d736a35a250d1e230c097fd70c9a73d793f9dbb986e8c11e92ee15587d2fba.exe
-
Size
89KB
-
MD5
789bcb361da0b77d436586949b658b4d
-
SHA1
909e8d7f48abd328801e4ce7f538acb8458ba285
-
SHA256
d0d736a35a250d1e230c097fd70c9a73d793f9dbb986e8c11e92ee15587d2fba
-
SHA512
9b70295d7bd85d09a9af580f58f966efa373d69223387fe8e37c7cf30252ee757286aaccec5eada7a53ea533adb019854f3c33f31f5bb13553e471428a12361f
-
SSDEEP
1536:jqKUmaZkVfIrWQLvilUNX7JFDMQ7CcXlExkg8F:MuVfIHzilq7L7CcXlakgw
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" d0d736a35a250d1e230c097fd70c9a73d793f9dbb986e8c11e92ee15587d2fba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohmhmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhegig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgflcifg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjpjgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddmhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jqglkmlj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knkekn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckfphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfglfdkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmphaaln.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfendmoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhmofj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efjbcakl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojqcnhkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdojjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Boihcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ampaho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmdkcnie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mehcdfch.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akepfpcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gidnkkpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nopfpgip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnbeeiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpacqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glipgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Koaagkcb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caageq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckggnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hammhcij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gikkfqmf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgninn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdfehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Affikdfn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddmhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpfjma32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibmeoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dafppp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppgomnai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckhecmcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnepna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlfqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpkdjofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohghgodi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkdcbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhbcfbjk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckhecmcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adjjeieh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioolkncg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogjdmbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dojqjdbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Geoapenf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bokehc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfldelik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkeldnpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmgabcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghojbq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfnhfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jepjhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iehmmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajmladbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eajlhg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oondnini.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmhand32.exe -
Executes dropped EXE 64 IoCs
pid Process 2164 Diffglam.exe 532 Dpckjfgg.exe 3332 Eplnpeol.exe 2488 Empoiimf.exe 1076 Ealkjh32.exe 1496 Ehfcfb32.exe 4288 Embkoi32.exe 3824 Efkphnbd.exe 472 Efmmmn32.exe 1904 Fhmigagd.exe 2600 Fdcjlb32.exe 5032 Fknbil32.exe 3164 Fhabbp32.exe 3100 Fajgkfio.exe 3064 Fhdohp32.exe 2704 Fhflnpoi.exe 2168 Gpaqbbld.exe 2088 Gijekg32.exe 2908 Ghkeio32.exe 2660 Gpfjma32.exe 1504 Ginnfgop.exe 2740 Ggbook32.exe 3252 Gdfoio32.exe 4912 Hnodaecc.exe 3000 Hhdhon32.exe 4884 Hammhcij.exe 3540 Hjhalefe.exe 2780 Hpbiip32.exe 1208 Haafcb32.exe 2432 Hhknpmma.exe 1804 Idbodn32.exe 1048 Injcmc32.exe 1600 Ihphkl32.exe 4020 Inmpcc32.exe 2528 Iqklon32.exe 1344 Ikqqlgem.exe 3536 Iakiia32.exe 2504 Ikcmbfcj.exe 372 Ibmeoq32.exe 3512 Ikejgf32.exe 1068 Jdnoplhh.exe 3764 Jkhgmf32.exe 1456 Jgogbgei.exe 4444 Jqglkmlj.exe 3028 Jklphekp.exe 2140 Jgcamf32.exe 2232 Jjamia32.exe 4304 Jdgafjpn.exe 3940 Jjdjoane.exe 2508 Kqnbkl32.exe 828 Kkcfid32.exe 3580 Kqpoakco.exe 3096 Kkfcndce.exe 2108 Kqbkfkal.exe 1528 Kjkpoq32.exe 4368 Kgopidgf.exe 4240 Kgamnded.exe 1936 Knkekn32.exe 2860 Lkofdbkj.exe 4600 Lbinam32.exe 3448 Lgffic32.exe 2104 Lejgch32.exe 4592 Lldopb32.exe 2776 Lelchgne.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jjdjoane.exe Jdgafjpn.exe File opened for modification C:\Windows\SysWOW64\Jblmgf32.exe Jpnakk32.exe File opened for modification C:\Windows\SysWOW64\Fhabbp32.exe Fknbil32.exe File opened for modification C:\Windows\SysWOW64\Aaldccip.exe Ahdpjn32.exe File created C:\Windows\SysWOW64\Lomjicei.exe Lhcali32.exe File created C:\Windows\SysWOW64\Bhhiemoj.exe Amcehdod.exe File opened for modification C:\Windows\SysWOW64\Ihphkl32.exe Injcmc32.exe File opened for modification C:\Windows\SysWOW64\Eplgeokq.exe Efccmidp.exe File created C:\Windows\SysWOW64\Keldkigj.dll Oejbfmpg.exe File opened for modification C:\Windows\SysWOW64\Lopmii32.exe Lnoaaaad.exe File created C:\Windows\SysWOW64\Mfqlfb32.exe Mnegbp32.exe File created C:\Windows\SysWOW64\Gdaociml.exe Gikkfqmf.exe File created C:\Windows\SysWOW64\Bhlkdj32.dll Popbpqjh.exe File opened for modification C:\Windows\SysWOW64\Bpkdjofm.exe Boihcf32.exe File opened for modification C:\Windows\SysWOW64\Pmhbqbae.exe Pjjfdfbb.exe File created C:\Windows\SysWOW64\Fnalmh32.exe Fkcpql32.exe File created C:\Windows\SysWOW64\Kpdahg32.dll Hhdhon32.exe File created C:\Windows\SysWOW64\Pcobaedj.exe Pkhjph32.exe File opened for modification C:\Windows\SysWOW64\Efkphnbd.exe Embkoi32.exe File opened for modification C:\Windows\SysWOW64\Fpkibf32.exe Fmmmfj32.exe File opened for modification C:\Windows\SysWOW64\Gifkpknp.exe Gnqfcbnj.exe File created C:\Windows\SysWOW64\Dbocfo32.exe Ddkbmj32.exe File opened for modification C:\Windows\SysWOW64\Hnphoj32.exe Hlblcn32.exe File created C:\Windows\SysWOW64\Efkphnbd.exe Embkoi32.exe File created C:\Windows\SysWOW64\Cdbcfp32.dll Jcgnbaeo.exe File created C:\Windows\SysWOW64\Pejkmk32.exe Popbpqjh.exe File opened for modification C:\Windows\SysWOW64\Imkbnf32.exe Ibfnqmpf.exe File created C:\Windows\SysWOW64\Bbikhdcm.dll Paeelgnj.exe File created C:\Windows\SysWOW64\Eaceghcg.exe Egnajocq.exe File created C:\Windows\SysWOW64\Majjng32.exe Miofjepg.exe File opened for modification C:\Windows\SysWOW64\Fbfcmhpg.exe Fllkqn32.exe File created C:\Windows\SysWOW64\Lpmbai32.dll Aonoao32.exe File opened for modification C:\Windows\SysWOW64\Flmqlg32.exe Fiodpl32.exe File opened for modification C:\Windows\SysWOW64\Affikdfn.exe Adgmoigj.exe File created C:\Windows\SysWOW64\Ipecicga.dll Bbdpad32.exe File created C:\Windows\SysWOW64\Dfmioc32.dll Eidlnd32.exe File created C:\Windows\SysWOW64\Paelfmaf.exe Okkdic32.exe File created C:\Windows\SysWOW64\Dheibpje.exe Dfglfdkb.exe File opened for modification C:\Windows\SysWOW64\Chfegk32.exe Cammjakm.exe File opened for modification C:\Windows\SysWOW64\Hajkqfoe.exe Hlmchoan.exe File created C:\Windows\SysWOW64\Kjkpoq32.exe Kqbkfkal.exe File opened for modification C:\Windows\SysWOW64\Bhamkipi.exe Bbgeno32.exe File opened for modification C:\Windows\SysWOW64\Ohmhmh32.exe Oacoqnci.exe File created C:\Windows\SysWOW64\Nfnamjhk.exe Ncpeaoih.exe File created C:\Windows\SysWOW64\Ggebqoki.dll Fhmigagd.exe File opened for modification C:\Windows\SysWOW64\Jhgiim32.exe Iehmmb32.exe File opened for modification C:\Windows\SysWOW64\Gejhef32.exe Gpmomo32.exe File opened for modification C:\Windows\SysWOW64\Hejqldci.exe Hnphoj32.exe File created C:\Windows\SysWOW64\Ieicjl32.dll Jocnlg32.exe File created C:\Windows\SysWOW64\Klkkgm32.dll Ikcmbfcj.exe File created C:\Windows\SysWOW64\Jepjhg32.exe Jofalmmp.exe File opened for modification C:\Windows\SysWOW64\Koaagkcb.exe Klcekpdo.exe File opened for modification C:\Windows\SysWOW64\Ncchae32.exe Nmipdk32.exe File created C:\Windows\SysWOW64\Dgcihgaj.exe Dafppp32.exe File created C:\Windows\SysWOW64\Lhnoigkk.dll Opbean32.exe File created C:\Windows\SysWOW64\Abcgjg32.exe Qikbaaml.exe File opened for modification C:\Windows\SysWOW64\Fknbil32.exe Fdcjlb32.exe File opened for modification C:\Windows\SysWOW64\Geaepk32.exe Glipgf32.exe File opened for modification C:\Windows\SysWOW64\Pbhgoh32.exe Pafkgphl.exe File created C:\Windows\SysWOW64\Kkpbin32.exe Jlobkg32.exe File created C:\Windows\SysWOW64\Gidnkkpc.exe Gehbjm32.exe File created C:\Windows\SysWOW64\Jekqmhia.exe Joahqn32.exe File created C:\Windows\SysWOW64\Emkbpmep.dll Nfqnbjfi.exe File created C:\Windows\SysWOW64\Bgelgi32.exe Bpkdjofm.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6436 11960 WerFault.exe 844 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpkmal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ampaho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdcjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lmgabcge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dijbno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eecphp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbocfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcdihk32.dll" Fdnhih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nbnlaldg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pakllc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enhodk32.dll" Anmfbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egohdegl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chlcgfff.dll" Ojgjndno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fnipbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlohlk32.dll" Amcehdod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmhdkknd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aknbkjfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Acokhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Elnoopdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmbmkpie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflbhhom.dll" Ffceip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dblamanm.dll" Pafkgphl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajmladbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbgpnkdm.dll" Nobdbkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oifeab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dckoia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lnoaaaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnblldi.dll" Hhaggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpopgneq.dll" Nknobkje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cfbcke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kekbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fffhifdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aknhkd32.dll" Gehbjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nolgijpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhahnbj.dll" Glgjlm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdfoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acankf32.dll" Ddkbmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kljibbol.dll" Bfendmoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odcfhh32.dll" Gjfnedho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Neclenfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amjillkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aadghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajlgckkf.dll" Oafcqcea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Piijno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amcehdod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebifmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Acccdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Inmpcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kqpoakco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjecpkcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmjaa32.dll" Eppqqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbdlf32.dll" Lcimdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lopmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgihjf32.dll" Dpkmal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gnblnlhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kqbkfkal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Camfoh32.dll" Lbpdblmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmedjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgkkkcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdpjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjaabq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ginnfgop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmjemflb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncchae32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2664 wrote to memory of 2164 2664 d0d736a35a250d1e230c097fd70c9a73d793f9dbb986e8c11e92ee15587d2fba.exe 83 PID 2664 wrote to memory of 2164 2664 d0d736a35a250d1e230c097fd70c9a73d793f9dbb986e8c11e92ee15587d2fba.exe 83 PID 2664 wrote to memory of 2164 2664 d0d736a35a250d1e230c097fd70c9a73d793f9dbb986e8c11e92ee15587d2fba.exe 83 PID 2164 wrote to memory of 532 2164 Diffglam.exe 85 PID 2164 wrote to memory of 532 2164 Diffglam.exe 85 PID 2164 wrote to memory of 532 2164 Diffglam.exe 85 PID 532 wrote to memory of 3332 532 Dpckjfgg.exe 86 PID 532 wrote to memory of 3332 532 Dpckjfgg.exe 86 PID 532 wrote to memory of 3332 532 Dpckjfgg.exe 86 PID 3332 wrote to memory of 2488 3332 Eplnpeol.exe 87 PID 3332 wrote to memory of 2488 3332 Eplnpeol.exe 87 PID 3332 wrote to memory of 2488 3332 Eplnpeol.exe 87 PID 2488 wrote to memory of 1076 2488 Empoiimf.exe 88 PID 2488 wrote to memory of 1076 2488 Empoiimf.exe 88 PID 2488 wrote to memory of 1076 2488 Empoiimf.exe 88 PID 1076 wrote to memory of 1496 1076 Ealkjh32.exe 89 PID 1076 wrote to memory of 1496 1076 Ealkjh32.exe 89 PID 1076 wrote to memory of 1496 1076 Ealkjh32.exe 89 PID 1496 wrote to memory of 4288 1496 Ehfcfb32.exe 90 PID 1496 wrote to memory of 4288 1496 Ehfcfb32.exe 90 PID 1496 wrote to memory of 4288 1496 Ehfcfb32.exe 90 PID 4288 wrote to memory of 3824 4288 Embkoi32.exe 91 PID 4288 wrote to memory of 3824 4288 Embkoi32.exe 91 PID 4288 wrote to memory of 3824 4288 Embkoi32.exe 91 PID 3824 wrote to memory of 472 3824 Efkphnbd.exe 93 PID 3824 wrote to memory of 472 3824 Efkphnbd.exe 93 PID 3824 wrote to memory of 472 3824 Efkphnbd.exe 93 PID 472 wrote to memory of 1904 472 Efmmmn32.exe 94 PID 472 wrote to memory of 1904 472 Efmmmn32.exe 94 PID 472 wrote to memory of 1904 472 Efmmmn32.exe 94 PID 1904 wrote to memory of 2600 1904 Fhmigagd.exe 95 PID 1904 wrote to memory of 2600 1904 Fhmigagd.exe 95 PID 1904 wrote to memory of 2600 1904 Fhmigagd.exe 95 PID 2600 wrote to memory of 5032 2600 Fdcjlb32.exe 96 PID 2600 wrote to memory of 5032 2600 Fdcjlb32.exe 96 PID 2600 wrote to memory of 5032 2600 Fdcjlb32.exe 96 PID 5032 wrote to memory of 3164 5032 Fknbil32.exe 97 PID 5032 wrote to memory of 3164 5032 Fknbil32.exe 97 PID 5032 wrote to memory of 3164 5032 Fknbil32.exe 97 PID 3164 wrote to memory of 3100 3164 Fhabbp32.exe 98 PID 3164 wrote to memory of 3100 3164 Fhabbp32.exe 98 PID 3164 wrote to memory of 3100 3164 Fhabbp32.exe 98 PID 3100 wrote to memory of 3064 3100 Fajgkfio.exe 99 PID 3100 wrote to memory of 3064 3100 Fajgkfio.exe 99 PID 3100 wrote to memory of 3064 3100 Fajgkfio.exe 99 PID 3064 wrote to memory of 2704 3064 Fhdohp32.exe 100 PID 3064 wrote to memory of 2704 3064 Fhdohp32.exe 100 PID 3064 wrote to memory of 2704 3064 Fhdohp32.exe 100 PID 2704 wrote to memory of 2168 2704 Fhflnpoi.exe 101 PID 2704 wrote to memory of 2168 2704 Fhflnpoi.exe 101 PID 2704 wrote to memory of 2168 2704 Fhflnpoi.exe 101 PID 2168 wrote to memory of 2088 2168 Gpaqbbld.exe 102 PID 2168 wrote to memory of 2088 2168 Gpaqbbld.exe 102 PID 2168 wrote to memory of 2088 2168 Gpaqbbld.exe 102 PID 2088 wrote to memory of 2908 2088 Gijekg32.exe 103 PID 2088 wrote to memory of 2908 2088 Gijekg32.exe 103 PID 2088 wrote to memory of 2908 2088 Gijekg32.exe 103 PID 2908 wrote to memory of 2660 2908 Ghkeio32.exe 104 PID 2908 wrote to memory of 2660 2908 Ghkeio32.exe 104 PID 2908 wrote to memory of 2660 2908 Ghkeio32.exe 104 PID 2660 wrote to memory of 1504 2660 Gpfjma32.exe 105 PID 2660 wrote to memory of 1504 2660 Gpfjma32.exe 105 PID 2660 wrote to memory of 1504 2660 Gpfjma32.exe 105 PID 1504 wrote to memory of 2740 1504 Ginnfgop.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\d0d736a35a250d1e230c097fd70c9a73d793f9dbb986e8c11e92ee15587d2fba.exe"C:\Users\Admin\AppData\Local\Temp\d0d736a35a250d1e230c097fd70c9a73d793f9dbb986e8c11e92ee15587d2fba.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Dpckjfgg.exeC:\Windows\system32\Dpckjfgg.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\SysWOW64\Eplnpeol.exeC:\Windows\system32\Eplnpeol.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
C:\Windows\SysWOW64\Empoiimf.exeC:\Windows\system32\Empoiimf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Ealkjh32.exeC:\Windows\system32\Ealkjh32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\SysWOW64\Ehfcfb32.exeC:\Windows\system32\Ehfcfb32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Embkoi32.exeC:\Windows\system32\Embkoi32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Windows\SysWOW64\Efkphnbd.exeC:\Windows\system32\Efkphnbd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824 -
C:\Windows\SysWOW64\Efmmmn32.exeC:\Windows\system32\Efmmmn32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:472 -
C:\Windows\SysWOW64\Fhmigagd.exeC:\Windows\system32\Fhmigagd.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Fdcjlb32.exeC:\Windows\system32\Fdcjlb32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Fknbil32.exeC:\Windows\system32\Fknbil32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Fhabbp32.exeC:\Windows\system32\Fhabbp32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
C:\Windows\SysWOW64\Fajgkfio.exeC:\Windows\system32\Fajgkfio.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Windows\SysWOW64\Fhdohp32.exeC:\Windows\system32\Fhdohp32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Fhflnpoi.exeC:\Windows\system32\Fhflnpoi.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Gpaqbbld.exeC:\Windows\system32\Gpaqbbld.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Gijekg32.exeC:\Windows\system32\Gijekg32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Ghkeio32.exeC:\Windows\system32\Ghkeio32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Gpfjma32.exeC:\Windows\system32\Gpfjma32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Ggbook32.exeC:\Windows\system32\Ggbook32.exe23⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Gdfoio32.exeC:\Windows\system32\Gdfoio32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:3252 -
C:\Windows\SysWOW64\Hnodaecc.exeC:\Windows\system32\Hnodaecc.exe25⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Hhdhon32.exeC:\Windows\system32\Hhdhon32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3000 -
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Hjhalefe.exeC:\Windows\system32\Hjhalefe.exe28⤵
- Executes dropped EXE
PID:3540 -
C:\Windows\SysWOW64\Hpbiip32.exeC:\Windows\system32\Hpbiip32.exe29⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Haafcb32.exeC:\Windows\system32\Haafcb32.exe30⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Hhknpmma.exeC:\Windows\system32\Hhknpmma.exe31⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Idbodn32.exeC:\Windows\system32\Idbodn32.exe32⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Injcmc32.exeC:\Windows\system32\Injcmc32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1048 -
C:\Windows\SysWOW64\Ihphkl32.exeC:\Windows\system32\Ihphkl32.exe34⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Inmpcc32.exeC:\Windows\system32\Inmpcc32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:4020 -
C:\Windows\SysWOW64\Iqklon32.exeC:\Windows\system32\Iqklon32.exe36⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Ikqqlgem.exeC:\Windows\system32\Ikqqlgem.exe37⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Iakiia32.exeC:\Windows\system32\Iakiia32.exe38⤵
- Executes dropped EXE
PID:3536 -
C:\Windows\SysWOW64\Ikcmbfcj.exeC:\Windows\system32\Ikcmbfcj.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Ibmeoq32.exeC:\Windows\system32\Ibmeoq32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:372 -
C:\Windows\SysWOW64\Ikejgf32.exeC:\Windows\system32\Ikejgf32.exe41⤵
- Executes dropped EXE
PID:3512 -
C:\Windows\SysWOW64\Jdnoplhh.exeC:\Windows\system32\Jdnoplhh.exe42⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Jkhgmf32.exeC:\Windows\system32\Jkhgmf32.exe43⤵
- Executes dropped EXE
PID:3764 -
C:\Windows\SysWOW64\Jgogbgei.exeC:\Windows\system32\Jgogbgei.exe44⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Jklphekp.exeC:\Windows\system32\Jklphekp.exe46⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Jgcamf32.exeC:\Windows\system32\Jgcamf32.exe47⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe48⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Jdgafjpn.exeC:\Windows\system32\Jdgafjpn.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4304 -
C:\Windows\SysWOW64\Jjdjoane.exeC:\Windows\system32\Jjdjoane.exe50⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Kqnbkl32.exeC:\Windows\system32\Kqnbkl32.exe51⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Kkcfid32.exeC:\Windows\system32\Kkcfid32.exe52⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Kqpoakco.exeC:\Windows\system32\Kqpoakco.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:3580 -
C:\Windows\SysWOW64\Kkfcndce.exeC:\Windows\system32\Kkfcndce.exe54⤵
- Executes dropped EXE
PID:3096 -
C:\Windows\SysWOW64\Kqbkfkal.exeC:\Windows\system32\Kqbkfkal.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Kjkpoq32.exeC:\Windows\system32\Kjkpoq32.exe56⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Kgopidgf.exeC:\Windows\system32\Kgopidgf.exe57⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Kgamnded.exeC:\Windows\system32\Kgamnded.exe58⤵
- Executes dropped EXE
PID:4240 -
C:\Windows\SysWOW64\Knkekn32.exeC:\Windows\system32\Knkekn32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Lkofdbkj.exeC:\Windows\system32\Lkofdbkj.exe60⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Lbinam32.exeC:\Windows\system32\Lbinam32.exe61⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Lgffic32.exeC:\Windows\system32\Lgffic32.exe62⤵
- Executes dropped EXE
PID:3448 -
C:\Windows\SysWOW64\Lejgch32.exeC:\Windows\system32\Lejgch32.exe63⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe64⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe65⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Lbpdblmo.exeC:\Windows\system32\Lbpdblmo.exe66⤵
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Lhmmjbkf.exeC:\Windows\system32\Lhmmjbkf.exe67⤵PID:4192
-
C:\Windows\SysWOW64\Mngegmbc.exeC:\Windows\system32\Mngegmbc.exe68⤵PID:2956
-
C:\Windows\SysWOW64\Mhoipb32.exeC:\Windows\system32\Mhoipb32.exe69⤵PID:2136
-
C:\Windows\SysWOW64\Mniallpq.exeC:\Windows\system32\Mniallpq.exe70⤵PID:5096
-
C:\Windows\SysWOW64\Miofjepg.exeC:\Windows\system32\Miofjepg.exe71⤵
- Drops file in System32 directory
PID:4664 -
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe72⤵PID:3848
-
C:\Windows\SysWOW64\Miaboe32.exeC:\Windows\system32\Miaboe32.exe73⤵PID:4740
-
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe74⤵PID:1808
-
C:\Windows\SysWOW64\Mehcdfch.exeC:\Windows\system32\Mehcdfch.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4920 -
C:\Windows\SysWOW64\Mlbkap32.exeC:\Windows\system32\Mlbkap32.exe76⤵PID:4988
-
C:\Windows\SysWOW64\Mejpje32.exeC:\Windows\system32\Mejpje32.exe77⤵PID:5036
-
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe78⤵PID:2328
-
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe79⤵
- Modifies registry class
PID:3564 -
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe80⤵PID:1988
-
C:\Windows\SysWOW64\Nhmeapmd.exeC:\Windows\system32\Nhmeapmd.exe81⤵PID:1628
-
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe82⤵PID:4564
-
C:\Windows\SysWOW64\Nknobkje.exeC:\Windows\system32\Nknobkje.exe83⤵
- Modifies registry class
PID:1064 -
C:\Windows\SysWOW64\Nolgijpk.exeC:\Windows\system32\Nolgijpk.exe84⤵
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Nefped32.exeC:\Windows\system32\Nefped32.exe85⤵PID:1392
-
C:\Windows\SysWOW64\Oondnini.exeC:\Windows\system32\Oondnini.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:536 -
C:\Windows\SysWOW64\Ohghgodi.exeC:\Windows\system32\Ohghgodi.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3496 -
C:\Windows\SysWOW64\Oifeab32.exeC:\Windows\system32\Oifeab32.exe88⤵
- Modifies registry class
PID:3684 -
C:\Windows\SysWOW64\Oaajed32.exeC:\Windows\system32\Oaajed32.exe89⤵PID:4360
-
C:\Windows\SysWOW64\Ohkbbn32.exeC:\Windows\system32\Ohkbbn32.exe90⤵PID:4144
-
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe91⤵PID:4924
-
C:\Windows\SysWOW64\Oiknlagg.exeC:\Windows\system32\Oiknlagg.exe92⤵PID:5136
-
C:\Windows\SysWOW64\Oklkdi32.exeC:\Windows\system32\Oklkdi32.exe93⤵PID:5180
-
C:\Windows\SysWOW64\Oafcqcea.exeC:\Windows\system32\Oafcqcea.exe94⤵
- Modifies registry class
PID:5224 -
C:\Windows\SysWOW64\Pllgnl32.exeC:\Windows\system32\Pllgnl32.exe95⤵PID:5268
-
C:\Windows\SysWOW64\Pahpfc32.exeC:\Windows\system32\Pahpfc32.exe96⤵PID:5308
-
C:\Windows\SysWOW64\Piphgq32.exeC:\Windows\system32\Piphgq32.exe97⤵PID:5356
-
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe98⤵
- Modifies registry class
PID:5400 -
C:\Windows\SysWOW64\Phedhmhi.exeC:\Windows\system32\Phedhmhi.exe99⤵PID:5444
-
C:\Windows\SysWOW64\Pkcadhgm.exeC:\Windows\system32\Pkcadhgm.exe100⤵PID:5488
-
C:\Windows\SysWOW64\Peieba32.exeC:\Windows\system32\Peieba32.exe101⤵PID:5532
-
C:\Windows\SysWOW64\Pkenjh32.exeC:\Windows\system32\Pkenjh32.exe102⤵PID:5576
-
C:\Windows\SysWOW64\Pekbga32.exeC:\Windows\system32\Pekbga32.exe103⤵PID:5620
-
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe104⤵
- Drops file in System32 directory
PID:5664 -
C:\Windows\SysWOW64\Pcobaedj.exeC:\Windows\system32\Pcobaedj.exe105⤵PID:5708
-
C:\Windows\SysWOW64\Piijno32.exeC:\Windows\system32\Piijno32.exe106⤵
- Modifies registry class
PID:5752 -
C:\Windows\SysWOW64\Qkjgegae.exeC:\Windows\system32\Qkjgegae.exe107⤵PID:5796
-
C:\Windows\SysWOW64\Qadoba32.exeC:\Windows\system32\Qadoba32.exe108⤵PID:5844
-
C:\Windows\SysWOW64\Qhngolpo.exeC:\Windows\system32\Qhngolpo.exe109⤵PID:5884
-
C:\Windows\SysWOW64\Qcclld32.exeC:\Windows\system32\Qcclld32.exe110⤵PID:5932
-
C:\Windows\SysWOW64\Ahqddk32.exeC:\Windows\system32\Ahqddk32.exe111⤵PID:5976
-
C:\Windows\SysWOW64\Aeddnp32.exeC:\Windows\system32\Aeddnp32.exe112⤵PID:6016
-
C:\Windows\SysWOW64\Akamff32.exeC:\Windows\system32\Akamff32.exe113⤵PID:6064
-
C:\Windows\SysWOW64\Alqjpi32.exeC:\Windows\system32\Alqjpi32.exe114⤵PID:6108
-
C:\Windows\SysWOW64\Ajdjin32.exeC:\Windows\system32\Ajdjin32.exe115⤵PID:5128
-
C:\Windows\SysWOW64\Aoabad32.exeC:\Windows\system32\Aoabad32.exe116⤵PID:5176
-
C:\Windows\SysWOW64\Ajggomog.exeC:\Windows\system32\Ajggomog.exe117⤵PID:5260
-
C:\Windows\SysWOW64\Acokhc32.exeC:\Windows\system32\Acokhc32.exe118⤵
- Modifies registry class
PID:5320 -
C:\Windows\SysWOW64\Bkkple32.exeC:\Windows\system32\Bkkple32.exe119⤵PID:5384
-
C:\Windows\SysWOW64\Bjlpjm32.exeC:\Windows\system32\Bjlpjm32.exe120⤵PID:5452
-
C:\Windows\SysWOW64\Bkmmaeap.exeC:\Windows\system32\Bkmmaeap.exe121⤵PID:5520
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-