Analysis
-
max time kernel
142s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
09/07/2024, 04:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b850568c18aa2a4e4d144aa5c531e1cd66e0a172cb89799eae5295820acbc58c.exe
Resource
win7-20240705-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
b850568c18aa2a4e4d144aa5c531e1cd66e0a172cb89799eae5295820acbc58c.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
b850568c18aa2a4e4d144aa5c531e1cd66e0a172cb89799eae5295820acbc58c.exe
-
Size
256KB
-
MD5
e50ab27d5c9f59bf8b51a9563c6d9689
-
SHA1
c8f7a7ef492fbc3dc71ab3b74ed3bfbf22e463d5
-
SHA256
b850568c18aa2a4e4d144aa5c531e1cd66e0a172cb89799eae5295820acbc58c
-
SHA512
f04ca0b278a3e1519f8fab71336306649b8c62aef7b69a884bedff45bc1661f23a1a76d72abcb12f0bd78ea17d7f255bfc02f06b0788fe77cff2ba8df815ae6c
-
SSDEEP
6144:bEx2g7+tHNIsPaEMSTYaT15f7o+STYaT15fAK8yL:bEx2g7+tyyTYapJoTYapz8yL
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qiioon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnghel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adlcfjgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfahomfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkhejkcq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmbmeifk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmpbdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acfmcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkhhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boljgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckhdggom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idgglb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgfjhcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piicpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkiicmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qiioon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkhhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfhgpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfmndn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njfjnpgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oadkej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aomnhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Locjhqpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epmfgo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eddeladm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iahkpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kekiphge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lclicpkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfahomfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmmmfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldpbpgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojmpooah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pidfdofi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmbgfkje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcgphp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpnkbpdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbqmhnbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmbmeifk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nenkqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmmmfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbefcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbfook32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnmpdlac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfjann32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjfnomde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnaooi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lclicpkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hemqpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idkpganf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpnmgdli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfkeokjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnoiio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bieopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnacpffh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oibmpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlnklcej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paiaplin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmkeke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnflke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fogibnha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnjbeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnjcomcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfdddm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oabkom32.exe -
Executes dropped EXE 64 IoCs
pid Process 2412 Dhiomn32.exe 2896 Daacecfc.exe 600 Dkigoimd.exe 2800 Ddblgn32.exe 2848 Dogpdg32.exe 864 Dddimn32.exe 2656 Dmmmfc32.exe 2348 Dgeaoinb.exe 2100 Epmfgo32.exe 2564 Eiekpd32.exe 1492 Ecnoijbd.exe 2080 Elfcbo32.exe 2220 Eacljf32.exe 2436 Eklqcl32.exe 1624 Eddeladm.exe 3024 Eaheeecg.exe 536 Fajbke32.exe 860 Fhdjgoha.exe 964 Fggkcl32.exe 1872 Fnacpffh.exe 2260 Fcnkhmdp.exe 596 Fkecij32.exe 652 Flfpabkp.exe 1552 Fdmhbplb.exe 2424 Ffodjh32.exe 2744 Fnflke32.exe 2884 Fogibnha.exe 2724 Fjlmpfhg.exe 2680 Gceailog.exe 1816 Gmmfaa32.exe 2940 Gbjojh32.exe 2028 Gdhkfd32.exe 1460 Gkbcbn32.exe 2928 Gnaooi32.exe 2152 Gfhgpg32.exe 3048 Gdkgkcpq.exe 1304 Gkephn32.exe 1084 Gbohehoj.exe 448 Gqahqd32.exe 1992 Giipab32.exe 1688 Gkglnm32.exe 2156 Gneijien.exe 1604 Gqdefddb.exe 2264 Gepafc32.exe 2420 Hkiicmdh.exe 1948 Hjlioj32.exe 2388 Hmkeke32.exe 2496 Hebnlb32.exe 2824 Hgpjhn32.exe 2780 Hfcjdkpg.exe 2148 Hnjbeh32.exe 1508 Hahnac32.exe 1660 Hcgjmo32.exe 2912 Hgbfnngi.exe 2676 Hfegij32.exe 1724 Hidcef32.exe 588 Hpnkbpdd.exe 2204 Hcigco32.exe 408 Hblgnkdh.exe 716 Hifpke32.exe 1876 Hldlga32.exe 1536 Hcldhnkk.exe 1856 Hboddk32.exe 2276 Hemqpf32.exe -
Loads dropped DLL 64 IoCs
pid Process 2400 b850568c18aa2a4e4d144aa5c531e1cd66e0a172cb89799eae5295820acbc58c.exe 2400 b850568c18aa2a4e4d144aa5c531e1cd66e0a172cb89799eae5295820acbc58c.exe 2412 Dhiomn32.exe 2412 Dhiomn32.exe 2896 Daacecfc.exe 2896 Daacecfc.exe 600 Dkigoimd.exe 600 Dkigoimd.exe 2800 Ddblgn32.exe 2800 Ddblgn32.exe 2848 Dogpdg32.exe 2848 Dogpdg32.exe 864 Dddimn32.exe 864 Dddimn32.exe 2656 Dmmmfc32.exe 2656 Dmmmfc32.exe 2348 Dgeaoinb.exe 2348 Dgeaoinb.exe 2100 Epmfgo32.exe 2100 Epmfgo32.exe 2564 Eiekpd32.exe 2564 Eiekpd32.exe 1492 Ecnoijbd.exe 1492 Ecnoijbd.exe 2080 Elfcbo32.exe 2080 Elfcbo32.exe 2220 Eacljf32.exe 2220 Eacljf32.exe 2436 Eklqcl32.exe 2436 Eklqcl32.exe 1624 Eddeladm.exe 1624 Eddeladm.exe 3024 Eaheeecg.exe 3024 Eaheeecg.exe 536 Fajbke32.exe 536 Fajbke32.exe 860 Fhdjgoha.exe 860 Fhdjgoha.exe 964 Fggkcl32.exe 964 Fggkcl32.exe 1872 Fnacpffh.exe 1872 Fnacpffh.exe 2260 Fcnkhmdp.exe 2260 Fcnkhmdp.exe 596 Fkecij32.exe 596 Fkecij32.exe 652 Flfpabkp.exe 652 Flfpabkp.exe 1552 Fdmhbplb.exe 1552 Fdmhbplb.exe 2424 Ffodjh32.exe 2424 Ffodjh32.exe 2744 Fnflke32.exe 2744 Fnflke32.exe 2884 Fogibnha.exe 2884 Fogibnha.exe 2724 Fjlmpfhg.exe 2724 Fjlmpfhg.exe 2680 Gceailog.exe 2680 Gceailog.exe 1816 Gmmfaa32.exe 1816 Gmmfaa32.exe 2940 Gbjojh32.exe 2940 Gbjojh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Gbjojh32.exe Gmmfaa32.exe File opened for modification C:\Windows\SysWOW64\Hahnac32.exe Hnjbeh32.exe File created C:\Windows\SysWOW64\Gddgejcp.dll Mqbbagjo.exe File created C:\Windows\SysWOW64\Fcnkhmdp.exe Fnacpffh.exe File created C:\Windows\SysWOW64\Nlboaceh.dll Ohncbdbd.exe File opened for modification C:\Windows\SysWOW64\Mbhlek32.exe Mnmpdlac.exe File created C:\Windows\SysWOW64\Kongke32.dll Ngealejo.exe File created C:\Windows\SysWOW64\Qjeeidhg.dll Odgamdef.exe File opened for modification C:\Windows\SysWOW64\Plgolf32.exe Piicpk32.exe File created C:\Windows\SysWOW64\Bnknoogp.exe Bfdenafn.exe File opened for modification C:\Windows\SysWOW64\Iliebpfc.exe Ieomef32.exe File created C:\Windows\SysWOW64\Qjdaldla.dll Mqklqhpg.exe File created C:\Windows\SysWOW64\Dmmmfc32.exe Dddimn32.exe File created C:\Windows\SysWOW64\Idgglb32.exe Iedfqeka.exe File created C:\Windows\SysWOW64\Fhdjgoha.exe Fajbke32.exe File created C:\Windows\SysWOW64\Fnbkfl32.dll Cbdiia32.exe File created C:\Windows\SysWOW64\Qpbglhjq.exe Qlgkki32.exe File opened for modification C:\Windows\SysWOW64\Kkjnnn32.exe Kdpfadlm.exe File opened for modification C:\Windows\SysWOW64\Pebpkk32.exe Pafdjmkq.exe File created C:\Windows\SysWOW64\Jpbalb32.exe Jaoqqflp.exe File created C:\Windows\SysWOW64\Mmgfqh32.exe Mfmndn32.exe File created C:\Windows\SysWOW64\Nfdddm32.exe Nbhhdnlh.exe File created C:\Windows\SysWOW64\Onfoin32.exe Nfoghakb.exe File created C:\Windows\SysWOW64\Omklkkpl.exe Ojmpooah.exe File opened for modification C:\Windows\SysWOW64\Ompefj32.exe Oeindm32.exe File opened for modification C:\Windows\SysWOW64\Idkpganf.exe Iamdkfnc.exe File opened for modification C:\Windows\SysWOW64\Nfdddm32.exe Nbhhdnlh.exe File opened for modification C:\Windows\SysWOW64\Cbdiia32.exe Cnimiblo.exe File created C:\Windows\SysWOW64\Cjehmbkc.dll Hcldhnkk.exe File created C:\Windows\SysWOW64\Iqpflded.dll Ldpbpgoh.exe File opened for modification C:\Windows\SysWOW64\Qeppdo32.exe Qgmpibam.exe File created C:\Windows\SysWOW64\Gigqol32.dll Lclicpkm.exe File created C:\Windows\SysWOW64\Gfblih32.dll Ooabmbbe.exe File created C:\Windows\SysWOW64\Pebpkk32.exe Pafdjmkq.exe File opened for modification C:\Windows\SysWOW64\Aaimopli.exe Acfmcc32.exe File opened for modification C:\Windows\SysWOW64\Hnjbeh32.exe Hfcjdkpg.exe File created C:\Windows\SysWOW64\Iakgefqe.exe Ijqoilii.exe File opened for modification C:\Windows\SysWOW64\Jaoqqflp.exe Iihiphln.exe File created C:\Windows\SysWOW64\Dqaegjop.dll Agjobffl.exe File opened for modification C:\Windows\SysWOW64\Bffbdadk.exe Bchfhfeh.exe File opened for modification C:\Windows\SysWOW64\Dkigoimd.exe Daacecfc.exe File created C:\Windows\SysWOW64\Hpnkbpdd.exe Hidcef32.exe File created C:\Windows\SysWOW64\Klngkfge.exe Knkgpi32.exe File created C:\Windows\SysWOW64\Lkjjma32.exe Llgjaeoj.exe File created C:\Windows\SysWOW64\Mmbmeifk.exe Mjcaimgg.exe File created C:\Windows\SysWOW64\Piicpk32.exe Oabkom32.exe File created C:\Windows\SysWOW64\Ckmnbg32.exe Cebeem32.exe File created C:\Windows\SysWOW64\Gdhkfd32.exe Gbjojh32.exe File opened for modification C:\Windows\SysWOW64\Kkgahoel.exe Kglehp32.exe File created C:\Windows\SysWOW64\Eiapeffl.dll Opglafab.exe File created C:\Windows\SysWOW64\Qppkfhlc.exe Pleofj32.exe File opened for modification C:\Windows\SysWOW64\Bccmmf32.exe Bdqlajbb.exe File created C:\Windows\SysWOW64\Ckndebll.dll Bfdenafn.exe File opened for modification C:\Windows\SysWOW64\Jbjpom32.exe Jondnnbk.exe File opened for modification C:\Windows\SysWOW64\Hifpke32.exe Hblgnkdh.exe File created C:\Windows\SysWOW64\Klbdgb32.exe Jehlkhig.exe File created C:\Windows\SysWOW64\Dljdnm32.dll Kncaojfb.exe File opened for modification C:\Windows\SysWOW64\Lkgngb32.exe Lhiakf32.exe File opened for modification C:\Windows\SysWOW64\Mmicfh32.exe Mfokinhf.exe File created C:\Windows\SysWOW64\Qlgkki32.exe Qiioon32.exe File opened for modification C:\Windows\SysWOW64\Qpbglhjq.exe Qlgkki32.exe File opened for modification C:\Windows\SysWOW64\Hidcef32.exe Hfegij32.exe File opened for modification C:\Windows\SysWOW64\Bmnnkl32.exe Bnknoogp.exe File created C:\Windows\SysWOW64\Kleajenp.dll Ijqoilii.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4592 4560 WerFault.exe 336 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hneeilgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhgccebd.dll" Kkgahoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aoojnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godonkii.dll" Bnknoogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojefcohi.dll" Dhiomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmmfaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dddimn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojmpooah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbjpom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phqmgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdgmlhha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfioia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kheoph32.dll" Nfahomfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkiicmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kglehp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eaheeecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlefhcnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnflke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncakm32.dll" Pdgmlhha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipnmn32.dll" Jedcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqklqhpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjfnomde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgjnhaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nenkqi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bffbdadk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckjamgmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Daacecfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aekeef32.dll" Gqdefddb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihpfgalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Injndk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcelfiph.dll" Mobfgdcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbhhdnlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cepipm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flfpabkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmgfqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pghfnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgaebe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cebeem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll" Ccjoli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfjann32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgabdlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjfnomde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ooabmbbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jimbkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plgolf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pahoec32.dll" b850568c18aa2a4e4d144aa5c531e1cd66e0a172cb89799eae5295820acbc58c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnacpffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojojafnk.dll" Iefcfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcgphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llechb32.dll" Lfkeokjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkgngb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adqaqk32.dll" Nnoiio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odgamdef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lillifio.dll" Dmmmfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjmnjkjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qiioon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fggkcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkiicmdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmdhad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdpjba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfdenafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eklqcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikgeel32.dll" Mfmndn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npbdcgjh.dll" Nlcibc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2400 wrote to memory of 2412 2400 b850568c18aa2a4e4d144aa5c531e1cd66e0a172cb89799eae5295820acbc58c.exe 30 PID 2400 wrote to memory of 2412 2400 b850568c18aa2a4e4d144aa5c531e1cd66e0a172cb89799eae5295820acbc58c.exe 30 PID 2400 wrote to memory of 2412 2400 b850568c18aa2a4e4d144aa5c531e1cd66e0a172cb89799eae5295820acbc58c.exe 30 PID 2400 wrote to memory of 2412 2400 b850568c18aa2a4e4d144aa5c531e1cd66e0a172cb89799eae5295820acbc58c.exe 30 PID 2412 wrote to memory of 2896 2412 Dhiomn32.exe 31 PID 2412 wrote to memory of 2896 2412 Dhiomn32.exe 31 PID 2412 wrote to memory of 2896 2412 Dhiomn32.exe 31 PID 2412 wrote to memory of 2896 2412 Dhiomn32.exe 31 PID 2896 wrote to memory of 600 2896 Daacecfc.exe 32 PID 2896 wrote to memory of 600 2896 Daacecfc.exe 32 PID 2896 wrote to memory of 600 2896 Daacecfc.exe 32 PID 2896 wrote to memory of 600 2896 Daacecfc.exe 32 PID 600 wrote to memory of 2800 600 Dkigoimd.exe 33 PID 600 wrote to memory of 2800 600 Dkigoimd.exe 33 PID 600 wrote to memory of 2800 600 Dkigoimd.exe 33 PID 600 wrote to memory of 2800 600 Dkigoimd.exe 33 PID 2800 wrote to memory of 2848 2800 Ddblgn32.exe 34 PID 2800 wrote to memory of 2848 2800 Ddblgn32.exe 34 PID 2800 wrote to memory of 2848 2800 Ddblgn32.exe 34 PID 2800 wrote to memory of 2848 2800 Ddblgn32.exe 34 PID 2848 wrote to memory of 864 2848 Dogpdg32.exe 35 PID 2848 wrote to memory of 864 2848 Dogpdg32.exe 35 PID 2848 wrote to memory of 864 2848 Dogpdg32.exe 35 PID 2848 wrote to memory of 864 2848 Dogpdg32.exe 35 PID 864 wrote to memory of 2656 864 Dddimn32.exe 36 PID 864 wrote to memory of 2656 864 Dddimn32.exe 36 PID 864 wrote to memory of 2656 864 Dddimn32.exe 36 PID 864 wrote to memory of 2656 864 Dddimn32.exe 36 PID 2656 wrote to memory of 2348 2656 Dmmmfc32.exe 37 PID 2656 wrote to memory of 2348 2656 Dmmmfc32.exe 37 PID 2656 wrote to memory of 2348 2656 Dmmmfc32.exe 37 PID 2656 wrote to memory of 2348 2656 Dmmmfc32.exe 37 PID 2348 wrote to memory of 2100 2348 Dgeaoinb.exe 38 PID 2348 wrote to memory of 2100 2348 Dgeaoinb.exe 38 PID 2348 wrote to memory of 2100 2348 Dgeaoinb.exe 38 PID 2348 wrote to memory of 2100 2348 Dgeaoinb.exe 38 PID 2100 wrote to memory of 2564 2100 Epmfgo32.exe 39 PID 2100 wrote to memory of 2564 2100 Epmfgo32.exe 39 PID 2100 wrote to memory of 2564 2100 Epmfgo32.exe 39 PID 2100 wrote to memory of 2564 2100 Epmfgo32.exe 39 PID 2564 wrote to memory of 1492 2564 Eiekpd32.exe 40 PID 2564 wrote to memory of 1492 2564 Eiekpd32.exe 40 PID 2564 wrote to memory of 1492 2564 Eiekpd32.exe 40 PID 2564 wrote to memory of 1492 2564 Eiekpd32.exe 40 PID 1492 wrote to memory of 2080 1492 Ecnoijbd.exe 41 PID 1492 wrote to memory of 2080 1492 Ecnoijbd.exe 41 PID 1492 wrote to memory of 2080 1492 Ecnoijbd.exe 41 PID 1492 wrote to memory of 2080 1492 Ecnoijbd.exe 41 PID 2080 wrote to memory of 2220 2080 Elfcbo32.exe 42 PID 2080 wrote to memory of 2220 2080 Elfcbo32.exe 42 PID 2080 wrote to memory of 2220 2080 Elfcbo32.exe 42 PID 2080 wrote to memory of 2220 2080 Elfcbo32.exe 42 PID 2220 wrote to memory of 2436 2220 Eacljf32.exe 43 PID 2220 wrote to memory of 2436 2220 Eacljf32.exe 43 PID 2220 wrote to memory of 2436 2220 Eacljf32.exe 43 PID 2220 wrote to memory of 2436 2220 Eacljf32.exe 43 PID 2436 wrote to memory of 1624 2436 Eklqcl32.exe 44 PID 2436 wrote to memory of 1624 2436 Eklqcl32.exe 44 PID 2436 wrote to memory of 1624 2436 Eklqcl32.exe 44 PID 2436 wrote to memory of 1624 2436 Eklqcl32.exe 44 PID 1624 wrote to memory of 3024 1624 Eddeladm.exe 45 PID 1624 wrote to memory of 3024 1624 Eddeladm.exe 45 PID 1624 wrote to memory of 3024 1624 Eddeladm.exe 45 PID 1624 wrote to memory of 3024 1624 Eddeladm.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b850568c18aa2a4e4d144aa5c531e1cd66e0a172cb89799eae5295820acbc58c.exe"C:\Users\Admin\AppData\Local\Temp\b850568c18aa2a4e4d144aa5c531e1cd66e0a172cb89799eae5295820acbc58c.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Dhiomn32.exeC:\Windows\system32\Dhiomn32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Daacecfc.exeC:\Windows\system32\Daacecfc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Dkigoimd.exeC:\Windows\system32\Dkigoimd.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:600 -
C:\Windows\SysWOW64\Ddblgn32.exeC:\Windows\system32\Ddblgn32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Dogpdg32.exeC:\Windows\system32\Dogpdg32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Dddimn32.exeC:\Windows\system32\Dddimn32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\Dmmmfc32.exeC:\Windows\system32\Dmmmfc32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Dgeaoinb.exeC:\Windows\system32\Dgeaoinb.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Epmfgo32.exeC:\Windows\system32\Epmfgo32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Eiekpd32.exeC:\Windows\system32\Eiekpd32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Ecnoijbd.exeC:\Windows\system32\Ecnoijbd.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Elfcbo32.exeC:\Windows\system32\Elfcbo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Eacljf32.exeC:\Windows\system32\Eacljf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Eklqcl32.exeC:\Windows\system32\Eklqcl32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Eddeladm.exeC:\Windows\system32\Eddeladm.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Eaheeecg.exeC:\Windows\system32\Eaheeecg.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Fajbke32.exeC:\Windows\system32\Fajbke32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:536 -
C:\Windows\SysWOW64\Fhdjgoha.exeC:\Windows\system32\Fhdjgoha.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:860 -
C:\Windows\SysWOW64\Fggkcl32.exeC:\Windows\system32\Fggkcl32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:964 -
C:\Windows\SysWOW64\Fnacpffh.exeC:\Windows\system32\Fnacpffh.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1872 -
C:\Windows\SysWOW64\Fcnkhmdp.exeC:\Windows\system32\Fcnkhmdp.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2260 -
C:\Windows\SysWOW64\Fkecij32.exeC:\Windows\system32\Fkecij32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:596 -
C:\Windows\SysWOW64\Flfpabkp.exeC:\Windows\system32\Flfpabkp.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:652 -
C:\Windows\SysWOW64\Fdmhbplb.exeC:\Windows\system32\Fdmhbplb.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1552 -
C:\Windows\SysWOW64\Ffodjh32.exeC:\Windows\system32\Ffodjh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2424 -
C:\Windows\SysWOW64\Fnflke32.exeC:\Windows\system32\Fnflke32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Fogibnha.exeC:\Windows\system32\Fogibnha.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Fjlmpfhg.exeC:\Windows\system32\Fjlmpfhg.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Gceailog.exeC:\Windows\system32\Gceailog.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Gmmfaa32.exeC:\Windows\system32\Gmmfaa32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Gbjojh32.exeC:\Windows\system32\Gbjojh32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Gdhkfd32.exeC:\Windows\system32\Gdhkfd32.exe33⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Gkbcbn32.exeC:\Windows\system32\Gkbcbn32.exe34⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Gnaooi32.exeC:\Windows\system32\Gnaooi32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Gfhgpg32.exeC:\Windows\system32\Gfhgpg32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Gdkgkcpq.exeC:\Windows\system32\Gdkgkcpq.exe37⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Gkephn32.exeC:\Windows\system32\Gkephn32.exe38⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Gbohehoj.exeC:\Windows\system32\Gbohehoj.exe39⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Gqahqd32.exeC:\Windows\system32\Gqahqd32.exe40⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Giipab32.exeC:\Windows\system32\Giipab32.exe41⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Gkglnm32.exeC:\Windows\system32\Gkglnm32.exe42⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Gneijien.exeC:\Windows\system32\Gneijien.exe43⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Gqdefddb.exeC:\Windows\system32\Gqdefddb.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Gepafc32.exeC:\Windows\system32\Gepafc32.exe45⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Hkiicmdh.exeC:\Windows\system32\Hkiicmdh.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Hjlioj32.exeC:\Windows\system32\Hjlioj32.exe47⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Hmkeke32.exeC:\Windows\system32\Hmkeke32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Hebnlb32.exeC:\Windows\system32\Hebnlb32.exe49⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Hgpjhn32.exeC:\Windows\system32\Hgpjhn32.exe50⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Hfcjdkpg.exeC:\Windows\system32\Hfcjdkpg.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2780 -
C:\Windows\SysWOW64\Hnjbeh32.exeC:\Windows\system32\Hnjbeh32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Hahnac32.exeC:\Windows\system32\Hahnac32.exe53⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Hcgjmo32.exeC:\Windows\system32\Hcgjmo32.exe54⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Hgbfnngi.exeC:\Windows\system32\Hgbfnngi.exe55⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Hfegij32.exeC:\Windows\system32\Hfegij32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Hidcef32.exeC:\Windows\system32\Hidcef32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1724 -
C:\Windows\SysWOW64\Hpnkbpdd.exeC:\Windows\system32\Hpnkbpdd.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Hcigco32.exeC:\Windows\system32\Hcigco32.exe59⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Hblgnkdh.exeC:\Windows\system32\Hblgnkdh.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:408 -
C:\Windows\SysWOW64\Hifpke32.exeC:\Windows\system32\Hifpke32.exe61⤵
- Executes dropped EXE
PID:716 -
C:\Windows\SysWOW64\Hldlga32.exeC:\Windows\system32\Hldlga32.exe62⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Hcldhnkk.exeC:\Windows\system32\Hcldhnkk.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1536 -
C:\Windows\SysWOW64\Hboddk32.exeC:\Windows\system32\Hboddk32.exe64⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Hemqpf32.exeC:\Windows\system32\Hemqpf32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Hmdhad32.exeC:\Windows\system32\Hmdhad32.exe66⤵
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Hneeilgj.exeC:\Windows\system32\Hneeilgj.exe67⤵
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Iflmjihl.exeC:\Windows\system32\Iflmjihl.exe68⤵PID:388
-
C:\Windows\SysWOW64\Ieomef32.exeC:\Windows\system32\Ieomef32.exe69⤵
- Drops file in System32 directory
PID:548 -
C:\Windows\SysWOW64\Iliebpfc.exeC:\Windows\system32\Iliebpfc.exe70⤵PID:2144
-
C:\Windows\SysWOW64\Ipeaco32.exeC:\Windows\system32\Ipeaco32.exe71⤵PID:2672
-
C:\Windows\SysWOW64\Iafnjg32.exeC:\Windows\system32\Iafnjg32.exe72⤵PID:1696
-
C:\Windows\SysWOW64\Ieajkfmd.exeC:\Windows\system32\Ieajkfmd.exe73⤵PID:2788
-
C:\Windows\SysWOW64\Ihpfgalh.exeC:\Windows\system32\Ihpfgalh.exe74⤵
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Injndk32.exeC:\Windows\system32\Injndk32.exe75⤵
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Iahkpg32.exeC:\Windows\system32\Iahkpg32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2540 -
C:\Windows\SysWOW64\Iedfqeka.exeC:\Windows\system32\Iedfqeka.exe77⤵
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\Idgglb32.exeC:\Windows\system32\Idgglb32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1904 -
C:\Windows\SysWOW64\Ilnomp32.exeC:\Windows\system32\Ilnomp32.exe79⤵PID:2324
-
C:\Windows\SysWOW64\Ijqoilii.exeC:\Windows\system32\Ijqoilii.exe80⤵
- Drops file in System32 directory
PID:2292 -
C:\Windows\SysWOW64\Iakgefqe.exeC:\Windows\system32\Iakgefqe.exe81⤵PID:1924
-
C:\Windows\SysWOW64\Iefcfe32.exeC:\Windows\system32\Iefcfe32.exe82⤵
- Modifies registry class
PID:912 -
C:\Windows\SysWOW64\Ihdpbq32.exeC:\Windows\system32\Ihdpbq32.exe83⤵PID:1936
-
C:\Windows\SysWOW64\Ijclol32.exeC:\Windows\system32\Ijclol32.exe84⤵PID:2108
-
C:\Windows\SysWOW64\Imahkg32.exeC:\Windows\system32\Imahkg32.exe85⤵PID:2684
-
C:\Windows\SysWOW64\Iamdkfnc.exeC:\Windows\system32\Iamdkfnc.exe86⤵
- Drops file in System32 directory
PID:572 -
C:\Windows\SysWOW64\Idkpganf.exeC:\Windows\system32\Idkpganf.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2936 -
C:\Windows\SysWOW64\Ifjlcmmj.exeC:\Windows\system32\Ifjlcmmj.exe88⤵PID:2964
-
C:\Windows\SysWOW64\Ijehdl32.exeC:\Windows\system32\Ijehdl32.exe89⤵PID:1756
-
C:\Windows\SysWOW64\Iihiphln.exeC:\Windows\system32\Iihiphln.exe90⤵
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Jaoqqflp.exeC:\Windows\system32\Jaoqqflp.exe91⤵
- Drops file in System32 directory
PID:1420 -
C:\Windows\SysWOW64\Jpbalb32.exeC:\Windows\system32\Jpbalb32.exe92⤵PID:948
-
C:\Windows\SysWOW64\Jbqmhnbo.exeC:\Windows\system32\Jbqmhnbo.exe93⤵PID:2040
-
C:\Windows\SysWOW64\Jbqmhnbo.exeC:\Windows\system32\Jbqmhnbo.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1000 -
C:\Windows\SysWOW64\Jkhejkcq.exeC:\Windows\system32\Jkhejkcq.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:268 -
C:\Windows\SysWOW64\Jmfafgbd.exeC:\Windows\system32\Jmfafgbd.exe96⤵PID:280
-
C:\Windows\SysWOW64\Jpdnbbah.exeC:\Windows\system32\Jpdnbbah.exe97⤵PID:1520
-
C:\Windows\SysWOW64\Jdpjba32.exeC:\Windows\system32\Jdpjba32.exe98⤵
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Jfofol32.exeC:\Windows\system32\Jfofol32.exe99⤵PID:2060
-
C:\Windows\SysWOW64\Jimbkh32.exeC:\Windows\system32\Jimbkh32.exe100⤵
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Jlkngc32.exeC:\Windows\system32\Jlkngc32.exe101⤵PID:2828
-
C:\Windows\SysWOW64\Jpgjgboe.exeC:\Windows\system32\Jpgjgboe.exe102⤵PID:2008
-
C:\Windows\SysWOW64\Jbefcm32.exeC:\Windows\system32\Jbefcm32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2208 -
C:\Windows\SysWOW64\Jgabdlfb.exeC:\Windows\system32\Jgabdlfb.exe104⤵
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Jedcpi32.exeC:\Windows\system32\Jedcpi32.exe105⤵
- Modifies registry class
PID:1144 -
C:\Windows\SysWOW64\Jlnklcej.exeC:\Windows\system32\Jlnklcej.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2192 -
C:\Windows\SysWOW64\Jolghndm.exeC:\Windows\system32\Jolghndm.exe107⤵PID:2464
-
C:\Windows\SysWOW64\Jajcdjca.exeC:\Windows\system32\Jajcdjca.exe108⤵PID:1796
-
C:\Windows\SysWOW64\Jefpeh32.exeC:\Windows\system32\Jefpeh32.exe109⤵PID:2888
-
C:\Windows\SysWOW64\Jialfgcc.exeC:\Windows\system32\Jialfgcc.exe110⤵PID:2648
-
C:\Windows\SysWOW64\Jlphbbbg.exeC:\Windows\system32\Jlphbbbg.exe111⤵PID:2712
-
C:\Windows\SysWOW64\Jondnnbk.exeC:\Windows\system32\Jondnnbk.exe112⤵
- Drops file in System32 directory
PID:2304 -
C:\Windows\SysWOW64\Jbjpom32.exeC:\Windows\system32\Jbjpom32.exe113⤵
- Modifies registry class
PID:1888 -
C:\Windows\SysWOW64\Jehlkhig.exeC:\Windows\system32\Jehlkhig.exe114⤵
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Klbdgb32.exeC:\Windows\system32\Klbdgb32.exe115⤵PID:656
-
C:\Windows\SysWOW64\Kkeecogo.exeC:\Windows\system32\Kkeecogo.exe116⤵PID:2036
-
C:\Windows\SysWOW64\Kncaojfb.exeC:\Windows\system32\Kncaojfb.exe117⤵
- Drops file in System32 directory
PID:376 -
C:\Windows\SysWOW64\Kekiphge.exeC:\Windows\system32\Kekiphge.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1256 -
C:\Windows\SysWOW64\Kglehp32.exeC:\Windows\system32\Kglehp32.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Kkgahoel.exeC:\Windows\system32\Kkgahoel.exe120⤵
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Kaajei32.exeC:\Windows\system32\Kaajei32.exe121⤵PID:2944
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-