Analysis
-
max time kernel
92s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
10/07/2024, 05:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ce7a30a71d3d0dc6e9169444755f6346f90b48f2c63651ecfb0cb5a30241d0a0.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
ce7a30a71d3d0dc6e9169444755f6346f90b48f2c63651ecfb0cb5a30241d0a0.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
ce7a30a71d3d0dc6e9169444755f6346f90b48f2c63651ecfb0cb5a30241d0a0.exe
-
Size
57KB
-
MD5
55f69495fb54bb2b87a10dbe4e1d62b6
-
SHA1
40d33f9d41b2ba787798a33c5fdd039ae2b621c2
-
SHA256
ce7a30a71d3d0dc6e9169444755f6346f90b48f2c63651ecfb0cb5a30241d0a0
-
SHA512
9217c386240532f8f82536ff93f9ca660e58dd5979008de37141b2c5ef48b875f30199fcfbcd46270afb8efb37947f42c801769cd1fa304ffa3ec98ef06ccca1
-
SSDEEP
768:JoIfYvE6DCJC9UbFbfHcoDYAhOj9J91k3LNCKjGq5L5bPb4sH/F/1H5qXdnhg:mul6P9UbZ80Y1390RCqTb4iH+
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phedhmhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akcjkfij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmhand32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpqjglii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcpojd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkohaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gphgbafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkomneim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glgcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbnpcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhmqdemc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpkknmgd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amfjeobf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijadbdoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Popbpqjh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agimkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpioin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knbbep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdpmbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkimho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oodcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpglnhad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Poajkgnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbjkkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnoknihb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npbceggm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlfqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfdjinjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eplnpeol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcinna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkgcea32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddnobj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbbeml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqglkmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkmdkgob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiipmhmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgphpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ganldgib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgejpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpmggb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kniieo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjnmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkconn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhmofj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boihcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppjgoaoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkhpdcab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bochmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlpfhe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiihahme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmjemflb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnlnbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkmdkgob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efafgifc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcpahpmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnfaohbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcnfohmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agdhbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emehdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npepkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hehdfdek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keimof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbenoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Licfngjd.exe -
Executes dropped EXE 64 IoCs
pid Process 964 Oiihahme.exe 4560 Oepifi32.exe 676 Opemca32.exe 2240 Ojnblg32.exe 1752 Ophjiaql.exe 5092 Pedbahod.exe 3332 Ppjgoaoj.exe 2996 Pgdokkfg.exe 1932 Phelcc32.exe 3220 Pckppl32.exe 2992 Ppopjp32.exe 4424 Pflibgil.exe 4848 Pgkelj32.exe 408 Pofjpl32.exe 2728 Qfpbmfdf.exe 5020 Qhonib32.exe 2532 Qgpogili.exe 3840 Qlmgopjq.exe 3320 Agbkmijg.exe 3932 Aqkpeopg.exe 2180 Agdhbi32.exe 3132 Amaqjp32.exe 4452 Afjeceml.exe 4396 Aqoiqn32.exe 4532 Agiamhdo.exe 4608 Amfjeobf.exe 5028 Aglnbhal.exe 3040 Amhfkopc.exe 1360 Bcbohigp.exe 4516 Bqfoamfj.exe 3004 Bcelmhen.exe 3604 Boklbi32.exe 4296 Bjaqpbkh.exe 688 Bidqko32.exe 3788 Bciehh32.exe 4108 Bjcmebie.exe 3564 Bqmeal32.exe 1004 Bjfjka32.exe 2104 Cmdfgm32.exe 1780 Ccnncgmc.exe 1316 Cjhfpa32.exe 2232 Cmfclm32.exe 3008 Ccqkigkp.exe 2668 Cimcan32.exe 400 Cpglnhad.exe 864 Cfadkb32.exe 4344 Cpihcgoa.exe 2624 Cjomap32.exe 4604 Ccgajfeh.exe 1928 Cffmfadl.exe 1668 Dmpfbk32.exe 4308 Dgejpd32.exe 3048 Diffglam.exe 4460 Dmdonkgc.exe 2508 Dfmcfp32.exe 3380 Dfoplpla.exe 1244 Dpgeee32.exe 2760 Djmibn32.exe 3768 Eagaoh32.exe 5044 Efdjgo32.exe 4304 Eplnpeol.exe 1208 Ehcfaboo.exe 4704 Eidbij32.exe 764 Edjgfcec.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jeapcq32.exe Jpegkj32.exe File created C:\Windows\SysWOW64\Pfojdh32.exe Pqbala32.exe File opened for modification C:\Windows\SysWOW64\Jibmgi32.exe Jnmijq32.exe File opened for modification C:\Windows\SysWOW64\Bllbaa32.exe Bebjdgmj.exe File opened for modification C:\Windows\SysWOW64\Iikmbh32.exe Ifmqfm32.exe File created C:\Windows\SysWOW64\Pjphcf32.dll Ocdnln32.exe File opened for modification C:\Windows\SysWOW64\Qlmgopjq.exe Qgpogili.exe File opened for modification C:\Windows\SysWOW64\Pedlgbkh.exe Pkogiikb.exe File opened for modification C:\Windows\SysWOW64\Pchlpfjb.exe Phbhcmjl.exe File created C:\Windows\SysWOW64\Bahkih32.exe Bojomm32.exe File created C:\Windows\SysWOW64\Oikmnf32.dll Fjmkoeqi.exe File created C:\Windows\SysWOW64\Hlambk32.exe Hkpqkcpd.exe File created C:\Windows\SysWOW64\Cgnomg32.exe Cpdgqmnb.exe File created C:\Windows\SysWOW64\Idhmabfb.dll Jqiipljg.exe File created C:\Windows\SysWOW64\Bcinna32.exe Bhcjqinf.exe File created C:\Windows\SysWOW64\Pjpbba32.dll Eicedn32.exe File opened for modification C:\Windows\SysWOW64\Fndpmndl.exe Fgjhpcmo.exe File opened for modification C:\Windows\SysWOW64\Lnjnqh32.exe Lgqfdnah.exe File opened for modification C:\Windows\SysWOW64\Alelqb32.exe Aekddhcb.exe File created C:\Windows\SysWOW64\Lhjlnlii.dll Pkogiikb.exe File created C:\Windows\SysWOW64\Fbajbi32.exe Emdajb32.exe File created C:\Windows\SysWOW64\Meepdp32.exe Mkmkkjko.exe File created C:\Windows\SysWOW64\Jacodldj.dll Ljbnfleo.exe File created C:\Windows\SysWOW64\Ionqbdem.dll Qlmgopjq.exe File created C:\Windows\SysWOW64\Nklbmllg.exe Nijeec32.exe File opened for modification C:\Windows\SysWOW64\Ajpqnneo.exe Acfhad32.exe File created C:\Windows\SysWOW64\Fbihneaj.dll Kdigadjo.exe File created C:\Windows\SysWOW64\Cjibekmc.dll Nlcalieg.exe File created C:\Windows\SysWOW64\Agiamhdo.exe Aqoiqn32.exe File created C:\Windows\SysWOW64\Ccemjbpf.dll Gahcmd32.exe File opened for modification C:\Windows\SysWOW64\Ejdocm32.exe Edjgfcec.exe File created C:\Windows\SysWOW64\Gmpbnakj.dll Giqkkf32.exe File created C:\Windows\SysWOW64\Mlihmi32.dll Mkmkkjko.exe File created C:\Windows\SysWOW64\Pqknpl32.dll Hfcnpn32.exe File opened for modification C:\Windows\SysWOW64\Hienlpel.exe Hckeoeno.exe File created C:\Windows\SysWOW64\Hlhccj32.exe Hkfglb32.exe File created C:\Windows\SysWOW64\Bjcmebie.exe Bciehh32.exe File opened for modification C:\Windows\SysWOW64\Giecfejd.exe Ganldgib.exe File opened for modification C:\Windows\SysWOW64\Omegjomb.exe Oldjcg32.exe File created C:\Windows\SysWOW64\Ombnni32.dll Lfbped32.exe File created C:\Windows\SysWOW64\Gdaociml.exe Gljgbllj.exe File created C:\Windows\SysWOW64\Kcpahpmd.exe Knchpiom.exe File created C:\Windows\SysWOW64\Lgccinoe.exe Lnjnqh32.exe File created C:\Windows\SysWOW64\Joahqn32.exe Iidphgcn.exe File created C:\Windows\SysWOW64\Okjpkd32.dll Fniihmpf.exe File created C:\Windows\SysWOW64\Hiplgm32.dll Hbgkei32.exe File created C:\Windows\SysWOW64\Dpdaepai.exe Dmfeidbe.exe File created C:\Windows\SysWOW64\Ejchhgid.exe Eciplm32.exe File created C:\Windows\SysWOW64\Glaecb32.dll Gbfldf32.exe File created C:\Windows\SysWOW64\Emcnmpcj.dll Glipgf32.exe File opened for modification C:\Windows\SysWOW64\Gmimai32.exe Gfodeohd.exe File created C:\Windows\SysWOW64\Dahceqce.dll Ganldgib.exe File created C:\Windows\SysWOW64\Achnlqjp.dll Akhcfe32.exe File created C:\Windows\SysWOW64\Gpnmbl32.exe Fideeaco.exe File created C:\Windows\SysWOW64\Pmlmkn32.exe Plkpcfal.exe File created C:\Windows\SysWOW64\Afeknhab.dll Hidgai32.exe File created C:\Windows\SysWOW64\Oehlkc32.exe Nlphbnoe.exe File created C:\Windows\SysWOW64\Gejlkojm.dll Bjicdmmd.exe File created C:\Windows\SysWOW64\Hbceobam.dll Nccokk32.exe File opened for modification C:\Windows\SysWOW64\Cfpffeaj.exe Cofnik32.exe File created C:\Windows\SysWOW64\Efdjgo32.exe Eagaoh32.exe File opened for modification C:\Windows\SysWOW64\Gfkbde32.exe Gpqjglii.exe File created C:\Windows\SysWOW64\Hjhgac32.dll Pekbga32.exe File opened for modification C:\Windows\SysWOW64\Edeeci32.exe Enkmfolf.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 13184 6016 WerFault.exe 832 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdpiacg.dll" Bllbaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dglkaf32.dll" Ccqkigkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekojppef.dll" Hjlkge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbalagn.dll" Iddljmpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papdfone.dll" Mifljdjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cplbfcmi.dll" Efepbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjibekmc.dll" Nlcalieg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njkkbehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boihcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aboncdme.dll" Hhknpmma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajpqnneo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Higjaoci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fngcmcfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jedccfqg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaoaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpgnjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipmbjgpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gojiiafp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbdiknlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nklbmllg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkjgegae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meepdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpmbai32.dll" Aehgnied.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcimdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnnjancb.dll" Ggmmlamj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omalpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nocckb32.dll" Ejdocm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjcejfha.dll" Faenpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlphbnoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmenca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpmdqpl.dll" Dqpfmlce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olaafabl.dll" Cnaaib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijcahd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpggamqc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icnklbmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amlkko32.dll" Kmkbfeab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgccinoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oogpjbbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjcngpjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfibla32.dll" Jaonbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpkdfd32.dll" Ojhiogdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bicdfa32.dll" Lkofdbkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnnkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcplmmbl.dll" Nijeec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkjpda32.dll" Kngkqbgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjfmkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmcfjdp.dll" Nfihbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmemic32.dll" Idbodn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpphjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmlmkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fneggdhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgmdec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fallih32.dll" Hhdcmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omalpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gghpel32.dll" Pemomqcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkohaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnihkq32.dll" Mmmqhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmkjd32.dll" Cffmfadl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kioodcbn.dll" Pkgcea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifmqfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnfpnk32.dll" Pmlfqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egohdegl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enkmfolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpecpo32.dll" Keifdpif.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2840 wrote to memory of 964 2840 ce7a30a71d3d0dc6e9169444755f6346f90b48f2c63651ecfb0cb5a30241d0a0.exe 83 PID 2840 wrote to memory of 964 2840 ce7a30a71d3d0dc6e9169444755f6346f90b48f2c63651ecfb0cb5a30241d0a0.exe 83 PID 2840 wrote to memory of 964 2840 ce7a30a71d3d0dc6e9169444755f6346f90b48f2c63651ecfb0cb5a30241d0a0.exe 83 PID 964 wrote to memory of 4560 964 Oiihahme.exe 84 PID 964 wrote to memory of 4560 964 Oiihahme.exe 84 PID 964 wrote to memory of 4560 964 Oiihahme.exe 84 PID 4560 wrote to memory of 676 4560 Oepifi32.exe 86 PID 4560 wrote to memory of 676 4560 Oepifi32.exe 86 PID 4560 wrote to memory of 676 4560 Oepifi32.exe 86 PID 676 wrote to memory of 2240 676 Opemca32.exe 87 PID 676 wrote to memory of 2240 676 Opemca32.exe 87 PID 676 wrote to memory of 2240 676 Opemca32.exe 87 PID 2240 wrote to memory of 1752 2240 Ojnblg32.exe 88 PID 2240 wrote to memory of 1752 2240 Ojnblg32.exe 88 PID 2240 wrote to memory of 1752 2240 Ojnblg32.exe 88 PID 1752 wrote to memory of 5092 1752 Ophjiaql.exe 89 PID 1752 wrote to memory of 5092 1752 Ophjiaql.exe 89 PID 1752 wrote to memory of 5092 1752 Ophjiaql.exe 89 PID 5092 wrote to memory of 3332 5092 Pedbahod.exe 90 PID 5092 wrote to memory of 3332 5092 Pedbahod.exe 90 PID 5092 wrote to memory of 3332 5092 Pedbahod.exe 90 PID 3332 wrote to memory of 2996 3332 Ppjgoaoj.exe 91 PID 3332 wrote to memory of 2996 3332 Ppjgoaoj.exe 91 PID 3332 wrote to memory of 2996 3332 Ppjgoaoj.exe 91 PID 2996 wrote to memory of 1932 2996 Pgdokkfg.exe 92 PID 2996 wrote to memory of 1932 2996 Pgdokkfg.exe 92 PID 2996 wrote to memory of 1932 2996 Pgdokkfg.exe 92 PID 1932 wrote to memory of 3220 1932 Phelcc32.exe 93 PID 1932 wrote to memory of 3220 1932 Phelcc32.exe 93 PID 1932 wrote to memory of 3220 1932 Phelcc32.exe 93 PID 3220 wrote to memory of 2992 3220 Pckppl32.exe 94 PID 3220 wrote to memory of 2992 3220 Pckppl32.exe 94 PID 3220 wrote to memory of 2992 3220 Pckppl32.exe 94 PID 2992 wrote to memory of 4424 2992 Ppopjp32.exe 95 PID 2992 wrote to memory of 4424 2992 Ppopjp32.exe 95 PID 2992 wrote to memory of 4424 2992 Ppopjp32.exe 95 PID 4424 wrote to memory of 4848 4424 Pflibgil.exe 96 PID 4424 wrote to memory of 4848 4424 Pflibgil.exe 96 PID 4424 wrote to memory of 4848 4424 Pflibgil.exe 96 PID 4848 wrote to memory of 408 4848 Pgkelj32.exe 97 PID 4848 wrote to memory of 408 4848 Pgkelj32.exe 97 PID 4848 wrote to memory of 408 4848 Pgkelj32.exe 97 PID 408 wrote to memory of 2728 408 Pofjpl32.exe 98 PID 408 wrote to memory of 2728 408 Pofjpl32.exe 98 PID 408 wrote to memory of 2728 408 Pofjpl32.exe 98 PID 2728 wrote to memory of 5020 2728 Qfpbmfdf.exe 99 PID 2728 wrote to memory of 5020 2728 Qfpbmfdf.exe 99 PID 2728 wrote to memory of 5020 2728 Qfpbmfdf.exe 99 PID 5020 wrote to memory of 2532 5020 Qhonib32.exe 100 PID 5020 wrote to memory of 2532 5020 Qhonib32.exe 100 PID 5020 wrote to memory of 2532 5020 Qhonib32.exe 100 PID 2532 wrote to memory of 3840 2532 Qgpogili.exe 101 PID 2532 wrote to memory of 3840 2532 Qgpogili.exe 101 PID 2532 wrote to memory of 3840 2532 Qgpogili.exe 101 PID 3840 wrote to memory of 3320 3840 Qlmgopjq.exe 102 PID 3840 wrote to memory of 3320 3840 Qlmgopjq.exe 102 PID 3840 wrote to memory of 3320 3840 Qlmgopjq.exe 102 PID 3320 wrote to memory of 3932 3320 Agbkmijg.exe 103 PID 3320 wrote to memory of 3932 3320 Agbkmijg.exe 103 PID 3320 wrote to memory of 3932 3320 Agbkmijg.exe 103 PID 3932 wrote to memory of 2180 3932 Aqkpeopg.exe 104 PID 3932 wrote to memory of 2180 3932 Aqkpeopg.exe 104 PID 3932 wrote to memory of 2180 3932 Aqkpeopg.exe 104 PID 2180 wrote to memory of 3132 2180 Agdhbi32.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\ce7a30a71d3d0dc6e9169444755f6346f90b48f2c63651ecfb0cb5a30241d0a0.exe"C:\Users\Admin\AppData\Local\Temp\ce7a30a71d3d0dc6e9169444755f6346f90b48f2c63651ecfb0cb5a30241d0a0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\Oepifi32.exeC:\Windows\system32\Oepifi32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:676 -
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Ophjiaql.exeC:\Windows\system32\Ophjiaql.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
C:\Windows\SysWOW64\Pgdokkfg.exeC:\Windows\system32\Pgdokkfg.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
C:\Windows\SysWOW64\Qfpbmfdf.exeC:\Windows\system32\Qfpbmfdf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\SysWOW64\Qgpogili.exeC:\Windows\system32\Qgpogili.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Qlmgopjq.exeC:\Windows\system32\Qlmgopjq.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3840 -
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Windows\SysWOW64\Aqkpeopg.exeC:\Windows\system32\Aqkpeopg.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Windows\SysWOW64\Agdhbi32.exeC:\Windows\system32\Agdhbi32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe23⤵
- Executes dropped EXE
PID:3132 -
C:\Windows\SysWOW64\Afjeceml.exeC:\Windows\system32\Afjeceml.exe24⤵
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\Aqoiqn32.exeC:\Windows\system32\Aqoiqn32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4396 -
C:\Windows\SysWOW64\Agiamhdo.exeC:\Windows\system32\Agiamhdo.exe26⤵
- Executes dropped EXE
PID:4532 -
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4608 -
C:\Windows\SysWOW64\Aglnbhal.exeC:\Windows\system32\Aglnbhal.exe28⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Amhfkopc.exeC:\Windows\system32\Amhfkopc.exe29⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Bcbohigp.exeC:\Windows\system32\Bcbohigp.exe30⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Bqfoamfj.exeC:\Windows\system32\Bqfoamfj.exe31⤵
- Executes dropped EXE
PID:4516 -
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe32⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Boklbi32.exeC:\Windows\system32\Boklbi32.exe33⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe34⤵
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\Bidqko32.exeC:\Windows\system32\Bidqko32.exe35⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Bciehh32.exeC:\Windows\system32\Bciehh32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3788 -
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe37⤵
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Bqmeal32.exeC:\Windows\system32\Bqmeal32.exe38⤵
- Executes dropped EXE
PID:3564 -
C:\Windows\SysWOW64\Bjfjka32.exeC:\Windows\system32\Bjfjka32.exe39⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Cmdfgm32.exeC:\Windows\system32\Cmdfgm32.exe40⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe41⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Cjhfpa32.exeC:\Windows\system32\Cjhfpa32.exe42⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Cmfclm32.exeC:\Windows\system32\Cmfclm32.exe43⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Ccqkigkp.exeC:\Windows\system32\Ccqkigkp.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Cimcan32.exeC:\Windows\system32\Cimcan32.exe45⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Cfadkb32.exeC:\Windows\system32\Cfadkb32.exe47⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Cpihcgoa.exeC:\Windows\system32\Cpihcgoa.exe48⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe49⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Ccgajfeh.exeC:\Windows\system32\Ccgajfeh.exe50⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Cffmfadl.exeC:\Windows\system32\Cffmfadl.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1928 -
C:\Windows\SysWOW64\Dmpfbk32.exeC:\Windows\system32\Dmpfbk32.exe52⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Dgejpd32.exeC:\Windows\system32\Dgejpd32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe54⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Dmdonkgc.exeC:\Windows\system32\Dmdonkgc.exe55⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Dfmcfp32.exeC:\Windows\system32\Dfmcfp32.exe56⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Dfoplpla.exeC:\Windows\system32\Dfoplpla.exe57⤵
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Dpgeee32.exeC:\Windows\system32\Dpgeee32.exe58⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Djmibn32.exeC:\Windows\system32\Djmibn32.exe59⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Eagaoh32.exeC:\Windows\system32\Eagaoh32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3768 -
C:\Windows\SysWOW64\Efdjgo32.exeC:\Windows\system32\Efdjgo32.exe61⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Eplnpeol.exeC:\Windows\system32\Eplnpeol.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Ehcfaboo.exeC:\Windows\system32\Ehcfaboo.exe63⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Eidbij32.exeC:\Windows\system32\Eidbij32.exe64⤵
- Executes dropped EXE
PID:4704 -
C:\Windows\SysWOW64\Edjgfcec.exeC:\Windows\system32\Edjgfcec.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:764 -
C:\Windows\SysWOW64\Ejdocm32.exeC:\Windows\system32\Ejdocm32.exe66⤵
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Eangpgcl.exeC:\Windows\system32\Eangpgcl.exe67⤵PID:4712
-
C:\Windows\SysWOW64\Efkphnbd.exeC:\Windows\system32\Efkphnbd.exe68⤵PID:1304
-
C:\Windows\SysWOW64\Emehdh32.exeC:\Windows\system32\Emehdh32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3664 -
C:\Windows\SysWOW64\Epcdqd32.exeC:\Windows\system32\Epcdqd32.exe70⤵PID:4916
-
C:\Windows\SysWOW64\Efmmmn32.exeC:\Windows\system32\Efmmmn32.exe71⤵PID:3908
-
C:\Windows\SysWOW64\Filiii32.exeC:\Windows\system32\Filiii32.exe72⤵PID:3364
-
C:\Windows\SysWOW64\Fpeafcfa.exeC:\Windows\system32\Fpeafcfa.exe73⤵PID:4464
-
C:\Windows\SysWOW64\Fhmigagd.exeC:\Windows\system32\Fhmigagd.exe74⤵PID:2124
-
C:\Windows\SysWOW64\Faenpf32.exeC:\Windows\system32\Faenpf32.exe75⤵
- Modifies registry class
PID:4684 -
C:\Windows\SysWOW64\Fgbfhmll.exeC:\Windows\system32\Fgbfhmll.exe76⤵PID:3888
-
C:\Windows\SysWOW64\Fpjjac32.exeC:\Windows\system32\Fpjjac32.exe77⤵PID:2804
-
C:\Windows\SysWOW64\Fgdbnmji.exeC:\Windows\system32\Fgdbnmji.exe78⤵PID:4352
-
C:\Windows\SysWOW64\Fpmggb32.exeC:\Windows\system32\Fpmggb32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:636 -
C:\Windows\SysWOW64\Fmqgpgoc.exeC:\Windows\system32\Fmqgpgoc.exe80⤵PID:1540
-
C:\Windows\SysWOW64\Fpodlbng.exeC:\Windows\system32\Fpodlbng.exe81⤵PID:4572
-
C:\Windows\SysWOW64\Fhflnpoi.exeC:\Windows\system32\Fhflnpoi.exe82⤵PID:2564
-
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe83⤵PID:2768
-
C:\Windows\SysWOW64\Gpaqbbld.exeC:\Windows\system32\Gpaqbbld.exe84⤵PID:1484
-
C:\Windows\SysWOW64\Gijekg32.exeC:\Windows\system32\Gijekg32.exe85⤵PID:3436
-
C:\Windows\SysWOW64\Gdoihpbk.exeC:\Windows\system32\Gdoihpbk.exe86⤵PID:1676
-
C:\Windows\SysWOW64\Gpfjma32.exeC:\Windows\system32\Gpfjma32.exe87⤵PID:2448
-
C:\Windows\SysWOW64\Gdafnpqh.exeC:\Windows\system32\Gdafnpqh.exe88⤵PID:4676
-
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe89⤵PID:4592
-
C:\Windows\SysWOW64\Gphgbafl.exeC:\Windows\system32\Gphgbafl.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4508 -
C:\Windows\SysWOW64\Ggbook32.exeC:\Windows\system32\Ggbook32.exe91⤵PID:1544
-
C:\Windows\SysWOW64\Giqkkf32.exeC:\Windows\system32\Giqkkf32.exe92⤵
- Drops file in System32 directory
PID:3952 -
C:\Windows\SysWOW64\Gahcmd32.exeC:\Windows\system32\Gahcmd32.exe93⤵
- Drops file in System32 directory
PID:1848 -
C:\Windows\SysWOW64\Gdfoio32.exeC:\Windows\system32\Gdfoio32.exe94⤵PID:3184
-
C:\Windows\SysWOW64\Hjchaf32.exeC:\Windows\system32\Hjchaf32.exe95⤵PID:2732
-
C:\Windows\SysWOW64\Hpmpnp32.exeC:\Windows\system32\Hpmpnp32.exe96⤵PID:2000
-
C:\Windows\SysWOW64\Hkbdki32.exeC:\Windows\system32\Hkbdki32.exe97⤵PID:3028
-
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe98⤵PID:3812
-
C:\Windows\SysWOW64\Hhfedm32.exeC:\Windows\system32\Hhfedm32.exe99⤵PID:1152
-
C:\Windows\SysWOW64\Hncmmd32.exeC:\Windows\system32\Hncmmd32.exe100⤵PID:4940
-
C:\Windows\SysWOW64\Hjjnae32.exeC:\Windows\system32\Hjjnae32.exe101⤵PID:1496
-
C:\Windows\SysWOW64\Hhknpmma.exeC:\Windows\system32\Hhknpmma.exe102⤵
- Modifies registry class
PID:4692 -
C:\Windows\SysWOW64\Hjlkge32.exeC:\Windows\system32\Hjlkge32.exe103⤵
- Modifies registry class
PID:4792 -
C:\Windows\SysWOW64\Idbodn32.exeC:\Windows\system32\Idbodn32.exe104⤵
- Modifies registry class
PID:4536 -
C:\Windows\SysWOW64\Ijogmdqm.exeC:\Windows\system32\Ijogmdqm.exe105⤵PID:4680
-
C:\Windows\SysWOW64\Iddljmpc.exeC:\Windows\system32\Iddljmpc.exe106⤵
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Ijadbdoj.exeC:\Windows\system32\Ijadbdoj.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4832 -
C:\Windows\SysWOW64\Iqklon32.exeC:\Windows\system32\Iqklon32.exe108⤵PID:4564
-
C:\Windows\SysWOW64\Igedlh32.exeC:\Windows\system32\Igedlh32.exe109⤵PID:844
-
C:\Windows\SysWOW64\Ijcahd32.exeC:\Windows\system32\Ijcahd32.exe110⤵
- Modifies registry class
PID:5144 -
C:\Windows\SysWOW64\Idieem32.exeC:\Windows\system32\Idieem32.exe111⤵PID:5184
-
C:\Windows\SysWOW64\Ikcmbfcj.exeC:\Windows\system32\Ikcmbfcj.exe112⤵PID:5224
-
C:\Windows\SysWOW64\Ibmeoq32.exeC:\Windows\system32\Ibmeoq32.exe113⤵PID:5264
-
C:\Windows\SysWOW64\Idkbkl32.exeC:\Windows\system32\Idkbkl32.exe114⤵PID:5312
-
C:\Windows\SysWOW64\Ibobdqid.exeC:\Windows\system32\Ibobdqid.exe115⤵PID:5356
-
C:\Windows\SysWOW64\Jdnoplhh.exeC:\Windows\system32\Jdnoplhh.exe116⤵PID:5400
-
C:\Windows\SysWOW64\Jkhgmf32.exeC:\Windows\system32\Jkhgmf32.exe117⤵PID:5448
-
C:\Windows\SysWOW64\Jqdoem32.exeC:\Windows\system32\Jqdoem32.exe118⤵PID:5488
-
C:\Windows\SysWOW64\Jnhpoamf.exeC:\Windows\system32\Jnhpoamf.exe119⤵PID:5532
-
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5576 -
C:\Windows\SysWOW64\Jnkldqkc.exeC:\Windows\system32\Jnkldqkc.exe121⤵PID:5620
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-