Analysis
-
max time kernel
142s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
10/07/2024, 05:55 UTC
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
dee94b3d8b7decaf6a67a88cf03868563ae53848064de9ce25ce9fdb6fe5284a.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
dee94b3d8b7decaf6a67a88cf03868563ae53848064de9ce25ce9fdb6fe5284a.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
dee94b3d8b7decaf6a67a88cf03868563ae53848064de9ce25ce9fdb6fe5284a.exe
-
Size
187KB
-
MD5
d3bb55280803fefda866ee56cf9f8448
-
SHA1
5253b68df3f69ec3c7190084a42ee2ce99e16d38
-
SHA256
dee94b3d8b7decaf6a67a88cf03868563ae53848064de9ce25ce9fdb6fe5284a
-
SHA512
7e842ce77d4ada5c9f453e732bb9b93a56c3ec3124772bd53ac5cd064597546613588aa734952a77490f016ce4e1dc4839e5c895619eb92cad24e64d65d6e12c
-
SSDEEP
3072:os4HSNKz0pPO5i/i4UGVgtRQ2c+tlB5xpWJLM77OkeCK2+hDueH:T/KzNYOGV+tbFOLM77OLLt
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anjojphb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anfggicl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fclbgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agolpnjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mbehgabe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plheil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihqilnig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pobeao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Haejcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbppqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahioobed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gknhjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiglfm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad dee94b3d8b7decaf6a67a88cf03868563ae53848064de9ce25ce9fdb6fe5284a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fihcdkom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjcajn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdlpkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmoaoikj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdkfic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fihcdkom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fleihi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibpjaagi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kblooa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlmiojla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehiiop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efkbdbai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akbelbpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieiegf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afecna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcfmfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgbolhoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imndmnob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgjcdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfihml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iagchmjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qkelme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffpkob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdeall32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmjdcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilhnjfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpnkep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekeiel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhdlbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccjbobnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccolja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijhkembk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgmlmj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddkbqfcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Koejqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lddoopbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmfjcajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qoonqmqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odfjdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmbmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbkffc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfjfpkji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpfgke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjajno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nidmhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmholgpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmdaeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bklaepbn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hchpjddc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlegic32.exe -
Executes dropped EXE 64 IoCs
pid Process 2128 Pibgfjdh.exe 2836 Qkelme32.exe 2772 Ajjinaco.exe 2672 Anjojphb.exe 2904 Afecna32.exe 1920 Ajcldpkd.exe 2188 Bmdefk32.exe 2388 Bhpclica.exe 1712 Bakdjn32.exe 2952 Cmdaeo32.exe 1364 Cpejfjha.exe 3028 Ccecheeb.exe 1564 Cpidai32.exe 2192 Dkeahf32.exe 2488 Dkhnmfle.exe 1784 Dhlogjko.exe 2520 Dkmghe32.exe 272 Eqnillbb.exe 1544 Efkbdbai.exe 1804 Ekjgbi32.exe 832 Ffpkob32.exe 2596 Fkldgi32.exe 2612 Fkoqmhii.exe 2572 Fclbgj32.exe 1808 Fmdfppkb.exe 1624 Gindjqnc.exe 1912 Gbfhcf32.exe 2744 Gpjilj32.exe 2876 Glaiak32.exe 2948 Gbmoceol.exe 2196 Hdeall32.exe 2248 Hbknmicj.exe 1052 Iekgod32.exe 1828 Ihlpqonl.exe 1512 Idcqep32.exe 1608 Ihqilnig.exe 772 Ihcfan32.exe 1100 Jpnkep32.exe 524 Jndhddaf.exe 2364 Jgmlmj32.exe 2092 Jkobgm32.exe 1240 Kdgfpbaf.exe 1572 Komjmk32.exe 940 Kghoan32.exe 1768 Kdlpkb32.exe 936 Knddcg32.exe 1764 Kmjaddii.exe 2260 Kgoebmip.exe 2416 Lqgjkbop.exe 1300 Ljpnch32.exe 2768 Lffohikd.exe 2884 Lkcgapjl.exe 2840 Lfilnh32.exe 2676 Lpapgnpb.exe 2700 Lgmekpmn.exe 2432 Laeidfdn.exe 2272 Mjmnmk32.exe 608 Mlmjgnaa.exe 2944 Mchokq32.exe 1620 Mnncii32.exe 572 Mfihml32.exe 432 Mpalfabn.exe 1936 Mjgqcj32.exe 1988 Nfmahkhh.exe -
Loads dropped DLL 64 IoCs
pid Process 1952 dee94b3d8b7decaf6a67a88cf03868563ae53848064de9ce25ce9fdb6fe5284a.exe 1952 dee94b3d8b7decaf6a67a88cf03868563ae53848064de9ce25ce9fdb6fe5284a.exe 2128 Pibgfjdh.exe 2128 Pibgfjdh.exe 2836 Qkelme32.exe 2836 Qkelme32.exe 2772 Ajjinaco.exe 2772 Ajjinaco.exe 2672 Anjojphb.exe 2672 Anjojphb.exe 2904 Afecna32.exe 2904 Afecna32.exe 1920 Ajcldpkd.exe 1920 Ajcldpkd.exe 2188 Bmdefk32.exe 2188 Bmdefk32.exe 2388 Bhpclica.exe 2388 Bhpclica.exe 1712 Bakdjn32.exe 1712 Bakdjn32.exe 2952 Cmdaeo32.exe 2952 Cmdaeo32.exe 1364 Cpejfjha.exe 1364 Cpejfjha.exe 3028 Ccecheeb.exe 3028 Ccecheeb.exe 1564 Cpidai32.exe 1564 Cpidai32.exe 2192 Dkeahf32.exe 2192 Dkeahf32.exe 2488 Dkhnmfle.exe 2488 Dkhnmfle.exe 1784 Dhlogjko.exe 1784 Dhlogjko.exe 2520 Dkmghe32.exe 2520 Dkmghe32.exe 272 Eqnillbb.exe 272 Eqnillbb.exe 1544 Efkbdbai.exe 1544 Efkbdbai.exe 1804 Ekjgbi32.exe 1804 Ekjgbi32.exe 832 Ffpkob32.exe 832 Ffpkob32.exe 2596 Fkldgi32.exe 2596 Fkldgi32.exe 2612 Fkoqmhii.exe 2612 Fkoqmhii.exe 2572 Fclbgj32.exe 2572 Fclbgj32.exe 1808 Fmdfppkb.exe 1808 Fmdfppkb.exe 1624 Gindjqnc.exe 1624 Gindjqnc.exe 1912 Gbfhcf32.exe 1912 Gbfhcf32.exe 2744 Gpjilj32.exe 2744 Gpjilj32.exe 2876 Glaiak32.exe 2876 Glaiak32.exe 2948 Gbmoceol.exe 2948 Gbmoceol.exe 2196 Hdeall32.exe 2196 Hdeall32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kpcbhlki.exe Khhndi32.exe File created C:\Windows\SysWOW64\Kpeonkig.exe Kgmkef32.exe File opened for modification C:\Windows\SysWOW64\Mnpbgbdd.exe Mdhnnl32.exe File created C:\Windows\SysWOW64\Ofnppgbh.exe Onbkle32.exe File created C:\Windows\SysWOW64\Qcdgffab.dll Cfjdfg32.exe File created C:\Windows\SysWOW64\Jnjjcbiq.exe Jeofnpke.exe File created C:\Windows\SysWOW64\Kahciaog.exe Jgbolhoa.exe File created C:\Windows\SysWOW64\Cfpofi32.dll Pcagkmaj.exe File created C:\Windows\SysWOW64\Ooilcc32.dll Lkffohon.exe File created C:\Windows\SysWOW64\Bdkpid32.dll Mdhnnl32.exe File created C:\Windows\SysWOW64\Beboid32.dll Bkdbab32.exe File created C:\Windows\SysWOW64\Lnopmegg.exe Ldfldpqf.exe File created C:\Windows\SysWOW64\Jfiekc32.exe Jmpqbnmp.exe File created C:\Windows\SysWOW64\Lecjaf32.dll Cafbmdbh.exe File created C:\Windows\SysWOW64\Bpkphm32.dll Ljpnch32.exe File created C:\Windows\SysWOW64\Gimmpj32.exe Gngiba32.exe File created C:\Windows\SysWOW64\Omefae32.dll Mpalfabn.exe File created C:\Windows\SysWOW64\Pbppqf32.exe Pihlhagn.exe File created C:\Windows\SysWOW64\Kgpobfea.dll Lghgocek.exe File opened for modification C:\Windows\SysWOW64\Ihcfan32.exe Ihqilnig.exe File opened for modification C:\Windows\SysWOW64\Mjmnmk32.exe Laeidfdn.exe File created C:\Windows\SysWOW64\Cgjbbnaj.dll Dogbolep.exe File created C:\Windows\SysWOW64\Bklaepbn.exe Bebiifka.exe File created C:\Windows\SysWOW64\Ckkika32.dll Eqnillbb.exe File opened for modification C:\Windows\SysWOW64\Cdapjglj.exe Clfkfeno.exe File opened for modification C:\Windows\SysWOW64\Kfobmc32.exe Koejqi32.exe File created C:\Windows\SysWOW64\Cnacbj32.exe Cancif32.exe File created C:\Windows\SysWOW64\Oobiclmh.exe Nmbmii32.exe File created C:\Windows\SysWOW64\Hndedfkh.dll Kkqhbf32.exe File created C:\Windows\SysWOW64\Iapcle32.dll Jeofnpke.exe File created C:\Windows\SysWOW64\Cancif32.exe Ccjbobnf.exe File created C:\Windows\SysWOW64\Jjagnhnk.dll Mhopcl32.exe File created C:\Windows\SysWOW64\Magbbcbk.dll Qkelme32.exe File created C:\Windows\SysWOW64\Aempha32.dll Cmdaeo32.exe File opened for modification C:\Windows\SysWOW64\Dglkba32.exe Dihkimag.exe File created C:\Windows\SysWOW64\Gednek32.exe Gimmpj32.exe File created C:\Windows\SysWOW64\Baiingae.exe Bklaepbn.exe File created C:\Windows\SysWOW64\Goejaohk.dll Gmnlog32.exe File created C:\Windows\SysWOW64\Dpmlcpdm.exe Djqcki32.exe File created C:\Windows\SysWOW64\Fefhnhpc.dll Fmholgpj.exe File created C:\Windows\SysWOW64\Lfilnh32.exe Lkcgapjl.exe File created C:\Windows\SysWOW64\Ikpmge32.dll Bnekcm32.exe File opened for modification C:\Windows\SysWOW64\Fejjah32.exe Ficilgai.exe File created C:\Windows\SysWOW64\Boajohpm.dll Deahcneh.exe File created C:\Windows\SysWOW64\Hhaiooop.dll Plheil32.exe File opened for modification C:\Windows\SysWOW64\Ajjeld32.exe Ancdgcab.exe File opened for modification C:\Windows\SysWOW64\Bgnaekil.exe Bqciha32.exe File created C:\Windows\SysWOW64\Gggadc32.dll Jdbhcfjd.exe File created C:\Windows\SysWOW64\Ajjinaco.exe Qkelme32.exe File created C:\Windows\SysWOW64\Dhlogjko.exe Dkhnmfle.exe File created C:\Windows\SysWOW64\Edkahbmo.exe Ekblplgo.exe File created C:\Windows\SysWOW64\Agldbd32.dll Gacgli32.exe File opened for modification C:\Windows\SysWOW64\Lghgocek.exe Lnobfn32.exe File created C:\Windows\SysWOW64\Idpmejag.exe Idnppjcj.exe File created C:\Windows\SysWOW64\Qielqc32.dll Ebghkjjc.exe File created C:\Windows\SysWOW64\Fbloba32.exe Fjajno32.exe File created C:\Windows\SysWOW64\Kkljfj32.exe Kfobmc32.exe File opened for modification C:\Windows\SysWOW64\Eipjmk32.exe Dadehh32.exe File created C:\Windows\SysWOW64\Fmcbka32.dll Fohbqpki.exe File created C:\Windows\SysWOW64\Ilhnjfmi.exe Ibpjaagi.exe File created C:\Windows\SysWOW64\Nlmiojla.exe Necqbp32.exe File created C:\Windows\SysWOW64\Nmbmii32.exe Nalldh32.exe File created C:\Windows\SysWOW64\Kagbmg32.dll Aialjgbh.exe File created C:\Windows\SysWOW64\Maeljf32.dll Edkahbmo.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4736 4732 WerFault.exe 455 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmdfppkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hamgno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdobjgqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcpgomne.dll" Alknnodh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fkoqmhii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnimjoak.dll" Obcgaill.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnicncli.dll" Hoegoqng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffpkob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkqiadeq.dll" Fqheei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hchpjddc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iohcpqfg.dll" Jdplmflg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjkmfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhlogjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbdejenb.dll" Lgmekpmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcpnob32.dll" Peiaij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kppmpmal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnacbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Degobhjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nilpmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfmcnl32.dll" Nhffikob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Encbem32.dll" Gbmoceol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ekblplgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Folhio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhbjmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnkfoiql.dll" Pihlhagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ampncd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ccileljk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpbhphie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mekmbk32.dll" Opcejd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdapjglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edenjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faconabh.dll" Haejcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmmjolll.dll" Nmbmii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edhkpcdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkcgapjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kgghgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnoadiak.dll" Pkcfak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhemaec.dll" Eenabkfk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Omjeba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfjdfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cafamgkk.dll" Djqcki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phfkhk32.dll" Hqpjndio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Peiaij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jpnfdbig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpimnjhm.dll" Dkhnmfle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqonejfa.dll" Lqgjkbop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfgbdo32.dll" Lpapgnpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gggclfkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Plildb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccecheeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mpalfabn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ilblkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hfbckagm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibpjaagi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pieobaiq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efkbdbai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bcfmfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fopole32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lecegc32.dll" Gfbfln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agefobee.dll" Pgogla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqoaim32.dll" Gimmpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbkffc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdapjglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgihjl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1952 wrote to memory of 2128 1952 dee94b3d8b7decaf6a67a88cf03868563ae53848064de9ce25ce9fdb6fe5284a.exe 30 PID 1952 wrote to memory of 2128 1952 dee94b3d8b7decaf6a67a88cf03868563ae53848064de9ce25ce9fdb6fe5284a.exe 30 PID 1952 wrote to memory of 2128 1952 dee94b3d8b7decaf6a67a88cf03868563ae53848064de9ce25ce9fdb6fe5284a.exe 30 PID 1952 wrote to memory of 2128 1952 dee94b3d8b7decaf6a67a88cf03868563ae53848064de9ce25ce9fdb6fe5284a.exe 30 PID 2128 wrote to memory of 2836 2128 Pibgfjdh.exe 31 PID 2128 wrote to memory of 2836 2128 Pibgfjdh.exe 31 PID 2128 wrote to memory of 2836 2128 Pibgfjdh.exe 31 PID 2128 wrote to memory of 2836 2128 Pibgfjdh.exe 31 PID 2836 wrote to memory of 2772 2836 Qkelme32.exe 32 PID 2836 wrote to memory of 2772 2836 Qkelme32.exe 32 PID 2836 wrote to memory of 2772 2836 Qkelme32.exe 32 PID 2836 wrote to memory of 2772 2836 Qkelme32.exe 32 PID 2772 wrote to memory of 2672 2772 Ajjinaco.exe 33 PID 2772 wrote to memory of 2672 2772 Ajjinaco.exe 33 PID 2772 wrote to memory of 2672 2772 Ajjinaco.exe 33 PID 2772 wrote to memory of 2672 2772 Ajjinaco.exe 33 PID 2672 wrote to memory of 2904 2672 Anjojphb.exe 34 PID 2672 wrote to memory of 2904 2672 Anjojphb.exe 34 PID 2672 wrote to memory of 2904 2672 Anjojphb.exe 34 PID 2672 wrote to memory of 2904 2672 Anjojphb.exe 34 PID 2904 wrote to memory of 1920 2904 Afecna32.exe 35 PID 2904 wrote to memory of 1920 2904 Afecna32.exe 35 PID 2904 wrote to memory of 1920 2904 Afecna32.exe 35 PID 2904 wrote to memory of 1920 2904 Afecna32.exe 35 PID 1920 wrote to memory of 2188 1920 Ajcldpkd.exe 36 PID 1920 wrote to memory of 2188 1920 Ajcldpkd.exe 36 PID 1920 wrote to memory of 2188 1920 Ajcldpkd.exe 36 PID 1920 wrote to memory of 2188 1920 Ajcldpkd.exe 36 PID 2188 wrote to memory of 2388 2188 Bmdefk32.exe 37 PID 2188 wrote to memory of 2388 2188 Bmdefk32.exe 37 PID 2188 wrote to memory of 2388 2188 Bmdefk32.exe 37 PID 2188 wrote to memory of 2388 2188 Bmdefk32.exe 37 PID 2388 wrote to memory of 1712 2388 Bhpclica.exe 38 PID 2388 wrote to memory of 1712 2388 Bhpclica.exe 38 PID 2388 wrote to memory of 1712 2388 Bhpclica.exe 38 PID 2388 wrote to memory of 1712 2388 Bhpclica.exe 38 PID 1712 wrote to memory of 2952 1712 Bakdjn32.exe 39 PID 1712 wrote to memory of 2952 1712 Bakdjn32.exe 39 PID 1712 wrote to memory of 2952 1712 Bakdjn32.exe 39 PID 1712 wrote to memory of 2952 1712 Bakdjn32.exe 39 PID 2952 wrote to memory of 1364 2952 Cmdaeo32.exe 40 PID 2952 wrote to memory of 1364 2952 Cmdaeo32.exe 40 PID 2952 wrote to memory of 1364 2952 Cmdaeo32.exe 40 PID 2952 wrote to memory of 1364 2952 Cmdaeo32.exe 40 PID 1364 wrote to memory of 3028 1364 Cpejfjha.exe 41 PID 1364 wrote to memory of 3028 1364 Cpejfjha.exe 41 PID 1364 wrote to memory of 3028 1364 Cpejfjha.exe 41 PID 1364 wrote to memory of 3028 1364 Cpejfjha.exe 41 PID 3028 wrote to memory of 1564 3028 Ccecheeb.exe 42 PID 3028 wrote to memory of 1564 3028 Ccecheeb.exe 42 PID 3028 wrote to memory of 1564 3028 Ccecheeb.exe 42 PID 3028 wrote to memory of 1564 3028 Ccecheeb.exe 42 PID 1564 wrote to memory of 2192 1564 Cpidai32.exe 43 PID 1564 wrote to memory of 2192 1564 Cpidai32.exe 43 PID 1564 wrote to memory of 2192 1564 Cpidai32.exe 43 PID 1564 wrote to memory of 2192 1564 Cpidai32.exe 43 PID 2192 wrote to memory of 2488 2192 Dkeahf32.exe 44 PID 2192 wrote to memory of 2488 2192 Dkeahf32.exe 44 PID 2192 wrote to memory of 2488 2192 Dkeahf32.exe 44 PID 2192 wrote to memory of 2488 2192 Dkeahf32.exe 44 PID 2488 wrote to memory of 1784 2488 Dkhnmfle.exe 45 PID 2488 wrote to memory of 1784 2488 Dkhnmfle.exe 45 PID 2488 wrote to memory of 1784 2488 Dkhnmfle.exe 45 PID 2488 wrote to memory of 1784 2488 Dkhnmfle.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\dee94b3d8b7decaf6a67a88cf03868563ae53848064de9ce25ce9fdb6fe5284a.exe"C:\Users\Admin\AppData\Local\Temp\dee94b3d8b7decaf6a67a88cf03868563ae53848064de9ce25ce9fdb6fe5284a.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Pibgfjdh.exeC:\Windows\system32\Pibgfjdh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Qkelme32.exeC:\Windows\system32\Qkelme32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Ajjinaco.exeC:\Windows\system32\Ajjinaco.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Anjojphb.exeC:\Windows\system32\Anjojphb.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Afecna32.exeC:\Windows\system32\Afecna32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Ajcldpkd.exeC:\Windows\system32\Ajcldpkd.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Bmdefk32.exeC:\Windows\system32\Bmdefk32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Bhpclica.exeC:\Windows\system32\Bhpclica.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Bakdjn32.exeC:\Windows\system32\Bakdjn32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Cmdaeo32.exeC:\Windows\system32\Cmdaeo32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Cpejfjha.exeC:\Windows\system32\Cpejfjha.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\Ccecheeb.exeC:\Windows\system32\Ccecheeb.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Cpidai32.exeC:\Windows\system32\Cpidai32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Dkeahf32.exeC:\Windows\system32\Dkeahf32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Dkhnmfle.exeC:\Windows\system32\Dkhnmfle.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Dhlogjko.exeC:\Windows\system32\Dhlogjko.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Dkmghe32.exeC:\Windows\system32\Dkmghe32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2520 -
C:\Windows\SysWOW64\Eqnillbb.exeC:\Windows\system32\Eqnillbb.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:272 -
C:\Windows\SysWOW64\Efkbdbai.exeC:\Windows\system32\Efkbdbai.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Ekjgbi32.exeC:\Windows\system32\Ekjgbi32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804 -
C:\Windows\SysWOW64\Ffpkob32.exeC:\Windows\system32\Ffpkob32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:832 -
C:\Windows\SysWOW64\Fkldgi32.exeC:\Windows\system32\Fkldgi32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Fkoqmhii.exeC:\Windows\system32\Fkoqmhii.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Fclbgj32.exeC:\Windows\system32\Fclbgj32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2572 -
C:\Windows\SysWOW64\Fmdfppkb.exeC:\Windows\system32\Fmdfppkb.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Gindjqnc.exeC:\Windows\system32\Gindjqnc.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\Gbfhcf32.exeC:\Windows\system32\Gbfhcf32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1912 -
C:\Windows\SysWOW64\Gpjilj32.exeC:\Windows\system32\Gpjilj32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Glaiak32.exeC:\Windows\system32\Glaiak32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\Gbmoceol.exeC:\Windows\system32\Gbmoceol.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Hdeall32.exeC:\Windows\system32\Hdeall32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2196 -
C:\Windows\SysWOW64\Hbknmicj.exeC:\Windows\system32\Hbknmicj.exe33⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Iekgod32.exeC:\Windows\system32\Iekgod32.exe34⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Ihlpqonl.exeC:\Windows\system32\Ihlpqonl.exe35⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Idcqep32.exeC:\Windows\system32\Idcqep32.exe36⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Ihqilnig.exeC:\Windows\system32\Ihqilnig.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1608 -
C:\Windows\SysWOW64\Ihcfan32.exeC:\Windows\system32\Ihcfan32.exe38⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Jpnkep32.exeC:\Windows\system32\Jpnkep32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Jndhddaf.exeC:\Windows\system32\Jndhddaf.exe40⤵
- Executes dropped EXE
PID:524 -
C:\Windows\SysWOW64\Jgmlmj32.exeC:\Windows\system32\Jgmlmj32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Jkobgm32.exeC:\Windows\system32\Jkobgm32.exe42⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Kdgfpbaf.exeC:\Windows\system32\Kdgfpbaf.exe43⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Komjmk32.exeC:\Windows\system32\Komjmk32.exe44⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Kghoan32.exeC:\Windows\system32\Kghoan32.exe45⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Kdlpkb32.exeC:\Windows\system32\Kdlpkb32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Knddcg32.exeC:\Windows\system32\Knddcg32.exe47⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Kmjaddii.exeC:\Windows\system32\Kmjaddii.exe48⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Kgoebmip.exeC:\Windows\system32\Kgoebmip.exe49⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Lqgjkbop.exeC:\Windows\system32\Lqgjkbop.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Ljpnch32.exeC:\Windows\system32\Ljpnch32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1300 -
C:\Windows\SysWOW64\Lffohikd.exeC:\Windows\system32\Lffohikd.exe52⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Lkcgapjl.exeC:\Windows\system32\Lkcgapjl.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Lfilnh32.exeC:\Windows\system32\Lfilnh32.exe54⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Lpapgnpb.exeC:\Windows\system32\Lpapgnpb.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Lgmekpmn.exeC:\Windows\system32\Lgmekpmn.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Laeidfdn.exeC:\Windows\system32\Laeidfdn.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Mjmnmk32.exeC:\Windows\system32\Mjmnmk32.exe58⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Mlmjgnaa.exeC:\Windows\system32\Mlmjgnaa.exe59⤵
- Executes dropped EXE
PID:608 -
C:\Windows\SysWOW64\Mchokq32.exeC:\Windows\system32\Mchokq32.exe60⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Mnncii32.exeC:\Windows\system32\Mnncii32.exe61⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Mfihml32.exeC:\Windows\system32\Mfihml32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Mpalfabn.exeC:\Windows\system32\Mpalfabn.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:432 -
C:\Windows\SysWOW64\Mjgqcj32.exeC:\Windows\system32\Mjgqcj32.exe64⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Nfmahkhh.exeC:\Windows\system32\Nfmahkhh.exe65⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Noifmmec.exeC:\Windows\system32\Noifmmec.exe66⤵PID:2216
-
C:\Windows\SysWOW64\Nlmffa32.exeC:\Windows\system32\Nlmffa32.exe67⤵PID:1832
-
C:\Windows\SysWOW64\Niqgof32.exeC:\Windows\system32\Niqgof32.exe68⤵PID:2408
-
C:\Windows\SysWOW64\Nalldh32.exeC:\Windows\system32\Nalldh32.exe69⤵
- Drops file in System32 directory
PID:3052 -
C:\Windows\SysWOW64\Nmbmii32.exeC:\Windows\system32\Nmbmii32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Oobiclmh.exeC:\Windows\system32\Oobiclmh.exe71⤵PID:1584
-
C:\Windows\SysWOW64\Opcejd32.exeC:\Windows\system32\Opcejd32.exe72⤵
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Okijhmcm.exeC:\Windows\system32\Okijhmcm.exe73⤵PID:2740
-
C:\Windows\SysWOW64\Okkfmmqj.exeC:\Windows\system32\Okkfmmqj.exe74⤵PID:2620
-
C:\Windows\SysWOW64\Ophoecoa.exeC:\Windows\system32\Ophoecoa.exe75⤵PID:972
-
C:\Windows\SysWOW64\Oomlfpdi.exeC:\Windows\system32\Oomlfpdi.exe76⤵PID:636
-
C:\Windows\SysWOW64\Peiaij32.exeC:\Windows\system32\Peiaij32.exe77⤵
- Modifies registry class
PID:1088 -
C:\Windows\SysWOW64\Pobeao32.exeC:\Windows\system32\Pobeao32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2968 -
C:\Windows\SysWOW64\Pdonjf32.exeC:\Windows\system32\Pdonjf32.exe79⤵PID:2152
-
C:\Windows\SysWOW64\Pngbcldl.exeC:\Windows\system32\Pngbcldl.exe80⤵PID:2164
-
C:\Windows\SysWOW64\Pgogla32.exeC:\Windows\system32\Pgogla32.exe81⤵
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Phocfd32.exeC:\Windows\system32\Phocfd32.exe82⤵PID:2600
-
C:\Windows\SysWOW64\Pkmobp32.exeC:\Windows\system32\Pkmobp32.exe83⤵PID:752
-
C:\Windows\SysWOW64\Paghojip.exeC:\Windows\system32\Paghojip.exe84⤵PID:2444
-
C:\Windows\SysWOW64\Pchdfb32.exeC:\Windows\system32\Pchdfb32.exe85⤵PID:1028
-
C:\Windows\SysWOW64\Qdhqpe32.exeC:\Windows\system32\Qdhqpe32.exe86⤵PID:876
-
C:\Windows\SysWOW64\Ajibckpc.exeC:\Windows\system32\Ajibckpc.exe87⤵PID:1588
-
C:\Windows\SysWOW64\Acbglq32.exeC:\Windows\system32\Acbglq32.exe88⤵PID:2316
-
C:\Windows\SysWOW64\Aialjgbh.exeC:\Windows\system32\Aialjgbh.exe89⤵
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Aalaoipc.exeC:\Windows\system32\Aalaoipc.exe90⤵PID:1604
-
C:\Windows\SysWOW64\Akbelbpi.exeC:\Windows\system32\Akbelbpi.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2000 -
C:\Windows\SysWOW64\Bkdbab32.exeC:\Windows\system32\Bkdbab32.exe92⤵
- Drops file in System32 directory
PID:2112 -
C:\Windows\SysWOW64\Bemfjgdg.exeC:\Windows\system32\Bemfjgdg.exe93⤵PID:2872
-
C:\Windows\SysWOW64\Bnekcm32.exeC:\Windows\system32\Bnekcm32.exe94⤵
- Drops file in System32 directory
PID:1320 -
C:\Windows\SysWOW64\Bpfgke32.exeC:\Windows\system32\Bpfgke32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:908 -
C:\Windows\SysWOW64\Bmjhdi32.exeC:\Windows\system32\Bmjhdi32.exe96⤵PID:3036
-
C:\Windows\SysWOW64\Bfblmofp.exeC:\Windows\system32\Bfblmofp.exe97⤵PID:604
-
C:\Windows\SysWOW64\Bcfmfc32.exeC:\Windows\system32\Bcfmfc32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Bmoaoikj.exeC:\Windows\system32\Bmoaoikj.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2720 -
C:\Windows\SysWOW64\Chhbpfhi.exeC:\Windows\system32\Chhbpfhi.exe100⤵PID:1704
-
C:\Windows\SysWOW64\Clfkfeno.exeC:\Windows\system32\Clfkfeno.exe101⤵
- Drops file in System32 directory
PID:324 -
C:\Windows\SysWOW64\Cdapjglj.exeC:\Windows\system32\Cdapjglj.exe102⤵
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Cmjdcm32.exeC:\Windows\system32\Cmjdcm32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2824 -
C:\Windows\SysWOW64\Cahmik32.exeC:\Windows\system32\Cahmik32.exe104⤵PID:2812
-
C:\Windows\SysWOW64\Dbkffc32.exeC:\Windows\system32\Dbkffc32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Ddkbqfcp.exeC:\Windows\system32\Ddkbqfcp.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2624 -
C:\Windows\SysWOW64\Dihkimag.exeC:\Windows\system32\Dihkimag.exe107⤵
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Dglkba32.exeC:\Windows\system32\Dglkba32.exe108⤵PID:2156
-
C:\Windows\SysWOW64\Dmecokhm.exeC:\Windows\system32\Dmecokhm.exe109⤵PID:2228
-
C:\Windows\SysWOW64\Deahcneh.exeC:\Windows\system32\Deahcneh.exe110⤵
- Drops file in System32 directory
PID:800 -
C:\Windows\SysWOW64\Ehaaei32.exeC:\Windows\system32\Ehaaei32.exe111⤵PID:1680
-
C:\Windows\SysWOW64\Ecgeba32.exeC:\Windows\system32\Ecgeba32.exe112⤵PID:1980
-
C:\Windows\SysWOW64\Enqfco32.exeC:\Windows\system32\Enqfco32.exe113⤵PID:1580
-
C:\Windows\SysWOW64\Eopcmb32.exeC:\Windows\system32\Eopcmb32.exe114⤵PID:2856
-
C:\Windows\SysWOW64\Ehhgfgla.exeC:\Windows\system32\Ehhgfgla.exe115⤵PID:2808
-
C:\Windows\SysWOW64\Ecbhfeip.exeC:\Windows\system32\Ecbhfeip.exe116⤵PID:2208
-
C:\Windows\SysWOW64\Flkmokoa.exeC:\Windows\system32\Flkmokoa.exe117⤵PID:840
-
C:\Windows\SysWOW64\Fcdele32.exeC:\Windows\system32\Fcdele32.exe118⤵PID:2936
-
C:\Windows\SysWOW64\Fqheei32.exeC:\Windows\system32\Fqheei32.exe119⤵
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Fjajno32.exeC:\Windows\system32\Fjajno32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1720 -
C:\Windows\SysWOW64\Fbloba32.exeC:\Windows\system32\Fbloba32.exe121⤵PID:2748
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-