Analysis
-
max time kernel
54s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
10-07-2024 21:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
34c7fcbb388da0356ea025cbcc2291d453c3824f04309ae0703059f8d8a07398.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
34c7fcbb388da0356ea025cbcc2291d453c3824f04309ae0703059f8d8a07398.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
34c7fcbb388da0356ea025cbcc2291d453c3824f04309ae0703059f8d8a07398.exe
-
Size
117KB
-
MD5
cd01f24005098385d408e4d25fcda24c
-
SHA1
0257b48604c32d2c8eae1d139c6179592400e9d4
-
SHA256
34c7fcbb388da0356ea025cbcc2291d453c3824f04309ae0703059f8d8a07398
-
SHA512
15966677a5d1ca09ed446fddf6a364b7542b90cda04c5e0644895dd100d5aad8d6f0c98d159c7b3a72a157b526c07bd3d60ddbabec8ed21cb4b48c85f7f1fdaf
-
SSDEEP
3072:SUDhj1KizpsqSYaq4lKSLmsdbuFFfUrQlM:Sk3aqwL9CTfMQ
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pikaqppk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 34c7fcbb388da0356ea025cbcc2291d453c3824f04309ae0703059f8d8a07398.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ienfml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eijffhjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iggbdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hoegoqng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfppfcmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqffna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcihdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fejjah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhikhefb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dlqgob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehonebqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcknjidn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmapna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gofajcog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjpmkdpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofnppgbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acdfki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjnaehgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cneiki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoegoqng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngoinfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bocfch32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjlnaghp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgjjdijo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlqgob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acplpjpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdmhcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iggbdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omjeba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhdlbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onmgeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djkodg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phklcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flmlmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lohiob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfpkfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpbhmiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pikaqppk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fomndhng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Faikbkhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfppfcmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohhcokmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lolbjahp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hqemlbqi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgmfjdbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkgqpjch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gemfghek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkajkoml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eoanij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cicggcke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkiooocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkajkoml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efbpihoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Doocln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eekdmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpblne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elaego32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjmiknng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eipjmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omlahqeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjnjfffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lolbjahp.exe -
Executes dropped EXE 64 IoCs
pid Process 2224 Dlqgob32.exe 2584 Doocln32.exe 2780 Dbmlal32.exe 2756 Dgoakpjn.exe 2792 Ehonebqq.exe 2796 Eipjmk32.exe 2684 Elqcnfdp.exe 3064 Epnldd32.exe 1912 Eekdmk32.exe 1104 Fadagl32.exe 1112 Fnkblm32.exe 3040 Faikbkhj.exe 956 Fkapkq32.exe 2440 Gofajcog.exe 852 Gjkfglom.exe 884 Gmloigln.exe 1680 Gmnlog32.exe 804 Gfgpgmql.exe 520 Helmiiec.exe 1020 Hgmfjdbe.exe 1616 Heqfdh32.exe 2500 Hiblmldn.exe 1884 Hchpjddc.exe 3024 Imcaijia.exe 3036 Ienfml32.exe 2912 Ihooog32.exe 1564 Ibdclp32.exe 2772 Jhchjgoh.exe 2872 Jmpqbnmp.exe 2640 Jmejmm32.exe 2668 Jepoao32.exe 2636 Joicje32.exe 2704 Kbflqccl.exe 2720 Kommediq.exe 1720 Khhndi32.exe 1696 Kngcbpjc.exe 1152 Ljbmbpkb.exe 880 Lfingaaf.exe 1180 Lkhcdhmk.exe 2320 Mkkpjg32.exe 2416 Mjpmkdpp.exe 1928 Mcknjidn.exe 2544 Mqoocmcg.exe 2208 Mjgclcjh.exe 1752 Nfppfcmj.exe 3020 Npieoi32.exe 1596 Neemgp32.exe 1932 Nhdjdk32.exe 1836 Nbinad32.exe 3028 Nicfnn32.exe 2568 Naokbq32.exe 2892 Ohhcokmp.exe 2832 Omekgakg.exe 2060 Ofnppgbh.exe 2820 Omhhma32.exe 2676 Ohmljj32.exe 588 Omjeba32.exe 996 Obgmjh32.exe 2944 Omlahqeo.exe 1944 Obijpgcf.exe 2156 Plaoim32.exe 1640 Pfgcff32.exe 2028 Pldknmhd.exe 1500 Paqdgcfl.exe -
Loads dropped DLL 64 IoCs
pid Process 2256 34c7fcbb388da0356ea025cbcc2291d453c3824f04309ae0703059f8d8a07398.exe 2256 34c7fcbb388da0356ea025cbcc2291d453c3824f04309ae0703059f8d8a07398.exe 2224 Dlqgob32.exe 2224 Dlqgob32.exe 2584 Doocln32.exe 2584 Doocln32.exe 2780 Dbmlal32.exe 2780 Dbmlal32.exe 2756 Dgoakpjn.exe 2756 Dgoakpjn.exe 2792 Ehonebqq.exe 2792 Ehonebqq.exe 2796 Eipjmk32.exe 2796 Eipjmk32.exe 2684 Elqcnfdp.exe 2684 Elqcnfdp.exe 3064 Epnldd32.exe 3064 Epnldd32.exe 1912 Eekdmk32.exe 1912 Eekdmk32.exe 1104 Fadagl32.exe 1104 Fadagl32.exe 1112 Fnkblm32.exe 1112 Fnkblm32.exe 3040 Faikbkhj.exe 3040 Faikbkhj.exe 956 Fkapkq32.exe 956 Fkapkq32.exe 2440 Gofajcog.exe 2440 Gofajcog.exe 852 Gjkfglom.exe 852 Gjkfglom.exe 884 Gmloigln.exe 884 Gmloigln.exe 1680 Gmnlog32.exe 1680 Gmnlog32.exe 804 Gfgpgmql.exe 804 Gfgpgmql.exe 520 Helmiiec.exe 520 Helmiiec.exe 1020 Hgmfjdbe.exe 1020 Hgmfjdbe.exe 1616 Heqfdh32.exe 1616 Heqfdh32.exe 2500 Hiblmldn.exe 2500 Hiblmldn.exe 1884 Hchpjddc.exe 1884 Hchpjddc.exe 3024 Imcaijia.exe 3024 Imcaijia.exe 3036 Ienfml32.exe 3036 Ienfml32.exe 2912 Ihooog32.exe 2912 Ihooog32.exe 1564 Ibdclp32.exe 1564 Ibdclp32.exe 2772 Jhchjgoh.exe 2772 Jhchjgoh.exe 2872 Jmpqbnmp.exe 2872 Jmpqbnmp.exe 2640 Jmejmm32.exe 2640 Jmejmm32.exe 2668 Jepoao32.exe 2668 Jepoao32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ppgfciee.exe Pbcfie32.exe File created C:\Windows\SysWOW64\Didlinpd.dll Akjjifji.exe File created C:\Windows\SysWOW64\Faikbkhj.exe Fnkblm32.exe File created C:\Windows\SysWOW64\Bnbldghq.dll Jmpqbnmp.exe File created C:\Windows\SysWOW64\Bqnknp32.dll Gacgli32.exe File created C:\Windows\SysWOW64\Lpbhmiji.exe Ldlghhde.exe File opened for modification C:\Windows\SysWOW64\Pdjpmi32.exe Onmgeb32.exe File created C:\Windows\SysWOW64\Ppencmog.dll Panpgn32.exe File created C:\Windows\SysWOW64\Febmfcjj.exe Feppqc32.exe File opened for modification C:\Windows\SysWOW64\Hjnaehgj.exe Hqemlbqi.exe File created C:\Windows\SysWOW64\Kcfifj32.dll Hgmfjdbe.exe File created C:\Windows\SysWOW64\Holjmiol.dll Lolbjahp.exe File created C:\Windows\SysWOW64\Ldlghhde.exe Lkccob32.exe File opened for modification C:\Windows\SysWOW64\Cqneaodd.exe Ckamihfm.exe File created C:\Windows\SysWOW64\Fkpeojha.exe Febmfcjj.exe File created C:\Windows\SysWOW64\Ciknhb32.exe Cneiki32.exe File created C:\Windows\SysWOW64\Nnfeep32.exe Nqbdllld.exe File created C:\Windows\SysWOW64\Nmkbfmpf.exe Ngoinfao.exe File opened for modification C:\Windows\SysWOW64\Ppgfciee.exe Pbcfie32.exe File opened for modification C:\Windows\SysWOW64\Eipjmk32.exe Ehonebqq.exe File opened for modification C:\Windows\SysWOW64\Ljbmbpkb.exe Kngcbpjc.exe File opened for modification C:\Windows\SysWOW64\Qicoleno.exe Phabdmgq.exe File opened for modification C:\Windows\SysWOW64\Dcihdo32.exe Dmopge32.exe File created C:\Windows\SysWOW64\Jdplmflg.exe Jhikhefb.exe File created C:\Windows\SysWOW64\Pdbabndd.dll Lhpmhgbf.exe File created C:\Windows\SysWOW64\Kmqqeq32.dll Gcocnk32.exe File created C:\Windows\SysWOW64\Hiblmldn.exe Heqfdh32.exe File created C:\Windows\SysWOW64\Naokbq32.exe Nnpofe32.exe File created C:\Windows\SysWOW64\Qicoleno.exe Phabdmgq.exe File created C:\Windows\SysWOW64\Gocnjn32.exe Fejjah32.exe File created C:\Windows\SysWOW64\Lhpmhgbf.exe Lohiob32.exe File created C:\Windows\SysWOW64\Obdjjb32.exe Nmkbfmpf.exe File opened for modification C:\Windows\SysWOW64\Fhfihd32.exe Falakjag.exe File opened for modification C:\Windows\SysWOW64\Gjcekj32.exe Gdfmccfm.exe File created C:\Windows\SysWOW64\Lkccob32.exe Lolbjahp.exe File created C:\Windows\SysWOW64\Bocfch32.exe Bjgmka32.exe File opened for modification C:\Windows\SysWOW64\Jmejmm32.exe Jmpqbnmp.exe File opened for modification C:\Windows\SysWOW64\Jepoao32.exe Jmejmm32.exe File created C:\Windows\SysWOW64\Qonapd32.dll Obgmjh32.exe File opened for modification C:\Windows\SysWOW64\Akbgdkgm.exe Afeold32.exe File created C:\Windows\SysWOW64\Hcnfjpib.exe Hhhblgim.exe File created C:\Windows\SysWOW64\Iqmcmaja.exe Hfdbji32.exe File opened for modification C:\Windows\SysWOW64\Hqemlbqi.exe Hjkdoh32.exe File created C:\Windows\SysWOW64\Maonll32.dll Hfdbji32.exe File opened for modification C:\Windows\SysWOW64\Naokbq32.exe Nnpofe32.exe File created C:\Windows\SysWOW64\Mnpkkdjl.dll Bjlnaghp.exe File created C:\Windows\SysWOW64\Cfjdfg32.exe Cmapna32.exe File opened for modification C:\Windows\SysWOW64\Fejjah32.exe Fhfihd32.exe File created C:\Windows\SysWOW64\Idegal32.dll Johlpoij.exe File opened for modification C:\Windows\SysWOW64\Bfpkfb32.exe Blgfml32.exe File created C:\Windows\SysWOW64\Bmmjkf32.dll Cjkcedgp.exe File opened for modification C:\Windows\SysWOW64\Mcknjidn.exe Mjpmkdpp.exe File created C:\Windows\SysWOW64\Ohhcokmp.exe Naokbq32.exe File opened for modification C:\Windows\SysWOW64\Bqffna32.exe Bjlnaghp.exe File created C:\Windows\SysWOW64\Dlfina32.exe Djemfibq.exe File created C:\Windows\SysWOW64\Kldchgag.exe Kekkkm32.exe File opened for modification C:\Windows\SysWOW64\Mbhnpplb.exe Mjmiknng.exe File created C:\Windows\SysWOW64\Pdnihiad.exe Piiekp32.exe File created C:\Windows\SysWOW64\Cgjjdijo.exe Cmeffp32.exe File created C:\Windows\SysWOW64\Dgoakpjn.exe Dbmlal32.exe File created C:\Windows\SysWOW64\Obijpgcf.exe Omlahqeo.exe File created C:\Windows\SysWOW64\Pbpilaid.dll Afeold32.exe File created C:\Windows\SysWOW64\Dcihdo32.exe Dmopge32.exe File created C:\Windows\SysWOW64\Dhniof32.dll Gkiooocb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3928 3980 WerFault.exe 283 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkgqpjch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhniof32.dll" Gkiooocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebhani32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjnaehgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Omlahqeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akbgdkgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phpjbcci.dll" Bgcdcjpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndcfjlj.dll" Cklpml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djkodg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkdfdn32.dll" Eaegaaah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phklcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdcnhqfk.dll" Achlch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aojbpoih.dll" Bfpkfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfjijn32.dll" Hhhblgim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qkcdigpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pldknmhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faohlp32.dll" Ajlabc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gjcekj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pahemgbf.dll" Pdjpmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnepjk32.dll" Bjgmka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dofonpnk.dll" Ckamihfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Doocln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imnhahoi.dll" Ohmljj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjkcedgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmbkfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djemfibq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igioiacg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkajkoml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkchooim.dll" Klimcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dippfplg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mcknjidn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbllph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llloeb32.dll" Gemfghek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdplmflg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnaacb32.dll" Ppgfciee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blgfml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdmbl32.dll" Hchpjddc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eoqeekme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkhcdhmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omldapkm.dll" Plaoim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdklnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhdlbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gofajcog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khhndi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gafcahil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmqqeq32.dll" Gcocnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjpmkdpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Acplpjpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbfojg32.dll" Nqbdllld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cklpml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hfdbji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbflqccl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkndijfb.dll" Nicfnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgpjin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggppdpif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhgnbehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fngplbcl.dll" Qeihfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imcaijia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjgdfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afeold32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gemfghek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebgiin32.dll" Imdjlida.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlbhlf32.dll" Bhgaan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eeijpdbd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2256 wrote to memory of 2224 2256 34c7fcbb388da0356ea025cbcc2291d453c3824f04309ae0703059f8d8a07398.exe 29 PID 2256 wrote to memory of 2224 2256 34c7fcbb388da0356ea025cbcc2291d453c3824f04309ae0703059f8d8a07398.exe 29 PID 2256 wrote to memory of 2224 2256 34c7fcbb388da0356ea025cbcc2291d453c3824f04309ae0703059f8d8a07398.exe 29 PID 2256 wrote to memory of 2224 2256 34c7fcbb388da0356ea025cbcc2291d453c3824f04309ae0703059f8d8a07398.exe 29 PID 2224 wrote to memory of 2584 2224 Dlqgob32.exe 30 PID 2224 wrote to memory of 2584 2224 Dlqgob32.exe 30 PID 2224 wrote to memory of 2584 2224 Dlqgob32.exe 30 PID 2224 wrote to memory of 2584 2224 Dlqgob32.exe 30 PID 2584 wrote to memory of 2780 2584 Doocln32.exe 31 PID 2584 wrote to memory of 2780 2584 Doocln32.exe 31 PID 2584 wrote to memory of 2780 2584 Doocln32.exe 31 PID 2584 wrote to memory of 2780 2584 Doocln32.exe 31 PID 2780 wrote to memory of 2756 2780 Dbmlal32.exe 32 PID 2780 wrote to memory of 2756 2780 Dbmlal32.exe 32 PID 2780 wrote to memory of 2756 2780 Dbmlal32.exe 32 PID 2780 wrote to memory of 2756 2780 Dbmlal32.exe 32 PID 2756 wrote to memory of 2792 2756 Dgoakpjn.exe 33 PID 2756 wrote to memory of 2792 2756 Dgoakpjn.exe 33 PID 2756 wrote to memory of 2792 2756 Dgoakpjn.exe 33 PID 2756 wrote to memory of 2792 2756 Dgoakpjn.exe 33 PID 2792 wrote to memory of 2796 2792 Ehonebqq.exe 34 PID 2792 wrote to memory of 2796 2792 Ehonebqq.exe 34 PID 2792 wrote to memory of 2796 2792 Ehonebqq.exe 34 PID 2792 wrote to memory of 2796 2792 Ehonebqq.exe 34 PID 2796 wrote to memory of 2684 2796 Eipjmk32.exe 35 PID 2796 wrote to memory of 2684 2796 Eipjmk32.exe 35 PID 2796 wrote to memory of 2684 2796 Eipjmk32.exe 35 PID 2796 wrote to memory of 2684 2796 Eipjmk32.exe 35 PID 2684 wrote to memory of 3064 2684 Elqcnfdp.exe 36 PID 2684 wrote to memory of 3064 2684 Elqcnfdp.exe 36 PID 2684 wrote to memory of 3064 2684 Elqcnfdp.exe 36 PID 2684 wrote to memory of 3064 2684 Elqcnfdp.exe 36 PID 3064 wrote to memory of 1912 3064 Epnldd32.exe 37 PID 3064 wrote to memory of 1912 3064 Epnldd32.exe 37 PID 3064 wrote to memory of 1912 3064 Epnldd32.exe 37 PID 3064 wrote to memory of 1912 3064 Epnldd32.exe 37 PID 1912 wrote to memory of 1104 1912 Eekdmk32.exe 38 PID 1912 wrote to memory of 1104 1912 Eekdmk32.exe 38 PID 1912 wrote to memory of 1104 1912 Eekdmk32.exe 38 PID 1912 wrote to memory of 1104 1912 Eekdmk32.exe 38 PID 1104 wrote to memory of 1112 1104 Fadagl32.exe 39 PID 1104 wrote to memory of 1112 1104 Fadagl32.exe 39 PID 1104 wrote to memory of 1112 1104 Fadagl32.exe 39 PID 1104 wrote to memory of 1112 1104 Fadagl32.exe 39 PID 1112 wrote to memory of 3040 1112 Fnkblm32.exe 40 PID 1112 wrote to memory of 3040 1112 Fnkblm32.exe 40 PID 1112 wrote to memory of 3040 1112 Fnkblm32.exe 40 PID 1112 wrote to memory of 3040 1112 Fnkblm32.exe 40 PID 3040 wrote to memory of 956 3040 Faikbkhj.exe 41 PID 3040 wrote to memory of 956 3040 Faikbkhj.exe 41 PID 3040 wrote to memory of 956 3040 Faikbkhj.exe 41 PID 3040 wrote to memory of 956 3040 Faikbkhj.exe 41 PID 956 wrote to memory of 2440 956 Fkapkq32.exe 42 PID 956 wrote to memory of 2440 956 Fkapkq32.exe 42 PID 956 wrote to memory of 2440 956 Fkapkq32.exe 42 PID 956 wrote to memory of 2440 956 Fkapkq32.exe 42 PID 2440 wrote to memory of 852 2440 Gofajcog.exe 43 PID 2440 wrote to memory of 852 2440 Gofajcog.exe 43 PID 2440 wrote to memory of 852 2440 Gofajcog.exe 43 PID 2440 wrote to memory of 852 2440 Gofajcog.exe 43 PID 852 wrote to memory of 884 852 Gjkfglom.exe 44 PID 852 wrote to memory of 884 852 Gjkfglom.exe 44 PID 852 wrote to memory of 884 852 Gjkfglom.exe 44 PID 852 wrote to memory of 884 852 Gjkfglom.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\34c7fcbb388da0356ea025cbcc2291d453c3824f04309ae0703059f8d8a07398.exe"C:\Users\Admin\AppData\Local\Temp\34c7fcbb388da0356ea025cbcc2291d453c3824f04309ae0703059f8d8a07398.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Dlqgob32.exeC:\Windows\system32\Dlqgob32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Doocln32.exeC:\Windows\system32\Doocln32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Dbmlal32.exeC:\Windows\system32\Dbmlal32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Dgoakpjn.exeC:\Windows\system32\Dgoakpjn.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Ehonebqq.exeC:\Windows\system32\Ehonebqq.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Eipjmk32.exeC:\Windows\system32\Eipjmk32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Elqcnfdp.exeC:\Windows\system32\Elqcnfdp.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Epnldd32.exeC:\Windows\system32\Epnldd32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Eekdmk32.exeC:\Windows\system32\Eekdmk32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Fadagl32.exeC:\Windows\system32\Fadagl32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Fnkblm32.exeC:\Windows\system32\Fnkblm32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Windows\SysWOW64\Faikbkhj.exeC:\Windows\system32\Faikbkhj.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Fkapkq32.exeC:\Windows\system32\Fkapkq32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\SysWOW64\Gofajcog.exeC:\Windows\system32\Gofajcog.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Gjkfglom.exeC:\Windows\system32\Gjkfglom.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\SysWOW64\Gmloigln.exeC:\Windows\system32\Gmloigln.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:884 -
C:\Windows\SysWOW64\Gmnlog32.exeC:\Windows\system32\Gmnlog32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1680 -
C:\Windows\SysWOW64\Gfgpgmql.exeC:\Windows\system32\Gfgpgmql.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:804 -
C:\Windows\SysWOW64\Helmiiec.exeC:\Windows\system32\Helmiiec.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:520 -
C:\Windows\SysWOW64\Hgmfjdbe.exeC:\Windows\system32\Hgmfjdbe.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1020 -
C:\Windows\SysWOW64\Heqfdh32.exeC:\Windows\system32\Heqfdh32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\Hiblmldn.exeC:\Windows\system32\Hiblmldn.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2500 -
C:\Windows\SysWOW64\Hchpjddc.exeC:\Windows\system32\Hchpjddc.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1884 -
C:\Windows\SysWOW64\Imcaijia.exeC:\Windows\system32\Imcaijia.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Ienfml32.exeC:\Windows\system32\Ienfml32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Ihooog32.exeC:\Windows\system32\Ihooog32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2912 -
C:\Windows\SysWOW64\Ibdclp32.exeC:\Windows\system32\Ibdclp32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1564 -
C:\Windows\SysWOW64\Jhchjgoh.exeC:\Windows\system32\Jhchjgoh.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Jmpqbnmp.exeC:\Windows\system32\Jmpqbnmp.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Jmejmm32.exeC:\Windows\system32\Jmejmm32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Jepoao32.exeC:\Windows\system32\Jepoao32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Joicje32.exeC:\Windows\system32\Joicje32.exe33⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Kbflqccl.exeC:\Windows\system32\Kbflqccl.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Kommediq.exeC:\Windows\system32\Kommediq.exe35⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Khhndi32.exeC:\Windows\system32\Khhndi32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Kngcbpjc.exeC:\Windows\system32\Kngcbpjc.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1696 -
C:\Windows\SysWOW64\Ljbmbpkb.exeC:\Windows\system32\Ljbmbpkb.exe38⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Lfingaaf.exeC:\Windows\system32\Lfingaaf.exe39⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Lkhcdhmk.exeC:\Windows\system32\Lkhcdhmk.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1180 -
C:\Windows\SysWOW64\Mkkpjg32.exeC:\Windows\system32\Mkkpjg32.exe41⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Mjpmkdpp.exeC:\Windows\system32\Mjpmkdpp.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Mcknjidn.exeC:\Windows\system32\Mcknjidn.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1928 -
C:\Windows\SysWOW64\Mqoocmcg.exeC:\Windows\system32\Mqoocmcg.exe44⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Mjgclcjh.exeC:\Windows\system32\Mjgclcjh.exe45⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Nfppfcmj.exeC:\Windows\system32\Nfppfcmj.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Npieoi32.exeC:\Windows\system32\Npieoi32.exe47⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Neemgp32.exeC:\Windows\system32\Neemgp32.exe48⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Nhdjdk32.exeC:\Windows\system32\Nhdjdk32.exe49⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Nbinad32.exeC:\Windows\system32\Nbinad32.exe50⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Nicfnn32.exeC:\Windows\system32\Nicfnn32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Nnpofe32.exeC:\Windows\system32\Nnpofe32.exe52⤵
- Drops file in System32 directory
PID:1560 -
C:\Windows\SysWOW64\Naokbq32.exeC:\Windows\system32\Naokbq32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Ohhcokmp.exeC:\Windows\system32\Ohhcokmp.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Omekgakg.exeC:\Windows\system32\Omekgakg.exe55⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Ofnppgbh.exeC:\Windows\system32\Ofnppgbh.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Omhhma32.exeC:\Windows\system32\Omhhma32.exe57⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Ohmljj32.exeC:\Windows\system32\Ohmljj32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Omjeba32.exeC:\Windows\system32\Omjeba32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Obgmjh32.exeC:\Windows\system32\Obgmjh32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:996 -
C:\Windows\SysWOW64\Omlahqeo.exeC:\Windows\system32\Omlahqeo.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Obijpgcf.exeC:\Windows\system32\Obijpgcf.exe62⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Plaoim32.exeC:\Windows\system32\Plaoim32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Pfgcff32.exeC:\Windows\system32\Pfgcff32.exe64⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Pldknmhd.exeC:\Windows\system32\Pldknmhd.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Paqdgcfl.exeC:\Windows\system32\Paqdgcfl.exe66⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Phklcn32.exeC:\Windows\system32\Phklcn32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1004 -
C:\Windows\SysWOW64\Pacqlcdi.exeC:\Windows\system32\Pacqlcdi.exe68⤵PID:2124
-
C:\Windows\SysWOW64\Pkkeeikj.exeC:\Windows\system32\Pkkeeikj.exe69⤵PID:752
-
C:\Windows\SysWOW64\Paemac32.exeC:\Windows\system32\Paemac32.exe70⤵PID:1668
-
C:\Windows\SysWOW64\Pgbejj32.exeC:\Windows\system32\Pgbejj32.exe71⤵PID:2300
-
C:\Windows\SysWOW64\Phabdmgq.exeC:\Windows\system32\Phabdmgq.exe72⤵
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Qicoleno.exeC:\Windows\system32\Qicoleno.exe73⤵PID:2900
-
C:\Windows\SysWOW64\Qkbkfh32.exeC:\Windows\system32\Qkbkfh32.exe74⤵PID:3052
-
C:\Windows\SysWOW64\Qdkpomkb.exeC:\Windows\system32\Qdkpomkb.exe75⤵PID:1692
-
C:\Windows\SysWOW64\Ancdgcab.exeC:\Windows\system32\Ancdgcab.exe76⤵PID:3068
-
C:\Windows\SysWOW64\Acplpjpj.exeC:\Windows\system32\Acplpjpj.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1016 -
C:\Windows\SysWOW64\Ahmehqna.exeC:\Windows\system32\Ahmehqna.exe78⤵PID:2920
-
C:\Windows\SysWOW64\Aogmdk32.exeC:\Windows\system32\Aogmdk32.exe79⤵PID:3008
-
C:\Windows\SysWOW64\Ajlabc32.exeC:\Windows\system32\Ajlabc32.exe80⤵
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Acdfki32.exeC:\Windows\system32\Acdfki32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2608 -
C:\Windows\SysWOW64\Ahancp32.exeC:\Windows\system32\Ahancp32.exe82⤵PID:1820
-
C:\Windows\SysWOW64\Afeold32.exeC:\Windows\system32\Afeold32.exe83⤵
- Drops file in System32 directory
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Akbgdkgm.exeC:\Windows\system32\Akbgdkgm.exe84⤵
- Modifies registry class
PID:948 -
C:\Windows\SysWOW64\Bdklnq32.exeC:\Windows\system32\Bdklnq32.exe85⤵
- Modifies registry class
PID:1000 -
C:\Windows\SysWOW64\Bjgdfg32.exeC:\Windows\system32\Bjgdfg32.exe86⤵
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Bdmhcp32.exeC:\Windows\system32\Bdmhcp32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1684 -
C:\Windows\SysWOW64\Bkgqpjch.exeC:\Windows\system32\Bkgqpjch.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Bqciha32.exeC:\Windows\system32\Bqciha32.exe89⤵PID:2468
-
C:\Windows\SysWOW64\Bjlnaghp.exeC:\Windows\system32\Bjlnaghp.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Bqffna32.exeC:\Windows\system32\Bqffna32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1648 -
C:\Windows\SysWOW64\Bjnjfffm.exeC:\Windows\system32\Bjnjfffm.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1116 -
C:\Windows\SysWOW64\Bqhbcqmj.exeC:\Windows\system32\Bqhbcqmj.exe93⤵PID:1920
-
C:\Windows\SysWOW64\Cicggcke.exeC:\Windows\system32\Cicggcke.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2620 -
C:\Windows\SysWOW64\Cbllph32.exeC:\Windows\system32\Cbllph32.exe95⤵
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Cmapna32.exeC:\Windows\system32\Cmapna32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:572 -
C:\Windows\SysWOW64\Cfjdfg32.exeC:\Windows\system32\Cfjdfg32.exe97⤵PID:2408
-
C:\Windows\SysWOW64\Cneiki32.exeC:\Windows\system32\Cneiki32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1328 -
C:\Windows\SysWOW64\Ciknhb32.exeC:\Windows\system32\Ciknhb32.exe99⤵PID:1800
-
C:\Windows\SysWOW64\Cngfqi32.exeC:\Windows\system32\Cngfqi32.exe100⤵PID:1192
-
C:\Windows\SysWOW64\Cafbmdbh.exeC:\Windows\system32\Cafbmdbh.exe101⤵PID:2204
-
C:\Windows\SysWOW64\Cgpjin32.exeC:\Windows\system32\Cgpjin32.exe102⤵
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Cnjbfhqa.exeC:\Windows\system32\Cnjbfhqa.exe103⤵PID:1312
-
C:\Windows\SysWOW64\Dcfknooi.exeC:\Windows\system32\Dcfknooi.exe104⤵PID:2940
-
C:\Windows\SysWOW64\Dmopge32.exeC:\Windows\system32\Dmopge32.exe105⤵
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Dcihdo32.exeC:\Windows\system32\Dcihdo32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2968 -
C:\Windows\SysWOW64\Dfgdpj32.exeC:\Windows\system32\Dfgdpj32.exe107⤵PID:1148
-
C:\Windows\SysWOW64\Dpphipbk.exeC:\Windows\system32\Dpphipbk.exe108⤵PID:2172
-
C:\Windows\SysWOW64\Djemfibq.exeC:\Windows\system32\Djemfibq.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:952 -
C:\Windows\SysWOW64\Dlfina32.exeC:\Windows\system32\Dlfina32.exe110⤵PID:1644
-
C:\Windows\SysWOW64\Eamdlf32.exeC:\Windows\system32\Eamdlf32.exe111⤵PID:1604
-
C:\Windows\SysWOW64\Eoqeekme.exeC:\Windows\system32\Eoqeekme.exe112⤵
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Eijffhjd.exeC:\Windows\system32\Eijffhjd.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1572 -
C:\Windows\SysWOW64\Flmlmc32.exeC:\Windows\system32\Flmlmc32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2996 -
C:\Windows\SysWOW64\Fcgdjmlo.exeC:\Windows\system32\Fcgdjmlo.exe115⤵PID:2768
-
C:\Windows\SysWOW64\Fhdlbd32.exeC:\Windows\system32\Fhdlbd32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Falakjag.exeC:\Windows\system32\Falakjag.exe117⤵
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Fhfihd32.exeC:\Windows\system32\Fhfihd32.exe118⤵
- Drops file in System32 directory
PID:2080 -
C:\Windows\SysWOW64\Fejjah32.exeC:\Windows\system32\Fejjah32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1552 -
C:\Windows\SysWOW64\Gocnjn32.exeC:\Windows\system32\Gocnjn32.exe120⤵PID:1388
-
C:\Windows\SysWOW64\Gemfghek.exeC:\Windows\system32\Gemfghek.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2268
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-