Analysis

max time kernel: 98s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 11/07/2024, 05:14

Static task: static1
Behavioral task: behavioral1
  Sample: c2b5e28c0981c5dcbea08bd0fe4bc8bfe48eb32a5e14b90c5297e090fdbc56aa.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: c2b5e28c0981c5dcbea08bd0fe4bc8bfe48eb32a5e14b90c5297e090fdbc56aa.exe
  Resource: win10v2004-20240709-en

General

Target: c2b5e28c0981c5dcbea08bd0fe4bc8bfe48eb32a5e14b90c5297e090fdbc56aa.exe
Size: 59KB
MD5: 93c695191d39d29c0457298b289eb2c6
SHA1: 948dc10aa78aff56bf0f6471b306f8e1d24f5c29
SHA256: c2b5e28c0981c5dcbea08bd0fe4bc8bfe48eb32a5e14b90c5297e090fdbc56aa
SHA512: 695c6a8a45bbb649d8ac4c0c100315a1d2b99cd2a98fb8e1779f197b08c6fd1db2db597958823f7a01c067ca8cfa1f6dbed5e820fe015edbf6dcdb2cdb8114f9
SSDEEP: 768:2eH22+mMMkU67ZsZg0DEBEyLJ1UoPiHON281veTp7XUaB+zRTtoiiSeB09B7O2pG:2eHflBUATEKGNPhev7SvO2LXO
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
  pid: 6600, pid_target: 6760, Process: Process not Found
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
(process chain; each entry is the child of the one above it, and the leading number is its nesting depth)

1. C:\Users\Admin\AppData\Local\Temp\c2b5e28c0981c5dcbea08bd0fe4bc8bfe48eb32a5e14b90c5297e090fdbc56aa.exe (PID 2388); command line: "C:\Users\Admin\AppData\Local\Temp\c2b5e28c0981c5dcbea08bd0fe4bc8bfe48eb32a5e14b90c5297e090fdbc56aa.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Fepnhjdh.exe (PID 2200); command line: C:\Windows\system32\Fepnhjdh.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Fnkblm32.exe (PID 2108); command line: C:\Windows\system32\Fnkblm32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Fdekigip.exe (PID 2760); command line: C:\Windows\system32\Fdekigip.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Fnnobl32.exe (PID 2740); command line: C:\Windows\system32\Fnnobl32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Fgfckbfa.exe (PID 2748); command line: C:\Windows\system32\Fgfckbfa.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Fjfllm32.exe (PID 2768); command line: C:\Windows\system32\Fjfllm32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Gfmmanif.exe (PID 2664); command line: C:\Windows\system32\Gfmmanif.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Gjkfglom.exe (PID 2484); command line: C:\Windows\system32\Gjkfglom.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Gfbfln32.exe (PID 1488); command line: C:\Windows\system32\Gfbfln32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Gmloigln.exe (PID 1980); command line: C:\Windows\system32\Gmloigln.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Gmnlog32.exe (PID 1148); command line: C:\Windows\system32\Gmnlog32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Gielchpp.exe (PID 1100); command line: C:\Windows\system32\Gielchpp.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Hqpahkmj.exe (PID 1608); command line: C:\Windows\system32\Hqpahkmj.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Hndaao32.exe (PID 3000); command line: C:\Windows\system32\Hndaao32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Haejcj32.exe (PID 852); command line: C:\Windows\system32\Haejcj32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Hpjgdf32.exe (PID 884); command line: C:\Windows\system32\Hpjgdf32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
18. C:\Windows\SysWOW64\Hbkpfa32.exe (PID 2020); command line: C:\Windows\system32\Hbkpfa32.exe
   - Executes dropped EXE
   - Loads dropped DLL
19. C:\Windows\SysWOW64\Icjmpd32.exe (PID 2608); command line: C:\Windows\system32\Icjmpd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
20. C:\Windows\SysWOW64\Iigehk32.exe (PID 1644); command line: C:\Windows\system32\Iigehk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
21. C:\Windows\SysWOW64\Ihlbih32.exe (PID 1736); command line: C:\Windows\system32\Ihlbih32.exe
   - Executes dropped EXE
   - Loads dropped DLL
22. C:\Windows\SysWOW64\Iaegbmlq.exe (PID 1800); command line: C:\Windows\system32\Iaegbmlq.exe
   - Executes dropped EXE
   - Loads dropped DLL
23. C:\Windows\SysWOW64\Ibdclp32.exe (PID 2520); command line: C:\Windows\system32\Ibdclp32.exe
   - Executes dropped EXE
   - Loads dropped DLL
24. C:\Windows\SysWOW64\Ilmgef32.exe (PID 1652); command line: C:\Windows\system32\Ilmgef32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
25. C:\Windows\SysWOW64\Iokdaa32.exe (PID 1932); command line: C:\Windows\system32\Iokdaa32.exe
   - Executes dropped EXE
   - Loads dropped DLL
26. C:\Windows\SysWOW64\Jmpqbnmp.exe (PID 860); command line: C:\Windows\system32\Jmpqbnmp.exe
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\Windows\SysWOW64\Jfkbqcam.exe (PID 2364); command line: C:\Windows\system32\Jfkbqcam.exe
   - Executes dropped EXE
   - Loads dropped DLL
28. C:\Windows\SysWOW64\Jmejmm32.exe (PID 1540); command line: C:\Windows\system32\Jmejmm32.exe
   - Executes dropped EXE
   - Loads dropped DLL
29. C:\Windows\SysWOW64\Jilkbn32.exe (PID 2584); command line: C:\Windows\system32\Jilkbn32.exe
   - Executes dropped EXE
   - Loads dropped DLL
30. C:\Windows\SysWOW64\Jeblgodb.exe (PID 1312); command line: C:\Windows\system32\Jeblgodb.exe
   - Executes dropped EXE
   - Loads dropped DLL
31. C:\Windows\SysWOW64\Kokppd32.exe (PID 2868); command line: C:\Windows\system32\Kokppd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
32. C:\Windows\SysWOW64\Kommediq.exe (PID 2876); command line: C:\Windows\system32\Kommediq.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
33. C:\Windows\SysWOW64\Kdlbckee.exe (PID 2884); command line: C:\Windows\system32\Kdlbckee.exe
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Kapbmo32.exe (PID 2636); command line: C:\Windows\system32\Kapbmo32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
35. C:\Windows\SysWOW64\Kdooij32.exe (PID 2288); command line: C:\Windows\system32\Kdooij32.exe
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Kjlgaa32.exe (PID 2236); command line: C:\Windows\system32\Kjlgaa32.exe
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Lgphke32.exe (PID 2256); command line: C:\Windows\system32\Lgphke32.exe
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Ljpqlqmd.exe (PID 1956); command line: C:\Windows\system32\Ljpqlqmd.exe
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Lhenmm32.exe (PID 1776); command line: C:\Windows\system32\Lhenmm32.exe
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Lfingaaf.exe (PID 1048); command line: C:\Windows\system32\Lfingaaf.exe
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Llfcik32.exe (PID 2068); command line: C:\Windows\system32\Llfcik32.exe
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Mbbkabdh.exe (PID 952); command line: C:\Windows\system32\Mbbkabdh.exe
   - Executes dropped EXE
   - Modifies registry class
43. C:\Windows\SysWOW64\Mhlcnl32.exe (PID 1928); command line: C:\Windows\system32\Mhlcnl32.exe
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Mnilfc32.exe (PID 1680); command line: C:\Windows\system32\Mnilfc32.exe
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Mdcdcmai.exe (PID 2328); command line: C:\Windows\system32\Mdcdcmai.exe
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Mbgela32.exe (PID 2044); command line: C:\Windows\system32\Mbgela32.exe
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Mnneabff.exe (PID 2976); command line: C:\Windows\system32\Mnneabff.exe
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Nfncad32.exe (PID 2268); command line: C:\Windows\system32\Nfncad32.exe
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Nmhlnngi.exe (PID 1596); command line: C:\Windows\system32\Nmhlnngi.exe
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Ncbdjhnf.exe (PID 2352); command line: C:\Windows\system32\Ncbdjhnf.exe
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Necqbp32.exe (PID 3044); command line: C:\Windows\system32\Necqbp32.exe
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Npieoi32.exe (PID 2912); command line: C:\Windows\system32\Npieoi32.exe
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Neemgp32.exe (PID 2880); command line: C:\Windows\system32\Neemgp32.exe
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Npkaei32.exe (PID 2864); command line: C:\Windows\system32\Npkaei32.exe
   - Executes dropped EXE
   - Modifies registry class
55. C:\Windows\SysWOW64\Nalnmahf.exe (PID 2820); command line: C:\Windows\system32\Nalnmahf.exe
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Nhffikob.exe (PID 2828); command line: C:\Windows\system32\Nhffikob.exe
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Njdbefnf.exe (PID 1440); command line: C:\Windows\system32\Njdbefnf.exe
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Odmgnl32.exe (PID 2956); command line: C:\Windows\system32\Odmgnl32.exe
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Oldooi32.exe (PID 2952); command line: C:\Windows\system32\Oldooi32.exe
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Oaaghp32.exe (PID 832); command line: C:\Windows\system32\Oaaghp32.exe
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Ofnppgbh.exe (PID 916); command line: C:\Windows\system32\Ofnppgbh.exe
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Opfdim32.exe (PID 1072); command line: C:\Windows\system32\Opfdim32.exe
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Ofpmegpe.exe (PID 2924); command line: C:\Windows\system32\Ofpmegpe.exe
   - Executes dropped EXE
   - Drops file in System32 directory
64. C:\Windows\SysWOW64\Ophanl32.exe (PID 1508); command line: C:\Windows\system32\Ophanl32.exe
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Ojnelefl.exe (PID 2156); command line: C:\Windows\system32\Ojnelefl.exe
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Olobcm32.exe (PID 2532); command line: C:\Windows\system32\Olobcm32.exe
   - Modifies registry class
67. C:\Windows\SysWOW64\Ofefqf32.exe (PID 2092); command line: C:\Windows\system32\Ofefqf32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
68. C:\Windows\SysWOW64\Plaoim32.exe (PID 2500); command line: C:\Windows\system32\Plaoim32.exe
69. C:\Windows\SysWOW64\Popkeh32.exe (PID 868); command line: C:\Windows\system32\Popkeh32.exe
70. C:\Windows\SysWOW64\Pejcab32.exe (PID 2972); command line: C:\Windows\system32\Pejcab32.exe
71. C:\Windows\SysWOW64\Phhonn32.exe (PID 2504); command line: C:\Windows\system32\Phhonn32.exe
72. C:\Windows\SysWOW64\Paqdgcfl.exe (PID 2576); command line: C:\Windows\system32\Paqdgcfl.exe
73. C:\Windows\SysWOW64\Phklcn32.exe (PID 2756); command line: C:\Windows\system32\Phklcn32.exe
74. C:\Windows\SysWOW64\Peolmb32.exe (PID 3060); command line: C:\Windows\system32\Peolmb32.exe
75. C:\Windows\SysWOW64\Phmiimlf.exe (PID 1936); command line: C:\Windows\system32\Phmiimlf.exe
76. C:\Windows\SysWOW64\Pmjaadjm.exe (PID 1964); command line: C:\Windows\system32\Pmjaadjm.exe
   - Modifies registry class
77. C:\Windows\SysWOW64\Pddinn32.exe (PID 2960); command line: C:\Windows\system32\Pddinn32.exe
78. C:\Windows\SysWOW64\Pknakhig.exe (PID 2324); command line: C:\Windows\system32\Pknakhig.exe
79. C:\Windows\SysWOW64\Pdffcn32.exe (PID 1032); command line: C:\Windows\system32\Pdffcn32.exe
80. C:\Windows\SysWOW64\Qkpnph32.exe (PID 1908); command line: C:\Windows\system32\Qkpnph32.exe
81. C:\Windows\SysWOW64\Qajfmbna.exe (PID 684); command line: C:\Windows\system32\Qajfmbna.exe
82. C:\Windows\SysWOW64\Qggoeilh.exe (PID 280); command line: C:\Windows\system32\Qggoeilh.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
83. C:\Windows\SysWOW64\Qlcgmpkp.exe (PID 1824); command line: C:\Windows\system32\Qlcgmpkp.exe
84. C:\Windows\SysWOW64\Aellfe32.exe (PID 1676); command line: C:\Windows\system32\Aellfe32.exe
85. C:\Windows\SysWOW64\Aglhph32.exe (PID 2316); command line: C:\Windows\system32\Aglhph32.exe
86. C:\Windows\SysWOW64\Apdminod.exe (PID 1560); command line: C:\Windows\system32\Apdminod.exe
87. C:\Windows\SysWOW64\Aaeiqf32.exe (PID 2356); command line: C:\Windows\system32\Aaeiqf32.exe
88. C:\Windows\SysWOW64\Alknnodh.exe (PID 2148); command line: C:\Windows\system32\Alknnodh.exe
89. C:\Windows\SysWOW64\Aagfffbo.exe (PID 2640); command line: C:\Windows\system32\Aagfffbo.exe
90. C:\Windows\SysWOW64\Almjcobe.exe (PID 2800); command line: C:\Windows\system32\Almjcobe.exe
91. C:\Windows\SysWOW64\Abjcleqm.exe (PID 2132); command line: C:\Windows\system32\Abjcleqm.exe
92. C:\Windows\SysWOW64\Akbgdkgm.exe (PID 1696); command line: C:\Windows\system32\Akbgdkgm.exe
93. C:\Windows\SysWOW64\Bqopmbed.exe (PID 2704); command line: C:\Windows\system32\Bqopmbed.exe
94. C:\Windows\SysWOW64\Bjgdfg32.exe (PID 736); command line: C:\Windows\system32\Bjgdfg32.exe
95. C:\Windows\SysWOW64\Bqambacb.exe (PID 1584); command line: C:\Windows\system32\Bqambacb.exe
96. C:\Windows\SysWOW64\Bjjakg32.exe (PID 1064); command line: C:\Windows\system32\Bjjakg32.exe
97. C:\Windows\SysWOW64\Bdoeipjh.exe (PID 1632); command line: C:\Windows\system32\Bdoeipjh.exe
   - Drops file in System32 directory
98. C:\Windows\SysWOW64\Bjlnaghp.exe (PID 532); command line: C:\Windows\system32\Bjlnaghp.exe
99. C:\Windows\SysWOW64\Boifinfg.exe (PID 2536); command line: C:\Windows\system32\Boifinfg.exe
100. C:\Windows\SysWOW64\Biakbc32.exe (PID 1020); command line: C:\Windows\system32\Biakbc32.exe
101. C:\Windows\SysWOW64\Cjqglf32.exe (PID 908); command line: C:\Windows\system32\Cjqglf32.exe
102. C:\Windows\SysWOW64\Conpdm32.exe (PID 2112); command line: C:\Windows\system32\Conpdm32.exe
103. C:\Windows\SysWOW64\Cejhld32.exe (PID 2588); command line: C:\Windows\system32\Cejhld32.exe
104. C:\Windows\SysWOW64\Cbnhfhoc.exe (PID 2832); command line: C:\Windows\system32\Cbnhfhoc.exe
105. C:\Windows\SysWOW64\Cpbiolnl.exe (PID 2796); command line: C:\Windows\system32\Cpbiolnl.exe
106. C:\Windows\SysWOW64\Ciknhb32.exe (PID 2644); command line: C:\Windows\system32\Ciknhb32.exe
107. C:\Windows\SysWOW64\Cafbmdbh.exe (PID 588); command line: C:\Windows\system32\Cafbmdbh.exe
108. C:\Windows\SysWOW64\Cgpjin32.exe (PID 1972); command line: C:\Windows\system32\Cgpjin32.exe
109. C:\Windows\SysWOW64\Dahobdpe.exe (PID 2100); command line: C:\Windows\system32\Dahobdpe.exe
110. C:\Windows\SysWOW64\Dfegjknm.exe (PID 1600); command line: C:\Windows\system32\Dfegjknm.exe
111. C:\Windows\SysWOW64\Dpmlcpdm.exe (PID 1384); command line: C:\Windows\system32\Dpmlcpdm.exe
112. C:\Windows\SysWOW64\Dfgdpj32.exe (PID 2276); command line: C:\Windows\system32\Dfgdpj32.exe
113. C:\Windows\SysWOW64\Dpphipbk.exe (PID 2300); command line: C:\Windows\system32\Dpphipbk.exe
114. C:\Windows\SysWOW64\Dlfina32.exe (PID 2844); command line: C:\Windows\system32\Dlfina32.exe
115. C:\Windows\SysWOW64\Ddnaonia.exe (PID 2916); command line: C:\Windows\system32\Ddnaonia.exe
116. C:\Windows\SysWOW64\Dmffhd32.exe (PID 2648); command line: C:\Windows\system32\Dmffhd32.exe
117. C:\Windows\SysWOW64\Dogbolep.exe (PID 880); command line: C:\Windows\system32\Dogbolep.exe
118. C:\Windows\SysWOW64\Deajlf32.exe (PID 2812); command line: C:\Windows\system32\Deajlf32.exe
   - Drops file in System32 directory
119. C:\Windows\SysWOW64\Eahkag32.exe (PID 1500); command line: C:\Windows\system32\Eahkag32.exe
120. C:\Windows\SysWOW64\Elnonp32.exe (PID 1464); command line: C:\Windows\system32\Elnonp32.exe
121. C:\Windows\SysWOW64\Ebghkjjc.exe (PID 1616); command line: C:\Windows\system32\Ebghkjjc.exe
122. C:\Windows\SysWOW64\Elpldp32.exe (PID 1732); command line: C:\Windows\system32\Elpldp32.exe