Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
13-07-2024 03:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
392c39d5ab5c168218a1f8435ae02db0N.exe
Resource
win7-20240705-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
392c39d5ab5c168218a1f8435ae02db0N.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
120 seconds
General
-
Target
392c39d5ab5c168218a1f8435ae02db0N.exe
-
Size
55KB
-
MD5
392c39d5ab5c168218a1f8435ae02db0
-
SHA1
57d54e245b6d4db6df22e30fb9635c88400ac9b9
-
SHA256
22fd3f895e75ace46b7d0a5b986d4b25457a7cdaa5cd5523dcddd4c5b97156d8
-
SHA512
ce68c087836b0a1867c3f113d7976707abd265a788b9165e808419fe5451ff8c46a7de770bf4bc07507301b5a1acc3048e99b76d3a738b243e254cb4a5344291
-
SSDEEP
768:vFl+HlWVyjFoHRC0YwEqfKQMroJtQjh94FH0flRAqtXyH56bZ2GbP2p/1H5tXdnh:vFl+HkVsLlfKNwhpbZZbP2Lx
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfhgpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhgnaehm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obmnna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnghel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olebgfao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qiioon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpebmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbmcibjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecnoijbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjofdi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmdepg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbqmhnbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhnkffeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhknaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Calcpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iimfld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iefcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioohokoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdnmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lldmleam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioohokoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jikeeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldbofgme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqnifg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hakkgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iikifegp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmfbpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opnbbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciihklpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imokehhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeafjiop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knmdeioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lonpma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pifbjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgnadkic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnfqccna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hihlqeib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaajei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kffldlne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeindm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hblgnkdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbefcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqklqhpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Achjibcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdcifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnknoogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdmhbplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkjnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Loefnpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjfnomde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oococb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khghgchk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjaddn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mclebc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaghki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cileqlmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmmbqegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qppkfhlc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdcifi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmmbqegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlphbbbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koaqcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giipab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpigma32.exe -
Executes dropped EXE 64 IoCs
pid Process 2404 Eldglp32.exe 2976 Ecnoijbd.exe 2480 Eelkeeah.exe 2848 Elfcbo32.exe 2484 Ecploipa.exe 2908 Eijdkcgn.exe 2616 Elipgofb.exe 2868 Eeaepd32.exe 1388 Ehpalp32.exe 2368 Enlidg32.exe 1500 Edfbaabj.exe 1108 Folfoj32.exe 2896 Fajbke32.exe 2920 Fggkcl32.exe 2136 Fjegog32.exe 1940 Fdkklp32.exe 2252 Fgigil32.exe 1332 Fncpef32.exe 1288 Flfpabkp.exe 1524 Fdmhbplb.exe 1528 Ffodjh32.exe 1780 Fnflke32.exe 2380 Flhmfbim.exe 1804 Fogibnha.exe 320 Fgnadkic.exe 2972 Fhomkcoa.exe 2832 Gceailog.exe 2760 Ghajacmo.exe 2988 Golbnm32.exe 2784 Gfejjgli.exe 2664 Ghdgfbkl.exe 2168 Gfhgpg32.exe 1368 Gdkgkcpq.exe 1228 Gbohehoj.exe 1420 Giipab32.exe 2364 Ggkqmoma.exe 1016 Gneijien.exe 2964 Gbadjg32.exe 2928 Ggnmbn32.exe 2228 Hmkeke32.exe 2196 Hebnlb32.exe 1588 Hjofdi32.exe 628 Hmmbqegc.exe 1376 Hahnac32.exe 1556 Hfegij32.exe 2028 Hmoofdea.exe 2020 Hakkgc32.exe 588 Hpnkbpdd.exe 2812 Hblgnkdh.exe 1956 Hjcppidk.exe 2076 Hifpke32.exe 2808 Hmalldcn.exe 2748 Hpphhp32.exe 1748 Hboddk32.exe 2600 Hfjpdjjo.exe 2140 Hemqpf32.exe 1080 Hihlqeib.exe 1896 Hmdhad32.exe 2492 Hpbdmo32.exe 2248 Hneeilgj.exe 908 Iflmjihl.exe 3008 Ieomef32.exe 352 Iikifegp.exe 1812 Iliebpfc.exe -
Loads dropped DLL 64 IoCs
pid Process 2108 392c39d5ab5c168218a1f8435ae02db0N.exe 2108 392c39d5ab5c168218a1f8435ae02db0N.exe 2404 Eldglp32.exe 2404 Eldglp32.exe 2976 Ecnoijbd.exe 2976 Ecnoijbd.exe 2480 Eelkeeah.exe 2480 Eelkeeah.exe 2848 Elfcbo32.exe 2848 Elfcbo32.exe 2484 Ecploipa.exe 2484 Ecploipa.exe 2908 Eijdkcgn.exe 2908 Eijdkcgn.exe 2616 Elipgofb.exe 2616 Elipgofb.exe 2868 Eeaepd32.exe 2868 Eeaepd32.exe 1388 Ehpalp32.exe 1388 Ehpalp32.exe 2368 Enlidg32.exe 2368 Enlidg32.exe 1500 Edfbaabj.exe 1500 Edfbaabj.exe 1108 Folfoj32.exe 1108 Folfoj32.exe 2896 Fajbke32.exe 2896 Fajbke32.exe 2920 Fggkcl32.exe 2920 Fggkcl32.exe 2136 Fjegog32.exe 2136 Fjegog32.exe 1940 Fdkklp32.exe 1940 Fdkklp32.exe 2252 Fgigil32.exe 2252 Fgigil32.exe 1332 Fncpef32.exe 1332 Fncpef32.exe 1288 Flfpabkp.exe 1288 Flfpabkp.exe 1524 Fdmhbplb.exe 1524 Fdmhbplb.exe 1528 Ffodjh32.exe 1528 Ffodjh32.exe 1780 Fnflke32.exe 1780 Fnflke32.exe 2380 Flhmfbim.exe 2380 Flhmfbim.exe 1804 Fogibnha.exe 1804 Fogibnha.exe 320 Fgnadkic.exe 320 Fgnadkic.exe 2972 Fhomkcoa.exe 2972 Fhomkcoa.exe 2832 Gceailog.exe 2832 Gceailog.exe 2760 Ghajacmo.exe 2760 Ghajacmo.exe 2988 Golbnm32.exe 2988 Golbnm32.exe 2784 Gfejjgli.exe 2784 Gfejjgli.exe 2664 Ghdgfbkl.exe 2664 Ghdgfbkl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fdmhbplb.exe Flfpabkp.exe File opened for modification C:\Windows\SysWOW64\Mjhjdm32.exe Mcnbhb32.exe File created C:\Windows\SysWOW64\Eibkmp32.dll Pkcbnanl.exe File created C:\Windows\SysWOW64\Gphfihaj.dll Ijnbcmkk.exe File created C:\Windows\SysWOW64\Codfplej.dll Jikeeh32.exe File opened for modification C:\Windows\SysWOW64\Cnmfdb32.exe Clojhf32.exe File created C:\Windows\SysWOW64\Fggkcl32.exe Fajbke32.exe File created C:\Windows\SysWOW64\Knqcbd32.dll Mbcoio32.exe File created C:\Windows\SysWOW64\Ahgofi32.exe Aficjnpm.exe File created C:\Windows\SysWOW64\Jihcbj32.dll Elfcbo32.exe File opened for modification C:\Windows\SysWOW64\Fncpef32.exe Fgigil32.exe File created C:\Windows\SysWOW64\Apoldh32.dll Gbohehoj.exe File opened for modification C:\Windows\SysWOW64\Ldbofgme.exe Lbcbjlmb.exe File opened for modification C:\Windows\SysWOW64\Alihaioe.exe Qnghel32.exe File opened for modification C:\Windows\SysWOW64\Ahbekjcf.exe Afdiondb.exe File created C:\Windows\SysWOW64\Ccmpce32.exe Bmbgfkje.exe File created C:\Windows\SysWOW64\Ihpfgalh.exe Iimfld32.exe File opened for modification C:\Windows\SysWOW64\Jbqmhnbo.exe Jdnmma32.exe File created C:\Windows\SysWOW64\Kaompi32.exe Koaqcn32.exe File created C:\Windows\SysWOW64\Alnalh32.exe Ahbekjcf.exe File opened for modification C:\Windows\SysWOW64\Hjofdi32.exe Hebnlb32.exe File created C:\Windows\SysWOW64\Lkkapd32.dll Jajcdjca.exe File opened for modification C:\Windows\SysWOW64\Mbcoio32.exe Mpebmc32.exe File opened for modification C:\Windows\SysWOW64\Ckhdggom.exe Ciihklpj.exe File opened for modification C:\Windows\SysWOW64\Hjcppidk.exe Hblgnkdh.exe File created C:\Windows\SysWOW64\Oqfqioai.dll Kpgffe32.exe File created C:\Windows\SysWOW64\Lbfook32.exe Lnjcomcf.exe File created C:\Windows\SysWOW64\Ghfcobil.dll Oekjjl32.exe File created C:\Windows\SysWOW64\Agjobffl.exe Ahgofi32.exe File created C:\Windows\SysWOW64\Bniajoic.exe Bkjdndjo.exe File created C:\Windows\SysWOW64\Bmlael32.exe Bniajoic.exe File opened for modification C:\Windows\SysWOW64\Ggnmbn32.exe Gbadjg32.exe File created C:\Windows\SysWOW64\Gpihdl32.dll Lkgngb32.exe File created C:\Windows\SysWOW64\Legdph32.dll Lhnkffeo.exe File created C:\Windows\SysWOW64\Lgpgbj32.dll Ahbekjcf.exe File opened for modification C:\Windows\SysWOW64\Achjibcl.exe Aomnhd32.exe File created C:\Windows\SysWOW64\Nckljk32.dll Inlkik32.exe File created C:\Windows\SysWOW64\Kpdjaecc.exe Kaajei32.exe File created C:\Windows\SysWOW64\Napbjjom.exe Nnafnopi.exe File created C:\Windows\SysWOW64\Bigkel32.exe Bjdkjpkb.exe File opened for modification C:\Windows\SysWOW64\Mjkgjl32.exe Mbcoio32.exe File created C:\Windows\SysWOW64\Cbppnbhm.exe Ccmpce32.exe File created C:\Windows\SysWOW64\Oeopijom.dll Cinafkkd.exe File created C:\Windows\SysWOW64\Iliebpfc.exe Iikifegp.exe File created C:\Windows\SysWOW64\Jbjpom32.exe Jondnnbk.exe File opened for modification C:\Windows\SysWOW64\Phlclgfc.exe Oemgplgo.exe File created C:\Windows\SysWOW64\Ibkhnd32.dll Phqmgg32.exe File created C:\Windows\SysWOW64\Cofdbf32.dll Pghfnc32.exe File created C:\Windows\SysWOW64\Bjbndpmd.exe Bgcbhd32.exe File opened for modification C:\Windows\SysWOW64\Ijnbcmkk.exe Ihpfgalh.exe File created C:\Windows\SysWOW64\Gnpincmg.dll Ihdpbq32.exe File created C:\Windows\SysWOW64\Jaoqqflp.exe Jmdepg32.exe File opened for modification C:\Windows\SysWOW64\Knkgpi32.exe Kjokokha.exe File created C:\Windows\SysWOW64\Nhgnaehm.exe Nidmfh32.exe File created C:\Windows\SysWOW64\Egjfigdn.dll Fnflke32.exe File opened for modification C:\Windows\SysWOW64\Mqnifg32.exe Mmbmeifk.exe File opened for modification C:\Windows\SysWOW64\Pljlbf32.exe Pdbdqh32.exe File created C:\Windows\SysWOW64\Paiaplin.exe Pmmeon32.exe File created C:\Windows\SysWOW64\Imafcg32.dll Alihaioe.exe File created C:\Windows\SysWOW64\Aebmjo32.exe Accqnc32.exe File created C:\Windows\SysWOW64\Achjibcl.exe Aomnhd32.exe File created C:\Windows\SysWOW64\Hakapcjd.dll Iefcfe32.exe File opened for modification C:\Windows\SysWOW64\Ofcqcp32.exe Odedge32.exe File created C:\Windows\SysWOW64\Cmbfdl32.dll Cepipm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4372 4340 WerFault.exe 352 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfhmmndi.dll" Aomnhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fggkcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jeafjiop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkgoklhk.dll" Pidfdofi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiepeo32.dll" Hebnlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqklqhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkknbejg.dll" Bccmmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghajacmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbqmhnbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaaded32.dll" Pkaehb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibejdjln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iamdkfnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olebgfao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhfefgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cegoqlof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcpkhoab.dll" Fdkklp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcecbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lklgbadb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjbid32.dll" Eeaepd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dppllabf.dll" Fjegog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbppnbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgpia32.dll" Cnimiblo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lboiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeoggjip.dll" Lgchgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdeqfhjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cenljmgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojojafnk.dll" Idicbbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjibgc32.dll" Mmbmeifk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Allefimb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iefcfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbcbjlmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmgmc32.dll" Alnalh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aojabdlf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihdpbq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpicle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incleo32.dll" Aaimopli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckjamgmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gceailog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lonpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcopgk32.dll" Aohdmdoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pifbjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll" Cjonncab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obhipb32.dll" Golbnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbflno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nefdpjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbfkdo32.dll" Ojmpooah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckhnnjob.dll" Ieomef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Achjibcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckjamgmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alnalh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfdenafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jncfhkjh.dll" Fogibnha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hebnlb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaompi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfjann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knbbpakg.dll" Kpicle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knmdeioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbglcb32.dll" Mkndhabp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjdkjpkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjonncab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Picion32.dll" Ggnmbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hifpke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iedfqeka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpbglhjq.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2108 wrote to memory of 2404 2108 392c39d5ab5c168218a1f8435ae02db0N.exe 30 PID 2108 wrote to memory of 2404 2108 392c39d5ab5c168218a1f8435ae02db0N.exe 30 PID 2108 wrote to memory of 2404 2108 392c39d5ab5c168218a1f8435ae02db0N.exe 30 PID 2108 wrote to memory of 2404 2108 392c39d5ab5c168218a1f8435ae02db0N.exe 30 PID 2404 wrote to memory of 2976 2404 Eldglp32.exe 31 PID 2404 wrote to memory of 2976 2404 Eldglp32.exe 31 PID 2404 wrote to memory of 2976 2404 Eldglp32.exe 31 PID 2404 wrote to memory of 2976 2404 Eldglp32.exe 31 PID 2976 wrote to memory of 2480 2976 Ecnoijbd.exe 32 PID 2976 wrote to memory of 2480 2976 Ecnoijbd.exe 32 PID 2976 wrote to memory of 2480 2976 Ecnoijbd.exe 32 PID 2976 wrote to memory of 2480 2976 Ecnoijbd.exe 32 PID 2480 wrote to memory of 2848 2480 Eelkeeah.exe 33 PID 2480 wrote to memory of 2848 2480 Eelkeeah.exe 33 PID 2480 wrote to memory of 2848 2480 Eelkeeah.exe 33 PID 2480 wrote to memory of 2848 2480 Eelkeeah.exe 33 PID 2848 wrote to memory of 2484 2848 Elfcbo32.exe 34 PID 2848 wrote to memory of 2484 2848 Elfcbo32.exe 34 PID 2848 wrote to memory of 2484 2848 Elfcbo32.exe 34 PID 2848 wrote to memory of 2484 2848 Elfcbo32.exe 34 PID 2484 wrote to memory of 2908 2484 Ecploipa.exe 35 PID 2484 wrote to memory of 2908 2484 Ecploipa.exe 35 PID 2484 wrote to memory of 2908 2484 Ecploipa.exe 35 PID 2484 wrote to memory of 2908 2484 Ecploipa.exe 35 PID 2908 wrote to memory of 2616 2908 Eijdkcgn.exe 36 PID 2908 wrote to memory of 2616 2908 Eijdkcgn.exe 36 PID 2908 wrote to memory of 2616 2908 Eijdkcgn.exe 36 PID 2908 wrote to memory of 2616 2908 Eijdkcgn.exe 36 PID 2616 wrote to memory of 2868 2616 Elipgofb.exe 37 PID 2616 wrote to memory of 2868 2616 Elipgofb.exe 37 PID 2616 wrote to memory of 2868 2616 Elipgofb.exe 37 PID 2616 wrote to memory of 2868 2616 Elipgofb.exe 37 PID 2868 wrote to memory of 1388 2868 Eeaepd32.exe 38 PID 2868 wrote to memory of 1388 2868 Eeaepd32.exe 38 PID 2868 wrote to memory of 1388 2868 Eeaepd32.exe 38 PID 2868 wrote to memory of 1388 2868 Eeaepd32.exe 38 PID 1388 wrote to memory of 2368 1388 Ehpalp32.exe 39 PID 1388 wrote to memory of 2368 1388 Ehpalp32.exe 39 PID 1388 wrote to memory of 2368 1388 Ehpalp32.exe 39 PID 1388 wrote to memory of 2368 1388 Ehpalp32.exe 39 PID 2368 wrote to memory of 1500 2368 Enlidg32.exe 40 PID 2368 wrote to memory of 1500 2368 Enlidg32.exe 40 PID 2368 wrote to memory of 1500 2368 Enlidg32.exe 40 PID 2368 wrote to memory of 1500 2368 Enlidg32.exe 40 PID 1500 wrote to memory of 1108 1500 Edfbaabj.exe 41 PID 1500 wrote to memory of 1108 1500 Edfbaabj.exe 41 PID 1500 wrote to memory of 1108 1500 Edfbaabj.exe 41 PID 1500 wrote to memory of 1108 1500 Edfbaabj.exe 41 PID 1108 wrote to memory of 2896 1108 Folfoj32.exe 42 PID 1108 wrote to memory of 2896 1108 Folfoj32.exe 42 PID 1108 wrote to memory of 2896 1108 Folfoj32.exe 42 PID 1108 wrote to memory of 2896 1108 Folfoj32.exe 42 PID 2896 wrote to memory of 2920 2896 Fajbke32.exe 43 PID 2896 wrote to memory of 2920 2896 Fajbke32.exe 43 PID 2896 wrote to memory of 2920 2896 Fajbke32.exe 43 PID 2896 wrote to memory of 2920 2896 Fajbke32.exe 43 PID 2920 wrote to memory of 2136 2920 Fggkcl32.exe 44 PID 2920 wrote to memory of 2136 2920 Fggkcl32.exe 44 PID 2920 wrote to memory of 2136 2920 Fggkcl32.exe 44 PID 2920 wrote to memory of 2136 2920 Fggkcl32.exe 44 PID 2136 wrote to memory of 1940 2136 Fjegog32.exe 45 PID 2136 wrote to memory of 1940 2136 Fjegog32.exe 45 PID 2136 wrote to memory of 1940 2136 Fjegog32.exe 45 PID 2136 wrote to memory of 1940 2136 Fjegog32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\392c39d5ab5c168218a1f8435ae02db0N.exe"C:\Users\Admin\AppData\Local\Temp\392c39d5ab5c168218a1f8435ae02db0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Eldglp32.exeC:\Windows\system32\Eldglp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Ecnoijbd.exeC:\Windows\system32\Ecnoijbd.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Eelkeeah.exeC:\Windows\system32\Eelkeeah.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Elfcbo32.exeC:\Windows\system32\Elfcbo32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Ecploipa.exeC:\Windows\system32\Ecploipa.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Eijdkcgn.exeC:\Windows\system32\Eijdkcgn.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Elipgofb.exeC:\Windows\system32\Elipgofb.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Eeaepd32.exeC:\Windows\system32\Eeaepd32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Ehpalp32.exeC:\Windows\system32\Ehpalp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\Enlidg32.exeC:\Windows\system32\Enlidg32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Edfbaabj.exeC:\Windows\system32\Edfbaabj.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Folfoj32.exeC:\Windows\system32\Folfoj32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Fajbke32.exeC:\Windows\system32\Fajbke32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Fggkcl32.exeC:\Windows\system32\Fggkcl32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Fjegog32.exeC:\Windows\system32\Fjegog32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Fdkklp32.exeC:\Windows\system32\Fdkklp32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Fgigil32.exeC:\Windows\system32\Fgigil32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2252 -
C:\Windows\SysWOW64\Fncpef32.exeC:\Windows\system32\Fncpef32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1332 -
C:\Windows\SysWOW64\Flfpabkp.exeC:\Windows\system32\Flfpabkp.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1288 -
C:\Windows\SysWOW64\Fdmhbplb.exeC:\Windows\system32\Fdmhbplb.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1524 -
C:\Windows\SysWOW64\Ffodjh32.exeC:\Windows\system32\Ffodjh32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Fnflke32.exeC:\Windows\system32\Fnflke32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1780 -
C:\Windows\SysWOW64\Flhmfbim.exeC:\Windows\system32\Flhmfbim.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Fogibnha.exeC:\Windows\system32\Fogibnha.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Fgnadkic.exeC:\Windows\system32\Fgnadkic.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:320 -
C:\Windows\SysWOW64\Fhomkcoa.exeC:\Windows\system32\Fhomkcoa.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2972 -
C:\Windows\SysWOW64\Gceailog.exeC:\Windows\system32\Gceailog.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Ghajacmo.exeC:\Windows\system32\Ghajacmo.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Golbnm32.exeC:\Windows\system32\Golbnm32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Gfejjgli.exeC:\Windows\system32\Gfejjgli.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Ghdgfbkl.exeC:\Windows\system32\Ghdgfbkl.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2664 -
C:\Windows\SysWOW64\Gfhgpg32.exeC:\Windows\system32\Gfhgpg32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Gdkgkcpq.exeC:\Windows\system32\Gdkgkcpq.exe34⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Gbohehoj.exeC:\Windows\system32\Gbohehoj.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1228 -
C:\Windows\SysWOW64\Giipab32.exeC:\Windows\system32\Giipab32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Ggkqmoma.exeC:\Windows\system32\Ggkqmoma.exe37⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Gneijien.exeC:\Windows\system32\Gneijien.exe38⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Gbadjg32.exeC:\Windows\system32\Gbadjg32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2964 -
C:\Windows\SysWOW64\Ggnmbn32.exeC:\Windows\system32\Ggnmbn32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Hmkeke32.exeC:\Windows\system32\Hmkeke32.exe41⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Hebnlb32.exeC:\Windows\system32\Hebnlb32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Hjofdi32.exeC:\Windows\system32\Hjofdi32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Hmmbqegc.exeC:\Windows\system32\Hmmbqegc.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Hahnac32.exeC:\Windows\system32\Hahnac32.exe45⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Hfegij32.exeC:\Windows\system32\Hfegij32.exe46⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Hmoofdea.exeC:\Windows\system32\Hmoofdea.exe47⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Hakkgc32.exeC:\Windows\system32\Hakkgc32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Hpnkbpdd.exeC:\Windows\system32\Hpnkbpdd.exe49⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Hblgnkdh.exeC:\Windows\system32\Hblgnkdh.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Hjcppidk.exeC:\Windows\system32\Hjcppidk.exe51⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Hifpke32.exeC:\Windows\system32\Hifpke32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Hmalldcn.exeC:\Windows\system32\Hmalldcn.exe53⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Hpphhp32.exeC:\Windows\system32\Hpphhp32.exe54⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Hboddk32.exeC:\Windows\system32\Hboddk32.exe55⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Hfjpdjjo.exeC:\Windows\system32\Hfjpdjjo.exe56⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Hemqpf32.exeC:\Windows\system32\Hemqpf32.exe57⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Hihlqeib.exeC:\Windows\system32\Hihlqeib.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Hmdhad32.exeC:\Windows\system32\Hmdhad32.exe59⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Hpbdmo32.exeC:\Windows\system32\Hpbdmo32.exe60⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Hneeilgj.exeC:\Windows\system32\Hneeilgj.exe61⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Iflmjihl.exeC:\Windows\system32\Iflmjihl.exe62⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Ieomef32.exeC:\Windows\system32\Ieomef32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Iikifegp.exeC:\Windows\system32\Iikifegp.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:352 -
C:\Windows\SysWOW64\Iliebpfc.exeC:\Windows\system32\Iliebpfc.exe65⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Ipeaco32.exeC:\Windows\system32\Ipeaco32.exe66⤵PID:2112
-
C:\Windows\SysWOW64\Ibcnojnp.exeC:\Windows\system32\Ibcnojnp.exe67⤵PID:2260
-
C:\Windows\SysWOW64\Iafnjg32.exeC:\Windows\system32\Iafnjg32.exe68⤵PID:2376
-
C:\Windows\SysWOW64\Iimfld32.exeC:\Windows\system32\Iimfld32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Ihpfgalh.exeC:\Windows\system32\Ihpfgalh.exe70⤵
- Drops file in System32 directory
PID:3000 -
C:\Windows\SysWOW64\Ijnbcmkk.exeC:\Windows\system32\Ijnbcmkk.exe71⤵
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Ibejdjln.exeC:\Windows\system32\Ibejdjln.exe72⤵
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Iahkpg32.exeC:\Windows\system32\Iahkpg32.exe73⤵PID:808
-
C:\Windows\SysWOW64\Iedfqeka.exeC:\Windows\system32\Iedfqeka.exe74⤵
- Modifies registry class
PID:2036 -
C:\Windows\SysWOW64\Ihbcmaje.exeC:\Windows\system32\Ihbcmaje.exe75⤵PID:580
-
C:\Windows\SysWOW64\Inlkik32.exeC:\Windows\system32\Inlkik32.exe76⤵
- Drops file in System32 directory
PID:1760 -
C:\Windows\SysWOW64\Imokehhl.exeC:\Windows\system32\Imokehhl.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1124 -
C:\Windows\SysWOW64\Iefcfe32.exeC:\Windows\system32\Iefcfe32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1100 -
C:\Windows\SysWOW64\Idicbbpi.exeC:\Windows\system32\Idicbbpi.exe79⤵
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Ihdpbq32.exeC:\Windows\system32\Ihdpbq32.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:944 -
C:\Windows\SysWOW64\Ijclol32.exeC:\Windows\system32\Ijclol32.exe81⤵PID:1088
-
C:\Windows\SysWOW64\Ioohokoo.exeC:\Windows\system32\Ioohokoo.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1504 -
C:\Windows\SysWOW64\Iamdkfnc.exeC:\Windows\system32\Iamdkfnc.exe83⤵
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Idkpganf.exeC:\Windows\system32\Idkpganf.exe84⤵PID:1300
-
C:\Windows\SysWOW64\Ihglhp32.exeC:\Windows\system32\Ihglhp32.exe85⤵PID:3056
-
C:\Windows\SysWOW64\Ijehdl32.exeC:\Windows\system32\Ijehdl32.exe86⤵PID:1872
-
C:\Windows\SysWOW64\Jmdepg32.exeC:\Windows\system32\Jmdepg32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Jaoqqflp.exeC:\Windows\system32\Jaoqqflp.exe88⤵PID:2288
-
C:\Windows\SysWOW64\Jdnmma32.exeC:\Windows\system32\Jdnmma32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2944 -
C:\Windows\SysWOW64\Jbqmhnbo.exeC:\Windows\system32\Jbqmhnbo.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Jkhejkcq.exeC:\Windows\system32\Jkhejkcq.exe91⤵PID:1656
-
C:\Windows\SysWOW64\Jikeeh32.exeC:\Windows\system32\Jikeeh32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:784 -
C:\Windows\SysWOW64\Jliaac32.exeC:\Windows\system32\Jliaac32.exe93⤵PID:292
-
C:\Windows\SysWOW64\Jpdnbbah.exeC:\Windows\system32\Jpdnbbah.exe94⤵PID:2128
-
C:\Windows\SysWOW64\Jfofol32.exeC:\Windows\system32\Jfofol32.exe95⤵PID:2984
-
C:\Windows\SysWOW64\Jeafjiop.exeC:\Windows\system32\Jeafjiop.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Jmhnkfpa.exeC:\Windows\system32\Jmhnkfpa.exe97⤵PID:2300
-
C:\Windows\SysWOW64\Jlkngc32.exeC:\Windows\system32\Jlkngc32.exe98⤵PID:2680
-
C:\Windows\SysWOW64\Jbefcm32.exeC:\Windows\system32\Jbefcm32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1168 -
C:\Windows\SysWOW64\Jgabdlfb.exeC:\Windows\system32\Jgabdlfb.exe100⤵PID:1772
-
C:\Windows\SysWOW64\Jioopgef.exeC:\Windows\system32\Jioopgef.exe101⤵PID:804
-
C:\Windows\SysWOW64\Jlnklcej.exeC:\Windows\system32\Jlnklcej.exe102⤵PID:448
-
C:\Windows\SysWOW64\Jpigma32.exeC:\Windows\system32\Jpigma32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1396 -
C:\Windows\SysWOW64\Jajcdjca.exeC:\Windows\system32\Jajcdjca.exe104⤵
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Jialfgcc.exeC:\Windows\system32\Jialfgcc.exe105⤵PID:1516
-
C:\Windows\SysWOW64\Jhdlad32.exeC:\Windows\system32\Jhdlad32.exe106⤵PID:2296
-
C:\Windows\SysWOW64\Jlphbbbg.exeC:\Windows\system32\Jlphbbbg.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2756 -
C:\Windows\SysWOW64\Jondnnbk.exeC:\Windows\system32\Jondnnbk.exe108⤵
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Jbjpom32.exeC:\Windows\system32\Jbjpom32.exe109⤵PID:2856
-
C:\Windows\SysWOW64\Jehlkhig.exeC:\Windows\system32\Jehlkhig.exe110⤵PID:832
-
C:\Windows\SysWOW64\Khghgchk.exeC:\Windows\system32\Khghgchk.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1028 -
C:\Windows\SysWOW64\Klbdgb32.exeC:\Windows\system32\Klbdgb32.exe112⤵PID:1736
-
C:\Windows\SysWOW64\Kkeecogo.exeC:\Windows\system32\Kkeecogo.exe113⤵PID:2960
-
C:\Windows\SysWOW64\Koaqcn32.exeC:\Windows\system32\Koaqcn32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Kaompi32.exeC:\Windows\system32\Kaompi32.exe115⤵
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Kekiphge.exeC:\Windows\system32\Kekiphge.exe116⤵PID:1860
-
C:\Windows\SysWOW64\Khielcfh.exeC:\Windows\system32\Khielcfh.exe117⤵PID:2836
-
C:\Windows\SysWOW64\Kglehp32.exeC:\Windows\system32\Kglehp32.exe118⤵PID:1416
-
C:\Windows\SysWOW64\Kocmim32.exeC:\Windows\system32\Kocmim32.exe119⤵PID:1684
-
C:\Windows\SysWOW64\Knfndjdp.exeC:\Windows\system32\Knfndjdp.exe120⤵PID:2468
-
C:\Windows\SysWOW64\Kaajei32.exeC:\Windows\system32\Kaajei32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:652
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-