Analysis
-
max time kernel
118s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
21/07/2024, 16:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ee700e6452c89392c9a1dd2cf9fe6440N.exe
Resource
win7-20240705-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
ee700e6452c89392c9a1dd2cf9fe6440N.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
120 seconds
General
-
Target
ee700e6452c89392c9a1dd2cf9fe6440N.exe
-
Size
448KB
-
MD5
ee700e6452c89392c9a1dd2cf9fe6440
-
SHA1
4ce3492ec2a25bcfb864a2bfb8986a40cf3e302e
-
SHA256
23055f673b8b2caa9f6e35f22693fed5ee64957274c52ab0ce7053fd870ad45c
-
SHA512
b6b7099fbd9ff4f863263bef21a6b33a54372204e7b84cdda641550ff4af37bf19c1b2b9bdfd4523bbdb10e0b7cd285c79265125e601cd20331a04b3da0b5aad
-
SSDEEP
6144:ah5Ygz3rPQ///NR5fLYG3eujPQ///NR5fqZo4tjS6Y:aPrW/NcZ7/NC64tm6Y
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eojpqpih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flnpoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdgadeee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpdqlkhe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aflmbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpkjjofe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpagbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpjeaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppnmbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aimckl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gohjnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imgija32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdjedk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iejnna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpcghl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klmfmacc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcgnfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbagaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Licbca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooiepnen.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpfbfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igpcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flnpoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foacmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqnfqcjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blcokf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laqadknn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghjjoeei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfobjdoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgbfin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoeigi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcgdgnmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odkkdqmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bapejd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcapckod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnnehb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djahmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhiacg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hikpnkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glhhgahg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kelqff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpekln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bagncl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hadece32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmphpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmbeecaq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lllkaobc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbfdnijp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhclfphg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efihcpqk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqmadn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpojlp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkojcgga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmjdia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgbeqjpd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqemlbqi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdbdgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmhile32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnjnolap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akpfmnmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hohhfbkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfnnpbnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhljlnma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hojbbiae.exe -
Executes dropped EXE 64 IoCs
pid Process 1644 Obamebfc.exe 2040 Oebffm32.exe 2700 Ojakdd32.exe 2828 Pmbdfolj.exe 2196 Ppcmhj32.exe 2636 Pfobjdoe.exe 2608 Pmijgn32.exe 1608 Qeglqpaj.exe 1620 Alcqcjgd.exe 3044 Aabfqp32.exe 2992 Alncgn32.exe 2388 Achlch32.exe 1140 Bapejd32.exe 1512 Bocfch32.exe 2076 Bfnnpbnn.exe 2136 Bhljlnma.exe 1528 Cnmlpd32.exe 2584 Ccmanjch.exe 732 Cfknjfbl.exe 1000 Cqqbgoba.exe 1720 Cilfka32.exe 804 Cqcomn32.exe 2448 Cfpgee32.exe 1028 Deedfacn.exe 868 Dmllgo32.exe 1588 Dpjhcj32.exe 2352 Dkaihkih.exe 844 Djffihmp.exe 2720 Dbmnjenb.exe 2864 Dlfbck32.exe 2772 Dcaghm32.exe 2712 Ehopnk32.exe 2624 Ejmljg32.exe 2672 Ejpipf32.exe 2956 Elaego32.exe 2476 Eabgjeef.exe 2960 Fhlogo32.exe 2704 Fpcghl32.exe 1804 Fkmhij32.exe 1328 Flmecm32.exe 2816 Fmnakege.exe 976 Fkbadifn.exe 2540 Fomndhng.exe 1832 Fpojlp32.exe 1136 Fgibijkb.exe 1476 Gpagbp32.exe 1724 Gkfkoi32.exe 2692 Glhhgahg.exe 2232 Gcapckod.exe 1680 Geplpfnh.exe 2304 Gebiefle.exe 1180 Gllabp32.exe 2268 Geeekf32.exe 2736 Ghcbga32.exe 2888 Gcifdj32.exe 2648 Gegbpe32.exe 2740 Hnbgdh32.exe 1984 Hancef32.exe 2944 Hgkknm32.exe 2932 Hobcok32.exe 2436 Hqcpfcbl.exe 2192 Hdolga32.exe 2384 Hgmhcm32.exe 2264 Hqemlbqi.exe -
Loads dropped DLL 64 IoCs
pid Process 1732 ee700e6452c89392c9a1dd2cf9fe6440N.exe 1732 ee700e6452c89392c9a1dd2cf9fe6440N.exe 1644 Obamebfc.exe 1644 Obamebfc.exe 2040 Oebffm32.exe 2040 Oebffm32.exe 2700 Ojakdd32.exe 2700 Ojakdd32.exe 2828 Pmbdfolj.exe 2828 Pmbdfolj.exe 2196 Ppcmhj32.exe 2196 Ppcmhj32.exe 2636 Pfobjdoe.exe 2636 Pfobjdoe.exe 2608 Pmijgn32.exe 2608 Pmijgn32.exe 1608 Qeglqpaj.exe 1608 Qeglqpaj.exe 1620 Alcqcjgd.exe 1620 Alcqcjgd.exe 3044 Aabfqp32.exe 3044 Aabfqp32.exe 2992 Alncgn32.exe 2992 Alncgn32.exe 2388 Achlch32.exe 2388 Achlch32.exe 1140 Bapejd32.exe 1140 Bapejd32.exe 1512 Bocfch32.exe 1512 Bocfch32.exe 2076 Bfnnpbnn.exe 2076 Bfnnpbnn.exe 2136 Bhljlnma.exe 2136 Bhljlnma.exe 1528 Cnmlpd32.exe 1528 Cnmlpd32.exe 2584 Ccmanjch.exe 2584 Ccmanjch.exe 732 Cfknjfbl.exe 732 Cfknjfbl.exe 1000 Cqqbgoba.exe 1000 Cqqbgoba.exe 1720 Cilfka32.exe 1720 Cilfka32.exe 804 Cqcomn32.exe 804 Cqcomn32.exe 2448 Cfpgee32.exe 2448 Cfpgee32.exe 1028 Deedfacn.exe 1028 Deedfacn.exe 868 Dmllgo32.exe 868 Dmllgo32.exe 1588 Dpjhcj32.exe 1588 Dpjhcj32.exe 2352 Dkaihkih.exe 2352 Dkaihkih.exe 844 Djffihmp.exe 844 Djffihmp.exe 2720 Dbmnjenb.exe 2720 Dbmnjenb.exe 2864 Dlfbck32.exe 2864 Dlfbck32.exe 2772 Dcaghm32.exe 2772 Dcaghm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pjpfjf32.dll Njlopkmg.exe File created C:\Windows\SysWOW64\Pafpjljk.exe Phmkaf32.exe File created C:\Windows\SysWOW64\Qfganb32.exe Qajiek32.exe File created C:\Windows\SysWOW64\Jbmdig32.exe Jmplqp32.exe File created C:\Windows\SysWOW64\Lpiqel32.exe Lmjdia32.exe File created C:\Windows\SysWOW64\Kililk32.dll Pblkgh32.exe File created C:\Windows\SysWOW64\Lhongdah.dll Bjehlldb.exe File created C:\Windows\SysWOW64\Hlhleh32.dll Hojbbiae.exe File created C:\Windows\SysWOW64\Lgjfmlkm.exe Lmbadfdl.exe File created C:\Windows\SysWOW64\Monkbfga.dll Akpfmnmh.exe File created C:\Windows\SysWOW64\Giaddm32.exe Glmckikf.exe File opened for modification C:\Windows\SysWOW64\Ojakdd32.exe Oebffm32.exe File created C:\Windows\SysWOW64\Kcgdgnmc.exe Kaihjbno.exe File created C:\Windows\SysWOW64\Eabgjeef.exe Elaego32.exe File created C:\Windows\SysWOW64\Ogiqoelh.dll Iiekkdjo.exe File opened for modification C:\Windows\SysWOW64\Hojbbiae.exe Hkngbj32.exe File opened for modification C:\Windows\SysWOW64\Beccgi32.exe Bdbfpafn.exe File opened for modification C:\Windows\SysWOW64\Dfmbmkgm.exe Dbaflm32.exe File created C:\Windows\SysWOW64\Djqdgfho.dll Hkkaik32.exe File created C:\Windows\SysWOW64\Aifiogon.dll Amcfpl32.exe File created C:\Windows\SysWOW64\Pcemeqqm.dll Cghpgbce.exe File opened for modification C:\Windows\SysWOW64\Eqjceidf.exe Eickdlcd.exe File created C:\Windows\SysWOW64\Legmpdga.exe Llnhgn32.exe File created C:\Windows\SysWOW64\Abkdaqcl.dll Injlmcib.exe File opened for modification C:\Windows\SysWOW64\Mhobldaf.exe Mdcfle32.exe File opened for modification C:\Windows\SysWOW64\Fbpihafp.exe Endmgb32.exe File opened for modification C:\Windows\SysWOW64\Jofhqiec.exe Jimodo32.exe File created C:\Windows\SysWOW64\Aojjdb32.dll Bpbadcbj.exe File opened for modification C:\Windows\SysWOW64\Fomndhng.exe Fkbadifn.exe File opened for modification C:\Windows\SysWOW64\Ggekhhle.exe Gdgoll32.exe File opened for modification C:\Windows\SysWOW64\Ikembicd.exe Idkdfo32.exe File opened for modification C:\Windows\SysWOW64\Epkgkfmd.exe Emlkoknp.exe File opened for modification C:\Windows\SysWOW64\Aabfqp32.exe Alcqcjgd.exe File opened for modification C:\Windows\SysWOW64\Jgdkbo32.exe Jajbfeop.exe File created C:\Windows\SysWOW64\Jckflh32.dll Fmhaep32.exe File opened for modification C:\Windows\SysWOW64\Mpjqfpke.exe Miphjf32.exe File created C:\Windows\SysWOW64\Bocfch32.exe Bapejd32.exe File opened for modification C:\Windows\SysWOW64\Cnmlpd32.exe Bhljlnma.exe File opened for modification C:\Windows\SysWOW64\Ekcdegqe.exe Efglmpbn.exe File created C:\Windows\SysWOW64\Hobfgcdb.exe Hkgjge32.exe File opened for modification C:\Windows\SysWOW64\Bdiciboh.exe Bakgmgpe.exe File created C:\Windows\SysWOW64\Neikfk32.dll Ebjfiboe.exe File created C:\Windows\SysWOW64\Heccqa32.dll Emdgjpkd.exe File created C:\Windows\SysWOW64\Jidppaio.exe Jkqpfmje.exe File created C:\Windows\SysWOW64\Pkoipb32.dll Iofiimkd.exe File opened for modification C:\Windows\SysWOW64\Cdbqflae.exe Cqfdem32.exe File created C:\Windows\SysWOW64\Ffifbijg.dll Angafl32.exe File opened for modification C:\Windows\SysWOW64\Jpdibapb.exe Jijqeg32.exe File created C:\Windows\SysWOW64\Khedkiag.dll Igojmjgf.exe File created C:\Windows\SysWOW64\Cedabe32.dll Kmbeecaq.exe File created C:\Windows\SysWOW64\Ieckbh32.dll Adadedjq.exe File created C:\Windows\SysWOW64\Nboddhfb.dll Babdhlmh.exe File created C:\Windows\SysWOW64\Kgdijk32.exe Kefmnp32.exe File opened for modification C:\Windows\SysWOW64\Olhmnb32.exe Onelbfab.exe File created C:\Windows\SysWOW64\Cpnkmh32.dll Fefdhj32.exe File opened for modification C:\Windows\SysWOW64\Bdpgai32.exe Bncboo32.exe File created C:\Windows\SysWOW64\Gaaicjed.dll Icqagkqp.exe File opened for modification C:\Windows\SysWOW64\Pphilb32.exe Pfpdcm32.exe File created C:\Windows\SysWOW64\Cofaad32.exe Cpcaeghc.exe File created C:\Windows\SysWOW64\Fjdqbbkp.exe Fdkheh32.exe File created C:\Windows\SysWOW64\Ofkeem32.dll Najbbepc.exe File opened for modification C:\Windows\SysWOW64\Cemfnh32.exe Cnfnlk32.exe File opened for modification C:\Windows\SysWOW64\Ejmljg32.exe Ehopnk32.exe File opened for modification C:\Windows\SysWOW64\Feeldk32.exe Fnkchahn.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6992 2304 WerFault.exe 708 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddbbod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogcklqli.dll" Apheke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjdonndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgbgbmnl.dll" Dddodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flmecm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpfehq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkiibmmc.dll" Iackhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nheabh32.dll" Cclmlm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieaekdkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdbeqmag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaffja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogfagmck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngikaijm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgibijkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njlopkmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqjfam32.dll" Kcgdgnmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coledgje.dll" Mcpmonea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pldnge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbjchfaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obddhc32.dll" Gijncn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phmkaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nffenj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqlikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hegdinpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbigeniq.dll" Aflmbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlqniihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efolfnif.dll" Hhbgkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckghggc.dll" Ihedan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imqkdcib.dll" Kjdiigbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lghigl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bigpdjpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdieho32.dll" Cqcomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghihfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nihgndip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neohbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joeaefka.dll" Pgkqeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daedpf32.dll" Pbcahgjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlpllqnn.dll" Hopibdfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qckajclq.dll" Kaojiqej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmeknakn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daopajpf.dll" Jfigdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnppei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Immkokcl.dll" Liaenblm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjehlldb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfemdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnfgnibb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdonpjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akekgimh.dll" Kfnpgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npbpjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aflmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnkpaedi.dll" Bocfch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibbioilj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jggiah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odkkdqmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlpnhnoo.dll" Abodlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fecado32.dll" Pgjgapaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kodkcbje.dll" Odkkdqmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnlnkk32.dll" Pifakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmhaep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeikohgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jliaac32.dll" Okecak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgodphlm.dll" Olhmnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fndfmljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppbfmdfo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1732 wrote to memory of 1644 1732 ee700e6452c89392c9a1dd2cf9fe6440N.exe 29 PID 1732 wrote to memory of 1644 1732 ee700e6452c89392c9a1dd2cf9fe6440N.exe 29 PID 1732 wrote to memory of 1644 1732 ee700e6452c89392c9a1dd2cf9fe6440N.exe 29 PID 1732 wrote to memory of 1644 1732 ee700e6452c89392c9a1dd2cf9fe6440N.exe 29 PID 1644 wrote to memory of 2040 1644 Obamebfc.exe 30 PID 1644 wrote to memory of 2040 1644 Obamebfc.exe 30 PID 1644 wrote to memory of 2040 1644 Obamebfc.exe 30 PID 1644 wrote to memory of 2040 1644 Obamebfc.exe 30 PID 2040 wrote to memory of 2700 2040 Oebffm32.exe 31 PID 2040 wrote to memory of 2700 2040 Oebffm32.exe 31 PID 2040 wrote to memory of 2700 2040 Oebffm32.exe 31 PID 2040 wrote to memory of 2700 2040 Oebffm32.exe 31 PID 2700 wrote to memory of 2828 2700 Ojakdd32.exe 32 PID 2700 wrote to memory of 2828 2700 Ojakdd32.exe 32 PID 2700 wrote to memory of 2828 2700 Ojakdd32.exe 32 PID 2700 wrote to memory of 2828 2700 Ojakdd32.exe 32 PID 2828 wrote to memory of 2196 2828 Pmbdfolj.exe 33 PID 2828 wrote to memory of 2196 2828 Pmbdfolj.exe 33 PID 2828 wrote to memory of 2196 2828 Pmbdfolj.exe 33 PID 2828 wrote to memory of 2196 2828 Pmbdfolj.exe 33 PID 2196 wrote to memory of 2636 2196 Ppcmhj32.exe 34 PID 2196 wrote to memory of 2636 2196 Ppcmhj32.exe 34 PID 2196 wrote to memory of 2636 2196 Ppcmhj32.exe 34 PID 2196 wrote to memory of 2636 2196 Ppcmhj32.exe 34 PID 2636 wrote to memory of 2608 2636 Pfobjdoe.exe 35 PID 2636 wrote to memory of 2608 2636 Pfobjdoe.exe 35 PID 2636 wrote to memory of 2608 2636 Pfobjdoe.exe 35 PID 2636 wrote to memory of 2608 2636 Pfobjdoe.exe 35 PID 2608 wrote to memory of 1608 2608 Pmijgn32.exe 36 PID 2608 wrote to memory of 1608 2608 Pmijgn32.exe 36 PID 2608 wrote to memory of 1608 2608 Pmijgn32.exe 36 PID 2608 wrote to memory of 1608 2608 Pmijgn32.exe 36 PID 1608 wrote to memory of 1620 1608 Qeglqpaj.exe 37 PID 1608 wrote to memory of 1620 1608 Qeglqpaj.exe 37 PID 1608 wrote to memory of 1620 1608 Qeglqpaj.exe 37 PID 1608 wrote to memory of 1620 1608 Qeglqpaj.exe 37 PID 1620 wrote to memory of 3044 1620 Alcqcjgd.exe 38 PID 1620 wrote to memory of 3044 1620 Alcqcjgd.exe 38 PID 1620 wrote to memory of 3044 1620 Alcqcjgd.exe 38 PID 1620 wrote to memory of 3044 1620 Alcqcjgd.exe 38 PID 3044 wrote to memory of 2992 3044 Aabfqp32.exe 39 PID 3044 wrote to memory of 2992 3044 Aabfqp32.exe 39 PID 3044 wrote to memory of 2992 3044 Aabfqp32.exe 39 PID 3044 wrote to memory of 2992 3044 Aabfqp32.exe 39 PID 2992 wrote to memory of 2388 2992 Alncgn32.exe 40 PID 2992 wrote to memory of 2388 2992 Alncgn32.exe 40 PID 2992 wrote to memory of 2388 2992 Alncgn32.exe 40 PID 2992 wrote to memory of 2388 2992 Alncgn32.exe 40 PID 2388 wrote to memory of 1140 2388 Achlch32.exe 41 PID 2388 wrote to memory of 1140 2388 Achlch32.exe 41 PID 2388 wrote to memory of 1140 2388 Achlch32.exe 41 PID 2388 wrote to memory of 1140 2388 Achlch32.exe 41 PID 1140 wrote to memory of 1512 1140 Bapejd32.exe 42 PID 1140 wrote to memory of 1512 1140 Bapejd32.exe 42 PID 1140 wrote to memory of 1512 1140 Bapejd32.exe 42 PID 1140 wrote to memory of 1512 1140 Bapejd32.exe 42 PID 1512 wrote to memory of 2076 1512 Bocfch32.exe 43 PID 1512 wrote to memory of 2076 1512 Bocfch32.exe 43 PID 1512 wrote to memory of 2076 1512 Bocfch32.exe 43 PID 1512 wrote to memory of 2076 1512 Bocfch32.exe 43 PID 2076 wrote to memory of 2136 2076 Bfnnpbnn.exe 44 PID 2076 wrote to memory of 2136 2076 Bfnnpbnn.exe 44 PID 2076 wrote to memory of 2136 2076 Bfnnpbnn.exe 44 PID 2076 wrote to memory of 2136 2076 Bfnnpbnn.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\ee700e6452c89392c9a1dd2cf9fe6440N.exe"C:\Users\Admin\AppData\Local\Temp\ee700e6452c89392c9a1dd2cf9fe6440N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Obamebfc.exeC:\Windows\system32\Obamebfc.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Oebffm32.exeC:\Windows\system32\Oebffm32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Ojakdd32.exeC:\Windows\system32\Ojakdd32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Pmbdfolj.exeC:\Windows\system32\Pmbdfolj.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Ppcmhj32.exeC:\Windows\system32\Ppcmhj32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Pfobjdoe.exeC:\Windows\system32\Pfobjdoe.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Pmijgn32.exeC:\Windows\system32\Pmijgn32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Qeglqpaj.exeC:\Windows\system32\Qeglqpaj.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Alcqcjgd.exeC:\Windows\system32\Alcqcjgd.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Aabfqp32.exeC:\Windows\system32\Aabfqp32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Alncgn32.exeC:\Windows\system32\Alncgn32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Achlch32.exeC:\Windows\system32\Achlch32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Bapejd32.exeC:\Windows\system32\Bapejd32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Bocfch32.exeC:\Windows\system32\Bocfch32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Bfnnpbnn.exeC:\Windows\system32\Bfnnpbnn.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Bhljlnma.exeC:\Windows\system32\Bhljlnma.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Cnmlpd32.exeC:\Windows\system32\Cnmlpd32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Ccmanjch.exeC:\Windows\system32\Ccmanjch.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2584 -
C:\Windows\SysWOW64\Cfknjfbl.exeC:\Windows\system32\Cfknjfbl.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:732 -
C:\Windows\SysWOW64\Cqqbgoba.exeC:\Windows\system32\Cqqbgoba.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1000 -
C:\Windows\SysWOW64\Cilfka32.exeC:\Windows\system32\Cilfka32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1720 -
C:\Windows\SysWOW64\Cqcomn32.exeC:\Windows\system32\Cqcomn32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:804 -
C:\Windows\SysWOW64\Cfpgee32.exeC:\Windows\system32\Cfpgee32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2448 -
C:\Windows\SysWOW64\Deedfacn.exeC:\Windows\system32\Deedfacn.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1028 -
C:\Windows\SysWOW64\Dmllgo32.exeC:\Windows\system32\Dmllgo32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:868 -
C:\Windows\SysWOW64\Dpjhcj32.exeC:\Windows\system32\Dpjhcj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1588 -
C:\Windows\SysWOW64\Dkaihkih.exeC:\Windows\system32\Dkaihkih.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2352 -
C:\Windows\SysWOW64\Djffihmp.exeC:\Windows\system32\Djffihmp.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:844 -
C:\Windows\SysWOW64\Dbmnjenb.exeC:\Windows\system32\Dbmnjenb.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Dlfbck32.exeC:\Windows\system32\Dlfbck32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Dcaghm32.exeC:\Windows\system32\Dcaghm32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Ehopnk32.exeC:\Windows\system32\Ehopnk32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Ejmljg32.exeC:\Windows\system32\Ejmljg32.exe34⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Ejpipf32.exeC:\Windows\system32\Ejpipf32.exe35⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Elaego32.exeC:\Windows\system32\Elaego32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Eabgjeef.exeC:\Windows\system32\Eabgjeef.exe37⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Fhlogo32.exeC:\Windows\system32\Fhlogo32.exe38⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Fpcghl32.exeC:\Windows\system32\Fpcghl32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Fkmhij32.exeC:\Windows\system32\Fkmhij32.exe40⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Flmecm32.exeC:\Windows\system32\Flmecm32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1328 -
C:\Windows\SysWOW64\Fmnakege.exeC:\Windows\system32\Fmnakege.exe42⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Fkbadifn.exeC:\Windows\system32\Fkbadifn.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:976 -
C:\Windows\SysWOW64\Fomndhng.exeC:\Windows\system32\Fomndhng.exe44⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Fpojlp32.exeC:\Windows\system32\Fpojlp32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Fgibijkb.exeC:\Windows\system32\Fgibijkb.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1136 -
C:\Windows\SysWOW64\Gpagbp32.exeC:\Windows\system32\Gpagbp32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Gkfkoi32.exeC:\Windows\system32\Gkfkoi32.exe48⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Glhhgahg.exeC:\Windows\system32\Glhhgahg.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Gcapckod.exeC:\Windows\system32\Gcapckod.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Geplpfnh.exeC:\Windows\system32\Geplpfnh.exe51⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Gebiefle.exeC:\Windows\system32\Gebiefle.exe52⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Gllabp32.exeC:\Windows\system32\Gllabp32.exe53⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Geeekf32.exeC:\Windows\system32\Geeekf32.exe54⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Ghcbga32.exeC:\Windows\system32\Ghcbga32.exe55⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Gcifdj32.exeC:\Windows\system32\Gcifdj32.exe56⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Gegbpe32.exeC:\Windows\system32\Gegbpe32.exe57⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Hnbgdh32.exeC:\Windows\system32\Hnbgdh32.exe58⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Hancef32.exeC:\Windows\system32\Hancef32.exe59⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Hgkknm32.exeC:\Windows\system32\Hgkknm32.exe60⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Hobcok32.exeC:\Windows\system32\Hobcok32.exe61⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Hqcpfcbl.exeC:\Windows\system32\Hqcpfcbl.exe62⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Hdolga32.exeC:\Windows\system32\Hdolga32.exe63⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Hgmhcm32.exeC:\Windows\system32\Hgmhcm32.exe64⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Hqemlbqi.exeC:\Windows\system32\Hqemlbqi.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Hkkaik32.exeC:\Windows\system32\Hkkaik32.exe66⤵
- Drops file in System32 directory
PID:2276 -
C:\Windows\SysWOW64\Hdcebagp.exeC:\Windows\system32\Hdcebagp.exe67⤵PID:576
-
C:\Windows\SysWOW64\Hgbanlfc.exeC:\Windows\system32\Hgbanlfc.exe68⤵PID:1704
-
C:\Windows\SysWOW64\Hjpnjheg.exeC:\Windows\system32\Hjpnjheg.exe69⤵PID:936
-
C:\Windows\SysWOW64\Hmojfcdk.exeC:\Windows\system32\Hmojfcdk.exe70⤵PID:2172
-
C:\Windows\SysWOW64\Igdndl32.exeC:\Windows\system32\Igdndl32.exe71⤵PID:2300
-
C:\Windows\SysWOW64\Iiekkdjo.exeC:\Windows\system32\Iiekkdjo.exe72⤵
- Drops file in System32 directory
PID:2164 -
C:\Windows\SysWOW64\Ifikehii.exeC:\Windows\system32\Ifikehii.exe73⤵PID:2484
-
C:\Windows\SysWOW64\Iihgadhl.exeC:\Windows\system32\Iihgadhl.exe74⤵PID:2464
-
C:\Windows\SysWOW64\Ikfdmogp.exeC:\Windows\system32\Ikfdmogp.exe75⤵PID:2844
-
C:\Windows\SysWOW64\Icmlnmgb.exeC:\Windows\system32\Icmlnmgb.exe76⤵PID:2656
-
C:\Windows\SysWOW64\Ikhqbo32.exeC:\Windows\system32\Ikhqbo32.exe77⤵PID:1056
-
C:\Windows\SysWOW64\Ibbioilj.exeC:\Windows\system32\Ibbioilj.exe78⤵
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Ieaekdkn.exeC:\Windows\system32\Ieaekdkn.exe79⤵
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Ikkmho32.exeC:\Windows\system32\Ikkmho32.exe80⤵PID:2376
-
C:\Windows\SysWOW64\Iofiimkd.exeC:\Windows\system32\Iofiimkd.exe81⤵
- Drops file in System32 directory
PID:2088 -
C:\Windows\SysWOW64\Iecaad32.exeC:\Windows\system32\Iecaad32.exe82⤵PID:1552
-
C:\Windows\SysWOW64\Ijpjik32.exeC:\Windows\system32\Ijpjik32.exe83⤵PID:2568
-
C:\Windows\SysWOW64\Jajbfeop.exeC:\Windows\system32\Jajbfeop.exe84⤵
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Jgdkbo32.exeC:\Windows\system32\Jgdkbo32.exe85⤵PID:1696
-
C:\Windows\SysWOW64\Jnncoini.exeC:\Windows\system32\Jnncoini.exe86⤵PID:828
-
C:\Windows\SysWOW64\Jckkhplq.exeC:\Windows\system32\Jckkhplq.exe87⤵PID:2324
-
C:\Windows\SysWOW64\Jfigdl32.exeC:\Windows\system32\Jfigdl32.exe88⤵
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Jnppei32.exeC:\Windows\system32\Jnppei32.exe89⤵
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Jcmhmp32.exeC:\Windows\system32\Jcmhmp32.exe90⤵PID:2652
-
C:\Windows\SysWOW64\Jijqeg32.exeC:\Windows\system32\Jijqeg32.exe91⤵
- Drops file in System32 directory
PID:2780 -
C:\Windows\SysWOW64\Jpdibapb.exeC:\Windows\system32\Jpdibapb.exe92⤵PID:2492
-
C:\Windows\SysWOW64\Jfnaok32.exeC:\Windows\system32\Jfnaok32.exe93⤵PID:2904
-
C:\Windows\SysWOW64\Jmhile32.exeC:\Windows\system32\Jmhile32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2532 -
C:\Windows\SysWOW64\Jpfehq32.exeC:\Windows\system32\Jpfehq32.exe95⤵
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Jbdadl32.exeC:\Windows\system32\Jbdadl32.exe96⤵PID:2204
-
C:\Windows\SysWOW64\Klmfmacc.exeC:\Windows\system32\Klmfmacc.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1124 -
C:\Windows\SysWOW64\Kbgnil32.exeC:\Windows\system32\Kbgnil32.exe98⤵PID:1772
-
C:\Windows\SysWOW64\Keekeg32.exeC:\Windows\system32\Keekeg32.exe99⤵PID:584
-
C:\Windows\SysWOW64\Kpkocpjj.exeC:\Windows\system32\Kpkocpjj.exe100⤵PID:1664
-
C:\Windows\SysWOW64\Kehgkgha.exeC:\Windows\system32\Kehgkgha.exe101⤵PID:1372
-
C:\Windows\SysWOW64\Klapha32.exeC:\Windows\system32\Klapha32.exe102⤵PID:2820
-
C:\Windows\SysWOW64\Kblhdkgk.exeC:\Windows\system32\Kblhdkgk.exe103⤵PID:2732
-
C:\Windows\SysWOW64\Kldlmqml.exeC:\Windows\system32\Kldlmqml.exe104⤵PID:2884
-
C:\Windows\SysWOW64\Kmeiei32.exeC:\Windows\system32\Kmeiei32.exe105⤵PID:2880
-
C:\Windows\SysWOW64\Kelqff32.exeC:\Windows\system32\Kelqff32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3020 -
C:\Windows\SysWOW64\Kkiiom32.exeC:\Windows\system32\Kkiiom32.exe107⤵PID:572
-
C:\Windows\SysWOW64\Kacakgip.exeC:\Windows\system32\Kacakgip.exe108⤵PID:2580
-
C:\Windows\SysWOW64\Lgpjcnhh.exeC:\Windows\system32\Lgpjcnhh.exe109⤵PID:2344
-
C:\Windows\SysWOW64\Lmjbphod.exeC:\Windows\system32\Lmjbphod.exe110⤵PID:1736
-
C:\Windows\SysWOW64\Lgbfin32.exeC:\Windows\system32\Lgbfin32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2320 -
C:\Windows\SysWOW64\Llooad32.exeC:\Windows\system32\Llooad32.exe112⤵PID:860
-
C:\Windows\SysWOW64\Lgdcom32.exeC:\Windows\system32\Lgdcom32.exe113⤵PID:1324
-
C:\Windows\SysWOW64\Lmolkg32.exeC:\Windows\system32\Lmolkg32.exe114⤵PID:1072
-
C:\Windows\SysWOW64\Lggpdmap.exeC:\Windows\system32\Lggpdmap.exe115⤵PID:1200
-
C:\Windows\SysWOW64\Lejppj32.exeC:\Windows\system32\Lejppj32.exe116⤵PID:1812
-
C:\Windows\SysWOW64\Lhhmle32.exeC:\Windows\system32\Lhhmle32.exe117⤵PID:2812
-
C:\Windows\SysWOW64\Laqadknn.exeC:\Windows\system32\Laqadknn.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:304 -
C:\Windows\SysWOW64\Mlfebcnd.exeC:\Windows\system32\Mlfebcnd.exe119⤵PID:2684
-
C:\Windows\SysWOW64\Mcpmonea.exeC:\Windows\system32\Mcpmonea.exe120⤵
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Meojkide.exeC:\Windows\system32\Meojkide.exe121⤵PID:1776
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-