Analysis

max time kernel: 95s
max time network: 41s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 17-10-2022 09:11
Static task: static1

Behavioral task: behavioral1
  Sample: 8cef743a92a922b3b45b6a02660a0fbbb13328a0d6a9e1ffebad51cb88910908.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 8cef743a92a922b3b45b6a02660a0fbbb13328a0d6a9e1ffebad51cb88910908.exe
  Resource: win10v2004-20220812-en

The signatures and process tree on this page come from behavioral1, the windows7_x64 run named in the Analysis header above; the Windows 10 run is a separate report.
General

Target: 8cef743a92a922b3b45b6a02660a0fbbb13328a0d6a9e1ffebad51cb88910908.exe
Size: 248KB
MD5: 87e1905afd5be25c4dd1e16b28811ec6
SHA1: 74d0da5f96c92e203ff95c0d3252858defe28fc2
SHA256: 8cef743a92a922b3b45b6a02660a0fbbb13328a0d6a9e1ffebad51cb88910908
SHA512: c54c8d6de324b2ab6c23488e5d940df325582c654fa4a2d02a88b3a69fe7ecdb1682cf80997f1990ecbc572cffb7a5c26e5e525ef95e35a61ccd5ecefc6044da
SSDEEP: 6144:HZpbwFmvXT83nL0qzdwOSzhrQD2s68RXT83nL0qzdwOSL:DbAew3P+hrYw3P0
Malware Config

(no configuration was extracted for this sample)

Signatures

Each signature table below is capped at 64 IoCs. The rows are a sample of the behaviour the sandbox saw, not the complete set, so the process names in one table do not necessarily line up with those in another.
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

SSODL = \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
(the "Key created" rows spell the path \REGISTRY\MACHINE\Software\...; it is the same key, registry paths are case-insensitive)

description     | ioc                                                                | process
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Afceja32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bpiiljje.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dkccdfia.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Igoafp32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qjgiah32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ggjgko32.exe
Key created     | SSODL                                                              | Jdmpbjkc.exe
Key created     | SSODL                                                              | Egngjq32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kliacgbi.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aafachmg.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eidhhk32.exe
Key created     | SSODL                                                              | Pecjhbnd.exe
Key created     | SSODL                                                              | Ahabcapc.exe
Key created     | SSODL                                                              | Lipnbk32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Llnjof32.exe
Key created     | SSODL                                                              | Obdnkbjg.exe
Key created     | SSODL                                                              | Lnheklmo.exe
Key created     | SSODL                                                              | Depfih32.exe
Key created     | SSODL                                                              | Dnlpklga.exe
Key created     | SSODL                                                              | Hkcbeacj.exe
Key created     | SSODL                                                              | Balifcca.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iljnbbpd.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Opdkfioi.exe
Key created     | SSODL                                                              | Nfkqqbff.exe
Key created     | SSODL                                                              | Oqlhaolm.exe
Key created     | SSODL                                                              | Pmnhbnhc.exe
Key created     | SSODL                                                              | Ipaqhblc.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nnndhn32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qdmqdnog.exe
Key created     | SSODL                                                              | Ipddhh32.exe
Key created     | SSODL                                                              | Mhiqnjbn.exe
Key created     | SSODL                                                              | Ihmemdin.exe
Key created     | SSODL                                                              | Npioml32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Feenlcmn.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Njehpo32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ppoeeg32.exe
Key created     | SSODL                                                              | Qdmnle32.exe
Key created     | SSODL                                                              | Fbfogogf.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cedeqe32.exe
Key created     | SSODL                                                              | Dgodnlnl.exe
Key created     | SSODL                                                              | Kngfelna.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Alheipla.exe
Key created     | SSODL                                                              | Apdaio32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hafdamao.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iojaidbd.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ijoefm32.exe
Key created     | SSODL                                                              | Jfkofm32.exe
Key created     | SSODL                                                              | Oklbdh32.exe
Key created     | SSODL                                                              | Dclkbh32.exe
Key created     | SSODL                                                              | Omgcjc32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pmalbdim.exe
Key created     | SSODL                                                              | Ndbnhkfp.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oacgqlfl.exe
Key created     | SSODL                                                              | Lhjdog32.exe
Key created     | SSODL                                                              | Mfanec32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mgonof32.exe
Key created     | SSODL                                                              | Pnodjf32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dabmcj32.exe
Key created     | SSODL                                                              | Gbdoqckd.exe
Key created     | SSODL                                                              | Oqjonp32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Beeplh32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nonecbmp.exe
Key created     | SSODL                                                              | Aljpfgbk.exe
Key created     | SSODL                                                              | Comgqb32.exe
Executes dropped EXE (64 IoCs)

pid  | process
276  | Hnlqdl32.exe
1812 | Lgggmc32.exe
1600 | Lglphbhe.exe
960  | Lnheklmo.exe
1932 | Monkncoh.exe
288  | Mikiahac.exe
588  | Nmokqkbp.exe
1832 | Njehpo32.exe
1704 | Obcjiako.exe
1524 | Ohbogh32.exe
1304 | Odklahje.exe
1756 | Ppgfbi32.exe
1104 | Poqmnd32.exe
1124 | Agcgcf32.exe
1440 | Afjajb32.exe
1852 | Bhkjkm32.exe
1760 | Cpgkmj32.exe
240  | Dhjfak32.exe
1980 | Dnfkde32.exe
1512 | Eidepbal.exe
1732 | Epqjblfg.exe
580  | Eiioka32.exe
1644 | Ekmhhj32.exe
1408 | Ekoemi32.exe
1604 | Fkaacimm.exe
1688 | Fjfode32.exe
828  | Fppgqpib.exe
1692 | Fgmlcinl.exe
848  | Ffbidf32.exe
360  | Gkanbloi.exe
1820 | Gbkfof32.exe
1332 | Ghenkqnb.exe
684  | Gbmcdfdc.exe
520  | Gkfgml32.exe
1804 | Gjkdnhpk.exe
604  | Hkjqhkgn.exe
1008 | Holfanjn.exe
812  | Hcjohm32.exe
1612 | Hcmkmlna.exe
1340 | Igoafp32.exe
1748 | Ijafnjlo.exe
1856 | Jibckegi.exe
1388 | Klcllp32.exe
1776 | Khjmaajo.exe
1788 | Legcijal.exe
2000 | Lgfpcm32.exe
1368 | Lcmqhnnc.exe
1356 | Nnndhn32.exe
632  | Neglehnb.exe
2004 | Ophcfddi.exe
1660 | Omopehap.exe
1952 | Plhgad32.exe
1960 | Poipco32.exe
800  | Ppoeeg32.exe
1328 | Qdmnle32.exe
1376 | Qmecdknc.exe
1684 | Aljpfgbk.exe
1728 | Almlkgqh.exe
1552 | Ahcmphfm.exe
1580 | Aonemb32.exe
1984 | Agijad32.exe
1160 | Bcddad32.exe
1292 | Cijppj32.exe
864  | Cknege32.exe
Loads dropped DLL (64 IoCs)

The report lists every process in this table twice (one row per dropped DLL it loaded); the 32 distinct processes are shown once here. Note that pid 1672 Eofgch32.exe appears in this table but not in the Executes dropped EXE table above, which has pid 580 Eiioka32.exe at that point: both tables are 64-row caps over a longer chain, not the same list.

pid  | process
2036 | 8cef743a92a922b3b45b6a02660a0fbbb13328a0d6a9e1ffebad51cb88910908.exe
276  | Hnlqdl32.exe
1812 | Lgggmc32.exe
1600 | Lglphbhe.exe
960  | Lnheklmo.exe
1932 | Monkncoh.exe
288  | Mikiahac.exe
588  | Nmokqkbp.exe
1832 | Njehpo32.exe
1704 | Obcjiako.exe
1524 | Ohbogh32.exe
1304 | Odklahje.exe
1756 | Ppgfbi32.exe
1104 | Poqmnd32.exe
1124 | Agcgcf32.exe
1440 | Afjajb32.exe
1852 | Bhkjkm32.exe
1760 | Cpgkmj32.exe
240  | Dhjfak32.exe
1980 | Dnfkde32.exe
1512 | Eidepbal.exe
1732 | Epqjblfg.exe
1672 | Eofgch32.exe
1644 | Ekmhhj32.exe
1408 | Ekoemi32.exe
1604 | Fkaacimm.exe
1688 | Fjfode32.exe
828  | Fppgqpib.exe
1692 | Fgmlcinl.exe
848  | Ffbidf32.exe
360  | Gkanbloi.exe
1820 | Gbkfof32.exe
Drops file in System32 directory (64 IoCs)

SYS32 = C:\Windows\SysWOW64

description                  | ioc                  | process
File created                 | SYS32\Fhkgcd32.exe   | Femkgi32.exe
File created                 | SYS32\Pffkoa32.dll   | Lnmfkb32.exe
File opened for modification | SYS32\Kiebimlk.exe   | Kanjhpli.exe
File opened for modification | SYS32\Kldneiko.exe   | Kiebimlk.exe
File opened for modification | SYS32\Ookbdm32.exe   | Onjfmedl.exe
File created                 | SYS32\Bpfjnbec.exe   | Bmhnbffp.exe
File created                 | SYS32\Cngcfcep.exe   | Cepkefdn.exe
File created                 | SYS32\Chlpja32.dll   | Geejkgpj.exe
File created                 | SYS32\Odcpod32.dll   | Ppoeeg32.exe
File created                 | SYS32\Khkojj32.exe   | Kldneiko.exe
File opened for modification | SYS32\Llckdlnj.exe   | Ldhfpjqo.exe
File created                 | SYS32\Elbbfd32.dll   | Poqmnd32.exe
File created                 | SYS32\Apdaio32.exe   | Alheipla.exe
File created                 | SYS32\Fcjkmp32.exe   | Fbinfhlh.exe
File created                 | SYS32\Aafachmg.exe   | Aoheglnc.exe
File created                 | SYS32\Cindkdjd.exe   | Cgohoikp.exe
File created                 | SYS32\Gkijqe32.dll   | Qcncmf32.exe
File opened for modification | SYS32\Eaicdi32.exe   | Depfih32.exe
File opened for modification | SYS32\Kancmj32.exe   | Kifkll32.exe
File created                 | SYS32\Qdmnle32.exe   | Ppoeeg32.exe
File created                 | SYS32\Cijppj32.exe   | Bcddad32.exe
File opened for modification | SYS32\Hncind32.exe   | Hkemah32.exe
File opened for modification | SYS32\Ihbebjid.exe   | Ijoefm32.exe
File created                 | SYS32\Hlakldho.exe   | Hicophil.exe
File created                 | SYS32\Jegicofd.exe   | Jnnafe32.exe
File opened for modification | SYS32\Ejememkc.exe   | Eggaiakp.exe
File created                 | SYS32\Fkbjpk32.dll   | Fbinfhlh.exe
File opened for modification | SYS32\Ghhpba32.exe   | Gangfgck.exe
File created                 | SYS32\Pjhgop32.dll   | Mikiahac.exe
File created                 | SYS32\Fjhapaho.dll   | Hncind32.exe
File opened for modification | SYS32\Ifajhfdp.exe   | Icbnkkel.exe
File created                 | SYS32\Epjmblhk.dll   | Acmgfoop.exe
File opened for modification | SYS32\Ongigefo.exe   | Ojlmffne.exe
File opened for modification | SYS32\Fcmgcp32.exe   | Fankgd32.exe
File created                 | SYS32\Cbkcmnnh.exe   | Comgqb32.exe
File created                 | SYS32\Eboigp32.exe   | Epamke32.exe
File created                 | SYS32\Jncgep32.exe   | Jkekid32.exe
File created                 | SYS32\Hcqfmn32.dll   | Ggemppkh.exe
File created                 | SYS32\Ogblncbq.exe   | Oddpbgcm.exe
File created                 | SYS32\Gijpeplb.dll   | Bianep32.exe
File created                 | SYS32\Fhhake32.exe   | Fpaiih32.exe
File opened for modification | SYS32\Lobgphmn.exe   | Llckdlnj.exe
File created                 | SYS32\Okepfh32.dll   | Llckdlnj.exe
File opened for modification | SYS32\Gjkdnhpk.exe   | Gkfgml32.exe
File created                 | SYS32\Beeplh32.exe   | Bcgcpm32.exe
File created                 | SYS32\Peancb32.exe   | Pngefhij.exe
File created                 | SYS32\Hkcbeacj.exe   | Hdijhg32.exe
File created                 | SYS32\Dpbhalef.exe   | Dndleqfb.exe
File created                 | SYS32\Kfocfp32.dll   | Epkjlf32.exe
File created                 | SYS32\Hkkcac32.exe   | Hdakdige.exe
File created                 | SYS32\Hlqick32.exe   | Hjbmgp32.exe
File created                 | SYS32\Nbbkcaka.exe   | Mdhdgf32.exe
File created                 | SYS32\Ifffno32.dll   | Khjmaajo.exe
File created                 | SYS32\Mgonof32.exe   | Mdpabk32.exe
File created                 | SYS32\Pbpaia32.dll   | Kgidmcki.exe
File created                 | SYS32\Jonobafd.dll   | Cindkdjd.exe
File opened for modification | SYS32\Fmelle32.exe   | Fcmgcp32.exe
File created                 | SYS32\Jcdbnpjm.exe   | Joifna32.exe
File created                 | SYS32\Gidlhdpk.dll   | Moimafgf.exe
File opened for modification | SYS32\Eiodaikf.exe   | Egngjq32.exe
File created                 | SYS32\Mhegbk32.exe   | Molcjepc.exe
File opened for modification | SYS32\Fpkidbqp.exe   | Fmmlhgal.exe
File opened for modification | SYS32\Ajmkpfmn.exe   | Acccclfa.exe
File created                 | SYS32\Mnibedoo.dll   | Jjnkkj32.exe
Program crash (1 IoC)

pid  | pid_target | process      | procid_target
2128 | 2120       | WerFault.exe | 832
Modifies registry class (64 IoCs)

INPROC = \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
INPROC\(default) is the key's default value, which the report prints as a trailing backslash with an empty value name (InProcServer32\ = "...").

This is the same CLSID the ShellServiceObjectDelayLoad value above points at. Rewriting its InProcServer32 default value to a DLL under C:\Windows\SysWow64 (Nmgndi32.dll, Bajcliab.dll, ...) is what turns that autorun entry into a load of the sample's dropped code inside Explorer.exe; each process in the chain writes a different DLL name, so the final value depends on which process ran last.

description     | ioc                                                       | process
Key created     | INPROC                                                    | Flbiic32.exe
Key created     | INPROC                                                    | Bkmhojpi.exe
Key created     | INPROC                                                    | Ghhpba32.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                       | Chpnmk32.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                       | Njehpo32.exe
Set value (str) | INPROC\(default) = "C:\\Windows\\SysWow64\\Nmgndi32.dll"  | Fpebdgla.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                       | Ogbjej32.exe
Set value (str) | INPROC\(default) = "C:\\Windows\\SysWow64\\Bajcliab.dll"  | Ebjiakmh.exe
Key created     | INPROC                                                    | Jjnkkj32.exe
Key created     | INPROC                                                    | Bjlqdcln.exe
Key created     | INPROC                                                    | Cijppj32.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                       | Hlilhf32.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                       | Jkjdddpn.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                       | Ambnla32.exe
Key created     | INPROC                                                    | Holfanjn.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                       | Gmjlakfj.exe
Key created     | INPROC                                                    | Knjjeb32.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                       | Ccobckgl.exe
Key created     | INPROC                                                    | Eepbhkjp.exe
Set value (str) | INPROC\(default) = "C:\\Windows\\SysWow64\\Omiqge32.dll"  | Pnjddqnk.exe
Set value (str) | INPROC\(default) = "C:\\Windows\\SysWow64\\Oppnknok.dll"  | Gepjfa32.exe
Key created     | INPROC                                                    | Oneojnpe.exe
Set value (str) | INPROC\(default) = "C:\\Windows\\SysWow64\\Mdndgqdp.dll"  | Hkemah32.exe
Key created     | INPROC                                                    | Pmalbdim.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                       | Mabefp32.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                       | Dckboimo.exe
Set value (str) | INPROC\(default) = "C:\\Windows\\SysWow64\\Bpiidg32.dll"  | Fmpkfpgn.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                       | Kflfbh32.exe
Key created     | INPROC                                                    | Igqija32.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                       | Dgaadl32.exe
Key created     | INPROC                                                    | Nmhoajkg.exe
Set value (str) | INPROC\(default) = "C:\\Windows\\SysWow64\\Gfkflh32.dll"  | Hologh32.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                       | Igqija32.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                       | Icmponmi.exe
Key created     | INPROC                                                    | Apimmg32.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                       | Cdbefm32.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                       | Hcjohm32.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                       | Mgdaeida.exe
Key created     | INPROC                                                    | Jkjdddpn.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                       | Nopaia32.exe
Set value (str) | INPROC\(default) = "C:\\Windows\\SysWow64\\Pacdam32.dll"  | Fcdhoa32.exe
Key created     | INPROC                                                    | Hlilhf32.exe
Set value (str) | INPROC\(default) = "C:\\Windows\\SysWow64\\Qdqacnng.dll"  | Ccobckgl.exe
Key created     | INPROC                                                    | Gepjfa32.exe
Set value (str) | INPROC\(default) = "C:\\Windows\\SysWow64\\Mjomfg32.dll"  | Njehpo32.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                       | Bpfjnbec.exe
Key created     | INPROC                                                    | Acccclfa.exe
Key created     | INPROC                                                    | Ejgcqfee.exe
Key created     | INPROC                                                    | Hlfhhp32.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                       | Nlpigfnl.exe
Set value (str) | INPROC\(default) = "C:\\Windows\\SysWow64\\Omgijojj.dll"  | Bhndhhmj.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                       | Eqbdqp32.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                       | Neglehnb.exe
Set value (str) | INPROC\(default) = "C:\\Windows\\SysWow64\\Mijadk32.dll"  | Iccpdc32.exe
Set value (str) | INPROC\(default) = "C:\\Windows\\SysWow64\\Haadbb32.dll"  | Dfinkelc.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                       | Ddnkmaak.exe
Key created     | INPROC                                                    | Eafijmdd.exe
Set value (str) | INPROC\(default) = "C:\\Windows\\SysWow64\\Fhggho32.dll"  | Jgllnejg.exe
Set value (str) | INPROC\(default) = "C:\\Windows\\SysWow64\\Mmhpibpg.dll"  | Bnepobfi.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                       | Oacgqlfl.exe
Key created     | INPROC                                                    | Fjopllbh.exe
Key created     | INPROC                                                    | Jdmpbjkc.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                       | Ooebogjc.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                       | Jfneol32.exe
Suspicious use of WriteProcessMemory (64 IoCs)

The report logs four identical WriteProcessMemory rows for each child a process creates, so the 64 rows are the 16 parent-to-child hand-offs below. The writer in each row is the parent of the target in the process tree further down.

pid  | wrote to memory of | process (writer)                                                      | procid_target | rows
2036 | 276                | 8cef743a92a922b3b45b6a02660a0fbbb13328a0d6a9e1ffebad51cb88910908.exe | 27            | 4
276  | 1812               | Hnlqdl32.exe                                                          | 28            | 4
1812 | 1600               | Lgggmc32.exe                                                          | 29            | 4
1600 | 960                | Lglphbhe.exe                                                          | 30            | 4
960  | 1932               | Lnheklmo.exe                                                          | 31            | 4
1932 | 288                | Monkncoh.exe                                                          | 32            | 4
288  | 588                | Mikiahac.exe                                                          | 33            | 4
588  | 1832               | Nmokqkbp.exe                                                          | 34            | 4
1832 | 1704               | Njehpo32.exe                                                          | 35            | 4
1704 | 1524               | Obcjiako.exe                                                          | 36            | 4
1524 | 1304               | Ohbogh32.exe                                                          | 37            | 4
1304 | 1756               | Odklahje.exe                                                          | 38            | 4
1756 | 1104               | Ppgfbi32.exe                                                          | 39            | 4
1104 | 1124               | Poqmnd32.exe                                                          | 40            | 4
1124 | 1440               | Agcgcf32.exe                                                          | 41            | 4
1440 | 1852               | Afjajb32.exe                                                          | 42            | 4
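The two registry tables and the WriteProcessMemory table above are three views of one mechanism: the ShellServiceObjectDelayLoad value "Web Event Logger" names CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, the InProcServer32 default value of that same CLSID is rewritten to DLLs under C:\Windows\SysWow64, and a chain of freshly dropped executables does the writing one after another. On a stock Windows install that value name and CLSID belong to the built-in Web Event Logger shell service object (served by webcheck.dll), so a hunt that only looks for unfamiliar SSODL value names will not catch this; the InProcServer32 path has to be compared against a clean reference host. The script below is an added triage example, not code from the sandbox or from the sample: it parses rows in the sandbox's raw one-row-per-line layout (the sample rows are copied from the tables above and constructed into two strings), joins the SSODL CLSID to every DLL its InProcServer32 was re-pointed at, and folds the four-fold WriteProcessMemory rows into a single spawn chain. Function and constant names are the example's own.

```python
"""Correlate the registry and WriteProcessMemory IoCs of the report above.

Added example, not code from the sandbox or from the sample. Input rows use
the sandbox's own row layout, one IoC per line.
"""
import re
from collections import defaultdict

# Constructed sample input: rows copied from the two registry tables above,
# in the raw "description ioc process" layout, one row per line.
REGISTRY_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afceja32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdmpbjkc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpiiljje.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flbiic32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chpnmk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmgndi32.dll" Fpebdgla.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bajcliab.dll" Ebjiakmh.exe
"""

# Constructed sample input: the first rows of the WriteProcessMemory table,
# including the four-fold repeats the report emits per child process.
WPM_ROWS = """
PID 2036 wrote to memory of 276 2036 8cef743a92a922b3b45b6a02660a0fbbb13328a0d6a9e1ffebad51cb88910908.exe 27
PID 2036 wrote to memory of 276 2036 8cef743a92a922b3b45b6a02660a0fbbb13328a0d6a9e1ffebad51cb88910908.exe 27
PID 2036 wrote to memory of 276 2036 8cef743a92a922b3b45b6a02660a0fbbb13328a0d6a9e1ffebad51cb88910908.exe 27
PID 2036 wrote to memory of 276 2036 8cef743a92a922b3b45b6a02660a0fbbb13328a0d6a9e1ffebad51cb88910908.exe 27
PID 276 wrote to memory of 1812 276 Hnlqdl32.exe 28
PID 276 wrote to memory of 1812 276 Hnlqdl32.exe 28
PID 1812 wrote to memory of 1600 1812 Lgggmc32.exe 29
"""

SET_RE = re.compile(
    r'^Set value \(\w+\) (?P<key>\\REGISTRY\\.*?)\\(?P<name>[^\\]*?) = "(?P<data>.*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<key>\\REGISTRY\\\S+) (?P<proc>\S+)$')
WPM_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<proc>\S+) \d+$')
GUID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')


def parse_registry_rows(text):
    """Turn report rows into dicts: op ('set' | 'create'), key, name, data, proc."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if m := SET_RE.match(line):
            events.append({"op": "set", **m.groupdict()})
        elif m := KEY_RE.match(line):
            events.append({"op": "create", "name": None, "data": None, **m.groupdict()})
    return events


def correlate_ssodl(events):
    """For each value written under ShellServiceObjectDelayLoad, collect the
    InProcServer32 default values written for its CLSID during the run.
    That DLL is what Explorer will load at the next logon."""
    ssodl, ssodl_writers = {}, defaultdict(set)                   # value name -> CLSID
    servers, server_writers = defaultdict(set), defaultdict(set)  # CLSID -> DLL paths
    for ev in events:
        if ev["op"] != "set":
            continue
        key = ev["key"].lower()
        if key.endswith("\\shellserviceobjectdelayload"):
            if g := GUID_RE.search(ev["data"]):
                ssodl[ev["name"]] = g.group(0).upper()
                ssodl_writers[g.group(0).upper()].add(ev["proc"])
        elif key.endswith("\\inprocserver32") and ev["name"] == "":
            if g := GUID_RE.search(ev["key"]):
                clsid = g.group(0).upper()
                # the report escapes backslashes inside string data; undo that
                servers[clsid].add(ev["data"].replace("\\\\", "\\"))
                server_writers[clsid].add(ev["proc"])
    return [{
        "value": name,
        "clsid": clsid,
        "dlls": sorted(servers[clsid]),
        "ssodl_writers": sorted(ssodl_writers[clsid]),
        "server_writers": sorted(server_writers[clsid]),
        # the CLSID's in-process server was rewritten during the run, so the
        # autorun entry now resolves to attacker-dropped code
        "hijacked": bool(servers[clsid]),
    } for name, clsid in sorted(ssodl.items())]


def spawn_chain(text, root_pid):
    """Fold the repeated WriteProcessMemory rows into one parent->child edge
    each and walk the chain from root_pid. Returns [(pid, image name)]; the
    last image name is None because that process never wrote to another one
    in the given rows (its name only appears in the process tree)."""
    children, names = defaultdict(set), {}
    for line in text.strip().splitlines():
        if m := WPM_RE.match(line.strip()):
            children[int(m["src"])].add(int(m["dst"]))
            names[int(m["src"])] = m["proc"]
    chain, pid, seen = [], root_pid, set()
    while pid not in seen:
        seen.add(pid)
        chain.append((pid, names.get(pid)))
        if len(children[pid]) != 1:   # chain ends, or the process forked
            break
        pid = next(iter(children[pid]))
    return chain


if __name__ == "__main__":
    for f in correlate_ssodl(parse_registry_rows(REGISTRY_ROWS)):
        print(f"{f['value']} -> {f['clsid']} -> {f['dlls']} (hijacked={f['hijacked']})")
    print(" -> ".join(f"{pid}:{name or '?'}" for pid, name in spawn_chain(WPM_ROWS, 2036)))
```

Feeding the full tables in (one row per line) gives the complete list of DLLs that ever sat behind the CLSID, which is the set of paths worth checking on a suspect host, and the full 16-hop chain. The "Key created" rows carry no value data and are kept only so the writer process list stays complete; ThreadingModel writes are ignored because they do not change which DLL loads.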
Processes

Each entry gives the nesting depth in the process tree, the image path, the command line, the PID, and the signatures that fired for that process.

1. C:\Users\Admin\AppData\Local\Temp\8cef743a92a922b3b45b6a02660a0fbbb13328a0d6a9e1ffebad51cb88910908.exe (cmd: "C:\Users\Admin\AppData\Local\Temp\8cef743a92a922b3b45b6a02660a0fbbb13328a0d6a9e1ffebad51cb88910908.exe"), PID 2036: Loads dropped DLL; Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Hnlqdl32.exe (cmd: C:\Windows\system32\Hnlqdl32.exe), PID 276: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Lgggmc32.exe (cmd: C:\Windows\system32\Lgggmc32.exe), PID 1812: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Lglphbhe.exe (cmd: C:\Windows\system32\Lglphbhe.exe), PID 1600: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Lnheklmo.exe (cmd: C:\Windows\system32\Lnheklmo.exe), PID 960: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Monkncoh.exe (cmd: C:\Windows\system32\Monkncoh.exe), PID 1932: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Mikiahac.exe (cmd: C:\Windows\system32\Mikiahac.exe), PID 288: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Nmokqkbp.exe (cmd: C:\Windows\system32\Nmokqkbp.exe), PID 588: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Njehpo32.exe (cmd: C:\Windows\system32\Njehpo32.exe), PID 1832: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Obcjiako.exe (cmd: C:\Windows\system32\Obcjiako.exe), PID 1704: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Ohbogh32.exe (cmd: C:\Windows\system32\Ohbogh32.exe), PID 1524: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Odklahje.exe (cmd: C:\Windows\system32\Odklahje.exe), PID 1304: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Ppgfbi32.exe (cmd: C:\Windows\system32\Ppgfbi32.exe), PID 1756: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Poqmnd32.exe (cmd: C:\Windows\system32\Poqmnd32.exe), PID 1104: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Agcgcf32.exe (cmd: C:\Windows\system32\Agcgcf32.exe), PID 1124: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Afjajb32.exe (cmd: C:\Windows\system32\Afjajb32.exe), PID 1440: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Bhkjkm32.exe (cmd: C:\Windows\system32\Bhkjkm32.exe), PID 1852: Executes dropped EXE; Loads dropped DLL
18. C:\Windows\SysWOW64\Cpgkmj32.exe (cmd: C:\Windows\system32\Cpgkmj32.exe), PID 1760: Executes dropped EXE; Loads dropped DLL
19. C:\Windows\SysWOW64\Dhjfak32.exe (cmd: C:\Windows\system32\Dhjfak32.exe), PID 240: Executes dropped EXE; Loads dropped DLL
20. C:\Windows\SysWOW64\Dnfkde32.exe (cmd: C:\Windows\system32\Dnfkde32.exe), PID 1980: Executes dropped EXE; Loads dropped DLL
21. C:\Windows\SysWOW64\Eidepbal.exe (cmd: C:\Windows\system32\Eidepbal.exe), PID 1512: Executes dropped EXE; Loads dropped DLL
22. C:\Windows\SysWOW64\Epqjblfg.exe (cmd: C:\Windows\system32\Epqjblfg.exe), PID 1732: Executes dropped EXE; Loads dropped DLL
23. C:\Windows\SysWOW64\Eiioka32.exe (cmd: C:\Windows\system32\Eiioka32.exe), PID 580: Executes dropped EXE
24. C:\Windows\SysWOW64\Eofgch32.exe (cmd: C:\Windows\system32\Eofgch32.exe), PID 1672: Loads dropped DLL
25. C:\Windows\SysWOW64\Ekmhhj32.exe (cmd: C:\Windows\system32\Ekmhhj32.exe), PID 1644: Executes dropped EXE; Loads dropped DLL
26. C:\Windows\SysWOW64\Ekoemi32.exe (cmd: C:\Windows\system32\Ekoemi32.exe), PID 1408: Executes dropped EXE; Loads dropped DLL
27. C:\Windows\SysWOW64\Fkaacimm.exe (cmd: C:\Windows\system32\Fkaacimm.exe), PID 1604: Executes dropped EXE; Loads dropped DLL
28. C:\Windows\SysWOW64\Fjfode32.exe (cmd: C:\Windows\system32\Fjfode32.exe), PID 1688: Executes dropped EXE; Loads dropped DLL
29. C:\Windows\SysWOW64\Fppgqpib.exe (cmd: C:\Windows\system32\Fppgqpib.exe), PID 828: Executes dropped EXE; Loads dropped DLL
30. C:\Windows\SysWOW64\Fgmlcinl.exe (cmd: C:\Windows\system32\Fgmlcinl.exe), PID 1692: Executes dropped EXE; Loads dropped DLL
31. C:\Windows\SysWOW64\Ffbidf32.exe (cmd: C:\Windows\system32\Ffbidf32.exe), PID 848: Executes dropped EXE; Loads dropped DLL
32. C:\Windows\SysWOW64\Gkanbloi.exe (cmd: C:\Windows\system32\Gkanbloi.exe), PID 360: Executes dropped EXE; Loads dropped DLL
33. C:\Windows\SysWOW64\Gbkfof32.exe (cmd: C:\Windows\system32\Gbkfof32.exe), PID 1820: Executes dropped EXE; Loads dropped DLL
34. C:\Windows\SysWOW64\Ghenkqnb.exe (cmd: C:\Windows\system32\Ghenkqnb.exe), PID 1332: Executes dropped EXE
35. C:\Windows\SysWOW64\Gbmcdfdc.exe (cmd: C:\Windows\system32\Gbmcdfdc.exe), PID 684: Executes dropped EXE
36. C:\Windows\SysWOW64\Gkfgml32.exe (cmd: C:\Windows\system32\Gkfgml32.exe), PID 520: Executes dropped EXE; Drops file in System32 directory
37. C:\Windows\SysWOW64\Gjkdnhpk.exe (cmd: C:\Windows\system32\Gjkdnhpk.exe), PID 1804: Executes dropped EXE
38. C:\Windows\SysWOW64\Hkjqhkgn.exe (cmd: C:\Windows\system32\Hkjqhkgn.exe), PID 604: Executes dropped EXE
39. C:\Windows\SysWOW64\Holfanjn.exe (cmd: C:\Windows\system32\Holfanjn.exe), PID 1008: Executes dropped EXE; Modifies registry class
40. C:\Windows\SysWOW64\Hcjohm32.exe (cmd: C:\Windows\system32\Hcjohm32.exe), PID 812: Executes dropped EXE; Modifies registry class
41. C:\Windows\SysWOW64\Hcmkmlna.exe (cmd: C:\Windows\system32\Hcmkmlna.exe), PID 1612: Executes dropped EXE
42. C:\Windows\SysWOW64\Igoafp32.exe (cmd: C:\Windows\system32\Igoafp32.exe), PID 1340: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
43. C:\Windows\SysWOW64\Ijafnjlo.exe (cmd: C:\Windows\system32\Ijafnjlo.exe), PID 1748: Executes dropped EXE
44. C:\Windows\SysWOW64\Jibckegi.exe (cmd: C:\Windows\system32\Jibckegi.exe), PID 1856: Executes dropped EXE
45. C:\Windows\SysWOW64\Klcllp32.exe (cmd: C:\Windows\system32\Klcllp32.exe), PID 1388: Executes dropped EXE
46. C:\Windows\SysWOW64\Khjmaajo.exe (cmd: C:\Windows\system32\Khjmaajo.exe), PID 1776: Executes dropped EXE; Drops file in System32 directory
47. C:\Windows\SysWOW64\Legcijal.exe (cmd: C:\Windows\system32\Legcijal.exe), PID 1788: Executes dropped EXE
48. C:\Windows\SysWOW64\Lgfpcm32.exe (cmd: C:\Windows\system32\Lgfpcm32.exe), PID 2000: Executes dropped EXE
49. C:\Windows\SysWOW64\Lcmqhnnc.exe (cmd: C:\Windows\system32\Lcmqhnnc.exe), PID 1368: Executes dropped EXE
50. C:\Windows\SysWOW64\Nnndhn32.exe (cmd: C:\Windows\system32\Nnndhn32.exe), PID 1356: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
51. C:\Windows\SysWOW64\Neglehnb.exe (cmd: C:\Windows\system32\Neglehnb.exe), PID 632: Executes dropped EXE; Modifies registry class
52. C:\Windows\SysWOW64\Ophcfddi.exe (cmd: C:\Windows\system32\Ophcfddi.exe), PID 2004: Executes dropped EXE
53. C:\Windows\SysWOW64\Omopehap.exe (cmd: C:\Windows\system32\Omopehap.exe), PID 1660: Executes dropped EXE
54. C:\Windows\SysWOW64\Plhgad32.exe (cmd: C:\Windows\system32\Plhgad32.exe), PID 1952: Executes dropped EXE
55. C:\Windows\SysWOW64\Poipco32.exe (cmd: C:\Windows\system32\Poipco32.exe), PID 1960: Executes dropped EXE
56. C:\Windows\SysWOW64\Ppoeeg32.exe (cmd: C:\Windows\system32\Ppoeeg32.exe), PID 800: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
57. C:\Windows\SysWOW64\Qdmnle32.exe (cmd: C:\Windows\system32\Qdmnle32.exe), PID 1328: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
58. C:\Windows\SysWOW64\Qmecdknc.exe (cmd: C:\Windows\system32\Qmecdknc.exe), PID 1376: Executes dropped EXE
59. C:\Windows\SysWOW64\Aljpfgbk.exe (cmd: C:\Windows\system32\Aljpfgbk.exe), PID 1684: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
60. C:\Windows\SysWOW64\Almlkgqh.exe (cmd: C:\Windows\system32\Almlkgqh.exe), PID 1728: Executes dropped EXE
61. C:\Windows\SysWOW64\Ahcmphfm.exe (cmd: C:\Windows\system32\Ahcmphfm.exe), PID 1552: Executes dropped EXE
62. C:\Windows\SysWOW64\Aonemb32.exe (cmd: C:\Windows\system32\Aonemb32.exe), PID 1580: Executes dropped EXE
63. C:\Windows\SysWOW64\Agijad32.exe (cmd: C:\Windows\system32\Agijad32.exe), PID 1984: Executes dropped EXE
64. C:\Windows\SysWOW64\Bcddad32.exe (cmd: C:\Windows\system32\Bcddad32.exe), PID 1160: Executes dropped EXE; Drops file in System32 directory
65. C:\Windows\SysWOW64\Cijppj32.exe (cmd: C:\Windows\system32\Cijppj32.exe), PID 1292: Executes dropped EXE; Modifies registry class
66. C:\Windows\SysWOW64\Cknege32.exe (cmd: C:\Windows\system32\Cknege32.exe), PID 864: Executes dropped EXE
67. C:\Windows\SysWOW64\Dpbgfh32.exe (cmd: C:\Windows\system32\Dpbgfh32.exe), PID 316
68. C:\Windows\SysWOW64\Dpfqagke.exe (cmd: C:\Windows\system32\Dpfqagke.exe), PID 1572
69. C:\Windows\SysWOW64\Dhdbkifn.exe (cmd: C:\Windows\system32\Dhdbkifn.exe), PID 1264
70. C:\Windows\SysWOW64\Epkjlf32.exe (cmd: C:\Windows\system32\Epkjlf32.exe), PID 1004: Drops file in System32 directory
71. C:\Windows\SysWOW64\Eafijmdd.exe (cmd: C:\Windows\system32\Eafijmdd.exe), PID 1300: Modifies registry class
72. C:\Windows\SysWOW64\Fickdopl.exe (cmd: C:\Windows\system32\Fickdopl.exe), PID 1884
73. C:\Windows\SysWOW64\Flddfj32.exe (cmd: C:\Windows\system32\Flddfj32.exe), PID 552
74. C:\Windows\SysWOW64\Gknjbf32.exe (cmd: C:\Windows\system32\Gknjbf32.exe), PID 624
75. C:\Windows\SysWOW64\Ghbkkjli.exe (cmd: C:\Windows\system32\Ghbkkjli.exe), PID 1560
76. C:\Windows\SysWOW64\Gnoccaka.exe (cmd: C:\Windows\system32\Gnoccaka.exe), PID 1456
77. C:\Windows\SysWOW64\Hjmjia32.exe (cmd: C:\Windows\system32\Hjmjia32.exe), PID 988
78. C:\Windows\SysWOW64\Hologh32.exe (cmd: C:\Windows\system32\Hologh32.exe), PID 592: Modifies registry class
79. C:\Windows\SysWOW64\Hdkdeobf.exe (cmd: C:\Windows\system32\Hdkdeobf.exe), PID 560
80. C:\Windows\SysWOW64\Hgiqajaj.exe (cmd: C:\Windows\system32\Hgiqajaj.exe), PID 428
81. C:\Windows\SysWOW64\Hkemah32.exe (cmd: C:\Windows\system32\Hkemah32.exe), PID 908: Drops file in System32 directory; Modifies registry class
82. C:\Windows\SysWOW64\Hncind32.exe (cmd: C:\Windows\system32\Hncind32.exe), PID 2056: Drops file in System32 directory
83. C:\Windows\SysWOW64\Idmajnqd.exe (cmd: C:\Windows\system32\Idmajnqd.exe), PID 2064
84. C:\Windows\SysWOW64\Ikgighhq.exe (cmd: C:\Windows\system32\Ikgighhq.exe), PID 2072
85. C:\Windows\SysWOW64\Iqdboofh.exe (cmd: C:\Windows\system32\Iqdboofh.exe), PID 2080
86. C:\Windows\SysWOW64\Icbnkkel.exe (cmd: C:\Windows\system32\Icbnkkel.exe), PID 2088: Drops file in System32 directory
87. C:\Windows\SysWOW64\Ifajhfdp.exe (cmd: C:\Windows\system32\Ifajhfdp.exe), PID 2096
88. C:\Windows\SysWOW64\Imkbdp32.exe (cmd: C:\Windows\system32\Imkbdp32.exe), PID 2104
89. C:\Windows\SysWOW64\Jppeak32.exe (cmd: C:\Windows\system32\Jppeak32.exe), PID 2112
90. C:\Windows\SysWOW64\Jadnnbic.exe (cmd: C:\Windows\system32\Jadnnbic.exe), PID 2120
91. C:\Windows\SysWOW64\Jafkdb32.exe (cmd: C:\Windows\system32\Jafkdb32.exe), PID 2128
92. C:\Windows\SysWOW64\Jlloak32.exe (cmd: C:\Windows\system32\Jlloak32.exe), PID 2136
93. C:\Windows\SysWOW64\Jnjkmf32.exe (cmd: C:\Windows\system32\Jnjkmf32.exe), PID 2144
94. C:\Windows\SysWOW64\Jedcjqmg.exe (cmd: C:\Windows\system32\Jedcjqmg.exe), PID 2152
95. C:\Windows\SysWOW64\Jhbpfllk.exe (cmd: C:\Windows\system32\Jhbpfllk.exe), PID 2160
96. C:\Windows\SysWOW64\Khelll32.exe (cmd: C:\Windows\system32\Khelll32.exe), PID 2168
97. C:\Windows\SysWOW64\Kificdpf.exe (cmd: C:\Windows\system32\Kificdpf.exe), PID 2208
98. C:\Windows\SysWOW64\Kflfbh32.exe (cmd: C:\Windows\system32\Kflfbh32.exe), PID 2228: Modifies registry class
99. C:\Windows\SysWOW64\Kmfnoadj.exe (cmd: C:\Windows\system32\Kmfnoadj.exe), PID 2260
100. C:\Windows\SysWOW64\Kogkgj32.exe (cmd: C:\Windows\system32\Kogkgj32.exe), PID 2388
101. C:\Windows\SysWOW64\Lkcegj32.exe (cmd: C:\Windows\system32\Lkcegj32.exe), PID 2396
102. C:\Windows\SysWOW64\Laafodoo.exe (cmd: C:\Windows\system32\Laafodoo.exe), PID 2404
103. C:\Windows\SysWOW64\Ldpckonb.exe (cmd: C:\Windows\system32\Ldpckonb.exe), PID 2412
104. C:\Windows\SysWOW64\Mjaene32.exe (cmd: C:\Windows\system32\Mjaene32.exe), PID 2420
105. C:\Windows\SysWOW64\Mlpaja32.exe (cmd: C:\Windows\system32\Mlpaja32.exe), PID 2428
106. C:\Windows\SysWOW64\Nddheb32.exe (cmd: C:\Windows\system32\Nddheb32.exe), PID 2436
107. C:\Windows\SysWOW64\Ngceam32.exe (cmd: C:\Windows\system32\Ngceam32.exe), PID 2444
108. C:\Windows\SysWOW64\Ngeafmjj.exe (cmd: C:\Windows\system32\Ngeafmjj.exe), PID 2452
109. C:\Windows\SysWOW64\Nfhabj32.exe (cmd: C:\Windows\system32\Nfhabj32.exe), PID 2460
110. C:\Windows\SysWOW64\Nqnfob32.exe (cmd: C:\Windows\system32\Nqnfob32.exe), PID 2468
111. C:\Windows\SysWOW64\Nclbkn32.exe (cmd: C:\Windows\system32\Nclbkn32.exe), PID 2584
112. C:\Windows\SysWOW64\Omgcjc32.exe (cmd: C:\Windows\system32\Omgcjc32.exe), PID 2592: Adds autorun key to be loaded by Explorer.exe on startup
113. C:\Windows\SysWOW64\Ooepfo32.exe (cmd: C:\Windows\system32\Ooepfo32.exe), PID 2600
114. C:\Windows\SysWOW64\Ofohbijl.exe (cmd: C:\Windows\system32\Ofohbijl.exe), PID 2608
115. C:\Windows\SysWOW64\Obfhhj32.exe (cmd: C:\Windows\system32\Obfhhj32.exe), PID 2616
116. C:\Windows\SysWOW64\Ogeneple.exe (cmd: C:\Windows\system32\Ogeneple.exe), PID 2624
117. C:\Windows\SysWOW64\Ojcjalki.exe (cmd: C:\Windows\system32\Ojcjalki.exe), PID 2632
118. C:\Windows\SysWOW64\Omdccg32.exe (cmd: C:\Windows\system32\Omdccg32.exe), PID 2644
119. C:\Windows\SysWOW64\Aoheglnc.exe (cmd: C:\Windows\system32\Aoheglnc.exe), PID 2652: Drops file in System32 directory
120. C:\Windows\SysWOW64\Aafachmg.exe (cmd: C:\Windows\system32\Aafachmg.exe), PID 2728: Adds autorun key to be loaded by Explorer.exe on startup
121. C:\Windows\SysWOW64\Acmgfoop.exe (cmd: C:\Windows\system32\Acmgfoop.exe), PID 2736: Drops file in System32 directory
122. C:\Windows\SysWOW64\Aochkp32.exe (cmd: C:\Windows\system32\Aochkp32.exe), PID 2748