Analysis
-
max time kernel
120s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
08-03-2024 23:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ccdf4d063941c65f6800f54e92e81b4a5b56f8eabbecb12b9c3a14f8b54f2000.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
ccdf4d063941c65f6800f54e92e81b4a5b56f8eabbecb12b9c3a14f8b54f2000.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
ccdf4d063941c65f6800f54e92e81b4a5b56f8eabbecb12b9c3a14f8b54f2000.exe
-
Size
232KB
-
MD5
ebfb3e439f41c104a2e766e0a935c1e3
-
SHA1
7782ef5da85102f17f74a9be1984e82d8426a060
-
SHA256
ccdf4d063941c65f6800f54e92e81b4a5b56f8eabbecb12b9c3a14f8b54f2000
-
SHA512
1de8502ad3d49938644472a9a586f6661e699cd0d6d595c81fd7ed687d7c54231d318ea8699816657d19fe8ba8cbff0922ae68446e6c33c94506408f2b0c047f
-
SSDEEP
3072:yXkZy180sVt7nG8+V+07usluTXp6UF5wzec+tZOnU1/s5HH0AU/yRvS3u121Tzlz:MbcVt7nGX36s21L7/s50z/Wa3/PNlPX
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oihqgbhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocllehcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oifdbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlckbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klehgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khlili32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akcomepg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcgmoggn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Namclbil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmibgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldbofgme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlcibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckjamgmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpbdnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pojecajj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leopgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngealejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plgolf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bceibfgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhiei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opkccm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niedqnen.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmcmgm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooicid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdbdqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnfddp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gppipc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbhlek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfbbjpgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfoghakb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qppkfhlc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nemhhpmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqhfhigj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meffhnal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfokinhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khlili32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmibgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgcnghpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmbcen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngneph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gppipc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjeefofk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gehhmkko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pddnnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qinjgbpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibkkjp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npolmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cebeem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Femeig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmdmmalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlhjhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkjdndjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfmhdpnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meffhnal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmdkcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oihqgbhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkqqnq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmicfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nenkqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlpneh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obdojcef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmjbhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiecgjba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omcifpnp.exe -
Executes dropped EXE 64 IoCs
pid Process 2016 Cmjbhh32.exe 2728 Cpkkjc32.exe 2160 Ccigfn32.exe 2448 Chhldeho.exe 2420 Ddajoelp.exe 2984 Dknoaoaj.exe 1316 Egglkp32.exe 2308 Epoqde32.exe 2748 Ehmbng32.exe 2512 Efqbglen.exe 2624 Fjeefofk.exe 1652 Femeig32.exe 2628 Ffqofohj.exe 884 Gmmdiind.exe 1716 Gehhmkko.exe 2932 Gppipc32.exe 2280 Gligjd32.exe 944 Ihbqdh32.exe 1668 Jfcqgpfi.exe 1376 Jpiedieo.exe 1012 Jonbee32.exe 1528 Jcjnfdbp.exe 2172 Kfjggo32.exe 928 Kglcogeo.exe 2972 Knekla32.exe 2188 Khkpijma.exe 1232 Kbcdbp32.exe 1600 Kceqjhiq.exe 2272 Kmmebm32.exe 3040 Kcgmoggn.exe 2576 Lopkjhko.exe 2680 Lfjcfb32.exe 2564 Lmdkcl32.exe 2816 Leopgo32.exe 1612 Lmfhil32.exe 2104 Lbcpac32.exe 2468 Lpgajgeg.exe 2488 Ledibnco.exe 2404 Ljabkeaf.exe 676 Meffhnal.exe 2408 Mlpneh32.exe 1760 Mfjoeeeh.exe 1764 Mpbdnk32.exe 2492 Mabphn32.exe 1236 Mdpldi32.exe 284 Mimemp32.exe 2844 Mfaefd32.exe 1276 Nlnnnk32.exe 2248 Nefbga32.exe 2052 Nbjcqe32.exe 2936 Namclbil.exe 2304 Nkegeg32.exe 2196 Ndnlnm32.exe 1136 Nkhdkgnj.exe 1908 Nemhhpmp.exe 1800 Ngneph32.exe 1548 Ohnaik32.exe 1752 Ocgbji32.exe 1096 Ogcnkgoh.exe 1904 Opkccm32.exe 1988 Ogekpg32.exe 1444 Onocmadb.exe 2148 Ocllehcj.exe 2920 Oifdbb32.exe -
Loads dropped DLL 64 IoCs
pid Process 1332 ccdf4d063941c65f6800f54e92e81b4a5b56f8eabbecb12b9c3a14f8b54f2000.exe 1332 ccdf4d063941c65f6800f54e92e81b4a5b56f8eabbecb12b9c3a14f8b54f2000.exe 2016 Cmjbhh32.exe 2016 Cmjbhh32.exe 2728 Cpkkjc32.exe 2728 Cpkkjc32.exe 2160 Ccigfn32.exe 2160 Ccigfn32.exe 2448 Chhldeho.exe 2448 Chhldeho.exe 2420 Ddajoelp.exe 2420 Ddajoelp.exe 2984 Dknoaoaj.exe 2984 Dknoaoaj.exe 1316 Egglkp32.exe 1316 Egglkp32.exe 2308 Epoqde32.exe 2308 Epoqde32.exe 2748 Ehmbng32.exe 2748 Ehmbng32.exe 2512 Efqbglen.exe 2512 Efqbglen.exe 2624 Fjeefofk.exe 2624 Fjeefofk.exe 1652 Femeig32.exe 1652 Femeig32.exe 2628 Ffqofohj.exe 2628 Ffqofohj.exe 884 Gmmdiind.exe 884 Gmmdiind.exe 1716 Gehhmkko.exe 1716 Gehhmkko.exe 2932 Gppipc32.exe 2932 Gppipc32.exe 2280 Gligjd32.exe 2280 Gligjd32.exe 944 Ihbqdh32.exe 944 Ihbqdh32.exe 1668 Jfcqgpfi.exe 1668 Jfcqgpfi.exe 1376 Jpiedieo.exe 1376 Jpiedieo.exe 1012 Jonbee32.exe 1012 Jonbee32.exe 1528 Jcjnfdbp.exe 1528 Jcjnfdbp.exe 2172 Kfjggo32.exe 2172 Kfjggo32.exe 928 Kglcogeo.exe 928 Kglcogeo.exe 2972 Knekla32.exe 2972 Knekla32.exe 2188 Khkpijma.exe 2188 Khkpijma.exe 1232 Kbcdbp32.exe 1232 Kbcdbp32.exe 1600 Kceqjhiq.exe 1600 Kceqjhiq.exe 2272 Kmmebm32.exe 2272 Kmmebm32.exe 2228 Lmbonmll.exe 2228 Lmbonmll.exe 2576 Lopkjhko.exe 2576 Lopkjhko.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jcjnfdbp.exe Jonbee32.exe File created C:\Windows\SysWOW64\Jmobpj32.dll Namclbil.exe File opened for modification C:\Windows\SysWOW64\Jdhgnf32.exe Jjbbpmgo.exe File created C:\Windows\SysWOW64\Jpefpo32.dll Qpbglhjq.exe File opened for modification C:\Windows\SysWOW64\Kfjggo32.exe Jcjnfdbp.exe File created C:\Windows\SysWOW64\Ljabkeaf.exe Ledibnco.exe File created C:\Windows\SysWOW64\Iacpmi32.dll Opqoge32.exe File created C:\Windows\SysWOW64\Aaimopli.exe Aojabdlf.exe File created C:\Windows\SysWOW64\Apfhke32.dll Fjeefofk.exe File created C:\Windows\SysWOW64\Gppipc32.exe Gehhmkko.exe File opened for modification C:\Windows\SysWOW64\Mabphn32.exe Mpbdnk32.exe File opened for modification C:\Windows\SysWOW64\Aekqmbod.exe Aeidgbaf.exe File opened for modification C:\Windows\SysWOW64\Idcacc32.exe Iaeegh32.exe File created C:\Windows\SysWOW64\Nlnpgd32.exe Nfahomfd.exe File created C:\Windows\SysWOW64\Nfdkoc32.exe Nagbgl32.exe File created C:\Windows\SysWOW64\Pdlmgo32.dll Mikjpiim.exe File opened for modification C:\Windows\SysWOW64\Omnipjni.exe Omklkkpl.exe File opened for modification C:\Windows\SysWOW64\Boogmgkl.exe Bqlfaj32.exe File created C:\Windows\SysWOW64\Dbjdoj32.dll Nbjcqe32.exe File created C:\Windows\SysWOW64\Bmibgd32.exe Akhfoldn.exe File opened for modification C:\Windows\SysWOW64\Hjfcpo32.exe Hdlkcdog.exe File opened for modification C:\Windows\SysWOW64\Oiffkkbk.exe Ooabmbbe.exe File opened for modification C:\Windows\SysWOW64\Olmcchlg.exe Obdojcef.exe File created C:\Windows\SysWOW64\Bnknoogp.exe Bceibfgj.exe File created C:\Windows\SysWOW64\Cgaaah32.exe Cebeem32.exe File opened for modification C:\Windows\SysWOW64\Nkegeg32.exe Namclbil.exe File created C:\Windows\SysWOW64\Hpdqdddf.dll Jdhgnf32.exe File created C:\Windows\SysWOW64\Olmcchlg.exe Obdojcef.exe File created C:\Windows\SysWOW64\Qjeeidhg.dll Oplelf32.exe File opened for modification C:\Windows\SysWOW64\Pgfjhcge.exe Pojecajj.exe File created C:\Windows\SysWOW64\Lhmlombo.dll Ajhiei32.exe File created C:\Windows\SysWOW64\Jgdfdbhk.exe Jagnlkjd.exe File opened for modification C:\Windows\SysWOW64\Phqmgg32.exe Pafdjmkq.exe File created C:\Windows\SysWOW64\Pidfdofi.exe Pgfjhcge.exe File created C:\Windows\SysWOW64\Ikcljcke.dll Bagkmb32.exe File created C:\Windows\SysWOW64\Hcelfiph.dll Mqpflg32.exe File created C:\Windows\SysWOW64\Pmdmmalf.exe Pggdejno.exe File opened for modification C:\Windows\SysWOW64\Lfpeeqig.exe Lcaiiejc.exe File created C:\Windows\SysWOW64\Lhnkffeo.exe Ldbofgme.exe File created C:\Windows\SysWOW64\Qppkfhlc.exe Pkcbnanl.exe File created C:\Windows\SysWOW64\Khoebi32.exe Khlili32.exe File opened for modification C:\Windows\SysWOW64\Mnomjl32.exe Mkqqnq32.exe File opened for modification C:\Windows\SysWOW64\Ahbekjcf.exe Aaimopli.exe File opened for modification C:\Windows\SysWOW64\Akcomepg.exe Ahbekjcf.exe File opened for modification C:\Windows\SysWOW64\Qfmafg32.exe Pdldnomh.exe File created C:\Windows\SysWOW64\Ilofhffj.exe Iipiljgf.exe File opened for modification C:\Windows\SysWOW64\Oeehln32.exe Ookpodkj.exe File created C:\Windows\SysWOW64\Nefbga32.exe Nlnnnk32.exe File created C:\Windows\SysWOW64\Nllcmj32.dll Nfnneb32.exe File created C:\Windows\SysWOW64\Pdbdqh32.exe Pbagipfi.exe File opened for modification C:\Windows\SysWOW64\Mdpldi32.exe Mabphn32.exe File created C:\Windows\SysWOW64\Oeindm32.exe Oplelf32.exe File opened for modification C:\Windows\SysWOW64\Fjeefofk.exe Efqbglen.exe File created C:\Windows\SysWOW64\Oeiligca.dll Nefbga32.exe File opened for modification C:\Windows\SysWOW64\Bmnnkl32.exe Bnknoogp.exe File created C:\Windows\SysWOW64\Bbpiog32.dll Hhjcic32.exe File created C:\Windows\SysWOW64\Qcogbdkg.exe Qppkfhlc.exe File opened for modification C:\Windows\SysWOW64\Aojabdlf.exe Aebmjo32.exe File created C:\Windows\SysWOW64\Bkegah32.exe Bbmcibjp.exe File created C:\Windows\SysWOW64\Ciohdhad.dll Cnmfdb32.exe File opened for modification C:\Windows\SysWOW64\Nbjcqe32.exe Nefbga32.exe File opened for modification C:\Windows\SysWOW64\Akhfoldn.exe Aboaff32.exe File created C:\Windows\SysWOW64\Hnpbjnpo.exe Hlafnbal.exe File opened for modification C:\Windows\SysWOW64\Qppkfhlc.exe Pkcbnanl.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\system32†Daplkmbg.¿xe Dpapaj32.exe File opened for modification C:\Windows\system32†Daplkmbg.¿xe Dpapaj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3976 2428 WerFault.exe 305 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihfeaiog.dll" Jonbee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdpkmjnb.dll" Bmnnkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlafnbal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doadcepg.dll" Nlnpgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gligjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Leopgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nagbgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aejonffm.dll" Gehhmkko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kceqjhiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfcaiilc.dll" Jjdofm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkmjncbj.dll" Niedqnen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okgjodmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efqbglen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjnbeb32.dll" Ihbqdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpbdnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbnpkmfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apqcdckf.dll" Pohhna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqhfhigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggogki32.dll" Obdojcef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdqdddf.dll" Jdhgnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nagbgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Femeig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oiffkkbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phqmgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbmcibjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfaefd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bagkmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ciihklpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdakniag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcjnfdbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gomlpk32.dll" Qfmafg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncakm32.dll" Pojecajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lainhkdi.dll" Ngneph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilofhffj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkclcjqj.dll" Nlefhcnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adnpkjde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iffjegma.dll" Onocmadb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfmhdpnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjbmelgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nenkqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khoebi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqhfhigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meekooeb.dll" Qoeeolig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkqqnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfjann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhcmgmam.dll" Nbmaon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chiimh32.dll" Meffhnal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akncimmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilofhffj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qifmdk32.dll" Pnmcfeia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbaocobg.dll" Pdgkco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbmkli32.dll" Qmgibqjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkojbh32.dll" Ogekpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjghm32.dll" Iipiljgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipokcdjn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mabphn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khoebi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elooehob.dll" Kcdjoaee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfnneb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgkenb32.dll" Ookpodkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnfddp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giddhc32.dll" Odchbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnmcfeia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllbljej.dll" Hnpbjnpo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1332 wrote to memory of 2016 1332 ccdf4d063941c65f6800f54e92e81b4a5b56f8eabbecb12b9c3a14f8b54f2000.exe 28 PID 1332 wrote to memory of 2016 1332 ccdf4d063941c65f6800f54e92e81b4a5b56f8eabbecb12b9c3a14f8b54f2000.exe 28 PID 1332 wrote to memory of 2016 1332 ccdf4d063941c65f6800f54e92e81b4a5b56f8eabbecb12b9c3a14f8b54f2000.exe 28 PID 1332 wrote to memory of 2016 1332 ccdf4d063941c65f6800f54e92e81b4a5b56f8eabbecb12b9c3a14f8b54f2000.exe 28 PID 2016 wrote to memory of 2728 2016 Cmjbhh32.exe 29 PID 2016 wrote to memory of 2728 2016 Cmjbhh32.exe 29 PID 2016 wrote to memory of 2728 2016 Cmjbhh32.exe 29 PID 2016 wrote to memory of 2728 2016 Cmjbhh32.exe 29 PID 2728 wrote to memory of 2160 2728 Cpkkjc32.exe 30 PID 2728 wrote to memory of 2160 2728 Cpkkjc32.exe 30 PID 2728 wrote to memory of 2160 2728 Cpkkjc32.exe 30 PID 2728 wrote to memory of 2160 2728 Cpkkjc32.exe 30 PID 2160 wrote to memory of 2448 2160 Ccigfn32.exe 31 PID 2160 wrote to memory of 2448 2160 Ccigfn32.exe 31 PID 2160 wrote to memory of 2448 2160 Ccigfn32.exe 31 PID 2160 wrote to memory of 2448 2160 Ccigfn32.exe 31 PID 2448 wrote to memory of 2420 2448 Chhldeho.exe 32 PID 2448 wrote to memory of 2420 2448 Chhldeho.exe 32 PID 2448 wrote to memory of 2420 2448 Chhldeho.exe 32 PID 2448 wrote to memory of 2420 2448 Chhldeho.exe 32 PID 2420 wrote to memory of 2984 2420 Ddajoelp.exe 33 PID 2420 wrote to memory of 2984 2420 Ddajoelp.exe 33 PID 2420 wrote to memory of 2984 2420 Ddajoelp.exe 33 PID 2420 wrote to memory of 2984 2420 Ddajoelp.exe 33 PID 2984 wrote to memory of 1316 2984 Dknoaoaj.exe 34 PID 2984 wrote to memory of 1316 2984 Dknoaoaj.exe 34 PID 2984 wrote to memory of 1316 2984 Dknoaoaj.exe 34 PID 2984 wrote to memory of 1316 2984 Dknoaoaj.exe 34 PID 1316 wrote to memory of 2308 1316 Egglkp32.exe 35 PID 1316 wrote to memory of 2308 1316 Egglkp32.exe 35 PID 1316 wrote to memory of 2308 1316 Egglkp32.exe 35 PID 1316 wrote to memory of 2308 1316 Egglkp32.exe 35 PID 2308 wrote to memory of 2748 2308 Epoqde32.exe 36 PID 2308 wrote to memory of 2748 2308 Epoqde32.exe 36 PID 2308 wrote to memory of 2748 2308 Epoqde32.exe 36 PID 2308 wrote to memory of 2748 2308 Epoqde32.exe 36 PID 2748 wrote to memory of 2512 2748 Ehmbng32.exe 37 PID 2748 wrote to memory of 2512 2748 Ehmbng32.exe 37 PID 2748 wrote to memory of 2512 2748 Ehmbng32.exe 37 PID 2748 wrote to memory of 2512 2748 Ehmbng32.exe 37 PID 2512 wrote to memory of 2624 2512 Efqbglen.exe 38 PID 2512 wrote to memory of 2624 2512 Efqbglen.exe 38 PID 2512 wrote to memory of 2624 2512 Efqbglen.exe 38 PID 2512 wrote to memory of 2624 2512 Efqbglen.exe 38 PID 2624 wrote to memory of 1652 2624 Fjeefofk.exe 39 PID 2624 wrote to memory of 1652 2624 Fjeefofk.exe 39 PID 2624 wrote to memory of 1652 2624 Fjeefofk.exe 39 PID 2624 wrote to memory of 1652 2624 Fjeefofk.exe 39 PID 1652 wrote to memory of 2628 1652 Femeig32.exe 40 PID 1652 wrote to memory of 2628 1652 Femeig32.exe 40 PID 1652 wrote to memory of 2628 1652 Femeig32.exe 40 PID 1652 wrote to memory of 2628 1652 Femeig32.exe 40 PID 2628 wrote to memory of 884 2628 Ffqofohj.exe 41 PID 2628 wrote to memory of 884 2628 Ffqofohj.exe 41 PID 2628 wrote to memory of 884 2628 Ffqofohj.exe 41 PID 2628 wrote to memory of 884 2628 Ffqofohj.exe 41 PID 884 wrote to memory of 1716 884 Gmmdiind.exe 42 PID 884 wrote to memory of 1716 884 Gmmdiind.exe 42 PID 884 wrote to memory of 1716 884 Gmmdiind.exe 42 PID 884 wrote to memory of 1716 884 Gmmdiind.exe 42 PID 1716 wrote to memory of 2932 1716 Gehhmkko.exe 43 PID 1716 wrote to memory of 2932 1716 Gehhmkko.exe 43 PID 1716 wrote to memory of 2932 1716 Gehhmkko.exe 43 PID 1716 wrote to memory of 2932 1716 Gehhmkko.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\ccdf4d063941c65f6800f54e92e81b4a5b56f8eabbecb12b9c3a14f8b54f2000.exe"C:\Users\Admin\AppData\Local\Temp\ccdf4d063941c65f6800f54e92e81b4a5b56f8eabbecb12b9c3a14f8b54f2000.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Cmjbhh32.exeC:\Windows\system32\Cmjbhh32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Cpkkjc32.exeC:\Windows\system32\Cpkkjc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Ccigfn32.exeC:\Windows\system32\Ccigfn32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Chhldeho.exeC:\Windows\system32\Chhldeho.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Ddajoelp.exeC:\Windows\system32\Ddajoelp.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Dknoaoaj.exeC:\Windows\system32\Dknoaoaj.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Egglkp32.exeC:\Windows\system32\Egglkp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\Epoqde32.exeC:\Windows\system32\Epoqde32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Ehmbng32.exeC:\Windows\system32\Ehmbng32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Efqbglen.exeC:\Windows\system32\Efqbglen.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Fjeefofk.exeC:\Windows\system32\Fjeefofk.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Femeig32.exeC:\Windows\system32\Femeig32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Ffqofohj.exeC:\Windows\system32\Ffqofohj.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Gmmdiind.exeC:\Windows\system32\Gmmdiind.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\SysWOW64\Gehhmkko.exeC:\Windows\system32\Gehhmkko.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Gppipc32.exeC:\Windows\system32\Gppipc32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
C:\Windows\SysWOW64\Gligjd32.exeC:\Windows\system32\Gligjd32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Ihbqdh32.exeC:\Windows\system32\Ihbqdh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:944 -
C:\Windows\SysWOW64\Jfcqgpfi.exeC:\Windows\system32\Jfcqgpfi.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Windows\SysWOW64\Jpiedieo.exeC:\Windows\system32\Jpiedieo.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1376 -
C:\Windows\SysWOW64\Jonbee32.exeC:\Windows\system32\Jonbee32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1012 -
C:\Windows\SysWOW64\Jcjnfdbp.exeC:\Windows\system32\Jcjnfdbp.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Kfjggo32.exeC:\Windows\system32\Kfjggo32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2172 -
C:\Windows\SysWOW64\Kglcogeo.exeC:\Windows\system32\Kglcogeo.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:928 -
C:\Windows\SysWOW64\Knekla32.exeC:\Windows\system32\Knekla32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2972 -
C:\Windows\SysWOW64\Khkpijma.exeC:\Windows\system32\Khkpijma.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Kbcdbp32.exeC:\Windows\system32\Kbcdbp32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1232 -
C:\Windows\SysWOW64\Kceqjhiq.exeC:\Windows\system32\Kceqjhiq.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Kmmebm32.exeC:\Windows\system32\Kmmebm32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Kcgmoggn.exeC:\Windows\system32\Kcgmoggn.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Lmbonmll.exeC:\Windows\system32\Lmbonmll.exe32⤵
- Loads dropped DLL
PID:2228 -
C:\Windows\SysWOW64\Lopkjhko.exeC:\Windows\system32\Lopkjhko.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Lfjcfb32.exeC:\Windows\system32\Lfjcfb32.exe34⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Lmdkcl32.exeC:\Windows\system32\Lmdkcl32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Leopgo32.exeC:\Windows\system32\Leopgo32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Lmfhil32.exeC:\Windows\system32\Lmfhil32.exe37⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Lbcpac32.exeC:\Windows\system32\Lbcpac32.exe38⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Lpgajgeg.exeC:\Windows\system32\Lpgajgeg.exe39⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Ledibnco.exeC:\Windows\system32\Ledibnco.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2488 -
C:\Windows\SysWOW64\Ljabkeaf.exeC:\Windows\system32\Ljabkeaf.exe41⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Meffhnal.exeC:\Windows\system32\Meffhnal.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:676 -
C:\Windows\SysWOW64\Mlpneh32.exeC:\Windows\system32\Mlpneh32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Mfjoeeeh.exeC:\Windows\system32\Mfjoeeeh.exe44⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Mpbdnk32.exeC:\Windows\system32\Mpbdnk32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1764 -
C:\Windows\SysWOW64\Mabphn32.exeC:\Windows\system32\Mabphn32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Mdpldi32.exeC:\Windows\system32\Mdpldi32.exe47⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Mimemp32.exeC:\Windows\system32\Mimemp32.exe48⤵
- Executes dropped EXE
PID:284 -
C:\Windows\SysWOW64\Mfaefd32.exeC:\Windows\system32\Mfaefd32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Nlnnnk32.exeC:\Windows\system32\Nlnnnk32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1276 -
C:\Windows\SysWOW64\Nefbga32.exeC:\Windows\system32\Nefbga32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2248 -
C:\Windows\SysWOW64\Nbjcqe32.exeC:\Windows\system32\Nbjcqe32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2052 -
C:\Windows\SysWOW64\Namclbil.exeC:\Windows\system32\Namclbil.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Nkegeg32.exeC:\Windows\system32\Nkegeg32.exe54⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Ndnlnm32.exeC:\Windows\system32\Ndnlnm32.exe55⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Nkhdkgnj.exeC:\Windows\system32\Nkhdkgnj.exe56⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Nemhhpmp.exeC:\Windows\system32\Nemhhpmp.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Ngneph32.exeC:\Windows\system32\Ngneph32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Ohnaik32.exeC:\Windows\system32\Ohnaik32.exe59⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Ocgbji32.exeC:\Windows\system32\Ocgbji32.exe60⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Ogcnkgoh.exeC:\Windows\system32\Ogcnkgoh.exe61⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Opkccm32.exeC:\Windows\system32\Opkccm32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Ogekpg32.exeC:\Windows\system32\Ogekpg32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Onocmadb.exeC:\Windows\system32\Onocmadb.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1444 -
C:\Windows\SysWOW64\Ocllehcj.exeC:\Windows\system32\Ocllehcj.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Oifdbb32.exeC:\Windows\system32\Oifdbb32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Ooclji32.exeC:\Windows\system32\Ooclji32.exe67⤵PID:2812
-
C:\Windows\SysWOW64\Oihqgbhd.exeC:\Windows\system32\Oihqgbhd.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2604 -
C:\Windows\SysWOW64\Olgmcmgh.exeC:\Windows\system32\Olgmcmgh.exe69⤵PID:2456
-
C:\Windows\SysWOW64\Padeldeo.exeC:\Windows\system32\Padeldeo.exe70⤵PID:2980
-
C:\Windows\SysWOW64\Pkljdj32.exeC:\Windows\system32\Pkljdj32.exe71⤵PID:2464
-
C:\Windows\SysWOW64\Pddnnp32.exeC:\Windows\system32\Pddnnp32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1836 -
C:\Windows\SysWOW64\Pgckjk32.exeC:\Windows\system32\Pgckjk32.exe73⤵PID:2636
-
C:\Windows\SysWOW64\Pnmcfeia.exeC:\Windows\system32\Pnmcfeia.exe74⤵
- Modifies registry class
PID:268 -
C:\Windows\SysWOW64\Pdgkco32.exeC:\Windows\system32\Pdgkco32.exe75⤵
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Pnopldgn.exeC:\Windows\system32\Pnopldgn.exe76⤵PID:1736
-
C:\Windows\SysWOW64\Pqnlhpfb.exeC:\Windows\system32\Pqnlhpfb.exe77⤵PID:2648
-
C:\Windows\SysWOW64\Pggdejno.exeC:\Windows\system32\Pggdejno.exe78⤵
- Drops file in System32 directory
PID:836 -
C:\Windows\SysWOW64\Pmdmmalf.exeC:\Windows\system32\Pmdmmalf.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2796 -
C:\Windows\SysWOW64\Pdldnomh.exeC:\Windows\system32\Pdldnomh.exe80⤵
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Qfmafg32.exeC:\Windows\system32\Qfmafg32.exe81⤵
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Qmgibqjc.exeC:\Windows\system32\Qmgibqjc.exe82⤵
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Qoeeolig.exeC:\Windows\system32\Qoeeolig.exe83⤵
- Modifies registry class
PID:1064 -
C:\Windows\SysWOW64\Qglmpi32.exeC:\Windows\system32\Qglmpi32.exe84⤵PID:1480
-
C:\Windows\SysWOW64\Qinjgbpg.exeC:\Windows\system32\Qinjgbpg.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3064 -
C:\Windows\SysWOW64\Qqdbiopj.exeC:\Windows\system32\Qqdbiopj.exe86⤵PID:2380
-
C:\Windows\SysWOW64\Akncimmh.exeC:\Windows\system32\Akncimmh.exe87⤵
- Modifies registry class
PID:936 -
C:\Windows\SysWOW64\Afdgfelo.exeC:\Windows\system32\Afdgfelo.exe88⤵PID:940
-
C:\Windows\SysWOW64\Aibcba32.exeC:\Windows\system32\Aibcba32.exe89⤵PID:2036
-
C:\Windows\SysWOW64\Aollokco.exeC:\Windows\system32\Aollokco.exe90⤵PID:1916
-
C:\Windows\SysWOW64\Aeidgbaf.exeC:\Windows\system32\Aeidgbaf.exe91⤵
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Aekqmbod.exeC:\Windows\system32\Aekqmbod.exe92⤵PID:2656
-
C:\Windows\SysWOW64\Ajhiei32.exeC:\Windows\system32\Ajhiei32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Aboaff32.exeC:\Windows\system32\Aboaff32.exe94⤵
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Akhfoldn.exeC:\Windows\system32\Akhfoldn.exe95⤵
- Drops file in System32 directory
PID:1584 -
C:\Windows\SysWOW64\Bmibgd32.exeC:\Windows\system32\Bmibgd32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2560 -
C:\Windows\SysWOW64\Bgnfdm32.exeC:\Windows\system32\Bgnfdm32.exe97⤵PID:2484
-
C:\Windows\SysWOW64\Bagkmb32.exeC:\Windows\system32\Bagkmb32.exe98⤵
- Drops file in System32 directory
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Fbbofjnh.exeC:\Windows\system32\Fbbofjnh.exe99⤵PID:112
-
C:\Windows\SysWOW64\Fgadda32.exeC:\Windows\system32\Fgadda32.exe100⤵PID:2600
-
C:\Windows\SysWOW64\Gcheib32.exeC:\Windows\system32\Gcheib32.exe101⤵PID:2784
-
C:\Windows\SysWOW64\Gjbmelgm.exeC:\Windows\system32\Gjbmelgm.exe102⤵
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe103⤵PID:1432
-
C:\Windows\SysWOW64\Hegnahjo.exeC:\Windows\system32\Hegnahjo.exe104⤵PID:2112
-
C:\Windows\SysWOW64\Hlafnbal.exeC:\Windows\system32\Hlafnbal.exe105⤵
- Drops file in System32 directory
- Modifies registry class
PID:2208 -
C:\Windows\SysWOW64\Hnpbjnpo.exeC:\Windows\system32\Hnpbjnpo.exe106⤵
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Hdlkcdog.exeC:\Windows\system32\Hdlkcdog.exe107⤵
- Drops file in System32 directory
PID:828 -
C:\Windows\SysWOW64\Hjfcpo32.exeC:\Windows\system32\Hjfcpo32.exe108⤵PID:2960
-
C:\Windows\SysWOW64\Hmeolj32.exeC:\Windows\system32\Hmeolj32.exe109⤵PID:1052
-
C:\Windows\SysWOW64\Hhjcic32.exeC:\Windows\system32\Hhjcic32.exe110⤵
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Hjipenda.exeC:\Windows\system32\Hjipenda.exe111⤵PID:1964
-
C:\Windows\SysWOW64\Ipehmebh.exeC:\Windows\system32\Ipehmebh.exe112⤵PID:1976
-
C:\Windows\SysWOW64\Ifoqjo32.exeC:\Windows\system32\Ifoqjo32.exe113⤵PID:768
-
C:\Windows\SysWOW64\Iinmfk32.exeC:\Windows\system32\Iinmfk32.exe114⤵PID:864
-
C:\Windows\SysWOW64\Iaeegh32.exeC:\Windows\system32\Iaeegh32.exe115⤵
- Drops file in System32 directory
PID:2024 -
C:\Windows\SysWOW64\Idcacc32.exeC:\Windows\system32\Idcacc32.exe116⤵PID:2596
-
C:\Windows\SysWOW64\Iipiljgf.exeC:\Windows\system32\Iipiljgf.exe117⤵
- Drops file in System32 directory
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Ilofhffj.exeC:\Windows\system32\Ilofhffj.exe118⤵
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe119⤵PID:1448
-
C:\Windows\SysWOW64\Ibkkjp32.exeC:\Windows\system32\Ibkkjp32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2772 -
C:\Windows\SysWOW64\Ifffkncm.exeC:\Windows\system32\Ifffkncm.exe121⤵PID:2644
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-