Analysis
max time kernel: 195s
max time network: 159s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19/03/2024, 20:46
Static task: static1
Behavioral task: behavioral1
  Sample: 61f6e221f355707604e7e36634a3bba27386cdc28839ee04bd968de668d39f37.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 61f6e221f355707604e7e36634a3bba27386cdc28839ee04bd968de668d39f37.exe
  Resource: win10v2004-20240226-en
General
Target: 61f6e221f355707604e7e36634a3bba27386cdc28839ee04bd968de668d39f37.exe
Size: 312KB
MD5: 170554d6b4bfa363a65ab745e86da295
SHA1: d396f3265712dca21bc0443e8beabd678d37b842
SHA256: 61f6e221f355707604e7e36634a3bba27386cdc28839ee04bd968de668d39f37
SHA512: b142bb79b44c23a83496a796334bf27b310ea815ff613c469bf6f4310250cca0360dc12ad7081f72322ecdbfef70baee2957d2f0eea35da895a5f9f7c4d45da4
SSDEEP: 6144:0ZOPXuapoaCPXbo92ynnZlVrtv35CPXbo92ynn8sbeWDSf:fuqFHRFbev
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jmcbio32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cckhlhcj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mkggkphi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lnmfpnqn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pkboiamh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iaqnbb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fhkffl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhaami32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kaieai32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gfkagc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Niangl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmldajml.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Loiqephm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Leallkbl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kamncagl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cecnflpd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ickacb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gqajfmpb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mfoqephq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cgpnlgak.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjpgnbol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fcnmne32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jmfoon32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pigkjmap.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cbebjpaa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Igacia32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jkpilg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jqmadn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckjqog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Afbbiafj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Daoeeo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fhmblljb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ikplopnp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdincdcl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llpajmkq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Anbcio32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pijhompm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cflanc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Igacia32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eclqhfpp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Igdpoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lhegcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pdmpgfae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bickkl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dbeqalkp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fjbdmbmb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Daoeeo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fogkhf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jqjdon32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfnncb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pljnmkoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qcgfcbbh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gjjoob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Habnkkld.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oemhjlha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ojdlkp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohgnoeii.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Anepooja.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mlkegimk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kcmfeldm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mknaahhn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Llkdieii.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Onjianec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Olehbh32.exe
Executes dropped EXE (64 IoCs)

pid | Process
3012 | Oemhjlha.exe
2336 | Lnambeed.exe
2772 | Empphi32.exe
2668 | Ijphqbpo.exe
2884 | Kaieai32.exe
1940 | Kdincdcl.exe
1488 | Kldchgag.exe
1096 | Lnmfpnqn.exe
2304 | Lnobfn32.exe
2264 | Lhegcg32.exe
1248 | Mfoqephq.exe
1864 | Mgomoboc.exe
968 | Mlkegimk.exe
1584 | Mnakjaoc.exe
1968 | Nbaafocg.exe
1044 | Nnknqpgi.exe
748 | Ojdlkp32.exe
1448 | Olehbh32.exe
2556 | Olokighn.exe
1752 | Pdjpmi32.exe
2452 | Pljnmkoo.exe
2484 | Plljbkml.exe
1548 | Phckglbq.exe
1996 | Ahjahk32.exe
2992 | Dbadcdgp.exe
396 | Kjalch32.exe
2820 | Ohgnoeii.exe
2744 | Fajpdmgb.exe
2756 | Fjbdmbmb.exe
2044 | Fjdqbbkp.exe
2860 | Gfkagc32.exe
1196 | Geehcoaf.exe
1536 | Gbihmcqp.exe
1072 | Hobfgcdb.exe
2024 | Hgnjlfam.exe
2384 | Hpfoekhm.exe
1288 | Hincna32.exe
2284 | Iomhkgkb.exe
1232 | Iegaha32.exe
2216 | Ickaaf32.exe
1632 | Ihhjjm32.exe
2348 | Iaqnbb32.exe
680 | Ilfbpk32.exe
1672 | Idagdm32.exe
2108 | Ikkoagjo.exe
1896 | Ibehna32.exe
240 | Jqjdon32.exe
2812 | Jkpilg32.exe
2608 | Jqmadn32.exe
1700 | Jfijmdbh.exe
1712 | Jcmjfiab.exe
3004 | Jmfoon32.exe
932 | Jmhkdnfp.exe
2480 | Kbedmedg.exe
2072 | Knldaf32.exe
2828 | Kiaiooja.exe
2864 | Kamncagl.exe
2660 | Kkbbqjgb.exe
2340 | Kaojiqej.exe
1084 | Kcmfeldm.exe
2332 | Kaagnp32.exe
1656 | Lpiqel32.exe
1344 | Lfbibfmi.exe
1728 | Llpajmkq.exe
Loads dropped DLL (64 IoCs)

Each process appears twice, once per DLL-load event recorded for it.

pid | Process
2432 | 61f6e221f355707604e7e36634a3bba27386cdc28839ee04bd968de668d39f37.exe
2432 | 61f6e221f355707604e7e36634a3bba27386cdc28839ee04bd968de668d39f37.exe
3012 | Oemhjlha.exe
3012 | Oemhjlha.exe
2336 | Lnambeed.exe
2336 | Lnambeed.exe
2772 | Empphi32.exe
2772 | Empphi32.exe
2668 | Ijphqbpo.exe
2668 | Ijphqbpo.exe
2884 | Kaieai32.exe
2884 | Kaieai32.exe
1940 | Kdincdcl.exe
1940 | Kdincdcl.exe
1488 | Kldchgag.exe
1488 | Kldchgag.exe
1096 | Lnmfpnqn.exe
1096 | Lnmfpnqn.exe
2304 | Lnobfn32.exe
2304 | Lnobfn32.exe
2264 | Lhegcg32.exe
2264 | Lhegcg32.exe
1248 | Mfoqephq.exe
1248 | Mfoqephq.exe
1864 | Mgomoboc.exe
1864 | Mgomoboc.exe
968 | Mlkegimk.exe
968 | Mlkegimk.exe
1584 | Mnakjaoc.exe
1584 | Mnakjaoc.exe
1968 | Nbaafocg.exe
1968 | Nbaafocg.exe
1044 | Nnknqpgi.exe
1044 | Nnknqpgi.exe
748 | Ojdlkp32.exe
748 | Ojdlkp32.exe
1448 | Olehbh32.exe
1448 | Olehbh32.exe
2556 | Olokighn.exe
2556 | Olokighn.exe
1752 | Pdjpmi32.exe
1752 | Pdjpmi32.exe
2452 | Pljnmkoo.exe
2452 | Pljnmkoo.exe
2484 | Plljbkml.exe
2484 | Plljbkml.exe
1548 | Phckglbq.exe
1548 | Phckglbq.exe
1996 | Ahjahk32.exe
1996 | Ahjahk32.exe
2992 | Dbadcdgp.exe
2992 | Dbadcdgp.exe
396 | Kjalch32.exe
396 | Kjalch32.exe
2820 | Ohgnoeii.exe
2820 | Ohgnoeii.exe
2744 | Fajpdmgb.exe
2744 | Fajpdmgb.exe
2756 | Fjbdmbmb.exe
2756 | Fjbdmbmb.exe
2044 | Fjdqbbkp.exe
2044 | Fjdqbbkp.exe
2860 | Gfkagc32.exe
2860 | Gfkagc32.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\Jhckimed.dll | Phckglbq.exe
File created | C:\Windows\SysWOW64\Pmbaklha.dll | Cjpgnbol.exe
File opened for modification | C:\Windows\SysWOW64\Gmfnen32.exe | Gcnjmi32.exe
File created | C:\Windows\SysWOW64\Ikplopnp.exe | Igdpoa32.exe
File created | C:\Windows\SysWOW64\Mnakjaoc.exe | Mlkegimk.exe
File opened for modification | C:\Windows\SysWOW64\Fjbdmbmb.exe | Fajpdmgb.exe
File created | C:\Windows\SysWOW64\Egcjkjmo.dll | Hincna32.exe
File opened for modification | C:\Windows\SysWOW64\Knldaf32.exe | Kbedmedg.exe
File created | C:\Windows\SysWOW64\Pidnhdck.dll | Lpiqel32.exe
File opened for modification | C:\Windows\SysWOW64\Pdhflg32.exe | Kfiajj32.exe
File created | C:\Windows\SysWOW64\Dhfpljnn.exe | Ddkdkk32.exe
File opened for modification | C:\Windows\SysWOW64\Fhkffl32.exe | Fcnmne32.exe
File opened for modification | C:\Windows\SysWOW64\Gbecce32.exe | Ghmokomm.exe
File created | C:\Windows\SysWOW64\Hogdmb32.dll | Ickacb32.exe
File opened for modification | C:\Windows\SysWOW64\Jialbh32.exe | Jcddja32.exe
File opened for modification | C:\Windows\SysWOW64\Lnobfn32.exe | Lnmfpnqn.exe
File opened for modification | C:\Windows\SysWOW64\Ibehna32.exe | Ikkoagjo.exe
File created | C:\Windows\SysWOW64\Lpiqel32.exe | Kaagnp32.exe
File opened for modification | C:\Windows\SysWOW64\Mlidplcf.exe | Mbqpgf32.exe
File created | C:\Windows\SysWOW64\Angohn32.dll | Jqmadn32.exe
File opened for modification | C:\Windows\SysWOW64\Bfgkdp32.exe | Bomcgfjh.exe
File opened for modification | C:\Windows\SysWOW64\Ddkdkk32.exe | Donlcdgn.exe
File opened for modification | C:\Windows\SysWOW64\Mahinb32.exe | Mknaahhn.exe
File created | C:\Windows\SysWOW64\Mgebfi32.exe | Mahinb32.exe
File created | C:\Windows\SysWOW64\Lcadcmef.dll | Ifqgaibk.exe
File opened for modification | C:\Windows\SysWOW64\Jfijmdbh.exe | Jqmadn32.exe
File created | C:\Windows\SysWOW64\Jialbh32.exe | Jcddja32.exe
File created | C:\Windows\SysWOW64\Ijphqbpo.exe | Empphi32.exe
File created | C:\Windows\SysWOW64\Mgomoboc.exe | Mfoqephq.exe
File created | C:\Windows\SysWOW64\Jmhkdnfp.exe | Jmfoon32.exe
File opened for modification | C:\Windows\SysWOW64\Kbedmedg.exe | Jmhkdnfp.exe
File opened for modification | C:\Windows\SysWOW64\Lfbibfmi.exe | Lpiqel32.exe
File created | C:\Windows\SysWOW64\Immhck32.dll | Pigkjmap.exe
File created | C:\Windows\SysWOW64\Gcnjmi32.exe | Fgbpmh32.exe
File created | C:\Windows\SysWOW64\Bjjmbe32.dll | Fgbpmh32.exe
File created | C:\Windows\SysWOW64\Gjjoob32.exe | Gqajfmpb.exe
File created | C:\Windows\SysWOW64\Hhmfhe32.exe | Habnkkld.exe
File created | C:\Windows\SysWOW64\Mmfdna32.dll | Mgnhpanm.exe
File created | C:\Windows\SysWOW64\Onjianec.exe | Ngpadd32.exe
File created | C:\Windows\SysWOW64\Iaakko32.dll | Onjianec.exe
File opened for modification | C:\Windows\SysWOW64\Gfkagc32.exe | Fjdqbbkp.exe
File opened for modification | C:\Windows\SysWOW64\Habnkkld.exe | Gkkfem32.exe
File opened for modification | C:\Windows\SysWOW64\Mfoqephq.exe | Lhegcg32.exe
File opened for modification | C:\Windows\SysWOW64\Fajpdmgb.exe | Ohgnoeii.exe
File created | C:\Windows\SysWOW64\Mahinb32.exe | Mknaahhn.exe
File created | C:\Windows\SysWOW64\Ibolep32.dll | Daoeeo32.exe
File created | C:\Windows\SysWOW64\Bkeooo32.dll | Jqjdon32.exe
File opened for modification | C:\Windows\SysWOW64\Anepooja.exe | Agkhbece.exe
File created | C:\Windows\SysWOW64\Aphjld32.dll | Afbbiafj.exe
File created | C:\Windows\SysWOW64\Bmfjmn32.dll | Bickkl32.exe
File created | C:\Windows\SysWOW64\Nnknqpgi.exe | Nbaafocg.exe
File created | C:\Windows\SysWOW64\Plgojd32.dll | Nnknqpgi.exe
File created | C:\Windows\SysWOW64\Gplamind.dll | Hobfgcdb.exe
File opened for modification | C:\Windows\SysWOW64\Ickaaf32.exe | Iegaha32.exe
File created | C:\Windows\SysWOW64\Ihhjjm32.exe | Ickaaf32.exe
File created | C:\Windows\SysWOW64\Dfikeg32.dll | Adjoqjfc.exe
File created | C:\Windows\SysWOW64\Emmljodk.exe | Egbcne32.exe
File created | C:\Windows\SysWOW64\Gnhffghb.dll | Fcnmne32.exe
File created | C:\Windows\SysWOW64\Faegda32.exe | Fogkhf32.exe
File created | C:\Windows\SysWOW64\Gbgciabj.dll | Ghmokomm.exe
File created | C:\Windows\SysWOW64\Iapcoh32.dll | Mdmonf32.exe
File created | C:\Windows\SysWOW64\Dflbbm32.dll | Iegaha32.exe
File created | C:\Windows\SysWOW64\Cnflmc32.dll | Ikkoagjo.exe
File created | C:\Windows\SysWOW64\Lldkem32.exe | Lpmjplag.exe
Modifies registry class (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ijphqbpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhmmobd.dll" | Pljnmkoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmmbajg.dll" | Plljbkml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeekfj32.dll" | Mlfgkleh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Emmljodk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mkggkphi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kiaiooja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghjdjcn.dll" | Jbegpn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Daoeeo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ickaaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eccanfla.dll" | Ihhjjm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibloljfb.dll" | Knldaf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kiaiooja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghdolen.dll" | Pcmcmcjc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphjld32.dll" | Afbbiafj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bickkl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdgab32.dll" | Kldchgag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enloogna.dll" | Kaagnp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kfiajj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gknhlj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iapcoh32.dll" | Mdmonf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mkggkphi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eefpnicb.dll" | Lhegcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jmhkdnfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lfbibfmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kfiajj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfhqc32.dll" | Anepooja.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Deegjo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Leciaj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | 61f6e221f355707604e7e36634a3bba27386cdc28839ee04bd968de668d39f37.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kbedmedg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gddppp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogicdck.dll" | Gkkfem32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binbbk32.dll" | Mpacmghc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okpkjodk.dll" | Mpdpcg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pdmpgfae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbffalnq.dll" | Cflanc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdgghmcc.dll" | Ikmpipqb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mahinb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ckjqog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqjedjbn.dll" | Anpgdp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bomcgfjh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cjbccb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kmldajml.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Egbcne32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ikmpipqb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Onjianec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Anepooja.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jialbh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jbegpn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Idagdm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mlidplcf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mokfkini.dll" | Ammjekmg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fgbpmh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bddebg32.dll" | Gcnjmi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaoelf32.dll" | Hkkcdq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcadcmef.dll" | Ifqgaibk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jokdobid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ohgnoeii.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Geehcoaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Llpajmkq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dekmoh32.dll" | Agkhbece.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ghmokomm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foaccp32.dll" | Kjpekn32.exe
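The two registry signatures above belong together. The "Adds autorun key" rows only tell you that Explorer will delay-load the COM object named "Web Event Logger" with CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}; the DLL Explorer actually loads is whatever that CLSID's InProcServer32 default value says, and the "Modifies registry class" rows show successive generations of the chain re-pointing it to different random DLL names under SysWow64 (Ibhmmobd.dll, Ecmmbajg.dll, Eeekfj32.dll, ...). Both live under Wow6432Node because the sample is a 32-bit process on the x64 image. The script below is an added example written for this report, not part of the Triage output or the sample: it correlates SSODL SetValue events with InProcServer32 registrations for the same CLSID, skips an assumed baseline entry (the stock WebCheck SSODL entry), and reports every DLL path that was registered so all of them can be collected. The event lines are constructed; the registry paths, value names, CLSID and DLL paths are copied from the IoCs above, while the "process|operation|path|data" line format and the process names on the benign and CreateKey lines are assumptions, not a real Sysmon or sandbox export.

```python
"""Correlate a ShellServiceObjectDelayLoad (SSODL) autorun entry with the COM
InProcServer32 registration it points at, from registry SetValue events.

Added example for this report, not part of the Triage output. EVENTS is
constructed: paths, value names, CLSID and DLL paths come from the report's
IoCs; the line format is an assumption.
"""
import re
from dataclasses import dataclass

# Constructed input, one event per line: process|operation|registry path|data
EVENTS = r"""
Cckhlhcj.exe|CreateKey|\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|
Jmcbio32.exe|SetValue|\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger|{79FEACFF-FFCE-815E-A900-316290B5B738}
Ijphqbpo.exe|SetValue|\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel|Apartment
Pljnmkoo.exe|SetValue|\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\|C:\Windows\SysWow64\Ibhmmobd.dll
Plljbkml.exe|SetValue|\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\|C:\Windows\SysWow64\Ecmmbajg.dll
baseline_writer.exe|SetValue|\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck|{E6FB5E20-DE35-11CF-9C87-00AA005127ED}
"""

# Value name under SSODL (works for both the native and the Wow6432Node view).
SSODL_RE = re.compile(r"\\ShellServiceObjectDelayLoad\\([^\\]+)$", re.IGNORECASE)
# CLSID and value name under InProcServer32; an empty value name is the
# key's default value, which holds the DLL path Explorer will load.
INPROC_RE = re.compile(
    r"\\CLSID\\(\{[0-9A-F-]{36}\})\\InProcServer32\\([^\\]*)$", re.IGNORECASE)

# Assumed baseline (value name, lower-cased -> CLSID): the stock Windows
# WebCheck entry. Tune this to your own golden image.
BASELINE_SSODL = {"webcheck": "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"}


@dataclass
class Finding:
    value_name: str
    clsid: str
    set_by: list         # processes that wrote the SSODL value
    dll_paths: list      # InProcServer32 default values seen for the CLSID
    registered_by: list  # processes that wrote those default values


def parse_events(text):
    """Yield (process, operation, registry_path, data) tuples."""
    for line in text.strip().splitlines():
        proc, op, path, data = line.split("|", 3)
        yield proc, op, path, data


def correlate_ssodl(text, baseline=BASELINE_SSODL):
    """Return one Finding per non-baseline SSODL value, with the DLLs its CLSID maps to."""
    ssodl = {}   # value name -> {"clsid": ..., "set_by": [...]}
    inproc = {}  # CLSID -> [(dll_path, writing process), ...]
    for proc, op, path, data in parse_events(text):
        if op != "SetValue":
            continue
        m = SSODL_RE.search(path)
        if m:
            entry = ssodl.setdefault(m.group(1), {"clsid": data.upper(), "set_by": []})
            entry["set_by"].append(proc)
            continue
        m = INPROC_RE.search(path)
        if m and m.group(2) == "":  # default value: the DLL to be loaded
            inproc.setdefault(m.group(1).upper(), []).append((data, proc))

    findings = []
    for name, entry in ssodl.items():
        if baseline.get(name.lower()) == entry["clsid"]:
            continue  # known-good entry on this image
        regs = inproc.get(entry["clsid"], [])
        findings.append(Finding(name, entry["clsid"], entry["set_by"],
                                sorted({dll for dll, _ in regs}),
                                sorted({writer for _, writer in regs})))
    return findings


def describe(finding):
    """One-line triage summary: what Explorer will load at next logon."""
    dlls = ", ".join(finding.dll_paths) or "<no InProcServer32 default value seen>"
    return (f"SSODL '{finding.value_name}' -> {finding.clsid} "
            f"set by {', '.join(finding.set_by)}; Explorer will load: {dlls}")


if __name__ == "__main__":
    for f in correlate_ssodl(EVENTS):
        print(describe(f))
```

On a live host the same correlation is done by reading HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (and its Wow6432Node twin) and resolving each CLSID under HKCR\CLSID\{...}\InProcServer32; any value name not in your baseline is worth an alert on its own, since legitimate software almost never writes there.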
Suspicious use of WriteProcessMemory (64 IoCs)

Each record appears four times in the report (64 IoCs in total); the table lists each distinct record once.

description | pid | Process | procid_target
PID 2432 wrote to memory of 3012 | 2432 | 61f6e221f355707604e7e36634a3bba27386cdc28839ee04bd968de668d39f37.exe | 29
PID 3012 wrote to memory of 2336 | 3012 | Oemhjlha.exe | 30
PID 2336 wrote to memory of 2772 | 2336 | Lnambeed.exe | 31
PID 2772 wrote to memory of 2668 | 2772 | Empphi32.exe | 32
PID 2668 wrote to memory of 2884 | 2668 | Ijphqbpo.exe | 33
PID 2884 wrote to memory of 1940 | 2884 | Kaieai32.exe | 34
PID 1940 wrote to memory of 1488 | 1940 | Kdincdcl.exe | 35
PID 1488 wrote to memory of 1096 | 1488 | Kldchgag.exe | 36
PID 1096 wrote to memory of 2304 | 1096 | Lnmfpnqn.exe | 37
PID 2304 wrote to memory of 2264 | 2304 | Lnobfn32.exe | 38
PID 2264 wrote to memory of 1248 | 2264 | Lhegcg32.exe | 39
PID 1248 wrote to memory of 1864 | 1248 | Mfoqephq.exe | 40
PID 1864 wrote to memory of 968 | 1864 | Mgomoboc.exe | 41
PID 968 wrote to memory of 1584 | 968 | Mlkegimk.exe | 42
PID 1584 wrote to memory of 1968 | 1584 | Mnakjaoc.exe | 43
PID 1968 wrote to memory of 1044 | 1968 | Nbaafocg.exe | 44
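The WriteProcessMemory records and the "Executes dropped EXE" list together describe the execution chain: every dropped copy writes into exactly one child, and that child is the next dropped copy. The process tree further down shows this chain only to depth 11, while these records reach depth 17 (PID 1044, Nnknqpgi.exe). The script below is an added example for this report, not part of the Triage output: it de-duplicates the repeated records into unique parent-to-child edges, checks that the process names on the records agree with the pid-to-name list, and walks the chain from the root PID, refusing to continue if a parent writes into more than one child or the chain loops. RECORDS reproduces the 16 distinct records from the table above, repeated four times as in the report; the record text format is the report's own, and NAMES is taken from "Executes dropped EXE".

```python
"""Rebuild the parent->child injection chain from 'wrote to memory' records.

Added example for this report, not part of the Triage output. RECORDS and
NAMES are copied from the report's tables; the only construction is
repeating each record four times, as the report does.
"""
import re
from collections import defaultdict

ROOT = "61f6e221f355707604e7e36634a3bba27386cdc28839ee04bd968de668d39f37.exe"

# 16 distinct records from the report, each repeated 4x like the original (64 total).
RECORDS = f"""
PID 2432 wrote to memory of 3012 2432 {ROOT} 29
PID 3012 wrote to memory of 2336 3012 Oemhjlha.exe 30
PID 2336 wrote to memory of 2772 2336 Lnambeed.exe 31
PID 2772 wrote to memory of 2668 2772 Empphi32.exe 32
PID 2668 wrote to memory of 2884 2668 Ijphqbpo.exe 33
PID 2884 wrote to memory of 1940 2884 Kaieai32.exe 34
PID 1940 wrote to memory of 1488 1940 Kdincdcl.exe 35
PID 1488 wrote to memory of 1096 1488 Kldchgag.exe 36
PID 1096 wrote to memory of 2304 1096 Lnmfpnqn.exe 37
PID 2304 wrote to memory of 2264 2304 Lnobfn32.exe 38
PID 2264 wrote to memory of 1248 2264 Lhegcg32.exe 39
PID 1248 wrote to memory of 1864 1248 Mfoqephq.exe 40
PID 1864 wrote to memory of 968 1864 Mgomoboc.exe 41
PID 968 wrote to memory of 1584 968 Mlkegimk.exe 42
PID 1584 wrote to memory of 1968 1584 Mnakjaoc.exe 43
PID 1968 wrote to memory of 1044 1968 Nbaafocg.exe 44
""".strip().splitlines() * 4

# pid -> image name, from "Executes dropped EXE" plus the root sample.
NAMES = {
    2432: ROOT, 3012: "Oemhjlha.exe", 2336: "Lnambeed.exe", 2772: "Empphi32.exe",
    2668: "Ijphqbpo.exe", 2884: "Kaieai32.exe", 1940: "Kdincdcl.exe",
    1488: "Kldchgag.exe", 1096: "Lnmfpnqn.exe", 2304: "Lnobfn32.exe",
    2264: "Lhegcg32.exe", 1248: "Mfoqephq.exe", 1864: "Mgomoboc.exe",
    968: "Mlkegimk.exe", 1584: "Mnakjaoc.exe", 1968: "Nbaafocg.exe",
    1044: "Nnknqpgi.exe",
}

# "PID <src> wrote to memory of <dst> <src> <process> <procid_target>"; the
# backreference insists the two source PIDs in a record agree.
REC_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")


def parse_edges(lines):
    """Return {(src_pid, dst_pid): src_name}, collapsing the repeated records."""
    edges = {}
    for line in lines:
        m = REC_RE.match(line)
        if not m:
            raise ValueError(f"unparsed record: {line!r}")
        src, dst, name = int(m.group(1)), int(m.group(2)), m.group(3)
        edges[(src, dst)] = name
    return edges


def names_consistent(edges, names):
    """True if every record's process name matches the pid->name list for its source."""
    return all(names.get(src) == name for (src, _), name in edges.items())


def build_chain(edges, names, root_pid):
    """Walk root -> child -> ... and return [(pid, name), ...].

    Raises if any process writes into more than one child (fan-out) or the
    walk revisits a PID (cycle), since either means this is not a simple chain.
    """
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    chain = [(root_pid, names.get(root_pid, "?"))]
    seen = {root_pid}
    pid = root_pid
    while children[pid]:
        kids = children[pid]
        if len(kids) > 1:
            raise ValueError(f"PID {pid} writes into {len(kids)} processes; not a simple chain")
        pid = kids[0]
        if pid in seen:
            raise ValueError(f"cycle at PID {pid}")
        seen.add(pid)
        chain.append((pid, names.get(pid, "?")))
    return chain


if __name__ == "__main__":
    edges = parse_edges(RECORDS)
    print(f"{len(RECORDS)} records -> {len(edges)} unique edges; "
          f"names consistent: {names_consistent(edges, NAMES)}")
    for depth, (pid, name) in enumerate(build_chain(edges, NAMES, 2432), start=1):
        print(f"depth {depth:2d}  PID {pid:<5d} {name}")
```

The output is the full 17-process chain, which is what a responder needs when the report's process tree is cut off: every image name in it is a file to collect from C:\Windows\SysWOW64, and the absence of fan-out tells you a single kill of the live tail process stops the chain.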
Processes

Each entry is the child of the entry one depth above it. The image path is under SysWOW64 while the command line names system32: the 32-bit copies ask for system32 and WoW64 file-system redirection resolves it to SysWOW64.

Depth 1: C:\Users\Admin\AppData\Local\Temp\61f6e221f355707604e7e36634a3bba27386cdc28839ee04bd968de668d39f37.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\61f6e221f355707604e7e36634a3bba27386cdc28839ee04bd968de668d39f37.exe"
  PID: 2432
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

Depth 2: C:\Windows\SysWOW64\Oemhjlha.exe
  Command line: C:\Windows\system32\Oemhjlha.exe
  PID: 3012
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

Depth 3: C:\Windows\SysWOW64\Lnambeed.exe
  Command line: C:\Windows\system32\Lnambeed.exe
  PID: 2336
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

Depth 4: C:\Windows\SysWOW64\Empphi32.exe
  Command line: C:\Windows\system32\Empphi32.exe
  PID: 2772
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Depth 5: C:\Windows\SysWOW64\Ijphqbpo.exe
  Command line: C:\Windows\system32\Ijphqbpo.exe
  PID: 2668
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

Depth 6: C:\Windows\SysWOW64\Kaieai32.exe
  Command line: C:\Windows\system32\Kaieai32.exe
  PID: 2884
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

Depth 7: C:\Windows\SysWOW64\Kdincdcl.exe
  Command line: C:\Windows\system32\Kdincdcl.exe
  PID: 1940
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

Depth 8: C:\Windows\SysWOW64\Kldchgag.exe
  Command line: C:\Windows\system32\Kldchgag.exe
  PID: 1488
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

Depth 9: C:\Windows\SysWOW64\Lnmfpnqn.exe
  Command line: C:\Windows\system32\Lnmfpnqn.exe
  PID: 1096
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Depth 10: C:\Windows\SysWOW64\Lnobfn32.exe
  Command line: C:\Windows\system32\Lnobfn32.exe
  PID: 2304
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

Depth 11: C:\Windows\SysWOW64\Lhegcg32.exe
  Command line: C:\Windows\system32\Lhegcg32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Mfoqephq.exeC:\Windows\system32\Mfoqephq.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Mgomoboc.exeC:\Windows\system32\Mgomoboc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\Mlkegimk.exeC:\Windows\system32\Mlkegimk.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:968 -
C:\Windows\SysWOW64\Mnakjaoc.exeC:\Windows\system32\Mnakjaoc.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Nbaafocg.exeC:\Windows\system32\Nbaafocg.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Nnknqpgi.exeC:\Windows\system32\Nnknqpgi.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1044 -
C:\Windows\SysWOW64\Ojdlkp32.exeC:\Windows\system32\Ojdlkp32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:748 -
C:\Windows\SysWOW64\Olehbh32.exeC:\Windows\system32\Olehbh32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1448 -
C:\Windows\SysWOW64\Olokighn.exeC:\Windows\system32\Olokighn.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Pdjpmi32.exeC:\Windows\system32\Pdjpmi32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1752 -
C:\Windows\SysWOW64\Pljnmkoo.exeC:\Windows\system32\Pljnmkoo.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Plljbkml.exeC:\Windows\system32\Plljbkml.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Phckglbq.exeC:\Windows\system32\Phckglbq.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1548 -
C:\Windows\SysWOW64\Ahjahk32.exeC:\Windows\system32\Ahjahk32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1996 -
C:\Windows\SysWOW64\Dbadcdgp.exeC:\Windows\system32\Dbadcdgp.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2992 -
C:\Windows\SysWOW64\Kjalch32.exeC:\Windows\system32\Kjalch32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:396 -
C:\Windows\SysWOW64\Ohgnoeii.exeC:\Windows\system32\Ohgnoeii.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Fajpdmgb.exeC:\Windows\system32\Fajpdmgb.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2744 -
C:\Windows\SysWOW64\Fjbdmbmb.exeC:\Windows\system32\Fjbdmbmb.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Fjdqbbkp.exeC:\Windows\system32\Fjdqbbkp.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Gfkagc32.exeC:\Windows\system32\Gfkagc32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
C:\Windows\SysWOW64\Geehcoaf.exeC:\Windows\system32\Geehcoaf.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:1196 -
C:\Windows\SysWOW64\Gbihmcqp.exeC:\Windows\system32\Gbihmcqp.exe34⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Hobfgcdb.exeC:\Windows\system32\Hobfgcdb.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1072 -
C:\Windows\SysWOW64\Hgnjlfam.exeC:\Windows\system32\Hgnjlfam.exe36⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Hpfoekhm.exeC:\Windows\system32\Hpfoekhm.exe37⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Hincna32.exeC:\Windows\system32\Hincna32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1288 -
C:\Windows\SysWOW64\Iomhkgkb.exeC:\Windows\system32\Iomhkgkb.exe39⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Iegaha32.exeC:\Windows\system32\Iegaha32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1232 -
C:\Windows\SysWOW64\Ickaaf32.exeC:\Windows\system32\Ickaaf32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Ihhjjm32.exeC:\Windows\system32\Ihhjjm32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Iaqnbb32.exeC:\Windows\system32\Iaqnbb32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Ilfbpk32.exeC:\Windows\system32\Ilfbpk32.exe44⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Idagdm32.exeC:\Windows\system32\Idagdm32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Ikkoagjo.exeC:\Windows\system32\Ikkoagjo.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Ibehna32.exeC:\Windows\system32\Ibehna32.exe47⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Jqjdon32.exeC:\Windows\system32\Jqjdon32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:240 -
C:\Windows\SysWOW64\Jkpilg32.exeC:\Windows\system32\Jkpilg32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Jqmadn32.exeC:\Windows\system32\Jqmadn32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Jfijmdbh.exeC:\Windows\system32\Jfijmdbh.exe51⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Jmcbio32.exeC:\Windows\system32\Jmcbio32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2196 -
C:\Windows\SysWOW64\Jcmjfiab.exeC:\Windows\system32\Jcmjfiab.exe53⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Jmfoon32.exeC:\Windows\system32\Jmfoon32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Jmhkdnfp.exeC:\Windows\system32\Jmhkdnfp.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:932 -
C:\Windows\SysWOW64\Kbedmedg.exeC:\Windows\system32\Kbedmedg.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2480 -
C:\Windows\SysWOW64\Knldaf32.exeC:\Windows\system32\Knldaf32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Kiaiooja.exeC:\Windows\system32\Kiaiooja.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Kamncagl.exeC:\Windows\system32\Kamncagl.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Kkbbqjgb.exeC:\Windows\system32\Kkbbqjgb.exe60⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Kaojiqej.exeC:\Windows\system32\Kaojiqej.exe61⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Kcmfeldm.exeC:\Windows\system32\Kcmfeldm.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Kaagnp32.exeC:\Windows\system32\Kaagnp32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2332 -
C:\Windows\SysWOW64\Lpiqel32.exeC:\Windows\system32\Lpiqel32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Lfbibfmi.exeC:\Windows\system32\Lfbibfmi.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1344 -
C:\Windows\SysWOW64\Llpajmkq.exeC:\Windows\system32\Llpajmkq.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Lfeegfkf.exeC:\Windows\system32\Lfeegfkf.exe67⤵PID:2292
-
C:\Windows\SysWOW64\Lpmjplag.exeC:\Windows\system32\Lpmjplag.exe68⤵
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Lldkem32.exeC:\Windows\system32\Lldkem32.exe69⤵PID:1444
-
C:\Windows\SysWOW64\Lobgah32.exeC:\Windows\system32\Lobgah32.exe70⤵PID:2940
-
C:\Windows\SysWOW64\Mlfgkleh.exeC:\Windows\system32\Mlfgkleh.exe71⤵
- Modifies registry class
PID:408 -
C:\Windows\SysWOW64\Mbqpgf32.exeC:\Windows\system32\Mbqpgf32.exe72⤵
- Drops file in System32 directory
PID:1276 -
C:\Windows\SysWOW64\Mlidplcf.exeC:\Windows\system32\Mlidplcf.exe73⤵
- Modifies registry class
PID:948 -
C:\Windows\SysWOW64\Mmjqhd32.exeC:\Windows\system32\Mmjqhd32.exe74⤵PID:1628
-
C:\Windows\SysWOW64\Mknaahhn.exeC:\Windows\system32\Mknaahhn.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Mahinb32.exeC:\Windows\system32\Mahinb32.exe76⤵
- Drops file in System32 directory
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Mgebfi32.exeC:\Windows\system32\Mgebfi32.exe77⤵PID:1404
-
C:\Windows\SysWOW64\Nhmdoq32.exeC:\Windows\system32\Nhmdoq32.exe78⤵PID:2704
-
C:\Windows\SysWOW64\Ckjqog32.exeC:\Windows\system32\Ckjqog32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Kfiajj32.exeC:\Windows\system32\Kfiajj32.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:1776 -
C:\Windows\SysWOW64\Pdhflg32.exeC:\Windows\system32\Pdhflg32.exe81⤵PID:2760
-
C:\Windows\SysWOW64\Pkboiamh.exeC:\Windows\system32\Pkboiamh.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2784 -
C:\Windows\SysWOW64\Pmqkellk.exeC:\Windows\system32\Pmqkellk.exe83⤵PID:2868
-
C:\Windows\SysWOW64\Pcmcmcjc.exeC:\Windows\system32\Pcmcmcjc.exe84⤵
- Modifies registry class
PID:1372 -
C:\Windows\SysWOW64\Pigkjmap.exeC:\Windows\system32\Pigkjmap.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1520 -
C:\Windows\SysWOW64\Pdmpgfae.exeC:\Windows\system32\Pdmpgfae.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Pijhompm.exeC:\Windows\system32\Pijhompm.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1600 -
C:\Windows\SysWOW64\Qjnajl32.exeC:\Windows\system32\Qjnajl32.exe88⤵PID:1464
-
C:\Windows\SysWOW64\Qcgfcbbh.exeC:\Windows\system32\Qcgfcbbh.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:528 -
C:\Windows\SysWOW64\Ahcoli32.exeC:\Windows\system32\Ahcoli32.exe90⤵PID:2052
-
C:\Windows\SysWOW64\Anpgdp32.exeC:\Windows\system32\Anpgdp32.exe91⤵
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Adjoqjfc.exeC:\Windows\system32\Adjoqjfc.exe92⤵
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Anbcio32.exeC:\Windows\system32\Anbcio32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1832 -
C:\Windows\SysWOW64\Agkhbece.exeC:\Windows\system32\Agkhbece.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:672 -
C:\Windows\SysWOW64\Anepooja.exeC:\Windows\system32\Anepooja.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Agmehd32.exeC:\Windows\system32\Agmehd32.exe96⤵PID:880
-
C:\Windows\SysWOW64\Aqfiqjgb.exeC:\Windows\system32\Aqfiqjgb.exe97⤵PID:1812
-
C:\Windows\SysWOW64\Afbbiafj.exeC:\Windows\system32\Afbbiafj.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Ammjekmg.exeC:\Windows\system32\Ammjekmg.exe99⤵
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Bgbncdmm.exeC:\Windows\system32\Bgbncdmm.exe100⤵PID:2632
-
C:\Windows\SysWOW64\Bickkl32.exeC:\Windows\system32\Bickkl32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Bomcgfjh.exeC:\Windows\system32\Bomcgfjh.exe102⤵
- Drops file in System32 directory
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Bfgkdp32.exeC:\Windows\system32\Bfgkdp32.exe103⤵PID:2412
-
C:\Windows\SysWOW64\Bkdclgpl.exeC:\Windows\system32\Bkdclgpl.exe104⤵PID:1980
-
C:\Windows\SysWOW64\Bbnlia32.exeC:\Windows\system32\Bbnlia32.exe105⤵PID:396
-
C:\Windows\SysWOW64\Bbbedqcc.exeC:\Windows\system32\Bbbedqcc.exe106⤵PID:2756
-
C:\Windows\SysWOW64\Cgpnlgak.exeC:\Windows\system32\Cgpnlgak.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1536 -
C:\Windows\SysWOW64\Cbebjpaa.exeC:\Windows\system32\Cbebjpaa.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2176 -
C:\Windows\SysWOW64\Cecnflpd.exeC:\Windows\system32\Cecnflpd.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2396 -
C:\Windows\SysWOW64\Cjpgnbol.exeC:\Windows\system32\Cjpgnbol.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Cajokmfi.exeC:\Windows\system32\Cajokmfi.exe111⤵PID:2636
-
C:\Windows\SysWOW64\Cefkkk32.exeC:\Windows\system32\Cefkkk32.exe112⤵PID:2200
-
C:\Windows\SysWOW64\Cjbccb32.exeC:\Windows\system32\Cjbccb32.exe113⤵
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Cckhlhcj.exeC:\Windows\system32\Cckhlhcj.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2480 -
C:\Windows\SysWOW64\Cjepib32.exeC:\Windows\system32\Cjepib32.exe115⤵PID:1120
-
C:\Windows\SysWOW64\Cihqdoaa.exeC:\Windows\system32\Cihqdoaa.exe116⤵PID:1084
-
C:\Windows\SysWOW64\Ccmdbg32.exeC:\Windows\system32\Ccmdbg32.exe117⤵PID:1344
-
C:\Windows\SysWOW64\Cflanc32.exeC:\Windows\system32\Cflanc32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Clhifj32.exeC:\Windows\system32\Clhifj32.exe119⤵PID:1276
-
C:\Windows\SysWOW64\Dfnncb32.exeC:\Windows\system32\Dfnncb32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2588 -
C:\Windows\SysWOW64\Doibhekc.exeC:\Windows\system32\Doibhekc.exe121⤵PID:2728
-
C:\Windows\SysWOW64\Dhagaj32.exeC:\Windows\system32\Dhagaj32.exe122⤵PID:2764
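The "Adds autorun key to be loaded by Explorer.exe on startup" tag that recurs through the tree refers to the ShellServiceObjectDelayLoad (SSODL) key: Explorer instantiates every CLSID listed there at logon, so a dropped COM server registered under a plausible value name survives reboots without a Run key or a service. Because the payloads here run from SysWOW64, their registry writes land in the 32-bit (Wow6432Node) view, which a check that reads only the native 64-bit view will miss. The audit below is an added example, not code from the report or from any vendor tool. The core check works on a snapshot of the key plus a CLSID resolver so it can be tested offline; read_live() supplies both from a Windows host via the standard winreg module, for either registry view. The snapshot values, CLSIDs and DLL names in SAMPLE_ENTRIES and SAMPLE_SERVERS are constructed placeholders, and the allowlist is assumed to come from a clean baseline of the same OS build.

```python
import re

try:
    import winreg  # Windows only; audit_ssodl() itself does not need it
except ImportError:
    winreg = None

SSODL_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)


def audit_ssodl(entries, resolve_clsid, allowlist):
    """Return (severity, value_name, data, reason) for every SSODL value that
    is not on the operator's allowlist.

    entries:       {value_name: data} as read from the SSODL key
    resolve_clsid: callable CLSID -> InprocServer32 path, or None if unregistered
    allowlist:     upper-case CLSIDs vetted against a clean baseline (assumed)
    """
    findings = []
    for name, data in entries.items():
        data = str(data)
        if not CLSID_RE.fullmatch(data):
            findings.append(("high", name, data, "data is not a CLSID"))
            continue
        clsid = data.upper()
        if clsid in allowlist:
            continue
        dll = resolve_clsid(clsid)
        if dll is None:
            findings.append(("medium", name, clsid, "not in allowlist; CLSID has no InprocServer32"))
        else:
            findings.append(("high", name, clsid, f"not in allowlist; Explorer will load {dll}"))
    return findings


def read_live(view_bits=32):
    """Read the SSODL key and build a CLSID resolver from the live registry
    (Windows only). view_bits=32 reads the Wow6432Node view that 32-bit
    droppers write to; 64 reads the native view. Run both on a 64-bit host."""
    if winreg is None:
        raise RuntimeError("live registry access needs Windows")
    flag = winreg.KEY_WOW64_32KEY if view_bits == 32 else winreg.KEY_WOW64_64KEY
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SSODL_SUBKEY, 0, winreg.KEY_READ | flag) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries[name] = data
            index += 1

    def resolve(clsid):
        path = "CLSID\\" + clsid + "\\InprocServer32"
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, path, 0, winreg.KEY_READ | flag) as srv:
                return winreg.QueryValueEx(srv, "")[0]  # (Default) value = DLL path
        except OSError:
            return None

    return entries, resolve


# Constructed snapshot standing in for what read_live() returns. The CLSIDs and
# DLL names are placeholders, not values taken from this report.
SAMPLE_ENTRIES = {
    "Baseline entry": "{11111111-1111-1111-1111-111111111111}",
    "Web Event Logger": "{22222222-2222-2222-2222-222222222222}",
    "Stale": "{33333333-3333-3333-3333-333333333333}",
    "Garbage": "not-a-clsid",
}
SAMPLE_SERVERS = {
    "{11111111-1111-1111-1111-111111111111}": r"C:\Windows\System32\baseline.dll",
    "{22222222-2222-2222-2222-222222222222}": r"C:\Windows\SysWOW64\Abcdefgh.dll",
}
SAMPLE_ALLOWLIST = {"{11111111-1111-1111-1111-111111111111}"}

if __name__ == "__main__":
    for finding in audit_ssodl(SAMPLE_ENTRIES, SAMPLE_SERVERS.get, SAMPLE_ALLOWLIST):
        print(" | ".join(finding))
```

On a suspect host, call read_live(32) and read_live(64) and pass each pair to audit_ssodl(). The allowlist is the important input: an SSODL value whose name reads like a Windows component proves nothing, so vet by CLSID against a clean build, and treat any CLSID whose InprocServer32 points at a freshly created file in System32 or SysWOW64 as the persistence half of the dropper chain shown in the tree above.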