Analysis
max time kernel: 30s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 25-03-2024 17:49

Static task: static1 (3 signatures)

Behavioral task: behavioral1
Sample: 2a3727841dcb5bda9c169df85c997ba814e4013e04fbd2e01bc9dba05e32a9a6.exe
Resource: win7-20240221-en (windows7-x64)
8 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 2a3727841dcb5bda9c169df85c997ba814e4013e04fbd2e01bc9dba05e32a9a6.exe
Resource: win10v2004-20231215-en (windows10-2004-x64)
8 signatures, 150 seconds

General
Target: 2a3727841dcb5bda9c169df85c997ba814e4013e04fbd2e01bc9dba05e32a9a6.exe
Size: 163KB
MD5: e412b710126b8ce84feaf3c1e256a6b9
SHA1: 7f5d5264ea2ec0805b0e7c666e3256578b494f7c
SHA256: 2a3727841dcb5bda9c169df85c997ba814e4013e04fbd2e01bc9dba05e32a9a6
SHA512: fe984c449d1a84cb1274c018c46a2af1baa263b33be9d88d7fe14340a7b7b6ee8521d3d6896c40a39a74567b167c33548f332771e812c1f6d587c73b8f2598cc
SSDEEP: 3072:ZOAmCe9EaLymaScTPShd+Ba6ltOrWKDBr+yJb:Zr69pyiJhd+BXLOf
Score: 10/10

Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Detects executables built or packed with MPress PE compressor 64 IoCs
UPX dump on OEP (original entry point) 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Modifies registry class 64 IoCs
Clmbddgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhndalhm.dll" Qhmcmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dicnkdnf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Each entry gives the image path, the tree level at which the sandbox recorded the process, its PID, the command line it was started with, and the signatures it triggered.

[level 1] C:\Users\Admin\AppData\Local\Temp\2a3727841dcb5bda9c169df85c997ba814e4013e04fbd2e01bc9dba05e32a9a6.exe (PID 1332), command line: "C:\Users\Admin\AppData\Local\Temp\2a3727841dcb5bda9c169df85c997ba814e4013e04fbd2e01bc9dba05e32a9a6.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

[level 2] C:\Windows\SysWOW64\Mmihhelk.exe (PID 2516), command line: C:\Windows\system32\Mmihhelk.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

[level 3] C:\Windows\SysWOW64\Moidahcn.exe (PID 2756), command line: C:\Windows\system32\Moidahcn.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

[level 4] C:\Windows\SysWOW64\Nkpegi32.exe (PID 2732), command line: C:\Windows\system32\Nkpegi32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

[level 5] C:\Windows\SysWOW64\Nlcnda32.exe (PID 2908), command line: C:\Windows\system32\Nlcnda32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

[level 6] C:\Windows\SysWOW64\Ncmfqkdj.exe (PID 1940), command line: C:\Windows\system32\Ncmfqkdj.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory

[level 7] C:\Windows\SysWOW64\Nenobfak.exe (PID 2988), command line: C:\Windows\system32\Nenobfak.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

[level 8] C:\Windows\SysWOW64\Npccpo32.exe (PID 2404), command line: C:\Windows\system32\Npccpo32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

[level 9] C:\Windows\SysWOW64\Ocdmaj32.exe (PID 472), command line: C:\Windows\system32\Ocdmaj32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

[level 10] C:\Windows\SysWOW64\Ookmfk32.exe (PID 2800), command line: C:\Windows\system32\Ookmfk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

[level 11] C:\Windows\SysWOW64\Onpjghhn.exe (PID 2600), command line: C:\Windows\system32\Onpjghhn.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

[level 12] C:\Windows\SysWOW64\Okdkal32.exe (PID 1108), command line: C:\Windows\system32\Okdkal32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

[level 13] C:\Windows\SysWOW64\Okfgfl32.exe (PID 284), command line: C:\Windows\system32\Okfgfl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

[level 14] C:\Windows\SysWOW64\Odoloalf.exe (PID 2820), command line: C:\Windows\system32\Odoloalf.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

[level 15] C:\Windows\SysWOW64\Pjnamh32.exe (PID 884), command line: C:\Windows\system32\Pjnamh32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

[level 16] C:\Windows\SysWOW64\Pcfefmnk.exe (PID 2388), command line: C:\Windows\system32\Pcfefmnk.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

[level 17] C:\Windows\SysWOW64\Pmojocel.exe (PID 2928), command line: C:\Windows\system32\Pmojocel.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

[level 18] C:\Windows\SysWOW64\Pckoam32.exe (PID 952), command line: C:\Windows\system32\Pckoam32.exe
- Executes dropped EXE
- Loads dropped DLL

[level 19] C:\Windows\SysWOW64\Qbplbi32.exe (PID 828), command line: C:\Windows\system32\Qbplbi32.exe
- Executes dropped EXE
- Loads dropped DLL

[level 20] C:\Windows\SysWOW64\Qbbhgi32.exe (PID 1376), command line: C:\Windows\system32\Qbbhgi32.exe
- Executes dropped EXE
- Loads dropped DLL

[level 21] C:\Windows\SysWOW64\Qjnmlk32.exe (PID 1552), command line: C:\Windows\system32\Qjnmlk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

[level 22] C:\Windows\SysWOW64\Acfaeq32.exe (PID 1300), command line: C:\Windows\system32\Acfaeq32.exe
- Executes dropped EXE
- Loads dropped DLL

[level 23] C:\Windows\SysWOW64\Aajbne32.exe (PID 796), command line: C:\Windows\system32\Aajbne32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL

[level 24] C:\Windows\SysWOW64\Agfgqo32.exe (PID 2972), command line: C:\Windows\system32\Agfgqo32.exe
- Executes dropped EXE
- Loads dropped DLL

[level 25] C:\Windows\SysWOW64\Apalea32.exe (PID 1988), command line: C:\Windows\system32\Apalea32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

[level 26] C:\Windows\SysWOW64\Apdhjq32.exe (PID 556), command line: C:\Windows\system32\Apdhjq32.exe
- Executes dropped EXE
- Loads dropped DLL

[level 27] C:\Windows\SysWOW64\Bnielm32.exe (PID 1292), command line: C:\Windows\system32\Bnielm32.exe
- Executes dropped EXE
- Loads dropped DLL

[level 28] C:\Windows\SysWOW64\Bajomhbl.exe (PID 2232), command line: C:\Windows\system32\Bajomhbl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL

[level 29] C:\Windows\SysWOW64\Bbikgk32.exe (PID 2152), command line: C:\Windows\system32\Bbikgk32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

[level 30] C:\Windows\SysWOW64\Bdmddc32.exe (PID 2564), command line: C:\Windows\system32\Bdmddc32.exe
- Executes dropped EXE
- Loads dropped DLL

[level 31] C:\Windows\SysWOW64\Cdoajb32.exe (PID 2808), command line: C:\Windows\system32\Cdoajb32.exe
- Executes dropped EXE
- Loads dropped DLL

[level 32] C:\Windows\SysWOW64\Clmbddgp.exe (PID 2560), command line: C:\Windows\system32\Clmbddgp.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

[level 33] C:\Windows\SysWOW64\Cbgjqo32.exe (PID 2104), command line: C:\Windows\system32\Cbgjqo32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

[level 34] C:\Windows\SysWOW64\Cegcbjkn.exe (PID 1368), command line: C:\Windows\system32\Cegcbjkn.exe
- Executes dropped EXE

[level 35] C:\Windows\SysWOW64\Cckdlnjg.exe (PID 1316), command line: C:\Windows\system32\Cckdlnjg.exe
- Executes dropped EXE
- Modifies registry class

[level 36] C:\Windows\SysWOW64\Dcnqanhd.exe (PID 2876), command line: C:\Windows\system32\Dcnqanhd.exe
- Executes dropped EXE

[level 37] C:\Windows\SysWOW64\Dhkiid32.exe (PID 2512), command line: C:\Windows\system32\Dhkiid32.exe
- Executes dropped EXE

[level 38] C:\Windows\SysWOW64\Dngabk32.exe (PID 1884), command line: C:\Windows\system32\Dngabk32.exe
- Executes dropped EXE

[level 39] C:\Windows\SysWOW64\Edccch32.exe (PID 2640), command line: C:\Windows\system32\Edccch32.exe
- Executes dropped EXE
- Modifies registry class

[level 40] C:\Windows\SysWOW64\Fokdfajl.exe (PID 568), command line: C:\Windows\system32\Fokdfajl.exe
- Executes dropped EXE
- Drops file in System32 directory

[level 41] C:\Windows\SysWOW64\Fidhof32.exe (PID 1360), command line: C:\Windows\system32\Fidhof32.exe
- Executes dropped EXE
- Modifies registry class

[level 42] C:\Windows\SysWOW64\Fqomci32.exe (PID 1956), command line: C:\Windows\system32\Fqomci32.exe
- Executes dropped EXE
- Drops file in System32 directory

[level 43] C:\Windows\SysWOW64\Fncmmmma.exe (PID 2288), command line: C:\Windows\system32\Fncmmmma.exe
- Executes dropped EXE

[level 44] C:\Windows\SysWOW64\Fcpfedki.exe (PID 2924), command line: C:\Windows\system32\Fcpfedki.exe
- Executes dropped EXE
- Drops file in System32 directory

[level 45] C:\Windows\SysWOW64\Fnejbmko.exe (PID 2352), command line: C:\Windows\system32\Fnejbmko.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class

[level 46] C:\Windows\SysWOW64\Fgnokb32.exe (PID 1348), command line: C:\Windows\system32\Fgnokb32.exe
- Executes dropped EXE

[level 47] C:\Windows\SysWOW64\Fpicodoj.exe (PID 1996), command line: C:\Windows\system32\Fpicodoj.exe
- Executes dropped EXE

[level 48] C:\Windows\SysWOW64\Gehhmkko.exe (PID 1012), command line: C:\Windows\system32\Gehhmkko.exe
- Executes dropped EXE

[level 49] C:\Windows\SysWOW64\Gmoqnhla.exe (PID 1220), command line: C:\Windows\system32\Gmoqnhla.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

[level 50] C:\Windows\SysWOW64\Gblifo32.exe (PID 1752), command line: C:\Windows\system32\Gblifo32.exe
- Executes dropped EXE

[level 51] C:\Windows\SysWOW64\Gfgegnbb.exe (PID 1656), command line: C:\Windows\system32\Gfgegnbb.exe
- Executes dropped EXE

[level 52] C:\Windows\SysWOW64\Gaafhloq.exe (PID 1268), command line: C:\Windows\system32\Gaafhloq.exe
- Executes dropped EXE

[level 53] C:\Windows\SysWOW64\Glgjednf.exe (PID 864), command line: C:\Windows\system32\Glgjednf.exe
- Executes dropped EXE

[level 54] C:\Windows\SysWOW64\Ghmkjedk.exe (PID 2720), command line: C:\Windows\system32\Ghmkjedk.exe
- Executes dropped EXE

[level 55] C:\Windows\SysWOW64\Gngcgp32.exe (PID 2572), command line: C:\Windows\system32\Gngcgp32.exe
- Executes dropped EXE

[level 56] C:\Windows\SysWOW64\Hddlof32.exe (PID 2684), command line: C:\Windows\system32\Hddlof32.exe
- Executes dropped EXE

[level 57] C:\Windows\SysWOW64\Hjndlqal.exe (PID 2824), command line: C:\Windows\system32\Hjndlqal.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

[level 58] C:\Windows\SysWOW64\Hajinjff.exe (PID 2740), command line: C:\Windows\system32\Hajinjff.exe
- Executes dropped EXE
- Modifies registry class

[level 59] C:\Windows\SysWOW64\Hfgafadm.exe (PID 2544), command line: C:\Windows\system32\Hfgafadm.exe
- Executes dropped EXE

[level 60] C:\Windows\SysWOW64\Hdkape32.exe (PID 524), command line: C:\Windows\system32\Hdkape32.exe
- Executes dropped EXE

[level 61] C:\Windows\SysWOW64\Helngnie.exe (PID 2080), command line: C:\Windows\system32\Helngnie.exe
- Executes dropped EXE

[level 62] C:\Windows\SysWOW64\Heokmmgb.exe (PID 1592), command line: C:\Windows\system32\Heokmmgb.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

[level 63] C:\Windows\SysWOW64\Ipdojfgh.exe (PID 1680), command line: C:\Windows\system32\Ipdojfgh.exe
- Executes dropped EXE

[level 64] C:\Windows\SysWOW64\Ibckfa32.exe (PID 2652), command line: C:\Windows\system32\Ibckfa32.exe
- Executes dropped EXE

[level 65] C:\Windows\SysWOW64\Ilkpogmm.exe (PID 856), command line: C:\Windows\system32\Ilkpogmm.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class

[level 66] C:\Windows\SysWOW64\Ibehla32.exe (PID 1900), command line: C:\Windows\system32\Ibehla32.exe
- Drops file in System32 directory

[level 67] C:\Windows\SysWOW64\Idfdcijh.exe (PID 628), command line: C:\Windows\system32\Idfdcijh.exe

[level 68] C:\Windows\SysWOW64\Imoilo32.exe (PID 2940), command line: C:\Windows\system32\Imoilo32.exe

[level 69] C:\Windows\SysWOW64\Ihdmihpn.exe (PID 1980), command line: C:\Windows\system32\Ihdmihpn.exe

[level 70] C:\Windows\SysWOW64\Inafbooe.exe (PID 2296), command line: C:\Windows\system32\Inafbooe.exe
- Drops file in System32 directory
- Modifies registry class

[level 71] C:\Windows\SysWOW64\Idknoi32.exe (PID 2380), command line: C:\Windows\system32\Idknoi32.exe

[level 72] C:\Windows\SysWOW64\Iihfgp32.exe (PID 1704), command line: C:\Windows\system32\Iihfgp32.exe

[level 73] C:\Windows\SysWOW64\Ipbocjlg.exe (PID 2092), command line: C:\Windows\system32\Ipbocjlg.exe
- Modifies registry class

[level 74] C:\Windows\SysWOW64\Jkgcab32.exe (PID 940), command line: C:\Windows\system32\Jkgcab32.exe
- Modifies registry class

[level 75] C:\Windows\SysWOW64\Jliohkak.exe (PID 956), command line: C:\Windows\system32\Jliohkak.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory

[level 76] C:\Windows\SysWOW64\Jcbhee32.exe (PID 2372), command line: C:\Windows\system32\Jcbhee32.exe
- Drops file in System32 directory

[level 77] C:\Windows\SysWOW64\Jnhlbn32.exe (PID 3020), command line: C:\Windows\system32\Jnhlbn32.exe

[level 78] C:\Windows\SysWOW64\Jpfhoi32.exe (PID 2568), command line: C:\Windows\system32\Jpfhoi32.exe

[level 79] C:\Windows\SysWOW64\Jjomgo32.exe (PID 1724), command line: C:\Windows\system32\Jjomgo32.exe
- Modifies registry class

[level 80] C:\Windows\SysWOW64\Jcgapdeb.exe (PID 2576), command line: C:\Windows\system32\Jcgapdeb.exe

[level 81] C:\Windows\SysWOW64\Jjaimn32.exe (PID 2548), command line: C:\Windows\system32\Jjaimn32.exe

[level 82] C:\Windows\SysWOW64\Jcjnfdbp.exe (PID 2592), command line: C:\Windows\system32\Jcjnfdbp.exe

[level 83] C:\Windows\SysWOW64\Jfhjbobc.exe (PID 2116), command line: C:\Windows\system32\Jfhjbobc.exe
- Modifies registry class

[level 84] C:\Windows\SysWOW64\Kfjggo32.exe (PID 592), command line: C:\Windows\system32\Kfjggo32.exe
- Modifies registry class

[level 85] C:\Windows\SysWOW64\Khiccj32.exe (PID 2664), command line: C:\Windows\system32\Khiccj32.exe

[level 86] C:\Windows\SysWOW64\Kobkpdfa.exe (PID 1480), command line: C:\Windows\system32\Kobkpdfa.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class

[level 87] C:\Windows\SysWOW64\Kqdhhm32.exe (PID 1968), command line: C:\Windows\system32\Kqdhhm32.exe

[level 88] C:\Windows\SysWOW64\Kkileele.exe (PID 836), command line: C:\Windows\system32\Kkileele.exe
- Adds autorun key to be loaded by Explorer.exe on startup

[level 89] C:\Windows\SysWOW64\Knhhaaki.exe (PID 1140), command line: C:\Windows\system32\Knhhaaki.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class

[level 90] C:\Windows\SysWOW64\Kceqjhiq.exe (PID 1932), command line: C:\Windows\system32\Kceqjhiq.exe

[level 91] C:\Windows\SysWOW64\Knjegqif.exe (PID 2320), command line: C:\Windows\system32\Knjegqif.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory

[level 92] C:\Windows\SysWOW64\Kqiaclhj.exe (PID 1504), command line: C:\Windows\system32\Kqiaclhj.exe

[level 93] C:\Windows\SysWOW64\Kjaelaok.exe (PID 2788), command line: C:\Windows\system32\Kjaelaok.exe

[level 94] C:\Windows\SysWOW64\Konndhmb.exe (PID 1132), command line: C:\Windows\system32\Konndhmb.exe

[level 95] C:\Windows\SysWOW64\Lopkjhko.exe (PID 1748), command line: C:\Windows\system32\Lopkjhko.exe
- Drops file in System32 directory

[level 96] C:\Windows\SysWOW64\Lbogfcjc.exe (PID 368), command line: C:\Windows\system32\Lbogfcjc.exe

[level 97] C:\Windows\SysWOW64\Lkgkoiqc.exe (PID 1844), command line: C:\Windows\system32\Lkgkoiqc.exe
- Drops file in System32 directory

[level 98] C:\Windows\SysWOW64\Lcncpfaf.exe (PID 1608), command line: C:\Windows\system32\Lcncpfaf.exe

[level 99] C:\Windows\SysWOW64\Lflplbpi.exe (PID 2680), command line: C:\Windows\system32\Lflplbpi.exe

[level 100] C:\Windows\SysWOW64\Lmfhil32.exe (PID 2780), command line: C:\Windows\system32\Lmfhil32.exe

[level 101] C:\Windows\SysWOW64\Lbcpac32.exe (PID 2996), command line: C:\Windows\system32\Lbcpac32.exe

[level 102] C:\Windows\SysWOW64\Leammn32.exe (PID 2472), command line: C:\Windows\system32\Leammn32.exe

[level 103] C:\Windows\SysWOW64\Lgpiij32.exe (PID 780), command line: C:\Windows\system32\Lgpiij32.exe

[level 104] C:\Windows\SysWOW64\Lpgajgeg.exe (PID 268), command line: C:\Windows\system32\Lpgajgeg.exe
- Drops file in System32 directory

[level 105] C:\Windows\SysWOW64\Lahmbo32.exe (PID 2120), command line: C:\Windows\system32\Lahmbo32.exe

[level 106] C:\Windows\SysWOW64\Llnaoh32.exe (PID 2784), command line: C:\Windows\system32\Llnaoh32.exe

[level 107] C:\Windows\SysWOW64\Mbhjlbbh.exe (PID 2804), command line: C:\Windows\system32\Mbhjlbbh.exe

[level 108] C:\Windows\SysWOW64\Meffhnal.exe (PID 2208), command line: C:\Windows\system32\Meffhnal.exe

[level 109] C:\Windows\SysWOW64\Mgebdipp.exe (PID 1716), command line: C:\Windows\system32\Mgebdipp.exe

[level 110] C:\Windows\SysWOW64\Mlpneh32.exe (PID 2960), command line: C:\Windows\system32\Mlpneh32.exe
- Modifies registry class

[level 111] C:\Windows\SysWOW64\Mmakmp32.exe (PID 2280), command line: C:\Windows\system32\Mmakmp32.exe

[level 112] C:\Windows\SysWOW64\Mclcijfd.exe (PID 1688), command line: C:\Windows\system32\Mclcijfd.exe

[level 113] C:\Windows\SysWOW64\Mnaggcej.exe (PID 900), command line: C:\Windows\system32\Mnaggcej.exe

[level 114] C:\Windows\SysWOW64\Mapccndn.exe (PID 3048), command line: C:\Windows\system32\Mapccndn.exe

[level 115] C:\Windows\SysWOW64\Mhilph32.exe (PID 1248), command line: C:\Windows\system32\Mhilph32.exe

[level 116] C:\Windows\SysWOW64\Mikhgqbi.exe (PID 3016), command line: C:\Windows\system32\Mikhgqbi.exe

[level 117] C:\Windows\SysWOW64\Mabphn32.exe (PID 3040), command line: C:\Windows\system32\Mabphn32.exe

[level 118] C:\Windows\SysWOW64\Mbcmpfhi.exe (PID 2228), command line: C:\Windows\system32\Mbcmpfhi.exe

[level 119] C:\Windows\SysWOW64\Mimemp32.exe (PID 2444), command line: C:\Windows\system32\Mimemp32.exe

[level 120] C:\Windows\SysWOW64\Medeaaej.exe (PID 2724), command line: C:\Windows\system32\Medeaaej.exe

[level 121] C:\Windows\SysWOW64\Nlnnnk32.exe (PID 688), command line: C:\Windows\system32\Nlnnnk32.exe
- Adds autorun key to be loaded by Explorer.exe on startup

[level 122] C:\Windows\SysWOW64\Nhdocl32.exe (PID 2408), command line: C:\Windows\system32\Nhdocl32.exe
- Adds autorun key to be loaded by Explorer.exe on startup