Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
24/04/2024, 13:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1e06e2cbcea0abbe07d1b0477a9ce1b47239ef4060ed07ab91effe93eef89320.exe
Resource
win7-20240215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
1e06e2cbcea0abbe07d1b0477a9ce1b47239ef4060ed07ab91effe93eef89320.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
1e06e2cbcea0abbe07d1b0477a9ce1b47239ef4060ed07ab91effe93eef89320.exe
-
Size
165KB
-
MD5
3ecd4131086634a188565c4ec5329e3d
-
SHA1
37945108d48d664dc477a59891f130cf54d465b5
-
SHA256
1e06e2cbcea0abbe07d1b0477a9ce1b47239ef4060ed07ab91effe93eef89320
-
SHA512
3d22ab1f3529dce4a049c5008273b2fe44fd8b2f6865cc9aaf80fca0929d11736d1614a73e6448bcc51926e934de5785021a0622e2e1939091310d92889b9efa
-
SSDEEP
3072:TT8OwuWee8nmOT3vQfEdArGzHq+egM5bylnO/hZP:FwumK9bQMdArGzHregqgnO
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cngcjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eflgccbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnpnndgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bafidiio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfjqnjkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejmebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogfpbeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocomlemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjdbnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gldkfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dolnad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dggcffhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqijej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngfcca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcknbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkclhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkeimlfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paejki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgqcmlgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnhkcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikpjgkjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llfifq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bldcpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mofecpnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebgacddo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmjejphb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igdogl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncjqhmkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Namqci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 1e06e2cbcea0abbe07d1b0477a9ce1b47239ef4060ed07ab91effe93eef89320.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogfpbeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cljcelan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llfifq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fejgko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhdlkdkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djhphncm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcadac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kappfeln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fehjeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alnqqd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Labhkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpfdalii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccngld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iokfhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgeefbhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afcenm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpkjko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlakpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Incpoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omdneebf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Penfelgm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhcdaibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imfqjbli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcdnao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cndbcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keikqhhe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eecqjpee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gogangdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghoegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofhick32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cklmgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Madapkmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnneja32.exe -
Executes dropped EXE 64 IoCs
pid Process 2488 Kappfeln.exe 2596 Kbalnnam.exe 2528 Kfmhol32.exe 2440 Kikdkh32.exe 2148 Kmgpkfab.exe 2524 Kinaqg32.exe 2316 Kmimafop.exe 2700 Knjiin32.exe 2752 Kedaeh32.exe 1744 Khcnad32.exe 1624 Kbhbom32.exe 1368 Kibjkgca.exe 2152 Kbkodl32.exe 2240 Keikqhhe.exe 1900 Lhggmchi.exe 2052 Loapim32.exe 488 Laplei32.exe 1580 Ldnhad32.exe 1832 Lhjdbcef.exe 108 Lkhpnnej.exe 1136 Labhkh32.exe 3060 Ldqegd32.exe 1612 Lkkmdn32.exe 2044 Lmiipi32.exe 1164 Lbfahp32.exe 1048 Lkmjin32.exe 1968 Lplogdmj.exe 2628 Midcpj32.exe 2532 Mlcple32.exe 2568 Mcmhiojk.exe 2736 Mekdekin.exe 2868 Mkhmma32.exe 644 Mochnppo.exe 2732 Mabejlob.exe 2864 Mdqafgnf.exe 2472 Mofecpnl.exe 2120 Madapkmp.exe 1488 Mdcnlglc.exe 1468 Mohbip32.exe 2076 Mdejaf32.exe 2220 Mgcgmb32.exe 1884 Nnnojlpa.exe 2820 Nplkfgoe.exe 588 Ncjgbcoi.exe 1456 Ngfcca32.exe 1892 Njdpomfe.exe 3052 Nlblkhei.exe 3056 Nghphaeo.exe 380 Nfkpdn32.exe 1072 Nqqdag32.exe 2724 Ncoamb32.exe 2780 Njiijlbp.exe 2496 Nhlifi32.exe 2008 Nqcagfim.exe 2636 Nofabc32.exe 2432 Nfpjomgd.exe 2692 Nhnfkigh.exe 2644 Nkmbgdfl.exe 2768 Nohnhc32.exe 1760 Okoomd32.exe 1796 Oojknblb.exe 1464 Odgcfijj.exe 1256 Ogfpbeim.exe 1952 Oqndkj32.exe -
Loads dropped DLL 64 IoCs
pid Process 1664 1e06e2cbcea0abbe07d1b0477a9ce1b47239ef4060ed07ab91effe93eef89320.exe 1664 1e06e2cbcea0abbe07d1b0477a9ce1b47239ef4060ed07ab91effe93eef89320.exe 2488 Kappfeln.exe 2488 Kappfeln.exe 2596 Kbalnnam.exe 2596 Kbalnnam.exe 2528 Kfmhol32.exe 2528 Kfmhol32.exe 2440 Kikdkh32.exe 2440 Kikdkh32.exe 2148 Kmgpkfab.exe 2148 Kmgpkfab.exe 2524 Kinaqg32.exe 2524 Kinaqg32.exe 2316 Kmimafop.exe 2316 Kmimafop.exe 2700 Knjiin32.exe 2700 Knjiin32.exe 2752 Kedaeh32.exe 2752 Kedaeh32.exe 1744 Khcnad32.exe 1744 Khcnad32.exe 1624 Kbhbom32.exe 1624 Kbhbom32.exe 1368 Kibjkgca.exe 1368 Kibjkgca.exe 2152 Kbkodl32.exe 2152 Kbkodl32.exe 2240 Keikqhhe.exe 2240 Keikqhhe.exe 1900 Lhggmchi.exe 1900 Lhggmchi.exe 2052 Loapim32.exe 2052 Loapim32.exe 488 Laplei32.exe 488 Laplei32.exe 1580 Ldnhad32.exe 1580 Ldnhad32.exe 1832 Lhjdbcef.exe 1832 Lhjdbcef.exe 108 Lkhpnnej.exe 108 Lkhpnnej.exe 1136 Labhkh32.exe 1136 Labhkh32.exe 3060 Ldqegd32.exe 3060 Ldqegd32.exe 1612 Lkkmdn32.exe 1612 Lkkmdn32.exe 2044 Lmiipi32.exe 2044 Lmiipi32.exe 1164 Lbfahp32.exe 1164 Lbfahp32.exe 1048 Lkmjin32.exe 1048 Lkmjin32.exe 1968 Lplogdmj.exe 1968 Lplogdmj.exe 2628 Midcpj32.exe 2628 Midcpj32.exe 2532 Mlcple32.exe 2532 Mlcple32.exe 2568 Mcmhiojk.exe 2568 Mcmhiojk.exe 2736 Mekdekin.exe 2736 Mekdekin.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kihqkagp.exe Kemejc32.exe File created C:\Windows\SysWOW64\Nialog32.exe Mlmlecec.exe File created C:\Windows\SysWOW64\Odifab32.dll Dfamcogo.exe File opened for modification C:\Windows\SysWOW64\Kbqecg32.exe Kjjmbj32.exe File created C:\Windows\SysWOW64\Qmhccl32.dll Bidjnkdg.exe File created C:\Windows\SysWOW64\Eddpkh32.dll Bldcpf32.exe File created C:\Windows\SysWOW64\Eqdajkkb.exe Emieil32.exe File created C:\Windows\SysWOW64\Pdamlbjc.dll Qnigda32.exe File opened for modification C:\Windows\SysWOW64\Bcaomf32.exe Bdooajdc.exe File created C:\Windows\SysWOW64\Dodonf32.exe Dflkdp32.exe File opened for modification C:\Windows\SysWOW64\Iblpjdpk.exe Inqcif32.exe File opened for modification C:\Windows\SysWOW64\Cnobnmpl.exe Cjdfmo32.exe File created C:\Windows\SysWOW64\Dfamcogo.exe Dccagcgk.exe File created C:\Windows\SysWOW64\Dlnhdh32.dll Kmgpkfab.exe File created C:\Windows\SysWOW64\Andkhh32.dll Aigaon32.exe File created C:\Windows\SysWOW64\Ekholjqg.exe Ejgcdb32.exe File created C:\Windows\SysWOW64\Biapcobb.dll Jbllihbf.exe File created C:\Windows\SysWOW64\Gncffdfn.dll Bnpmipql.exe File created C:\Windows\SysWOW64\Kbqecg32.exe Kjjmbj32.exe File created C:\Windows\SysWOW64\Fpkeqmgm.dll Obcccl32.exe File created C:\Windows\SysWOW64\Bpiipf32.exe Bafidiio.exe File opened for modification C:\Windows\SysWOW64\Qagcpljo.exe Qnigda32.exe File opened for modification C:\Windows\SysWOW64\Epdkli32.exe Ekholjqg.exe File created C:\Windows\SysWOW64\Nolcnd32.dll Idhopq32.exe File created C:\Windows\SysWOW64\Oopnlacm.exe Oqmmpd32.exe File created C:\Windows\SysWOW64\Najgne32.dll Eqijej32.exe File opened for modification C:\Windows\SysWOW64\Clcflkic.exe Cdlnkmha.exe File created C:\Windows\SysWOW64\Kqgmkdbj.dll Kjqccigf.exe File created C:\Windows\SysWOW64\Nadddkfi.dll Oddpfc32.exe File opened for modification C:\Windows\SysWOW64\Bhkdeggl.exe Biicik32.exe File created C:\Windows\SysWOW64\Jlbjhf32.dll Llkbap32.exe File opened for modification C:\Windows\SysWOW64\Flmefm32.exe Fmjejphb.exe File created C:\Windows\SysWOW64\Ffbicfoc.exe Fbgmbg32.exe File created C:\Windows\SysWOW64\Kaceodek.exe Kbqecg32.exe File opened for modification C:\Windows\SysWOW64\Pqhpdhcc.exe Pbfpik32.exe File created C:\Windows\SysWOW64\Ekjajfei.dll Bppoqeja.exe File opened for modification C:\Windows\SysWOW64\Oqcnfjli.exe Omgaek32.exe File created C:\Windows\SysWOW64\Ljenlcfa.dll Eqonkmdh.exe File created C:\Windows\SysWOW64\Kjjmbj32.exe Kkgmgmfd.exe File opened for modification C:\Windows\SysWOW64\Pfiidobe.exe Pmqdkj32.exe File created C:\Windows\SysWOW64\Pdfdcg32.dll Bhahlj32.exe File opened for modification C:\Windows\SysWOW64\Bdooajdc.exe Baqbenep.exe File created C:\Windows\SysWOW64\Gejcjbah.exe Gangic32.exe File opened for modification C:\Windows\SysWOW64\Nlfgbn32.dll Igihbknb.exe File created C:\Windows\SysWOW64\Dpmqjgdc.dll Peiepfgg.exe File opened for modification C:\Windows\SysWOW64\Ehgppi32.exe Edkcojga.exe File opened for modification C:\Windows\SysWOW64\Plahag32.exe Piblek32.exe File opened for modification C:\Windows\SysWOW64\Qeqbkkej.exe Qbbfopeg.exe File created C:\Windows\SysWOW64\Mocaac32.dll Bopicc32.exe File created C:\Windows\SysWOW64\Fmlapp32.exe Fiaeoang.exe File opened for modification C:\Windows\SysWOW64\Ghfbqn32.exe Gicbeald.exe File created C:\Windows\SysWOW64\Llfifq32.exe Lmcijcbe.exe File created C:\Windows\SysWOW64\Ognnoaka.dll Cngcjo32.exe File opened for modification C:\Windows\SysWOW64\Chemfl32.exe Cfgaiaci.exe File opened for modification C:\Windows\SysWOW64\Dchali32.exe Ddeaalpg.exe File created C:\Windows\SysWOW64\Jkhgfq32.dll Dkcofe32.exe File created C:\Windows\SysWOW64\Lqamandk.dll Aajpelhl.exe File opened for modification C:\Windows\SysWOW64\Ffkcbgek.exe Fcmgfkeg.exe File opened for modification C:\Windows\SysWOW64\Ofjfhk32.exe Obojhlbq.exe File created C:\Windows\SysWOW64\Pgeefbhm.exe Pciifc32.exe File opened for modification C:\Windows\SysWOW64\Pgeefbhm.exe Pciifc32.exe File opened for modification C:\Windows\SysWOW64\Bhcdaibd.exe Bdhhqk32.exe File opened for modification C:\Windows\SysWOW64\Fiaeoang.exe Ffbicfoc.exe File created C:\Windows\SysWOW64\Gelppaof.exe Gbnccfpb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6324 6296 WerFault.exe 625 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adeplhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdecfpj.dll" Bnbjopoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dodonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipnnggjm.dll" Jnclnihj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecqqpgli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbiciana.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djefobmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jiondcpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nadddkfi.dll" Oddpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ognnoaka.dll" Cngcjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aefeijle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogilika.dll" Ccngld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbodgap.dll" Cbnbobin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igihbknb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcpjl32.dll" Ghoegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmeidehe.dll" Nkgbbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdapak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncjqhmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgjcijfp.dll" Cdgneh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efncicpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpdcoomf.dll" Cgcmlcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bioggp32.dll" Claifkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkgmgmfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjdfmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlobf32.dll" Nghphaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncffdfn.dll" Bnpmipql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiogaqdb.dll" Hhjhkq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcplhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odifab32.dll" Dfamcogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blipbfpp.dll" Ldqegd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gelppaof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gddifnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlmfmihf.dll" Jfekcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aonghnnp.dll" Namqci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhkdeggl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkhpnnej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aenbdoii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffbicfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iblpjdpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcdnao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbnbobin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cndbcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpknlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pefijfii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mekdekin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dchali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebedndfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfghif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfmepigc.dll" Kmjfdejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkophk32.dll" Maoajf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgljbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baakhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hknach32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlfgbn32.dll" Igihbknb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igihbknb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmjfdejp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdgneh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dglpbbbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dggcffhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnneja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbidmekh.dll" Epieghdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcqgok32.dll" Fiaeoang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll" Gddifnbk.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1664 wrote to memory of 2488 1664 1e06e2cbcea0abbe07d1b0477a9ce1b47239ef4060ed07ab91effe93eef89320.exe 28 PID 1664 wrote to memory of 2488 1664 1e06e2cbcea0abbe07d1b0477a9ce1b47239ef4060ed07ab91effe93eef89320.exe 28 PID 1664 wrote to memory of 2488 1664 1e06e2cbcea0abbe07d1b0477a9ce1b47239ef4060ed07ab91effe93eef89320.exe 28 PID 1664 wrote to memory of 2488 1664 1e06e2cbcea0abbe07d1b0477a9ce1b47239ef4060ed07ab91effe93eef89320.exe 28 PID 2488 wrote to memory of 2596 2488 Kappfeln.exe 29 PID 2488 wrote to memory of 2596 2488 Kappfeln.exe 29 PID 2488 wrote to memory of 2596 2488 Kappfeln.exe 29 PID 2488 wrote to memory of 2596 2488 Kappfeln.exe 29 PID 2596 wrote to memory of 2528 2596 Kbalnnam.exe 30 PID 2596 wrote to memory of 2528 2596 Kbalnnam.exe 30 PID 2596 wrote to memory of 2528 2596 Kbalnnam.exe 30 PID 2596 wrote to memory of 2528 2596 Kbalnnam.exe 30 PID 2528 wrote to memory of 2440 2528 Kfmhol32.exe 31 PID 2528 wrote to memory of 2440 2528 Kfmhol32.exe 31 PID 2528 wrote to memory of 2440 2528 Kfmhol32.exe 31 PID 2528 wrote to memory of 2440 2528 Kfmhol32.exe 31 PID 2440 wrote to memory of 2148 2440 Kikdkh32.exe 32 PID 2440 wrote to memory of 2148 2440 Kikdkh32.exe 32 PID 2440 wrote to memory of 2148 2440 Kikdkh32.exe 32 PID 2440 wrote to memory of 2148 2440 Kikdkh32.exe 32 PID 2148 wrote to memory of 2524 2148 Kmgpkfab.exe 33 PID 2148 wrote to memory of 2524 2148 Kmgpkfab.exe 33 PID 2148 wrote to memory of 2524 2148 Kmgpkfab.exe 33 PID 2148 wrote to memory of 2524 2148 Kmgpkfab.exe 33 PID 2524 wrote to memory of 2316 2524 Kinaqg32.exe 34 PID 2524 wrote to memory of 2316 2524 Kinaqg32.exe 34 PID 2524 wrote to memory of 2316 2524 Kinaqg32.exe 34 PID 2524 wrote to memory of 2316 2524 Kinaqg32.exe 34 PID 2316 wrote to memory of 2700 2316 Kmimafop.exe 35 PID 2316 wrote to memory of 2700 2316 Kmimafop.exe 35 PID 2316 wrote to memory of 2700 2316 Kmimafop.exe 35 PID 2316 wrote to memory of 2700 2316 Kmimafop.exe 35 PID 2700 wrote to memory of 2752 2700 Knjiin32.exe 36 PID 2700 wrote to memory of 2752 2700 Knjiin32.exe 36 PID 2700 wrote to memory of 2752 2700 Knjiin32.exe 36 PID 2700 wrote to memory of 2752 2700 Knjiin32.exe 36 PID 2752 wrote to memory of 1744 2752 Kedaeh32.exe 37 PID 2752 wrote to memory of 1744 2752 Kedaeh32.exe 37 PID 2752 wrote to memory of 1744 2752 Kedaeh32.exe 37 PID 2752 wrote to memory of 1744 2752 Kedaeh32.exe 37 PID 1744 wrote to memory of 1624 1744 Khcnad32.exe 38 PID 1744 wrote to memory of 1624 1744 Khcnad32.exe 38 PID 1744 wrote to memory of 1624 1744 Khcnad32.exe 38 PID 1744 wrote to memory of 1624 1744 Khcnad32.exe 38 PID 1624 wrote to memory of 1368 1624 Kbhbom32.exe 39 PID 1624 wrote to memory of 1368 1624 Kbhbom32.exe 39 PID 1624 wrote to memory of 1368 1624 Kbhbom32.exe 39 PID 1624 wrote to memory of 1368 1624 Kbhbom32.exe 39 PID 1368 wrote to memory of 2152 1368 Kibjkgca.exe 40 PID 1368 wrote to memory of 2152 1368 Kibjkgca.exe 40 PID 1368 wrote to memory of 2152 1368 Kibjkgca.exe 40 PID 1368 wrote to memory of 2152 1368 Kibjkgca.exe 40 PID 2152 wrote to memory of 2240 2152 Kbkodl32.exe 41 PID 2152 wrote to memory of 2240 2152 Kbkodl32.exe 41 PID 2152 wrote to memory of 2240 2152 Kbkodl32.exe 41 PID 2152 wrote to memory of 2240 2152 Kbkodl32.exe 41 PID 2240 wrote to memory of 1900 2240 Keikqhhe.exe 42 PID 2240 wrote to memory of 1900 2240 Keikqhhe.exe 42 PID 2240 wrote to memory of 1900 2240 Keikqhhe.exe 42 PID 2240 wrote to memory of 1900 2240 Keikqhhe.exe 42 PID 1900 wrote to memory of 2052 1900 Lhggmchi.exe 43 PID 1900 wrote to memory of 2052 1900 Lhggmchi.exe 43 PID 1900 wrote to memory of 2052 1900 Lhggmchi.exe 43 PID 1900 wrote to memory of 2052 1900 Lhggmchi.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e06e2cbcea0abbe07d1b0477a9ce1b47239ef4060ed07ab91effe93eef89320.exe"C:\Users\Admin\AppData\Local\Temp\1e06e2cbcea0abbe07d1b0477a9ce1b47239ef4060ed07ab91effe93eef89320.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Kappfeln.exeC:\Windows\system32\Kappfeln.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Kbalnnam.exeC:\Windows\system32\Kbalnnam.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Kfmhol32.exeC:\Windows\system32\Kfmhol32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Kikdkh32.exeC:\Windows\system32\Kikdkh32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Kmgpkfab.exeC:\Windows\system32\Kmgpkfab.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Kinaqg32.exeC:\Windows\system32\Kinaqg32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Knjiin32.exeC:\Windows\system32\Knjiin32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Kedaeh32.exeC:\Windows\system32\Kedaeh32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Khcnad32.exeC:\Windows\system32\Khcnad32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Kibjkgca.exeC:\Windows\system32\Kibjkgca.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Kbkodl32.exeC:\Windows\system32\Kbkodl32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Keikqhhe.exeC:\Windows\system32\Keikqhhe.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2052 -
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:488 -
C:\Windows\SysWOW64\Ldnhad32.exeC:\Windows\system32\Ldnhad32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1580 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1832 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:108 -
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1136 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1612 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2044 -
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1164 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1048 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1968 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2628 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2532 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe33⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe34⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe35⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe36⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe39⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe40⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe41⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe42⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe43⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe44⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe45⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe47⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe48⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe50⤵
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe51⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe52⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe53⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe54⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe55⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe56⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe57⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe58⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe59⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe60⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe61⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe62⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe63⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe65⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe66⤵PID:540
-
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe67⤵PID:1684
-
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe68⤵PID:1420
-
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe69⤵PID:2972
-
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1052 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe71⤵
- Drops file in System32 directory
PID:1276 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe72⤵PID:968
-
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe73⤵PID:1736
-
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe74⤵PID:2832
-
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2956 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe76⤵PID:2716
-
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe77⤵PID:2520
-
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe78⤵PID:2476
-
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe79⤵PID:2668
-
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe80⤵
- Modifies registry class
PID:1472 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe81⤵PID:2656
-
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe82⤵
- Drops file in System32 directory
PID:296 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe83⤵PID:1336
-
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe84⤵PID:2168
-
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe85⤵PID:2384
-
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe86⤵
- Drops file in System32 directory
PID:2848 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe87⤵PID:1080
-
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe88⤵PID:808
-
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe89⤵PID:872
-
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe90⤵PID:980
-
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1304 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe92⤵PID:932
-
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe93⤵PID:2888
-
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe94⤵
- Drops file in System32 directory
PID:1676 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe95⤵PID:2704
-
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe96⤵PID:2608
-
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe97⤵PID:2616
-
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe98⤵
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe99⤵PID:2756
-
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe100⤵
- Modifies registry class
PID:680 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe101⤵PID:1644
-
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe102⤵PID:1596
-
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe103⤵PID:1640
-
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe104⤵
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe105⤵PID:1244
-
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe106⤵PID:2064
-
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe107⤵PID:600
-
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe108⤵PID:668
-
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe109⤵PID:652
-
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe110⤵PID:1012
-
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe111⤵
- Drops file in System32 directory
PID:320 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe112⤵PID:780
-
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe113⤵PID:924
-
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe114⤵PID:2428
-
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe115⤵
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe116⤵PID:2420
-
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe117⤵PID:2448
-
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe118⤵PID:2408
-
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe119⤵PID:1768
-
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe120⤵PID:2164
-
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe121⤵PID:852
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-