Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
30/04/2024, 23:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6e9c1fb04c3238d0f80cb46a70105c5968a42eb944332fa5cff7ffc821d0fbe9.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
6e9c1fb04c3238d0f80cb46a70105c5968a42eb944332fa5cff7ffc821d0fbe9.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
6e9c1fb04c3238d0f80cb46a70105c5968a42eb944332fa5cff7ffc821d0fbe9.exe
-
Size
483KB
-
MD5
3b32bf3191a4cc054ed1a0268b082b3b
-
SHA1
77874233e06ebb8d2d36d247fd19ab9183589995
-
SHA256
6e9c1fb04c3238d0f80cb46a70105c5968a42eb944332fa5cff7ffc821d0fbe9
-
SHA512
81074a2560ba8dc9fdfee3709f0c4f401e269362457eee21105f24b58754b9ded7d3e80b8c0f47ea8b34d95f3e721d5fe2cc8d9a2d2e2ae0ba0ba1adac78248b
-
SSDEEP
6144:vEqyKtFy5v1k3RMZebBDRMZebBGzxUur/THL1k3RMZebBvG0NPhGcRPTDpL1k3RC:vXtY5vARM0RM/3ARMSG0dhvARMoHG
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqhpdhcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chnqkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Migpeiag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knjbnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndmjedoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emnndlod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmnbkinf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pelipl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Loeebl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lecgje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dglpbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmnbkinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ambmpmln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idhopq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqalka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noqamn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpjoqhah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjlgiqbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Albjlcao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghfbqn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nejiih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajjcbpdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnefdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkgkbipp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflkdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebedndfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aplifb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apcfahio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Begeknan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcbllb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Albjlcao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cafecmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afmonbqk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kblhgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkkalk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhiffc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oikojfgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaobdjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nplkfgoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnbkddem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bioqclil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnpnndgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piphee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhdlkdkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oicpfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqndkj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bifgdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cklmgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djbiicon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mimbdhhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efaibbij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqopea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nolhan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojahnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajjcbpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnaocmmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cldooj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmhmpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkiogn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghkllmoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdhbam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfbccp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gonnhhln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epdkli32.exe -
Executes dropped EXE 64 IoCs
pid Process 2996 Lkkmdn32.exe 2644 Lganiohl.exe 2420 Lgdjnofi.exe 2436 Lmnbkinf.exe 2416 Midcpj32.exe 2600 Maphdl32.exe 2668 Migpeiag.exe 2784 Mlgigdoh.exe 2884 Mhnjle32.exe 1744 Mpjoqhah.exe 2292 Nplkfgoe.exe 1544 Nkaocp32.exe 1612 Njgldmdc.exe 2268 Nocemcbj.exe 1152 Ncancbha.exe 1072 Nkmbgdfl.exe 560 Odegpj32.exe 1700 Omloag32.exe 452 Odgcfijj.exe 2072 Oicpfh32.exe 1212 Oomhcbjp.exe 2328 Oqndkj32.exe 2056 Oiellh32.exe 1976 Onbddoog.exe 2364 Ogjimd32.exe 2604 Okfencna.exe 2556 Ocajbekl.exe 2536 Ojkboo32.exe 2824 Pminkk32.exe 2468 Pfbccp32.exe 2456 Pipopl32.exe 2916 Pcfcmd32.exe 1932 Piblek32.exe 2788 Plahag32.exe 1508 Pchpbded.exe 1940 Pmqdkj32.exe 1748 Pelipl32.exe 1848 Pigeqkai.exe 1596 Pbpjiphi.exe 2224 Penfelgm.exe 2508 Qhmbagfa.exe 2012 Qaefjm32.exe 2244 Qljkhe32.exe 1396 Qnigda32.exe 2380 Qmlgonbe.exe 3036 Qagcpljo.exe 1228 Ahakmf32.exe 1404 Ankdiqih.exe 2860 Aajpelhl.exe 1636 Adhlaggp.exe 1500 Affhncfc.exe 2552 Aiedjneg.exe 2624 Ampqjm32.exe 2828 Adjigg32.exe 2372 Abmibdlh.exe 2484 Ajdadamj.exe 2660 Ambmpmln.exe 356 Apajlhka.exe 1908 Abpfhcje.exe 2140 Aenbdoii.exe 1336 Aiinen32.exe 1588 Apcfahio.exe 1436 Abbbnchb.exe 1832 Afmonbqk.exe -
Loads dropped DLL 64 IoCs
pid Process 2964 6e9c1fb04c3238d0f80cb46a70105c5968a42eb944332fa5cff7ffc821d0fbe9.exe 2964 6e9c1fb04c3238d0f80cb46a70105c5968a42eb944332fa5cff7ffc821d0fbe9.exe 2996 Lkkmdn32.exe 2996 Lkkmdn32.exe 2644 Lganiohl.exe 2644 Lganiohl.exe 2420 Lgdjnofi.exe 2420 Lgdjnofi.exe 2436 Lmnbkinf.exe 2436 Lmnbkinf.exe 2416 Midcpj32.exe 2416 Midcpj32.exe 2600 Maphdl32.exe 2600 Maphdl32.exe 2668 Migpeiag.exe 2668 Migpeiag.exe 2784 Mlgigdoh.exe 2784 Mlgigdoh.exe 2884 Mhnjle32.exe 2884 Mhnjle32.exe 1744 Mpjoqhah.exe 1744 Mpjoqhah.exe 2292 Nplkfgoe.exe 2292 Nplkfgoe.exe 1544 Nkaocp32.exe 1544 Nkaocp32.exe 1612 Njgldmdc.exe 1612 Njgldmdc.exe 2268 Nocemcbj.exe 2268 Nocemcbj.exe 1152 Ncancbha.exe 1152 Ncancbha.exe 1072 Nkmbgdfl.exe 1072 Nkmbgdfl.exe 560 Odegpj32.exe 560 Odegpj32.exe 1700 Omloag32.exe 1700 Omloag32.exe 452 Odgcfijj.exe 452 Odgcfijj.exe 2072 Oicpfh32.exe 2072 Oicpfh32.exe 1212 Oomhcbjp.exe 1212 Oomhcbjp.exe 2328 Oqndkj32.exe 2328 Oqndkj32.exe 2056 Oiellh32.exe 2056 Oiellh32.exe 1976 Onbddoog.exe 1976 Onbddoog.exe 2364 Ogjimd32.exe 2364 Ogjimd32.exe 2604 Okfencna.exe 2604 Okfencna.exe 2556 Ocajbekl.exe 2556 Ocajbekl.exe 2536 Ojkboo32.exe 2536 Ojkboo32.exe 2824 Pminkk32.exe 2824 Pminkk32.exe 2468 Pfbccp32.exe 2468 Pfbccp32.exe 2456 Pipopl32.exe 2456 Pipopl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dbhnhp32.exe Dojald32.exe File created C:\Windows\SysWOW64\Ccdcec32.dll Cndbcc32.exe File opened for modification C:\Windows\SysWOW64\Eloemi32.exe Eeempocb.exe File created C:\Windows\SysWOW64\Faokjpfd.exe Fnpnndgp.exe File created C:\Windows\SysWOW64\Lflmci32.exe Loeebl32.exe File opened for modification C:\Windows\SysWOW64\Lefdpe32.exe Lmolnh32.exe File created C:\Windows\SysWOW64\Nejiih32.exe Noqamn32.exe File created C:\Windows\SysWOW64\Dakmkaok.dll Ojahnj32.exe File created C:\Windows\SysWOW64\Pjenhm32.exe Pclfkc32.exe File created C:\Windows\SysWOW64\Mlgigdoh.exe Migpeiag.exe File created C:\Windows\SysWOW64\Ddeaalpg.exe Dnlidb32.exe File created C:\Windows\SysWOW64\Dbfabp32.exe Dpeekh32.exe File created C:\Windows\SysWOW64\Gacpdbej.exe Gmgdddmq.exe File opened for modification C:\Windows\SysWOW64\Jcdbbloa.exe Joifam32.exe File created C:\Windows\SysWOW64\Akodpalp.dll Kgpjanje.exe File created C:\Windows\SysWOW64\Loeebl32.exe Llfifq32.exe File opened for modification C:\Windows\SysWOW64\Mijfnh32.exe Mbpnanch.exe File created C:\Windows\SysWOW64\Djmicm32.exe Dbfabp32.exe File created C:\Windows\SysWOW64\Kodppf32.dll Penfelgm.exe File created C:\Windows\SysWOW64\Emhlfmgj.exe Eeqdep32.exe File created C:\Windows\SysWOW64\Dhbfdjdp.exe Dbhnhp32.exe File opened for modification C:\Windows\SysWOW64\Ldfgebbe.exe Lecgje32.exe File created C:\Windows\SysWOW64\Fkckeh32.exe Fidoim32.exe File created C:\Windows\SysWOW64\Apajlhka.exe Ambmpmln.exe File opened for modification C:\Windows\SysWOW64\Ioijbj32.exe Iknnbklc.exe File created C:\Windows\SysWOW64\Gmgdddmq.exe Glfhll32.exe File opened for modification C:\Windows\SysWOW64\Hhmepp32.exe Hjjddchg.exe File created C:\Windows\SysWOW64\Cnmehnan.exe Cgcmlcja.exe File created C:\Windows\SysWOW64\Fqpjbf32.dll Cjndop32.exe File opened for modification C:\Windows\SysWOW64\Eijcpoac.exe Eflgccbp.exe File created C:\Windows\SysWOW64\Hpapln32.exe Hhjhkq32.exe File created C:\Windows\SysWOW64\Jjlcbpdk.dll Qjjgclai.exe File created C:\Windows\SysWOW64\Dpbheh32.exe Dndlim32.exe File opened for modification C:\Windows\SysWOW64\Lhmjkaoc.exe Lflmci32.exe File opened for modification C:\Windows\SysWOW64\Namqci32.exe Nkbhgojk.exe File opened for modification C:\Windows\SysWOW64\Hkpnhgge.exe Hdfflm32.exe File opened for modification C:\Windows\SysWOW64\Ldidkbpb.exe Lefdpe32.exe File created C:\Windows\SysWOW64\Ofbjgh32.dll Mmhodf32.exe File created C:\Windows\SysWOW64\Qcbllb32.exe Qpgpkcpp.exe File created C:\Windows\SysWOW64\Cjndop32.exe Cgpgce32.exe File opened for modification C:\Windows\SysWOW64\Fhffaj32.exe Ealnephf.exe File created C:\Windows\SysWOW64\Lponfjoo.dll Hpapln32.exe File created C:\Windows\SysWOW64\Maodqp32.dll Jjojofgn.exe File opened for modification C:\Windows\SysWOW64\Meagci32.exe Mdpjlajk.exe File opened for modification C:\Windows\SysWOW64\Aehboi32.exe Abjebn32.exe File opened for modification C:\Windows\SysWOW64\Pmqdkj32.exe Pchpbded.exe File created C:\Windows\SysWOW64\Aifone32.dll Ailkjmpo.exe File created C:\Windows\SysWOW64\Fgpimg32.dll Bghjhp32.exe File opened for modification C:\Windows\SysWOW64\Ocajbekl.exe Okfencna.exe File created C:\Windows\SysWOW64\Mimbdhhb.exe Meagci32.exe File created C:\Windows\SysWOW64\Jfjoqjhi.dll Lbcnhjnj.exe File created C:\Windows\SysWOW64\Mbcjffka.dll Mkeimlfm.exe File created C:\Windows\SysWOW64\Bdjefj32.exe Begeknan.exe File created C:\Windows\SysWOW64\Llfifq32.exe Lemaif32.exe File opened for modification C:\Windows\SysWOW64\Mpjoqhah.exe Mhnjle32.exe File opened for modification C:\Windows\SysWOW64\Logbhl32.exe Lhmjkaoc.exe File created C:\Windows\SysWOW64\Bbnhbg32.dll Ndmjedoi.exe File opened for modification C:\Windows\SysWOW64\Aemkjiem.exe Amfcikek.exe File opened for modification C:\Windows\SysWOW64\Enfenplo.exe Egllae32.exe File created C:\Windows\SysWOW64\Cddfocpb.dll Kcdnao32.exe File created C:\Windows\SysWOW64\Khcmap32.dll Lhmjkaoc.exe File created C:\Windows\SysWOW64\Fbbkkjih.dll Mimbdhhb.exe File created C:\Windows\SysWOW64\Kdanej32.dll Fhhcgj32.exe File opened for modification C:\Windows\SysWOW64\Mmhodf32.exe Mimbdhhb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5220 5196 WerFault.exe 475 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnkicn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnmehnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nobdlg32.dll" Ddeaalpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oincig32.dll" Meagci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gonahjjd.dll" Nhiffc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjjacf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpncj32.dll" Eqdajkkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abbbnchb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkdmcdoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddagfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baqbenep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flojhn32.dll" Ceodnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfffnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqndkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moealbej.dll" Qljkhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmlgonbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfommp32.dll" Peiepfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dndlim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Midcpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ankdiqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmolnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gangic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inngcfid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikbgmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mclgfa32.dll" Bdgafdfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nofmgl32.dll" Pminkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmqdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmafennb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpfkqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkbhgojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkhohik.dll" Onhgbmfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Albjlcao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecdjal32.dll" Dpeekh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nocemcbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqddgc32.dll" Adhlaggp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiekid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efaibbij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkeelohh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbokmqie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdlnkmha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldfgebbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amdhhh32.dll" Nhfipcid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klaoplan.dll" Jejhecaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onhgbmfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnjdhmdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bidjnkdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blgpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eliele32.dll" Mlgigdoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oicpfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkakief.dll" Ebbgid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcgogk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnqphi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enhacojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inegme32.dll" Ejobhppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojkboo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epdkli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmjhbal.dll" Ebinic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohfeog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dojald32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aloeodfi.dll" Fdapak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkeimlfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hejodhmc.dll" Oqkqkdne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjjacf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jokcgmee.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2964 wrote to memory of 2996 2964 6e9c1fb04c3238d0f80cb46a70105c5968a42eb944332fa5cff7ffc821d0fbe9.exe 28 PID 2964 wrote to memory of 2996 2964 6e9c1fb04c3238d0f80cb46a70105c5968a42eb944332fa5cff7ffc821d0fbe9.exe 28 PID 2964 wrote to memory of 2996 2964 6e9c1fb04c3238d0f80cb46a70105c5968a42eb944332fa5cff7ffc821d0fbe9.exe 28 PID 2964 wrote to memory of 2996 2964 6e9c1fb04c3238d0f80cb46a70105c5968a42eb944332fa5cff7ffc821d0fbe9.exe 28 PID 2996 wrote to memory of 2644 2996 Lkkmdn32.exe 29 PID 2996 wrote to memory of 2644 2996 Lkkmdn32.exe 29 PID 2996 wrote to memory of 2644 2996 Lkkmdn32.exe 29 PID 2996 wrote to memory of 2644 2996 Lkkmdn32.exe 29 PID 2644 wrote to memory of 2420 2644 Lganiohl.exe 30 PID 2644 wrote to memory of 2420 2644 Lganiohl.exe 30 PID 2644 wrote to memory of 2420 2644 Lganiohl.exe 30 PID 2644 wrote to memory of 2420 2644 Lganiohl.exe 30 PID 2420 wrote to memory of 2436 2420 Lgdjnofi.exe 31 PID 2420 wrote to memory of 2436 2420 Lgdjnofi.exe 31 PID 2420 wrote to memory of 2436 2420 Lgdjnofi.exe 31 PID 2420 wrote to memory of 2436 2420 Lgdjnofi.exe 31 PID 2436 wrote to memory of 2416 2436 Lmnbkinf.exe 32 PID 2436 wrote to memory of 2416 2436 Lmnbkinf.exe 32 PID 2436 wrote to memory of 2416 2436 Lmnbkinf.exe 32 PID 2436 wrote to memory of 2416 2436 Lmnbkinf.exe 32 PID 2416 wrote to memory of 2600 2416 Midcpj32.exe 33 PID 2416 wrote to memory of 2600 2416 Midcpj32.exe 33 PID 2416 wrote to memory of 2600 2416 Midcpj32.exe 33 PID 2416 wrote to memory of 2600 2416 Midcpj32.exe 33 PID 2600 wrote to memory of 2668 2600 Maphdl32.exe 34 PID 2600 wrote to memory of 2668 2600 Maphdl32.exe 34 PID 2600 wrote to memory of 2668 2600 Maphdl32.exe 34 PID 2600 wrote to memory of 2668 2600 Maphdl32.exe 34 PID 2668 wrote to memory of 2784 2668 Migpeiag.exe 35 PID 2668 wrote to memory of 2784 2668 Migpeiag.exe 35 PID 2668 wrote to memory of 2784 2668 Migpeiag.exe 35 PID 2668 wrote to memory of 2784 2668 Migpeiag.exe 35 PID 2784 wrote to memory of 2884 2784 Mlgigdoh.exe 36 PID 2784 wrote to memory of 2884 2784 Mlgigdoh.exe 36 PID 2784 wrote to memory of 2884 2784 Mlgigdoh.exe 36 PID 2784 wrote to memory of 2884 2784 Mlgigdoh.exe 36 PID 2884 wrote to memory of 1744 2884 Mhnjle32.exe 37 PID 2884 wrote to memory of 1744 2884 Mhnjle32.exe 37 PID 2884 wrote to memory of 1744 2884 Mhnjle32.exe 37 PID 2884 wrote to memory of 1744 2884 Mhnjle32.exe 37 PID 1744 wrote to memory of 2292 1744 Mpjoqhah.exe 38 PID 1744 wrote to memory of 2292 1744 Mpjoqhah.exe 38 PID 1744 wrote to memory of 2292 1744 Mpjoqhah.exe 38 PID 1744 wrote to memory of 2292 1744 Mpjoqhah.exe 38 PID 2292 wrote to memory of 1544 2292 Nplkfgoe.exe 39 PID 2292 wrote to memory of 1544 2292 Nplkfgoe.exe 39 PID 2292 wrote to memory of 1544 2292 Nplkfgoe.exe 39 PID 2292 wrote to memory of 1544 2292 Nplkfgoe.exe 39 PID 1544 wrote to memory of 1612 1544 Nkaocp32.exe 40 PID 1544 wrote to memory of 1612 1544 Nkaocp32.exe 40 PID 1544 wrote to memory of 1612 1544 Nkaocp32.exe 40 PID 1544 wrote to memory of 1612 1544 Nkaocp32.exe 40 PID 1612 wrote to memory of 2268 1612 Njgldmdc.exe 41 PID 1612 wrote to memory of 2268 1612 Njgldmdc.exe 41 PID 1612 wrote to memory of 2268 1612 Njgldmdc.exe 41 PID 1612 wrote to memory of 2268 1612 Njgldmdc.exe 41 PID 2268 wrote to memory of 1152 2268 Nocemcbj.exe 42 PID 2268 wrote to memory of 1152 2268 Nocemcbj.exe 42 PID 2268 wrote to memory of 1152 2268 Nocemcbj.exe 42 PID 2268 wrote to memory of 1152 2268 Nocemcbj.exe 42 PID 1152 wrote to memory of 1072 1152 Ncancbha.exe 43 PID 1152 wrote to memory of 1072 1152 Ncancbha.exe 43 PID 1152 wrote to memory of 1072 1152 Ncancbha.exe 43 PID 1152 wrote to memory of 1072 1152 Ncancbha.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\6e9c1fb04c3238d0f80cb46a70105c5968a42eb944332fa5cff7ffc821d0fbe9.exe"C:\Users\Admin\AppData\Local\Temp\6e9c1fb04c3238d0f80cb46a70105c5968a42eb944332fa5cff7ffc821d0fbe9.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1072 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:560 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1700 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:452 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1212 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2328 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2056 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2364 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2468 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe33⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe34⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe35⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1508 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe39⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe40⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2224 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe42⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe43⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe45⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2380 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe47⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe48⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1404 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe50⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe52⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe53⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe54⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe55⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe56⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe57⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe59⤵
- Executes dropped EXE
PID:356 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe60⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe61⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe62⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1436 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe66⤵
- Drops file in System32 directory
PID:2840 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe67⤵PID:2384
-
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe68⤵PID:2032
-
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe69⤵PID:1704
-
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe70⤵PID:572
-
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe71⤵PID:2820
-
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe72⤵PID:2496
-
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe73⤵PID:2636
-
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe74⤵PID:2516
-
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe75⤵PID:2428
-
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe76⤵PID:2412
-
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe78⤵PID:2792
-
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe79⤵
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe80⤵PID:1888
-
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe81⤵PID:2228
-
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe82⤵PID:488
-
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1692 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe84⤵
- Modifies registry class
PID:576 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe85⤵PID:3032
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe86⤵PID:1852
-
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2944 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe88⤵PID:1632
-
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe89⤵
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe90⤵
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe91⤵PID:2064
-
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe92⤵PID:2936
-
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe93⤵PID:380
-
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe94⤵PID:2400
-
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe95⤵PID:1600
-
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe96⤵PID:2124
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe97⤵PID:996
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe98⤵PID:1400
-
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe99⤵PID:2104
-
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe100⤵PID:2212
-
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe101⤵
- Modifies registry class
PID:1100 -
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe102⤵PID:1688
-
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe103⤵
- Drops file in System32 directory
PID:1732 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3060 -
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe105⤵PID:2504
-
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe106⤵PID:2732
-
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe107⤵PID:2728
-
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe108⤵
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe109⤵PID:1696
-
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe110⤵PID:2480
-
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe111⤵PID:1464
-
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe112⤵
- Drops file in System32 directory
PID:988 -
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe113⤵
- Modifies registry class
PID:696 -
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe114⤵PID:348
-
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe115⤵PID:2168
-
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2264 -
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe117⤵
- Modifies registry class
PID:2528 -
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe118⤵PID:1924
-
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe119⤵PID:2912
-
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe120⤵PID:1736
-
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe121⤵PID:1948
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-