Analysis
-
max time kernel
153s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted
06-05-2024 23:14
Static task
static1
Behavioral task
behavioral1
Sample
8cf16fe353b45691edac47f50e148600b8a85048148d11284ee832269b396599.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
8cf16fe353b45691edac47f50e148600b8a85048148d11284ee832269b396599.exe
Resource
win10v2004-20240226-en
General
-
Target
8cf16fe353b45691edac47f50e148600b8a85048148d11284ee832269b396599.exe
-
Size
192KB
-
MD5
a53b28b640dee0b0ced863cf2989dbea
-
SHA1
128a1140bbcf5c8507566d3fe39fb50198cb679d
-
SHA256
8cf16fe353b45691edac47f50e148600b8a85048148d11284ee832269b396599
-
SHA512
7a97f42685a959d8f9c6ebba76878d7b9231e7f26cfb613d475c6d94de3a3d192f15f980d9f15491734ca855d4a4bb7228fa42cf87fdf191b41d1811f307c3e9
-
SSDEEP
3072:yOmJX+/SDUN98+e9r8Co3o8MdoutkTy27zU:yp+/SgN98/9g33YdoSkTl7zU
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fclohg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moljgeco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eahomk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbihdhhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmbfiokn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gekeie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpcnhbjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npgmjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbgdef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idieob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elnoifjg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aodejohd.exe Key created 
\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pindcboi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahiiqafa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fooecl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Beomhm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojmgggdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmcnap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piknfgmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmdkmnkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecipeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmbpjfij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Denlgq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iihkjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event 
Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkgnalep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfmnbjcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgkooeen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnmojp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jglkfmmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akamol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adohmidb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlnpdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hffbfn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hekgppma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = 
"{79FAA099-1BAE-816E-D711-115290CEE717}" Halaloif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnglcqio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alplfpbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emjomf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fekclnif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmheph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecpomiok.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdpkoalc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aajoapdk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afappe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mckefmai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ageofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" 
Odhipp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbknhqbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djkdnool.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjlpcbqo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Locnlmoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ighhed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggfombmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofjgmdgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfqjhmhk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lglopjkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlkmfkli.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hknmgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iamoon32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Khlinedh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kojkeogp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfiajinf.exe -
UPX dump on OEP (original entry point) 64 IoCs
resource yara_rule behavioral2/files/0x000900000002326d-6.dat UPX behavioral2/files/0x0008000000023273-10.dat UPX behavioral2/files/0x0008000000023273-14.dat UPX behavioral2/files/0x0007000000023275-21.dat UPX behavioral2/files/0x0007000000023277-25.dat UPX behavioral2/files/0x0007000000023279-38.dat UPX behavioral2/files/0x000700000002327b-46.dat UPX behavioral2/files/0x000700000002327d-54.dat UPX behavioral2/files/0x000700000002327f-62.dat UPX behavioral2/files/0x0007000000023281-70.dat UPX behavioral2/files/0x0007000000023283-78.dat UPX behavioral2/files/0x0007000000023285-85.dat UPX behavioral2/files/0x0007000000023287-94.dat UPX behavioral2/files/0x0007000000023289-102.dat UPX behavioral2/files/0x000700000002328b-110.dat UPX behavioral2/files/0x000700000002328d-114.dat UPX behavioral2/files/0x000700000002328f-126.dat UPX behavioral2/files/0x0007000000023291-133.dat UPX behavioral2/files/0x0007000000023293-143.dat UPX behavioral2/files/0x0007000000023295-151.dat UPX behavioral2/files/0x0007000000023297-159.dat UPX behavioral2/files/0x0007000000023299-167.dat UPX behavioral2/files/0x000700000002329b-175.dat UPX behavioral2/files/0x000700000002329d-183.dat UPX behavioral2/files/0x00070000000232a0-191.dat UPX behavioral2/files/0x00070000000232a2-199.dat UPX behavioral2/files/0x00070000000232a4-206.dat UPX behavioral2/files/0x00070000000232a8-215.dat UPX behavioral2/files/0x00070000000232aa-223.dat UPX behavioral2/files/0x00070000000232ac-231.dat UPX behavioral2/files/0x00070000000232ae-239.dat UPX behavioral2/files/0x00070000000232b0-247.dat UPX behavioral2/files/0x00070000000232b2-255.dat UPX behavioral2/files/0x00070000000232b4-263.dat UPX behavioral2/files/0x00070000000232b6-265.dat UPX behavioral2/files/0x00070000000232be-289.dat UPX behavioral2/files/0x00070000000232ca-325.dat UPX behavioral2/files/0x00070000000232d2-349.dat UPX behavioral2/files/0x00070000000232d8-368.dat UPX behavioral2/files/0x00070000000232e0-397.dat UPX 
behavioral2/files/0x00070000000232ec-440.dat UPX behavioral2/files/0x00070000000232f2-462.dat UPX behavioral2/files/0x00070000000232f6-476.dat UPX behavioral2/files/0x00070000000232fd-496.dat UPX behavioral2/files/0x0007000000023301-510.dat UPX behavioral2/files/0x0007000000023305-526.dat UPX behavioral2/files/0x000700000002330b-547.dat UPX behavioral2/files/0x0007000000023317-585.dat UPX behavioral2/files/0x000700000002331d-603.dat UPX behavioral2/files/0x0007000000023325-627.dat UPX behavioral2/files/0x0007000000023331-663.dat UPX behavioral2/files/0x0007000000023333-670.dat UPX behavioral2/files/0x0007000000023339-690.dat UPX behavioral2/files/0x000700000002333d-708.dat UPX behavioral2/files/0x0007000000023348-736.dat UPX behavioral2/files/0x0007000000023367-845.dat UPX behavioral2/files/0x0007000000023386-931.dat UPX behavioral2/files/0x000700000002338a-945.dat UPX behavioral2/files/0x000700000002338e-959.dat UPX behavioral2/files/0x0007000000023394-979.dat UPX behavioral2/files/0x000800000002337b-1060.dat UPX behavioral2/files/0x00070000000233c7-1249.dat UPX behavioral2/files/0x00070000000233dd-1356.dat UPX behavioral2/files/0x00070000000233df-1368.dat UPX -
Executes dropped EXE 64 IoCs
pid Process 416 Lepleocn.exe 464 Loofnccf.exe 908 Mhjhmhhd.exe 4712 Mjidgkog.exe 1588 Mbgeqmjp.exe 4324 Nbnlaldg.exe 228 Nbphglbe.exe 840 Niojoeel.exe 1012 Ocgkan32.exe 4692 Oblhcj32.exe 3928 Ocnabm32.exe 1324 Pafkgphl.exe 3112 Pjcikejg.exe 3808 Amfobp32.exe 4332 Afappe32.exe 4960 Aibibp32.exe 3864 Bigbmpco.exe 2832 Bkkhbb32.exe 5012 Bgdemb32.exe 2424 Calfpk32.exe 2572 Cpcpfg32.exe 5044 Dinael32.exe 4108 Dcibca32.exe 2160 Dckoia32.exe 3832 Dpopbepi.exe 1256 Ddmhhd32.exe 4580 Eqkondfl.exe 4088 Fclhpo32.exe 1800 Fcpakn32.exe 4492 Fgnjqm32.exe 208 Fbfkceca.exe 1648 Gcjdam32.exe 1972 Gclafmej.exe 2616 Gjhfif32.exe 2468 Hccggl32.exe 3392 Heepfn32.exe 3300 Halaloif.exe 316 Hejjanpm.exe 4068 Icachjbb.exe 5048 Ibdplaho.exe 1796 Ilmedf32.exe 932 Jbijgp32.exe 4288 Jjdokb32.exe 5108 Kbeibo32.exe 532 Kkpnga32.exe 3520 Kejloi32.exe 3508 Kbnlim32.exe 4168 Lbqinm32.exe 676 Lbcedmnl.exe 224 Lahbei32.exe 4676 Mkepineo.exe 2652 Mkjjdmaj.exe 800 Mojopk32.exe 4992 Nkeipk32.exe 4312 Nlefjnno.exe 2976 Okmpqjad.exe 3448 Ofbdncaj.exe 1628 Pkabbgol.exe 808 Qbngeadf.exe 1932 Abpcja32.exe 4720 Akihcfid.exe 2720 Aecialmb.exe 3196 Bejobk32.exe 1852 Bemlhj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lmkipncc.exe Lccdghmc.exe File created C:\Windows\SysWOW64\Feocoaai.exe Edfdop32.exe File opened for modification C:\Windows\SysWOW64\Djnfppqi.exe Dmjefkap.exe File created C:\Windows\SysWOW64\Ackkcmja.dll Bjgifhep.exe File opened for modification C:\Windows\SysWOW64\Okmpqjad.exe Nlefjnno.exe File created C:\Windows\SysWOW64\Flpbnh32.exe Fgcjea32.exe File created C:\Windows\SysWOW64\Emoaopnf.exe Dgbhgi32.exe File created C:\Windows\SysWOW64\Fpiedd32.dll Fgnjqm32.exe File opened for modification C:\Windows\SysWOW64\Oiglen32.exe Ohgokknb.exe File opened for modification C:\Windows\SysWOW64\Qdihfq32.exe Ppffec32.exe File created C:\Windows\SysWOW64\Lkmkfncf.exe Lbdgmh32.exe File created C:\Windows\SysWOW64\Aghdco32.exe Aeigilml.exe File opened for modification C:\Windows\SysWOW64\Idjdqc32.exe Ionlhlld.exe File created C:\Windows\SysWOW64\Lkjehbaa.exe Lqdakjak.exe File created C:\Windows\SysWOW64\Nmajmaoi.exe Ngeaej32.exe File created C:\Windows\SysWOW64\Ngekmf32.exe Nnmfdpni.exe File created C:\Windows\SysWOW64\Komhkn32.exe Kojkeogp.exe File created C:\Windows\SysWOW64\Bonhqnpi.exe Process not Found File created C:\Windows\SysWOW64\Baokejco.dll Fnmqegle.exe File opened for modification C:\Windows\SysWOW64\Algbfo32.exe Abnnnjfh.exe File created C:\Windows\SysWOW64\Fbcblo32.dll Pmkfjn32.exe File created C:\Windows\SysWOW64\Hpbjkgee.dll Hqkjaifk.exe File opened for modification C:\Windows\SysWOW64\Ojmgggdo.exe Ojhnlh32.exe File created C:\Windows\SysWOW64\Deqqek32.exe Dnghhqdk.exe File created C:\Windows\SysWOW64\Dogdnj32.exe Process not Found File created C:\Windows\SysWOW64\Cacfbnmc.dll Djnfppqi.exe File created C:\Windows\SysWOW64\Ijigfaol.exe Ijgjpaao.exe File opened for modification C:\Windows\SysWOW64\Qnniopcm.exe Qlomemlj.exe File created C:\Windows\SysWOW64\Dmjnkn32.dll Dedceddg.exe File created C:\Windows\SysWOW64\Admhlq32.dll Mggolhaj.exe File created C:\Windows\SysWOW64\Abnnnjfh.exe Ahiiqafa.exe File 
created C:\Windows\SysWOW64\Jihcig32.dll Imdlgm32.exe File opened for modification C:\Windows\SysWOW64\Gimoce32.exe Ghmbib32.exe File opened for modification C:\Windows\SysWOW64\Ienlbf32.exe Iqpclh32.exe File created C:\Windows\SysWOW64\Pbhdafdd.exe Pcgdcome.exe File opened for modification C:\Windows\SysWOW64\Qjmllgjd.exe Pabknbef.exe File opened for modification C:\Windows\SysWOW64\Eigohp32.exe Empococc.exe File created C:\Windows\SysWOW64\Hlkjom32.dll Pkabbgol.exe File created C:\Windows\SysWOW64\Qaalkamf.exe Qhigbl32.exe File opened for modification C:\Windows\SysWOW64\Benijhla.exe Afmhma32.exe File created C:\Windows\SysWOW64\Ocgkan32.exe Niojoeel.exe File created C:\Windows\SysWOW64\Dbihep32.dll Mmfaafej.exe File opened for modification C:\Windows\SysWOW64\Djnaco32.exe Djkdnool.exe File created C:\Windows\SysWOW64\Kbpkdd32.exe Kgjggkqi.exe File created C:\Windows\SysWOW64\Kiejfo32.exe Knofif32.exe File created C:\Windows\SysWOW64\Kllibo32.dll Jjoibadl.exe File created C:\Windows\SysWOW64\Gnlenp32.exe Fnglcqio.exe File created C:\Windows\SysWOW64\Hmijcp32.dll Jjdokb32.exe File created C:\Windows\SysWOW64\Gqokekph.exe Gdhjpjjd.exe File created C:\Windows\SysWOW64\Ljkffm32.dll Jhdlbp32.exe File created C:\Windows\SysWOW64\Aldclhie.dll Bigbmpco.exe File opened for modification C:\Windows\SysWOW64\Lfqgjh32.exe Kimgad32.exe File opened for modification C:\Windows\SysWOW64\Qekbaf32.exe Pkencn32.exe File created C:\Windows\SysWOW64\Ppemkhaa.dll Bjpjoa32.exe File created C:\Windows\SysWOW64\Jqogfdbb.dll Ifmcmg32.exe File created C:\Windows\SysWOW64\Dceplm32.dll Cdaigi32.exe File opened for modification C:\Windows\SysWOW64\Hoobnf32.exe Hfcnicjl.exe File created C:\Windows\SysWOW64\Fncbmpcd.dll Gknkkmmj.exe File created C:\Windows\SysWOW64\Algbfo32.exe Abnnnjfh.exe File created C:\Windows\SysWOW64\Jflkmqpj.dll Nalpbf32.exe File created C:\Windows\SysWOW64\Ahmpgegh.dll Ejiqom32.exe File opened for modification C:\Windows\SysWOW64\Emgnje32.exe Ekeacmel.exe File created 
C:\Windows\SysWOW64\Qpikao32.exe Qpfokpoo.exe File opened for modification C:\Windows\SysWOW64\Jbmehf32.exe Idieob32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8844 5624 Process not Found 1150 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hdnlmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lbpmbipk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hegeic32.dll" Olidijjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmjefkap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnqfekhi.dll" Flkdpnjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhejfl32.dll" Mkjjdmaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fekclnif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Benijhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ldgclgcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iibclmkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eangjkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmkdeaee.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qekbaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efbllhfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojbool32.dll" Hoobnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljfhjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkabbgol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmfodn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ogkcihgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjbnndgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Boipfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fcepbooa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jihgnf32.dll" Nmommn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clheom32.dll" Hdpicj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glenpb32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcanfakf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gddigk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccfme32.dll" Cpcpfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ihhmgaqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kmgdaokh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odbkef32.dll" Ahmlaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjddinbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fpagdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dobkgc32.dll" Fdamph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibdplaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lmfodn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olndnp32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jnjednnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnadddj.dll" Fihnhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mggcbo32.dll" Hmlpkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bihancje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eangjkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ogkcihgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djnfppqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbemdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlhbja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlkmfkli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocopncke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lmheph32.exe 
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aokcjngj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnkgakpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fglalp32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjimaole.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afmhma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojnhdjoc.dll" Egeemiml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdknbko.dll" Docckfai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eahomk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Balpph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipdfheal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqnajlid.dll" Kmhlijpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfglahbj.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgcjmjho.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 372 wrote to memory of 416 372 8cf16fe353b45691edac47f50e148600b8a85048148d11284ee832269b396599.exe 91 PID 372 wrote to memory of 416 372 8cf16fe353b45691edac47f50e148600b8a85048148d11284ee832269b396599.exe 91 PID 372 wrote to memory of 416 372 8cf16fe353b45691edac47f50e148600b8a85048148d11284ee832269b396599.exe 91 PID 416 wrote to memory of 464 416 Lepleocn.exe 92 PID 416 wrote to memory of 464 416 Lepleocn.exe 92 PID 416 wrote to memory of 464 416 Lepleocn.exe 92 PID 464 wrote to memory of 908 464 Loofnccf.exe 93 PID 464 wrote to memory of 908 464 Loofnccf.exe 93 PID 464 wrote to memory of 908 464 Loofnccf.exe 93 PID 908 wrote to memory of 4712 908 Mhjhmhhd.exe 94 PID 908 wrote to memory of 4712 908 Mhjhmhhd.exe 94 PID 908 wrote to memory of 4712 908 Mhjhmhhd.exe 94 PID 4712 wrote to memory of 1588 4712 Mjidgkog.exe 95 PID 4712 wrote to memory of 1588 4712 Mjidgkog.exe 95 PID 4712 wrote to memory of 1588 4712 Mjidgkog.exe 95 PID 1588 wrote to memory of 4324 1588 Mbgeqmjp.exe 96 PID 1588 wrote to memory of 4324 1588 Mbgeqmjp.exe 96 PID 1588 wrote to memory of 4324 1588 Mbgeqmjp.exe 96 PID 4324 wrote to memory of 228 4324 Nbnlaldg.exe 97 PID 4324 wrote to memory of 228 4324 Nbnlaldg.exe 97 PID 4324 wrote to memory of 228 4324 Nbnlaldg.exe 97 PID 228 wrote to memory of 840 228 Nbphglbe.exe 98 PID 228 wrote to memory of 840 228 Nbphglbe.exe 98 PID 228 wrote to memory of 840 228 Nbphglbe.exe 98 PID 840 wrote to memory of 1012 840 Niojoeel.exe 99 PID 840 wrote to memory of 1012 840 Niojoeel.exe 99 PID 840 wrote to memory of 1012 840 Niojoeel.exe 99 PID 1012 wrote to memory of 4692 1012 Ocgkan32.exe 100 PID 1012 wrote to memory of 4692 1012 Ocgkan32.exe 100 PID 1012 wrote to memory of 4692 1012 Ocgkan32.exe 100 PID 4692 wrote to memory of 3928 4692 Oblhcj32.exe 101 PID 4692 wrote to memory of 3928 4692 Oblhcj32.exe 101 PID 4692 wrote to memory of 3928 4692 Oblhcj32.exe 101 PID 3928 wrote to memory of 1324 3928 Ocnabm32.exe 102 
PID 3928 wrote to memory of 1324 3928 Ocnabm32.exe 102 PID 3928 wrote to memory of 1324 3928 Ocnabm32.exe 102 PID 1324 wrote to memory of 3112 1324 Pafkgphl.exe 103 PID 1324 wrote to memory of 3112 1324 Pafkgphl.exe 103 PID 1324 wrote to memory of 3112 1324 Pafkgphl.exe 103 PID 3112 wrote to memory of 3808 3112 Pjcikejg.exe 104 PID 3112 wrote to memory of 3808 3112 Pjcikejg.exe 104 PID 3112 wrote to memory of 3808 3112 Pjcikejg.exe 104 PID 3808 wrote to memory of 4332 3808 Amfobp32.exe 105 PID 3808 wrote to memory of 4332 3808 Amfobp32.exe 105 PID 3808 wrote to memory of 4332 3808 Amfobp32.exe 105 PID 4332 wrote to memory of 4960 4332 Afappe32.exe 106 PID 4332 wrote to memory of 4960 4332 Afappe32.exe 106 PID 4332 wrote to memory of 4960 4332 Afappe32.exe 106 PID 4960 wrote to memory of 3864 4960 Aibibp32.exe 107 PID 4960 wrote to memory of 3864 4960 Aibibp32.exe 107 PID 4960 wrote to memory of 3864 4960 Aibibp32.exe 107 PID 3864 wrote to memory of 2832 3864 Bigbmpco.exe 108 PID 3864 wrote to memory of 2832 3864 Bigbmpco.exe 108 PID 3864 wrote to memory of 2832 3864 Bigbmpco.exe 108 PID 2832 wrote to memory of 5012 2832 Bkkhbb32.exe 109 PID 2832 wrote to memory of 5012 2832 Bkkhbb32.exe 109 PID 2832 wrote to memory of 5012 2832 Bkkhbb32.exe 109 PID 5012 wrote to memory of 2424 5012 Bgdemb32.exe 110 PID 5012 wrote to memory of 2424 5012 Bgdemb32.exe 110 PID 5012 wrote to memory of 2424 5012 Bgdemb32.exe 110 PID 2424 wrote to memory of 2572 2424 Calfpk32.exe 111 PID 2424 wrote to memory of 2572 2424 Calfpk32.exe 111 PID 2424 wrote to memory of 2572 2424 Calfpk32.exe 111 PID 2572 wrote to memory of 5044 2572 Cpcpfg32.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\8cf16fe353b45691edac47f50e148600b8a85048148d11284ee832269b396599.exe"C:\Users\Admin\AppData\Local\Temp\8cf16fe353b45691edac47f50e148600b8a85048148d11284ee832269b396599.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:372 -
C:\Windows\SysWOW64\Lepleocn.exeC:\Windows\system32\Lepleocn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:416 -
C:\Windows\SysWOW64\Loofnccf.exeC:\Windows\system32\Loofnccf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Windows\SysWOW64\Mhjhmhhd.exeC:\Windows\system32\Mhjhmhhd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\SysWOW64\Mjidgkog.exeC:\Windows\system32\Mjidgkog.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\SysWOW64\Mbgeqmjp.exeC:\Windows\system32\Mbgeqmjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Nbnlaldg.exeC:\Windows\system32\Nbnlaldg.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Windows\SysWOW64\Nbphglbe.exeC:\Windows\system32\Nbphglbe.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Windows\SysWOW64\Niojoeel.exeC:\Windows\system32\Niojoeel.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Ocgkan32.exeC:\Windows\system32\Ocgkan32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Oblhcj32.exeC:\Windows\system32\Oblhcj32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\SysWOW64\Ocnabm32.exeC:\Windows\system32\Ocnabm32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Windows\SysWOW64\Pafkgphl.exeC:\Windows\system32\Pafkgphl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\Pjcikejg.exeC:\Windows\system32\Pjcikejg.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\SysWOW64\Amfobp32.exeC:\Windows\system32\Amfobp32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808 -
C:\Windows\SysWOW64\Afappe32.exeC:\Windows\system32\Afappe32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Windows\SysWOW64\Aibibp32.exeC:\Windows\system32\Aibibp32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Windows\SysWOW64\Bigbmpco.exeC:\Windows\system32\Bigbmpco.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Windows\SysWOW64\Bkkhbb32.exeC:\Windows\system32\Bkkhbb32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Bgdemb32.exeC:\Windows\system32\Bgdemb32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Calfpk32.exeC:\Windows\system32\Calfpk32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Cpcpfg32.exeC:\Windows\system32\Cpcpfg32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Dinael32.exeC:\Windows\system32\Dinael32.exe23⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Dcibca32.exeC:\Windows\system32\Dcibca32.exe24⤵
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Dckoia32.exeC:\Windows\system32\Dckoia32.exe25⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Dpopbepi.exeC:\Windows\system32\Dpopbepi.exe26⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Ddmhhd32.exeC:\Windows\system32\Ddmhhd32.exe27⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Edoencdm.exeC:\Windows\system32\Edoencdm.exe28⤵PID:4408
-
C:\Windows\SysWOW64\Eqkondfl.exeC:\Windows\system32\Eqkondfl.exe29⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Fclhpo32.exeC:\Windows\system32\Fclhpo32.exe30⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Fcpakn32.exeC:\Windows\system32\Fcpakn32.exe31⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Fgnjqm32.exeC:\Windows\system32\Fgnjqm32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4492 -
C:\Windows\SysWOW64\Fbfkceca.exeC:\Windows\system32\Fbfkceca.exe33⤵
- Executes dropped EXE
PID:208 -
C:\Windows\SysWOW64\Gcjdam32.exeC:\Windows\system32\Gcjdam32.exe34⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Gclafmej.exeC:\Windows\system32\Gclafmej.exe35⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Gjhfif32.exeC:\Windows\system32\Gjhfif32.exe36⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Hccggl32.exeC:\Windows\system32\Hccggl32.exe37⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Heepfn32.exeC:\Windows\system32\Heepfn32.exe38⤵
- Executes dropped EXE
PID:3392 -
C:\Windows\SysWOW64\Halaloif.exeC:\Windows\system32\Halaloif.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3300 -
C:\Windows\SysWOW64\Hejjanpm.exeC:\Windows\system32\Hejjanpm.exe40⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Icachjbb.exeC:\Windows\system32\Icachjbb.exe41⤵
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Ibdplaho.exeC:\Windows\system32\Ibdplaho.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:5048 -
C:\Windows\SysWOW64\Ilmedf32.exeC:\Windows\system32\Ilmedf32.exe43⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Jbijgp32.exeC:\Windows\system32\Jbijgp32.exe44⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Jjdokb32.exeC:\Windows\system32\Jjdokb32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4288 -
C:\Windows\SysWOW64\Kbeibo32.exeC:\Windows\system32\Kbeibo32.exe46⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Kkpnga32.exeC:\Windows\system32\Kkpnga32.exe47⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Kejloi32.exeC:\Windows\system32\Kejloi32.exe48⤵
- Executes dropped EXE
PID:3520 -
C:\Windows\SysWOW64\Kbnlim32.exeC:\Windows\system32\Kbnlim32.exe49⤵
- Executes dropped EXE
PID:3508 -
C:\Windows\SysWOW64\Lbqinm32.exeC:\Windows\system32\Lbqinm32.exe50⤵
- Executes dropped EXE
PID:4168 -
C:\Windows\SysWOW64\Lbcedmnl.exeC:\Windows\system32\Lbcedmnl.exe51⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Lahbei32.exeC:\Windows\system32\Lahbei32.exe52⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Mkepineo.exeC:\Windows\system32\Mkepineo.exe53⤵
- Executes dropped EXE
PID:4676 -
C:\Windows\SysWOW64\Mkjjdmaj.exeC:\Windows\system32\Mkjjdmaj.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Mojopk32.exeC:\Windows\system32\Mojopk32.exe55⤵
- Executes dropped EXE
PID:800 -
C:\Windows\SysWOW64\Nkeipk32.exeC:\Windows\system32\Nkeipk32.exe56⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Nlefjnno.exeC:\Windows\system32\Nlefjnno.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4312 -
C:\Windows\SysWOW64\Okmpqjad.exeC:\Windows\system32\Okmpqjad.exe58⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Ofbdncaj.exeC:\Windows\system32\Ofbdncaj.exe59⤵
- Executes dropped EXE
PID:3448 -
C:\Windows\SysWOW64\Pkabbgol.exeC:\Windows\system32\Pkabbgol.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Qbngeadf.exeC:\Windows\system32\Qbngeadf.exe61⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Abpcja32.exeC:\Windows\system32\Abpcja32.exe62⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Akihcfid.exeC:\Windows\system32\Akihcfid.exe63⤵
- Executes dropped EXE
PID:4720 -
C:\Windows\SysWOW64\Aecialmb.exeC:\Windows\system32\Aecialmb.exe64⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Bejobk32.exeC:\Windows\system32\Bejobk32.exe65⤵
- Executes dropped EXE
PID:3196 -
C:\Windows\SysWOW64\Bemlhj32.exeC:\Windows\system32\Bemlhj32.exe66⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Bflham32.exeC:\Windows\system32\Bflham32.exe67⤵PID:4336
-
C:\Windows\SysWOW64\Cpifeb32.exeC:\Windows\system32\Cpifeb32.exe68⤵PID:4284
-
C:\Windows\SysWOW64\Cpnpqakp.exeC:\Windows\system32\Cpnpqakp.exe69⤵PID:4456
-
C:\Windows\SysWOW64\Cmbpjfij.exeC:\Windows\system32\Cmbpjfij.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1956 -
C:\Windows\SysWOW64\Clgmkbna.exeC:\Windows\system32\Clgmkbna.exe71⤵PID:4928
-
C:\Windows\SysWOW64\Dbfoclai.exeC:\Windows\system32\Dbfoclai.exe72⤵PID:4888
-
C:\Windows\SysWOW64\Dbhlikpf.exeC:\Windows\system32\Dbhlikpf.exe73⤵PID:3188
-
C:\Windows\SysWOW64\Dgfdojfm.exeC:\Windows\system32\Dgfdojfm.exe74⤵PID:4064
-
C:\Windows\SysWOW64\Digmqe32.exeC:\Windows\system32\Digmqe32.exe75⤵PID:1928
-
C:\Windows\SysWOW64\Eegqldqg.exeC:\Windows\system32\Eegqldqg.exe76⤵PID:3104
-
C:\Windows\SysWOW64\Fgfmeg32.exeC:\Windows\system32\Fgfmeg32.exe77⤵PID:1608
-
C:\Windows\SysWOW64\Flfbcndo.exeC:\Windows\system32\Flfbcndo.exe78⤵PID:2416
-
C:\Windows\SysWOW64\Ffnglc32.exeC:\Windows\system32\Ffnglc32.exe79⤵PID:864
-
C:\Windows\SysWOW64\Fnglcqio.exeC:\Windows\system32\Fnglcqio.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4744 -
C:\Windows\SysWOW64\Gnlenp32.exeC:\Windows\system32\Gnlenp32.exe81⤵PID:2576
-
C:\Windows\SysWOW64\Gfgjbb32.exeC:\Windows\system32\Gfgjbb32.exe82⤵PID:5020
-
C:\Windows\SysWOW64\Gdhjpjjd.exeC:\Windows\system32\Gdhjpjjd.exe83⤵
- Drops file in System32 directory
PID:4496 -
C:\Windows\SysWOW64\Gqokekph.exeC:\Windows\system32\Gqokekph.exe84⤵PID:4536
-
C:\Windows\SysWOW64\Gjhonp32.exeC:\Windows\system32\Gjhonp32.exe85⤵PID:5128
-
C:\Windows\SysWOW64\Hnehdo32.exeC:\Windows\system32\Hnehdo32.exe86⤵PID:5168
-
C:\Windows\SysWOW64\Hfamia32.exeC:\Windows\system32\Hfamia32.exe87⤵PID:5216
-
C:\Windows\SysWOW64\Hfefdpfe.exeC:\Windows\system32\Hfefdpfe.exe88⤵PID:5256
-
C:\Windows\SysWOW64\Hqkjaifk.exeC:\Windows\system32\Hqkjaifk.exe89⤵
- Drops file in System32 directory
PID:5296 -
C:\Windows\SysWOW64\Hclccd32.exeC:\Windows\system32\Hclccd32.exe90⤵PID:5328
-
C:\Windows\SysWOW64\Iqpclh32.exeC:\Windows\system32\Iqpclh32.exe91⤵
- Drops file in System32 directory
PID:5376 -
C:\Windows\SysWOW64\Ienlbf32.exeC:\Windows\system32\Ienlbf32.exe92⤵PID:5416
-
C:\Windows\SysWOW64\Igneda32.exeC:\Windows\system32\Igneda32.exe93⤵PID:5464
-
C:\Windows\SysWOW64\Icgbob32.exeC:\Windows\system32\Icgbob32.exe94⤵PID:5508
-
C:\Windows\SysWOW64\Jnmglk32.exeC:\Windows\system32\Jnmglk32.exe95⤵PID:5548
-
C:\Windows\SysWOW64\Jgekdq32.exeC:\Windows\system32\Jgekdq32.exe96⤵PID:5592
-
C:\Windows\SysWOW64\Jaefne32.exeC:\Windows\system32\Jaefne32.exe97⤵PID:5636
-
C:\Windows\SysWOW64\Lfmnbjcg.exeC:\Windows\system32\Lfmnbjcg.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5696 -
C:\Windows\SysWOW64\Mehafq32.exeC:\Windows\system32\Mehafq32.exe99⤵PID:5740
-
C:\Windows\SysWOW64\Mmcfkc32.exeC:\Windows\system32\Mmcfkc32.exe100⤵PID:5788
-
C:\Windows\SysWOW64\Mmebpbod.exeC:\Windows\system32\Mmebpbod.exe101⤵PID:5836
-
C:\Windows\SysWOW64\Nkgoke32.exeC:\Windows\system32\Nkgoke32.exe102⤵PID:5892
-
C:\Windows\SysWOW64\Oeamcmmo.exeC:\Windows\system32\Oeamcmmo.exe103⤵PID:5940
-
C:\Windows\SysWOW64\Oamgcm32.exeC:\Windows\system32\Oamgcm32.exe104⤵PID:6012
-
C:\Windows\SysWOW64\Poeahaib.exeC:\Windows\system32\Poeahaib.exe105⤵PID:6120
-
C:\Windows\SysWOW64\Pdgckg32.exeC:\Windows\system32\Pdgckg32.exe106⤵PID:5164
-
C:\Windows\SysWOW64\Aoapcood.exeC:\Windows\system32\Aoapcood.exe107⤵PID:5240
-
C:\Windows\SysWOW64\Akjnnpcf.exeC:\Windows\system32\Akjnnpcf.exe108⤵PID:5312
-
C:\Windows\SysWOW64\Aecbge32.exeC:\Windows\system32\Aecbge32.exe109⤵PID:5384
-
C:\Windows\SysWOW64\Abgcqjhp.exeC:\Windows\system32\Abgcqjhp.exe110⤵PID:5452
-
C:\Windows\SysWOW64\Aokcjngj.exeC:\Windows\system32\Aokcjngj.exe111⤵
- Modifies registry class
PID:5536 -
C:\Windows\SysWOW64\Afdkfh32.exeC:\Windows\system32\Afdkfh32.exe112⤵PID:5600
-
C:\Windows\SysWOW64\Bkadoo32.exeC:\Windows\system32\Bkadoo32.exe113⤵PID:5672
-
C:\Windows\SysWOW64\Biedhclh.exeC:\Windows\system32\Biedhclh.exe114⤵PID:5772
-
C:\Windows\SysWOW64\Bpomem32.exeC:\Windows\system32\Bpomem32.exe115⤵PID:5852
-
C:\Windows\SysWOW64\Bihancje.exeC:\Windows\system32\Bihancje.exe116⤵
- Modifies registry class
PID:5952 -
C:\Windows\SysWOW64\Ciogobcm.exeC:\Windows\system32\Ciogobcm.exe117⤵PID:4236
-
C:\Windows\SysWOW64\Cpipkl32.exeC:\Windows\system32\Cpipkl32.exe118⤵PID:6040
-
C:\Windows\SysWOW64\Ceehcc32.exeC:\Windows\system32\Ceehcc32.exe119⤵PID:6000
-
C:\Windows\SysWOW64\Cifmoa32.exeC:\Windows\system32\Cifmoa32.exe120⤵PID:5360
-
C:\Windows\SysWOW64\Cnebmgjj.exeC:\Windows\system32\Cnebmgjj.exe121⤵PID:5532
-
C:\Windows\SysWOW64\Dbckcf32.exeC:\Windows\system32\Dbckcf32.exe122⤵PID:5668
-