Analysis
max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
15-05-2024 22:56
Static task
static1
Behavioral task
behavioral1
Sample
668a5ae189d3c43b63d7a5aa0e5e38c25ae4c135dc1fc91e6d124d24bd5792dd.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
668a5ae189d3c43b63d7a5aa0e5e38c25ae4c135dc1fc91e6d124d24bd5792dd.exe
Resource
win10v2004-20240508-en
General
Target
668a5ae189d3c43b63d7a5aa0e5e38c25ae4c135dc1fc91e6d124d24bd5792dd.exe
Size
352KB
MD5
0df78cf9ff08d4900583b1c8091ba2b0
SHA1
a54e63e930af11f930c5c2ef9162ab6f71f183f1
SHA256
668a5ae189d3c43b63d7a5aa0e5e38c25ae4c135dc1fc91e6d124d24bd5792dd
SHA512
49c30f1106cff9a455b7cc01a8e26cf89fcc844427707ce16bf117e1c75f6f1bc2aff514cc04a07f37eb7bc02ba03bfc88a822bbfb5b221dbd2d491561abbfa7
SSDEEP
6144:urBC2t5oz9iWis/j9SrJz9ieis/j9SrJz9is/j9SrJwWisp:CLsUasUqsU6sp
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mieeibkn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npagjpcd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ohibdf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fidoim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fjmaaddo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gmbdnn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ngpolo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ojcecjee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Meijhc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jehkodcm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kcdnao32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lahkigca.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhdlkdkg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ahikqd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Blgpef32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmjejphb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bioqclil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hjjddchg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kiccofna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gbcfadgl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Namqci32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lafndg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Idcokkak.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Knmhgf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hhckpk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ioaifhid.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ileiplhn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jchhkjhn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fnfamcoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hlngpjlj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hellne32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ihoafpmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Olpdjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ccngld32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ogblbo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ejobhppq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Joaeeklp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lclnemgd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nnennj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hoopae32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lcfqkl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mapjmehi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ilncom32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dhdcji32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Enakbp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ednpej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fmpkjkma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oonafa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gnmgmbhb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hdildlie.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nibebfpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kfbcbd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Alnqqd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eibbcm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gbcfadgl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iimjmbae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cldooj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jqgoiokm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kblhgk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llfifq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npdjje32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Clilkfnb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hmdmcanc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Icmegf32.exe
Executes dropped EXE 64 IoCs
pid | Process
1636 | Epieghdk.exe
3048 | Ealnephf.exe
2524 | Fckjalhj.exe
2488 | Fmhheqje.exe
2664 | Fmjejphb.exe
2392 | Gonnhhln.exe
1844 | Gegfdb32.exe
2752 | Glfhll32.exe
296 | Gacpdbej.exe
2120 | Ggpimica.exe
1440 | Gphmeo32.exe
488 | Hknach32.exe
1240 | Hpkjko32.exe
2948 | Hkpnhgge.exe
2240 | Hpmgqnfl.exe
928 | Hejoiedd.exe
1732 | Hpocfncj.exe
3064 | Hellne32.exe
844 | Hodpgjha.exe
1496 | Hjjddchg.exe
1796 | Hogmmjfo.exe
900 | Ihoafpmp.exe
2112 | Ioijbj32.exe
848 | Idfbkq32.exe
976 | Inngcfid.exe
1780 | Ihdkao32.exe
1508 | Inqcif32.exe
1980 | Icmlam32.exe
2596 | Imfqjbli.exe
2820 | Icpigm32.exe
2400 | Jmhmpb32.exe
2428 | Jgnamk32.exe
2052 | Jmjjea32.exe
2872 | Jfcnngnd.exe
2744 | Jokcgmee.exe
332 | Jehkodcm.exe
1840 | Jonplmcb.exe
688 | Jejhecaj.exe
1172 | Jnclnihj.exe
1948 | Kihqkagp.exe
2244 | Kneicieh.exe
1964 | Kcbakpdo.exe
2556 | Kngfih32.exe
1304 | Kcdnao32.exe
756 | Kjnfniii.exe
1632 | Kmmcjehm.exe
3004 | Kgbggnhc.exe
2148 | Kiccofna.exe
1512 | Kpmlkp32.exe
2944 | Kblhgk32.exe
2584 | Kjcpii32.exe
2396 | Kmaled32.exe
1648 | Lckdanld.exe
2700 | Lemaif32.exe
2636 | Llfifq32.exe
2768 | Lbqabkql.exe
2900 | Lliflp32.exe
2100 | Lafndg32.exe
2208 | Lhpfqama.exe
1280 | Lkncmmle.exe
2660 | Lahkigca.exe
612 | Lhbcfa32.exe
2996 | Lollckbk.exe
1552 | Lefdpe32.exe
Loads dropped DLL 64 IoCs
pid | Process
2860 | 668a5ae189d3c43b63d7a5aa0e5e38c25ae4c135dc1fc91e6d124d24bd5792dd.exe
2860 | 668a5ae189d3c43b63d7a5aa0e5e38c25ae4c135dc1fc91e6d124d24bd5792dd.exe
1636 | Epieghdk.exe
1636 | Epieghdk.exe
3048 | Ealnephf.exe
3048 | Ealnephf.exe
2524 | Fckjalhj.exe
2524 | Fckjalhj.exe
2488 | Fmhheqje.exe
2488 | Fmhheqje.exe
2664 | Fmjejphb.exe
2664 | Fmjejphb.exe
2392 | Gonnhhln.exe
2392 | Gonnhhln.exe
1844 | Gegfdb32.exe
1844 | Gegfdb32.exe
2752 | Glfhll32.exe
2752 | Glfhll32.exe
296 | Gacpdbej.exe
296 | Gacpdbej.exe
2120 | Ggpimica.exe
2120 | Ggpimica.exe
1440 | Gphmeo32.exe
1440 | Gphmeo32.exe
488 | Hknach32.exe
488 | Hknach32.exe
1240 | Hpkjko32.exe
1240 | Hpkjko32.exe
2948 | Hkpnhgge.exe
2948 | Hkpnhgge.exe
2240 | Hpmgqnfl.exe
2240 | Hpmgqnfl.exe
928 | Hejoiedd.exe
928 | Hejoiedd.exe
1732 | Hpocfncj.exe
1732 | Hpocfncj.exe
3064 | Hellne32.exe
3064 | Hellne32.exe
844 | Hodpgjha.exe
844 | Hodpgjha.exe
1496 | Hjjddchg.exe
1496 | Hjjddchg.exe
1796 | Hogmmjfo.exe
1796 | Hogmmjfo.exe
900 | Ihoafpmp.exe
900 | Ihoafpmp.exe
2112 | Ioijbj32.exe
2112 | Ioijbj32.exe
848 | Idfbkq32.exe
848 | Idfbkq32.exe
976 | Inngcfid.exe
976 | Inngcfid.exe
1780 | Ihdkao32.exe
1780 | Ihdkao32.exe
1508 | Inqcif32.exe
1508 | Inqcif32.exe
1980 | Icmlam32.exe
1980 | Icmlam32.exe
2596 | Imfqjbli.exe
2596 | Imfqjbli.exe
2820 | Icpigm32.exe
2820 | Icpigm32.exe
2400 | Jmhmpb32.exe
2400 | Jmhmpb32.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Cclkfdnc.exe | Cdikkg32.exe
File opened for modification | C:\Windows\SysWOW64\Jdehon32.exe | Jqilooij.exe
File opened for modification | C:\Windows\SysWOW64\Hejoiedd.exe | Hpmgqnfl.exe
File created | C:\Windows\SysWOW64\Obcccl32.exe | Ooeggp32.exe
File opened for modification | C:\Windows\SysWOW64\Ahdaee32.exe | Aefeijle.exe
File opened for modification | C:\Windows\SysWOW64\Bemgilhh.exe | Baakhm32.exe
File created | C:\Windows\SysWOW64\Cohigamf.exe | Clilkfnb.exe
File created | C:\Windows\SysWOW64\Labkdack.exe | Lndohedg.exe
File opened for modification | C:\Windows\SysWOW64\Mlfojn32.exe | Mhjbjopf.exe
File opened for modification | C:\Windows\SysWOW64\Nlhgoqhh.exe | Nhllob32.exe
File opened for modification | C:\Windows\SysWOW64\Lhbcfa32.exe | Lahkigca.exe
File created | C:\Windows\SysWOW64\Qffmipmp.dll | Ejkima32.exe
File opened for modification | C:\Windows\SysWOW64\Ejobhppq.exe | Ecejkf32.exe
File created | C:\Windows\SysWOW64\Lhefhd32.dll | Flehkhai.exe
File opened for modification | C:\Windows\SysWOW64\Jofbag32.exe | Jkjfah32.exe
File opened for modification | C:\Windows\SysWOW64\Kiccofna.exe | Kgbggnhc.exe
File created | C:\Windows\SysWOW64\Cdikkg32.exe | Cnobnmpl.exe
File created | C:\Windows\SysWOW64\Dkqahbgm.dll | Iapebchh.exe
File opened for modification | C:\Windows\SysWOW64\Niebhf32.exe | Nkbalifo.exe
File opened for modification | C:\Windows\SysWOW64\Gnmgmbhb.exe | Ghcoqh32.exe
File created | C:\Windows\SysWOW64\Llcefjgf.exe | Lclnemgd.exe
File opened for modification | C:\Windows\SysWOW64\Lndohedg.exe | Ljibgg32.exe
File opened for modification | C:\Windows\SysWOW64\Gacpdbej.exe | Glfhll32.exe
File created | C:\Windows\SysWOW64\Okhklfnh.dll | Lhbcfa32.exe
File created | C:\Windows\SysWOW64\Feljlnoc.dll | Nhiffc32.exe
File created | C:\Windows\SysWOW64\Ojcecjee.exe | Ogeigofa.exe
File created | C:\Windows\SysWOW64\Ejhlgaeh.exe | Ehgppi32.exe
File created | C:\Windows\SysWOW64\Opdnhdpo.dll | Ljibgg32.exe
File created | C:\Windows\SysWOW64\Dnlbnp32.dll | Ngkogj32.exe
File created | C:\Windows\SysWOW64\Aaaoij32.exe | Amfcikek.exe
File created | C:\Windows\SysWOW64\Lqelfddi.dll | Dlkepi32.exe
File created | C:\Windows\SysWOW64\Jpfppg32.dll | Ljffag32.exe
File created | C:\Windows\SysWOW64\Iknqdmpf.dll | Inngcfid.exe
File created | C:\Windows\SysWOW64\Mpigfa32.exe | Miooigfo.exe
File opened for modification | C:\Windows\SysWOW64\Mpigfa32.exe | Miooigfo.exe
File created | C:\Windows\SysWOW64\Ncgdbmmp.exe | Mpigfa32.exe
File created | C:\Windows\SysWOW64\Kjmbgl32.dll | Nacgdhlp.exe
File created | C:\Windows\SysWOW64\Gbdalp32.dll | Nkpegi32.exe
File opened for modification | C:\Windows\SysWOW64\Nhllob32.exe | Niikceid.exe
File created | C:\Windows\SysWOW64\Iemkjqde.dll | Lbqabkql.exe
File opened for modification | C:\Windows\SysWOW64\Pnomcl32.exe | Pefijfii.exe
File created | C:\Windows\SysWOW64\Pjehnpjo.dll | Gdllkhdg.exe
File created | C:\Windows\SysWOW64\Lgmcqkkh.exe | Lcagpl32.exe
File created | C:\Windows\SysWOW64\Meijhc32.exe | Mffimglk.exe
File created | C:\Windows\SysWOW64\Npagjpcd.exe | Nmbknddp.exe
File created | C:\Windows\SysWOW64\Fhhiii32.dll | Niikceid.exe
File created | C:\Windows\SysWOW64\Pggbla32.exe | Pnomcl32.exe
File created | C:\Windows\SysWOW64\Aadloj32.exe | Amhpnkch.exe
File created | C:\Windows\SysWOW64\Dgjclbdi.exe | Ccngld32.exe
File created | C:\Windows\SysWOW64\Kaaldl32.dll | Fepiimfg.exe
File created | C:\Windows\SysWOW64\Lfdmggnm.exe | Lbiqfied.exe
File created | C:\Windows\SysWOW64\Nmfmhhoj.dll | Ihjnom32.exe
File opened for modification | C:\Windows\SysWOW64\Kofopj32.exe | Kmgbdo32.exe
File opened for modification | C:\Windows\SysWOW64\Ljffag32.exe | Llcefjgf.exe
File created | C:\Windows\SysWOW64\Kgbggnhc.exe | Kmmcjehm.exe
File created | C:\Windows\SysWOW64\Ljefkdjq.dll | Kpmlkp32.exe
File opened for modification | C:\Windows\SysWOW64\Onjgiiad.exe | Ngpolo32.exe
File created | C:\Windows\SysWOW64\Dhdcji32.exe | Ddigjkid.exe
File created | C:\Windows\SysWOW64\Fcefji32.exe | Febfomdd.exe
File created | C:\Windows\SysWOW64\Qjfhfnim.dll | Kohkfj32.exe
File opened for modification | C:\Windows\SysWOW64\Migbnb32.exe | Melfncqb.exe
File opened for modification | C:\Windows\SysWOW64\Naimccpo.exe | Nibebfpl.exe
File created | C:\Windows\SysWOW64\Mimbdhhb.exe | Mgnfhlin.exe
File created | C:\Windows\SysWOW64\Mledlaqd.dll | Dfffnn32.exe
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgcpp32.dll" | Gacpdbej.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lbqabkql.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Glgaok32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeieql32.dll" | Kgcpjmcb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | 668a5ae189d3c43b63d7a5aa0e5e38c25ae4c135dc1fc91e6d124d24bd5792dd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dbkknojp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nejiih32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bemgilhh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iipgcaob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imfegi32.dll" | Jgagfi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ngkogj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jmjjea32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jfcnngnd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mmceigep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojgbclk.dll" | Ahdaee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ejhlgaeh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iedkbc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kgbggnhc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Alnqqd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Befkmkob.dll" | Abhimnma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Idnaoohk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mgnfhlin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nhfipcid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ahikqd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjidgghp.dll" | Dojald32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfiilbkl.dll" | Dhbfdjdp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afdignjb.dll" | Mpjqiq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hoopae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daiohhgh.dll" | Iamimc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Migbnb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqnolc32.dll" | Nlcnda32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dhpiojfb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ednpej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gpncej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjkacaml.dll" | Mkmhaj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | 668a5ae189d3c43b63d7a5aa0e5e38c25ae4c135dc1fc91e6d124d24bd5792dd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpjbaocl.dll" | Mgqcmlgl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cahail32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dfdjhndl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mlcbenjb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gjdhbc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hakphqja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnbfqn32.dll" | Ioaifhid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nafmbhpm.dll" | Jfiale32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ioijbj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dhnmij32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lphhenhc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mamddf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oglegn32.dll" | Amfcikek.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ehgppi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eibbcm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hdnepk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agmceh32.dll" | Kebgia32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lfmffhde.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ebjglbml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gmgninie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opdnhdpo.dll" | Ljibgg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgmgbeon.dll" | Moidahcn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmjhbal.dll" | Epieghdk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoacn32.dll" | Mkgfckcj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bblogakg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fidoim32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fpngfgle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifiacd32.dll" | Fncdgcqm.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2860 wrote to memory of 1636 | 2860 | 668a5ae189d3c43b63d7a5aa0e5e38c25ae4c135dc1fc91e6d124d24bd5792dd.exe | 28
PID 2860 wrote to memory of 1636 | 2860 | 668a5ae189d3c43b63d7a5aa0e5e38c25ae4c135dc1fc91e6d124d24bd5792dd.exe | 28
PID 2860 wrote to memory of 1636 | 2860 | 668a5ae189d3c43b63d7a5aa0e5e38c25ae4c135dc1fc91e6d124d24bd5792dd.exe | 28
PID 2860 wrote to memory of 1636 | 2860 | 668a5ae189d3c43b63d7a5aa0e5e38c25ae4c135dc1fc91e6d124d24bd5792dd.exe | 28
PID 1636 wrote to memory of 3048 | 1636 | Epieghdk.exe | 29
PID 1636 wrote to memory of 3048 | 1636 | Epieghdk.exe | 29
PID 1636 wrote to memory of 3048 | 1636 | Epieghdk.exe | 29
PID 1636 wrote to memory of 3048 | 1636 | Epieghdk.exe | 29
PID 3048 wrote to memory of 2524 | 3048 | Ealnephf.exe | 30
PID 3048 wrote to memory of 2524 | 3048 | Ealnephf.exe | 30
PID 3048 wrote to memory of 2524 | 3048 | Ealnephf.exe | 30
PID 3048 wrote to memory of 2524 | 3048 | Ealnephf.exe | 30
PID 2524 wrote to memory of 2488 | 2524 | Fckjalhj.exe | 31
PID 2524 wrote to memory of 2488 | 2524 | Fckjalhj.exe | 31
PID 2524 wrote to memory of 2488 | 2524 | Fckjalhj.exe | 31
PID 2524 wrote to memory of 2488 | 2524 | Fckjalhj.exe | 31
PID 2488 wrote to memory of 2664 | 2488 | Fmhheqje.exe | 32
PID 2488 wrote to memory of 2664 | 2488 | Fmhheqje.exe | 32
PID 2488 wrote to memory of 2664 | 2488 | Fmhheqje.exe | 32
PID 2488 wrote to memory of 2664 | 2488 | Fmhheqje.exe | 32
PID 2664 wrote to memory of 2392 | 2664 | Fmjejphb.exe | 33
PID 2664 wrote to memory of 2392 | 2664 | Fmjejphb.exe | 33
PID 2664 wrote to memory of 2392 | 2664 | Fmjejphb.exe | 33
PID 2664 wrote to memory of 2392 | 2664 | Fmjejphb.exe | 33
PID 2392 wrote to memory of 1844 | 2392 | Gonnhhln.exe | 34
PID 2392 wrote to memory of 1844 | 2392 | Gonnhhln.exe | 34
PID 2392 wrote to memory of 1844 | 2392 | Gonnhhln.exe | 34
PID 2392 wrote to memory of 1844 | 2392 | Gonnhhln.exe | 34
PID 1844 wrote to memory of 2752 | 1844 | Gegfdb32.exe | 35
PID 1844 wrote to memory of 2752 | 1844 | Gegfdb32.exe | 35
PID 1844 wrote to memory of 2752 | 1844 | Gegfdb32.exe | 35
PID 1844 wrote to memory of 2752 | 1844 | Gegfdb32.exe | 35
PID 2752 wrote to memory of 296 | 2752 | Glfhll32.exe | 36
PID 2752 wrote to memory of 296 | 2752 | Glfhll32.exe | 36
PID 2752 wrote to memory of 296 | 2752 | Glfhll32.exe | 36
PID 2752 wrote to memory of 296 | 2752 | Glfhll32.exe | 36
PID 296 wrote to memory of 2120 | 296 | Gacpdbej.exe | 37
PID 296 wrote to memory of 2120 | 296 | Gacpdbej.exe | 37
PID 296 wrote to memory of 2120 | 296 | Gacpdbej.exe | 37
PID 296 wrote to memory of 2120 | 296 | Gacpdbej.exe | 37
PID 2120 wrote to memory of 1440 | 2120 | Ggpimica.exe | 38
PID 2120 wrote to memory of 1440 | 2120 | Ggpimica.exe | 38
PID 2120 wrote to memory of 1440 | 2120 | Ggpimica.exe | 38
PID 2120 wrote to memory of 1440 | 2120 | Ggpimica.exe | 38
PID 1440 wrote to memory of 488 | 1440 | Gphmeo32.exe | 39
PID 1440 wrote to memory of 488 | 1440 | Gphmeo32.exe | 39
PID 1440 wrote to memory of 488 | 1440 | Gphmeo32.exe | 39
PID 1440 wrote to memory of 488 | 1440 | Gphmeo32.exe | 39
PID 488 wrote to memory of 1240 | 488 | Hknach32.exe | 40
PID 488 wrote to memory of 1240 | 488 | Hknach32.exe | 40
PID 488 wrote to memory of 1240 | 488 | Hknach32.exe | 40
PID 488 wrote to memory of 1240 | 488 | Hknach32.exe | 40
PID 1240 wrote to memory of 2948 | 1240 | Hpkjko32.exe | 41
PID 1240 wrote to memory of 2948 | 1240 | Hpkjko32.exe | 41
PID 1240 wrote to memory of 2948 | 1240 | Hpkjko32.exe | 41
PID 1240 wrote to memory of 2948 | 1240 | Hpkjko32.exe | 41
PID 2948 wrote to memory of 2240 | 2948 | Hkpnhgge.exe | 42
PID 2948 wrote to memory of 2240 | 2948 | Hkpnhgge.exe | 42
PID 2948 wrote to memory of 2240 | 2948 | Hkpnhgge.exe | 42
PID 2948 wrote to memory of 2240 | 2948 | Hkpnhgge.exe | 42
PID 2240 wrote to memory of 928 | 2240 | Hpmgqnfl.exe | 43
PID 2240 wrote to memory of 928 | 2240 | Hpmgqnfl.exe | 43
PID 2240 wrote to memory of 928 | 2240 | Hpmgqnfl.exe | 43
PID 2240 wrote to memory of 928 | 2240 | Hpmgqnfl.exe | 43
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\668a5ae189d3c43b63d7a5aa0e5e38c25ae4c135dc1fc91e6d124d24bd5792dd.exe (cmd: "C:\Users\Admin\AppData\Local\Temp\668a5ae189d3c43b63d7a5aa0e5e38c25ae4c135dc1fc91e6d124d24bd5792dd.exe")
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2860

[2] C:\Windows\SysWOW64\Epieghdk.exe (cmd: C:\Windows\system32\Epieghdk.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1636

[3] C:\Windows\SysWOW64\Ealnephf.exe (cmd: C:\Windows\system32\Ealnephf.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048

[4] C:\Windows\SysWOW64\Fckjalhj.exe (cmd: C:\Windows\system32\Fckjalhj.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524

[5] C:\Windows\SysWOW64\Fmhheqje.exe (cmd: C:\Windows\system32\Fmhheqje.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488

[6] C:\Windows\SysWOW64\Fmjejphb.exe (cmd: C:\Windows\system32\Fmjejphb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664

[7] C:\Windows\SysWOW64\Gonnhhln.exe (cmd: C:\Windows\system32\Gonnhhln.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392

[8] C:\Windows\SysWOW64\Gegfdb32.exe (cmd: C:\Windows\system32\Gegfdb32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1844

[9] C:\Windows\SysWOW64\Glfhll32.exe (cmd: C:\Windows\system32\Glfhll32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2752

[10] C:\Windows\SysWOW64\Gacpdbej.exe (cmd: C:\Windows\system32\Gacpdbej.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:296

[11] C:\Windows\SysWOW64\Ggpimica.exe (cmd: C:\Windows\system32\Ggpimica.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120

[12] C:\Windows\SysWOW64\Gphmeo32.exe (cmd: C:\Windows\system32\Gphmeo32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1440

[13] C:\Windows\SysWOW64\Hknach32.exe (cmd: C:\Windows\system32\Hknach32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:488

[14] C:\Windows\SysWOW64\Hpkjko32.exe (cmd: C:\Windows\system32\Hpkjko32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1240

[15] C:\Windows\SysWOW64\Hkpnhgge.exe (cmd: C:\Windows\system32\Hkpnhgge.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948

[16] C:\Windows\SysWOW64\Hpmgqnfl.exe (cmd: C:\Windows\system32\Hpmgqnfl.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2240

[17] C:\Windows\SysWOW64\Hejoiedd.exe (cmd: C:\Windows\system32\Hejoiedd.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:928

[18] C:\Windows\SysWOW64\Hpocfncj.exe (cmd: C:\Windows\system32\Hpocfncj.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1732

[19] C:\Windows\SysWOW64\Hellne32.exe (cmd: C:\Windows\system32\Hellne32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3064

[20] C:\Windows\SysWOW64\Hodpgjha.exe (cmd: C:\Windows\system32\Hodpgjha.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:844

[21] C:\Windows\SysWOW64\Hjjddchg.exe (cmd: C:\Windows\system32\Hjjddchg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1496

[22] C:\Windows\SysWOW64\Hogmmjfo.exe (cmd: C:\Windows\system32\Hogmmjfo.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1796

[23] C:\Windows\SysWOW64\Ihoafpmp.exe (cmd: C:\Windows\system32\Ihoafpmp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:900

[24] C:\Windows\SysWOW64\Ioijbj32.exe (cmd: C:\Windows\system32\Ioijbj32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2112

[25] C:\Windows\SysWOW64\Idfbkq32.exe (cmd: C:\Windows\system32\Idfbkq32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:848

[26] C:\Windows\SysWOW64\Inngcfid.exe (cmd: C:\Windows\system32\Inngcfid.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:976

[27] C:\Windows\SysWOW64\Ihdkao32.exe (cmd: C:\Windows\system32\Ihdkao32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1780

[28] C:\Windows\SysWOW64\Inqcif32.exe (cmd: C:\Windows\system32\Inqcif32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1508

[29] C:\Windows\SysWOW64\Icmlam32.exe (cmd: C:\Windows\system32\Icmlam32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1980

[30] C:\Windows\SysWOW64\Imfqjbli.exe (cmd: C:\Windows\system32\Imfqjbli.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2596

[31] C:\Windows\SysWOW64\Icpigm32.exe (cmd: C:\Windows\system32\Icpigm32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2820

[32] C:\Windows\SysWOW64\Jmhmpb32.exe (cmd: C:\Windows\system32\Jmhmpb32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2400

[33] C:\Windows\SysWOW64\Jgnamk32.exe (cmd: C:\Windows\system32\Jgnamk32.exe)
- Executes dropped EXE
PID:2428

[34] C:\Windows\SysWOW64\Jmjjea32.exe (cmd: C:\Windows\system32\Jmjjea32.exe)
- Executes dropped EXE
- Modifies registry class
PID:2052

[35] C:\Windows\SysWOW64\Jfcnngnd.exe (cmd: C:\Windows\system32\Jfcnngnd.exe)
- Executes dropped EXE
- Modifies registry class
PID:2872

[36] C:\Windows\SysWOW64\Jokcgmee.exe (cmd: C:\Windows\system32\Jokcgmee.exe)
- Executes dropped EXE
PID:2744

[37] C:\Windows\SysWOW64\Jehkodcm.exe (cmd: C:\Windows\system32\Jehkodcm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:332

[38] C:\Windows\SysWOW64\Jonplmcb.exe (cmd: C:\Windows\system32\Jonplmcb.exe)
- Executes dropped EXE
PID:1840

[39] C:\Windows\SysWOW64\Jejhecaj.exe (cmd: C:\Windows\system32\Jejhecaj.exe)
- Executes dropped EXE
PID:688

[40] C:\Windows\SysWOW64\Jnclnihj.exe (cmd: C:\Windows\system32\Jnclnihj.exe)
- Executes dropped EXE
PID:1172

[41] C:\Windows\SysWOW64\Kihqkagp.exe (cmd: C:\Windows\system32\Kihqkagp.exe)
- Executes dropped EXE
PID:1948

[42] C:\Windows\SysWOW64\Kneicieh.exe (cmd: C:\Windows\system32\Kneicieh.exe)
- Executes dropped EXE
PID:2244

[43] C:\Windows\SysWOW64\Kcbakpdo.exe (cmd: C:\Windows\system32\Kcbakpdo.exe)
- Executes dropped EXE
PID:1964

[44] C:\Windows\SysWOW64\Kngfih32.exe (cmd: C:\Windows\system32\Kngfih32.exe)
- Executes dropped EXE
PID:2556

[45] C:\Windows\SysWOW64\Kcdnao32.exe (cmd: C:\Windows\system32\Kcdnao32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1304

[46] C:\Windows\SysWOW64\Kjnfniii.exe (cmd: C:\Windows\system32\Kjnfniii.exe)
- Executes dropped EXE
PID:756

[47] C:\Windows\SysWOW64\Kmmcjehm.exe (cmd: C:\Windows\system32\Kmmcjehm.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:1632

[48] C:\Windows\SysWOW64\Kgbggnhc.exe (cmd: C:\Windows\system32\Kgbggnhc.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3004

[49] C:\Windows\SysWOW64\Kiccofna.exe (cmd: C:\Windows\system32\Kiccofna.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2148

[50] C:\Windows\SysWOW64\Kpmlkp32.exe (cmd: C:\Windows\system32\Kpmlkp32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:1512

[51] C:\Windows\SysWOW64\Kblhgk32.exe (cmd: C:\Windows\system32\Kblhgk32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2944

[52] C:\Windows\SysWOW64\Kjcpii32.exe (cmd: C:\Windows\system32\Kjcpii32.exe)
- Executes dropped EXE
PID:2584

[53] C:\Windows\SysWOW64\Kmaled32.exe (cmd: C:\Windows\system32\Kmaled32.exe)
- Executes dropped EXE
PID:2396

[54] C:\Windows\SysWOW64\Lckdanld.exe (cmd: C:\Windows\system32\Lckdanld.exe)
- Executes dropped EXE
PID:1648

[55] C:\Windows\SysWOW64\Lemaif32.exe (cmd: C:\Windows\system32\Lemaif32.exe)
- Executes dropped EXE
PID:2700

[56] C:\Windows\SysWOW64\Llfifq32.exe (cmd: C:\Windows\system32\Llfifq32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2636

[57] C:\Windows\SysWOW64\Lbqabkql.exe (cmd: C:\Windows\system32\Lbqabkql.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2768

[58] C:\Windows\SysWOW64\Lliflp32.exe (cmd: C:\Windows\system32\Lliflp32.exe)
- Executes dropped EXE
PID:2900

[59] C:\Windows\SysWOW64\Lafndg32.exe (cmd: C:\Windows\system32\Lafndg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2100

[60] C:\Windows\SysWOW64\Lhpfqama.exe (cmd: C:\Windows\system32\Lhpfqama.exe)
- Executes dropped EXE
PID:2208

[61] C:\Windows\SysWOW64\Lkncmmle.exe (cmd: C:\Windows\system32\Lkncmmle.exe)
- Executes dropped EXE
PID:1280

[62] C:\Windows\SysWOW64\Lahkigca.exe (cmd: C:\Windows\system32\Lahkigca.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2660

[63] C:\Windows\SysWOW64\Lhbcfa32.exe (cmd: C:\Windows\system32\Lhbcfa32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:612

[64] C:\Windows\SysWOW64\Lollckbk.exe (cmd: C:\Windows\system32\Lollckbk.exe)
- Executes dropped EXE
PID:2996

[65] C:\Windows\SysWOW64\Lefdpe32.exe (cmd: C:\Windows\system32\Lefdpe32.exe)
- Executes dropped EXE
PID:1552

[66] C:\Windows\SysWOW64\Mhdplq32.exe (cmd: C:\Windows\system32\Mhdplq32.exe)
PID:1244

[67] C:\Windows\SysWOW64\Mamddf32.exe (cmd: C:\Windows\system32\Mamddf32.exe)
- Modifies registry class
PID:2600

[68] C:\Windows\SysWOW64\Mgimmm32.exe (cmd: C:\Windows\system32\Mgimmm32.exe)
PID:2804

[69] C:\Windows\SysWOW64\Mmceigep.exe (cmd: C:\Windows\system32\Mmceigep.exe)
- Modifies registry class
PID:2676

[70] C:\Windows\SysWOW64\Mkgfckcj.exe (cmd: C:\Windows\system32\Mkgfckcj.exe)
- Modifies registry class
PID:2712

[71] C:\Windows\SysWOW64\Mdpjlajk.exe (cmd: C:\Windows\system32\Mdpjlajk.exe)
PID:2704

[72] C:\Windows\SysWOW64\Mgnfhlin.exe (cmd: C:\Windows\system32\Mgnfhlin.exe)
- Drops file in System32 directory
- Modifies registry class
PID:1920

[73] C:\Windows\SysWOW64\Mimbdhhb.exe (cmd: C:\Windows\system32\Mimbdhhb.exe)
PID:324

[74] C:\Windows\SysWOW64\Mpfkqb32.exe (cmd: C:\Windows\system32\Mpfkqb32.exe)
PID:1864

[75] C:\Windows\SysWOW64\Mgqcmlgl.exe (cmd: C:\Windows\system32\Mgqcmlgl.exe)
- Modifies registry class
PID:2956

[76] C:\Windows\SysWOW64\Miooigfo.exe (cmd: C:\Windows\system32\Miooigfo.exe)
- Drops file in System32 directory
PID:984

[77] C:\Windows\SysWOW64\Mpigfa32.exe (cmd: C:\Windows\system32\Mpigfa32.exe)
- Drops file in System32 directory
PID:2832

[78] C:\Windows\SysWOW64\Ncgdbmmp.exe (cmd: C:\Windows\system32\Ncgdbmmp.exe)
PID:2060

[79] C:\Windows\SysWOW64\Nefpnhlc.exe (cmd: C:\Windows\system32\Nefpnhlc.exe)
PID:3024

[80] C:\Windows\SysWOW64\Nhdlkdkg.exe (cmd: C:\Windows\system32\Nhdlkdkg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1896

[81] C:\Windows\SysWOW64\Nondgn32.exe (cmd: C:\Windows\system32\Nondgn32.exe)
PID:2968

[82] C:\Windows\SysWOW64\Namqci32.exe (cmd: C:\Windows\system32\Namqci32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2848

[83] C:\Windows\SysWOW64\Ndkmpe32.exe (cmd: C:\Windows\system32\Ndkmpe32.exe)
PID:1232

[84] C:\Windows\SysWOW64\Nhfipcid.exe (cmd: C:\Windows\system32\Nhfipcid.exe)
- Modifies registry class
PID:2688

[85] C:\Windows\SysWOW64\Noqamn32.exe (cmd: C:\Windows\system32\Noqamn32.exe)
PID:3008

[86] C:\Windows\SysWOW64\Nncahjgl.exe (cmd: C:\Windows\system32\Nncahjgl.exe)
PID:2288

[87] C:\Windows\SysWOW64\Nejiih32.exe (cmd: C:\Windows\system32\Nejiih32.exe)
- Modifies registry class
PID:2076

[88] C:\Windows\SysWOW64\Nhiffc32.exe (cmd: C:\Windows\system32\Nhiffc32.exe)
- Drops file in System32 directory
PID:2204

[89] C:\Windows\SysWOW64\Nkgbbo32.exe (cmd: C:\Windows\system32\Nkgbbo32.exe)
PID:2448

[90] C:\Windows\SysWOW64\Nnennj32.exe (cmd: C:\Windows\system32\Nnennj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1708

[91] C:\Windows\SysWOW64\Npdjje32.exe (cmd: C:\Windows\system32\Npdjje32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:592

[92] C:\Windows\SysWOW64\Nhkbkc32.exe (cmd: C:\Windows\system32\Nhkbkc32.exe)
PID:828

[93] C:\Windows\SysWOW64\Nkiogn32.exe (cmd: C:\Windows\system32\Nkiogn32.exe)
PID:1756

[94] C:\Windows\SysWOW64\Nacgdhlp.exe (cmd: C:\Windows\system32\Nacgdhlp.exe)
- Drops file in System32 directory
PID:2612

[95] C:\Windows\SysWOW64\Ndbcpd32.exe (cmd: C:\Windows\system32\Ndbcpd32.exe)
PID:980

[96] C:\Windows\SysWOW64\Ngpolo32.exe (cmd: C:\Windows\system32\Ngpolo32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2368

[97] C:\Windows\SysWOW64\Onjgiiad.exe (cmd: C:\Windows\system32\Onjgiiad.exe)
PID:2476

[98] C:\Windows\SysWOW64\Olmhdf32.exe (cmd: C:\Windows\system32\Olmhdf32.exe)
PID:2652

[99] C:\Windows\SysWOW64\Ogblbo32.exe (cmd: C:\Windows\system32\Ogblbo32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2452

[100] C:\Windows\SysWOW64\Olpdjf32.exe (cmd: C:\Windows\system32\Olpdjf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2520

[101] C:\Windows\SysWOW64\Oonafa32.exe (cmd: C:\Windows\system32\Oonafa32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1408

[102] C:\Windows\SysWOW64\Ogeigofa.exe (cmd: C:\Windows\system32\Ogeigofa.exe)
- Drops file in System32 directory
PID:2864

[103] C:\Windows\SysWOW64\Ojcecjee.exe (cmd: C:\Windows\system32\Ojcecjee.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2472

[104] C:\Windows\SysWOW64\Ombapedi.exe (cmd: C:\Windows\system32\Ombapedi.exe)
PID:760

[105] C:\Windows\SysWOW64\Oopnlacm.exe (cmd: C:\Windows\system32\Oopnlacm.exe)
PID:1560

[106] C:\Windows\SysWOW64\Ofjfhk32.exe (cmd: C:\Windows\system32\Ofjfhk32.exe)
PID:2132

[107] C:\Windows\SysWOW64\Ohibdf32.exe (cmd: C:\Windows\system32\Ohibdf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1416

[108] C:\Windows\SysWOW64\Okgnab32.exe (cmd: C:\Windows\system32\Okgnab32.exe)
PID:1548

[109] C:\Windows\SysWOW64\Obafnlpn.exe (cmd: C:\Windows\system32\Obafnlpn.exe)
PID:2800

[110] C:\Windows\SysWOW64\Odobjg32.exe (cmd: C:\Windows\system32\Odobjg32.exe)
PID:672

[111] C:\Windows\SysWOW64\Omfkke32.exe (cmd: C:\Windows\system32\Omfkke32.exe)
PID:3016

[112] C:\Windows\SysWOW64\Ooeggp32.exe (cmd: C:\Windows\system32\Ooeggp32.exe)
- Drops file in System32 directory
PID:1700

[113] C:\Windows\SysWOW64\Obcccl32.exe (cmd: C:\Windows\system32\Obcccl32.exe)
PID:1956

[114] C:\Windows\SysWOW64\Pdaoog32.exe (cmd: C:\Windows\system32\Pdaoog32.exe)
PID:1652

[115] C:\Windows\SysWOW64\Pgplkb32.exe (cmd: C:\Windows\system32\Pgplkb32.exe)
PID:2544

[116] C:\Windows\SysWOW64\Pnjdhmdo.exe (cmd: C:\Windows\system32\Pnjdhmdo.exe)
PID:2184

[117] C:\Windows\SysWOW64\Pqhpdhcc.exe (cmd: C:\Windows\system32\Pqhpdhcc.exe)
PID:2728

[118] C:\Windows\SysWOW64\Piphee32.exe (cmd: C:\Windows\system32\Piphee32.exe)
PID:2960

[119] C:\Windows\SysWOW64\Pnlqnl32.exe (cmd: C:\Windows\system32\Pnlqnl32.exe)
PID:2432

[120] C:\Windows\SysWOW64\Pefijfii.exe (cmd: C:\Windows\system32\Pefijfii.exe)
- Drops file in System32 directory
PID:1428

[121] C:\Windows\SysWOW64\Pnomcl32.exe (cmd: C:\Windows\system32\Pnomcl32.exe)
- Drops file in System32 directory
PID:1724

[122] C:\Windows\SysWOW64\Pggbla32.exe (cmd: C:\Windows\system32\Pggbla32.exe)
PID:2384