Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
24-05-2024 10:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f917a07983b25cd59f9860166561c950aa756923d78f9e912ce83a4974323850.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
f917a07983b25cd59f9860166561c950aa756923d78f9e912ce83a4974323850.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
f917a07983b25cd59f9860166561c950aa756923d78f9e912ce83a4974323850.exe
-
Size
112KB
-
MD5
4c9fb9f493f25f6f3a4abca0387ae689
-
SHA1
142f0148ef706ef7f9620ae3cff96b95a8051781
-
SHA256
f917a07983b25cd59f9860166561c950aa756923d78f9e912ce83a4974323850
-
SHA512
bff810e6896e143f23674113b4b4cfdaa6aaae48cbea9749b61b3030c2cc8e375ec8be2f5268c6e28dc7a9ee05fa2a6a9e910158b16cce3073380c4bb3baf115
-
SSDEEP
3072:9fEnTAKBMHgdiNvp8Dhzjwjhr1RhAo+ie0TZ:J8GpNowjhr1R6xie8Z
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dchmkkkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmnclmoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nigafnck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klngkfge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlnpgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khlili32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dlndnacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnjofo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpmjhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khoebi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Micklk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhmhhmlm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifgpnmom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgnfdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nenakoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcjlnpmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjaddn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgjebg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olmcchlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Goiehm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgaaah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbcjnnpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhejnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bofgii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbncjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbjojh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgpjhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfegij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hboddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ciohqa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqdefddb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpbalb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aojabdlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Leammn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbbfep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odmabj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dphmloih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjlioj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iikifegp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjdnlhco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdnolfon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmmagpef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Clojhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifgpnmom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfpifm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caifjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkhejkcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjcoqdoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mapccndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aababceh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfccei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpjngh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnjofo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qackpado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qnghel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioooiack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kekiphge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akcomepg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Makjho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afdgfelo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcaiiejc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbgmigeq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pljlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pafdjmkq.exe -
Executes dropped EXE 64 IoCs
pid Process 2680 Kcijeg32.exe 2536 Lmdkcl32.exe 2552 Lmfhil32.exe 2564 Leammn32.exe 2640 Lbemfbdk.exe 2408 Lgbeoibb.exe 2904 Makjho32.exe 1484 Mjcoqdoc.exe 1984 Mfjoeeeh.exe 1688 Mapccndn.exe 1172 Mikhgqbi.exe 2320 Mdpldi32.exe 1904 Medeaaej.exe 1540 Noljjglk.exe 3044 Nhdocl32.exe 2940 Nehomq32.exe 2968 Noacef32.exe 2988 Nledoj32.exe 1564 Nmfqgbmm.exe 1684 Nkjapglg.exe 1824 Odbeilbg.exe 1968 Omkjbb32.exe 972 Ocgbji32.exe 1224 Ommfga32.exe 2784 Odgodl32.exe 2076 Opnpimdf.exe 2160 Oekhacbn.exe 2248 Oemegc32.exe 2616 Poeipifl.exe 2656 Pohfehdi.exe 2440 Pkofjijm.exe 2404 Pqkobqhd.exe 392 Pjcckf32.exe 2376 Pjfpafmb.exe 1588 Qgjqjjll.exe 868 Qglmpi32.exe 1976 Qmifhq32.exe 1712 Afajafoa.exe 1744 Afdgfelo.exe 2708 Akqpom32.exe 1632 Affdle32.exe 3000 Aekqmbod.exe 2780 Aababceh.exe 1320 Bnfblgca.exe 1784 Bgnfdm32.exe 976 Bmkomchi.exe 1704 Bpjkiogm.exe 568 Bfccei32.exe 1760 Baigca32.exe 2864 Bbjdjjdn.exe 1720 Bmphhc32.exe 2584 Bcjqdmla.exe 2124 Bigimdjh.exe 2668 Bfkifhib.exe 2596 Cpnaca32.exe 2876 Cifelgmd.exe 2732 Dkfbfjdf.exe 2396 Dpcjnabn.exe 2444 Depbfhpe.exe 1084 Dpegcq32.exe 1584 Dgoopkgh.exe 1272 Dllhhaep.exe 672 Daipqhdg.exe 380 Dlndnacm.exe -
Loads dropped DLL 64 IoCs
pid Process 1500 f917a07983b25cd59f9860166561c950aa756923d78f9e912ce83a4974323850.exe 1500 f917a07983b25cd59f9860166561c950aa756923d78f9e912ce83a4974323850.exe 2680 Kcijeg32.exe 2680 Kcijeg32.exe 2536 Lmdkcl32.exe 2536 Lmdkcl32.exe 2552 Lmfhil32.exe 2552 Lmfhil32.exe 2564 Leammn32.exe 2564 Leammn32.exe 2640 Lbemfbdk.exe 2640 Lbemfbdk.exe 2408 Lgbeoibb.exe 2408 Lgbeoibb.exe 2904 Makjho32.exe 2904 Makjho32.exe 1484 Mjcoqdoc.exe 1484 Mjcoqdoc.exe 1984 Mfjoeeeh.exe 1984 Mfjoeeeh.exe 1688 Mapccndn.exe 1688 Mapccndn.exe 1172 Mikhgqbi.exe 1172 Mikhgqbi.exe 2320 Mdpldi32.exe 2320 Mdpldi32.exe 1904 Medeaaej.exe 1904 Medeaaej.exe 1540 Noljjglk.exe 1540 Noljjglk.exe 3044 Nhdocl32.exe 3044 Nhdocl32.exe 2940 Nehomq32.exe 2940 Nehomq32.exe 2968 Noacef32.exe 2968 Noacef32.exe 2988 Nledoj32.exe 2988 Nledoj32.exe 1564 Nmfqgbmm.exe 1564 Nmfqgbmm.exe 1684 Nkjapglg.exe 1684 Nkjapglg.exe 1824 Odbeilbg.exe 1824 Odbeilbg.exe 1968 Omkjbb32.exe 1968 Omkjbb32.exe 972 Ocgbji32.exe 972 Ocgbji32.exe 1224 Ommfga32.exe 1224 Ommfga32.exe 2784 Odgodl32.exe 2784 Odgodl32.exe 2076 Opnpimdf.exe 2076 Opnpimdf.exe 1948 Ooclji32.exe 1948 Ooclji32.exe 2248 Oemegc32.exe 2248 Oemegc32.exe 2616 Poeipifl.exe 2616 Poeipifl.exe 2656 Pohfehdi.exe 2656 Pohfehdi.exe 2440 Pkofjijm.exe 2440 Pkofjijm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nhdocl32.exe Noljjglk.exe File created C:\Windows\SysWOW64\Mhlpem32.dll Noljjglk.exe File opened for modification C:\Windows\SysWOW64\Oonldcih.exe Ohcdhi32.exe File created C:\Windows\SysWOW64\Dcfmdh32.dll Pjcmap32.exe File created C:\Windows\SysWOW64\Mqnifg32.exe Mjaddn32.exe File created C:\Windows\SysWOW64\Jioopgef.exe Jlkngc32.exe File created C:\Windows\SysWOW64\Apqcdckf.dll Pljlbf32.exe File created C:\Windows\SysWOW64\Makjho32.exe Lgbeoibb.exe File created C:\Windows\SysWOW64\Dlnipl32.dll Mgjebg32.exe File created C:\Windows\SysWOW64\Oonldcih.exe Ohcdhi32.exe File opened for modification C:\Windows\SysWOW64\Pkifdd32.exe Pdonhj32.exe File opened for modification C:\Windows\SysWOW64\Dphmloih.exe Dhmhhmlm.exe File created C:\Windows\SysWOW64\Fcbecl32.exe Fdmhbplb.exe File created C:\Windows\SysWOW64\Bbejeo32.dll Medeaaej.exe File created C:\Windows\SysWOW64\Dpegcq32.exe Depbfhpe.exe File opened for modification C:\Windows\SysWOW64\Ndkhngdd.exe Niedqnen.exe File created C:\Windows\SysWOW64\Djjfkm32.dll Leammn32.exe File created C:\Windows\SysWOW64\Noljjglk.exe Medeaaej.exe File created C:\Windows\SysWOW64\Daipqhdg.exe Dllhhaep.exe File created C:\Windows\SysWOW64\Fjbafi32.exe Eolmip32.exe File created C:\Windows\SysWOW64\Jpbalb32.exe Ifjlcmmj.exe File created C:\Windows\SysWOW64\Kfebambf.exe Kdefgj32.exe File created C:\Windows\SysWOW64\Liqoflfh.exe Lcaiiejc.exe File created C:\Windows\SysWOW64\Dhkkbmnp.exe Dbncjf32.exe File created C:\Windows\SysWOW64\Kqkfag32.dll Odgodl32.exe File created C:\Windows\SysWOW64\Mapecq32.dll Ogiaif32.exe File created C:\Windows\SysWOW64\Panaeb32.exe Pjcmap32.exe File created C:\Windows\SysWOW64\Hgmamfed.dll Fcbecl32.exe File opened for modification C:\Windows\SysWOW64\Kcijeg32.exe f917a07983b25cd59f9860166561c950aa756923d78f9e912ce83a4974323850.exe File created C:\Windows\SysWOW64\Mhapiheo.dll Baigca32.exe File created C:\Windows\SysWOW64\Caaggpdh.exe Bejfao32.exe File created C:\Windows\SysWOW64\Bpgcnh32.dll Dkfbfjdf.exe File created C:\Windows\SysWOW64\Bjibgc32.dll Mjaddn32.exe File opened for modification C:\Windows\SysWOW64\Hbknkl32.exe Hhejnc32.exe File opened for modification C:\Windows\SysWOW64\Fcbecl32.exe Fdmhbplb.exe File opened for modification C:\Windows\SysWOW64\Liqoflfh.exe Lcaiiejc.exe File created C:\Windows\SysWOW64\Bjmeiq32.exe Bqeqqk32.exe File created C:\Windows\SysWOW64\Clojhf32.exe Caifjn32.exe File opened for modification C:\Windows\SysWOW64\Cegoqlof.exe Clojhf32.exe File opened for modification C:\Windows\SysWOW64\Amaelomh.exe Aciqcifh.exe File created C:\Windows\SysWOW64\Gqdefddb.exe Gdmdacnn.exe File created C:\Windows\SysWOW64\Hqpagjge.dll Fnofjfhk.exe File created C:\Windows\SysWOW64\Caifjn32.exe Cgaaah32.exe File opened for modification C:\Windows\SysWOW64\Ihhcbf32.exe Ioooiack.exe File created C:\Windows\SysWOW64\Amponajh.dll Ciohqa32.exe File created C:\Windows\SysWOW64\Djdgic32.exe Cgfkmgnj.exe File created C:\Windows\SysWOW64\Dllhhaep.exe Dgoopkgh.exe File created C:\Windows\SysWOW64\Cfeihljf.dll Lmfhil32.exe File created C:\Windows\SysWOW64\Jnnnalph.exe Jpjngh32.exe File created C:\Windows\SysWOW64\Hahnac32.exe Hgpjhn32.exe File opened for modification C:\Windows\SysWOW64\Iimfld32.exe Iikifegp.exe File created C:\Windows\SysWOW64\Eolmip32.exe Efdhpjok.exe File created C:\Windows\SysWOW64\Mnbkmo32.dll Klehgh32.exe File opened for modification C:\Windows\SysWOW64\Lfoojj32.exe Llgjaeoj.exe File created C:\Windows\SysWOW64\Kaqnpc32.dll Cagienkb.exe File created C:\Windows\SysWOW64\Figicd32.dll Pqkobqhd.exe File created C:\Windows\SysWOW64\Poedbd32.dll Daipqhdg.exe File created C:\Windows\SysWOW64\Efdhpjok.exe Edclib32.exe File created C:\Windows\SysWOW64\Acfdnihk.exe Anjlebjc.exe File created C:\Windows\SysWOW64\Lcofio32.exe Lhiakf32.exe File opened for modification C:\Windows\SysWOW64\Oemgplgo.exe Ohiffh32.exe File created C:\Windows\SysWOW64\Mgjebg32.exe Mbnljqic.exe File created C:\Windows\SysWOW64\Qqfdfdee.dll Behilopf.exe File created C:\Windows\SysWOW64\Padhdm32.exe Plgolf32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3244 2192 WerFault.exe 317 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gcahoqhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iibfajdc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmadbjkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igogan32.dll" Nigafnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjbafi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hhejnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Npdfhhhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llgjaeoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhdnm32.dll" Oaghki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaoacgen.dll" Lgbeoibb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dllhhaep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjdnlhco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Anjlebjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Clojhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qblodoke.dll" Ocgbji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ommfga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epphbb32.dll" Kfebambf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmnclmoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkloned.dll" Qkibcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdpldi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgnfdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffphgohm.dll" Fgadda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idgnjl32.dll" Dhmhhmlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgccgk32.dll" Hfegij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iimfld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaogad32.dll" Ndkhngdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cegoqlof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bpjkiogm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebpdod32.dll" Hjfcpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feafacjb.dll" Kohnoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kekiphge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odgodl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkifdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdelj32.dll" Hndlem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jnpkflne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Niedqnen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbfepmmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egflhe32.dll" Obgkpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aekqmbod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olmcchlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdonaop.dll" Poeipifl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hloiib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkgpnd32.dll" Lqncaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfcobil.dll" Ooabmbbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhjlli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhfpnk32.dll" Klngkfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lclicpkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oaghki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Efdhpjok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfpifm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fnacpffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Padhdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bcjqdmla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ggcaiqhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfpifm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ppkhhjei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odmabj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gonocmbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Poeipifl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poedbd32.dll" Daipqhdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dlndnacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ifgpnmom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjmeiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eadphb32.dll" Makjho32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1500 wrote to memory of 2680 1500 f917a07983b25cd59f9860166561c950aa756923d78f9e912ce83a4974323850.exe 28 PID 1500 wrote to memory of 2680 1500 f917a07983b25cd59f9860166561c950aa756923d78f9e912ce83a4974323850.exe 28 PID 1500 wrote to memory of 2680 1500 f917a07983b25cd59f9860166561c950aa756923d78f9e912ce83a4974323850.exe 28 PID 1500 wrote to memory of 2680 1500 f917a07983b25cd59f9860166561c950aa756923d78f9e912ce83a4974323850.exe 28 PID 2680 wrote to memory of 2536 2680 Kcijeg32.exe 29 PID 2680 wrote to memory of 2536 2680 Kcijeg32.exe 29 PID 2680 wrote to memory of 2536 2680 Kcijeg32.exe 29 PID 2680 wrote to memory of 2536 2680 Kcijeg32.exe 29 PID 2536 wrote to memory of 2552 2536 Lmdkcl32.exe 30 PID 2536 wrote to memory of 2552 2536 Lmdkcl32.exe 30 PID 2536 wrote to memory of 2552 2536 Lmdkcl32.exe 30 PID 2536 wrote to memory of 2552 2536 Lmdkcl32.exe 30 PID 2552 wrote to memory of 2564 2552 Lmfhil32.exe 31 PID 2552 wrote to memory of 2564 2552 Lmfhil32.exe 31 PID 2552 wrote to memory of 2564 2552 Lmfhil32.exe 31 PID 2552 wrote to memory of 2564 2552 Lmfhil32.exe 31 PID 2564 wrote to memory of 2640 2564 Leammn32.exe 32 PID 2564 wrote to memory of 2640 2564 Leammn32.exe 32 PID 2564 wrote to memory of 2640 2564 Leammn32.exe 32 PID 2564 wrote to memory of 2640 2564 Leammn32.exe 32 PID 2640 wrote to memory of 2408 2640 Lbemfbdk.exe 33 PID 2640 wrote to memory of 2408 2640 Lbemfbdk.exe 33 PID 2640 wrote to memory of 2408 2640 Lbemfbdk.exe 33 PID 2640 wrote to memory of 2408 2640 Lbemfbdk.exe 33 PID 2408 wrote to memory of 2904 2408 Lgbeoibb.exe 34 PID 2408 wrote to memory of 2904 2408 Lgbeoibb.exe 34 PID 2408 wrote to memory of 2904 2408 Lgbeoibb.exe 34 PID 2408 wrote to memory of 2904 2408 Lgbeoibb.exe 34 PID 2904 wrote to memory of 1484 2904 Makjho32.exe 35 PID 2904 wrote to memory of 1484 2904 Makjho32.exe 35 PID 2904 wrote to memory of 1484 2904 Makjho32.exe 35 PID 2904 wrote to memory of 1484 2904 Makjho32.exe 35 PID 1484 wrote to memory of 1984 1484 Mjcoqdoc.exe 36 PID 1484 wrote to memory of 1984 1484 Mjcoqdoc.exe 36 PID 1484 wrote to memory of 1984 1484 Mjcoqdoc.exe 36 PID 1484 wrote to memory of 1984 1484 Mjcoqdoc.exe 36 PID 1984 wrote to memory of 1688 1984 Mfjoeeeh.exe 37 PID 1984 wrote to memory of 1688 1984 Mfjoeeeh.exe 37 PID 1984 wrote to memory of 1688 1984 Mfjoeeeh.exe 37 PID 1984 wrote to memory of 1688 1984 Mfjoeeeh.exe 37 PID 1688 wrote to memory of 1172 1688 Mapccndn.exe 38 PID 1688 wrote to memory of 1172 1688 Mapccndn.exe 38 PID 1688 wrote to memory of 1172 1688 Mapccndn.exe 38 PID 1688 wrote to memory of 1172 1688 Mapccndn.exe 38 PID 1172 wrote to memory of 2320 1172 Mikhgqbi.exe 39 PID 1172 wrote to memory of 2320 1172 Mikhgqbi.exe 39 PID 1172 wrote to memory of 2320 1172 Mikhgqbi.exe 39 PID 1172 wrote to memory of 2320 1172 Mikhgqbi.exe 39 PID 2320 wrote to memory of 1904 2320 Mdpldi32.exe 40 PID 2320 wrote to memory of 1904 2320 Mdpldi32.exe 40 PID 2320 wrote to memory of 1904 2320 Mdpldi32.exe 40 PID 2320 wrote to memory of 1904 2320 Mdpldi32.exe 40 PID 1904 wrote to memory of 1540 1904 Medeaaej.exe 41 PID 1904 wrote to memory of 1540 1904 Medeaaej.exe 41 PID 1904 wrote to memory of 1540 1904 Medeaaej.exe 41 PID 1904 wrote to memory of 1540 1904 Medeaaej.exe 41 PID 1540 wrote to memory of 3044 1540 Noljjglk.exe 42 PID 1540 wrote to memory of 3044 1540 Noljjglk.exe 42 PID 1540 wrote to memory of 3044 1540 Noljjglk.exe 42 PID 1540 wrote to memory of 3044 1540 Noljjglk.exe 42 PID 3044 wrote to memory of 2940 3044 Nhdocl32.exe 43 PID 3044 wrote to memory of 2940 3044 Nhdocl32.exe 43 PID 3044 wrote to memory of 2940 3044 Nhdocl32.exe 43 PID 3044 wrote to memory of 2940 3044 Nhdocl32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\f917a07983b25cd59f9860166561c950aa756923d78f9e912ce83a4974323850.exe"C:\Users\Admin\AppData\Local\Temp\f917a07983b25cd59f9860166561c950aa756923d78f9e912ce83a4974323850.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Kcijeg32.exeC:\Windows\system32\Kcijeg32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Lmdkcl32.exeC:\Windows\system32\Lmdkcl32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Lmfhil32.exeC:\Windows\system32\Lmfhil32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Leammn32.exeC:\Windows\system32\Leammn32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Lbemfbdk.exeC:\Windows\system32\Lbemfbdk.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Lgbeoibb.exeC:\Windows\system32\Lgbeoibb.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Makjho32.exeC:\Windows\system32\Makjho32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Mjcoqdoc.exeC:\Windows\system32\Mjcoqdoc.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Mfjoeeeh.exeC:\Windows\system32\Mfjoeeeh.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Mapccndn.exeC:\Windows\system32\Mapccndn.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Mikhgqbi.exeC:\Windows\system32\Mikhgqbi.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\SysWOW64\Mdpldi32.exeC:\Windows\system32\Mdpldi32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Medeaaej.exeC:\Windows\system32\Medeaaej.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Noljjglk.exeC:\Windows\system32\Noljjglk.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Nhdocl32.exeC:\Windows\system32\Nhdocl32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Nehomq32.exeC:\Windows\system32\Nehomq32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2940 -
C:\Windows\SysWOW64\Noacef32.exeC:\Windows\system32\Noacef32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Nledoj32.exeC:\Windows\system32\Nledoj32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2988 -
C:\Windows\SysWOW64\Nmfqgbmm.exeC:\Windows\system32\Nmfqgbmm.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1564 -
C:\Windows\SysWOW64\Nkjapglg.exeC:\Windows\system32\Nkjapglg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684 -
C:\Windows\SysWOW64\Odbeilbg.exeC:\Windows\system32\Odbeilbg.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1824 -
C:\Windows\SysWOW64\Omkjbb32.exeC:\Windows\system32\Omkjbb32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1968 -
C:\Windows\SysWOW64\Ocgbji32.exeC:\Windows\system32\Ocgbji32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:972 -
C:\Windows\SysWOW64\Ommfga32.exeC:\Windows\system32\Ommfga32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1224 -
C:\Windows\SysWOW64\Odgodl32.exeC:\Windows\system32\Odgodl32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Opnpimdf.exeC:\Windows\system32\Opnpimdf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2076 -
C:\Windows\SysWOW64\Oekhacbn.exeC:\Windows\system32\Oekhacbn.exe28⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Ooclji32.exeC:\Windows\system32\Ooclji32.exe29⤵
- Loads dropped DLL
PID:1948 -
C:\Windows\SysWOW64\Oemegc32.exeC:\Windows\system32\Oemegc32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2248 -
C:\Windows\SysWOW64\Poeipifl.exeC:\Windows\system32\Poeipifl.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Pohfehdi.exeC:\Windows\system32\Pohfehdi.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Pkofjijm.exeC:\Windows\system32\Pkofjijm.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Pqkobqhd.exeC:\Windows\system32\Pqkobqhd.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2404 -
C:\Windows\SysWOW64\Pjcckf32.exeC:\Windows\system32\Pjcckf32.exe35⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Pjfpafmb.exeC:\Windows\system32\Pjfpafmb.exe36⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Qgjqjjll.exeC:\Windows\system32\Qgjqjjll.exe37⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Qglmpi32.exeC:\Windows\system32\Qglmpi32.exe38⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Qmifhq32.exeC:\Windows\system32\Qmifhq32.exe39⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Afajafoa.exeC:\Windows\system32\Afajafoa.exe40⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Afdgfelo.exeC:\Windows\system32\Afdgfelo.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Akqpom32.exeC:\Windows\system32\Akqpom32.exe42⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Affdle32.exeC:\Windows\system32\Affdle32.exe43⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Aekqmbod.exeC:\Windows\system32\Aekqmbod.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Aababceh.exeC:\Windows\system32\Aababceh.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Bnfblgca.exeC:\Windows\system32\Bnfblgca.exe46⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Bgnfdm32.exeC:\Windows\system32\Bgnfdm32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Bmkomchi.exeC:\Windows\system32\Bmkomchi.exe48⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Bpjkiogm.exeC:\Windows\system32\Bpjkiogm.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Bfccei32.exeC:\Windows\system32\Bfccei32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Baigca32.exeC:\Windows\system32\Baigca32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1760 -
C:\Windows\SysWOW64\Bbjdjjdn.exeC:\Windows\system32\Bbjdjjdn.exe52⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Bmphhc32.exeC:\Windows\system32\Bmphhc32.exe53⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Bcjqdmla.exeC:\Windows\system32\Bcjqdmla.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Bigimdjh.exeC:\Windows\system32\Bigimdjh.exe55⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Bfkifhib.exeC:\Windows\system32\Bfkifhib.exe56⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Cpnaca32.exeC:\Windows\system32\Cpnaca32.exe57⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Cifelgmd.exeC:\Windows\system32\Cifelgmd.exe58⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Dkfbfjdf.exeC:\Windows\system32\Dkfbfjdf.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Dpcjnabn.exeC:\Windows\system32\Dpcjnabn.exe60⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Depbfhpe.exeC:\Windows\system32\Depbfhpe.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2444 -
C:\Windows\SysWOW64\Dpegcq32.exeC:\Windows\system32\Dpegcq32.exe62⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Dgoopkgh.exeC:\Windows\system32\Dgoopkgh.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1584 -
C:\Windows\SysWOW64\Dllhhaep.exeC:\Windows\system32\Dllhhaep.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1272 -
C:\Windows\SysWOW64\Daipqhdg.exeC:\Windows\system32\Daipqhdg.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:672 -
C:\Windows\SysWOW64\Dlndnacm.exeC:\Windows\system32\Dlndnacm.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:380 -
C:\Windows\SysWOW64\Dchmkkkj.exeC:\Windows\system32\Dchmkkkj.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:528 -
C:\Windows\SysWOW64\Elqaca32.exeC:\Windows\system32\Elqaca32.exe68⤵PID:2792
-
C:\Windows\SysWOW64\Enbnkigh.exeC:\Windows\system32\Enbnkigh.exe69⤵PID:340
-
C:\Windows\SysWOW64\Endjaief.exeC:\Windows\system32\Endjaief.exe70⤵PID:2952
-
C:\Windows\SysWOW64\Ehjona32.exeC:\Windows\system32\Ehjona32.exe71⤵PID:2104
-
C:\Windows\SysWOW64\Eabcggll.exeC:\Windows\system32\Eabcggll.exe72⤵PID:1148
-
C:\Windows\SysWOW64\Ekjgpm32.exeC:\Windows\system32\Ekjgpm32.exe73⤵PID:2476
-
C:\Windows\SysWOW64\Edclib32.exeC:\Windows\system32\Edclib32.exe74⤵
- Drops file in System32 directory
PID:2684 -
C:\Windows\SysWOW64\Efdhpjok.exeC:\Windows\system32\Efdhpjok.exe75⤵
- Drops file in System32 directory
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Eolmip32.exeC:\Windows\system32\Eolmip32.exe76⤵
- Drops file in System32 directory
PID:1600 -
C:\Windows\SysWOW64\Fjbafi32.exeC:\Windows\system32\Fjbafi32.exe77⤵
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Fcjeon32.exeC:\Windows\system32\Fcjeon32.exe78⤵PID:1608
-
C:\Windows\SysWOW64\Fjdnlhco.exeC:\Windows\system32\Fjdnlhco.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Fkejcq32.exeC:\Windows\system32\Fkejcq32.exe80⤵PID:1936
-
C:\Windows\SysWOW64\Fdnolfon.exeC:\Windows\system32\Fdnolfon.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2148 -
C:\Windows\SysWOW64\Fnfcel32.exeC:\Windows\system32\Fnfcel32.exe82⤵PID:2692
-
C:\Windows\SysWOW64\Fnipkkdl.exeC:\Windows\system32\Fnipkkdl.exe83⤵PID:2776
-
C:\Windows\SysWOW64\Fqglggcp.exeC:\Windows\system32\Fqglggcp.exe84⤵PID:2436
-
C:\Windows\SysWOW64\Fgadda32.exeC:\Windows\system32\Fgadda32.exe85⤵
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Gqiimfam.exeC:\Windows\system32\Gqiimfam.exe86⤵PID:2380
-
C:\Windows\SysWOW64\Ggcaiqhj.exeC:\Windows\system32\Ggcaiqhj.exe87⤵
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Gqlebf32.exeC:\Windows\system32\Gqlebf32.exe88⤵PID:1428
-
C:\Windows\SysWOW64\Gcmoda32.exeC:\Windows\system32\Gcmoda32.exe89⤵PID:2808
-
C:\Windows\SysWOW64\Giiglhjb.exeC:\Windows\system32\Giiglhjb.exe90⤵PID:1952
-
C:\Windows\SysWOW64\Gpcoib32.exeC:\Windows\system32\Gpcoib32.exe91⤵PID:1544
-
C:\Windows\SysWOW64\Gmgpbf32.exeC:\Windows\system32\Gmgpbf32.exe92⤵PID:2932
-
C:\Windows\SysWOW64\Gcahoqhf.exeC:\Windows\system32\Gcahoqhf.exe93⤵
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Hmjlhfof.exeC:\Windows\system32\Hmjlhfof.exe94⤵PID:2500
-
C:\Windows\SysWOW64\Hbfepmmn.exeC:\Windows\system32\Hbfepmmn.exe95⤵
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe96⤵
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Hhejnc32.exeC:\Windows\system32\Hhejnc32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe98⤵PID:2452
-
C:\Windows\SysWOW64\Hdlkcdog.exeC:\Windows\system32\Hdlkcdog.exe99⤵PID:2400
-
C:\Windows\SysWOW64\Hjfcpo32.exeC:\Windows\system32\Hjfcpo32.exe100⤵
- Modifies registry class
PID:1016 -
C:\Windows\SysWOW64\Helgmg32.exeC:\Windows\system32\Helgmg32.exe101⤵PID:2228
-
C:\Windows\SysWOW64\Hndlem32.exeC:\Windows\system32\Hndlem32.exe102⤵
- Modifies registry class
PID:1900 -
C:\Windows\SysWOW64\Ihmpobck.exeC:\Windows\system32\Ihmpobck.exe103⤵PID:2016
-
C:\Windows\SysWOW64\Iinmfk32.exeC:\Windows\system32\Iinmfk32.exe104⤵PID:2284
-
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe105⤵PID:1908
-
C:\Windows\SysWOW64\Iipiljgf.exeC:\Windows\system32\Iipiljgf.exe106⤵PID:2252
-
C:\Windows\SysWOW64\Iibfajdc.exeC:\Windows\system32\Iibfajdc.exe107⤵
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Ioooiack.exeC:\Windows\system32\Ioooiack.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Ihhcbf32.exeC:\Windows\system32\Ihhcbf32.exe109⤵PID:2908
-
C:\Windows\SysWOW64\Ielclkhe.exeC:\Windows\system32\Ielclkhe.exe110⤵PID:2428
-
C:\Windows\SysWOW64\Jhjphfgi.exeC:\Windows\system32\Jhjphfgi.exe111⤵PID:2888
-
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe112⤵PID:844
-
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe113⤵PID:2632
-
C:\Windows\SysWOW64\Jgaiobjn.exeC:\Windows\system32\Jgaiobjn.exe114⤵PID:2728
-
C:\Windows\SysWOW64\Jpjngh32.exeC:\Windows\system32\Jpjngh32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Jnnnalph.exeC:\Windows\system32\Jnnnalph.exe116⤵PID:636
-
C:\Windows\SysWOW64\Jckgicnp.exeC:\Windows\system32\Jckgicnp.exe117⤵PID:2264
-
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe118⤵
- Modifies registry class
PID:700 -
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe119⤵PID:1388
-
C:\Windows\SysWOW64\Klehgh32.exeC:\Windows\system32\Klehgh32.exe120⤵
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Khlili32.exeC:\Windows\system32\Khlili32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2304
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-