Analysis
-
max time kernel
125s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
17-06-2024 01:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c2199f6b33c0a6506923641f75fcad3ca2a21a76a57ea9948f497c97773a95c6.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
c2199f6b33c0a6506923641f75fcad3ca2a21a76a57ea9948f497c97773a95c6.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
c2199f6b33c0a6506923641f75fcad3ca2a21a76a57ea9948f497c97773a95c6.exe
-
Size
362KB
-
MD5
fcf12ec761e351aa240d116378099060
-
SHA1
cc628e9a815e2ce988d43983fda7f01a56721906
-
SHA256
c2199f6b33c0a6506923641f75fcad3ca2a21a76a57ea9948f497c97773a95c6
-
SHA512
4e4caa0ed04e9dafb24c27211b139492425887a2cdb520254e27c0b383e2a09fabcf661daa0e6e1b61a76b3d36a0e83eca7719ba170c87cf9f753759134e8109
-
SSDEEP
6144:dzXhttGDuMEUrQVad7nG3mbDp2o+SsmiMyhtHEyr5psPc1aj8DOvlvuZxriEldlP:dzjtmuMtrQ07nGWxWSsmiMyh95r5OPGf
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmihhelk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcdlhj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffiepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Injlkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbefcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kkpqlm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eemnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pkkblp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hdqhambg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oionacqo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boljgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eemnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gpidki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peeoidik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpjilj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pcnejk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Melifl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mccbmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omfnnnhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Liekddkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lbcbjlmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bnknoogp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfabnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jpqgkpcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" c2199f6b33c0a6506923641f75fcad3ca2a21a76a57ea9948f497c97773a95c6.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qeohnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgckjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jepmgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpkpadnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aeoijidl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaagcpdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pfchqf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmelpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfcqgpfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jckgicnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Amafgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnenk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hdcdfmqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Acqnnndl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmjaohol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qhkkim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gjljij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Egdlec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njbfnjeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfmkbebl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iickckcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlelda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jecnnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opkccm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pilfpqaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oalkih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fpbnjjkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlaeonld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmmbge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ibkhak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdnjaibm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqajihle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlkjne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Napbjjom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hdefnjkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkkblp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Injndk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihbcmaje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nflfad32.exe -
Executes dropped EXE 64 IoCs
pid Process 2004 Kpjhkjde.exe 2600 Lmebnb32.exe 2648 Lcagpl32.exe 2612 Lphhenhc.exe 2664 Llohjo32.exe 2544 Mlaeonld.exe 2220 Mbmjah32.exe 1084 Mencccop.exe 2532 Mmihhelk.exe 1136 Nmpnhdfc.exe 1112 Nodgel32.exe 1220 Nofdklgl.exe 1788 Nhohda32.exe 2328 Oagmmgdm.exe 1668 Oeeecekc.exe 3040 Oalfhf32.exe 2132 Oqcpob32.exe 2364 Pjnamh32.exe 1416 Pgbafl32.exe 972 Pmojocel.exe 1768 Pcibkm32.exe 660 Pndpajgd.exe 2244 Qeohnd32.exe 1724 Qbbhgi32.exe 328 Aniimjbo.exe 2076 Aganeoip.exe 1600 Agdjkogm.exe 2588 Aaloddnn.exe 2756 Aaolidlk.exe 2700 Afkdakjb.exe 2748 Alhmjbhj.exe 2892 Acpdko32.exe 2780 Bilmcf32.exe 1728 Bfpnmj32.exe 1200 Bnkbam32.exe 1780 Bonoflae.exe 1188 Daejhjkj.exe 2428 Ddfcje32.exe 1992 Djclbl32.exe 1848 Ddhpod32.exe 2332 Enqdhj32.exe 1560 Ecnmpa32.exe 1172 Ejgemkbm.exe 2408 Ecpjfq32.exe 2824 Efnfbl32.exe 1912 Elhnof32.exe 2920 Edccch32.exe 2312 Eknkpbdf.exe 1528 Ebgclm32.exe 2036 Egdlec32.exe 1576 Fnndan32.exe 2768 Fdhlnhhc.exe 2712 Fblmglgm.exe 2784 Fkdaqa32.exe 2620 Fqajihle.exe 3020 Ffnbaojm.exe 2168 Fcbbjcif.exe 1604 Fjlkgn32.exe 2136 Fpicodoj.exe 2556 Gjngmmnp.exe 1040 Gpkpedmh.exe 924 Gicdnj32.exe 2688 Gejebk32.exe 2992 Ghiaof32.exe -
Loads dropped DLL 64 IoCs
pid Process 2984 c2199f6b33c0a6506923641f75fcad3ca2a21a76a57ea9948f497c97773a95c6.exe 2984 c2199f6b33c0a6506923641f75fcad3ca2a21a76a57ea9948f497c97773a95c6.exe 2004 Kpjhkjde.exe 2004 Kpjhkjde.exe 2600 Lmebnb32.exe 2600 Lmebnb32.exe 2648 Lcagpl32.exe 2648 Lcagpl32.exe 2612 Lphhenhc.exe 2612 Lphhenhc.exe 2664 Llohjo32.exe 2664 Llohjo32.exe 2544 Mlaeonld.exe 2544 Mlaeonld.exe 2220 Mbmjah32.exe 2220 Mbmjah32.exe 1084 Mencccop.exe 1084 Mencccop.exe 2532 Mmihhelk.exe 2532 Mmihhelk.exe 1136 Nmpnhdfc.exe 1136 Nmpnhdfc.exe 1112 Nodgel32.exe 1112 Nodgel32.exe 1220 Nofdklgl.exe 1220 Nofdklgl.exe 1788 Nhohda32.exe 1788 Nhohda32.exe 2328 Oagmmgdm.exe 2328 Oagmmgdm.exe 1668 Oeeecekc.exe 1668 Oeeecekc.exe 3040 Oalfhf32.exe 3040 Oalfhf32.exe 2132 Oqcpob32.exe 2132 Oqcpob32.exe 2364 Pjnamh32.exe 2364 Pjnamh32.exe 1416 Pgbafl32.exe 1416 Pgbafl32.exe 972 Pmojocel.exe 972 Pmojocel.exe 1768 Pcibkm32.exe 1768 Pcibkm32.exe 660 Pndpajgd.exe 660 Pndpajgd.exe 2244 Qeohnd32.exe 2244 Qeohnd32.exe 1724 Qbbhgi32.exe 1724 Qbbhgi32.exe 328 Aniimjbo.exe 328 Aniimjbo.exe 2076 Aganeoip.exe 2076 Aganeoip.exe 1600 Agdjkogm.exe 1600 Agdjkogm.exe 2588 Aaloddnn.exe 2588 Aaloddnn.exe 2756 Aaolidlk.exe 2756 Aaolidlk.exe 2700 Afkdakjb.exe 2700 Afkdakjb.exe 2748 Alhmjbhj.exe 2748 Alhmjbhj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Nhiholof.exe Neklbppb.exe File opened for modification C:\Windows\SysWOW64\Gpidki32.exe Fkhbgbkc.exe File created C:\Windows\SysWOW64\Hkbkpcpd.exe Hdefnjkj.exe File created C:\Windows\SysWOW64\Kcebfo32.dll Kgpmjf32.exe File created C:\Windows\SysWOW64\Enghee32.dll Lclgjg32.exe File opened for modification C:\Windows\SysWOW64\Pilfpqaa.exe Pcbncfjd.exe File created C:\Windows\SysWOW64\Pphkbj32.exe Pgpgjepk.exe File created C:\Windows\SysWOW64\Nkjdcp32.exe Mkggnp32.exe File created C:\Windows\SysWOW64\Boghbgla.dll Naionh32.exe File created C:\Windows\SysWOW64\Bqjfjb32.dll Oeeecekc.exe File created C:\Windows\SysWOW64\Gligjd32.exe Geoonjeg.exe File created C:\Windows\SysWOW64\Necogkbo.exe Nagbgl32.exe File created C:\Windows\SysWOW64\Ogbogkjn.dll Ikjhki32.exe File created C:\Windows\SysWOW64\Dmgoif32.exe Dcokpa32.exe File created C:\Windows\SysWOW64\Mgnedp32.dll Eifobe32.exe File created C:\Windows\SysWOW64\Bgoneo32.dll Pcqebd32.exe File created C:\Windows\SysWOW64\Cdhqpd32.dll Lnjafd32.exe File opened for modification C:\Windows\SysWOW64\Ommfga32.exe Ogcnkgoh.exe File created C:\Windows\SysWOW64\Fbjilhqa.dll Oihqgbhd.exe File created C:\Windows\SysWOW64\Qifmdk32.dll Pojbkh32.exe File opened for modification C:\Windows\SysWOW64\Jlhhndno.exe Jdaqmg32.exe File created C:\Windows\SysWOW64\Injcbk32.dll Aggiigmn.exe File created C:\Windows\SysWOW64\Aohiimmp.dll Bhjpnj32.exe File opened for modification C:\Windows\SysWOW64\Kbaglpee.exe Kglcogeo.exe File created C:\Windows\SysWOW64\Nbkkmi32.dll Cjjkpe32.exe File opened for modification C:\Windows\SysWOW64\Odnobj32.exe Ngjoif32.exe File created C:\Windows\SysWOW64\Mklago32.dll Biiiempl.exe File created C:\Windows\SysWOW64\Jpqgkpcl.exe Jkdoci32.exe File created C:\Windows\SysWOW64\Akaneplm.dll Ibckfa32.exe File created C:\Windows\SysWOW64\Pmekeg32.dll Bjpdhifk.exe File opened for modification C:\Windows\SysWOW64\Bhmmcjjd.exe Bhjpnj32.exe File created C:\Windows\SysWOW64\Jolepe32.exe Jhamckel.exe File opened for modification C:\Windows\SysWOW64\Ocohkh32.exe Oldpnn32.exe File opened for modification C:\Windows\SysWOW64\Afgmodel.exe Aqjdgmgd.exe File created C:\Windows\SysWOW64\Hqgggnne.dll Pehcij32.exe File opened for modification C:\Windows\SysWOW64\Goiafp32.exe Fhmldfdm.exe File opened for modification C:\Windows\SysWOW64\Qeohnd32.exe Pndpajgd.exe File created C:\Windows\SysWOW64\Apofpf32.dll Peanbblf.exe File created C:\Windows\SysWOW64\Liboodmk.exe Kjnanhhc.exe File created C:\Windows\SysWOW64\Lefggi32.dll Bbjdjjdn.exe File opened for modification C:\Windows\SysWOW64\Cmpdgf32.exe Cedpbd32.exe File opened for modification C:\Windows\SysWOW64\Mlkjne32.exe Mccbmh32.exe File created C:\Windows\SysWOW64\Pnmjop32.dll Ccgklc32.exe File created C:\Windows\SysWOW64\Eldplnan.dll Kgdiho32.exe File created C:\Windows\SysWOW64\Lmkcfaod.dll Hmpbja32.exe File opened for modification C:\Windows\SysWOW64\Nfkapb32.exe Nlfmbibo.exe File created C:\Windows\SysWOW64\Pgcmbcih.exe Pohhna32.exe File created C:\Windows\SysWOW64\Kpafapbk.exe Kdkelolf.exe File opened for modification C:\Windows\SysWOW64\Ldoimh32.exe Lneaqn32.exe File created C:\Windows\SysWOW64\Eeaiio32.dll Liqoflfh.exe File created C:\Windows\SysWOW64\Nknnnoph.exe Npiiafpa.exe File opened for modification C:\Windows\SysWOW64\Oemhjlha.exe Nldcagaq.exe File opened for modification C:\Windows\SysWOW64\Hpkompgg.exe Hgpjhn32.exe File opened for modification C:\Windows\SysWOW64\Gckdgjeb.exe Ghacfmic.exe File created C:\Windows\SysWOW64\Iacjjacb.exe Heliepmn.exe File created C:\Windows\SysWOW64\Ikjhki32.exe Ibacbcgg.exe File created C:\Windows\SysWOW64\Hnjnifmm.dll Mndhnd32.exe File opened for modification C:\Windows\SysWOW64\Pdjljpnc.exe Peeoidik.exe File created C:\Windows\SysWOW64\Iceojc32.dll Monjcp32.exe File opened for modification C:\Windows\SysWOW64\Kkckblgq.exe Komjmk32.exe File created C:\Windows\SysWOW64\Bgepiehf.dll Qmifhq32.exe File opened for modification C:\Windows\SysWOW64\Ijehdl32.exe Ijclol32.exe File created C:\Windows\SysWOW64\Mphiqbon.exe Lgngbmjp.exe File created C:\Windows\SysWOW64\Henmilod.dll Olbogqoe.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3632 4632 WerFault.exe 979 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnfdfhli.dll" Dpcjnabn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jdflqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mfeaiime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bakaaepk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gjbqjiem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bncaekhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpkclikh.dll" Kcdlhj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nqokpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nomkfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Goocenaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgelak32.dll" Akphfbbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jdflqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plkkkh32.dll" Cdqkifmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hmpbja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Idcqep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dqobnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eelgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mldlaa32.dll" Fhmldfdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dcjjkkji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmjhgbh.dll" Aepnkjcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gligjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lcncpfaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Feggob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kibmchmc.dll" Plcied32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmohjooe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ddfcje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iknpkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Afajafoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Akpkmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igqcmh32.dll" Hdpehd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjmmm32.dll" Lchqcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Chgimh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ghenamai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbhfdd32.dll" Iknpkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lfhfab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jondii32.dll" Kllnhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mpebmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Boljgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fganph32.dll" Fpbnjjkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jcpkpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lqejbiim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mlelda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jpqgkpcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Leqeed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eobohl32.dll" Ahfgbkpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nodgel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdefbe32.dll" Daejhjkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beodlmdk.dll" Egmabg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gnkoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkgcpnbh.dll" Nqhepeai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ghgfekpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pehbqi32.dll" Kdphjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Afpchl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jolepe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kglcogeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mbeiefff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnjjp32.dll" Ijnkifgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgcpc32.dll" Bfoeil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cqdfehii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dkfbfjdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmagpjhh.dll" Ipeaco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jhdegn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqfnlp32.dll" Pdjljpnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pnnmeh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2984 wrote to memory of 2004 2984 c2199f6b33c0a6506923641f75fcad3ca2a21a76a57ea9948f497c97773a95c6.exe 28 PID 2984 wrote to memory of 2004 2984 c2199f6b33c0a6506923641f75fcad3ca2a21a76a57ea9948f497c97773a95c6.exe 28 PID 2984 wrote to memory of 2004 2984 c2199f6b33c0a6506923641f75fcad3ca2a21a76a57ea9948f497c97773a95c6.exe 28 PID 2984 wrote to memory of 2004 2984 c2199f6b33c0a6506923641f75fcad3ca2a21a76a57ea9948f497c97773a95c6.exe 28 PID 2004 wrote to memory of 2600 2004 Kpjhkjde.exe 29 PID 2004 wrote to memory of 2600 2004 Kpjhkjde.exe 29 PID 2004 wrote to memory of 2600 2004 Kpjhkjde.exe 29 PID 2004 wrote to memory of 2600 2004 Kpjhkjde.exe 29 PID 2600 wrote to memory of 2648 2600 Lmebnb32.exe 30 PID 2600 wrote to memory of 2648 2600 Lmebnb32.exe 30 PID 2600 wrote to memory of 2648 2600 Lmebnb32.exe 30 PID 2600 wrote to memory of 2648 2600 Lmebnb32.exe 30 PID 2648 wrote to memory of 2612 2648 Lcagpl32.exe 31 PID 2648 wrote to memory of 2612 2648 Lcagpl32.exe 31 PID 2648 wrote to memory of 2612 2648 Lcagpl32.exe 31 PID 2648 wrote to memory of 2612 2648 Lcagpl32.exe 31 PID 2612 wrote to memory of 2664 2612 Lphhenhc.exe 32 PID 2612 wrote to memory of 2664 2612 Lphhenhc.exe 32 PID 2612 wrote to memory of 2664 2612 Lphhenhc.exe 32 PID 2612 wrote to memory of 2664 2612 Lphhenhc.exe 32 PID 2664 wrote to memory of 2544 2664 Llohjo32.exe 33 PID 2664 wrote to memory of 2544 2664 Llohjo32.exe 33 PID 2664 wrote to memory of 2544 2664 Llohjo32.exe 33 PID 2664 wrote to memory of 2544 2664 Llohjo32.exe 33 PID 2544 wrote to memory of 2220 2544 Mlaeonld.exe 34 PID 2544 wrote to memory of 2220 2544 Mlaeonld.exe 34 PID 2544 wrote to memory of 2220 2544 Mlaeonld.exe 34 PID 2544 wrote to memory of 2220 2544 Mlaeonld.exe 34 PID 2220 wrote to memory of 1084 2220 Mbmjah32.exe 35 PID 2220 wrote to memory of 1084 2220 Mbmjah32.exe 35 PID 2220 wrote to memory of 1084 2220 Mbmjah32.exe 35 PID 2220 wrote to memory of 1084 2220 Mbmjah32.exe 35 PID 1084 wrote to memory of 2532 1084 Mencccop.exe 36 PID 1084 wrote to memory of 2532 1084 Mencccop.exe 36 PID 1084 wrote to memory of 2532 1084 Mencccop.exe 36 PID 1084 wrote to memory of 2532 1084 Mencccop.exe 36 PID 2532 wrote to memory of 1136 2532 Mmihhelk.exe 37 PID 2532 wrote to memory of 1136 2532 Mmihhelk.exe 37 PID 2532 wrote to memory of 1136 2532 Mmihhelk.exe 37 PID 2532 wrote to memory of 1136 2532 Mmihhelk.exe 37 PID 1136 wrote to memory of 1112 1136 Nmpnhdfc.exe 38 PID 1136 wrote to memory of 1112 1136 Nmpnhdfc.exe 38 PID 1136 wrote to memory of 1112 1136 Nmpnhdfc.exe 38 PID 1136 wrote to memory of 1112 1136 Nmpnhdfc.exe 38 PID 1112 wrote to memory of 1220 1112 Nodgel32.exe 39 PID 1112 wrote to memory of 1220 1112 Nodgel32.exe 39 PID 1112 wrote to memory of 1220 1112 Nodgel32.exe 39 PID 1112 wrote to memory of 1220 1112 Nodgel32.exe 39 PID 1220 wrote to memory of 1788 1220 Nofdklgl.exe 40 PID 1220 wrote to memory of 1788 1220 Nofdklgl.exe 40 PID 1220 wrote to memory of 1788 1220 Nofdklgl.exe 40 PID 1220 wrote to memory of 1788 1220 Nofdklgl.exe 40 PID 1788 wrote to memory of 2328 1788 Nhohda32.exe 41 PID 1788 wrote to memory of 2328 1788 Nhohda32.exe 41 PID 1788 wrote to memory of 2328 1788 Nhohda32.exe 41 PID 1788 wrote to memory of 2328 1788 Nhohda32.exe 41 PID 2328 wrote to memory of 1668 2328 Oagmmgdm.exe 42 PID 2328 wrote to memory of 1668 2328 Oagmmgdm.exe 42 PID 2328 wrote to memory of 1668 2328 Oagmmgdm.exe 42 PID 2328 wrote to memory of 1668 2328 Oagmmgdm.exe 42 PID 1668 wrote to memory of 3040 1668 Oeeecekc.exe 43 PID 1668 wrote to memory of 3040 1668 Oeeecekc.exe 43 PID 1668 wrote to memory of 3040 1668 Oeeecekc.exe 43 PID 1668 wrote to memory of 3040 1668 Oeeecekc.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\c2199f6b33c0a6506923641f75fcad3ca2a21a76a57ea9948f497c97773a95c6.exe"C:\Users\Admin\AppData\Local\Temp\c2199f6b33c0a6506923641f75fcad3ca2a21a76a57ea9948f497c97773a95c6.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Kpjhkjde.exeC:\Windows\system32\Kpjhkjde.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Lmebnb32.exeC:\Windows\system32\Lmebnb32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Lcagpl32.exeC:\Windows\system32\Lcagpl32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Lphhenhc.exeC:\Windows\system32\Lphhenhc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Llohjo32.exeC:\Windows\system32\Llohjo32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Mlaeonld.exeC:\Windows\system32\Mlaeonld.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Mbmjah32.exeC:\Windows\system32\Mbmjah32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Mencccop.exeC:\Windows\system32\Mencccop.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Mmihhelk.exeC:\Windows\system32\Mmihhelk.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Nmpnhdfc.exeC:\Windows\system32\Nmpnhdfc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Nodgel32.exeC:\Windows\system32\Nodgel32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Windows\SysWOW64\Nofdklgl.exeC:\Windows\system32\Nofdklgl.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\SysWOW64\Nhohda32.exeC:\Windows\system32\Nhohda32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Oagmmgdm.exeC:\Windows\system32\Oagmmgdm.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Oeeecekc.exeC:\Windows\system32\Oeeecekc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Oalfhf32.exeC:\Windows\system32\Oalfhf32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Oqcpob32.exeC:\Windows\system32\Oqcpob32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Windows\SysWOW64\Pjnamh32.exeC:\Windows\system32\Pjnamh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2364 -
C:\Windows\SysWOW64\Pgbafl32.exeC:\Windows\system32\Pgbafl32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1416 -
C:\Windows\SysWOW64\Pmojocel.exeC:\Windows\system32\Pmojocel.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:972 -
C:\Windows\SysWOW64\Pcibkm32.exeC:\Windows\system32\Pcibkm32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1768 -
C:\Windows\SysWOW64\Pndpajgd.exeC:\Windows\system32\Pndpajgd.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:660 -
C:\Windows\SysWOW64\Qeohnd32.exeC:\Windows\system32\Qeohnd32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2244 -
C:\Windows\SysWOW64\Qbbhgi32.exeC:\Windows\system32\Qbbhgi32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Aniimjbo.exeC:\Windows\system32\Aniimjbo.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:328 -
C:\Windows\SysWOW64\Aganeoip.exeC:\Windows\system32\Aganeoip.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2076 -
C:\Windows\SysWOW64\Agdjkogm.exeC:\Windows\system32\Agdjkogm.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Aaloddnn.exeC:\Windows\system32\Aaloddnn.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Aaolidlk.exeC:\Windows\system32\Aaolidlk.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Afkdakjb.exeC:\Windows\system32\Afkdakjb.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Alhmjbhj.exeC:\Windows\system32\Alhmjbhj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2748 -
C:\Windows\SysWOW64\Acpdko32.exeC:\Windows\system32\Acpdko32.exe33⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Bilmcf32.exeC:\Windows\system32\Bilmcf32.exe34⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Bfpnmj32.exeC:\Windows\system32\Bfpnmj32.exe35⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Bnkbam32.exeC:\Windows\system32\Bnkbam32.exe36⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Bonoflae.exeC:\Windows\system32\Bonoflae.exe37⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Daejhjkj.exeC:\Windows\system32\Daejhjkj.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1188 -
C:\Windows\SysWOW64\Ddfcje32.exeC:\Windows\system32\Ddfcje32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Djclbl32.exeC:\Windows\system32\Djclbl32.exe40⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Ddhpod32.exeC:\Windows\system32\Ddhpod32.exe41⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Enqdhj32.exeC:\Windows\system32\Enqdhj32.exe42⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Ecnmpa32.exeC:\Windows\system32\Ecnmpa32.exe43⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Ejgemkbm.exeC:\Windows\system32\Ejgemkbm.exe44⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Ecpjfq32.exeC:\Windows\system32\Ecpjfq32.exe45⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Efnfbl32.exeC:\Windows\system32\Efnfbl32.exe46⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Elhnof32.exeC:\Windows\system32\Elhnof32.exe47⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Edccch32.exeC:\Windows\system32\Edccch32.exe48⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Eknkpbdf.exeC:\Windows\system32\Eknkpbdf.exe49⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Ebgclm32.exeC:\Windows\system32\Ebgclm32.exe50⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Egdlec32.exeC:\Windows\system32\Egdlec32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Fnndan32.exeC:\Windows\system32\Fnndan32.exe52⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Fdhlnhhc.exeC:\Windows\system32\Fdhlnhhc.exe53⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Fblmglgm.exeC:\Windows\system32\Fblmglgm.exe54⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Fkdaqa32.exeC:\Windows\system32\Fkdaqa32.exe55⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Fqajihle.exeC:\Windows\system32\Fqajihle.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Ffnbaojm.exeC:\Windows\system32\Ffnbaojm.exe57⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Fcbbjcif.exeC:\Windows\system32\Fcbbjcif.exe58⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Fjlkgn32.exeC:\Windows\system32\Fjlkgn32.exe59⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Fpicodoj.exeC:\Windows\system32\Fpicodoj.exe60⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Gjngmmnp.exeC:\Windows\system32\Gjngmmnp.exe61⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Gpkpedmh.exeC:\Windows\system32\Gpkpedmh.exe62⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Gicdnj32.exeC:\Windows\system32\Gicdnj32.exe63⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Gejebk32.exeC:\Windows\system32\Gejebk32.exe64⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Ghiaof32.exeC:\Windows\system32\Ghiaof32.exe65⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Gnbjlpom.exeC:\Windows\system32\Gnbjlpom.exe66⤵PID:1628
-
C:\Windows\SysWOW64\Glgjednf.exeC:\Windows\system32\Glgjednf.exe67⤵PID:2672
-
C:\Windows\SysWOW64\Geoonjeg.exeC:\Windows\system32\Geoonjeg.exe68⤵
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Gligjd32.exeC:\Windows\system32\Gligjd32.exe69⤵
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Heakcjcd.exeC:\Windows\system32\Heakcjcd.exe70⤵PID:968
-
C:\Windows\SysWOW64\Hfbhkb32.exeC:\Windows\system32\Hfbhkb32.exe71⤵PID:2448
-
C:\Windows\SysWOW64\Hahlhkhi.exeC:\Windows\system32\Hahlhkhi.exe72⤵PID:2400
-
C:\Windows\SysWOW64\Hicqmmfc.exeC:\Windows\system32\Hicqmmfc.exe73⤵PID:2388
-
C:\Windows\SysWOW64\Hdiejfej.exeC:\Windows\system32\Hdiejfej.exe74⤵PID:2524
-
C:\Windows\SysWOW64\Hfgafadm.exeC:\Windows\system32\Hfgafadm.exe75⤵PID:2468
-
C:\Windows\SysWOW64\Hmaick32.exeC:\Windows\system32\Hmaick32.exe76⤵PID:1592
-
C:\Windows\SysWOW64\Hbnbkbja.exeC:\Windows\system32\Hbnbkbja.exe77⤵PID:2572
-
C:\Windows\SysWOW64\Hmcfhkjg.exeC:\Windows\system32\Hmcfhkjg.exe78⤵PID:2432
-
C:\Windows\SysWOW64\Hbqoqbho.exeC:\Windows\system32\Hbqoqbho.exe79⤵PID:2736
-
C:\Windows\SysWOW64\Heokmmgb.exeC:\Windows\system32\Heokmmgb.exe80⤵PID:568
-
C:\Windows\SysWOW64\Ilicig32.exeC:\Windows\system32\Ilicig32.exe81⤵PID:2280
-
C:\Windows\SysWOW64\Ibckfa32.exeC:\Windows\system32\Ibckfa32.exe82⤵
- Drops file in System32 directory
PID:1460 -
C:\Windows\SysWOW64\Iimcclni.exeC:\Windows\system32\Iimcclni.exe83⤵PID:2488
-
C:\Windows\SysWOW64\Iknpkd32.exeC:\Windows\system32\Iknpkd32.exe84⤵
- Modifies registry class
PID:828 -
C:\Windows\SysWOW64\Iecdhm32.exeC:\Windows\system32\Iecdhm32.exe85⤵PID:1260
-
C:\Windows\SysWOW64\Ioliqbjn.exeC:\Windows\system32\Ioliqbjn.exe86⤵PID:852
-
C:\Windows\SysWOW64\Iefamlak.exeC:\Windows\system32\Iefamlak.exe87⤵PID:932
-
C:\Windows\SysWOW64\Ikbifcpb.exeC:\Windows\system32\Ikbifcpb.exe88⤵PID:1120
-
C:\Windows\SysWOW64\Ippbnjni.exeC:\Windows\system32\Ippbnjni.exe89⤵PID:2676
-
C:\Windows\SysWOW64\Ikefkcmo.exeC:\Windows\system32\Ikefkcmo.exe90⤵PID:1972
-
C:\Windows\SysWOW64\Jcpkpe32.exeC:\Windows\system32\Jcpkpe32.exe91⤵
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Jjjclobg.exeC:\Windows\system32\Jjjclobg.exe92⤵PID:948
-
C:\Windows\SysWOW64\Jliohkak.exeC:\Windows\system32\Jliohkak.exe93⤵PID:896
-
C:\Windows\SysWOW64\Jcbhee32.exeC:\Windows\system32\Jcbhee32.exe94⤵PID:3060
-
C:\Windows\SysWOW64\Jlklnjoh.exeC:\Windows\system32\Jlklnjoh.exe95⤵PID:332
-
C:\Windows\SysWOW64\Jfcqgpfi.exeC:\Windows\system32\Jfcqgpfi.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1648 -
C:\Windows\SysWOW64\Jhamckel.exeC:\Windows\system32\Jhamckel.exe97⤵
- Drops file in System32 directory
PID:1088 -
C:\Windows\SysWOW64\Jolepe32.exeC:\Windows\system32\Jolepe32.exe98⤵
- Modifies registry class
PID:1152 -
C:\Windows\SysWOW64\Jajala32.exeC:\Windows\system32\Jajala32.exe99⤵PID:2344
-
C:\Windows\SysWOW64\Jhdihkcj.exeC:\Windows\system32\Jhdihkcj.exe100⤵PID:2348
-
C:\Windows\SysWOW64\Jcjnfdbp.exeC:\Windows\system32\Jcjnfdbp.exe101⤵PID:1124
-
C:\Windows\SysWOW64\Jdkjnl32.exeC:\Windows\system32\Jdkjnl32.exe102⤵PID:1852
-
C:\Windows\SysWOW64\Jlbboiip.exeC:\Windows\system32\Jlbboiip.exe103⤵PID:1828
-
C:\Windows\SysWOW64\Kfjggo32.exeC:\Windows\system32\Kfjggo32.exe104⤵PID:880
-
C:\Windows\SysWOW64\Kglcogeo.exeC:\Windows\system32\Kglcogeo.exe105⤵
- Drops file in System32 directory
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Kbaglpee.exeC:\Windows\system32\Kbaglpee.exe106⤵PID:2644
-
C:\Windows\SysWOW64\Kgnpeg32.exeC:\Windows\system32\Kgnpeg32.exe107⤵PID:928
-
C:\Windows\SysWOW64\Kbcdbp32.exeC:\Windows\system32\Kbcdbp32.exe108⤵PID:1524
-
C:\Windows\SysWOW64\Kqfdnljm.exeC:\Windows\system32\Kqfdnljm.exe109⤵PID:2740
-
C:\Windows\SysWOW64\Kgpmjf32.exeC:\Windows\system32\Kgpmjf32.exe110⤵
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Knjegqif.exeC:\Windows\system32\Knjegqif.exe111⤵PID:2176
-
C:\Windows\SysWOW64\Kcgmoggn.exeC:\Windows\system32\Kcgmoggn.exe112⤵PID:3012
-
C:\Windows\SysWOW64\Konndhmb.exeC:\Windows\system32\Konndhmb.exe113⤵PID:1192
-
C:\Windows\SysWOW64\Lfhfab32.exeC:\Windows\system32\Lfhfab32.exe114⤵
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Lmbonmll.exeC:\Windows\system32\Lmbonmll.exe115⤵PID:1988
-
C:\Windows\SysWOW64\Lclgjg32.exeC:\Windows\system32\Lclgjg32.exe116⤵
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\Ljfogake.exeC:\Windows\system32\Ljfogake.exe117⤵PID:2876
-
C:\Windows\SysWOW64\Lmdkcl32.exeC:\Windows\system32\Lmdkcl32.exe118⤵PID:2536
-
C:\Windows\SysWOW64\Lcncpfaf.exeC:\Windows\system32\Lcncpfaf.exe119⤵
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Liklhmom.exeC:\Windows\system32\Liklhmom.exe120⤵PID:2932
-
C:\Windows\SysWOW64\Lnhdqdnd.exeC:\Windows\system32\Lnhdqdnd.exe121⤵PID:2904
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-