Analysis
-
max time kernel
120s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
01/07/2024, 18:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1078668912e4d241404cc1b084cda1767cc092f3afc89b36dfc5bf8f2631edb8.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
1078668912e4d241404cc1b084cda1767cc092f3afc89b36dfc5bf8f2631edb8.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
1078668912e4d241404cc1b084cda1767cc092f3afc89b36dfc5bf8f2631edb8.exe
-
Size
214KB
-
MD5
a3c98ec52f5def1a7a2aac18a4bd4851
-
SHA1
4cc7773771bede38ac82945be04239ced4084b49
-
SHA256
1078668912e4d241404cc1b084cda1767cc092f3afc89b36dfc5bf8f2631edb8
-
SHA512
e0482854be95eedb82e85fab5fe959a4f16255146bb6f27758c2385f33a2224a68ccd1f34a18373d317d7dc78229cf04379298f384085d9537a5270b265dba3d
-
SSDEEP
3072:V6hmcxcTm7jA+mLHe3AnDlmbGcGFDeaqIsKEYWyPVBweyFve3CFdagBk:V0xkCNxuC9a6HYW0VBLyFviCqgBk
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkmdpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dngabk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fgnokb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkebjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peanbblf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ancefgfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cofnjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbdhjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijclol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nnmlcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alihaioe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anbkipok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcfqkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jajala32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ocllehcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhbnbpjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbblda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cbblda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efnfbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enlglnci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kgnpeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mnaggcej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmibgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkmqdpce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjbmelgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lnpgeopa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cblfdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Doecog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fmkilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdbdqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Adlcfjgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gnpmfqap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chcloo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hgbfnngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihniaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qnghel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pkofjijm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjcckf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aknlofim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cebeem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjakccop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfgngh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfpnmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lqqpgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eddeladm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aficjnpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjnmlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Annbhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhkiid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnpmfqap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddliip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Difnaqih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cileqlmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qeaedd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gppipc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmmphlpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhjjgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cjakccop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ippbnjni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bibpad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcmoda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aodkci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Allefimb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mooaljkh.exe -
Executes dropped EXE 64 IoCs
pid Process 2672 Kmjojo32.exe 2728 Kaldcb32.exe 2484 Lanaiahq.exe 2500 Lapnnafn.exe 2488 Lfbpag32.exe 2968 Lcfqkl32.exe 520 Mooaljkh.exe 564 Mkhofjoj.exe 2664 Mholen32.exe 1964 Ngdifkpi.exe 1108 Ngfflj32.exe 2708 Npagjpcd.exe 1372 Nofdklgl.exe 2448 Nkmdpm32.exe 2224 Okdkal32.exe 2120 Odlojanh.exe 2364 Pkidlk32.exe 924 Pfbelipa.exe 1120 Pjpnbg32.exe 1960 Pfgngh32.exe 2760 Pndpajgd.exe 1188 Qgmdjp32.exe 2436 Qeaedd32.exe 1524 Qjnmlk32.exe 2108 Aecaidjl.exe 3028 Annbhi32.exe 2608 Ajecmj32.exe 2504 Amelne32.exe 1596 Bfpnmj32.exe 2560 Cbgjqo32.exe 264 Ciqcmiei.exe 108 Cegcbjkn.exe 580 Cophko32.exe 2160 Cielhh32.exe 1548 Dobdqo32.exe 1740 Dhkiid32.exe 1544 Dngabk32.exe 1956 Ddajoelp.exe 1344 Dnjngk32.exe 2228 Dhobddbf.exe 2140 Dnlkmkpn.exe 804 Djclbl32.exe 428 Ddhpod32.exe 764 Efjlgmlf.exe 1792 Egiiapci.exe 1316 Efnfbl32.exe 2696 Ekknjcfh.exe 2052 Ehoocgeb.exe 2092 Enlglnci.exe 2864 Egdlec32.exe 2716 Fnndan32.exe 2780 Fgfhjcgg.exe 2676 Fqomci32.exe 2188 Fcmiod32.exe 2552 Fqajihle.exe 2524 Fjjnan32.exe 432 Fgnokb32.exe 2660 Fmjgcipg.exe 2820 Ffcllo32.exe 880 Gicdnj32.exe 800 Gnpmfqap.exe 2536 Gppipc32.exe 1396 Gembhj32.exe 1996 Gbqbaofc.exe -
Loads dropped DLL 64 IoCs
pid Process 2100 1078668912e4d241404cc1b084cda1767cc092f3afc89b36dfc5bf8f2631edb8.exe 2100 1078668912e4d241404cc1b084cda1767cc092f3afc89b36dfc5bf8f2631edb8.exe 2672 Kmjojo32.exe 2672 Kmjojo32.exe 2728 Kaldcb32.exe 2728 Kaldcb32.exe 2484 Lanaiahq.exe 2484 Lanaiahq.exe 2500 Lapnnafn.exe 2500 Lapnnafn.exe 2488 Lfbpag32.exe 2488 Lfbpag32.exe 2968 Lcfqkl32.exe 2968 Lcfqkl32.exe 520 Mooaljkh.exe 520 Mooaljkh.exe 564 Mkhofjoj.exe 564 Mkhofjoj.exe 2664 Mholen32.exe 2664 Mholen32.exe 1964 Ngdifkpi.exe 1964 Ngdifkpi.exe 1108 Ngfflj32.exe 1108 Ngfflj32.exe 2708 Npagjpcd.exe 2708 Npagjpcd.exe 1372 Nofdklgl.exe 1372 Nofdklgl.exe 2448 Nkmdpm32.exe 2448 Nkmdpm32.exe 2224 Okdkal32.exe 2224 Okdkal32.exe 2120 Odlojanh.exe 2120 Odlojanh.exe 2364 Pkidlk32.exe 2364 Pkidlk32.exe 924 Pfbelipa.exe 924 Pfbelipa.exe 1120 Pjpnbg32.exe 1120 Pjpnbg32.exe 1960 Pfgngh32.exe 1960 Pfgngh32.exe 2760 Pndpajgd.exe 2760 Pndpajgd.exe 1188 Qgmdjp32.exe 1188 Qgmdjp32.exe 2436 Qeaedd32.exe 2436 Qeaedd32.exe 1524 Qjnmlk32.exe 1524 Qjnmlk32.exe 1720 Anlfbi32.exe 1720 Anlfbi32.exe 3028 Annbhi32.exe 3028 Annbhi32.exe 2608 Ajecmj32.exe 2608 Ajecmj32.exe 2504 Amelne32.exe 2504 Amelne32.exe 1596 Bfpnmj32.exe 1596 Bfpnmj32.exe 2560 Cbgjqo32.exe 2560 Cbgjqo32.exe 264 Ciqcmiei.exe 264 Ciqcmiei.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ippbdn32.dll Nnmlcp32.exe File opened for modification C:\Windows\SysWOW64\Pcbncfjd.exe Oanefo32.exe File created C:\Windows\SysWOW64\Cblfdg32.exe Cehfkb32.exe File created C:\Windows\SysWOW64\Inlkik32.exe Idgglb32.exe File created C:\Windows\SysWOW64\Kgkpngqm.dll Gbqbaofc.exe File created C:\Windows\SysWOW64\Mmlkmc32.dll Cbepdhgc.exe File opened for modification C:\Windows\SysWOW64\Difnaqih.exe Cblfdg32.exe File created C:\Windows\SysWOW64\Jngafd32.dll Ffaaoh32.exe File created C:\Windows\SysWOW64\Njdqka32.exe Ndkhngdd.exe File created C:\Windows\SysWOW64\Okhlbmkc.dll Jkebjf32.exe File created C:\Windows\SysWOW64\Figfejbj.dll Klbdgb32.exe File opened for modification C:\Windows\SysWOW64\Nnafnopi.exe Neiaeiii.exe File created C:\Windows\SysWOW64\Pikhak32.dll Lanaiahq.exe File created C:\Windows\SysWOW64\Jmhnkfpa.exe Jdpjba32.exe File created C:\Windows\SysWOW64\Fiqhbk32.dll Aficjnpm.exe File opened for modification C:\Windows\SysWOW64\Kgfoie32.exe Knnkpobc.exe File opened for modification C:\Windows\SysWOW64\Ooclji32.exe Ocllehcj.exe File created C:\Windows\SysWOW64\Dahifbpk.exe Dgbeiiqe.exe File created C:\Windows\SysWOW64\Jlphbbbg.exe Jlnklcej.exe File opened for modification C:\Windows\SysWOW64\Cnkjnb32.exe Cebeem32.exe File created C:\Windows\SysWOW64\Onaiomjo.dll Cnkjnb32.exe File opened for modification C:\Windows\SysWOW64\Gnpmfqap.exe Gicdnj32.exe File created C:\Windows\SysWOW64\Naalga32.exe Nhgkil32.exe File created C:\Windows\SysWOW64\Fofpoo32.exe Fcmben32.exe File created C:\Windows\SysWOW64\Giipab32.exe Gncldi32.exe File created C:\Windows\SysWOW64\Naejdn32.dll Nhjjgd32.exe File opened for modification C:\Windows\SysWOW64\Okdkal32.exe Nkmdpm32.exe File opened for modification C:\Windows\SysWOW64\Cpkmcldj.exe Cfcijf32.exe File opened for modification C:\Windows\SysWOW64\Ahbekjcf.exe Acfmcc32.exe File created C:\Windows\SysWOW64\Aobnniji.exe Ajeeeblb.exe File created C:\Windows\SysWOW64\Fnndan32.exe Egdlec32.exe File created C:\Windows\SysWOW64\Gbqbaofc.exe Gembhj32.exe File created C:\Windows\SysWOW64\Anolkh32.exe Amkbnp32.exe File created C:\Windows\SysWOW64\Cbpjfb32.dll Gpcoib32.exe File created C:\Windows\SysWOW64\Ccbpgj32.dll Gbdhjm32.exe File created C:\Windows\SysWOW64\Okjnobhq.dll Hnbopmnm.exe File created C:\Windows\SysWOW64\Abegfa32.exe Agpcihcf.exe File opened for modification C:\Windows\SysWOW64\Ngdifkpi.exe Mholen32.exe File created C:\Windows\SysWOW64\Aciqcifh.exe Aknlofim.exe File created C:\Windows\SysWOW64\Abfnpg32.exe Qmifhq32.exe File opened for modification C:\Windows\SysWOW64\Njpgpbpf.exe Mlkjne32.exe File created C:\Windows\SysWOW64\Cmhglq32.exe Cnckjddd.exe File created C:\Windows\SysWOW64\Bepejfpc.dll Iaonhm32.exe File created C:\Windows\SysWOW64\Mnaggcej.exe Mclcijfd.exe File created C:\Windows\SysWOW64\Jajala32.exe Jpiedieo.exe File created C:\Windows\SysWOW64\Cdfddadf.dll Eldglp32.exe File created C:\Windows\SysWOW64\Pecgea32.exe Pcbncfjd.exe File created C:\Windows\SysWOW64\Gpoqpi32.dll Ddnfop32.exe File created C:\Windows\SysWOW64\Gmbfggdo.exe Ggfnopfg.exe File opened for modification C:\Windows\SysWOW64\Gpcoib32.exe Giiglhjb.exe File created C:\Windows\SysWOW64\Fphoebme.dll Cfcijf32.exe File created C:\Windows\SysWOW64\Gncldi32.exe Gifclb32.exe File opened for modification C:\Windows\SysWOW64\Gepafc32.exe Gneijien.exe File opened for modification C:\Windows\SysWOW64\Mooaljkh.exe Lcfqkl32.exe File created C:\Windows\SysWOW64\Ehoocgeb.exe Ekknjcfh.exe File created C:\Windows\SysWOW64\Qknjgb32.dll Gjlgfaco.exe File opened for modification C:\Windows\SysWOW64\Abegfa32.exe Agpcihcf.exe File created C:\Windows\SysWOW64\Eddeladm.exe Ecbhdi32.exe File created C:\Windows\SysWOW64\Nldodg32.dll Mkhofjoj.exe File created C:\Windows\SysWOW64\Pniqhlqh.dll Plmpblnb.exe File opened for modification C:\Windows\SysWOW64\Nhjjgd32.exe Nnafnopi.exe File created C:\Windows\SysWOW64\Bikppe32.dll Jgncfcaa.exe File created C:\Windows\SysWOW64\Lfpeeqig.exe Lneaqn32.exe File opened for modification C:\Windows\SysWOW64\Cblfdg32.exe Cehfkb32.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\system32†Edggmg32.¾ll Dpapaj32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lbemfbdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdhqpd32.dll" Lbemfbdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cpfmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pikhak32.dll" Lanaiahq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edobgb32.dll" Nkmdpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Acqnnndl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kglehp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jmhnkfpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kmjojo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ajecmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fcmiod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aejonffm.dll" Gnpmfqap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eddeladm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhlbmkc.dll" Jkebjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pahogc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lkihdioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lgchgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enemcbio.dll" Oiffkkbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdmfgfng.dll" Jnkakl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bblhki32.dll" Mbbfep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ihniaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nhgkil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dmbcen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Opnbbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bqijljfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alacdcjm.dll" Phfmllbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcmkhf32.dll" Mcjhmcok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ngfflj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Heakcjcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iflmjihl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dbncjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qmifhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpoqpi32.dll" Ddnfop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Knnkpobc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kojpahgg.dll" Ooicid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdlbfien.dll" Agpcihcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cobhlhdl.dll" Fcmben32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gepafc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jikeeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ippbdn32.dll" Nnmlcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll" Cileqlmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pjpnbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mclcijfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfcemimp.dll" Gildahhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Giipab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ahbekjcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ciqcmiei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hldlga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqnpei32.dll" Iibfajdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pniqhlqh.dll" Plmpblnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipnmn32.dll" Jbefcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oiffkkbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Paiaplin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mbhjlbbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mimemp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kgfoie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Phfmllbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hldlga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qnghel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ekknjcfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hcldhnkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cfkloq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ippbnjni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cofnjj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2100 wrote to memory of 2672 2100 1078668912e4d241404cc1b084cda1767cc092f3afc89b36dfc5bf8f2631edb8.exe 28 PID 2100 wrote to memory of 2672 2100 1078668912e4d241404cc1b084cda1767cc092f3afc89b36dfc5bf8f2631edb8.exe 28 PID 2100 wrote to memory of 2672 2100 1078668912e4d241404cc1b084cda1767cc092f3afc89b36dfc5bf8f2631edb8.exe 28 PID 2100 wrote to memory of 2672 2100 1078668912e4d241404cc1b084cda1767cc092f3afc89b36dfc5bf8f2631edb8.exe 28 PID 2672 wrote to memory of 2728 2672 Kmjojo32.exe 29 PID 2672 wrote to memory of 2728 2672 Kmjojo32.exe 29 PID 2672 wrote to memory of 2728 2672 Kmjojo32.exe 29 PID 2672 wrote to memory of 2728 2672 Kmjojo32.exe 29 PID 2728 wrote to memory of 2484 2728 Kaldcb32.exe 30 PID 2728 wrote to memory of 2484 2728 Kaldcb32.exe 30 PID 2728 wrote to memory of 2484 2728 Kaldcb32.exe 30 PID 2728 wrote to memory of 2484 2728 Kaldcb32.exe 30 PID 2484 wrote to memory of 2500 2484 Lanaiahq.exe 31 PID 2484 wrote to memory of 2500 2484 Lanaiahq.exe 31 PID 2484 wrote to memory of 2500 2484 Lanaiahq.exe 31 PID 2484 wrote to memory of 2500 2484 Lanaiahq.exe 31 PID 2500 wrote to memory of 2488 2500 Lapnnafn.exe 32 PID 2500 wrote to memory of 2488 2500 Lapnnafn.exe 32 PID 2500 wrote to memory of 2488 2500 Lapnnafn.exe 32 PID 2500 wrote to memory of 2488 2500 Lapnnafn.exe 32 PID 2488 wrote to memory of 2968 2488 Lfbpag32.exe 33 PID 2488 wrote to memory of 2968 2488 Lfbpag32.exe 33 PID 2488 wrote to memory of 2968 2488 Lfbpag32.exe 33 PID 2488 wrote to memory of 2968 2488 Lfbpag32.exe 33 PID 2968 wrote to memory of 520 2968 Lcfqkl32.exe 34 PID 2968 wrote to memory of 520 2968 Lcfqkl32.exe 34 PID 2968 wrote to memory of 520 2968 Lcfqkl32.exe 34 PID 2968 wrote to memory of 520 2968 Lcfqkl32.exe 34 PID 520 wrote to memory of 564 520 Mooaljkh.exe 35 PID 520 wrote to memory of 564 520 Mooaljkh.exe 35 PID 520 wrote to memory of 564 520 Mooaljkh.exe 35 PID 520 wrote to memory of 564 520 Mooaljkh.exe 35 PID 564 wrote to memory of 2664 564 Mkhofjoj.exe 36 PID 564 wrote to memory of 2664 564 Mkhofjoj.exe 36 PID 564 wrote to memory of 2664 564 Mkhofjoj.exe 36 PID 564 wrote to memory of 2664 564 Mkhofjoj.exe 36 PID 2664 wrote to memory of 1964 2664 Mholen32.exe 37 PID 2664 wrote to memory of 1964 2664 Mholen32.exe 37 PID 2664 wrote to memory of 1964 2664 Mholen32.exe 37 PID 2664 wrote to memory of 1964 2664 Mholen32.exe 37 PID 1964 wrote to memory of 1108 1964 Ngdifkpi.exe 38 PID 1964 wrote to memory of 1108 1964 Ngdifkpi.exe 38 PID 1964 wrote to memory of 1108 1964 Ngdifkpi.exe 38 PID 1964 wrote to memory of 1108 1964 Ngdifkpi.exe 38 PID 1108 wrote to memory of 2708 1108 Ngfflj32.exe 39 PID 1108 wrote to memory of 2708 1108 Ngfflj32.exe 39 PID 1108 wrote to memory of 2708 1108 Ngfflj32.exe 39 PID 1108 wrote to memory of 2708 1108 Ngfflj32.exe 39 PID 2708 wrote to memory of 1372 2708 Npagjpcd.exe 40 PID 2708 wrote to memory of 1372 2708 Npagjpcd.exe 40 PID 2708 wrote to memory of 1372 2708 Npagjpcd.exe 40 PID 2708 wrote to memory of 1372 2708 Npagjpcd.exe 40 PID 1372 wrote to memory of 2448 1372 Nofdklgl.exe 41 PID 1372 wrote to memory of 2448 1372 Nofdklgl.exe 41 PID 1372 wrote to memory of 2448 1372 Nofdklgl.exe 41 PID 1372 wrote to memory of 2448 1372 Nofdklgl.exe 41 PID 2448 wrote to memory of 2224 2448 Nkmdpm32.exe 42 PID 2448 wrote to memory of 2224 2448 Nkmdpm32.exe 42 PID 2448 wrote to memory of 2224 2448 Nkmdpm32.exe 42 PID 2448 wrote to memory of 2224 2448 Nkmdpm32.exe 42 PID 2224 wrote to memory of 2120 2224 Okdkal32.exe 43 PID 2224 wrote to memory of 2120 2224 Okdkal32.exe 43 PID 2224 wrote to memory of 2120 2224 Okdkal32.exe 43 PID 2224 wrote to memory of 2120 2224 Okdkal32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\1078668912e4d241404cc1b084cda1767cc092f3afc89b36dfc5bf8f2631edb8.exe"C:\Users\Admin\AppData\Local\Temp\1078668912e4d241404cc1b084cda1767cc092f3afc89b36dfc5bf8f2631edb8.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Kmjojo32.exeC:\Windows\system32\Kmjojo32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Kaldcb32.exeC:\Windows\system32\Kaldcb32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Lanaiahq.exeC:\Windows\system32\Lanaiahq.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Lapnnafn.exeC:\Windows\system32\Lapnnafn.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Lfbpag32.exeC:\Windows\system32\Lfbpag32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Lcfqkl32.exeC:\Windows\system32\Lcfqkl32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Mooaljkh.exeC:\Windows\system32\Mooaljkh.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:520 -
C:\Windows\SysWOW64\Mkhofjoj.exeC:\Windows\system32\Mkhofjoj.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\SysWOW64\Mholen32.exeC:\Windows\system32\Mholen32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Ngdifkpi.exeC:\Windows\system32\Ngdifkpi.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Ngfflj32.exeC:\Windows\system32\Ngfflj32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Npagjpcd.exeC:\Windows\system32\Npagjpcd.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Nofdklgl.exeC:\Windows\system32\Nofdklgl.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\Nkmdpm32.exeC:\Windows\system32\Nkmdpm32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Okdkal32.exeC:\Windows\system32\Okdkal32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Odlojanh.exeC:\Windows\system32\Odlojanh.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2120 -
C:\Windows\SysWOW64\Pkidlk32.exeC:\Windows\system32\Pkidlk32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2364 -
C:\Windows\SysWOW64\Pfbelipa.exeC:\Windows\system32\Pfbelipa.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:924 -
C:\Windows\SysWOW64\Pjpnbg32.exeC:\Windows\system32\Pjpnbg32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1120 -
C:\Windows\SysWOW64\Pfgngh32.exeC:\Windows\system32\Pfgngh32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1960 -
C:\Windows\SysWOW64\Pndpajgd.exeC:\Windows\system32\Pndpajgd.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Qgmdjp32.exeC:\Windows\system32\Qgmdjp32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1188 -
C:\Windows\SysWOW64\Qeaedd32.exeC:\Windows\system32\Qeaedd32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2436 -
C:\Windows\SysWOW64\Qjnmlk32.exeC:\Windows\system32\Qjnmlk32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1524 -
C:\Windows\SysWOW64\Aecaidjl.exeC:\Windows\system32\Aecaidjl.exe26⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Anlfbi32.exeC:\Windows\system32\Anlfbi32.exe27⤵
- Loads dropped DLL
PID:1720 -
C:\Windows\SysWOW64\Annbhi32.exeC:\Windows\system32\Annbhi32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3028 -
C:\Windows\SysWOW64\Ajecmj32.exeC:\Windows\system32\Ajecmj32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Amelne32.exeC:\Windows\system32\Amelne32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2504 -
C:\Windows\SysWOW64\Bfpnmj32.exeC:\Windows\system32\Bfpnmj32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Cbgjqo32.exeC:\Windows\system32\Cbgjqo32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\Ciqcmiei.exeC:\Windows\system32\Ciqcmiei.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:264 -
C:\Windows\SysWOW64\Cegcbjkn.exeC:\Windows\system32\Cegcbjkn.exe34⤵
- Executes dropped EXE
PID:108 -
C:\Windows\SysWOW64\Cophko32.exeC:\Windows\system32\Cophko32.exe35⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Cielhh32.exeC:\Windows\system32\Cielhh32.exe36⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Dobdqo32.exeC:\Windows\system32\Dobdqo32.exe37⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Dhkiid32.exeC:\Windows\system32\Dhkiid32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Dngabk32.exeC:\Windows\system32\Dngabk32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Ddajoelp.exeC:\Windows\system32\Ddajoelp.exe40⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Dnjngk32.exeC:\Windows\system32\Dnjngk32.exe41⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Dhobddbf.exeC:\Windows\system32\Dhobddbf.exe42⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Dnlkmkpn.exeC:\Windows\system32\Dnlkmkpn.exe43⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Djclbl32.exeC:\Windows\system32\Djclbl32.exe44⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Ddhpod32.exeC:\Windows\system32\Ddhpod32.exe45⤵
- Executes dropped EXE
PID:428 -
C:\Windows\SysWOW64\Efjlgmlf.exeC:\Windows\system32\Efjlgmlf.exe46⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Egiiapci.exeC:\Windows\system32\Egiiapci.exe47⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Efnfbl32.exeC:\Windows\system32\Efnfbl32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Ekknjcfh.exeC:\Windows\system32\Ekknjcfh.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Ehoocgeb.exeC:\Windows\system32\Ehoocgeb.exe50⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Enlglnci.exeC:\Windows\system32\Enlglnci.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Egdlec32.exeC:\Windows\system32\Egdlec32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Fnndan32.exeC:\Windows\system32\Fnndan32.exe53⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Fgfhjcgg.exeC:\Windows\system32\Fgfhjcgg.exe54⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Fqomci32.exeC:\Windows\system32\Fqomci32.exe55⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Fcmiod32.exeC:\Windows\system32\Fcmiod32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Fqajihle.exeC:\Windows\system32\Fqajihle.exe57⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Fjjnan32.exeC:\Windows\system32\Fjjnan32.exe58⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Fgnokb32.exeC:\Windows\system32\Fgnokb32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Fmjgcipg.exeC:\Windows\system32\Fmjgcipg.exe60⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Ffcllo32.exeC:\Windows\system32\Ffcllo32.exe61⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Gicdnj32.exeC:\Windows\system32\Gicdnj32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:880 -
C:\Windows\SysWOW64\Gnpmfqap.exeC:\Windows\system32\Gnpmfqap.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:800 -
C:\Windows\SysWOW64\Gppipc32.exeC:\Windows\system32\Gppipc32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Gembhj32.exeC:\Windows\system32\Gembhj32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1396 -
C:\Windows\SysWOW64\Gbqbaofc.exeC:\Windows\system32\Gbqbaofc.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Ghmkjedk.exeC:\Windows\system32\Ghmkjedk.exe67⤵PID:2332
-
C:\Windows\SysWOW64\Gjlgfaco.exeC:\Windows\system32\Gjlgfaco.exe68⤵
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\Heakcjcd.exeC:\Windows\system32\Heakcjcd.exe69⤵
- Modifies registry class
PID:1284 -
C:\Windows\SysWOW64\Hmmphlpp.exeC:\Windows\system32\Hmmphlpp.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:300 -
C:\Windows\SysWOW64\Hhbdee32.exeC:\Windows\system32\Hhbdee32.exe71⤵PID:1092
-
C:\Windows\SysWOW64\Hbleeb32.exeC:\Windows\system32\Hbleeb32.exe72⤵PID:1912
-
C:\Windows\SysWOW64\Hifmbmda.exeC:\Windows\system32\Hifmbmda.exe73⤵PID:2156
-
C:\Windows\SysWOW64\Hmcfhkjg.exeC:\Windows\system32\Hmcfhkjg.exe74⤵PID:2212
-
C:\Windows\SysWOW64\Hflkaq32.exeC:\Windows\system32\Hflkaq32.exe75⤵PID:2720
-
C:\Windows\SysWOW64\Iaelanmg.exeC:\Windows\system32\Iaelanmg.exe76⤵PID:2624
-
C:\Windows\SysWOW64\Iknpkd32.exeC:\Windows\system32\Iknpkd32.exe77⤵PID:2612
-
C:\Windows\SysWOW64\Iecdhm32.exeC:\Windows\system32\Iecdhm32.exe78⤵PID:1656
-
C:\Windows\SysWOW64\Ilnmdgkj.exeC:\Windows\system32\Ilnmdgkj.exe79⤵PID:944
-
C:\Windows\SysWOW64\Ihdmihpn.exeC:\Windows\system32\Ihdmihpn.exe80⤵PID:2152
-
C:\Windows\SysWOW64\Ippbnjni.exeC:\Windows\system32\Ippbnjni.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1204 -
C:\Windows\SysWOW64\Iaonhm32.exeC:\Windows\system32\Iaonhm32.exe82⤵
- Drops file in System32 directory
PID:1696 -
C:\Windows\SysWOW64\Jliohkak.exeC:\Windows\system32\Jliohkak.exe83⤵PID:308
-
C:\Windows\SysWOW64\Jgncfcaa.exeC:\Windows\system32\Jgncfcaa.exe84⤵
- Drops file in System32 directory
PID:2260 -
C:\Windows\SysWOW64\Joihjfnl.exeC:\Windows\system32\Joihjfnl.exe85⤵PID:2068
-
C:\Windows\SysWOW64\Jpiedieo.exeC:\Windows\system32\Jpiedieo.exe86⤵
- Drops file in System32 directory
PID:1140 -
C:\Windows\SysWOW64\Jajala32.exeC:\Windows\system32\Jajala32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3012 -
C:\Windows\SysWOW64\Jkbfdfbm.exeC:\Windows\system32\Jkbfdfbm.exe88⤵PID:1924
-
C:\Windows\SysWOW64\Jfhjbobc.exeC:\Windows\system32\Jfhjbobc.exe89⤵PID:1876
-
C:\Windows\SysWOW64\Jkebjf32.exeC:\Windows\system32\Jkebjf32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1068 -
C:\Windows\SysWOW64\Khiccj32.exeC:\Windows\system32\Khiccj32.exe91⤵PID:964
-
C:\Windows\SysWOW64\Knekla32.exeC:\Windows\system32\Knekla32.exe92⤵PID:2904
-
C:\Windows\SysWOW64\Kgnpeg32.exeC:\Windows\system32\Kgnpeg32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2216 -
C:\Windows\SysWOW64\Knhhaaki.exeC:\Windows\system32\Knhhaaki.exe94⤵PID:2020
-
C:\Windows\SysWOW64\Kklikejc.exeC:\Windows\system32\Kklikejc.exe95⤵PID:2856
-
C:\Windows\SysWOW64\Lbackc32.exeC:\Windows\system32\Lbackc32.exe96⤵PID:2032
-
C:\Windows\SysWOW64\Lkihdioa.exeC:\Windows\system32\Lkihdioa.exe97⤵
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Lklejh32.exeC:\Windows\system32\Lklejh32.exe98⤵PID:2540
-
C:\Windows\SysWOW64\Lbemfbdk.exeC:\Windows\system32\Lbemfbdk.exe99⤵
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Llnaoh32.exeC:\Windows\system32\Llnaoh32.exe100⤵PID:2836
-
C:\Windows\SysWOW64\Mbhjlbbh.exeC:\Windows\system32\Mbhjlbbh.exe101⤵
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Mjcoqdoc.exeC:\Windows\system32\Mjcoqdoc.exe102⤵PID:1968
-
C:\Windows\SysWOW64\Mclcijfd.exeC:\Windows\system32\Mclcijfd.exe103⤵
- Drops file in System32 directory
- Modifies registry class
PID:1352 -
C:\Windows\SysWOW64\Mnaggcej.exeC:\Windows\system32\Mnaggcej.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2840 -
C:\Windows\SysWOW64\Mpbdnk32.exeC:\Windows\system32\Mpbdnk32.exe105⤵PID:2324
-
C:\Windows\SysWOW64\Mmfdhojb.exeC:\Windows\system32\Mmfdhojb.exe106⤵PID:2304
-
C:\Windows\SysWOW64\Mfoiqe32.exeC:\Windows\system32\Mfoiqe32.exe107⤵PID:2420
-
C:\Windows\SysWOW64\Mimemp32.exeC:\Windows\system32\Mimemp32.exe108⤵
- Modifies registry class
PID:1336 -
C:\Windows\SysWOW64\Nmkncofl.exeC:\Windows\system32\Nmkncofl.exe109⤵PID:2428
-
C:\Windows\SysWOW64\Nlpkdkkd.exeC:\Windows\system32\Nlpkdkkd.exe110⤵PID:2196
-
C:\Windows\SysWOW64\Nhgkil32.exeC:\Windows\system32\Nhgkil32.exe111⤵
- Drops file in System32 directory
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Naalga32.exeC:\Windows\system32\Naalga32.exe112⤵PID:1624
-
C:\Windows\SysWOW64\Ngneph32.exeC:\Windows\system32\Ngneph32.exe113⤵PID:2532
-
C:\Windows\SysWOW64\Npgihn32.exeC:\Windows\system32\Npgihn32.exe114⤵PID:3000
-
C:\Windows\SysWOW64\Opifnm32.exeC:\Windows\system32\Opifnm32.exe115⤵PID:1500
-
C:\Windows\SysWOW64\Ocgbji32.exeC:\Windows\system32\Ocgbji32.exe116⤵PID:2200
-
C:\Windows\SysWOW64\Olpgconp.exeC:\Windows\system32\Olpgconp.exe117⤵PID:1176
-
C:\Windows\SysWOW64\Ocllehcj.exeC:\Windows\system32\Ocllehcj.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1160 -
C:\Windows\SysWOW64\Ooclji32.exeC:\Windows\system32\Ooclji32.exe119⤵PID:2240
-
C:\Windows\SysWOW64\Ocohkh32.exeC:\Windows\system32\Ocohkh32.exe120⤵PID:1928
-
C:\Windows\SysWOW64\Ohkaco32.exeC:\Windows\system32\Ohkaco32.exe121⤵PID:236
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-