Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
06-07-2024 19:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1af6d98d78deaee2a088308c1eb34ea5b7f06a4536e4037f8655ad6430c2ef5b.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
1af6d98d78deaee2a088308c1eb34ea5b7f06a4536e4037f8655ad6430c2ef5b.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
1af6d98d78deaee2a088308c1eb34ea5b7f06a4536e4037f8655ad6430c2ef5b.exe
-
Size
62KB
-
MD5
242c42cdb9164a5457794071d22b9c76
-
SHA1
6f5d8c1e151fb176cef0eaf847f9e7af9e66fff9
-
SHA256
1af6d98d78deaee2a088308c1eb34ea5b7f06a4536e4037f8655ad6430c2ef5b
-
SHA512
c5e6055f88526db58f7c70c355458bcfc7133360482a8fd4b200e5df66ae8066e36b50a2207a9d6120a5fe3626931cc565028637e1103e52eb0160b18b26100e
-
SSDEEP
1536:sjEMajylXpRnkX4F6e1dcXEWNBAplnTnbfijVJJCynve8Cy:r0XpRkw6e1FlTn7iJJJCKve8
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojkboo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pccfge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phjelg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apcfahio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fehjeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdoclk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihoafpmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkdmcdoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cllpkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dngoibmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enihne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odgcfijj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogmfbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogmfbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piehkkcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgmkmecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejgcdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlhaqogk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmkfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djpmccqq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpmgqnfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlelaeqk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mohbip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qeqbkkej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qljkhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdlblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chcqpmep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmoipopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecpgmhai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkgkbipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obkdonic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbiciana.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phjelg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebbgid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epfhbign.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpfdalii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaeiieeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieqeidnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiinen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckignd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfbhnaho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgodbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqonkmdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eecqjpee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjgoce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdopkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pijbfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahakmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djbiicon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emhlfmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gelppaof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mofecpnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpeofk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dngoibmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdopkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mochnppo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgfjbgmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enihne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejbfhfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcnpbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 1af6d98d78deaee2a088308c1eb34ea5b7f06a4536e4037f8655ad6430c2ef5b.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckignd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbnbobin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fphafl32.exe -
Executes dropped EXE 64 IoCs
pid Process 2632 Lmkfei32.exe 2668 Ldenbcge.exe 2796 Libgjj32.exe 2664 Lplogdmj.exe 2028 Mcjkcplm.exe 2016 Midcpj32.exe 108 Mlcple32.exe 1364 Maphdl32.exe 2128 Mlelaeqk.exe 2080 Mochnppo.exe 2132 Mlgigdoh.exe 2084 Mofecpnl.exe 2928 Mhnjle32.exe 2184 Mohbip32.exe 2064 Mpjoqhah.exe 880 Naikkk32.exe 1596 Ncjgbcoi.exe 2072 Nkaocp32.exe 840 Npnhlg32.exe 696 Ncmdhb32.exe 1016 Nnbhek32.exe 3052 Nocemcbj.exe 2976 Njiijlbp.exe 1948 Nhlifi32.exe 824 Njkfpl32.exe 2580 Nmjblg32.exe 2672 Nccjhafn.exe 2704 Nbfjdn32.exe 2564 Okoomd32.exe 2524 Onmkio32.exe 2896 Odgcfijj.exe 992 Obkdonic.exe 2512 Oqndkj32.exe 1020 Okchhc32.exe 1556 Oqqapjnk.exe 796 Ocomlemo.exe 1424 Ondajnme.exe 1280 Oqcnfjli.exe 2912 Oenifh32.exe 1896 Ogmfbd32.exe 572 Ofpfnqjp.exe 628 Ojkboo32.exe 2768 Pminkk32.exe 1108 Pccfge32.exe 3020 Pgobhcac.exe 1228 Pipopl32.exe 340 Pmlkpjpj.exe 1928 Paggai32.exe 2836 Pbiciana.exe 2544 Pfdpip32.exe 2592 Piblek32.exe 2612 Plahag32.exe 2588 Ppmdbe32.exe 2444 Pchpbded.exe 1548 Pfflopdh.exe 1460 Piehkkcl.exe 1676 Pmqdkj32.exe 1848 Plcdgfbo.exe 2244 Pbmmcq32.exe 844 Pfiidobe.exe 2916 Pigeqkai.exe 2292 Phjelg32.exe 2820 Ppamme32.exe 1788 Pabjem32.exe -
Loads dropped DLL 64 IoCs
pid Process 1644 1af6d98d78deaee2a088308c1eb34ea5b7f06a4536e4037f8655ad6430c2ef5b.exe 1644 1af6d98d78deaee2a088308c1eb34ea5b7f06a4536e4037f8655ad6430c2ef5b.exe 2632 Lmkfei32.exe 2632 Lmkfei32.exe 2668 Ldenbcge.exe 2668 Ldenbcge.exe 2796 Libgjj32.exe 2796 Libgjj32.exe 2664 Lplogdmj.exe 2664 Lplogdmj.exe 2028 Mcjkcplm.exe 2028 Mcjkcplm.exe 2016 Midcpj32.exe 2016 Midcpj32.exe 108 Mlcple32.exe 108 Mlcple32.exe 1364 Maphdl32.exe 1364 Maphdl32.exe 2128 Mlelaeqk.exe 2128 Mlelaeqk.exe 2080 Mochnppo.exe 2080 Mochnppo.exe 2132 Mlgigdoh.exe 2132 Mlgigdoh.exe 2084 Mofecpnl.exe 2084 Mofecpnl.exe 2928 Mhnjle32.exe 2928 Mhnjle32.exe 2184 Mohbip32.exe 2184 Mohbip32.exe 2064 Mpjoqhah.exe 2064 Mpjoqhah.exe 880 Naikkk32.exe 880 Naikkk32.exe 1596 Ncjgbcoi.exe 1596 Ncjgbcoi.exe 2072 Nkaocp32.exe 2072 Nkaocp32.exe 840 Npnhlg32.exe 840 Npnhlg32.exe 696 Ncmdhb32.exe 696 Ncmdhb32.exe 1016 Nnbhek32.exe 1016 Nnbhek32.exe 3052 Nocemcbj.exe 3052 Nocemcbj.exe 2976 Njiijlbp.exe 2976 Njiijlbp.exe 1948 Nhlifi32.exe 1948 Nhlifi32.exe 824 Njkfpl32.exe 824 Njkfpl32.exe 2580 Nmjblg32.exe 2580 Nmjblg32.exe 2672 Nccjhafn.exe 2672 Nccjhafn.exe 2704 Nbfjdn32.exe 2704 Nbfjdn32.exe 2564 Okoomd32.exe 2564 Okoomd32.exe 2524 Onmkio32.exe 2524 Onmkio32.exe 2896 Odgcfijj.exe 2896 Odgcfijj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cpeofk32.exe Cljcelan.exe File created C:\Windows\SysWOW64\Qhmbagfa.exe Pijbfj32.exe File created C:\Windows\SysWOW64\Fqpjbf32.dll Cjndop32.exe File created C:\Windows\SysWOW64\Gbkgnfbd.exe Gpmjak32.exe File opened for modification C:\Windows\SysWOW64\Goddhg32.exe Glfhll32.exe File opened for modification C:\Windows\SysWOW64\Chemfl32.exe Cjbmjplb.exe File created C:\Windows\SysWOW64\Qdcbfq32.dll Faokjpfd.exe File created C:\Windows\SysWOW64\Pnnclg32.dll Gieojq32.exe File created C:\Windows\SysWOW64\Fealjk32.dll Hdfflm32.exe File created C:\Windows\SysWOW64\Bhpdae32.dll Hdhbam32.exe File created C:\Windows\SysWOW64\Fenhecef.dll Hellne32.exe File opened for modification C:\Windows\SysWOW64\Pgobhcac.exe Pccfge32.exe File created C:\Windows\SysWOW64\Abmibdlh.exe Apomfh32.exe File opened for modification C:\Windows\SysWOW64\Abmibdlh.exe Apomfh32.exe File created C:\Windows\SysWOW64\Jeccgbbh.dll Fjilieka.exe File opened for modification C:\Windows\SysWOW64\Ocomlemo.exe Oqqapjnk.exe File created C:\Windows\SysWOW64\Bdjefj32.exe Balijo32.exe File created C:\Windows\SysWOW64\Ndabhn32.dll Hpmgqnfl.exe File created C:\Windows\SysWOW64\Hacmcfge.exe Hodpgjha.exe File opened for modification C:\Windows\SysWOW64\Oenifh32.exe Oqcnfjli.exe File created C:\Windows\SysWOW64\Mhhaff32.dll Piehkkcl.exe File created C:\Windows\SysWOW64\Kqmoql32.dll Ppamme32.exe File created C:\Windows\SysWOW64\Cbnbobin.exe Copfbfjj.exe File created C:\Windows\SysWOW64\Oadqjk32.dll Dgodbh32.exe File created C:\Windows\SysWOW64\Flcnijgi.dll Dgdmmgpj.exe File opened for modification C:\Windows\SysWOW64\Fmlapp32.exe Feeiob32.exe File opened for modification C:\Windows\SysWOW64\Hpmgqnfl.exe Hicodd32.exe File opened for modification C:\Windows\SysWOW64\Bghabf32.exe Bdjefj32.exe File opened for modification C:\Windows\SysWOW64\Cjbmjplb.exe Cbkeib32.exe File opened for modification C:\Windows\SysWOW64\Dbpodagk.exe Cndbcc32.exe File created C:\Windows\SysWOW64\Jkdalhhc.dll Boiccdnf.exe File created C:\Windows\SysWOW64\Cjndop32.exe Cfbhnaho.exe File created C:\Windows\SysWOW64\Gdopkn32.exe Gelppaof.exe File opened for modification C:\Windows\SysWOW64\Nbfjdn32.exe Nccjhafn.exe File opened for modification C:\Windows\SysWOW64\Eilpeooq.exe Ebbgid32.exe File opened for modification C:\Windows\SysWOW64\Pfdpip32.exe Pbiciana.exe File opened for modification C:\Windows\SysWOW64\Afmonbqk.exe Aoffmd32.exe File created C:\Windows\SysWOW64\Fhhcgj32.exe Fejgko32.exe File created C:\Windows\SysWOW64\Jagbha32.dll Mpjoqhah.exe File created C:\Windows\SysWOW64\Dgmglh32.exe Dhjgal32.exe File created C:\Windows\SysWOW64\Gonnhhln.exe Gpknlk32.exe File opened for modification C:\Windows\SysWOW64\Nhlifi32.exe Njiijlbp.exe File created C:\Windows\SysWOW64\Piblek32.exe Pfdpip32.exe File created C:\Windows\SysWOW64\Ncjgbcoi.exe Naikkk32.exe File created C:\Windows\SysWOW64\Naeqjnho.dll Djpmccqq.exe File created C:\Windows\SysWOW64\Ofpfnqjp.exe Ogmfbd32.exe File created C:\Windows\SysWOW64\Lpicol32.dll Cljcelan.exe File created C:\Windows\SysWOW64\Bibckiab.dll Eajaoq32.exe File opened for modification C:\Windows\SysWOW64\Fdoclk32.exe Faagpp32.exe File created C:\Windows\SysWOW64\Djpmccqq.exe Dgaqgh32.exe File created C:\Windows\SysWOW64\Bjhjlg32.dll Mochnppo.exe File created C:\Windows\SysWOW64\Fncann32.dll Ddagfm32.exe File created C:\Windows\SysWOW64\Gicbeald.exe Gfefiemq.exe File created C:\Windows\SysWOW64\Ahakmf32.exe Adeplhib.exe File created C:\Windows\SysWOW64\Mjccnjpk.dll Aplpai32.exe File created C:\Windows\SysWOW64\Bcqgok32.dll Feeiob32.exe File created C:\Windows\SysWOW64\Lmkfei32.exe 1af6d98d78deaee2a088308c1eb34ea5b7f06a4536e4037f8655ad6430c2ef5b.exe File created C:\Windows\SysWOW64\Bnefdp32.exe Bkfjhd32.exe File created C:\Windows\SysWOW64\Nobdlg32.dll Dqjepm32.exe File opened for modification C:\Windows\SysWOW64\Eajaoq32.exe Ebgacddo.exe File opened for modification C:\Windows\SysWOW64\Fjgoce32.exe Fhhcgj32.exe File created C:\Windows\SysWOW64\Ognnoaka.dll Cngcjo32.exe File created C:\Windows\SysWOW64\Djefobmk.exe Dgfjbgmh.exe File created C:\Windows\SysWOW64\Ondajnme.exe Ocomlemo.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3980 3940 WerFault.exe 289 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abbmqhgj.dll" Midcpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hobcak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pipopl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpnhh32.dll" Pfiidobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkfjhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cibcni32.dll" Qhooggdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjccnjpk.dll" Aplpai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhkpmjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ambmpmln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cljcelan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcnpbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoffmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgqjffca.dll" Ejgcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbpij32.dll" Glfhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndabhn32.dll" Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpmchlpl.dll" Pfdpip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gacpdbej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmhheqje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhfilfi.dll" Cfeddafl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chemfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpfdalii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabenjd.dll" Gaemjbcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlelaeqk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppamme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qeqbkkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddflckmp.dll" Bhhnli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddagfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgfjbgmh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nccjhafn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhmbagfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhmbagfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajphib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icplghmh.dll" Bagpopmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpknlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgmkmecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dodonf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhnjle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhlifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ondajnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomkin32.dll" Paggai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajphib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleajblp.dll" Aiinen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecpgmhai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll" Hacmcfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjhjlg32.dll" Mochnppo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkaocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncmdhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpcbqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckdjbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eilpeooq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Beehencq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahaloofd.dll" Oenifh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeeonk32.dll" Cpeofk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdlnkmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fckjalhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdfflm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Midcpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pigeqkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmlapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fioija32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beehencq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqlafm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnoillim.dll" Ebbgid32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1644 wrote to memory of 2632 1644 1af6d98d78deaee2a088308c1eb34ea5b7f06a4536e4037f8655ad6430c2ef5b.exe 28 PID 1644 wrote to memory of 2632 1644 1af6d98d78deaee2a088308c1eb34ea5b7f06a4536e4037f8655ad6430c2ef5b.exe 28 PID 1644 wrote to memory of 2632 1644 1af6d98d78deaee2a088308c1eb34ea5b7f06a4536e4037f8655ad6430c2ef5b.exe 28 PID 1644 wrote to memory of 2632 1644 1af6d98d78deaee2a088308c1eb34ea5b7f06a4536e4037f8655ad6430c2ef5b.exe 28 PID 2632 wrote to memory of 2668 2632 Lmkfei32.exe 29 PID 2632 wrote to memory of 2668 2632 Lmkfei32.exe 29 PID 2632 wrote to memory of 2668 2632 Lmkfei32.exe 29 PID 2632 wrote to memory of 2668 2632 Lmkfei32.exe 29 PID 2668 wrote to memory of 2796 2668 Ldenbcge.exe 30 PID 2668 wrote to memory of 2796 2668 Ldenbcge.exe 30 PID 2668 wrote to memory of 2796 2668 Ldenbcge.exe 30 PID 2668 wrote to memory of 2796 2668 Ldenbcge.exe 30 PID 2796 wrote to memory of 2664 2796 Libgjj32.exe 31 PID 2796 wrote to memory of 2664 2796 Libgjj32.exe 31 PID 2796 wrote to memory of 2664 2796 Libgjj32.exe 31 PID 2796 wrote to memory of 2664 2796 Libgjj32.exe 31 PID 2664 wrote to memory of 2028 2664 Lplogdmj.exe 32 PID 2664 wrote to memory of 2028 2664 Lplogdmj.exe 32 PID 2664 wrote to memory of 2028 2664 Lplogdmj.exe 32 PID 2664 wrote to memory of 2028 2664 Lplogdmj.exe 32 PID 2028 wrote to memory of 2016 2028 Mcjkcplm.exe 33 PID 2028 wrote to memory of 2016 2028 Mcjkcplm.exe 33 PID 2028 wrote to memory of 2016 2028 Mcjkcplm.exe 33 PID 2028 wrote to memory of 2016 2028 Mcjkcplm.exe 33 PID 2016 wrote to memory of 108 2016 Midcpj32.exe 34 PID 2016 wrote to memory of 108 2016 Midcpj32.exe 34 PID 2016 wrote to memory of 108 2016 Midcpj32.exe 34 PID 2016 wrote to memory of 108 2016 Midcpj32.exe 34 PID 108 wrote to memory of 1364 108 Mlcple32.exe 35 PID 108 wrote to memory of 1364 108 Mlcple32.exe 35 PID 108 wrote to memory of 1364 108 Mlcple32.exe 35 PID 108 wrote to memory of 1364 108 Mlcple32.exe 35 PID 1364 wrote to memory of 2128 1364 Maphdl32.exe 36 PID 1364 wrote to memory of 2128 1364 Maphdl32.exe 36 PID 1364 wrote to memory of 2128 1364 Maphdl32.exe 36 PID 1364 wrote to memory of 2128 1364 Maphdl32.exe 36 PID 2128 wrote to memory of 2080 2128 Mlelaeqk.exe 37 PID 2128 wrote to memory of 2080 2128 Mlelaeqk.exe 37 PID 2128 wrote to memory of 2080 2128 Mlelaeqk.exe 37 PID 2128 wrote to memory of 2080 2128 Mlelaeqk.exe 37 PID 2080 wrote to memory of 2132 2080 Mochnppo.exe 38 PID 2080 wrote to memory of 2132 2080 Mochnppo.exe 38 PID 2080 wrote to memory of 2132 2080 Mochnppo.exe 38 PID 2080 wrote to memory of 2132 2080 Mochnppo.exe 38 PID 2132 wrote to memory of 2084 2132 Mlgigdoh.exe 39 PID 2132 wrote to memory of 2084 2132 Mlgigdoh.exe 39 PID 2132 wrote to memory of 2084 2132 Mlgigdoh.exe 39 PID 2132 wrote to memory of 2084 2132 Mlgigdoh.exe 39 PID 2084 wrote to memory of 2928 2084 Mofecpnl.exe 40 PID 2084 wrote to memory of 2928 2084 Mofecpnl.exe 40 PID 2084 wrote to memory of 2928 2084 Mofecpnl.exe 40 PID 2084 wrote to memory of 2928 2084 Mofecpnl.exe 40 PID 2928 wrote to memory of 2184 2928 Mhnjle32.exe 41 PID 2928 wrote to memory of 2184 2928 Mhnjle32.exe 41 PID 2928 wrote to memory of 2184 2928 Mhnjle32.exe 41 PID 2928 wrote to memory of 2184 2928 Mhnjle32.exe 41 PID 2184 wrote to memory of 2064 2184 Mohbip32.exe 42 PID 2184 wrote to memory of 2064 2184 Mohbip32.exe 42 PID 2184 wrote to memory of 2064 2184 Mohbip32.exe 42 PID 2184 wrote to memory of 2064 2184 Mohbip32.exe 42 PID 2064 wrote to memory of 880 2064 Mpjoqhah.exe 43 PID 2064 wrote to memory of 880 2064 Mpjoqhah.exe 43 PID 2064 wrote to memory of 880 2064 Mpjoqhah.exe 43 PID 2064 wrote to memory of 880 2064 Mpjoqhah.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\1af6d98d78deaee2a088308c1eb34ea5b7f06a4536e4037f8655ad6430c2ef5b.exe"C:\Users\Admin\AppData\Local\Temp\1af6d98d78deaee2a088308c1eb34ea5b7f06a4536e4037f8655ad6430c2ef5b.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:108 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:880 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:840 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:696 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1016 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:824 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2704 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe34⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe35⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1556 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:796 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1424 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1280 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1896 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe42⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe44⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1108 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe46⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1228 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe48⤵
- Executes dropped EXE
PID:340 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1928 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe52⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe53⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe54⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe55⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe56⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1460 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe58⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe59⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe60⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:844 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2916 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe65⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe67⤵
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe68⤵PID:1300
-
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe69⤵PID:2380
-
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe70⤵PID:2804
-
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe72⤵
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2724 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe74⤵PID:2708
-
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe75⤵PID:2508
-
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe76⤵
- Drops file in System32 directory
PID:1576 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1368 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe78⤵
- Modifies registry class
PID:352 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe79⤵PID:1912
-
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe81⤵PID:1420
-
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe82⤵PID:2220
-
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe83⤵PID:480
-
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe84⤵
- Drops file in System32 directory
PID:1468 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe85⤵PID:2008
-
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe86⤵PID:2224
-
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe87⤵PID:2368
-
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe88⤵
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe89⤵PID:1560
-
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe90⤵PID:2680
-
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe91⤵PID:2688
-
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe93⤵PID:2060
-
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2436 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe95⤵
- Drops file in System32 directory
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe96⤵PID:1532
-
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe97⤵PID:1412
-
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe98⤵
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe99⤵
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe100⤵PID:1544
-
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe101⤵PID:576
-
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe102⤵PID:1704
-
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe103⤵PID:2660
-
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe104⤵PID:556
-
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe105⤵
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe106⤵PID:2388
-
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe107⤵PID:2696
-
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe108⤵PID:1528
-
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe109⤵PID:2628
-
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe110⤵
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe111⤵
- Drops file in System32 directory
PID:2248 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe112⤵PID:2216
-
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:804 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe114⤵PID:848
-
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1464 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe116⤵
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe117⤵
- Drops file in System32 directory
- Modifies registry class
PID:2180 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe118⤵PID:1984
-
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe119⤵
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe120⤵PID:756
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1260
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-