Analysis
max time kernel: 149s
max time network: 16s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 09-07-2024 18:54

Static task: static1

Behavioral task: behavioral1
Sample: 0fe24facfbfeac55ffa9b3ad8748216b7031c13ff4a30b929e0c64e053236c16.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 0fe24facfbfeac55ffa9b3ad8748216b7031c13ff4a30b929e0c64e053236c16.exe
Resource: win10v2004-20240709-en

General
Target: 0fe24facfbfeac55ffa9b3ad8748216b7031c13ff4a30b929e0c64e053236c16.exe
Size: 456KB
MD5: b204fb33789190068d3ca7cb171b6b97
SHA1: b42a3fa620933a72b2dd0528c620aea5a5e8dd46
SHA256: 0fe24facfbfeac55ffa9b3ad8748216b7031c13ff4a30b929e0c64e053236c16
SHA512: c549f587697f97bec7ca50114c3b05aaf889eee7e21054534b533730bd2614ce3a6556f834ba39a8e3e2f632f0a8d4f63d74d3f7625e06cb6d8f9dafc006408e
SSDEEP: 12288:1jPwIKfDy/phgeczlqczZd7LFB3oFHoGnFjVZnykJGvpHGdm:hPwFfDy/phgeczlqczZd7LFB3oFHoGn+

Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lepihndm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfkjnmje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkibbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdlkpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aihenoef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhipcbdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogldfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epflbbpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbeakllj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfmclold.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cffnpdip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaeqeljm.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpgpfdoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogldfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgclpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjfhgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjialchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anigaeoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dilggefh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlhamp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enmplm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epflbbpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkflii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbhkdgbk.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jckiolgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajidnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eonhbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlgodgnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfkidh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijddokdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgfmmaem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nldbbbno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elmoqlmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcehpbdm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olclimif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giolpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pneiaidn.exe 
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbbpmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qohkdkdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khdhmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aclfigao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agikmeeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eehpoaaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhodgebh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbdmboqk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpcmojia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfpaqdnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ockhpgbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajcbpbkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 
Aediaoae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpqlmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mibgho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmnjgo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifchhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjdhpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emdjbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Indkgm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilihij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leebcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leebcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npgknf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npgknf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbdljk32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnedpl32.exe
Executes dropped EXE 64 IoCs
pid | Process
888 | Ojhdmgkl.exe
2132 | Ogldfl32.exe
2736 | Onhihepp.exe
2656 | Ofcnmh32.exe
2628 | Pneiaidn.exe
3052 | Pnhegi32.exe
672 | Qgeckn32.exe
320 | Amdhidqk.exe
2524 | Afojgiei.exe
2828 | Anjnllbd.exe
1772 | Bdkpob32.exe
1964 | Boadlk32.exe
844 | Bfliqmjg.exe
2408 | Cmkkhfmn.exe
1860 | Clphjc32.exe
1404 | Cdpfiekl.exe
1120 | Djokgk32.exe
1740 | Dgclpp32.exe
1696 | Djddbkck.exe
3016 | Dpnmoe32.exe
1316 | Dbaflm32.exe
2484 | Ekjjebed.exe
1532 | Edbonh32.exe
588 | Ebfpglkn.exe
3068 | Enmplm32.exe
2224 | Edieng32.exe
2760 | Emdjbi32.exe
2328 | Ecnbpcje.exe
2832 | Fpecddpi.exe
2752 | Fcehpbdm.exe
2696 | Fhgnie32.exe
3060 | Gncblo32.exe
2008 | Gdpkdf32.exe
3032 | Gmipmlan.exe
2052 | Gfadeaho.exe
388 | Gaghcjhd.exe
1996 | Gpledf32.exe
2280 | Hidjml32.exe
756 | Hiffbl32.exe
1692 | Hdlkpd32.exe
1376 | Hlgodgnk.exe
2488 | Hepdml32.exe
1324 | Hpehje32.exe
612 | Hinlck32.exe
1628 | Hbfalpab.exe
896 | Iomaaa32.exe
2348 | Idjjih32.exe
1604 | Ioonfaed.exe
2764 | Ihgcof32.exe
1096 | Indkgm32.exe
2204 | Igmppcpm.exe
1572 | Ilihij32.exe
2796 | Ijmibn32.exe
2324 | Jojaje32.exe
2520 | Jjpehn32.exe
2944 | Jpjndh32.exe
940 | Jakjlpif.exe
2188 | Jhebij32.exe
572 | Jficbn32.exe
2916 | Jhgonj32.exe
2108 | Jndgfqlh.exe
2196 | Jdnpck32.exe
1624 | Jbbpmo32.exe
2476 | Kgoief32.exe
Loads dropped DLL 64 IoCs
pid | Process
2124 | 0fe24facfbfeac55ffa9b3ad8748216b7031c13ff4a30b929e0c64e053236c16.exe
2124 | 0fe24facfbfeac55ffa9b3ad8748216b7031c13ff4a30b929e0c64e053236c16.exe
888 | Ojhdmgkl.exe
888 | Ojhdmgkl.exe
2132 | Ogldfl32.exe
2132 | Ogldfl32.exe
2736 | Onhihepp.exe
2736 | Onhihepp.exe
2656 | Ofcnmh32.exe
2656 | Ofcnmh32.exe
2628 | Pneiaidn.exe
2628 | Pneiaidn.exe
3052 | Pnhegi32.exe
3052 | Pnhegi32.exe
672 | Qgeckn32.exe
672 | Qgeckn32.exe
320 | Amdhidqk.exe
320 | Amdhidqk.exe
2524 | Afojgiei.exe
2524 | Afojgiei.exe
2828 | Anjnllbd.exe
2828 | Anjnllbd.exe
1772 | Bdkpob32.exe
1772 | Bdkpob32.exe
1964 | Boadlk32.exe
1964 | Boadlk32.exe
844 | Bfliqmjg.exe
844 | Bfliqmjg.exe
2408 | Cmkkhfmn.exe
2408 | Cmkkhfmn.exe
1860 | Clphjc32.exe
1860 | Clphjc32.exe
1404 | Cdpfiekl.exe
1404 | Cdpfiekl.exe
1120 | Djokgk32.exe
1120 | Djokgk32.exe
1740 | Dgclpp32.exe
1740 | Dgclpp32.exe
1696 | Djddbkck.exe
1696 | Djddbkck.exe
3016 | Dpnmoe32.exe
3016 | Dpnmoe32.exe
1316 | Dbaflm32.exe
1316 | Dbaflm32.exe
2484 | Ekjjebed.exe
2484 | Ekjjebed.exe
1532 | Edbonh32.exe
1532 | Edbonh32.exe
588 | Ebfpglkn.exe
588 | Ebfpglkn.exe
2568 | Ejcaanfg.exe
2568 | Ejcaanfg.exe
2224 | Edieng32.exe
2224 | Edieng32.exe
2760 | Emdjbi32.exe
2760 | Emdjbi32.exe
2328 | Ecnbpcje.exe
2328 | Ecnbpcje.exe
2832 | Fpecddpi.exe
2832 | Fpecddpi.exe
2752 | Fcehpbdm.exe
2752 | Fcehpbdm.exe
2696 | Fhgnie32.exe
2696 | Fhgnie32.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Indkgm32.exe | Ihgcof32.exe
File opened for modification | C:\Windows\SysWOW64\Dcdlpklh.exe | Dilggefh.exe
File opened for modification | C:\Windows\SysWOW64\Gbeakllj.exe | Gjjlfjoo.exe
File created | C:\Windows\SysWOW64\Njdcmn32.dll | Pjdeaohb.exe
File created | C:\Windows\SysWOW64\Pkjkdfjk.exe | Pfmclold.exe
File opened for modification | C:\Windows\SysWOW64\Lanpmn32.exe | Ljdgqc32.exe
File created | C:\Windows\SysWOW64\Gaghcjhd.exe | Gfadeaho.exe
File created | C:\Windows\SysWOW64\Ljdgqc32.exe | Lbibla32.exe
File created | C:\Windows\SysWOW64\Jpmgid32.dll | Nmlcbafa.exe
File created | C:\Windows\SysWOW64\Glpbiaqg.exe | Gbgnpl32.exe
File created | C:\Windows\SysWOW64\Ahhhgh32.exe | Agikmeeg.exe
File opened for modification | C:\Windows\SysWOW64\Eilfoapg.exe | Emeejpjc.exe
File created | C:\Windows\SysWOW64\Fhpfpkog.dll | Ccikghel.exe
File opened for modification | C:\Windows\SysWOW64\Ofcnmh32.exe | Onhihepp.exe
File created | C:\Windows\SysWOW64\Hieegjdf.dll | Pcajpjoi.exe
File created | C:\Windows\SysWOW64\Cdmbiojc.exe | Cgibpj32.exe
File created | C:\Windows\SysWOW64\Gflcplhh.exe | Gcmgdpid.exe
File created | C:\Windows\SysWOW64\Gceghn32.exe | Gccjbo32.exe
File opened for modification | C:\Windows\SysWOW64\Pnedpl32.exe | Pcppbc32.exe
File created | C:\Windows\SysWOW64\Nfopoail.dll | Agmehd32.exe
File created | C:\Windows\SysWOW64\Gealfddm.dll | Pdlmnm32.exe
File created | C:\Windows\SysWOW64\Cgibpj32.exe | Cffejk32.exe
File created | C:\Windows\SysWOW64\Lanpmn32.exe | Ljdgqc32.exe
File created | C:\Windows\SysWOW64\Idligq32.exe | Ijddokdo.exe
File created | C:\Windows\SysWOW64\Nioplnhf.dll | Kpgpfdoj.exe
File created | C:\Windows\SysWOW64\Bfldopno.exe | Bihdfkoe.exe
File opened for modification | C:\Windows\SysWOW64\Fobodn32.exe | Eckopm32.exe
File opened for modification | C:\Windows\SysWOW64\Pfmclold.exe | Pkgonf32.exe
File created | C:\Windows\SysWOW64\Gncblo32.exe | Fhgnie32.exe
File created | C:\Windows\SysWOW64\Ciekbj32.dll | Igmppcpm.exe
File created | C:\Windows\SysWOW64\Haoggh32.exe | Hehgbg32.exe
File created | C:\Windows\SysWOW64\Ejgkkf32.dll | Bickkl32.exe
File opened for modification | C:\Windows\SysWOW64\Hfnomgqe.exe | Hncjiecj.exe
File created | C:\Windows\SysWOW64\Mhjnniic.dll | Mibgho32.exe
File created | C:\Windows\SysWOW64\Ikndhp32.dll | Pgkjji32.exe
File created | C:\Windows\SysWOW64\Dhlelc32.dll | Llefld32.exe
File opened for modification | C:\Windows\SysWOW64\Lgfmmaem.exe | Ljbmdmfc.exe
File created | C:\Windows\SysWOW64\Bnajicja.dll | Mkmlbc32.exe
File created | C:\Windows\SysWOW64\Gfadeaho.exe | Gmipmlan.exe
File created | C:\Windows\SysWOW64\Lgaaiian.exe | Lpfmefdc.exe
File created | C:\Windows\SysWOW64\Ehemnf32.dll | Dpqlmm32.exe
File created | C:\Windows\SysWOW64\Ljbmdmfc.exe | Lhaqld32.exe
File created | C:\Windows\SysWOW64\Gdhimfaj.dll | Ojhdmgkl.exe
File created | C:\Windows\SysWOW64\Ioopon32.dll | Kbdmboqk.exe
File opened for modification | C:\Windows\SysWOW64\Kigkmmql.exe | Kcjcefbd.exe
File created | C:\Windows\SysWOW64\Jfpgid32.dll | Qkolil32.exe
File opened for modification | C:\Windows\SysWOW64\Gpdhiaoi.exe | Gflcplhh.exe
File opened for modification | C:\Windows\SysWOW64\Amdkam32.exe | Aclfigao.exe
File opened for modification | C:\Windows\SysWOW64\Jaklei32.exe | Jiphpf32.exe
File created | C:\Windows\SysWOW64\Opcjphoj.dll | Olclimif.exe
File created | C:\Windows\SysWOW64\Gpdhiaoi.exe | Gflcplhh.exe
File created | C:\Windows\SysWOW64\Mqckaf32.exe | Mcokhaho.exe
File created | C:\Windows\SysWOW64\Cddgbp32.dll | Mafoal32.exe
File created | C:\Windows\SysWOW64\Iecmji32.dll | Hjdhpg32.exe
File opened for modification | C:\Windows\SysWOW64\Ijokcl32.exe | Hebckd32.exe
File created | C:\Windows\SysWOW64\Hcpphd32.dll | Idligq32.exe
File created | C:\Windows\SysWOW64\Jdoblckh.exe | Jkfncn32.exe
File created | C:\Windows\SysWOW64\Ahhqda32.dll | Gqajfmpb.exe
File created | C:\Windows\SysWOW64\Imomkp32.exe | Icgibkki.exe
File opened for modification | C:\Windows\SysWOW64\Amdhidqk.exe | Qgeckn32.exe
File created | C:\Windows\SysWOW64\Dbaflm32.exe | Dpnmoe32.exe
File created | C:\Windows\SysWOW64\Doblhg32.dll | Fphgpnhm.exe
File created | C:\Windows\SysWOW64\Klcofleb.dll | Gmhkkn32.exe
File created | C:\Windows\SysWOW64\Nblmfl32.dll | Kigkmmql.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2656 | 3068 | WerFault.exe | 392
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Giolpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akdmoj32.dll" Bbnlia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmdapoil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anjnllbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbdalg32.dll" Kncmknkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgjjlh32.dll" Ljbmdmfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjmbjd32.dll" Nfbmnpfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fliefa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eomfiobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olnlgjof.dll" Eckopm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phdiglap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkjkdfjk.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqbaqccn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lagknhgp.dll" Anjnllbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olclimif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glpbiaqg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kqomai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggjmhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iiiapg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkfncn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnidmi32.dll" Ahhhgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pneiaidn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jojaje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lanpmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbefen32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cecnflpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 0fe24facfbfeac55ffa9b3ad8748216b7031c13ff4a30b929e0c64e053236c16.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkojjgfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgbgine.dll" Jllggbde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgfmmaem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jakjlpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mncijanc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpqlmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hebhog32.dll" Eoeiniea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nioplnhf.dll" Kpgpfdoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oodhca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aieihpgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmolll32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Namjglek.dll" Hebckd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jllggbde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kknkncbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqajfmpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogldfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emdjbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dilggefh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejnqkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdlkpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igmppcpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oodhca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emeejpjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 
Dpnogmbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Folknlae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbdljk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhmpmcaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djddbkck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdlkpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jficbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjeckk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moelgh32.dll" Fnnbfjmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcokhaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecggmfde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eehpoaaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpfmefdc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 
Ngonpgqg.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2124 wrote to memory of 888 | 2124 | 0fe24facfbfeac55ffa9b3ad8748216b7031c13ff4a30b929e0c64e053236c16.exe | 29
PID 2124 wrote to memory of 888 | 2124 | 0fe24facfbfeac55ffa9b3ad8748216b7031c13ff4a30b929e0c64e053236c16.exe | 29
PID 2124 wrote to memory of 888 | 2124 | 0fe24facfbfeac55ffa9b3ad8748216b7031c13ff4a30b929e0c64e053236c16.exe | 29
PID 2124 wrote to memory of 888 | 2124 | 0fe24facfbfeac55ffa9b3ad8748216b7031c13ff4a30b929e0c64e053236c16.exe | 29
PID 888 wrote to memory of 2132 | 888 | Ojhdmgkl.exe | 30
PID 888 wrote to memory of 2132 | 888 | Ojhdmgkl.exe | 30
PID 888 wrote to memory of 2132 | 888 | Ojhdmgkl.exe | 30
PID 888 wrote to memory of 2132 | 888 | Ojhdmgkl.exe | 30
PID 2132 wrote to memory of 2736 | 2132 | Ogldfl32.exe | 31
PID 2132 wrote to memory of 2736 | 2132 | Ogldfl32.exe | 31
PID 2132 wrote to memory of 2736 | 2132 | Ogldfl32.exe | 31
PID 2132 wrote to memory of 2736 | 2132 | Ogldfl32.exe | 31
PID 2736 wrote to memory of 2656 | 2736 | Onhihepp.exe | 32
PID 2736 wrote to memory of 2656 | 2736 | Onhihepp.exe | 32
PID 2736 wrote to memory of 2656 | 2736 | Onhihepp.exe | 32
PID 2736 wrote to memory of 2656 | 2736 | Onhihepp.exe | 32
PID 2656 wrote to memory of 2628 | 2656 | Ofcnmh32.exe | 33
PID 2656 wrote to memory of 2628 | 2656 | Ofcnmh32.exe | 33
PID 2656 wrote to memory of 2628 | 2656 | Ofcnmh32.exe | 33
PID 2656 wrote to memory of 2628 | 2656 | Ofcnmh32.exe | 33
PID 2628 wrote to memory of 3052 | 2628 | Pneiaidn.exe | 34
PID 2628 wrote to memory of 3052 | 2628 | Pneiaidn.exe | 34
PID 2628 wrote to memory of 3052 | 2628 | Pneiaidn.exe | 34
PID 2628 wrote to memory of 3052 | 2628 | Pneiaidn.exe | 34
PID 3052 wrote to memory of 672 | 3052 | Pnhegi32.exe | 35
PID 3052 wrote to memory of 672 | 3052 | Pnhegi32.exe | 35
PID 3052 wrote to memory of 672 | 3052 | Pnhegi32.exe | 35
PID 3052 wrote to memory of 672 | 3052 | Pnhegi32.exe | 35
PID 672 wrote to memory of 320 | 672 | Qgeckn32.exe | 36
PID 672 wrote to memory of 320 | 672 | Qgeckn32.exe | 36
PID 672 wrote to memory of 320 | 672 | Qgeckn32.exe | 36
PID 672 wrote to memory of 320 | 672 | Qgeckn32.exe | 36
PID 320 wrote to memory of 2524 | 320 | Amdhidqk.exe | 37
PID 320 wrote to memory of 2524 | 320 | Amdhidqk.exe | 37
PID 320 wrote to memory of 2524 | 320 | Amdhidqk.exe | 37
PID 320 wrote to memory of 2524 | 320 | Amdhidqk.exe | 37
PID 2524 wrote to memory of 2828 | 2524 | Afojgiei.exe | 38
PID 2524 wrote to memory of 2828 | 2524 | Afojgiei.exe | 38
PID 2524 wrote to memory of 2828 | 2524 | Afojgiei.exe | 38
PID 2524 wrote to memory of 2828 | 2524 | Afojgiei.exe | 38
PID 2828 wrote to memory of 1772 | 2828 | Anjnllbd.exe | 39
PID 2828 wrote to memory of 1772 | 2828 | Anjnllbd.exe | 39
PID 2828 wrote to memory of 1772 | 2828 | Anjnllbd.exe | 39
PID 2828 wrote to memory of 1772 | 2828 | Anjnllbd.exe | 39
PID 1772 wrote to memory of 1964 | 1772 | Bdkpob32.exe | 40
PID 1772 wrote to memory of 1964 | 1772 | Bdkpob32.exe | 40
PID 1772 wrote to memory of 1964 | 1772 | Bdkpob32.exe | 40
PID 1772 wrote to memory of 1964 | 1772 | Bdkpob32.exe | 40
PID 1964 wrote to memory of 844 | 1964 | Boadlk32.exe | 41
PID 1964 wrote to memory of 844 | 1964 | Boadlk32.exe | 41
PID 1964 wrote to memory of 844 | 1964 | Boadlk32.exe | 41
PID 1964 wrote to memory of 844 | 1964 | Boadlk32.exe | 41
PID 844 wrote to memory of 2408 | 844 | Bfliqmjg.exe | 42
PID 844 wrote to memory of 2408 | 844 | Bfliqmjg.exe | 42
PID 844 wrote to memory of 2408 | 844 | Bfliqmjg.exe | 42
PID 844 wrote to memory of 2408 | 844 | Bfliqmjg.exe | 42
PID 2408 wrote to memory of 1860 | 2408 | Cmkkhfmn.exe | 43
PID 2408 wrote to memory of 1860 | 2408 | Cmkkhfmn.exe | 43
PID 2408 wrote to memory of 1860 | 2408 | Cmkkhfmn.exe | 43
PID 2408 wrote to memory of 1860 | 2408 | Cmkkhfmn.exe | 43
PID 1860 wrote to memory of 1404 | 1860 | Clphjc32.exe | 44
PID 1860 wrote to memory of 1404 | 1860 | Clphjc32.exe | 44
PID 1860 wrote to memory of 1404 | 1860 | Clphjc32.exe | 44
PID 1860 wrote to memory of 1404 | 1860 | Clphjc32.exe | 44
Processes
C:\Users\Admin\AppData\Local\Temp\0fe24facfbfeac55ffa9b3ad8748216b7031c13ff4a30b929e0c64e053236c16.exe (command line: "C:\Users\Admin\AppData\Local\Temp\0fe24facfbfeac55ffa9b3ad8748216b7031c13ff4a30b929e0c64e053236c16.exe"; level 1; PID 2124)
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ojhdmgkl.exe (command line: C:\Windows\system32\Ojhdmgkl.exe; level 2; PID 888)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ogldfl32.exe (command line: C:\Windows\system32\Ogldfl32.exe; level 3; PID 2132)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Onhihepp.exe (command line: C:\Windows\system32\Onhihepp.exe; level 4; PID 2736)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ofcnmh32.exe (command line: C:\Windows\system32\Ofcnmh32.exe; level 5; PID 2656)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Pneiaidn.exe (command line: C:\Windows\system32\Pneiaidn.exe; level 6; PID 2628)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Pnhegi32.exe (command line: C:\Windows\system32\Pnhegi32.exe; level 7; PID 3052)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Qgeckn32.exe (command line: C:\Windows\system32\Qgeckn32.exe; level 8; PID 672)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Amdhidqk.exe (command line: C:\Windows\system32\Amdhidqk.exe; level 9; PID 320)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Afojgiei.exe (command line: C:\Windows\system32\Afojgiei.exe; level 10; PID 2524)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Anjnllbd.exe (command line: C:\Windows\system32\Anjnllbd.exe; level 11; PID 2828)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Bdkpob32.exe (command line: C:\Windows\system32\Bdkpob32.exe; level 12; PID 1772)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Boadlk32.exe (command line: C:\Windows\system32\Boadlk32.exe; level 13; PID 1964)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Bfliqmjg.exe (command line: C:\Windows\system32\Bfliqmjg.exe; level 14; PID 844)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Cmkkhfmn.exe (command line: C:\Windows\system32\Cmkkhfmn.exe; level 15; PID 2408)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Clphjc32.exe (command line: C:\Windows\system32\Clphjc32.exe; level 16; PID 1860)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Cdpfiekl.exe (command line: C:\Windows\system32\Cdpfiekl.exe; level 17; PID 1404)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Djokgk32.exe (command line: C:\Windows\system32\Djokgk32.exe; level 18; PID 1120)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Dgclpp32.exe (command line: C:\Windows\system32\Dgclpp32.exe; level 19; PID 1740)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Djddbkck.exe (command line: C:\Windows\system32\Djddbkck.exe; level 20; PID 1696)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

C:\Windows\SysWOW64\Dpnmoe32.exe (command line: C:\Windows\system32\Dpnmoe32.exe; level 21; PID 3016)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

C:\Windows\SysWOW64\Dbaflm32.exe (command line: C:\Windows\system32\Dbaflm32.exe; level 22; PID 1316)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Ekjjebed.exe (command line: C:\Windows\system32\Ekjjebed.exe; level 23; PID 2484)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Edbonh32.exe (command line: C:\Windows\system32\Edbonh32.exe; level 24; PID 1532)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Ebfpglkn.exe (command line: C:\Windows\system32\Ebfpglkn.exe; level 25; PID 588)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Enmplm32.exe (command line: C:\Windows\system32\Enmplm32.exe; level 26; PID 3068)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Ejcaanfg.exe (command line: C:\Windows\system32\Ejcaanfg.exe; level 27; PID 2568)
- Loads dropped DLL

C:\Windows\SysWOW64\Edieng32.exe (command line: C:\Windows\system32\Edieng32.exe; level 28; PID 2224)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Emdjbi32.exe (command line: C:\Windows\system32\Emdjbi32.exe; level 29; PID 2760)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

C:\Windows\SysWOW64\Ecnbpcje.exe (command line: C:\Windows\system32\Ecnbpcje.exe; level 30; PID 2328)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Fpecddpi.exe (command line: C:\Windows\system32\Fpecddpi.exe; level 31; PID 2832)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Fcehpbdm.exe (command line: C:\Windows\system32\Fcehpbdm.exe; level 32; PID 2752)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Fhgnie32.exe (command line: C:\Windows\system32\Fhgnie32.exe; level 33; PID 2696)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

C:\Windows\SysWOW64\Gncblo32.exe (command line: C:\Windows\system32\Gncblo32.exe; level 34; PID 3060)
- Executes dropped EXE

C:\Windows\SysWOW64\Gdpkdf32.exe (command line: C:\Windows\system32\Gdpkdf32.exe; level 35; PID 2008)
- Executes dropped EXE

C:\Windows\SysWOW64\Gmipmlan.exe (command line: C:\Windows\system32\Gmipmlan.exe; level 36; PID 3032)
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Gfadeaho.exe (command line: C:\Windows\system32\Gfadeaho.exe; level 37; PID 2052)
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Gaghcjhd.exe (command line: C:\Windows\system32\Gaghcjhd.exe; level 38; PID 388)
- Executes dropped EXE

C:\Windows\SysWOW64\Gpledf32.exe (command line: C:\Windows\system32\Gpledf32.exe; level 39; PID 1996)
- Executes dropped EXE

C:\Windows\SysWOW64\Hidjml32.exe (command line: C:\Windows\system32\Hidjml32.exe; level 40; PID 2280)
- Executes dropped EXE

C:\Windows\SysWOW64\Hiffbl32.exe (command line: C:\Windows\system32\Hiffbl32.exe; level 41; PID 756)
- Executes dropped EXE

C:\Windows\SysWOW64\Hdlkpd32.exe (command line: C:\Windows\system32\Hdlkpd32.exe; level 42; PID 1692)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Hlgodgnk.exe (command line: C:\Windows\system32\Hlgodgnk.exe; level 43; PID 1376)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Hepdml32.exe (command line: C:\Windows\system32\Hepdml32.exe; level 44; PID 2488)
- Executes dropped EXE

C:\Windows\SysWOW64\Hpehje32.exe (command line: C:\Windows\system32\Hpehje32.exe; level 45; PID 1324)
- Executes dropped EXE

C:\Windows\SysWOW64\Hinlck32.exe (command line: C:\Windows\system32\Hinlck32.exe; level 46; PID 612)
- Executes dropped EXE

C:\Windows\SysWOW64\Hbfalpab.exe (command line: C:\Windows\system32\Hbfalpab.exe; level 47; PID 1628)
- Executes dropped EXE

C:\Windows\SysWOW64\Iomaaa32.exe (command line: C:\Windows\system32\Iomaaa32.exe; level 48; PID 896)
- Executes dropped EXE

C:\Windows\SysWOW64\Idjjih32.exe (command line: C:\Windows\system32\Idjjih32.exe; level 49; PID 2348)
- Executes dropped EXE

C:\Windows\SysWOW64\Ioonfaed.exe (command line: C:\Windows\system32\Ioonfaed.exe; level 50; PID 1604)
- Executes dropped EXE

C:\Windows\SysWOW64\Ihgcof32.exe (command line: C:\Windows\system32\Ihgcof32.exe; level 51; PID 2764)
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Indkgm32.exe (command line: C:\Windows\system32\Indkgm32.exe; level 52; PID 1096)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Igmppcpm.exe (command line: C:\Windows\system32\Igmppcpm.exe; level 53; PID 2204)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class

C:\Windows\SysWOW64\Ilihij32.exe (command line: C:\Windows\system32\Ilihij32.exe; level 54; PID 1572)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Ijmibn32.exe (command line: C:\Windows\system32\Ijmibn32.exe; level 55; PID 2796)
- Executes dropped EXE

C:\Windows\SysWOW64\Jojaje32.exe (command line: C:\Windows\system32\Jojaje32.exe; level 56; PID 2324)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Jjpehn32.exe (command line: C:\Windows\system32\Jjpehn32.exe; level 57; PID 2520)
- Executes dropped EXE

C:\Windows\SysWOW64\Jpjndh32.exe (command line: C:\Windows\system32\Jpjndh32.exe; level 58; PID 2944)
- Executes dropped EXE

C:\Windows\SysWOW64\Jakjlpif.exe (command line: C:\Windows\system32\Jakjlpif.exe; level 59; PID 940)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Jhebij32.exe (command line: C:\Windows\system32\Jhebij32.exe; level 60; PID 2188)
- Executes dropped EXE

C:\Windows\SysWOW64\Jficbn32.exe (command line: C:\Windows\system32\Jficbn32.exe; level 61; PID 572)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Jhgonj32.exe (command line: C:\Windows\system32\Jhgonj32.exe; level 62; PID 2916)
- Executes dropped EXE

C:\Windows\SysWOW64\Jndgfqlh.exe (command line: C:\Windows\system32\Jndgfqlh.exe; level 63; PID 2108)
- Executes dropped EXE

C:\Windows\SysWOW64\Jdnpck32.exe (command line: C:\Windows\system32\Jdnpck32.exe; level 64; PID 2196)
- Executes dropped EXE

C:\Windows\SysWOW64\Jbbpmo32.exe (command line: C:\Windows\system32\Jbbpmo32.exe; level 65; PID 1624)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Kgoief32.exe (command line: C:\Windows\system32\Kgoief32.exe; level 66; PID 2476)
- Executes dropped EXE

C:\Windows\SysWOW64\Kbdmboqk.exe (command line: C:\Windows\system32\Kbdmboqk.exe; level 67; PID 1536)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory

C:\Windows\SysWOW64\Knmjmodm.exe (command line: C:\Windows\system32\Knmjmodm.exe; level 68; PID 2720)

C:\Windows\SysWOW64\Kcjcefbd.exe (command line: C:\Windows\system32\Kcjcefbd.exe; level 69; PID 1516)
- Drops file in System32 directory

C:\Windows\SysWOW64\Kigkmmql.exe (command line: C:\Windows\system32\Kigkmmql.exe; level 70; PID 1600)
- Drops file in System32 directory

C:\Windows\SysWOW64\Kjfhgp32.exe (command line: C:\Windows\system32\Kjfhgp32.exe; level 71; PID 368)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Kkhdohnm.exe (command line: C:\Windows\system32\Kkhdohnm.exe; level 72; PID 2684)

C:\Windows\SysWOW64\Lepihndm.exe (command line: C:\Windows\system32\Lepihndm.exe; level 73; PID 1656)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Lpfmefdc.exe (command line: C:\Windows\system32\Lpfmefdc.exe; level 74; PID 2640)
- Drops file in System32 directory
- Modifies registry class

C:\Windows\SysWOW64\Lgaaiian.exe (command line: C:\Windows\system32\Lgaaiian.exe; level 75; PID 396)

C:\Windows\SysWOW64\Leebcm32.exe (command line: C:\Windows\system32\Leebcm32.exe; level 76; PID 2452)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Lbibla32.exe (command line: C:\Windows\system32\Lbibla32.exe; level 77; PID 1104)
- Drops file in System32 directory

C:\Windows\SysWOW64\Ljdgqc32.exe (command line: C:\Windows\system32\Ljdgqc32.exe; level 78; PID 2396)
- Drops file in System32 directory

C:\Windows\SysWOW64\Lanpmn32.exe (command line: C:\Windows\system32\Lanpmn32.exe; level 79; PID 276)
- Modifies registry class

C:\Windows\SysWOW64\Lfkhed32.exe (command line: C:\Windows\system32\Lfkhed32.exe; level 80; PID 1500)

C:\Windows\SysWOW64\Mpcmojia.exe (command line: C:\Windows\system32\Mpcmojia.exe; level 81; PID 2112)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Mjialchg.exe (command line: C:\Windows\system32\Mjialchg.exe; level 82; PID 1196)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Mpeidjfo.exe (command line: C:\Windows\system32\Mpeidjfo.exe; level 83; PID 2928)

C:\Windows\SysWOW64\Mfpaqdnk.exe (command line: C:\Windows\system32\Mfpaqdnk.exe; level 84; PID 2176)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Mphfji32.exe (command line: C:\Windows\system32\Mphfji32.exe; level 85; PID 2352)

C:\Windows\SysWOW64\Medobp32.exe (command line: C:\Windows\system32\Medobp32.exe; level 86; PID 1596)

C:\Windows\SysWOW64\Mbiokdam.exe (command line: C:\Windows\system32\Mbiokdam.exe; level 87; PID 2884)

C:\Windows\SysWOW64\Mibgho32.exe (command line: C:\Windows\system32\Mibgho32.exe; level 88; PID 1428)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory

C:\Windows\SysWOW64\Mbkladpj.exe (command line: C:\Windows\system32\Mbkladpj.exe; level 89; PID 2264)

C:\Windows\SysWOW64\Niednn32.exe (command line: C:\Windows\system32\Niednn32.exe; level 90; PID 2276)

C:\Windows\SysWOW64\Nkfpefme.exe (command line: C:\Windows\system32\Nkfpefme.exe; level 91; PID 2536)

C:\Windows\SysWOW64\Napibq32.exe (command line: C:\Windows\system32\Napibq32.exe; level 92; PID 2228)

C:\Windows\SysWOW64\Nhjaok32.exe (command line: C:\Windows\system32\Nhjaok32.exe; level 93; PID 112)

C:\Windows\SysWOW64\Nmgiga32.exe (command line: C:\Windows\system32\Nmgiga32.exe; level 94; PID 2668)

C:\Windows\SysWOW64\Ngonpgqg.exe (command line: C:\Windows\system32\Ngonpgqg.exe; level 95; PID 2208)
- Modifies registry class

C:\Windows\SysWOW64\Ngajeg32.exe (command line: C:\Windows\system32\Ngajeg32.exe; level 96; PID 2260)

C:\Windows\SysWOW64\Nmlcbafa.exe (command line: C:\Windows\system32\Nmlcbafa.exe; level 97; PID 768)
- Drops file in System32 directory

C:\Windows\SysWOW64\Ndekok32.exe (command line: C:\Windows\system32\Ndekok32.exe; level 98; PID 1524)

C:\Windows\SysWOW64\Olapcm32.exe (command line: C:\Windows\system32\Olapcm32.exe; level 99; PID 1560)

C:\Windows\SysWOW64\Ockhpgbf.exe (command line: C:\Windows\system32\Ockhpgbf.exe; level 100; PID 2756)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Olclimif.exe (command line: C:\Windows\system32\Olclimif.exe; level 101; PID 2060)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class

C:\Windows\SysWOW64\Pqlhbo32.exe (command line: C:\Windows\system32\Pqlhbo32.exe; level 102; PID 944)

C:\Windows\SysWOW64\Pdlmnm32.exe (command line: C:\Windows\system32\Pdlmnm32.exe; level 103; PID 2880)
- Drops file in System32 directory

C:\Windows\SysWOW64\Pgkjji32.exe (command line: C:\Windows\system32\Pgkjji32.exe; level 104; PID 1680)
- Drops file in System32 directory

C:\Windows\SysWOW64\Pcajpjoi.exe (command line: C:\Windows\system32\Pcajpjoi.exe; level 105; PID 2676)
- Drops file in System32 directory

C:\Windows\SysWOW64\Pjlbld32.exe (command line: C:\Windows\system32\Pjlbld32.exe; level 106; PID 824)

C:\Windows\SysWOW64\Qohkdkdn.exe (command line: C:\Windows\system32\Qohkdkdn.exe; level 107; PID 2236)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Qkolil32.exe (command line: C:\Windows\system32\Qkolil32.exe; level 108; PID 1540)
- Drops file in System32 directory

C:\Windows\SysWOW64\Anpekggc.exe (command line: C:\Windows\system32\Anpekggc.exe; level 109; PID 2140)

C:\Windows\SysWOW64\Aieihpgi.exe (command line: C:\Windows\system32\Aieihpgi.exe; level 110; PID 1968)
- Modifies registry class

C:\Windows\SysWOW64\Aooaej32.exe (command line: C:\Windows\system32\Aooaej32.exe; level 111; PID 1756)

C:\Windows\SysWOW64\Aihenoef.exe (command line: C:\Windows\system32\Aihenoef.exe; level 112; PID 2972)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Aacjba32.exe (command line: C:\Windows\system32\Aacjba32.exe; level 113; PID 2936)

C:\Windows\SysWOW64\Akhopj32.exe (command line: C:\Windows\system32\Akhopj32.exe; level 114; PID 1060)

C:\Windows\SysWOW64\Aaegha32.exe (command line: C:\Windows\system32\Aaegha32.exe; level 115; PID 1588)

C:\Windows\SysWOW64\Anigaeoh.exe (command line: C:\Windows\system32\Anigaeoh.exe; level 116; PID 1444)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Bajqcqli.exe (command line: C:\Windows\system32\Bajqcqli.exe; level 117; PID 1504)

C:\Windows\SysWOW64\Bfgikgjq.exe (command line: C:\Windows\system32\Bfgikgjq.exe; level 118; PID 2732)

C:\Windows\SysWOW64\Bfifqg32.exe (command line: C:\Windows\system32\Bfifqg32.exe; level 119; PID 1260)

C:\Windows\SysWOW64\Bmcnmapk.exe (command line: C:\Windows\system32\Bmcnmapk.exe; level 120; PID 1616)

C:\Windows\SysWOW64\Benbbcmf.exe (command line: C:\Windows\system32\Benbbcmf.exe; level 121; PID 2616)

C:\Windows\SysWOW64\Bpdgolml.exe (command line: C:\Windows\system32\Bpdgolml.exe; level 122; PID 2464)