Analysis
-
max time kernel
21s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
10/03/2024, 23:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
95a0eba289beeba52c91afda983a4936bc649857fe52c9b46f03aaa8f40d445a.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
95a0eba289beeba52c91afda983a4936bc649857fe52c9b46f03aaa8f40d445a.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
95a0eba289beeba52c91afda983a4936bc649857fe52c9b46f03aaa8f40d445a.exe
-
Size
250KB
-
MD5
ab4dd0c6242f42ad79bb2126a78437b3
-
SHA1
e872371722e3ecd4a979591b1edb9b298c5d54f9
-
SHA256
95a0eba289beeba52c91afda983a4936bc649857fe52c9b46f03aaa8f40d445a
-
SHA512
237e88970f49d01813c95b65cf124cff3303d88591e8c561e73704515e68305fa96ea9d0ecd6d7cdbd414d98445f5f7b544b9aca87d866a6a77b1461efcca4fd
-
SSDEEP
6144:o5z6avCvfmZ7KRRRGBCvfmZ7KFpNlJTBCvfmZ7d:oc
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abmbhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emieil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnmlhchd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aalmklfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikpjgkjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnmgmbhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aplpai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpeofk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkppbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbkmlh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocomlemo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecqqpgli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Febfomdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpgfki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncancbha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cckace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Incpoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekelld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeqdep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qimhoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efaibbij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhckpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Facdeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hejoiedd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpnojioo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnmlhchd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Albjlcao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahlgfdeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cngcjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eibbcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnmlhchd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjdmmdnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caknol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmebnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqcnfjli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhmbagfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apajlhka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckafbbph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjdhbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chcqpmep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lliflp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkpagq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fikejl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ambmpmln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhdplq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkpegi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajdadamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajejgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfknbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgmcqkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqonkmdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fphafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apimacnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkcdafqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkeelohh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bekkcljk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icmegf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkbcln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhkdeggl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iimjmbae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idcokkak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icpigm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hakphqja.exe -
Executes dropped EXE 64 IoCs
pid Process 2368 Mlelaeqk.exe 1072 Mabejlob.exe 2596 Mdqafgnf.exe 2728 Mnieom32.exe 2488 Madapkmp.exe 2508 Mhnjle32.exe 2528 Magnek32.exe 2168 Mhqfbebj.exe 2760 Mgcgmb32.exe 2180 Mkobnqan.exe 1548 Nnnojlpa.exe 2776 Nplkfgoe.exe 2920 Ndjdlffl.exe 2964 Ncmdhb32.exe 1876 Nocemcbj.exe 676 Ngkmnacm.exe 1460 Ncancbha.exe 780 Nfpjomgd.exe 1128 Njkfpl32.exe 2904 Njkfpl32.exe 2644 Nhnfkigh.exe 344 Nmjblg32.exe 1124 Nohnhc32.exe 1088 Nccjhafn.exe 972 Odegpj32.exe 1448 Omloag32.exe 1996 Oojknblb.exe 2832 Ogfpbeim.exe 3004 Onphoo32.exe 2784 Oghlgdgk.exe 2924 Ojficpfn.exe 1528 Obnqem32.exe 1636 Ocomlemo.exe 2912 Okfencna.exe 1896 Ondajnme.exe 1892 Omgaek32.exe 2772 Oqcnfjli.exe 2808 Ogmfbd32.exe 2792 Ofpfnqjp.exe 3064 Pminkk32.exe 2500 Paejki32.exe 2800 Pgobhcac.exe 1284 Pfbccp32.exe 292 Pmlkpjpj.exe 932 Pmlkpjpj.exe 2712 Ppjglfon.exe 1964 Ppjglfon.exe 2364 Pcfcmd32.exe 1204 Pbiciana.exe 1648 Pfdpip32.exe 2264 Pjpkjond.exe 1696 Piblek32.exe 632 Pmnhfjmg.exe 1476 Ppmdbe32.exe 2552 Pchpbded.exe 2620 Pbkpna32.exe 2496 Pfflopdh.exe 2844 Peiljl32.exe 2836 Piehkkcl.exe 2184 Pbmmcq32.exe 2512 Pelipl32.exe 936 Pigeqkai.exe 1796 Ppamme32.exe 1300 Pbpjiphi.exe -
Loads dropped DLL 64 IoCs
pid Process 1420 95a0eba289beeba52c91afda983a4936bc649857fe52c9b46f03aaa8f40d445a.exe 1420 95a0eba289beeba52c91afda983a4936bc649857fe52c9b46f03aaa8f40d445a.exe 2368 Mlelaeqk.exe 2368 Mlelaeqk.exe 1072 Mabejlob.exe 1072 Mabejlob.exe 2596 Mdqafgnf.exe 2596 Mdqafgnf.exe 2728 Mnieom32.exe 2728 Mnieom32.exe 2488 Madapkmp.exe 2488 Madapkmp.exe 2508 Mhnjle32.exe 2508 Mhnjle32.exe 2528 Magnek32.exe 2528 Magnek32.exe 2168 Mhqfbebj.exe 2168 Mhqfbebj.exe 2760 Mgcgmb32.exe 2760 Mgcgmb32.exe 2180 Mkobnqan.exe 2180 Mkobnqan.exe 1548 Nnnojlpa.exe 1548 Nnnojlpa.exe 2776 Nplkfgoe.exe 2776 Nplkfgoe.exe 2920 Ndjdlffl.exe 2920 Ndjdlffl.exe 2964 Ncmdhb32.exe 2964 Ncmdhb32.exe 1876 Nocemcbj.exe 1876 Nocemcbj.exe 676 Ngkmnacm.exe 676 Ngkmnacm.exe 1460 Ncancbha.exe 1460 Ncancbha.exe 780 Nfpjomgd.exe 780 Nfpjomgd.exe 1128 Njkfpl32.exe 1128 Njkfpl32.exe 2904 Njkfpl32.exe 2904 Njkfpl32.exe 2644 Nhnfkigh.exe 2644 Nhnfkigh.exe 344 Nmjblg32.exe 344 Nmjblg32.exe 1124 Nohnhc32.exe 1124 Nohnhc32.exe 1088 Nccjhafn.exe 1088 Nccjhafn.exe 972 Odegpj32.exe 972 Odegpj32.exe 1448 Omloag32.exe 1448 Omloag32.exe 1996 Oojknblb.exe 1996 Oojknblb.exe 2832 Ogfpbeim.exe 2832 Ogfpbeim.exe 3004 Onphoo32.exe 3004 Onphoo32.exe 2784 Oghlgdgk.exe 2784 Oghlgdgk.exe 2924 Ojficpfn.exe 2924 Ojficpfn.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ndkakief.dll Efncicpm.exe File opened for modification C:\Windows\SysWOW64\Fpdhklkl.exe Faagpp32.exe File opened for modification C:\Windows\SysWOW64\Kahojc32.exe Knjbnh32.exe File created C:\Windows\SysWOW64\Haiccald.exe Hbfbgd32.exe File created C:\Windows\SysWOW64\Mihiih32.exe Mkeimlfm.exe File opened for modification C:\Windows\SysWOW64\Kmjojo32.exe Kebgia32.exe File created C:\Windows\SysWOW64\Lkojpojq.dll Ebbgid32.exe File created C:\Windows\SysWOW64\Opiehf32.dll Cgcmlcja.exe File opened for modification C:\Windows\SysWOW64\Iimjmbae.exe Igonafba.exe File created C:\Windows\SysWOW64\Ijdqna32.exe Iamimc32.exe File created C:\Windows\SysWOW64\Gnhqpo32.dll Ijdqna32.exe File created C:\Windows\SysWOW64\Anllbdkl.dll Hicodd32.exe File opened for modification C:\Windows\SysWOW64\Alhjai32.exe Amejeljk.exe File opened for modification C:\Windows\SysWOW64\Okgnab32.exe Ohibdf32.exe File opened for modification C:\Windows\SysWOW64\Mmldme32.exe Mkmhaj32.exe File created C:\Windows\SysWOW64\Cnjgia32.dll Npagjpcd.exe File created C:\Windows\SysWOW64\Kcaipkch.dll Ggpimica.exe File opened for modification C:\Windows\SysWOW64\Jkbcln32.exe Jmocpado.exe File created C:\Windows\SysWOW64\Gjhfbach.dll Cgejac32.exe File created C:\Windows\SysWOW64\Knlafm32.dll Okgnab32.exe File opened for modification C:\Windows\SysWOW64\Pciifc32.exe Pbhmnkjf.exe File opened for modification C:\Windows\SysWOW64\Mlelaeqk.exe 95a0eba289beeba52c91afda983a4936bc649857fe52c9b46f03aaa8f40d445a.exe File created C:\Windows\SysWOW64\Nlbodgap.dll Cfinoq32.exe File created C:\Windows\SysWOW64\Lpdhmlbj.dll Elmigj32.exe File created C:\Windows\SysWOW64\Gcmjhbal.dll Ebinic32.exe File created C:\Windows\SysWOW64\Pabakh32.dll Gobgcg32.exe File created C:\Windows\SysWOW64\Pogjpc32.dll Kmjfdejp.exe File opened for modification C:\Windows\SysWOW64\Cpnojioo.exe Caknol32.exe File created C:\Windows\SysWOW64\Ipjcbn32.dll Ljmlbfhi.exe File created C:\Windows\SysWOW64\Comimg32.exe Cpjiajeb.exe File created C:\Windows\SysWOW64\Hokokc32.dll Bioqclil.exe File opened for modification C:\Windows\SysWOW64\Chnqkg32.exe Cdbdjhmp.exe File created C:\Windows\SysWOW64\Dogefd32.exe Dliijipn.exe File opened for modification C:\Windows\SysWOW64\Jcmafj32.exe Jqnejn32.exe File opened for modification C:\Windows\SysWOW64\Legmbd32.exe Lfdmggnm.exe File created C:\Windows\SysWOW64\Lgmcqkkh.exe Lpekon32.exe File opened for modification C:\Windows\SysWOW64\Igihbknb.exe Idklfpon.exe File created C:\Windows\SysWOW64\Klaoplan.dll Jejhecaj.exe File opened for modification C:\Windows\SysWOW64\Kaaijdgn.exe Jbnhng32.exe File created C:\Windows\SysWOW64\Mdpjlajk.exe Mpdnkb32.exe File created C:\Windows\SysWOW64\Kolpjf32.dll Pkndaa32.exe File created C:\Windows\SysWOW64\Afcklihm.dll Iompkh32.exe File opened for modification C:\Windows\SysWOW64\Lahkigca.exe Lbeknj32.exe File created C:\Windows\SysWOW64\Dlnbeh32.exe Ddgjdk32.exe File opened for modification C:\Windows\SysWOW64\Edkcojga.exe Ebmgcohn.exe File opened for modification C:\Windows\SysWOW64\Hapicp32.exe Hoamgd32.exe File opened for modification C:\Windows\SysWOW64\Jocflgga.exe Ileiplhn.exe File created C:\Windows\SysWOW64\Mkaggelk.dll Doobajme.exe File opened for modification C:\Windows\SysWOW64\Iqalka32.exe Incpoe32.exe File created C:\Windows\SysWOW64\Hdjlnm32.dll Cnmehnan.exe File created C:\Windows\SysWOW64\Mcbndm32.dll Ddokpmfo.exe File opened for modification C:\Windows\SysWOW64\Eeqdep32.exe Efncicpm.exe File created C:\Windows\SysWOW64\Ebinic32.exe Ejbfhfaj.exe File opened for modification C:\Windows\SysWOW64\Hmbpmapf.exe Hkcdafqb.exe File created C:\Windows\SysWOW64\Ndhipoob.exe Nplmop32.exe File created C:\Windows\SysWOW64\Naajoinb.exe Nnennj32.exe File created C:\Windows\SysWOW64\Cmicaonb.dll Pjenhm32.exe File opened for modification C:\Windows\SysWOW64\Pcfcmd32.exe Ppjglfon.exe File opened for modification C:\Windows\SysWOW64\Cgbdhd32.exe Coklgg32.exe File created C:\Windows\SysWOW64\Bhlhkl32.dll Kjljhjkl.exe File created C:\Windows\SysWOW64\Chfpgj32.dll Ohfeog32.exe File created C:\Windows\SysWOW64\Gokkjm32.dll Lkncmmle.exe File created C:\Windows\SysWOW64\Enbfpg32.dll Pklhlael.exe File opened for modification C:\Windows\SysWOW64\Dbfabp32.exe Dogefd32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8948 8888 WerFault.exe 902 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oclilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aibajhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpnbkeld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gljnej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldmndi32.dll" Onphoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbkpna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qagcpljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmpkjkma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Leljop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lflmci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkeelohh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amhpnkch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mihiih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgcdki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmafennb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlcgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbpiak32.dll" Lbeknj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaceodek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbikjlnd.dll" Ofhick32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igonafba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihgainbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kigbna32.dll" Jocflgga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpfdalii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghhofmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jejhecaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gohjaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjcidhml.dll" Pfflopdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcfdgiid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlfgbn32.dll" Idklfpon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmlko32.dll" Hkcdafqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnmlhchd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndjfeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llkbap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meagci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djhphncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmbgl32.dll" Ndbcpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqmmpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfpjomgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppamme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aajpelhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhnfkigh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdmeemc.dll" Ppoqge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oockje32.dll" Chemfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmccegik.dll" Ocnfbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adpkee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eppddhlj.dll" Nmnace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amdgnl32.dll" Ncmdhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qnfjna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dobkmdfq.dll" Boiccdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcpdmj32.dll" Ioijbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onjgiiad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebbgbdkh.dll" Oqmmpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngkmnacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbbfopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolpjf32.dll" Pkndaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahlgfdeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdbhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbiaej32.dll" Bmkmdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cclkfdnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhqfbebj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiaeoang.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkbhgojk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbaileio.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1420 wrote to memory of 2368 1420 95a0eba289beeba52c91afda983a4936bc649857fe52c9b46f03aaa8f40d445a.exe 28 PID 1420 wrote to memory of 2368 1420 95a0eba289beeba52c91afda983a4936bc649857fe52c9b46f03aaa8f40d445a.exe 28 PID 1420 wrote to memory of 2368 1420 95a0eba289beeba52c91afda983a4936bc649857fe52c9b46f03aaa8f40d445a.exe 28 PID 1420 wrote to memory of 2368 1420 95a0eba289beeba52c91afda983a4936bc649857fe52c9b46f03aaa8f40d445a.exe 28 PID 2368 wrote to memory of 1072 2368 Mlelaeqk.exe 29 PID 2368 wrote to memory of 1072 2368 Mlelaeqk.exe 29 PID 2368 wrote to memory of 1072 2368 Mlelaeqk.exe 29 PID 2368 wrote to memory of 1072 2368 Mlelaeqk.exe 29 PID 1072 wrote to memory of 2596 1072 Mabejlob.exe 30 PID 1072 wrote to memory of 2596 1072 Mabejlob.exe 30 PID 1072 wrote to memory of 2596 1072 Mabejlob.exe 30 PID 1072 wrote to memory of 2596 1072 Mabejlob.exe 30 PID 2596 wrote to memory of 2728 2596 Mdqafgnf.exe 31 PID 2596 wrote to memory of 2728 2596 Mdqafgnf.exe 31 PID 2596 wrote to memory of 2728 2596 Mdqafgnf.exe 31 PID 2596 wrote to memory of 2728 2596 Mdqafgnf.exe 31 PID 2728 wrote to memory of 2488 2728 Mnieom32.exe 32 PID 2728 wrote to memory of 2488 2728 Mnieom32.exe 32 PID 2728 wrote to memory of 2488 2728 Mnieom32.exe 32 PID 2728 wrote to memory of 2488 2728 Mnieom32.exe 32 PID 2488 wrote to memory of 2508 2488 Madapkmp.exe 33 PID 2488 wrote to memory of 2508 2488 Madapkmp.exe 33 PID 2488 wrote to memory of 2508 2488 Madapkmp.exe 33 PID 2488 wrote to memory of 2508 2488 Madapkmp.exe 33 PID 2508 wrote to memory of 2528 2508 Mhnjle32.exe 34 PID 2508 wrote to memory of 2528 2508 Mhnjle32.exe 34 PID 2508 wrote to memory of 2528 2508 Mhnjle32.exe 34 PID 2508 wrote to memory of 2528 2508 Mhnjle32.exe 34 PID 2528 wrote to memory of 2168 2528 Magnek32.exe 35 PID 2528 wrote to memory of 2168 2528 Magnek32.exe 35 PID 2528 wrote to memory of 2168 2528 Magnek32.exe 35 PID 2528 wrote to memory of 2168 2528 Magnek32.exe 35 PID 2168 wrote to memory of 2760 2168 Mhqfbebj.exe 36 PID 2168 wrote to memory of 2760 2168 Mhqfbebj.exe 36 PID 2168 wrote to memory of 2760 2168 Mhqfbebj.exe 36 PID 2168 wrote to memory of 2760 2168 Mhqfbebj.exe 36 PID 2760 wrote to memory of 2180 2760 Mgcgmb32.exe 37 PID 2760 wrote to memory of 2180 2760 Mgcgmb32.exe 37 PID 2760 wrote to memory of 2180 2760 Mgcgmb32.exe 37 PID 2760 wrote to memory of 2180 2760 Mgcgmb32.exe 37 PID 2180 wrote to memory of 1548 2180 Mkobnqan.exe 38 PID 2180 wrote to memory of 1548 2180 Mkobnqan.exe 38 PID 2180 wrote to memory of 1548 2180 Mkobnqan.exe 38 PID 2180 wrote to memory of 1548 2180 Mkobnqan.exe 38 PID 1548 wrote to memory of 2776 1548 Nnnojlpa.exe 39 PID 1548 wrote to memory of 2776 1548 Nnnojlpa.exe 39 PID 1548 wrote to memory of 2776 1548 Nnnojlpa.exe 39 PID 1548 wrote to memory of 2776 1548 Nnnojlpa.exe 39 PID 2776 wrote to memory of 2920 2776 Nplkfgoe.exe 40 PID 2776 wrote to memory of 2920 2776 Nplkfgoe.exe 40 PID 2776 wrote to memory of 2920 2776 Nplkfgoe.exe 40 PID 2776 wrote to memory of 2920 2776 Nplkfgoe.exe 40 PID 2920 wrote to memory of 2964 2920 Ndjdlffl.exe 41 PID 2920 wrote to memory of 2964 2920 Ndjdlffl.exe 41 PID 2920 wrote to memory of 2964 2920 Ndjdlffl.exe 41 PID 2920 wrote to memory of 2964 2920 Ndjdlffl.exe 41 PID 2964 wrote to memory of 1876 2964 Ncmdhb32.exe 42 PID 2964 wrote to memory of 1876 2964 Ncmdhb32.exe 42 PID 2964 wrote to memory of 1876 2964 Ncmdhb32.exe 42 PID 2964 wrote to memory of 1876 2964 Ncmdhb32.exe 42 PID 1876 wrote to memory of 676 1876 Nocemcbj.exe 43 PID 1876 wrote to memory of 676 1876 Nocemcbj.exe 43 PID 1876 wrote to memory of 676 1876 Nocemcbj.exe 43 PID 1876 wrote to memory of 676 1876 Nocemcbj.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\95a0eba289beeba52c91afda983a4936bc649857fe52c9b46f03aaa8f40d445a.exe"C:\Users\Admin\AppData\Local\Temp\95a0eba289beeba52c91afda983a4936bc649857fe52c9b46f03aaa8f40d445a.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:676 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1460 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:780 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1128 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:344 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1124 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1088 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:972 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1448 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1996 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2924 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe33⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe35⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe36⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe37⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe39⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe40⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe41⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe42⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe43⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe44⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe45⤵
- Executes dropped EXE
PID:292 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe46⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe47⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe49⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe50⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe51⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe52⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe53⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe54⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe55⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe56⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe59⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe60⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe61⤵
- Modifies registry class
PID:1972 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe62⤵PID:2788
-
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe63⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe64⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe65⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe66⤵
- Executes dropped EXE
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe67⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe68⤵PID:1108
-
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe69⤵PID:1940
-
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe70⤵PID:1924
-
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe71⤵PID:2236
-
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1680 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe73⤵PID:1268
-
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe74⤵PID:2408
-
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe75⤵
- Modifies registry class
PID:1428 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe76⤵
- Modifies registry class
PID:1212 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe77⤵PID:1760
-
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe78⤵PID:2684
-
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe79⤵PID:2476
-
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe80⤵PID:2524
-
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe81⤵PID:1960
-
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe82⤵PID:884
-
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe83⤵PID:2492
-
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe84⤵
- Modifies registry class
PID:556 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe85⤵PID:2952
-
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe86⤵PID:2440
-
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe87⤵PID:2428
-
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe88⤵PID:2272
-
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe89⤵PID:920
-
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe90⤵PID:1604
-
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe91⤵PID:2840
-
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe92⤵
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe93⤵PID:1176
-
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2032 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe95⤵PID:1776
-
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe96⤵PID:2720
-
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe97⤵PID:2260
-
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe98⤵PID:2468
-
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe99⤵PID:2560
-
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1188 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe101⤵PID:940
-
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe102⤵PID:1716
-
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1452 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:672 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe105⤵PID:1828
-
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1464 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe107⤵PID:328
-
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe108⤵PID:1240
-
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe109⤵PID:768
-
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe110⤵PID:2016
-
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe111⤵
- Drops file in System32 directory
PID:2000 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe112⤵PID:1016
-
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe113⤵PID:2900
-
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe114⤵PID:1456
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe115⤵PID:828
-
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe116⤵PID:1356
-
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe117⤵PID:2292
-
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe118⤵PID:2044
-
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe119⤵PID:2288
-
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe120⤵PID:1756
-
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe121⤵
- Modifies registry class
PID:1304
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-