Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
28-04-2024 22:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6b0cd829291c685e5082ab66238fb3c52951f7d559106473257d73e95514f2c3.exe
Resource
win7-20240419-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
6b0cd829291c685e5082ab66238fb3c52951f7d559106473257d73e95514f2c3.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
6b0cd829291c685e5082ab66238fb3c52951f7d559106473257d73e95514f2c3.exe
-
Size
76KB
-
MD5
d338498d69b36997f59f02d6bc049316
-
SHA1
410fbaab33a12d3d7ce214d997f77e2655af206c
-
SHA256
6b0cd829291c685e5082ab66238fb3c52951f7d559106473257d73e95514f2c3
-
SHA512
b247d8b2885496dfd47da5519c82bf50adde10748cf94dd1e701a59b25b23bafdce43f06c9840a0a63b305a103ccaa88f6afac8c467175287f1de27b8ff0a44e
-
SSDEEP
1536:K8IweEKi7tE35hRdUBKmcX7TOoSHioQV+/eCeyvCQ:Owe9i7m37fUkmcXOrHrk+
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpfkqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgbhabjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 6b0cd829291c685e5082ab66238fb3c52951f7d559106473257d73e95514f2c3.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddokpmfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emhlfmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffpmnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjlnif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmfbogcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biicik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Migbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qpgpkcpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpnbkeld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnbacbac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjknnbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afdlhchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hacmcfge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpmlkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkbhgojk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkoplhip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjbpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meagci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apimacnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gepehphc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iamimc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mppepcfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofjfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkommo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpnojioo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kohkfj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpdnkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikfmfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcfdgiid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epieghdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlhaqogk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nncahjgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdlhjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmlhnagm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glfhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abhimnma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glgaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moanaiie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqdipqbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cahail32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejkima32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhladfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkolkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjcabmga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpecfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbpjiphi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecpgmhai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiaeoang.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hckcmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikddbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Monhhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aamfnkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dojald32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbkeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fehjeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggpimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lajhofao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgmalg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dchali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goddhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbnhng32.exe -
Executes dropped EXE 64 IoCs
pid Process 2092 Pipopl32.exe 2772 Pbiciana.exe 2952 Piblek32.exe 2248 Pbkpna32.exe 2556 Pmqdkj32.exe 2588 Pnbacbac.exe 1004 Pfiidobe.exe 2712 Pbpjiphi.exe 1492 Penfelgm.exe 1592 Qjknnbed.exe 1836 Qbbfopeg.exe 1544 Qjmkcbcb.exe 1436 Qnigda32.exe 2896 Afdlhchf.exe 2012 Aajpelhl.exe 528 Aajpelhl.exe 568 Ampqjm32.exe 1764 Adjigg32.exe 1104 Ajdadamj.exe 2244 Alenki32.exe 2216 Admemg32.exe 1452 Amejeljk.exe 1964 Apcfahio.exe 680 Ahokfj32.exe 1604 Boiccdnf.exe 1876 Bagpopmj.exe 1624 Blmdlhmp.exe 2116 Bbflib32.exe 2800 Bdhhqk32.exe 2948 Balijo32.exe 2680 Bhfagipa.exe 2568 Bpafkknm.exe 3032 Bhhnli32.exe 2484 Bnefdp32.exe 2844 Baqbenep.exe 2436 Ckignd32.exe 1872 Cpeofk32.exe 1616 Cjndop32.exe 1496 Cphlljge.exe 1252 Chcqpmep.exe 2924 Clomqk32.exe 2268 Cpjiajeb.exe 548 Cbkeib32.exe 1392 Cjbmjplb.exe 2476 Claifkkf.exe 1080 Ckdjbh32.exe 772 Copfbfjj.exe 952 Cbnbobin.exe 2396 Cfinoq32.exe 1960 Chhjkl32.exe 1488 Ckffgg32.exe 1908 Cndbcc32.exe 2636 Dbpodagk.exe 2700 Ddokpmfo.exe 2752 Dhjgal32.exe 2552 Dodonf32.exe 3044 Dbbkja32.exe 2728 Dqelenlc.exe 2312 Dgodbh32.exe 744 Dkkpbgli.exe 1832 Dnilobkm.exe 792 Dbehoa32.exe 3024 Dcfdgiid.exe 1824 Dgaqgh32.exe -
Loads dropped DLL 64 IoCs
pid Process 992 6b0cd829291c685e5082ab66238fb3c52951f7d559106473257d73e95514f2c3.exe 992 6b0cd829291c685e5082ab66238fb3c52951f7d559106473257d73e95514f2c3.exe 2092 Pipopl32.exe 2092 Pipopl32.exe 2772 Pbiciana.exe 2772 Pbiciana.exe 2952 Piblek32.exe 2952 Piblek32.exe 2248 Pbkpna32.exe 2248 Pbkpna32.exe 2556 Pmqdkj32.exe 2556 Pmqdkj32.exe 2588 Pnbacbac.exe 2588 Pnbacbac.exe 1004 Pfiidobe.exe 1004 Pfiidobe.exe 2712 Pbpjiphi.exe 2712 Pbpjiphi.exe 1492 Penfelgm.exe 1492 Penfelgm.exe 1592 Qjknnbed.exe 1592 Qjknnbed.exe 1836 Qbbfopeg.exe 1836 Qbbfopeg.exe 1544 Qjmkcbcb.exe 1544 Qjmkcbcb.exe 1436 Qnigda32.exe 1436 Qnigda32.exe 2896 Afdlhchf.exe 2896 Afdlhchf.exe 2012 Aajpelhl.exe 2012 Aajpelhl.exe 528 Aajpelhl.exe 528 Aajpelhl.exe 568 Ampqjm32.exe 568 Ampqjm32.exe 1764 Adjigg32.exe 1764 Adjigg32.exe 1104 Ajdadamj.exe 1104 Ajdadamj.exe 2244 Alenki32.exe 2244 Alenki32.exe 2216 Admemg32.exe 2216 Admemg32.exe 1452 Amejeljk.exe 1452 Amejeljk.exe 1964 Apcfahio.exe 1964 Apcfahio.exe 680 Ahokfj32.exe 680 Ahokfj32.exe 1604 Boiccdnf.exe 1604 Boiccdnf.exe 1876 Bagpopmj.exe 1876 Bagpopmj.exe 1624 Blmdlhmp.exe 1624 Blmdlhmp.exe 2116 Bbflib32.exe 2116 Bbflib32.exe 2800 Bdhhqk32.exe 2800 Bdhhqk32.exe 2948 Balijo32.exe 2948 Balijo32.exe 2680 Bhfagipa.exe 2680 Bhfagipa.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hlngpjlj.exe Hipkdnmf.exe File created C:\Windows\SysWOW64\Ggpimica.exe Gdamqndn.exe File created C:\Windows\SysWOW64\Nmnlfg32.dll Cpkbdiqb.exe File created C:\Windows\SysWOW64\Kklcab32.dll Ncpcfkbg.exe File created C:\Windows\SysWOW64\Pipopl32.exe 6b0cd829291c685e5082ab66238fb3c52951f7d559106473257d73e95514f2c3.exe File created C:\Windows\SysWOW64\Eecqjpee.exe Efppoc32.exe File created C:\Windows\SysWOW64\Ccngld32.exe Cdlgpgef.exe File created C:\Windows\SysWOW64\Ddigjkid.exe Dfffnn32.exe File opened for modification C:\Windows\SysWOW64\Hdnepk32.exe Hpbiommg.exe File created C:\Windows\SysWOW64\Mlaeonld.exe Mmneda32.exe File opened for modification C:\Windows\SysWOW64\Cbkeib32.exe Cpjiajeb.exe File created C:\Windows\SysWOW64\Bdbhke32.exe Bpgljfbl.exe File created C:\Windows\SysWOW64\Blopagpd.dll Dccagcgk.exe File created C:\Windows\SysWOW64\Iompkh32.exe Ipjoplgo.exe File created C:\Windows\SysWOW64\Nodgel32.exe Nmbknddp.exe File opened for modification C:\Windows\SysWOW64\Ennaieib.exe Eloemi32.exe File created C:\Windows\SysWOW64\Abmbhn32.exe Anafhopc.exe File created C:\Windows\SysWOW64\Nanbpedg.dll Cafecmlj.exe File opened for modification C:\Windows\SysWOW64\Albjlcao.exe Ahgnke32.exe File created C:\Windows\SysWOW64\Ajjmcaea.dll Aoepcn32.exe File created C:\Windows\SysWOW64\Agkfljge.dll Hkcdafqb.exe File opened for modification C:\Windows\SysWOW64\Hgdbhi32.exe Hahjpbad.exe File created C:\Windows\SysWOW64\Obojhlbq.exe Oqmmpd32.exe File created C:\Windows\SysWOW64\Cnaocmmi.exe Ckccgane.exe File created C:\Windows\SysWOW64\Ggeiabkc.dll Gpqpjj32.exe File created C:\Windows\SysWOW64\Nckjkl32.exe Nplmop32.exe File opened for modification C:\Windows\SysWOW64\Gbijhg32.exe Gpknlk32.exe File opened for modification C:\Windows\SysWOW64\Jmjjea32.exe Jjlnif32.exe File created C:\Windows\SysWOW64\Ilcbjpbn.dll Bdbhke32.exe File created C:\Windows\SysWOW64\Mjbkcgmo.dll Jkmcfhkc.exe File created C:\Windows\SysWOW64\Cabknqko.dll Hpmgqnfl.exe File opened for modification C:\Windows\SysWOW64\Onjgiiad.exe Ojolhk32.exe File created C:\Windows\SysWOW64\Geemiobo.dll Edkcojga.exe File created C:\Windows\SysWOW64\Fglipi32.exe Fiihdlpc.exe File opened for modification C:\Windows\SysWOW64\Jfiale32.exe Jcjdpj32.exe File created C:\Windows\SysWOW64\Mmldme32.exe Mholen32.exe File created C:\Windows\SysWOW64\Okikfagn.exe Omfkke32.exe File opened for modification C:\Windows\SysWOW64\Ddigjkid.exe Dfffnn32.exe File opened for modification C:\Windows\SysWOW64\Cnaocmmi.exe Ckccgane.exe File opened for modification C:\Windows\SysWOW64\Hhehek32.exe Hakphqja.exe File opened for modification C:\Windows\SysWOW64\Jbgkcb32.exe Jjpcbe32.exe File created C:\Windows\SysWOW64\Odoghjmf.dll Ijeghgoh.exe File opened for modification C:\Windows\SysWOW64\Mihiih32.exe Mgimmm32.exe File opened for modification C:\Windows\SysWOW64\Jdpndnei.exe Jfnnha32.exe File created C:\Windows\SysWOW64\Njmekj32.dll Hgbebiao.exe File opened for modification C:\Windows\SysWOW64\Inqcif32.exe Ijeghgoh.exe File opened for modification C:\Windows\SysWOW64\Joplbl32.exe Jkdpanhg.exe File created C:\Windows\SysWOW64\Efaibbij.exe Egoife32.exe File opened for modification C:\Windows\SysWOW64\Ioolqh32.exe Ilqpdm32.exe File created C:\Windows\SysWOW64\Bbdoqc32.dll 6b0cd829291c685e5082ab66238fb3c52951f7d559106473257d73e95514f2c3.exe File created C:\Windows\SysWOW64\Oonafa32.exe Olpdjf32.exe File opened for modification C:\Windows\SysWOW64\Gmpgio32.exe Gnmgmbhb.exe File created C:\Windows\SysWOW64\Kkgklabn.dll Qfahhm32.exe File created C:\Windows\SysWOW64\Ajhgmpfg.exe Alegac32.exe File opened for modification C:\Windows\SysWOW64\Cklmgb32.exe Cdbdjhmp.exe File created C:\Windows\SysWOW64\Iianmb32.dll Ijbdha32.exe File opened for modification C:\Windows\SysWOW64\Ebbgid32.exe Ecpgmhai.exe File opened for modification C:\Windows\SysWOW64\Nejiih32.exe Nncahjgl.exe File created C:\Windows\SysWOW64\Mncnkh32.dll Gbkgnfbd.exe File created C:\Windows\SysWOW64\Blgpef32.exe Biicik32.exe File opened for modification C:\Windows\SysWOW64\Ndemjoae.exe Mpjqiq32.exe File created C:\Windows\SysWOW64\Aajpelhl.exe Afdlhchf.exe File opened for modification C:\Windows\SysWOW64\Ckffgg32.exe Chhjkl32.exe File created C:\Windows\SysWOW64\Ioolqh32.exe Ilqpdm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6228 7128 WerFault.exe 708 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpocfncj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Maoajf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chboohof.dll" Bfcampgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbamma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jqfffqpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Habfipdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbpbjelg.dll" Gljnej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpmbcmh.dll" Ljmlbfhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjenhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmicohqm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aamfnkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaaoij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cohigamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dggcffhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlmhpjh.dll" Mhjbjopf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgilchkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nehmdhja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgmkloid.dll" Ndbcpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oikojfgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdlhjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhhnli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgioaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpnojioo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbhomd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gljnej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elmigj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mihiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pggbla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nglknl32.dll" Qpecfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kklemhne.dll" Jmjjea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajfaqa32.dll" Djmicm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkeelohh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Illgimph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll" Hhjhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dejpca32.dll" Icmlam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jghmfhmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfiidobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnojdcfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqdipqbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blgpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lclnemgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eecqjpee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjljhjkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpphap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dljnnb32.dll" Icfofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiebec32.dll" Oikojfgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgmgbeon.dll" Mholen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loinmo32.dll" Cldooj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dndlim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngnbgplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbiaa32.dll" Migbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndemjoae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjapnke.dll" Dodonf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhhcgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kneicieh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkclhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppbfpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjbpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nafmbhpm.dll" Jfiale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhmjkaoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amfcikek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkmcfhkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lccdel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcjpocnf.dll" Gfjhgdck.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 992 wrote to memory of 2092 992 6b0cd829291c685e5082ab66238fb3c52951f7d559106473257d73e95514f2c3.exe 28 PID 992 wrote to memory of 2092 992 6b0cd829291c685e5082ab66238fb3c52951f7d559106473257d73e95514f2c3.exe 28 PID 992 wrote to memory of 2092 992 6b0cd829291c685e5082ab66238fb3c52951f7d559106473257d73e95514f2c3.exe 28 PID 992 wrote to memory of 2092 992 6b0cd829291c685e5082ab66238fb3c52951f7d559106473257d73e95514f2c3.exe 28 PID 2092 wrote to memory of 2772 2092 Pipopl32.exe 29 PID 2092 wrote to memory of 2772 2092 Pipopl32.exe 29 PID 2092 wrote to memory of 2772 2092 Pipopl32.exe 29 PID 2092 wrote to memory of 2772 2092 Pipopl32.exe 29 PID 2772 wrote to memory of 2952 2772 Pbiciana.exe 30 PID 2772 wrote to memory of 2952 2772 Pbiciana.exe 30 PID 2772 wrote to memory of 2952 2772 Pbiciana.exe 30 PID 2772 wrote to memory of 2952 2772 Pbiciana.exe 30 PID 2952 wrote to memory of 2248 2952 Piblek32.exe 31 PID 2952 wrote to memory of 2248 2952 Piblek32.exe 31 PID 2952 wrote to memory of 2248 2952 Piblek32.exe 31 PID 2952 wrote to memory of 2248 2952 Piblek32.exe 31 PID 2248 wrote to memory of 2556 2248 Pbkpna32.exe 32 PID 2248 wrote to memory of 2556 2248 Pbkpna32.exe 32 PID 2248 wrote to memory of 2556 2248 Pbkpna32.exe 32 PID 2248 wrote to memory of 2556 2248 Pbkpna32.exe 32 PID 2556 wrote to memory of 2588 2556 Pmqdkj32.exe 33 PID 2556 wrote to memory of 2588 2556 Pmqdkj32.exe 33 PID 2556 wrote to memory of 2588 2556 Pmqdkj32.exe 33 PID 2556 wrote to memory of 2588 2556 Pmqdkj32.exe 33 PID 2588 wrote to memory of 1004 2588 Pnbacbac.exe 34 PID 2588 wrote to memory of 1004 2588 Pnbacbac.exe 34 PID 2588 wrote to memory of 1004 2588 Pnbacbac.exe 34 PID 2588 wrote to memory of 1004 2588 Pnbacbac.exe 34 PID 1004 wrote to memory of 2712 1004 Pfiidobe.exe 35 PID 1004 wrote to memory of 2712 1004 Pfiidobe.exe 35 PID 1004 wrote to memory of 2712 1004 Pfiidobe.exe 35 PID 1004 wrote to memory of 2712 1004 Pfiidobe.exe 35 PID 2712 wrote to memory of 1492 2712 Pbpjiphi.exe 36 PID 2712 wrote to memory of 1492 2712 Pbpjiphi.exe 36 PID 2712 wrote to memory of 1492 2712 Pbpjiphi.exe 36 PID 2712 wrote to memory of 1492 2712 Pbpjiphi.exe 36 PID 1492 wrote to memory of 1592 1492 Penfelgm.exe 37 PID 1492 wrote to memory of 1592 1492 Penfelgm.exe 37 PID 1492 wrote to memory of 1592 1492 Penfelgm.exe 37 PID 1492 wrote to memory of 1592 1492 Penfelgm.exe 37 PID 1592 wrote to memory of 1836 1592 Qjknnbed.exe 38 PID 1592 wrote to memory of 1836 1592 Qjknnbed.exe 38 PID 1592 wrote to memory of 1836 1592 Qjknnbed.exe 38 PID 1592 wrote to memory of 1836 1592 Qjknnbed.exe 38 PID 1836 wrote to memory of 1544 1836 Qbbfopeg.exe 39 PID 1836 wrote to memory of 1544 1836 Qbbfopeg.exe 39 PID 1836 wrote to memory of 1544 1836 Qbbfopeg.exe 39 PID 1836 wrote to memory of 1544 1836 Qbbfopeg.exe 39 PID 1544 wrote to memory of 1436 1544 Qjmkcbcb.exe 40 PID 1544 wrote to memory of 1436 1544 Qjmkcbcb.exe 40 PID 1544 wrote to memory of 1436 1544 Qjmkcbcb.exe 40 PID 1544 wrote to memory of 1436 1544 Qjmkcbcb.exe 40 PID 1436 wrote to memory of 2896 1436 Qnigda32.exe 41 PID 1436 wrote to memory of 2896 1436 Qnigda32.exe 41 PID 1436 wrote to memory of 2896 1436 Qnigda32.exe 41 PID 1436 wrote to memory of 2896 1436 Qnigda32.exe 41 PID 2896 wrote to memory of 2012 2896 Afdlhchf.exe 42 PID 2896 wrote to memory of 2012 2896 Afdlhchf.exe 42 PID 2896 wrote to memory of 2012 2896 Afdlhchf.exe 42 PID 2896 wrote to memory of 2012 2896 Afdlhchf.exe 42 PID 2012 wrote to memory of 528 2012 Aajpelhl.exe 43 PID 2012 wrote to memory of 528 2012 Aajpelhl.exe 43 PID 2012 wrote to memory of 528 2012 Aajpelhl.exe 43 PID 2012 wrote to memory of 528 2012 Aajpelhl.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\6b0cd829291c685e5082ab66238fb3c52951f7d559106473257d73e95514f2c3.exe"C:\Users\Admin\AppData\Local\Temp\6b0cd829291c685e5082ab66238fb3c52951f7d559106473257d73e95514f2c3.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:528 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:568 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1764 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1104 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2244 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1452 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:680 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1876 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2116 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2948 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe33⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe35⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe36⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe37⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe38⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe39⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe40⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe41⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe42⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe45⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe46⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe47⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe48⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe49⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe50⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe52⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe53⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe54⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe56⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe58⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe59⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe60⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe61⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe62⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe63⤵
- Executes dropped EXE
PID:792 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe65⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe66⤵PID:976
-
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe67⤵PID:592
-
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe68⤵PID:1084
-
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe69⤵PID:1304
-
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1212 -
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe71⤵PID:2296
-
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe72⤵PID:1864
-
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe73⤵PID:2640
-
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe74⤵PID:2664
-
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe75⤵PID:2536
-
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe76⤵PID:1724
-
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe77⤵PID:2740
-
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe78⤵PID:2812
-
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe79⤵PID:1780
-
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe80⤵PID:1164
-
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe81⤵PID:1936
-
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe82⤵PID:1660
-
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:640 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe84⤵PID:1524
-
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe85⤵PID:336
-
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2144 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe87⤵PID:2936
-
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe88⤵
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe89⤵
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe90⤵
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3068 -
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe92⤵PID:2004
-
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe93⤵PID:1716
-
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe94⤵
- Drops file in System32 directory
PID:2876 -
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe95⤵PID:2152
-
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe96⤵PID:872
-
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2548 -
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe98⤵PID:2016
-
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe99⤵PID:1772
-
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe100⤵PID:1584
-
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe101⤵PID:1696
-
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe102⤵PID:760
-
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe103⤵
- Modifies registry class
PID:1076 -
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe104⤵PID:2280
-
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe105⤵PID:3056
-
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe106⤵PID:2516
-
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe107⤵PID:2804
-
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe108⤵PID:2168
-
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe109⤵PID:2860
-
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1428 -
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe111⤵PID:1336
-
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe112⤵PID:480
-
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe113⤵PID:1408
-
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe114⤵PID:1068
-
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:884 -
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe116⤵
- Drops file in System32 directory
PID:2076 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe117⤵PID:2796
-
C:\Windows\SysWOW64\Gfefiemq.exeC:\Windows\system32\Gfefiemq.exe118⤵PID:2824
-
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe119⤵PID:1924
-
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe120⤵PID:2852
-
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe121⤵
- Drops file in System32 directory
PID:268
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-