Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
28/04/2024, 22:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6eb6169c1e25c14a96af72b1f8e314f2f30c0681093847e4831384b721656f87.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
6eb6169c1e25c14a96af72b1f8e314f2f30c0681093847e4831384b721656f87.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
6eb6169c1e25c14a96af72b1f8e314f2f30c0681093847e4831384b721656f87.exe
-
Size
128KB
-
MD5
48ea8ed77170cec87342804469e3c6eb
-
SHA1
096fd8b3a8559a5dcf219f3dcc85553be2eb3a35
-
SHA256
6eb6169c1e25c14a96af72b1f8e314f2f30c0681093847e4831384b721656f87
-
SHA512
73327eaa54bebb1f7c69de3c11a2225b20e6251af4527f49c979fa4f5aa2aee51d539acbadd8e4536f3fbb18b1dc8cbf3512dc0ef42a5c402607274bcacd63be
-
SSDEEP
3072:PP2tYcfriyaa3iyjor7ITho8eYlj9pui6yYPaI7DehizrVtN:n2tYcfrthaU23Mpui6yYPaIGc
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkmand32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgmahg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocgbji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olgmcmgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Homclekn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Onecbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idadnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nlbeqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onbgmg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qqbecp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoajel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oanefo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgidao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pmdjdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Coelaaoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pngphgbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agdjkogm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnndan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Noogpfjh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqqpgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lmjnak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mabphn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Idadnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pclfkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpadhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciohqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afcenm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igijkd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aihfap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnkakl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kebgia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llcefjgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pohfehdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acekjjmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcheib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ggkqmoma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ohhkjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pqkobqhd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Danmmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eabcggll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bkpeci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cebcmdlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mhonngce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ofjfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Clooiddm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbjdjjdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhdhif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Palepb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddgjdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhgoji32.exe -
Executes dropped EXE 64 IoCs
pid Process 2092 Jfekcg32.exe 2564 Jnqphi32.exe 2496 Jgidao32.exe 2360 Jbnhng32.exe 2348 Kgkafo32.exe 1364 Kgnnln32.exe 1964 Kafbec32.exe 2068 Kfbkmk32.exe 2060 Kpkofpgq.exe 2108 Kmopod32.exe 320 Kblhgk32.exe 1916 Lpphap32.exe 2372 Lmcijcbe.exe 2056 Leonofpp.exe 3052 Lliflp32.exe 1696 Llkbap32.exe 2980 Lbeknj32.exe 2864 Llnofpcg.exe 844 Lollckbk.exe 964 Lajhofao.exe 2876 Mhdplq32.exe 876 Mkclhl32.exe 1992 Mhgmapfi.exe 1844 Maoajf32.exe 1152 Mbpnanch.exe 892 Mpdnkb32.exe 2520 Mcbjgn32.exe 2948 Mcegmm32.exe 2532 Meccii32.exe 2596 Najdnj32.exe 2388 Nialog32.exe 2344 Nehmdhja.exe 1856 Nlbeqb32.exe 1656 Nhiffc32.exe 1480 Nkgbbo32.exe 2296 Naajoinb.exe 1636 Nkiogn32.exe 2308 Nacgdhlp.exe 1296 Ojolhk32.exe 1436 Ocgpappk.exe 3056 Ojahnj32.exe 3068 Oqkqkdne.exe 656 Ofhick32.exe 612 Oopnlacm.exe 1444 Ofjfhk32.exe 1572 Oikojfgk.exe 1516 Onhgbmfb.exe 2884 Pdaoog32.exe 1980 Pgplkb32.exe 2196 Pogclp32.exe 2172 Pqhpdhcc.exe 2416 Pedleg32.exe 2440 Pgbhabjp.exe 2468 Pkndaa32.exe 2472 Pqkmjh32.exe 2408 Pefijfii.exe 2292 Pkpagq32.exe 2304 Pnomcl32.exe 1476 Pclfkc32.exe 380 Pggbla32.exe 1528 Pmdjdh32.exe 2276 Pgioaa32.exe 2652 Pikkiijf.exe 2576 Qmfgjh32.exe -
Loads dropped DLL 64 IoCs
pid Process 2008 6eb6169c1e25c14a96af72b1f8e314f2f30c0681093847e4831384b721656f87.exe 2008 6eb6169c1e25c14a96af72b1f8e314f2f30c0681093847e4831384b721656f87.exe 2092 Jfekcg32.exe 2092 Jfekcg32.exe 2564 Jnqphi32.exe 2564 Jnqphi32.exe 2496 Jgidao32.exe 2496 Jgidao32.exe 2360 Jbnhng32.exe 2360 Jbnhng32.exe 2348 Kgkafo32.exe 2348 Kgkafo32.exe 1364 Kgnnln32.exe 1364 Kgnnln32.exe 1964 Kafbec32.exe 1964 Kafbec32.exe 2068 Kfbkmk32.exe 2068 Kfbkmk32.exe 2060 Kpkofpgq.exe 2060 Kpkofpgq.exe 2108 Kmopod32.exe 2108 Kmopod32.exe 320 Kblhgk32.exe 320 Kblhgk32.exe 1916 Lpphap32.exe 1916 Lpphap32.exe 2372 Lmcijcbe.exe 2372 Lmcijcbe.exe 2056 Leonofpp.exe 2056 Leonofpp.exe 3052 Lliflp32.exe 3052 Lliflp32.exe 1696 Llkbap32.exe 1696 Llkbap32.exe 2980 Lbeknj32.exe 2980 Lbeknj32.exe 2864 Llnofpcg.exe 2864 Llnofpcg.exe 844 Lollckbk.exe 844 Lollckbk.exe 964 Lajhofao.exe 964 Lajhofao.exe 2876 Mhdplq32.exe 2876 Mhdplq32.exe 876 Mkclhl32.exe 876 Mkclhl32.exe 1992 Mhgmapfi.exe 1992 Mhgmapfi.exe 1844 Maoajf32.exe 1844 Maoajf32.exe 1152 Mbpnanch.exe 1152 Mbpnanch.exe 892 Mpdnkb32.exe 892 Mpdnkb32.exe 2520 Mcbjgn32.exe 2520 Mcbjgn32.exe 2948 Mcegmm32.exe 2948 Mcegmm32.exe 2532 Meccii32.exe 2532 Meccii32.exe 2596 Najdnj32.exe 2596 Najdnj32.exe 2388 Nialog32.exe 2388 Nialog32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Pikkiijf.exe Pgioaa32.exe File opened for modification C:\Windows\SysWOW64\Dpjgifpa.exe Djqoll32.exe File created C:\Windows\SysWOW64\Pmmgmc32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Figlolbf.exe Fcjcfe32.exe File created C:\Windows\SysWOW64\Iheddndj.exe Iefhhbef.exe File created C:\Windows\SysWOW64\Kmikde32.dll Kbdklf32.exe File opened for modification C:\Windows\SysWOW64\Hjqqap32.exe Hfedqagp.exe File created C:\Windows\SysWOW64\Badnhbce.exe Bmibgd32.exe File created C:\Windows\SysWOW64\Cbepdhgc.exe Ccbphk32.exe File created C:\Windows\SysWOW64\Cfhakqek.dll Gifclb32.exe File created C:\Windows\SysWOW64\Lmmlmd32.dll Acmhepko.exe File created C:\Windows\SysWOW64\Gehhmkko.exe Gcglec32.exe File created C:\Windows\SysWOW64\Bmbemb32.exe Bekmle32.exe File opened for modification C:\Windows\SysWOW64\Gnkmqkbi.exe Fgadda32.exe File opened for modification C:\Windows\SysWOW64\Pnbojmmp.exe Process not Found File created C:\Windows\SysWOW64\Aajbne32.exe Anlfbi32.exe File opened for modification C:\Windows\SysWOW64\Pggdejno.exe Pclhdl32.exe File created C:\Windows\SysWOW64\Bpqain32.exe Bmbemb32.exe File opened for modification C:\Windows\SysWOW64\Gmbfggdo.exe Gnpflj32.exe File created C:\Windows\SysWOW64\Mcckcbgp.exe Process not Found File created C:\Windows\SysWOW64\Jnqphi32.exe Jfekcg32.exe File created C:\Windows\SysWOW64\Eibbcm32.exe Efcfga32.exe File created C:\Windows\SysWOW64\Gmhfmm32.dll Nledoj32.exe File created C:\Windows\SysWOW64\Blibjh32.dll Bpqain32.exe File created C:\Windows\SysWOW64\Bodmepdn.dll Process not Found File opened for modification C:\Windows\SysWOW64\Pgplkb32.exe Pdaoog32.exe File created C:\Windows\SysWOW64\Anlfbi32.exe Aganeoip.exe File created C:\Windows\SysWOW64\Fffefjmi.exe Eolmip32.exe File created C:\Windows\SysWOW64\Jdhgnf32.exe Jjbbpmgo.exe File opened for modification C:\Windows\SysWOW64\Kjmnjkjd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bceibfgj.exe Process not Found File created C:\Windows\SysWOW64\Lmfhil32.exe Leopgo32.exe File created C:\Windows\SysWOW64\Ilfjegqq.dll Ocjophem.exe File created C:\Windows\SysWOW64\Lgkhdddo.exe Lcomce32.exe File opened for modification C:\Windows\SysWOW64\Piekcd32.exe Pbkbgjcc.exe File created C:\Windows\SysWOW64\Ninmfc32.dll Eclbcj32.exe File created C:\Windows\SysWOW64\Ahgnke32.exe Aidnohbk.exe File created C:\Windows\SysWOW64\Akaneplm.dll Iaelanmg.exe File opened for modification C:\Windows\SysWOW64\Khabghdl.exe Kdefgj32.exe File created C:\Windows\SysWOW64\Ljieppcb.exe Lgkhdddo.exe File created C:\Windows\SysWOW64\Dbfabp32.exe Dogefd32.exe File opened for modification C:\Windows\SysWOW64\Hqfaldbo.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ompefj32.exe Process not Found File created C:\Windows\SysWOW64\Fkdhkd32.dll Process not Found File created C:\Windows\SysWOW64\Hdihmjpf.dll Alegac32.exe File created C:\Windows\SysWOW64\Pngphgbf.exe Pjldghjm.exe File created C:\Windows\SysWOW64\Kjbbmk32.dll Lmdkcl32.exe File created C:\Windows\SysWOW64\Obmhdd32.dll Pclfkc32.exe File opened for modification C:\Windows\SysWOW64\Eqbddk32.exe Endhhp32.exe File created C:\Windows\SysWOW64\Nhohda32.exe Nilhhdga.exe File opened for modification C:\Windows\SysWOW64\Hpkldg32.exe Hnjplo32.exe File opened for modification C:\Windows\SysWOW64\Hlafnbal.exe Hibjbgbh.exe File opened for modification C:\Windows\SysWOW64\Mngjeamd.exe Mlhnifmq.exe File created C:\Windows\SysWOW64\Jhgnia32.dll Efcfga32.exe File created C:\Windows\SysWOW64\Edeomgho.dll Process not Found File created C:\Windows\SysWOW64\Ihbqdh32.exe Iecdhm32.exe File opened for modification C:\Windows\SysWOW64\Jlklnjoh.exe Jjmpbopd.exe File created C:\Windows\SysWOW64\Nplbqgdb.dll Mgjebg32.exe File created C:\Windows\SysWOW64\Pkbeiaoi.dll Ecpjfq32.exe File created C:\Windows\SysWOW64\Pdddkijo.dll Akcldl32.exe File opened for modification C:\Windows\SysWOW64\Cmpdgf32.exe Ckahkk32.exe File created C:\Windows\SysWOW64\Cafecmlj.exe Clilkfnb.exe File created C:\Windows\SysWOW64\Mhkdik32.dll Cldooj32.exe File created C:\Windows\SysWOW64\Gmdadnkh.exe Gdllkhdg.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\system32†Eanenbmi.¾ll Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inegme32.dll" Eibbcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoaelb.dll" Hmomml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnndbd32.dll" Ffkoai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dahifbpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hanogipc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljlmgnqj.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpncj32.dll" Eqdajkkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cbgmigeq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ionkallc.dll" Oopnlacm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Imleli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cgcmlcja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Homclekn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oiakgcnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdonf32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hifmbmda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lipecm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Acekjjmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eccpoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohniib32.dll" Oehdan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daiohhgh.dll" Icjhagdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ljkomfjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hmcfhkjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjapamid.dll" Ggfnopfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpkangm.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqbfik32.dll" Dahifbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eofjhkoj.dll" Dpbheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmnmmikh.dll" Opplolac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmqmci32.dll" Fjdnlhco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nkpegi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lnbdko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dkadjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gcmoda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Abkhkgbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdojinhb.dll" Ljieppcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Onpjghhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Amcpie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hfedqagp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdgdp32.dll" Bfpnmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lnjafd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcamkjba.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dlahng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pddnnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qqbecp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpgcnh32.dll" Diibag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kblhgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Leonofpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oikojfgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gncldi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mhdplq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mmadbjkk.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2008 wrote to memory of 2092 2008 6eb6169c1e25c14a96af72b1f8e314f2f30c0681093847e4831384b721656f87.exe 28 PID 2008 wrote to memory of 2092 2008 6eb6169c1e25c14a96af72b1f8e314f2f30c0681093847e4831384b721656f87.exe 28 PID 2008 wrote to memory of 2092 2008 6eb6169c1e25c14a96af72b1f8e314f2f30c0681093847e4831384b721656f87.exe 28 PID 2008 wrote to memory of 2092 2008 6eb6169c1e25c14a96af72b1f8e314f2f30c0681093847e4831384b721656f87.exe 28 PID 2092 wrote to memory of 2564 2092 Jfekcg32.exe 29 PID 2092 wrote to memory of 2564 2092 Jfekcg32.exe 29 PID 2092 wrote to memory of 2564 2092 Jfekcg32.exe 29 PID 2092 wrote to memory of 2564 2092 Jfekcg32.exe 29 PID 2564 wrote to memory of 2496 2564 Jnqphi32.exe 30 PID 2564 wrote to memory of 2496 2564 Jnqphi32.exe 30 PID 2564 wrote to memory of 2496 2564 Jnqphi32.exe 30 PID 2564 wrote to memory of 2496 2564 Jnqphi32.exe 30 PID 2496 wrote to memory of 2360 2496 Jgidao32.exe 31 PID 2496 wrote to memory of 2360 2496 Jgidao32.exe 31 PID 2496 wrote to memory of 2360 2496 Jgidao32.exe 31 PID 2496 wrote to memory of 2360 2496 Jgidao32.exe 31 PID 2360 wrote to memory of 2348 2360 Jbnhng32.exe 32 PID 2360 wrote to memory of 2348 2360 Jbnhng32.exe 32 PID 2360 wrote to memory of 2348 2360 Jbnhng32.exe 32 PID 2360 wrote to memory of 2348 2360 Jbnhng32.exe 32 PID 2348 wrote to memory of 1364 2348 Kgkafo32.exe 33 PID 2348 wrote to memory of 1364 2348 Kgkafo32.exe 33 PID 2348 wrote to memory of 1364 2348 Kgkafo32.exe 33 PID 2348 wrote to memory of 1364 2348 Kgkafo32.exe 33 PID 1364 wrote to memory of 1964 1364 Kgnnln32.exe 34 PID 1364 wrote to memory of 1964 1364 Kgnnln32.exe 34 PID 1364 wrote to memory of 1964 1364 Kgnnln32.exe 34 PID 1364 wrote to memory of 1964 1364 Kgnnln32.exe 34 PID 1964 wrote to memory of 2068 1964 Kafbec32.exe 35 PID 1964 wrote to memory of 2068 1964 Kafbec32.exe 35 PID 1964 wrote to memory of 2068 1964 Kafbec32.exe 35 PID 1964 wrote to memory of 2068 1964 Kafbec32.exe 35 PID 2068 wrote to memory of 2060 2068 Kfbkmk32.exe 36 PID 2068 wrote to memory of 2060 2068 Kfbkmk32.exe 36 PID 2068 wrote to memory of 2060 2068 Kfbkmk32.exe 36 PID 2068 wrote to memory of 2060 2068 Kfbkmk32.exe 36 PID 2060 wrote to memory of 2108 2060 Kpkofpgq.exe 37 PID 2060 wrote to memory of 2108 2060 Kpkofpgq.exe 37 PID 2060 wrote to memory of 2108 2060 Kpkofpgq.exe 37 PID 2060 wrote to memory of 2108 2060 Kpkofpgq.exe 37 PID 2108 wrote to memory of 320 2108 Kmopod32.exe 38 PID 2108 wrote to memory of 320 2108 Kmopod32.exe 38 PID 2108 wrote to memory of 320 2108 Kmopod32.exe 38 PID 2108 wrote to memory of 320 2108 Kmopod32.exe 38 PID 320 wrote to memory of 1916 320 Kblhgk32.exe 39 PID 320 wrote to memory of 1916 320 Kblhgk32.exe 39 PID 320 wrote to memory of 1916 320 Kblhgk32.exe 39 PID 320 wrote to memory of 1916 320 Kblhgk32.exe 39 PID 1916 wrote to memory of 2372 1916 Lpphap32.exe 40 PID 1916 wrote to memory of 2372 1916 Lpphap32.exe 40 PID 1916 wrote to memory of 2372 1916 Lpphap32.exe 40 PID 1916 wrote to memory of 2372 1916 Lpphap32.exe 40 PID 2372 wrote to memory of 2056 2372 Lmcijcbe.exe 41 PID 2372 wrote to memory of 2056 2372 Lmcijcbe.exe 41 PID 2372 wrote to memory of 2056 2372 Lmcijcbe.exe 41 PID 2372 wrote to memory of 2056 2372 Lmcijcbe.exe 41 PID 2056 wrote to memory of 3052 2056 Leonofpp.exe 42 PID 2056 wrote to memory of 3052 2056 Leonofpp.exe 42 PID 2056 wrote to memory of 3052 2056 Leonofpp.exe 42 PID 2056 wrote to memory of 3052 2056 Leonofpp.exe 42 PID 3052 wrote to memory of 1696 3052 Lliflp32.exe 43 PID 3052 wrote to memory of 1696 3052 Lliflp32.exe 43 PID 3052 wrote to memory of 1696 3052 Lliflp32.exe 43 PID 3052 wrote to memory of 1696 3052 Lliflp32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\6eb6169c1e25c14a96af72b1f8e314f2f30c0681093847e4831384b721656f87.exe"C:\Users\Admin\AppData\Local\Temp\6eb6169c1e25c14a96af72b1f8e314f2f30c0681093847e4831384b721656f87.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Jbnhng32.exeC:\Windows\system32\Jbnhng32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Kgkafo32.exeC:\Windows\system32\Kgkafo32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Kgnnln32.exeC:\Windows\system32\Kgnnln32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Kfbkmk32.exeC:\Windows\system32\Kfbkmk32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Kpkofpgq.exeC:\Windows\system32\Kpkofpgq.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Kmopod32.exeC:\Windows\system32\Kmopod32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Kblhgk32.exeC:\Windows\system32\Kblhgk32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\SysWOW64\Lpphap32.exeC:\Windows\system32\Lpphap32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Lmcijcbe.exeC:\Windows\system32\Lmcijcbe.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Leonofpp.exeC:\Windows\system32\Leonofpp.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Lliflp32.exeC:\Windows\system32\Lliflp32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Lbeknj32.exeC:\Windows\system32\Lbeknj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2980 -
C:\Windows\SysWOW64\Llnofpcg.exeC:\Windows\system32\Llnofpcg.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Lollckbk.exeC:\Windows\system32\Lollckbk.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:844 -
C:\Windows\SysWOW64\Lajhofao.exeC:\Windows\system32\Lajhofao.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:964 -
C:\Windows\SysWOW64\Mhdplq32.exeC:\Windows\system32\Mhdplq32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Mkclhl32.exeC:\Windows\system32\Mkclhl32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:876 -
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1992 -
C:\Windows\SysWOW64\Maoajf32.exeC:\Windows\system32\Maoajf32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1844 -
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1152 -
C:\Windows\SysWOW64\Mpdnkb32.exeC:\Windows\system32\Mpdnkb32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:892 -
C:\Windows\SysWOW64\Mcbjgn32.exeC:\Windows\system32\Mcbjgn32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2520 -
C:\Windows\SysWOW64\Mcegmm32.exeC:\Windows\system32\Mcegmm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2948 -
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2532 -
C:\Windows\SysWOW64\Najdnj32.exeC:\Windows\system32\Najdnj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Nialog32.exeC:\Windows\system32\Nialog32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2388 -
C:\Windows\SysWOW64\Nehmdhja.exeC:\Windows\system32\Nehmdhja.exe33⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Nlbeqb32.exeC:\Windows\system32\Nlbeqb32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Nhiffc32.exeC:\Windows\system32\Nhiffc32.exe35⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Nkgbbo32.exeC:\Windows\system32\Nkgbbo32.exe36⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Naajoinb.exeC:\Windows\system32\Naajoinb.exe37⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Nkiogn32.exeC:\Windows\system32\Nkiogn32.exe38⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Nacgdhlp.exeC:\Windows\system32\Nacgdhlp.exe39⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Ojolhk32.exeC:\Windows\system32\Ojolhk32.exe40⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Ocgpappk.exeC:\Windows\system32\Ocgpappk.exe41⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Ojahnj32.exeC:\Windows\system32\Ojahnj32.exe42⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Oqkqkdne.exeC:\Windows\system32\Oqkqkdne.exe43⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Ofhick32.exeC:\Windows\system32\Ofhick32.exe44⤵
- Executes dropped EXE
PID:656 -
C:\Windows\SysWOW64\Oopnlacm.exeC:\Windows\system32\Oopnlacm.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:612 -
C:\Windows\SysWOW64\Ofjfhk32.exeC:\Windows\system32\Ofjfhk32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Oikojfgk.exeC:\Windows\system32\Oikojfgk.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Onhgbmfb.exeC:\Windows\system32\Onhgbmfb.exe48⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Pdaoog32.exeC:\Windows\system32\Pdaoog32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Pgplkb32.exeC:\Windows\system32\Pgplkb32.exe50⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Pogclp32.exeC:\Windows\system32\Pogclp32.exe51⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Pqhpdhcc.exeC:\Windows\system32\Pqhpdhcc.exe52⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Pedleg32.exeC:\Windows\system32\Pedleg32.exe53⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Pgbhabjp.exeC:\Windows\system32\Pgbhabjp.exe54⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Pkndaa32.exeC:\Windows\system32\Pkndaa32.exe55⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Pqkmjh32.exeC:\Windows\system32\Pqkmjh32.exe56⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Pefijfii.exeC:\Windows\system32\Pefijfii.exe57⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Pkpagq32.exeC:\Windows\system32\Pkpagq32.exe58⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Pnomcl32.exeC:\Windows\system32\Pnomcl32.exe59⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Pclfkc32.exeC:\Windows\system32\Pclfkc32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1476 -
C:\Windows\SysWOW64\Pggbla32.exeC:\Windows\system32\Pggbla32.exe61⤵
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Pmdjdh32.exeC:\Windows\system32\Pmdjdh32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Pgioaa32.exeC:\Windows\system32\Pgioaa32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2276 -
C:\Windows\SysWOW64\Pikkiijf.exeC:\Windows\system32\Pikkiijf.exe64⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Qmfgjh32.exeC:\Windows\system32\Qmfgjh32.exe65⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Qcpofbjl.exeC:\Windows\system32\Qcpofbjl.exe66⤵PID:2208
-
C:\Windows\SysWOW64\Qfokbnip.exeC:\Windows\system32\Qfokbnip.exe67⤵PID:3036
-
C:\Windows\SysWOW64\Qimhoi32.exeC:\Windows\system32\Qimhoi32.exe68⤵PID:2912
-
C:\Windows\SysWOW64\Qlkdkd32.exeC:\Windows\system32\Qlkdkd32.exe69⤵PID:1852
-
C:\Windows\SysWOW64\Qbelgood.exeC:\Windows\system32\Qbelgood.exe70⤵PID:904
-
C:\Windows\SysWOW64\Qedhdjnh.exeC:\Windows\system32\Qedhdjnh.exe71⤵PID:2004
-
C:\Windows\SysWOW64\Alnqqd32.exeC:\Windows\system32\Alnqqd32.exe72⤵PID:992
-
C:\Windows\SysWOW64\Apimacnn.exeC:\Windows\system32\Apimacnn.exe73⤵PID:1248
-
C:\Windows\SysWOW64\Afcenm32.exeC:\Windows\system32\Afcenm32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2676 -
C:\Windows\SysWOW64\Aefeijle.exeC:\Windows\system32\Aefeijle.exe75⤵PID:2448
-
C:\Windows\SysWOW64\Aplifb32.exeC:\Windows\system32\Aplifb32.exe76⤵PID:2792
-
C:\Windows\SysWOW64\Abjebn32.exeC:\Windows\system32\Abjebn32.exe77⤵PID:1948
-
C:\Windows\SysWOW64\Aidnohbk.exeC:\Windows\system32\Aidnohbk.exe78⤵
- Drops file in System32 directory
PID:1524 -
C:\Windows\SysWOW64\Ahgnke32.exeC:\Windows\system32\Ahgnke32.exe79⤵PID:2116
-
C:\Windows\SysWOW64\Abmbhn32.exeC:\Windows\system32\Abmbhn32.exe80⤵PID:1968
-
C:\Windows\SysWOW64\Aekodi32.exeC:\Windows\system32\Aekodi32.exe81⤵PID:2312
-
C:\Windows\SysWOW64\Alegac32.exeC:\Windows\system32\Alegac32.exe82⤵
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Anccmo32.exeC:\Windows\system32\Anccmo32.exe83⤵PID:2268
-
C:\Windows\SysWOW64\Aaaoij32.exeC:\Windows\system32\Aaaoij32.exe84⤵PID:1000
-
C:\Windows\SysWOW64\Adpkee32.exeC:\Windows\system32\Adpkee32.exe85⤵PID:960
-
C:\Windows\SysWOW64\Ajjcbpdd.exeC:\Windows\system32\Ajjcbpdd.exe86⤵PID:1752
-
C:\Windows\SysWOW64\Amhpnkch.exeC:\Windows\system32\Amhpnkch.exe87⤵PID:1208
-
C:\Windows\SysWOW64\Bioqclil.exeC:\Windows\system32\Bioqclil.exe88⤵PID:2552
-
C:\Windows\SysWOW64\Bpleef32.exeC:\Windows\system32\Bpleef32.exe89⤵PID:2604
-
C:\Windows\SysWOW64\Bfenbpec.exeC:\Windows\system32\Bfenbpec.exe90⤵PID:2332
-
C:\Windows\SysWOW64\Bmpfojmp.exeC:\Windows\system32\Bmpfojmp.exe91⤵PID:2436
-
C:\Windows\SysWOW64\Bpnbkeld.exeC:\Windows\system32\Bpnbkeld.exe92⤵PID:1984
-
C:\Windows\SysWOW64\Boqbfb32.exeC:\Windows\system32\Boqbfb32.exe93⤵PID:2112
-
C:\Windows\SysWOW64\Bekkcljk.exeC:\Windows\system32\Bekkcljk.exe94⤵PID:348
-
C:\Windows\SysWOW64\Bhigphio.exeC:\Windows\system32\Bhigphio.exe95⤵PID:1684
-
C:\Windows\SysWOW64\Bocolb32.exeC:\Windows\system32\Bocolb32.exe96⤵PID:2316
-
C:\Windows\SysWOW64\Baakhm32.exeC:\Windows\system32\Baakhm32.exe97⤵PID:1772
-
C:\Windows\SysWOW64\Biicik32.exeC:\Windows\system32\Biicik32.exe98⤵PID:2692
-
C:\Windows\SysWOW64\Bhkdeggl.exeC:\Windows\system32\Bhkdeggl.exe99⤵PID:1300
-
C:\Windows\SysWOW64\Coelaaoi.exeC:\Windows\system32\Coelaaoi.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1784 -
C:\Windows\SysWOW64\Cadhnmnm.exeC:\Windows\system32\Cadhnmnm.exe101⤵PID:1960
-
C:\Windows\SysWOW64\Cdbdjhmp.exeC:\Windows\system32\Cdbdjhmp.exe102⤵PID:896
-
C:\Windows\SysWOW64\Clilkfnb.exeC:\Windows\system32\Clilkfnb.exe103⤵
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Cafecmlj.exeC:\Windows\system32\Cafecmlj.exe104⤵PID:836
-
C:\Windows\SysWOW64\Cddaphkn.exeC:\Windows\system32\Cddaphkn.exe105⤵PID:2536
-
C:\Windows\SysWOW64\Cgcmlcja.exeC:\Windows\system32\Cgcmlcja.exe106⤵
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Cojema32.exeC:\Windows\system32\Cojema32.exe107⤵PID:2456
-
C:\Windows\SysWOW64\Cpkbdiqb.exeC:\Windows\system32\Cpkbdiqb.exe108⤵PID:1556
-
C:\Windows\SysWOW64\Cdgneh32.exeC:\Windows\system32\Cdgneh32.exe109⤵PID:768
-
C:\Windows\SysWOW64\Cnobnmpl.exeC:\Windows\system32\Cnobnmpl.exe110⤵PID:680
-
C:\Windows\SysWOW64\Caknol32.exeC:\Windows\system32\Caknol32.exe111⤵PID:1320
-
C:\Windows\SysWOW64\Cclkfdnc.exeC:\Windows\system32\Cclkfdnc.exe112⤵PID:2684
-
C:\Windows\SysWOW64\Ckccgane.exeC:\Windows\system32\Ckccgane.exe113⤵PID:916
-
C:\Windows\SysWOW64\Cldooj32.exeC:\Windows\system32\Cldooj32.exe114⤵
- Drops file in System32 directory
PID:1736 -
C:\Windows\SysWOW64\Cppkph32.exeC:\Windows\system32\Cppkph32.exe115⤵PID:3028
-
C:\Windows\SysWOW64\Dfmdho32.exeC:\Windows\system32\Dfmdho32.exe116⤵PID:2152
-
C:\Windows\SysWOW64\Djhphncm.exeC:\Windows\system32\Djhphncm.exe117⤵PID:2124
-
C:\Windows\SysWOW64\Dpbheh32.exeC:\Windows\system32\Dpbheh32.exe118⤵
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Dcadac32.exeC:\Windows\system32\Dcadac32.exe119⤵PID:2988
-
C:\Windows\SysWOW64\Djklnnaj.exeC:\Windows\system32\Djklnnaj.exe120⤵PID:852
-
C:\Windows\SysWOW64\Dhnmij32.exeC:\Windows\system32\Dhnmij32.exe121⤵PID:336
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-