Analysis
-
max time kernel
129s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
14-06-2024 01:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8c87b1e2fd09eef6660f3701e383a036f53e5bfdfc19c33fe3d1f36c9832f4d8.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
8c87b1e2fd09eef6660f3701e383a036f53e5bfdfc19c33fe3d1f36c9832f4d8.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
8c87b1e2fd09eef6660f3701e383a036f53e5bfdfc19c33fe3d1f36c9832f4d8.exe
-
Size
73KB
-
MD5
669efab38d884934fd9069d971100c44
-
SHA1
d4a7793330cf8d0987a222e1d00d57ac71309bd2
-
SHA256
8c87b1e2fd09eef6660f3701e383a036f53e5bfdfc19c33fe3d1f36c9832f4d8
-
SHA512
f869f0800948047c46db46ed8f452f0cfb5b484d255e6179a508873ed3dbb0a2b4746c7ee428cbbf944350c31b2d2da546173f4617eca32b02491b2532afcfaf
-
SSDEEP
1536:+iUwCOJ46ij/3dl4/gicTBbyMjuyBj+Qawk5YMkhohBM:wZG2OKuigwwUAM
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlkail32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfidjbdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phqmgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjcckf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nameek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gockgdeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onocmadb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gghkdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhjlli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgngbmjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eloipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohcaoajg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbifnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elkmmodo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkegah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpflkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkcplien.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfpclh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkdnhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgokfnij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpacogjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efcomkcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icfpbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flocfmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Makkcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlgndbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpidki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lljipmdl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfegij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leikbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnkhfnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dohgomgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hemqpf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enqdhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdiqpigl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nplfdj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fblmglgm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgpmjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pepfnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hajfgnjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iciopdca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnmbme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kocbkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehmbng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpigma32.exe -
Executes dropped EXE 64 IoCs
pid Process 2800 Hdnepk32.exe 2712 Hdqbekcm.exe 2852 Inifnq32.exe 2768 Icfofg32.exe 2776 Iompkh32.exe 2672 Iheddndj.exe 2980 Iamimc32.exe 320 Ikfmfi32.exe 2816 Ifkacb32.exe 1036 Ileiplhn.exe 1788 Jfnnha32.exe 1396 Jkjfah32.exe 1112 Jnicmdli.exe 2372 Jkmcfhkc.exe 2060 Jcmafj32.exe 1208 Kocbkk32.exe 3012 Kofopj32.exe 1920 Kfpgmdog.exe 1556 Kmjojo32.exe 1044 Kbfhbeek.exe 1480 Kpjhkjde.exe 636 Kegqdqbl.exe 2140 Kjdilgpc.exe 1260 Ljffag32.exe 1512 Lapnnafn.exe 2220 Labkdack.exe 1992 Lfpclh32.exe 2708 Lphhenhc.exe 2508 Llohjo32.exe 2524 Lfdmggnm.exe 3056 Libicbma.exe 1240 Mooaljkh.exe 2520 Mbmjah32.exe 2804 Mhjbjopf.exe 592 Modkfi32.exe 2020 Mdacop32.exe 388 Mmihhelk.exe 1696 Moidahcn.exe 1680 Ngdifkpi.exe 1516 Nplmop32.exe 2400 Nmpnhdfc.exe 2868 Ndjfeo32.exe 2036 Ngibaj32.exe 2144 Nmbknddp.exe 3068 Ngkogj32.exe 1932 Niikceid.exe 704 Npccpo32.exe 1644 Nadpgggp.exe 2268 Nhohda32.exe 2228 Ocdmaj32.exe 2148 Ohaeia32.exe 3064 Ocfigjlp.exe 3024 Ohcaoajg.exe 2724 Okanklik.exe 2416 Oegbheiq.exe 2576 Oghopm32.exe 2480 Onbgmg32.exe 2412 Ohhkjp32.exe 2680 Okfgfl32.exe 2864 Ocalkn32.exe 628 Pbnoliap.exe 2972 Qflhbhgg.exe 2124 Qodlkm32.exe 2516 Qqeicede.exe -
Loads dropped DLL 64 IoCs
pid Process 1688 8c87b1e2fd09eef6660f3701e383a036f53e5bfdfc19c33fe3d1f36c9832f4d8.exe 1688 8c87b1e2fd09eef6660f3701e383a036f53e5bfdfc19c33fe3d1f36c9832f4d8.exe 2800 Hdnepk32.exe 2800 Hdnepk32.exe 2712 Hdqbekcm.exe 2712 Hdqbekcm.exe 2852 Inifnq32.exe 2852 Inifnq32.exe 2768 Icfofg32.exe 2768 Icfofg32.exe 2776 Iompkh32.exe 2776 Iompkh32.exe 2672 Iheddndj.exe 2672 Iheddndj.exe 2980 Iamimc32.exe 2980 Iamimc32.exe 320 Ikfmfi32.exe 320 Ikfmfi32.exe 2816 Ifkacb32.exe 2816 Ifkacb32.exe 1036 Ileiplhn.exe 1036 Ileiplhn.exe 1788 Jfnnha32.exe 1788 Jfnnha32.exe 1396 Jkjfah32.exe 1396 Jkjfah32.exe 1112 Jnicmdli.exe 1112 Jnicmdli.exe 2372 Jkmcfhkc.exe 2372 Jkmcfhkc.exe 2060 Jcmafj32.exe 2060 Jcmafj32.exe 1208 Kocbkk32.exe 1208 Kocbkk32.exe 3012 Kofopj32.exe 3012 Kofopj32.exe 1920 Kfpgmdog.exe 1920 Kfpgmdog.exe 1556 Kmjojo32.exe 1556 Kmjojo32.exe 1044 Kbfhbeek.exe 1044 Kbfhbeek.exe 1480 Kpjhkjde.exe 1480 Kpjhkjde.exe 636 Kegqdqbl.exe 636 Kegqdqbl.exe 2140 Kjdilgpc.exe 2140 Kjdilgpc.exe 1260 Ljffag32.exe 1260 Ljffag32.exe 1512 Lapnnafn.exe 1512 Lapnnafn.exe 2220 Labkdack.exe 2220 Labkdack.exe 1992 Lfpclh32.exe 1992 Lfpclh32.exe 2708 Lphhenhc.exe 2708 Lphhenhc.exe 2508 Llohjo32.exe 2508 Llohjo32.exe 2524 Lfdmggnm.exe 2524 Lfdmggnm.exe 3056 Libicbma.exe 3056 Libicbma.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nehomq32.exe Nplfdj32.exe File opened for modification C:\Windows\SysWOW64\Ehjqgjmp.exe Eoblnd32.exe File created C:\Windows\SysWOW64\Hgeahj32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mifkfhpa.exe Process not Found File created C:\Windows\SysWOW64\Glgpghnp.dll Process not Found File created C:\Windows\SysWOW64\Ldbofgme.exe Lkjjma32.exe File created C:\Windows\SysWOW64\Belhfdmi.dll Hiclkp32.exe File opened for modification C:\Windows\SysWOW64\Obgnhkkh.exe Ohbikbkb.exe File created C:\Windows\SysWOW64\Jibpghbk.exe Process not Found File created C:\Windows\SysWOW64\Cdkkcp32.exe Process not Found File created C:\Windows\SysWOW64\Ddbdimmi.dll Process not Found File created C:\Windows\SysWOW64\Hhjjcdeh.dll Process not Found File created C:\Windows\SysWOW64\Pajeanhf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Clmbddgp.exe Cgpjlnhh.exe File created C:\Windows\SysWOW64\Pciddedl.exe Plolgk32.exe File created C:\Windows\SysWOW64\Olpilg32.exe Oaghki32.exe File opened for modification C:\Windows\SysWOW64\Imjkpb32.exe Ifpcchai.exe File created C:\Windows\SysWOW64\Gelafcdj.dll Codbqonk.exe File created C:\Windows\SysWOW64\Mpdhdajp.dll Ingmmn32.exe File opened for modification C:\Windows\SysWOW64\Jcikog32.exe Jajocl32.exe File opened for modification C:\Windows\SysWOW64\Kmjojo32.exe Kfpgmdog.exe File created C:\Windows\SysWOW64\Ieomef32.exe Hpbdmo32.exe File created C:\Windows\SysWOW64\Ckndebll.dll Bdcifi32.exe File created C:\Windows\SysWOW64\Lmjcge32.dll Epnhpglg.exe File opened for modification C:\Windows\SysWOW64\Leikbd32.exe Ldgnklmi.exe File created C:\Windows\SysWOW64\Lljipmdl.exe Ldbaopdj.exe File opened for modification C:\Windows\SysWOW64\Klfmijae.exe Kjepaa32.exe File created C:\Windows\SysWOW64\Fbofhpaj.dll Process not Found File created C:\Windows\SysWOW64\Inkffhjh.dll Gmlablaa.exe File created C:\Windows\SysWOW64\Macjgadf.exe Mkibjgli.exe File created C:\Windows\SysWOW64\Nhhqfb32.exe Process not Found File created C:\Windows\SysWOW64\Hfegij32.exe Hahnac32.exe File created C:\Windows\SysWOW64\Icdcllpc.exe Imjkpb32.exe File created C:\Windows\SysWOW64\Mfjgiobf.dll Lfbdci32.exe File opened for modification C:\Windows\SysWOW64\Aphcppmo.exe Ahqkocmm.exe File created C:\Windows\SysWOW64\Pijqkpie.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ohaeia32.exe Ocdmaj32.exe File created C:\Windows\SysWOW64\Obhipb32.dll Ghajacmo.exe File created C:\Windows\SysWOW64\Nfdgghho.dll Pbagipfi.exe File opened for modification C:\Windows\SysWOW64\Aalofa32.exe Process not Found File created C:\Windows\SysWOW64\Cdfgmnpa.exe Process not Found File created C:\Windows\SysWOW64\Pjmjdnop.exe Process not Found File created C:\Windows\SysWOW64\Dcfmdh32.dll Pciddedl.exe File created C:\Windows\SysWOW64\Hqfaldbo.exe Ggnmbn32.exe File opened for modification C:\Windows\SysWOW64\Aomnhd32.exe Alnalh32.exe File created C:\Windows\SysWOW64\Gfnafi32.dll Aoagccfn.exe File created C:\Windows\SysWOW64\Mejlalji.exe Mmogmjmn.exe File created C:\Windows\SysWOW64\Hoelacdp.dll Process not Found File created C:\Windows\SysWOW64\Kglcogeo.exe Jhamckel.exe File created C:\Windows\SysWOW64\Kjfkcopd.dll Phlclgfc.exe File created C:\Windows\SysWOW64\Bahelebm.exe Process not Found File created C:\Windows\SysWOW64\Clmoej32.dll Lmgalkcf.exe File opened for modification C:\Windows\SysWOW64\Nknkeg32.exe Nddcimag.exe File opened for modification C:\Windows\SysWOW64\Jfnnha32.exe Ileiplhn.exe File opened for modification C:\Windows\SysWOW64\Bheaiekc.exe Bchhqo32.exe File created C:\Windows\SysWOW64\Nkdpmn32.exe Process not Found File created C:\Windows\SysWOW64\Mlfibh32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Kmmebm32.exe Kgpmjf32.exe File opened for modification C:\Windows\SysWOW64\Apilcoho.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fnmjpk32.exe Process not Found File created C:\Windows\SysWOW64\Kkkhmadd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jpnkep32.exe Process not Found File created C:\Windows\SysWOW64\Icipkhcj.dll Process not Found File created C:\Windows\SysWOW64\Eelloqic.dll Cgpjlnhh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6832 6396 Process not Found 1595 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ciagojda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphmpc32.dll" Lonlkcho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijpfnpij.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmppehkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Macjgadf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klmqapci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijaaae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifpcchai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpidki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkebafoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgmnpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjhhabcc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkjfah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmmdin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfflql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doabjbci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkmaed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpljhnf.dll" Moidahcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkmlmbcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfflql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndjfeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oegbheiq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekpheb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Makkcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npfdjdfc.dll" Njeccjcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eloipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdgdp32.dll" Bnielm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obgnhkkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iipejmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccpcckck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkjjma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjakccop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bacihmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dppigchi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpbnjjkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jingpl32.dll" Llbconkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phobjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcecbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdekgjno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjmkeb32.dll" Hmmdin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbghhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afgkfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgpia32.dll" Cpfmmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dphfbiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkimmgco.dll" Icplje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkfgkgmk.dll" Pljcllqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geoghd32.dll" Imgnjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbdnb32.dll" Ioeclg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbbomjnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpmlce32.dll" Halcmn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1688 wrote to memory of 2800 1688 8c87b1e2fd09eef6660f3701e383a036f53e5bfdfc19c33fe3d1f36c9832f4d8.exe 28 PID 1688 wrote to memory of 2800 1688 8c87b1e2fd09eef6660f3701e383a036f53e5bfdfc19c33fe3d1f36c9832f4d8.exe 28 PID 1688 wrote to memory of 2800 1688 8c87b1e2fd09eef6660f3701e383a036f53e5bfdfc19c33fe3d1f36c9832f4d8.exe 28 PID 1688 wrote to memory of 2800 1688 8c87b1e2fd09eef6660f3701e383a036f53e5bfdfc19c33fe3d1f36c9832f4d8.exe 28 PID 2800 wrote to memory of 2712 2800 Hdnepk32.exe 29 PID 2800 wrote to memory of 2712 2800 Hdnepk32.exe 29 PID 2800 wrote to memory of 2712 2800 Hdnepk32.exe 29 PID 2800 wrote to memory of 2712 2800 Hdnepk32.exe 29 PID 2712 wrote to memory of 2852 2712 Hdqbekcm.exe 30 PID 2712 wrote to memory of 2852 2712 Hdqbekcm.exe 30 PID 2712 wrote to memory of 2852 2712 Hdqbekcm.exe 30 PID 2712 wrote to memory of 2852 2712 Hdqbekcm.exe 30 PID 2852 wrote to memory of 2768 2852 Inifnq32.exe 31 PID 2852 wrote to memory of 2768 2852 Inifnq32.exe 31 PID 2852 wrote to memory of 2768 2852 Inifnq32.exe 31 PID 2852 wrote to memory of 2768 2852 Inifnq32.exe 31 PID 2768 wrote to memory of 2776 2768 Icfofg32.exe 32 PID 2768 wrote to memory of 2776 2768 Icfofg32.exe 32 PID 2768 wrote to memory of 2776 2768 Icfofg32.exe 32 PID 2768 wrote to memory of 2776 2768 Icfofg32.exe 32 PID 2776 wrote to memory of 2672 2776 Iompkh32.exe 33 PID 2776 wrote to memory of 2672 2776 Iompkh32.exe 33 PID 2776 wrote to memory of 2672 2776 Iompkh32.exe 33 PID 2776 wrote to memory of 2672 2776 Iompkh32.exe 33 PID 2672 wrote to memory of 2980 2672 Iheddndj.exe 34 PID 2672 wrote to memory of 2980 2672 Iheddndj.exe 34 PID 2672 wrote to memory of 2980 2672 Iheddndj.exe 34 PID 2672 wrote to memory of 2980 2672 Iheddndj.exe 34 PID 2980 wrote to memory of 320 2980 Iamimc32.exe 35 PID 2980 wrote to memory of 320 2980 Iamimc32.exe 35 PID 2980 wrote to memory of 320 2980 Iamimc32.exe 35 PID 2980 wrote to memory of 320 2980 Iamimc32.exe 35 PID 320 wrote to memory of 2816 320 Ikfmfi32.exe 36 PID 320 wrote to memory of 2816 320 Ikfmfi32.exe 36 PID 320 wrote to memory of 2816 320 Ikfmfi32.exe 36 PID 320 wrote to memory of 2816 320 Ikfmfi32.exe 36 PID 2816 wrote to memory of 1036 2816 Ifkacb32.exe 37 PID 2816 wrote to memory of 1036 2816 Ifkacb32.exe 37 PID 2816 wrote to memory of 1036 2816 Ifkacb32.exe 37 PID 2816 wrote to memory of 1036 2816 Ifkacb32.exe 37 PID 1036 wrote to memory of 1788 1036 Ileiplhn.exe 38 PID 1036 wrote to memory of 1788 1036 Ileiplhn.exe 38 PID 1036 wrote to memory of 1788 1036 Ileiplhn.exe 38 PID 1036 wrote to memory of 1788 1036 Ileiplhn.exe 38 PID 1788 wrote to memory of 1396 1788 Jfnnha32.exe 39 PID 1788 wrote to memory of 1396 1788 Jfnnha32.exe 39 PID 1788 wrote to memory of 1396 1788 Jfnnha32.exe 39 PID 1788 wrote to memory of 1396 1788 Jfnnha32.exe 39 PID 1396 wrote to memory of 1112 1396 Jkjfah32.exe 40 PID 1396 wrote to memory of 1112 1396 Jkjfah32.exe 40 PID 1396 wrote to memory of 1112 1396 Jkjfah32.exe 40 PID 1396 wrote to memory of 1112 1396 Jkjfah32.exe 40 PID 1112 wrote to memory of 2372 1112 Jnicmdli.exe 41 PID 1112 wrote to memory of 2372 1112 Jnicmdli.exe 41 PID 1112 wrote to memory of 2372 1112 Jnicmdli.exe 41 PID 1112 wrote to memory of 2372 1112 Jnicmdli.exe 41 PID 2372 wrote to memory of 2060 2372 Jkmcfhkc.exe 42 PID 2372 wrote to memory of 2060 2372 Jkmcfhkc.exe 42 PID 2372 wrote to memory of 2060 2372 Jkmcfhkc.exe 42 PID 2372 wrote to memory of 2060 2372 Jkmcfhkc.exe 42 PID 2060 wrote to memory of 1208 2060 Jcmafj32.exe 43 PID 2060 wrote to memory of 1208 2060 Jcmafj32.exe 43 PID 2060 wrote to memory of 1208 2060 Jcmafj32.exe 43 PID 2060 wrote to memory of 1208 2060 Jcmafj32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\8c87b1e2fd09eef6660f3701e383a036f53e5bfdfc19c33fe3d1f36c9832f4d8.exe"C:\Users\Admin\AppData\Local\Temp\8c87b1e2fd09eef6660f3701e383a036f53e5bfdfc19c33fe3d1f36c9832f4d8.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Hdnepk32.exeC:\Windows\system32\Hdnepk32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Hdqbekcm.exeC:\Windows\system32\Hdqbekcm.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Inifnq32.exeC:\Windows\system32\Inifnq32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Icfofg32.exeC:\Windows\system32\Icfofg32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Iompkh32.exeC:\Windows\system32\Iompkh32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Iheddndj.exeC:\Windows\system32\Iheddndj.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Iamimc32.exeC:\Windows\system32\Iamimc32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Ikfmfi32.exeC:\Windows\system32\Ikfmfi32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\SysWOW64\Ifkacb32.exeC:\Windows\system32\Ifkacb32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Ileiplhn.exeC:\Windows\system32\Ileiplhn.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Jfnnha32.exeC:\Windows\system32\Jfnnha32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Jkjfah32.exeC:\Windows\system32\Jkjfah32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\Jnicmdli.exeC:\Windows\system32\Jnicmdli.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Windows\SysWOW64\Jkmcfhkc.exeC:\Windows\system32\Jkmcfhkc.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Jcmafj32.exeC:\Windows\system32\Jcmafj32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Kocbkk32.exeC:\Windows\system32\Kocbkk32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1208 -
C:\Windows\SysWOW64\Kofopj32.exeC:\Windows\system32\Kofopj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\Kfpgmdog.exeC:\Windows\system32\Kfpgmdog.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1920 -
C:\Windows\SysWOW64\Kmjojo32.exeC:\Windows\system32\Kmjojo32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1556 -
C:\Windows\SysWOW64\Kbfhbeek.exeC:\Windows\system32\Kbfhbeek.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1044 -
C:\Windows\SysWOW64\Kpjhkjde.exeC:\Windows\system32\Kpjhkjde.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1480 -
C:\Windows\SysWOW64\Kegqdqbl.exeC:\Windows\system32\Kegqdqbl.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:636 -
C:\Windows\SysWOW64\Kjdilgpc.exeC:\Windows\system32\Kjdilgpc.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2140 -
C:\Windows\SysWOW64\Ljffag32.exeC:\Windows\system32\Ljffag32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1260 -
C:\Windows\SysWOW64\Lapnnafn.exeC:\Windows\system32\Lapnnafn.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1512 -
C:\Windows\SysWOW64\Labkdack.exeC:\Windows\system32\Labkdack.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2220 -
C:\Windows\SysWOW64\Lfpclh32.exeC:\Windows\system32\Lfpclh32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1992 -
C:\Windows\SysWOW64\Lphhenhc.exeC:\Windows\system32\Lphhenhc.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Llohjo32.exeC:\Windows\system32\Llohjo32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2508 -
C:\Windows\SysWOW64\Lfdmggnm.exeC:\Windows\system32\Lfdmggnm.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Windows\SysWOW64\Libicbma.exeC:\Windows\system32\Libicbma.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056 -
C:\Windows\SysWOW64\Mooaljkh.exeC:\Windows\system32\Mooaljkh.exe33⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Mbmjah32.exeC:\Windows\system32\Mbmjah32.exe34⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Mhjbjopf.exeC:\Windows\system32\Mhjbjopf.exe35⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Modkfi32.exeC:\Windows\system32\Modkfi32.exe36⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Mdacop32.exeC:\Windows\system32\Mdacop32.exe37⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Mmihhelk.exeC:\Windows\system32\Mmihhelk.exe38⤵
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Moidahcn.exeC:\Windows\system32\Moidahcn.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Ngdifkpi.exeC:\Windows\system32\Ngdifkpi.exe40⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Nplmop32.exeC:\Windows\system32\Nplmop32.exe41⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Nmpnhdfc.exeC:\Windows\system32\Nmpnhdfc.exe42⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Ndjfeo32.exeC:\Windows\system32\Ndjfeo32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Ngibaj32.exeC:\Windows\system32\Ngibaj32.exe44⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Nmbknddp.exeC:\Windows\system32\Nmbknddp.exe45⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Ngkogj32.exeC:\Windows\system32\Ngkogj32.exe46⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Niikceid.exeC:\Windows\system32\Niikceid.exe47⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Npccpo32.exeC:\Windows\system32\Npccpo32.exe48⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Nadpgggp.exeC:\Windows\system32\Nadpgggp.exe49⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Nhohda32.exeC:\Windows\system32\Nhohda32.exe50⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Ocdmaj32.exeC:\Windows\system32\Ocdmaj32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2228 -
C:\Windows\SysWOW64\Ohaeia32.exeC:\Windows\system32\Ohaeia32.exe52⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Ocfigjlp.exeC:\Windows\system32\Ocfigjlp.exe53⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Ohcaoajg.exeC:\Windows\system32\Ohcaoajg.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Okanklik.exeC:\Windows\system32\Okanklik.exe55⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Oegbheiq.exeC:\Windows\system32\Oegbheiq.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Oghopm32.exeC:\Windows\system32\Oghopm32.exe57⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Onbgmg32.exeC:\Windows\system32\Onbgmg32.exe58⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Ohhkjp32.exeC:\Windows\system32\Ohhkjp32.exe59⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Okfgfl32.exeC:\Windows\system32\Okfgfl32.exe60⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Ocalkn32.exeC:\Windows\system32\Ocalkn32.exe61⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Pbnoliap.exeC:\Windows\system32\Pbnoliap.exe62⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Qflhbhgg.exeC:\Windows\system32\Qflhbhgg.exe63⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Qodlkm32.exeC:\Windows\system32\Qodlkm32.exe64⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Qqeicede.exeC:\Windows\system32\Qqeicede.exe65⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Qgoapp32.exeC:\Windows\system32\Qgoapp32.exe66⤵PID:112
-
C:\Windows\SysWOW64\Aniimjbo.exeC:\Windows\system32\Aniimjbo.exe67⤵PID:1952
-
C:\Windows\SysWOW64\Aaheie32.exeC:\Windows\system32\Aaheie32.exe68⤵PID:1936
-
C:\Windows\SysWOW64\Akmjfn32.exeC:\Windows\system32\Akmjfn32.exe69⤵PID:1740
-
C:\Windows\SysWOW64\Amnfnfgg.exeC:\Windows\system32\Amnfnfgg.exe70⤵PID:1420
-
C:\Windows\SysWOW64\Achojp32.exeC:\Windows\system32\Achojp32.exe71⤵PID:2700
-
C:\Windows\SysWOW64\Afgkfl32.exeC:\Windows\system32\Afgkfl32.exe72⤵
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Aaloddnn.exeC:\Windows\system32\Aaloddnn.exe73⤵PID:2108
-
C:\Windows\SysWOW64\Agfgqo32.exeC:\Windows\system32\Agfgqo32.exe74⤵PID:588
-
C:\Windows\SysWOW64\Ajecmj32.exeC:\Windows\system32\Ajecmj32.exe75⤵PID:2924
-
C:\Windows\SysWOW64\Aaolidlk.exeC:\Windows\system32\Aaolidlk.exe76⤵PID:2504
-
C:\Windows\SysWOW64\Abphal32.exeC:\Windows\system32\Abphal32.exe77⤵PID:2464
-
C:\Windows\SysWOW64\Aijpnfif.exeC:\Windows\system32\Aijpnfif.exe78⤵PID:2092
-
C:\Windows\SysWOW64\Alhmjbhj.exeC:\Windows\system32\Alhmjbhj.exe79⤵PID:1040
-
C:\Windows\SysWOW64\Acpdko32.exeC:\Windows\system32\Acpdko32.exe80⤵PID:2028
-
C:\Windows\SysWOW64\Bilmcf32.exeC:\Windows\system32\Bilmcf32.exe81⤵PID:1852
-
C:\Windows\SysWOW64\Blkioa32.exeC:\Windows\system32\Blkioa32.exe82⤵PID:2172
-
C:\Windows\SysWOW64\Bnielm32.exeC:\Windows\system32\Bnielm32.exe83⤵
- Modifies registry class
PID:2936 -
C:\Windows\SysWOW64\Biojif32.exeC:\Windows\system32\Biojif32.exe84⤵PID:904
-
C:\Windows\SysWOW64\Blmfea32.exeC:\Windows\system32\Blmfea32.exe85⤵PID:2232
-
C:\Windows\SysWOW64\Beejng32.exeC:\Windows\system32\Beejng32.exe86⤵PID:2856
-
C:\Windows\SysWOW64\Blobjaba.exeC:\Windows\system32\Blobjaba.exe87⤵PID:1584
-
C:\Windows\SysWOW64\Bbikgk32.exeC:\Windows\system32\Bbikgk32.exe88⤵PID:1540
-
C:\Windows\SysWOW64\Bdkgocpm.exeC:\Windows\system32\Bdkgocpm.exe89⤵PID:2472
-
C:\Windows\SysWOW64\Bjdplm32.exeC:\Windows\system32\Bjdplm32.exe90⤵PID:3036
-
C:\Windows\SysWOW64\Bejdiffp.exeC:\Windows\system32\Bejdiffp.exe91⤵PID:2496
-
C:\Windows\SysWOW64\Bfkpqn32.exeC:\Windows\system32\Bfkpqn32.exe92⤵PID:2792
-
C:\Windows\SysWOW64\Bmeimhdj.exeC:\Windows\system32\Bmeimhdj.exe93⤵PID:1612
-
C:\Windows\SysWOW64\Cpceidcn.exeC:\Windows\system32\Cpceidcn.exe94⤵PID:2016
-
C:\Windows\SysWOW64\Cfnmfn32.exeC:\Windows\system32\Cfnmfn32.exe95⤵PID:1060
-
C:\Windows\SysWOW64\Cmgechbh.exeC:\Windows\system32\Cmgechbh.exe96⤵PID:2668
-
C:\Windows\SysWOW64\Cdanpb32.exeC:\Windows\system32\Cdanpb32.exe97⤵PID:1032
-
C:\Windows\SysWOW64\Cgpjlnhh.exeC:\Windows\system32\Cgpjlnhh.exe98⤵
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Clmbddgp.exeC:\Windows\system32\Clmbddgp.exe99⤵PID:2040
-
C:\Windows\SysWOW64\Cbgjqo32.exeC:\Windows\system32\Cbgjqo32.exe100⤵PID:1672
-
C:\Windows\SysWOW64\Ciqcmiei.exeC:\Windows\system32\Ciqcmiei.exe101⤵PID:1328
-
C:\Windows\SysWOW64\Conkepdq.exeC:\Windows\system32\Conkepdq.exe102⤵PID:576
-
C:\Windows\SysWOW64\Cgdcgm32.exeC:\Windows\system32\Cgdcgm32.exe103⤵PID:1384
-
C:\Windows\SysWOW64\Cicpch32.exeC:\Windows\system32\Cicpch32.exe104⤵PID:1864
-
C:\Windows\SysWOW64\Cpmhpbkc.exeC:\Windows\system32\Cpmhpbkc.exe105⤵PID:2784
-
C:\Windows\SysWOW64\Cejphiik.exeC:\Windows\system32\Cejphiik.exe106⤵PID:2280
-
C:\Windows\SysWOW64\Dldhdc32.exeC:\Windows\system32\Dldhdc32.exe107⤵PID:2556
-
C:\Windows\SysWOW64\Dcnqanhd.exeC:\Windows\system32\Dcnqanhd.exe108⤵PID:2732
-
C:\Windows\SysWOW64\Dhkiid32.exeC:\Windows\system32\Dhkiid32.exe109⤵PID:2096
-
C:\Windows\SysWOW64\Dngabk32.exeC:\Windows\system32\Dngabk32.exe110⤵PID:2944
-
C:\Windows\SysWOW64\Ddajoelp.exeC:\Windows\system32\Ddajoelp.exe111⤵PID:544
-
C:\Windows\SysWOW64\Dgpfkakd.exeC:\Windows\system32\Dgpfkakd.exe112⤵PID:1916
-
C:\Windows\SysWOW64\Daejhjkj.exeC:\Windows\system32\Daejhjkj.exe113⤵PID:2996
-
C:\Windows\SysWOW64\Dddfdejn.exeC:\Windows\system32\Dddfdejn.exe114⤵PID:776
-
C:\Windows\SysWOW64\Dknoaoaj.exeC:\Windows\system32\Dknoaoaj.exe115⤵PID:1580
-
C:\Windows\SysWOW64\Dahgni32.exeC:\Windows\system32\Dahgni32.exe116⤵PID:2764
-
C:\Windows\SysWOW64\Dciceaoe.exeC:\Windows\system32\Dciceaoe.exe117⤵PID:1508
-
C:\Windows\SysWOW64\Djclbl32.exeC:\Windows\system32\Djclbl32.exe118⤵PID:2976
-
C:\Windows\SysWOW64\Dpmdofno.exeC:\Windows\system32\Dpmdofno.exe119⤵PID:1984
-
C:\Windows\SysWOW64\Eckpkamb.exeC:\Windows\system32\Eckpkamb.exe120⤵PID:876
-
C:\Windows\SysWOW64\Efjlgmlf.exeC:\Windows\system32\Efjlgmlf.exe121⤵PID:1284
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-