Analysis
-
max time kernel
139s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
24/06/2024, 02:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d0ad32e596627d0f50d7f27382065f2f0b214abdcbcf5e182e6c593258b4cdcf.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
d0ad32e596627d0f50d7f27382065f2f0b214abdcbcf5e182e6c593258b4cdcf.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
d0ad32e596627d0f50d7f27382065f2f0b214abdcbcf5e182e6c593258b4cdcf.exe
-
Size
128KB
-
MD5
690fa23cb0bb85932ffc27e36639758d
-
SHA1
c22d0945d7eff8f0a7e23674641087549030e424
-
SHA256
d0ad32e596627d0f50d7f27382065f2f0b214abdcbcf5e182e6c593258b4cdcf
-
SHA512
ecff6af2129d7fe82db2df45f6a24e08f425d68d5225e4087d1b9d7cc32289ece9933ed54ed00048e74cf40819ec1e1bc656dd1bacfced7028e7cd34ac89183a
-
SSDEEP
3072:OHbs4YT0q6LCJC/emBw4f9nwBeR9pui6yYPaI7DehizrVtN:M7qqCM/I+nwU/pui6yYPaIGc
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcmhiojk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppamme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gkgkbipp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpkjko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hcnpbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njdpomfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmjblg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nohnhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bagpopmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gonnhhln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmnbkinf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phjelg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hogmmjfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilknfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajphib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Djefobmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hellne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qagcpljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Affhncfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aalmklfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhffaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkmmhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjdbnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiaeoang.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpmgqnfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkkalk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dbbkja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ebinic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flmefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ailkjmpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnlidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eeqdep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eilpeooq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeempocb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbfjdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Peiljl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmlgonbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddcdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hkpnhgge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iaeiieeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncancbha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aalmklfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dfgmhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Epfhbign.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Globlmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ambmpmln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgfjbgmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gangic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hobcak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgdjnofi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdcnlglc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiedjneg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Banepo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cjlgiqbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goddhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nfmmin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odgcfijj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Adeplhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cphlljge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faokjpfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pjmodopf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhcdaibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bhcdaibd.exe -
Executes dropped EXE 64 IoCs
pid Process 1900 Kipnfged.exe 1716 Komfnnck.exe 2596 Kibjkgca.exe 2556 Kjcgco32.exe 2668 Kanopipl.exe 2588 Kdlkld32.exe 2516 Lkfciogm.exe 2252 Laplei32.exe 2520 Lfmdnp32.exe 1708 Lodlom32.exe 2688 Ldqegd32.exe 2968 Lgoacojo.exe 1456 Lmiipi32.exe 2068 Lbfahp32.exe 1104 Lkmjin32.exe 2032 Lmkfei32.exe 752 Ldenbcge.exe 1476 Lgdjnofi.exe 1296 Lmnbkinf.exe 768 Llqcfe32.exe 2400 Loooca32.exe 1564 Mgfgdn32.exe 112 Meigpkka.exe 1200 Mlcple32.exe 3052 Mcmhiojk.exe 1704 Mekdekin.exe 2184 Migpeiag.exe 2128 Mcodno32.exe 2656 Menakj32.exe 2708 Mhlmgf32.exe 2480 Mnieom32.exe 1960 Mdcnlglc.exe 1616 Mgajhbkg.exe 1728 Mohbip32.exe 2820 Mdejaf32.exe 1304 Mhqfbebj.exe 2632 Nnnojlpa.exe 2752 Ndgggf32.exe 1532 Njdpomfe.exe 2392 Nlblkhei.exe 1264 Ncmdhb32.exe 2228 Nghphaeo.exe 764 Njgldmdc.exe 1512 Nleiqhcg.exe 1132 Ncoamb32.exe 2680 Nfmmin32.exe 620 Nqcagfim.exe 1192 Ncancbha.exe 2120 Njkfpl32.exe 1824 Nmjblg32.exe 1956 Nohnhc32.exe 2296 Nbfjdn32.exe 2896 Ofbfdmeb.exe 2692 Ohqbqhde.exe 2508 Oojknblb.exe 2824 Onmkio32.exe 2240 Ofdcjm32.exe 1108 Odgcfijj.exe 2440 Ogfpbeim.exe 2864 Okalbc32.exe 1652 Onphoo32.exe 3012 Oqndkj32.exe 1948 Odjpkihg.exe 600 Oghlgdgk.exe -
Loads dropped DLL 64 IoCs
pid Process 756 d0ad32e596627d0f50d7f27382065f2f0b214abdcbcf5e182e6c593258b4cdcf.exe 756 d0ad32e596627d0f50d7f27382065f2f0b214abdcbcf5e182e6c593258b4cdcf.exe 1900 Kipnfged.exe 1900 Kipnfged.exe 1716 Komfnnck.exe 1716 Komfnnck.exe 2596 Kibjkgca.exe 2596 Kibjkgca.exe 2556 Kjcgco32.exe 2556 Kjcgco32.exe 2668 Kanopipl.exe 2668 Kanopipl.exe 2588 Kdlkld32.exe 2588 Kdlkld32.exe 2516 Lkfciogm.exe 2516 Lkfciogm.exe 2252 Laplei32.exe 2252 Laplei32.exe 2520 Lfmdnp32.exe 2520 Lfmdnp32.exe 1708 Lodlom32.exe 1708 Lodlom32.exe 2688 Ldqegd32.exe 2688 Ldqegd32.exe 2968 Lgoacojo.exe 2968 Lgoacojo.exe 1456 Lmiipi32.exe 1456 Lmiipi32.exe 2068 Lbfahp32.exe 2068 Lbfahp32.exe 1104 Lkmjin32.exe 1104 Lkmjin32.exe 2032 Lmkfei32.exe 2032 Lmkfei32.exe 752 Ldenbcge.exe 752 Ldenbcge.exe 1476 Lgdjnofi.exe 1476 Lgdjnofi.exe 1296 Lmnbkinf.exe 1296 Lmnbkinf.exe 768 Llqcfe32.exe 768 Llqcfe32.exe 2400 Loooca32.exe 2400 Loooca32.exe 1564 Mgfgdn32.exe 1564 Mgfgdn32.exe 112 Meigpkka.exe 112 Meigpkka.exe 1200 Mlcple32.exe 1200 Mlcple32.exe 3052 Mcmhiojk.exe 3052 Mcmhiojk.exe 1704 Mekdekin.exe 1704 Mekdekin.exe 2184 Migpeiag.exe 2184 Migpeiag.exe 2128 Mcodno32.exe 2128 Mcodno32.exe 2656 Menakj32.exe 2656 Menakj32.exe 2708 Mhlmgf32.exe 2708 Mhlmgf32.exe 2480 Mnieom32.exe 2480 Mnieom32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nleiqhcg.exe Njgldmdc.exe File created C:\Windows\SysWOW64\Dkmmhf32.exe Dgaqgh32.exe File created C:\Windows\SysWOW64\Faagpp32.exe Fnbkddem.exe File opened for modification C:\Windows\SysWOW64\Lbfahp32.exe Lmiipi32.exe File created C:\Windows\SysWOW64\Oghlgdgk.exe Odjpkihg.exe File created C:\Windows\SysWOW64\Fmcqoe32.dll Ppmdbe32.exe File created C:\Windows\SysWOW64\Pofgpn32.dll Qbbfopeg.exe File created C:\Windows\SysWOW64\Cfeddafl.exe Cphlljge.exe File created C:\Windows\SysWOW64\Aajpelhl.exe Amndem32.exe File created C:\Windows\SysWOW64\Bccnbmal.dll Faagpp32.exe File created C:\Windows\SysWOW64\Medfkpfc.dll Pgobhcac.exe File created C:\Windows\SysWOW64\Glaoalkh.exe Ghfbqn32.exe File opened for modification C:\Windows\SysWOW64\Ldqegd32.exe Lodlom32.exe File opened for modification C:\Windows\SysWOW64\Piblek32.exe Pfdpip32.exe File created C:\Windows\SysWOW64\Adeplhib.exe Qagcpljo.exe File created C:\Windows\SysWOW64\Alenki32.exe Ambmpmln.exe File opened for modification C:\Windows\SysWOW64\Fhffaj32.exe Fehjeo32.exe File created C:\Windows\SysWOW64\Jbelkc32.dll Flmefm32.exe File created C:\Windows\SysWOW64\Lndipl32.dll Laplei32.exe File created C:\Windows\SysWOW64\Lgdjnofi.exe Ldenbcge.exe File created C:\Windows\SysWOW64\Hbfdaihk.dll Pccfge32.exe File opened for modification C:\Windows\SysWOW64\Qagcpljo.exe Qmlgonbe.exe File opened for modification C:\Windows\SysWOW64\Amndem32.exe Ajphib32.exe File opened for modification C:\Windows\SysWOW64\Bnpmipql.exe Bommnc32.exe File created C:\Windows\SysWOW64\Cpjiajeb.exe Clomqk32.exe File created C:\Windows\SysWOW64\Egadpgfp.dll Fejgko32.exe File created C:\Windows\SysWOW64\Fjlhneio.exe Fbdqmghm.exe File created C:\Windows\SysWOW64\Iklefg32.dll Afiecb32.exe File created C:\Windows\SysWOW64\Ohbepi32.dll Fmhheqje.exe File opened for modification C:\Windows\SysWOW64\Gpmjak32.exe Glaoalkh.exe File created C:\Windows\SysWOW64\Pnnclg32.dll Gieojq32.exe File created C:\Windows\SysWOW64\Khklki32.dll Mdcnlglc.exe File created C:\Windows\SysWOW64\Jhcbom32.dll Nqcagfim.exe File opened for modification C:\Windows\SysWOW64\Aalmklfi.exe Aiedjneg.exe File opened for modification C:\Windows\SysWOW64\Dqjepm32.exe Dnlidb32.exe File opened for modification C:\Windows\SysWOW64\Hpapln32.exe Hhjhkq32.exe File created C:\Windows\SysWOW64\Kcehqcli.dll Ldqegd32.exe File created C:\Windows\SysWOW64\Lkoabpeg.dll Gangic32.exe File created C:\Windows\SysWOW64\Kanopipl.exe Kjcgco32.exe File created C:\Windows\SysWOW64\Njdpomfe.exe Ndgggf32.exe File opened for modification C:\Windows\SysWOW64\Adjigg32.exe Aalmklfi.exe File created C:\Windows\SysWOW64\Ahokfj32.exe Ailkjmpo.exe File created C:\Windows\SysWOW64\Mkaggelk.dll Dcknbh32.exe File created C:\Windows\SysWOW64\Eiomkn32.exe Efppoc32.exe File created C:\Windows\SysWOW64\Eloemi32.exe Eiaiqn32.exe File created C:\Windows\SysWOW64\Pgobhcac.exe Pccfge32.exe File opened for modification C:\Windows\SysWOW64\Eflgccbp.exe Ecmkghcl.exe File opened for modification C:\Windows\SysWOW64\Hicodd32.exe Hkpnhgge.exe File created C:\Windows\SysWOW64\Kagdplnm.dll Mdejaf32.exe File opened for modification C:\Windows\SysWOW64\Nlblkhei.exe Njdpomfe.exe File opened for modification C:\Windows\SysWOW64\Bkdmcdoe.exe Bhfagipa.exe File created C:\Windows\SysWOW64\Dgaqgh32.exe Ddcdkl32.exe File created C:\Windows\SysWOW64\Pffgja32.dll Hcifgjgc.exe File opened for modification C:\Windows\SysWOW64\Hcnpbi32.exe Hobcak32.exe File created C:\Windows\SysWOW64\Onphoo32.exe Okalbc32.exe File opened for modification C:\Windows\SysWOW64\Aiedjneg.exe Affhncfc.exe File created C:\Windows\SysWOW64\Hckcmjep.exe Hpmgqnfl.exe File opened for modification C:\Windows\SysWOW64\Mekdekin.exe Mcmhiojk.exe File created C:\Windows\SysWOW64\Oqqapjnk.exe Onbddoog.exe File opened for modification C:\Windows\SysWOW64\Copfbfjj.exe Chemfl32.exe File created C:\Windows\SysWOW64\Fdoclk32.exe Fpdhklkl.exe File opened for modification C:\Windows\SysWOW64\Ncoamb32.exe Nleiqhcg.exe File opened for modification C:\Windows\SysWOW64\Dbehoa32.exe Djnpnc32.exe File created C:\Windows\SysWOW64\Ekklaj32.exe Eilpeooq.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4196 4172 WerFault.exe 337 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mcmhiojk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qlhnbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bdooajdc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hobcak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lmiipi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnakg32.dll" Lmiipi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bhhnli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Adjigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bebkpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmgmhmc.dll" Fmjejphb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfecaop.dll" Nghphaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doffod32.dll" Oenifh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dbbkja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gkkemh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gfefiemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nqcagfim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Copfbfjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cgpgce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gelppaof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbdijd32.dll" Qeqbkkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bloqah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhekfh32.dll" Aiedjneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Begeknan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdcbfq32.dll" Faokjpfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fejgko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohgbmh32.dll" Nmjblg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdmeemc.dll" Pmqdkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Migpeiag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Paejki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bhhnli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdfcak32.dll" Njkfpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Onmkio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdhmlbj.dll" Elmigj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clnlnhop.dll" Ebgacddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojopmqk.dll" Hellne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cljcelan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dngoibmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanfmb32.dll" Efppoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} d0ad32e596627d0f50d7f27382065f2f0b214abdcbcf5e182e6c593258b4cdcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Okfencna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ggpimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll" Hhmepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pgobhcac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Blmdlhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mohbip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bhfagipa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dkmmhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghegkoc.dll" Fjdbnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enihmc32.dll" Ldenbcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkgaje32.dll" Nohnhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbdoqc32.dll" Pjmodopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gphmeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qagcpljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ebinic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eiomkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ennaieib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Glaoalkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ocajbekl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cdlnkmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoipdkgg.dll" Bpafkknm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hahjpbad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll" Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifclcknc.dll" Qhooggdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aplpai32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 756 wrote to memory of 1900 756 d0ad32e596627d0f50d7f27382065f2f0b214abdcbcf5e182e6c593258b4cdcf.exe 28 PID 756 wrote to memory of 1900 756 d0ad32e596627d0f50d7f27382065f2f0b214abdcbcf5e182e6c593258b4cdcf.exe 28 PID 756 wrote to memory of 1900 756 d0ad32e596627d0f50d7f27382065f2f0b214abdcbcf5e182e6c593258b4cdcf.exe 28 PID 756 wrote to memory of 1900 756 d0ad32e596627d0f50d7f27382065f2f0b214abdcbcf5e182e6c593258b4cdcf.exe 28 PID 1900 wrote to memory of 1716 1900 Kipnfged.exe 29 PID 1900 wrote to memory of 1716 1900 Kipnfged.exe 29 PID 1900 wrote to memory of 1716 1900 Kipnfged.exe 29 PID 1900 wrote to memory of 1716 1900 Kipnfged.exe 29 PID 1716 wrote to memory of 2596 1716 Komfnnck.exe 30 PID 1716 wrote to memory of 2596 1716 Komfnnck.exe 30 PID 1716 wrote to memory of 2596 1716 Komfnnck.exe 30 PID 1716 wrote to memory of 2596 1716 Komfnnck.exe 30 PID 2596 wrote to memory of 2556 2596 Kibjkgca.exe 31 PID 2596 wrote to memory of 2556 2596 Kibjkgca.exe 31 PID 2596 wrote to memory of 2556 2596 Kibjkgca.exe 31 PID 2596 wrote to memory of 2556 2596 Kibjkgca.exe 31 PID 2556 wrote to memory of 2668 2556 Kjcgco32.exe 32 PID 2556 wrote to memory of 2668 2556 Kjcgco32.exe 32 PID 2556 wrote to memory of 2668 2556 Kjcgco32.exe 32 PID 2556 wrote to memory of 2668 2556 Kjcgco32.exe 32 PID 2668 wrote to memory of 2588 2668 Kanopipl.exe 33 PID 2668 wrote to memory of 2588 2668 Kanopipl.exe 33 PID 2668 wrote to memory of 2588 2668 Kanopipl.exe 33 PID 2668 wrote to memory of 2588 2668 Kanopipl.exe 33 PID 2588 wrote to memory of 2516 2588 Kdlkld32.exe 34 PID 2588 wrote to memory of 2516 2588 Kdlkld32.exe 34 PID 2588 wrote to memory of 2516 2588 Kdlkld32.exe 34 PID 2588 wrote to memory of 2516 2588 Kdlkld32.exe 34 PID 2516 wrote to memory of 2252 2516 Lkfciogm.exe 35 PID 2516 wrote to memory of 2252 2516 Lkfciogm.exe 35 PID 2516 wrote to memory of 2252 2516 Lkfciogm.exe 35 PID 2516 wrote to memory of 2252 2516 Lkfciogm.exe 35 PID 2252 wrote to memory of 2520 2252 Laplei32.exe 36 PID 2252 wrote to memory of 2520 2252 Laplei32.exe 36 PID 2252 wrote to memory of 2520 2252 Laplei32.exe 36 PID 2252 wrote to memory of 2520 2252 Laplei32.exe 36 PID 2520 wrote to memory of 1708 2520 Lfmdnp32.exe 37 PID 2520 wrote to memory of 1708 2520 Lfmdnp32.exe 37 PID 2520 wrote to memory of 1708 2520 Lfmdnp32.exe 37 PID 2520 wrote to memory of 1708 2520 Lfmdnp32.exe 37 PID 1708 wrote to memory of 2688 1708 Lodlom32.exe 38 PID 1708 wrote to memory of 2688 1708 Lodlom32.exe 38 PID 1708 wrote to memory of 2688 1708 Lodlom32.exe 38 PID 1708 wrote to memory of 2688 1708 Lodlom32.exe 38 PID 2688 wrote to memory of 2968 2688 Ldqegd32.exe 39 PID 2688 wrote to memory of 2968 2688 Ldqegd32.exe 39 PID 2688 wrote to memory of 2968 2688 Ldqegd32.exe 39 PID 2688 wrote to memory of 2968 2688 Ldqegd32.exe 39 PID 2968 wrote to memory of 1456 2968 Lgoacojo.exe 40 PID 2968 wrote to memory of 1456 2968 Lgoacojo.exe 40 PID 2968 wrote to memory of 1456 2968 Lgoacojo.exe 40 PID 2968 wrote to memory of 1456 2968 Lgoacojo.exe 40 PID 1456 wrote to memory of 2068 1456 Lmiipi32.exe 41 PID 1456 wrote to memory of 2068 1456 Lmiipi32.exe 41 PID 1456 wrote to memory of 2068 1456 Lmiipi32.exe 41 PID 1456 wrote to memory of 2068 1456 Lmiipi32.exe 41 PID 2068 wrote to memory of 1104 2068 Lbfahp32.exe 42 PID 2068 wrote to memory of 1104 2068 Lbfahp32.exe 42 PID 2068 wrote to memory of 1104 2068 Lbfahp32.exe 42 PID 2068 wrote to memory of 1104 2068 Lbfahp32.exe 42 PID 1104 wrote to memory of 2032 1104 Lkmjin32.exe 43 PID 1104 wrote to memory of 2032 1104 Lkmjin32.exe 43 PID 1104 wrote to memory of 2032 1104 Lkmjin32.exe 43 PID 1104 wrote to memory of 2032 1104 Lkmjin32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\d0ad32e596627d0f50d7f27382065f2f0b214abdcbcf5e182e6c593258b4cdcf.exe"C:\Users\Admin\AppData\Local\Temp\d0ad32e596627d0f50d7f27382065f2f0b214abdcbcf5e182e6c593258b4cdcf.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Kibjkgca.exeC:\Windows\system32\Kibjkgca.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Lodlom32.exeC:\Windows\system32\Lodlom32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2032 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:752 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1476 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1296 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:768 -
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2400 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1564 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:112 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1200 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2128 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2480 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe34⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe37⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe38⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2752 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe41⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe42⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:764 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1512 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe46⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:620 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1956 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe54⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe55⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe56⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe58⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe60⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe62⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe63⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe65⤵
- Executes dropped EXE
PID:600 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe66⤵PID:588
-
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe67⤵
- Drops file in System32 directory
PID:1556 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe68⤵PID:1680
-
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe69⤵PID:1688
-
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe70⤵
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe71⤵PID:1664
-
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe72⤵PID:3040
-
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe73⤵
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe74⤵
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe75⤵PID:2572
-
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe76⤵PID:320
-
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe77⤵
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe78⤵
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe79⤵
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe80⤵
- Drops file in System32 directory
PID:1372 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:540 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe82⤵PID:2260
-
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe83⤵PID:448
-
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe84⤵PID:988
-
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe85⤵
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe86⤵PID:2344
-
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe87⤵PID:2592
-
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe88⤵
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe89⤵PID:2464
-
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3000 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe91⤵
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe92⤵PID:1588
-
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe93⤵PID:2848
-
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe94⤵PID:2036
-
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe95⤵PID:944
-
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe96⤵PID:380
-
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2304 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1204 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe99⤵PID:2916
-
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe100⤵PID:2100
-
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe101⤵PID:1880
-
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe102⤵
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe103⤵PID:2576
-
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe104⤵
- Drops file in System32 directory
PID:2988 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe105⤵
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe106⤵
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe107⤵PID:1952
-
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:844 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe111⤵PID:912
-
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2172 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe113⤵
- Drops file in System32 directory
PID:2208 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe114⤵PID:2640
-
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe115⤵
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe116⤵PID:2148
-
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:772 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe121⤵
- Modifies registry class
PID:1840
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-