Analysis
-
max time kernel
144s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
05/07/2024, 01:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
adbf42f73ce297909bdfeeaf817c0a9e3e94ffa1adc62740aea0252ff68d63c4.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
adbf42f73ce297909bdfeeaf817c0a9e3e94ffa1adc62740aea0252ff68d63c4.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
adbf42f73ce297909bdfeeaf817c0a9e3e94ffa1adc62740aea0252ff68d63c4.exe
-
Size
318KB
-
MD5
d855f144a9252cf811b47ecc62290b71
-
SHA1
efacd7786d2bbd229f2281178c8f21461aa2770c
-
SHA256
adbf42f73ce297909bdfeeaf817c0a9e3e94ffa1adc62740aea0252ff68d63c4
-
SHA512
5b3b733e621dc3dddbe9952060cf4ddeebec2a2138857c45472c0c889c0dd6298157677b25a28f61fdd703c9d3bdfb823fda5ef4bb4ec5c401076c9d3e284a54
-
SSDEEP
6144:X+JbRVEQHdMcm4FmowdHoS7c5cm4FmowdHoSrNF9xRVEQHd4:X+1O4wFHoS04wFHoSrZx8
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkgbbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhqbkhch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liplnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbgbni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkbcln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofelmloo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caknol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ganpomec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ampqjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecpgmhai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glfhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqlhdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpgljfbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbpgggol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkpgfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlbeqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjlqhoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lojomkdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piphee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmfgjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anafhopc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkqbaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebpkce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbkgnfbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jofiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpefdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lekhfgfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iajcde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odobjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndpfkdmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpnbkeld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjongcbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiinen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdapak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mijfnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlcnda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Magnek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkpnhgge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijbdha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdmmfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjakmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djnpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llfifq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lollckbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcnpbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lclnemgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndkmpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqideepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aplifb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjpcbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qecoqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdlnkmha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikbgmj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bagpopmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alpmfdcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffbicfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pflomnkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eibbcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kakbjibo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgmglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhffaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkaqmeah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikpjgkjq.exe -
Executes dropped EXE 64 IoCs
pid Process 616 Kebepion.exe 2520 Knjiin32.exe 2676 Komfnnck.exe 2744 Kakbjibo.exe 2588 Lhggmchi.exe 2464 Lkfciogm.exe 2920 Lekhfgfc.exe 2476 Lkhpnnej.exe 2652 Lodlom32.exe 1956 Lmkfei32.exe 1780 Lpjbad32.exe 664 Loooca32.exe 1688 Maphdl32.exe 2816 Migpeiag.exe 1420 Mhnjle32.exe 1748 Magnek32.exe 1280 Ngfcca32.exe 2968 Npnhlg32.exe 1216 Nfkpdn32.exe 3064 Nleiqhcg.exe 944 Nofabc32.exe 2936 Nccjhafn.exe 2888 Odegpj32.exe 612 Obigjnkf.exe 1864 Okalbc32.exe 1536 Oiellh32.exe 2996 Ojficpfn.exe 2684 Ondajnme.exe 2716 Oqcnfjli.exe 2540 Paejki32.exe 2448 Pcfcmd32.exe 2528 Pfdpip32.exe 2912 Piblek32.exe 2656 Ppoqge32.exe 1932 Pndniaop.exe 2188 Pijbfj32.exe 1244 Qnfjna32.exe 2316 Qnigda32.exe 1904 Qecoqk32.exe 1520 Ajphib32.exe 2220 Amndem32.exe 1788 Affhncfc.exe 840 Ampqjm32.exe 824 Afiecb32.exe 2668 Aigaon32.exe 2904 Apajlhka.exe 2932 Abpfhcje.exe 2124 Aiinen32.exe 2356 Aoffmd32.exe 344 Aepojo32.exe 1488 Aljgfioc.exe 1564 Boiccdnf.exe 2828 Bagpopmj.exe 2756 Bhahlj32.exe 2748 Bkodhe32.exe 3004 Beehencq.exe 2344 Bhcdaibd.exe 352 Bkaqmeah.exe 1592 Balijo32.exe 2208 Bghabf32.exe 280 Bopicc32.exe 1556 Banepo32.exe 1608 Bjijdadm.exe 788 Bdooajdc.exe -
Loads dropped DLL 64 IoCs
pid Process 2156 adbf42f73ce297909bdfeeaf817c0a9e3e94ffa1adc62740aea0252ff68d63c4.exe 2156 adbf42f73ce297909bdfeeaf817c0a9e3e94ffa1adc62740aea0252ff68d63c4.exe 616 Kebepion.exe 616 Kebepion.exe 2520 Knjiin32.exe 2520 Knjiin32.exe 2676 Komfnnck.exe 2676 Komfnnck.exe 2744 Kakbjibo.exe 2744 Kakbjibo.exe 2588 Lhggmchi.exe 2588 Lhggmchi.exe 2464 Lkfciogm.exe 2464 Lkfciogm.exe 2920 Lekhfgfc.exe 2920 Lekhfgfc.exe 2476 Lkhpnnej.exe 2476 Lkhpnnej.exe 2652 Lodlom32.exe 2652 Lodlom32.exe 1956 Lmkfei32.exe 1956 Lmkfei32.exe 1780 Lpjbad32.exe 1780 Lpjbad32.exe 664 Loooca32.exe 664 Loooca32.exe 1688 Maphdl32.exe 1688 Maphdl32.exe 2816 Migpeiag.exe 2816 Migpeiag.exe 1420 Mhnjle32.exe 1420 Mhnjle32.exe 1748 Magnek32.exe 1748 Magnek32.exe 1280 Ngfcca32.exe 1280 Ngfcca32.exe 2968 Npnhlg32.exe 2968 Npnhlg32.exe 1216 Nfkpdn32.exe 1216 Nfkpdn32.exe 3064 Nleiqhcg.exe 3064 Nleiqhcg.exe 944 Nofabc32.exe 944 Nofabc32.exe 2936 Nccjhafn.exe 2936 Nccjhafn.exe 2888 Odegpj32.exe 2888 Odegpj32.exe 612 Obigjnkf.exe 612 Obigjnkf.exe 1864 Okalbc32.exe 1864 Okalbc32.exe 1536 Oiellh32.exe 1536 Oiellh32.exe 2996 Ojficpfn.exe 2996 Ojficpfn.exe 2684 Ondajnme.exe 2684 Ondajnme.exe 2716 Oqcnfjli.exe 2716 Oqcnfjli.exe 2540 Paejki32.exe 2540 Paejki32.exe 2448 Pcfcmd32.exe 2448 Pcfcmd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pnomcl32.exe Pkpagq32.exe File created C:\Windows\SysWOW64\Pienahqb.dll Abpfhcje.exe File opened for modification C:\Windows\SysWOW64\Mmceigep.exe Mkeimlfm.exe File opened for modification C:\Windows\SysWOW64\Mbmjah32.exe Mhhfdo32.exe File created C:\Windows\SysWOW64\Fnqkpajk.dll Mdacop32.exe File opened for modification C:\Windows\SysWOW64\Aigaon32.exe Afiecb32.exe File created C:\Windows\SysWOW64\Eccmffjf.exe Eqdajkkb.exe File opened for modification C:\Windows\SysWOW64\Hobcak32.exe Hnagjbdf.exe File created C:\Windows\SysWOW64\Khpnecca.dll Jqlhdo32.exe File opened for modification C:\Windows\SysWOW64\Ebgacddo.exe Enkece32.exe File created C:\Windows\SysWOW64\Pflomnkb.exe Pcnbablo.exe File opened for modification C:\Windows\SysWOW64\Homclekn.exe Hhckpk32.exe File created C:\Windows\SysWOW64\Jghmfhmb.exe Jqnejn32.exe File created C:\Windows\SysWOW64\Cbamcl32.dll Cfgaiaci.exe File created C:\Windows\SysWOW64\Emhlfmgj.exe Eeqdep32.exe File created C:\Windows\SysWOW64\Dmafennb.exe Djbiicon.exe File created C:\Windows\SysWOW64\Ebbgbdkh.dll Ohfeog32.exe File created C:\Windows\SysWOW64\Gjdhbc32.exe Ghelfg32.exe File created C:\Windows\SysWOW64\Hloopaak.dll Kiqpop32.exe File created C:\Windows\SysWOW64\Lcagpl32.exe Labkdack.exe File created C:\Windows\SysWOW64\Onmjak32.dll Ofelmloo.exe File created C:\Windows\SysWOW64\Pkpagq32.exe Pciifc32.exe File created C:\Windows\SysWOW64\Bifgdk32.exe Bghjhp32.exe File opened for modification C:\Windows\SysWOW64\Nlbeqb32.exe Ndkmpe32.exe File created C:\Windows\SysWOW64\Ipjcbn32.dll Liplnc32.exe File created C:\Windows\SysWOW64\Fmhbhf32.dll Hapicp32.exe File created C:\Windows\SysWOW64\Jbkpmm32.dll Mlmlecec.exe File created C:\Windows\SysWOW64\Ginnnooi.exe Gfobbc32.exe File created C:\Windows\SysWOW64\Gpekfank.dll Gddifnbk.exe File created C:\Windows\SysWOW64\Jjpbahga.dll Kgkafo32.exe File created C:\Windows\SysWOW64\Mhhfdo32.exe Meijhc32.exe File created C:\Windows\SysWOW64\Dqlcpbbm.dll Lldlqakb.exe File created C:\Windows\SysWOW64\Obcccl32.exe Okikfagn.exe File opened for modification C:\Windows\SysWOW64\Lliflp32.exe Lijjoe32.exe File created C:\Windows\SysWOW64\Fenhecef.dll Hcnpbi32.exe File opened for modification C:\Windows\SysWOW64\Ifcbodli.exe Inljnfkg.exe File created C:\Windows\SysWOW64\Ealnephf.exe Ennaieib.exe File opened for modification C:\Windows\SysWOW64\Onjgiiad.exe Ojolhk32.exe File created C:\Windows\SysWOW64\Naeqjnho.dll Dkmmhf32.exe File created C:\Windows\SysWOW64\Npfgpe32.exe Nnhkcj32.exe File created C:\Windows\SysWOW64\Qkophk32.dll Mmceigep.exe File opened for modification C:\Windows\SysWOW64\Ijgdngmf.exe Igihbknb.exe File opened for modification C:\Windows\SysWOW64\Kaklpcoc.exe Kiccofna.exe File created C:\Windows\SysWOW64\Bopicc32.exe Bghabf32.exe File created C:\Windows\SysWOW64\Mjbkcgmo.dll Jgagfi32.exe File opened for modification C:\Windows\SysWOW64\Egjpkffe.exe Edkcojga.exe File created C:\Windows\SysWOW64\Blpjegfm.exe Bkommo32.exe File opened for modification C:\Windows\SysWOW64\Dccagcgk.exe Dpeekh32.exe File created C:\Windows\SysWOW64\Cghggc32.exe Cdikkg32.exe File created C:\Windows\SysWOW64\Bebpkk32.dll Caknol32.exe File created C:\Windows\SysWOW64\Fekpnn32.exe Fpngfgle.exe File created C:\Windows\SysWOW64\Ebhepm32.dll Ngfcca32.exe File opened for modification C:\Windows\SysWOW64\Ngpolo32.exe Ndbcpd32.exe File created C:\Windows\SysWOW64\Mgnfhlin.exe Mdpjlajk.exe File created C:\Windows\SysWOW64\Pgicjg32.dll Eojnkg32.exe File created C:\Windows\SysWOW64\Oaajloig.dll Mhloponc.exe File opened for modification C:\Windows\SysWOW64\Cpeofk32.exe Cgmkmecg.exe File created C:\Windows\SysWOW64\Mpdcoomf.dll Chpmpg32.exe File created C:\Windows\SysWOW64\Qjjgclai.exe Qfokbnip.exe File created C:\Windows\SysWOW64\Dfkjnkib.dll Pggbla32.exe File opened for modification C:\Windows\SysWOW64\Afcenm32.exe Anlmmp32.exe File opened for modification C:\Windows\SysWOW64\Lphhenhc.exe Linphc32.exe File opened for modification C:\Windows\SysWOW64\Nekbmgcn.exe Ncmfqkdj.exe File opened for modification C:\Windows\SysWOW64\Cndbcc32.exe Clcflkic.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5616 5700 WerFault.exe 565 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdbdjhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ondajnme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbijhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daifmohp.dll" Mbkmlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incbogkn.dll" Nmnace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghgobd32.dll" Lkfciogm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odegpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlmlecec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfamcogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ginnnooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnbfqn32.dll" Ioaifhid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amndem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bghjhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejmebq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kebepion.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lijjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnkge32.dll" Goddhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kafbec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aemkjiem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knjiin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlobf32.dll" Npnhlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peiepfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aljgfioc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egdilkbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Piphee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjclpeak.dll" Ncmfqkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll" Ghoegl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jiakjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnclnihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdgneh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fadminnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cndbcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Heglio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icmegf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjpqdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdapak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kincipnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fckjalhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nopodm32.dll" Filldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnemdecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Limfed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecpgmhai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Haiccald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkhpnnej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnclnihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpinomjo.dll" Fiihdlpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igakgfpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 adbf42f73ce297909bdfeeaf817c0a9e3e94ffa1adc62740aea0252ff68d63c4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfijnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocnfbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jonpde32.dll" Pkpagq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgalgjnb.dll" Jbdonb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boiccdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnpnndgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kiccofna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnomcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkhgoi32.dll" Jkoplhip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhcdaibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biddmpnf.dll" Heglio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nekbmgcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Facklcaq.dll" Fejgko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lojomkdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjchig32.dll" Ahgnke32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2156 wrote to memory of 616 2156 adbf42f73ce297909bdfeeaf817c0a9e3e94ffa1adc62740aea0252ff68d63c4.exe 28 PID 2156 wrote to memory of 616 2156 adbf42f73ce297909bdfeeaf817c0a9e3e94ffa1adc62740aea0252ff68d63c4.exe 28 PID 2156 wrote to memory of 616 2156 adbf42f73ce297909bdfeeaf817c0a9e3e94ffa1adc62740aea0252ff68d63c4.exe 28 PID 2156 wrote to memory of 616 2156 adbf42f73ce297909bdfeeaf817c0a9e3e94ffa1adc62740aea0252ff68d63c4.exe 28 PID 616 wrote to memory of 2520 616 Kebepion.exe 29 PID 616 wrote to memory of 2520 616 Kebepion.exe 29 PID 616 wrote to memory of 2520 616 Kebepion.exe 29 PID 616 wrote to memory of 2520 616 Kebepion.exe 29 PID 2520 wrote to memory of 2676 2520 Knjiin32.exe 30 PID 2520 wrote to memory of 2676 2520 Knjiin32.exe 30 PID 2520 wrote to memory of 2676 2520 Knjiin32.exe 30 PID 2520 wrote to memory of 2676 2520 Knjiin32.exe 30 PID 2676 wrote to memory of 2744 2676 Komfnnck.exe 31 PID 2676 wrote to memory of 2744 2676 Komfnnck.exe 31 PID 2676 wrote to memory of 2744 2676 Komfnnck.exe 31 PID 2676 wrote to memory of 2744 2676 Komfnnck.exe 31 PID 2744 wrote to memory of 2588 2744 Kakbjibo.exe 32 PID 2744 wrote to memory of 2588 2744 Kakbjibo.exe 32 PID 2744 wrote to memory of 2588 2744 Kakbjibo.exe 32 PID 2744 wrote to memory of 2588 2744 Kakbjibo.exe 32 PID 2588 wrote to memory of 2464 2588 Lhggmchi.exe 33 PID 2588 wrote to memory of 2464 2588 Lhggmchi.exe 33 PID 2588 wrote to memory of 2464 2588 Lhggmchi.exe 33 PID 2588 wrote to memory of 2464 2588 Lhggmchi.exe 33 PID 2464 wrote to memory of 2920 2464 Lkfciogm.exe 34 PID 2464 wrote to memory of 2920 2464 Lkfciogm.exe 34 PID 2464 wrote to memory of 2920 2464 Lkfciogm.exe 34 PID 2464 wrote to memory of 2920 2464 Lkfciogm.exe 34 PID 2920 wrote to memory of 2476 2920 Lekhfgfc.exe 35 PID 2920 wrote to memory of 2476 2920 Lekhfgfc.exe 35 PID 2920 wrote to memory of 2476 2920 Lekhfgfc.exe 35 PID 2920 wrote to memory of 2476 2920 Lekhfgfc.exe 35 PID 2476 wrote to memory of 2652 2476 Lkhpnnej.exe 36 PID 2476 wrote to memory of 2652 2476 Lkhpnnej.exe 36 PID 2476 wrote to memory of 2652 2476 Lkhpnnej.exe 36 PID 2476 wrote to memory of 2652 2476 Lkhpnnej.exe 36 PID 2652 wrote to memory of 1956 2652 Lodlom32.exe 37 PID 2652 wrote to memory of 1956 2652 Lodlom32.exe 37 PID 2652 wrote to memory of 1956 2652 Lodlom32.exe 37 PID 2652 wrote to memory of 1956 2652 Lodlom32.exe 37 PID 1956 wrote to memory of 1780 1956 Lmkfei32.exe 38 PID 1956 wrote to memory of 1780 1956 Lmkfei32.exe 38 PID 1956 wrote to memory of 1780 1956 Lmkfei32.exe 38 PID 1956 wrote to memory of 1780 1956 Lmkfei32.exe 38 PID 1780 wrote to memory of 664 1780 Lpjbad32.exe 39 PID 1780 wrote to memory of 664 1780 Lpjbad32.exe 39 PID 1780 wrote to memory of 664 1780 Lpjbad32.exe 39 PID 1780 wrote to memory of 664 1780 Lpjbad32.exe 39 PID 664 wrote to memory of 1688 664 Loooca32.exe 40 PID 664 wrote to memory of 1688 664 Loooca32.exe 40 PID 664 wrote to memory of 1688 664 Loooca32.exe 40 PID 664 wrote to memory of 1688 664 Loooca32.exe 40 PID 1688 wrote to memory of 2816 1688 Maphdl32.exe 41 PID 1688 wrote to memory of 2816 1688 Maphdl32.exe 41 PID 1688 wrote to memory of 2816 1688 Maphdl32.exe 41 PID 1688 wrote to memory of 2816 1688 Maphdl32.exe 41 PID 2816 wrote to memory of 1420 2816 Migpeiag.exe 42 PID 2816 wrote to memory of 1420 2816 Migpeiag.exe 42 PID 2816 wrote to memory of 1420 2816 Migpeiag.exe 42 PID 2816 wrote to memory of 1420 2816 Migpeiag.exe 42 PID 1420 wrote to memory of 1748 1420 Mhnjle32.exe 43 PID 1420 wrote to memory of 1748 1420 Mhnjle32.exe 43 PID 1420 wrote to memory of 1748 1420 Mhnjle32.exe 43 PID 1420 wrote to memory of 1748 1420 Mhnjle32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\adbf42f73ce297909bdfeeaf817c0a9e3e94ffa1adc62740aea0252ff68d63c4.exe"C:\Users\Admin\AppData\Local\Temp\adbf42f73ce297909bdfeeaf817c0a9e3e94ffa1adc62740aea0252ff68d63c4.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:616 -
C:\Windows\SysWOW64\Knjiin32.exeC:\Windows\system32\Knjiin32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Lekhfgfc.exeC:\Windows\system32\Lekhfgfc.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Lodlom32.exeC:\Windows\system32\Lodlom32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1280 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1216 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:944 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2936 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:612 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1864 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1536 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2540 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2448 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe33⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe34⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe35⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe36⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe37⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe38⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe39⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe41⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe43⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:824 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe46⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe47⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2932 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe50⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe51⤵
- Executes dropped EXE
PID:344 -
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe55⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe56⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe57⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:352 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe60⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2208 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe62⤵
- Executes dropped EXE
PID:280 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe63⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe64⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe65⤵
- Executes dropped EXE
PID:788 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe66⤵
- Drops file in System32 directory
PID:1464 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe67⤵PID:1100
-
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe68⤵PID:1700
-
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe69⤵PID:1704
-
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe70⤵PID:2880
-
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe71⤵
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe72⤵PID:1916
-
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe73⤵PID:2120
-
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe74⤵
- Drops file in System32 directory
PID:2708 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe75⤵PID:2224
-
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2324 -
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe77⤵
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe78⤵
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe79⤵PID:2628
-
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2924 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe81⤵PID:1892
-
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe82⤵PID:2496
-
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe83⤵PID:2308
-
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:836 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe85⤵PID:2896
-
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe86⤵
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe87⤵PID:384
-
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe88⤵PID:1056
-
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe89⤵
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe90⤵PID:1140
-
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe91⤵
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe92⤵PID:1872
-
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe93⤵PID:2884
-
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1624 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe95⤵PID:848
-
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe96⤵PID:2108
-
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe98⤵
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe99⤵PID:2672
-
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe100⤵PID:2704
-
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe101⤵PID:2104
-
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe102⤵
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe103⤵PID:2440
-
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe104⤵PID:1888
-
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe105⤵
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe106⤵
- Drops file in System32 directory
PID:1896 -
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe107⤵PID:2792
-
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe108⤵
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1568 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe110⤵
- Modifies registry class
PID:952 -
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe111⤵PID:3000
-
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe112⤵
- Modifies registry class
PID:276 -
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe113⤵PID:908
-
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe114⤵PID:792
-
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe115⤵PID:1424
-
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe116⤵PID:1924
-
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe117⤵PID:2300
-
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe118⤵
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe120⤵PID:2416
-
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe121⤵PID:1596
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-