Analysis
-
max time kernel
116s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system -
submitted
19/07/2024, 07:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6e745386e5cc3ddfb988313d0434c010N.exe
Resource
win7-20240705-en
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
6e745386e5cc3ddfb988313d0434c010N.exe
Resource
win10v2004-20240709-en
6 signatures
120 seconds
General
-
Target
6e745386e5cc3ddfb988313d0434c010N.exe
-
Size
45KB
-
MD5
6e745386e5cc3ddfb988313d0434c010
-
SHA1
34eec81d96c97a0c08a1d0d9ba50cdab08b24bf4
-
SHA256
498d54397fb75513b612579b81691f9ae70966615731b79d59f5c4e1d47ac451
-
SHA512
2598dcd4b5f60bf6789f5eb55e10835f4261607dbede7ce0ca1f351008ffab53384a94c3df44631b157ff60bd84ebf253850e336259eb0670698a77af59df41e
-
SSDEEP
768:WsJMWeGCAN078bdi1PKFf2/jVprD7Lba6KTorlXLm/TMXrnA1QNy7Ns/1H5q:WT9ANg8Ff2/ZZD7Lba67bgWTwF7U0
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Accobock.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lekeak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akdgmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkbpbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Accobock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ialpfeno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndmidq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found 
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liddljan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkojjgfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ianmke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfdhdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akfdcckn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcgjlp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghebpjpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdpcgl32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnhhpaio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Minika32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eheeqgmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnicgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clcghk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cboljemb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkjbcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcoafcjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibglhhdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibaonfll.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgmjla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmamne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ainhln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hleegpgb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aomghchl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goidmibg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okmena32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fddcqm32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgodchen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijbjbdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pekffp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiioanpf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhodgebh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmjhejph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojhehlag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nomdfjpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olpiig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecaeoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web 
Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njklioqd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcfbbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnlcoage.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbkdhohk.exe -
Executes dropped EXE 64 IoCs
pid Process 2032 Lkgmdbja.exe 1508 Lmhjlj32.exe 2724 Ldpbmg32.exe 2700 Ljljenoi.exe 2876 Lgpkobnb.exe 2892 Ljogknmf.exe 2696 Lmmcgilj.exe 1208 Liddljan.exe 2204 Lkbphfab.exe 2640 Lekeak32.exe 2560 Lmbmbi32.exe 2944 Mboekp32.exe 2044 Mgkncfdc.exe 1004 Mbabpodi.exe 796 Mikjmi32.exe 2380 Mbcofobg.exe 2372 Meakbjaj.exe 2112 Mjocja32.exe 2460 Mmmpfm32.exe 1592 Medggj32.exe 1940 Mhbdce32.exe 1532 Mnllppfh.exe 2208 Mpnhhh32.exe 2076 Mheqie32.exe 984 Nifmqm32.exe 2036 Nmaialjp.exe 2780 Ndlanf32.exe 3012 Nmdfglhm.exe 2736 Npbbcgga.exe 2740 Nlibhhme.exe 2636 Npdohg32.exe 2056 Nbckeb32.exe 2504 Nimcallo.exe 2240 Nkqlodpk.exe 1912 Obhdpaqm.exe 2432 Olpiig32.exe 2912 Omaepoml.exe 2068 Oamaan32.exe 2672 Okefjcle.exe 548 Odnjbibf.exe 2028 Okhboc32.exe 2080 Opdkgj32.exe 1068 Occgce32.exe 992 Onhkan32.exe 1968 Odbcnh32.exe 1616 Plnhbk32.exe 752 Pcgqoech.exe 2220 Pefmkpbl.exe 660 Phdiglap.exe 2760 Plpehj32.exe 2864 Pcjmdd32.exe 2712 Pehiqp32.exe 2588 Plbbmjhf.exe 756 Pkebig32.exe 2436 Paojeafn.exe 600 Pekffp32.exe 2968 Pldobjec.exe 2816 Pockoeeg.exe 2480 Pnfkjb32.exe 3028 Pfmclold.exe 1972 Pdpcgl32.exe 3032 Pgnpcg32.exe 2140 Pkjkdfjk.exe 328 Pnhhpaio.exe -
Loads dropped DLL 64 IoCs
pid Process 448 6e745386e5cc3ddfb988313d0434c010N.exe 448 6e745386e5cc3ddfb988313d0434c010N.exe 2032 Lkgmdbja.exe 2032 Lkgmdbja.exe 1508 Lmhjlj32.exe 1508 Lmhjlj32.exe 2724 Ldpbmg32.exe 2724 Ldpbmg32.exe 2700 Ljljenoi.exe 2700 Ljljenoi.exe 2876 Lgpkobnb.exe 2876 Lgpkobnb.exe 2892 Ljogknmf.exe 2892 Ljogknmf.exe 2696 Lmmcgilj.exe 2696 Lmmcgilj.exe 1208 Liddljan.exe 1208 Liddljan.exe 2204 Lkbphfab.exe 2204 Lkbphfab.exe 2640 Lekeak32.exe 2640 Lekeak32.exe 2560 Lmbmbi32.exe 2560 Lmbmbi32.exe 2944 Mboekp32.exe 2944 Mboekp32.exe 2044 Mgkncfdc.exe 2044 Mgkncfdc.exe 1004 Mbabpodi.exe 1004 Mbabpodi.exe 796 Mikjmi32.exe 796 Mikjmi32.exe 2380 Mbcofobg.exe 2380 Mbcofobg.exe 2372 Meakbjaj.exe 2372 Meakbjaj.exe 2112 Mjocja32.exe 2112 Mjocja32.exe 2460 Mmmpfm32.exe 2460 Mmmpfm32.exe 1592 Medggj32.exe 1592 Medggj32.exe 1940 Mhbdce32.exe 1940 Mhbdce32.exe 1532 Mnllppfh.exe 1532 Mnllppfh.exe 2208 Mpnhhh32.exe 2208 Mpnhhh32.exe 2076 Mheqie32.exe 2076 Mheqie32.exe 984 Nifmqm32.exe 984 Nifmqm32.exe 2036 Nmaialjp.exe 2036 Nmaialjp.exe 2780 Ndlanf32.exe 2780 Ndlanf32.exe 3012 Nmdfglhm.exe 3012 Nmdfglhm.exe 2736 Npbbcgga.exe 2736 Npbbcgga.exe 2740 Nlibhhme.exe 2740 Nlibhhme.exe 2636 Npdohg32.exe 2636 Npdohg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Heaapgkc.dll Djolbp32.exe File opened for modification C:\Windows\SysWOW64\Dpanffhn.exe Dlebeg32.exe File created C:\Windows\SysWOW64\Aejncedk.exe Aaobcg32.exe File created C:\Windows\SysWOW64\Ongckh32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Giiibqdp.exe Gbpaef32.exe File created C:\Windows\SysWOW64\Cibaefmm.dll Fieiephm.exe File opened for modification C:\Windows\SysWOW64\Imgjfe32.exe Ibafhmph.exe File created C:\Windows\SysWOW64\Okhboc32.exe Odnjbibf.exe File opened for modification C:\Windows\SysWOW64\Fdicfbpl.exe Fbkgjgqi.exe File opened for modification C:\Windows\SysWOW64\Gemham32.exe Process not Found File created C:\Windows\SysWOW64\Gjcgdi32.dll Process not Found File created C:\Windows\SysWOW64\Fbbbcjoi.dll Process not Found File created C:\Windows\SysWOW64\Aoqjhiie.exe Ambnlmja.exe File created C:\Windows\SysWOW64\Bjamhh32.exe Process not Found File created C:\Windows\SysWOW64\Fikcdmdd.dll Agfhmo32.exe File opened for modification C:\Windows\SysWOW64\Nqlmnldd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nacgpi32.exe Nndkdn32.exe File created C:\Windows\SysWOW64\Jfeamimh.exe Jdgeanne.exe File created C:\Windows\SysWOW64\Lkgqkb32.dll Ipclej32.exe File created C:\Windows\SysWOW64\Anebhh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Goemjbna.exe Process not Found File created C:\Windows\SysWOW64\Ainhln32.exe Aebllocg.exe File created C:\Windows\SysWOW64\Ldngqqjh.exe Laokdekd.exe File created C:\Windows\SysWOW64\Iachom32.exe Iilqnp32.exe File created C:\Windows\SysWOW64\Lokkag32.exe Lkpoahgm.exe File opened for modification C:\Windows\SysWOW64\Lpggdj32.exe Process not Found File created C:\Windows\SysWOW64\Bnnblfgm.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cpolli32.exe Camlpldf.exe File created C:\Windows\SysWOW64\Nfjpcjhe.exe Nppgfp32.exe File created C:\Windows\SysWOW64\Nakgibde.dll Process 
not Found File opened for modification C:\Windows\SysWOW64\Nnboonmb.exe Nldbbbno.exe File created C:\Windows\SysWOW64\Hafppp32.exe Hmkdpafo.exe File opened for modification C:\Windows\SysWOW64\Jegknp32.exe Jbinbd32.exe File opened for modification C:\Windows\SysWOW64\Mdbocl32.exe Process not Found File created C:\Windows\SysWOW64\Mnkdlagc.exe Process not Found File created C:\Windows\SysWOW64\Edgllicl.dll Anonqq32.exe File opened for modification C:\Windows\SysWOW64\Bqpejh32.exe Bnbinl32.exe File created C:\Windows\SysWOW64\Gcpoaacc.dll Aekenl32.exe File created C:\Windows\SysWOW64\Abfonl32.exe Accobock.exe File created C:\Windows\SysWOW64\Bqpejh32.exe Bnbinl32.exe File created C:\Windows\SysWOW64\Nphncc32.dll Process not Found File created C:\Windows\SysWOW64\Cdbfahdg.dll Process not Found File opened for modification C:\Windows\SysWOW64\Lnflif32.exe Lgldmlil.exe File opened for modification C:\Windows\SysWOW64\Pifdog32.exe Papmnj32.exe File opened for modification C:\Windows\SysWOW64\Fklohgie.exe Fdafkm32.exe File opened for modification C:\Windows\SysWOW64\Dadkdj32.exe Dnfoho32.exe File created C:\Windows\SysWOW64\Lfpohf32.dll Fiiono32.exe File created C:\Windows\SysWOW64\Libhbo32.exe Process not Found File created C:\Windows\SysWOW64\Gnldai32.dll Process not Found File created C:\Windows\SysWOW64\Cqfcngpa.dll Process not Found File created C:\Windows\SysWOW64\Nmaialjp.exe Nifmqm32.exe File created C:\Windows\SysWOW64\Dakbajhh.dll Kjdmjiae.exe File created C:\Windows\SysWOW64\Hkhcjnob.dll Abfonl32.exe File created C:\Windows\SysWOW64\Okcfob32.dll Elgmbnfn.exe File created C:\Windows\SysWOW64\Idpipo32.dll Fcodhl32.exe File created C:\Windows\SysWOW64\Gndjpoaa.dll Ilpaqmkg.exe File created C:\Windows\SysWOW64\Iimebpbe.dll Ofoemm32.exe File opened for modification C:\Windows\SysWOW64\Ianodncp.exe Ijdggc32.exe File opened for modification C:\Windows\SysWOW64\Kjdmjiae.exe Kgfannba.exe File created C:\Windows\SysWOW64\Miqmkh32.exe Mfbqol32.exe File opened for 
modification C:\Windows\SysWOW64\Lkhfhaea.exe Lhjjle32.exe File opened for modification C:\Windows\SysWOW64\Ocfppm32.exe Oqhcda32.exe File created C:\Windows\SysWOW64\Iickee32.dll Fhbcaa32.exe File opened for modification C:\Windows\SysWOW64\Nelgkhdp.exe Nnboonmb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5056 5048 Process not Found 1380 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jibdff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilggal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onmkhlph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdflopoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ileibabq.dll" Pijjhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbmann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kenaoojo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qeakmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcqlcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpqlmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmioem32.dll" Imgjfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = 
"C:\\Windows\\SysWow64\\Jcbbpj32.dll" Pdpepejb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Accobock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlddohii.dll" Lokkag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aqpgblqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmnjgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkcgae32.dll" Dpqlmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cimdba32.dll" Ojhehlag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pboihm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipliafnn.dll" Eilodk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ionkmdop.dll" Ancfbhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eiclop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbjmodph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hncjiecj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilmem32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgddin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnhmoo32.dll" Jolingnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kefnjdgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halmkejm.dll" Cpolli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgconl32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dckbme32.dll" Fljhojnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkcnleom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ephkak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hngajf32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbkfpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbieejff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfbqol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Peiliihm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bimkhe32.dll" Gckfmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijbjbdnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhnahl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgnkgjgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlcfedf.dll" Lpiaqqlg.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qilgneen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnaadb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdnojkck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocfppm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Algjofhb.dll" Kmnonqce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkkifgpn.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnhhpaio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmijiiao.dll" Mphhbblp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glaejokn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipekjn32.dll" Process not Found Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdnielg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baogbnpe.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 448 wrote to memory of 2032 448 6e745386e5cc3ddfb988313d0434c010N.exe 29 PID 448 wrote to memory of 2032 448 6e745386e5cc3ddfb988313d0434c010N.exe 29 PID 448 wrote to memory of 2032 448 6e745386e5cc3ddfb988313d0434c010N.exe 29 PID 448 wrote to memory of 2032 448 6e745386e5cc3ddfb988313d0434c010N.exe 29 PID 2032 wrote to memory of 1508 2032 Lkgmdbja.exe 30 PID 2032 wrote to memory of 1508 2032 Lkgmdbja.exe 30 PID 2032 wrote to memory of 1508 2032 Lkgmdbja.exe 30 PID 2032 wrote to memory of 1508 2032 Lkgmdbja.exe 30 PID 1508 wrote to memory of 2724 1508 Lmhjlj32.exe 31 PID 1508 wrote to memory of 2724 1508 Lmhjlj32.exe 31 PID 1508 wrote to memory of 2724 1508 Lmhjlj32.exe 31 PID 1508 wrote to memory of 2724 1508 Lmhjlj32.exe 31 PID 2724 wrote to memory of 2700 2724 Ldpbmg32.exe 32 PID 2724 wrote to memory of 2700 2724 Ldpbmg32.exe 32 PID 2724 wrote to memory of 2700 2724 Ldpbmg32.exe 32 PID 2724 wrote to memory of 2700 2724 Ldpbmg32.exe 32 PID 2700 wrote to memory of 2876 2700 Ljljenoi.exe 33 PID 2700 wrote to memory of 2876 2700 Ljljenoi.exe 33 PID 2700 wrote to memory of 2876 2700 Ljljenoi.exe 33 PID 2700 wrote to memory of 2876 2700 Ljljenoi.exe 33 PID 2876 wrote to memory of 2892 2876 Lgpkobnb.exe 34 PID 2876 wrote to memory of 2892 2876 Lgpkobnb.exe 34 PID 2876 wrote to memory of 2892 2876 Lgpkobnb.exe 34 PID 2876 wrote to memory of 2892 2876 Lgpkobnb.exe 34 PID 2892 wrote to memory of 2696 2892 Ljogknmf.exe 35 PID 2892 wrote to memory of 2696 2892 Ljogknmf.exe 35 PID 2892 wrote to memory of 2696 2892 Ljogknmf.exe 35 PID 2892 wrote to memory of 2696 2892 Ljogknmf.exe 35 PID 2696 wrote to memory of 1208 2696 Lmmcgilj.exe 36 PID 2696 wrote to memory of 1208 2696 Lmmcgilj.exe 36 PID 2696 wrote to memory of 1208 2696 Lmmcgilj.exe 36 PID 2696 wrote to memory of 1208 2696 Lmmcgilj.exe 36 PID 1208 wrote to memory of 2204 1208 Liddljan.exe 37 PID 1208 wrote to memory of 2204 1208 Liddljan.exe 37 PID 1208 wrote to memory of 2204 
1208 Liddljan.exe 37 PID 1208 wrote to memory of 2204 1208 Liddljan.exe 37 PID 2204 wrote to memory of 2640 2204 Lkbphfab.exe 38 PID 2204 wrote to memory of 2640 2204 Lkbphfab.exe 38 PID 2204 wrote to memory of 2640 2204 Lkbphfab.exe 38 PID 2204 wrote to memory of 2640 2204 Lkbphfab.exe 38 PID 2640 wrote to memory of 2560 2640 Lekeak32.exe 39 PID 2640 wrote to memory of 2560 2640 Lekeak32.exe 39 PID 2640 wrote to memory of 2560 2640 Lekeak32.exe 39 PID 2640 wrote to memory of 2560 2640 Lekeak32.exe 39 PID 2560 wrote to memory of 2944 2560 Lmbmbi32.exe 40 PID 2560 wrote to memory of 2944 2560 Lmbmbi32.exe 40 PID 2560 wrote to memory of 2944 2560 Lmbmbi32.exe 40 PID 2560 wrote to memory of 2944 2560 Lmbmbi32.exe 40 PID 2944 wrote to memory of 2044 2944 Mboekp32.exe 41 PID 2944 wrote to memory of 2044 2944 Mboekp32.exe 41 PID 2944 wrote to memory of 2044 2944 Mboekp32.exe 41 PID 2944 wrote to memory of 2044 2944 Mboekp32.exe 41 PID 2044 wrote to memory of 1004 2044 Mgkncfdc.exe 42 PID 2044 wrote to memory of 1004 2044 Mgkncfdc.exe 42 PID 2044 wrote to memory of 1004 2044 Mgkncfdc.exe 42 PID 2044 wrote to memory of 1004 2044 Mgkncfdc.exe 42 PID 1004 wrote to memory of 796 1004 Mbabpodi.exe 43 PID 1004 wrote to memory of 796 1004 Mbabpodi.exe 43 PID 1004 wrote to memory of 796 1004 Mbabpodi.exe 43 PID 1004 wrote to memory of 796 1004 Mbabpodi.exe 43 PID 796 wrote to memory of 2380 796 Mikjmi32.exe 44 PID 796 wrote to memory of 2380 796 Mikjmi32.exe 44 PID 796 wrote to memory of 2380 796 Mikjmi32.exe 44 PID 796 wrote to memory of 2380 796 Mikjmi32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\6e745386e5cc3ddfb988313d0434c010N.exe"C:\Users\Admin\AppData\Local\Temp\6e745386e5cc3ddfb988313d0434c010N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\Lkgmdbja.exeC:\Windows\system32\Lkgmdbja.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Lmhjlj32.exeC:\Windows\system32\Lmhjlj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Ldpbmg32.exeC:\Windows\system32\Ldpbmg32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Ljljenoi.exeC:\Windows\system32\Ljljenoi.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Lgpkobnb.exeC:\Windows\system32\Lgpkobnb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Ljogknmf.exeC:\Windows\system32\Ljogknmf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Lmmcgilj.exeC:\Windows\system32\Lmmcgilj.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Liddljan.exeC:\Windows\system32\Liddljan.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\SysWOW64\Lkbphfab.exeC:\Windows\system32\Lkbphfab.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Lekeak32.exeC:\Windows\system32\Lekeak32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Lmbmbi32.exeC:\Windows\system32\Lmbmbi32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Mboekp32.exeC:\Windows\system32\Mboekp32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Mgkncfdc.exeC:\Windows\system32\Mgkncfdc.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Mbabpodi.exeC:\Windows\system32\Mbabpodi.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\Mikjmi32.exeC:\Windows\system32\Mikjmi32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\SysWOW64\Mbcofobg.exeC:\Windows\system32\Mbcofobg.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Meakbjaj.exeC:\Windows\system32\Meakbjaj.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2372 -
C:\Windows\SysWOW64\Mjocja32.exeC:\Windows\system32\Mjocja32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2112 -
C:\Windows\SysWOW64\Mmmpfm32.exeC:\Windows\system32\Mmmpfm32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2460 -
C:\Windows\SysWOW64\Medggj32.exeC:\Windows\system32\Medggj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Mhbdce32.exeC:\Windows\system32\Mhbdce32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1940 -
C:\Windows\SysWOW64\Mnllppfh.exeC:\Windows\system32\Mnllppfh.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1532 -
C:\Windows\SysWOW64\Mpnhhh32.exeC:\Windows\system32\Mpnhhh32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2208 -
C:\Windows\SysWOW64\Mheqie32.exeC:\Windows\system32\Mheqie32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2076 -
C:\Windows\SysWOW64\Nifmqm32.exeC:\Windows\system32\Nifmqm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:984 -
C:\Windows\SysWOW64\Nmaialjp.exeC:\Windows\system32\Nmaialjp.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2036 -
C:\Windows\SysWOW64\Ndlanf32.exeC:\Windows\system32\Ndlanf32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Nmdfglhm.exeC:\Windows\system32\Nmdfglhm.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\Npbbcgga.exeC:\Windows\system32\Npbbcgga.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Nlibhhme.exeC:\Windows\system32\Nlibhhme.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Npdohg32.exeC:\Windows\system32\Npdohg32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Nbckeb32.exeC:\Windows\system32\Nbckeb32.exe33⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Nimcallo.exeC:\Windows\system32\Nimcallo.exe34⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Nkqlodpk.exeC:\Windows\system32\Nkqlodpk.exe35⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Obhdpaqm.exeC:\Windows\system32\Obhdpaqm.exe36⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Olpiig32.exeC:\Windows\system32\Olpiig32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Omaepoml.exeC:\Windows\system32\Omaepoml.exe38⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Oamaan32.exeC:\Windows\system32\Oamaan32.exe39⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Okefjcle.exeC:\Windows\system32\Okefjcle.exe40⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Odnjbibf.exeC:\Windows\system32\Odnjbibf.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:548 -
C:\Windows\SysWOW64\Okhboc32.exeC:\Windows\system32\Okhboc32.exe42⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Opdkgj32.exeC:\Windows\system32\Opdkgj32.exe43⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Occgce32.exeC:\Windows\system32\Occgce32.exe44⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Onhkan32.exeC:\Windows\system32\Onhkan32.exe45⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Odbcnh32.exeC:\Windows\system32\Odbcnh32.exe46⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Plnhbk32.exeC:\Windows\system32\Plnhbk32.exe47⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Pcgqoech.exeC:\Windows\system32\Pcgqoech.exe48⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Pefmkpbl.exeC:\Windows\system32\Pefmkpbl.exe49⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Phdiglap.exeC:\Windows\system32\Phdiglap.exe50⤵
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Plpehj32.exeC:\Windows\system32\Plpehj32.exe51⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Pcjmdd32.exeC:\Windows\system32\Pcjmdd32.exe52⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Pehiqp32.exeC:\Windows\system32\Pehiqp32.exe53⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Plbbmjhf.exeC:\Windows\system32\Plbbmjhf.exe54⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Pkebig32.exeC:\Windows\system32\Pkebig32.exe55⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Paojeafn.exeC:\Windows\system32\Paojeafn.exe56⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Pekffp32.exeC:\Windows\system32\Pekffp32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:600 -
C:\Windows\SysWOW64\Pldobjec.exeC:\Windows\system32\Pldobjec.exe58⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Pockoeeg.exeC:\Windows\system32\Pockoeeg.exe59⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Pnfkjb32.exeC:\Windows\system32\Pnfkjb32.exe60⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Pfmclold.exeC:\Windows\system32\Pfmclold.exe61⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Pdpcgl32.exeC:\Windows\system32\Pdpcgl32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Pgnpcg32.exeC:\Windows\system32\Pgnpcg32.exe63⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Pkjkdfjk.exeC:\Windows\system32\Pkjkdfjk.exe64⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Pnhhpaio.exeC:\Windows\system32\Pnhhpaio.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:328 -
C:\Windows\SysWOW64\Qdbpml32.exeC:\Windows\system32\Qdbpml32.exe66⤵PID:2512
-
C:\Windows\SysWOW64\Qhnlmjie.exeC:\Windows\system32\Qhnlmjie.exe67⤵PID:1540
-
C:\Windows\SysWOW64\Qjoheb32.exeC:\Windows\system32\Qjoheb32.exe68⤵PID:2548
-
C:\Windows\SysWOW64\Qnkdeagl.exeC:\Windows\system32\Qnkdeagl.exe69⤵PID:1736
-
C:\Windows\SysWOW64\Qbfqfppe.exeC:\Windows\system32\Qbfqfppe.exe70⤵PID:2120
-
C:\Windows\SysWOW64\Qqiqam32.exeC:\Windows\system32\Qqiqam32.exe71⤵PID:3024
-
C:\Windows\SysWOW64\Qcgmnh32.exeC:\Windows\system32\Qcgmnh32.exe72⤵PID:2196
-
C:\Windows\SysWOW64\Qgcingnm.exeC:\Windows\system32\Qgcingnm.exe73⤵PID:1740
-
C:\Windows\SysWOW64\Qkoeoe32.exeC:\Windows\system32\Qkoeoe32.exe74⤵PID:2688
-
C:\Windows\SysWOW64\Qnmaka32.exeC:\Windows\system32\Qnmaka32.exe75⤵PID:2972
-
C:\Windows\SysWOW64\Qmpafnld.exeC:\Windows\system32\Qmpafnld.exe76⤵PID:2108
-
C:\Windows\SysWOW64\Adgihkmf.exeC:\Windows\system32\Adgihkmf.exe77⤵PID:2236
-
C:\Windows\SysWOW64\Acjjch32.exeC:\Windows\system32\Acjjch32.exe78⤵PID:2308
-
C:\Windows\SysWOW64\Ageedflj.exeC:\Windows\system32\Ageedflj.exe79⤵PID:1500
-
C:\Windows\SysWOW64\Afhfpc32.exeC:\Windows\system32\Afhfpc32.exe80⤵PID:980
-
C:\Windows\SysWOW64\Anonqq32.exeC:\Windows\system32\Anonqq32.exe81⤵
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\Ambnlmja.exeC:\Windows\system32\Ambnlmja.exe82⤵
- Drops file in System32 directory
PID:2084 -
C:\Windows\SysWOW64\Aoqjhiie.exeC:\Windows\system32\Aoqjhiie.exe83⤵PID:2940
-
C:\Windows\SysWOW64\Afjbecqb.exeC:\Windows\system32\Afjbecqb.exe84⤵PID:3008
-
C:\Windows\SysWOW64\Ajfoea32.exeC:\Windows\system32\Ajfoea32.exe85⤵PID:2900
-
C:\Windows\SysWOW64\Aiioanpf.exeC:\Windows\system32\Aiioanpf.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2040 -
C:\Windows\SysWOW64\Aqpgblqh.exeC:\Windows\system32\Aqpgblqh.exe87⤵
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Aocgnh32.exeC:\Windows\system32\Aocgnh32.exe88⤵PID:760
-
C:\Windows\SysWOW64\Acncngpl.exeC:\Windows\system32\Acncngpl.exe89⤵PID:2092
-
C:\Windows\SysWOW64\Abacjd32.exeC:\Windows\system32\Abacjd32.exe90⤵PID:864
-
C:\Windows\SysWOW64\Afmokbop.exeC:\Windows\system32\Afmokbop.exe91⤵PID:1980
-
C:\Windows\SysWOW64\Ajhkka32.exeC:\Windows\system32\Ajhkka32.exe92⤵PID:836
-
C:\Windows\SysWOW64\Akjhcimg.exeC:\Windows\system32\Akjhcimg.exe93⤵PID:3056
-
C:\Windows\SysWOW64\Abcppcdc.exeC:\Windows\system32\Abcppcdc.exe94⤵PID:340
-
C:\Windows\SysWOW64\Afolpb32.exeC:\Windows\system32\Afolpb32.exe95⤵PID:1884
-
C:\Windows\SysWOW64\Aebllocg.exeC:\Windows\system32\Aebllocg.exe96⤵
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Ainhln32.exeC:\Windows\system32\Ainhln32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1156 -
C:\Windows\SysWOW64\Aogqihcm.exeC:\Windows\system32\Aogqihcm.exe98⤵PID:2592
-
C:\Windows\SysWOW64\Abfmecba.exeC:\Windows\system32\Abfmecba.exe99⤵PID:2100
-
C:\Windows\SysWOW64\Aediaoae.exeC:\Windows\system32\Aediaoae.exe100⤵PID:2280
-
C:\Windows\SysWOW64\Aipebm32.exeC:\Windows\system32\Aipebm32.exe101⤵PID:2476
-
C:\Windows\SysWOW64\Bgbemjqh.exeC:\Windows\system32\Bgbemjqh.exe102⤵PID:576
-
C:\Windows\SysWOW64\Bojmogak.exeC:\Windows\system32\Bojmogak.exe103⤵PID:2000
-
C:\Windows\SysWOW64\Bakjfp32.exeC:\Windows\system32\Bakjfp32.exe104⤵PID:2752
-
C:\Windows\SysWOW64\Begegn32.exeC:\Windows\system32\Begegn32.exe105⤵PID:1672
-
C:\Windows\SysWOW64\Bkqnchgo.exeC:\Windows\system32\Bkqnchgo.exe106⤵PID:2132
-
C:\Windows\SysWOW64\Bjcnoe32.exeC:\Windows\system32\Bjcnoe32.exe107⤵PID:1440
-
C:\Windows\SysWOW64\Bbkfpb32.exeC:\Windows\system32\Bbkfpb32.exe108⤵
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Bamfloef.exeC:\Windows\system32\Bamfloef.exe109⤵PID:2948
-
C:\Windows\SysWOW64\Bggohi32.exeC:\Windows\system32\Bggohi32.exe110⤵PID:2768
-
C:\Windows\SysWOW64\Bjfkde32.exeC:\Windows\system32\Bjfkde32.exe111⤵PID:2928
-
C:\Windows\SysWOW64\Bmdgqp32.exeC:\Windows\system32\Bmdgqp32.exe112⤵PID:1332
-
C:\Windows\SysWOW64\Bekobn32.exeC:\Windows\system32\Bekobn32.exe113⤵PID:2064
-
C:\Windows\SysWOW64\Bcnomjbg.exeC:\Windows\system32\Bcnomjbg.exe114⤵PID:2272
-
C:\Windows\SysWOW64\Bfmlif32.exeC:\Windows\system32\Bfmlif32.exe115⤵PID:1140
-
C:\Windows\SysWOW64\Bndckc32.exeC:\Windows\system32\Bndckc32.exe116⤵PID:2212
-
C:\Windows\SysWOW64\Bmfdfpih.exeC:\Windows\system32\Bmfdfpih.exe117⤵PID:1152
-
C:\Windows\SysWOW64\Bcqlcj32.exeC:\Windows\system32\Bcqlcj32.exe118⤵
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Bfohoe32.exeC:\Windows\system32\Bfohoe32.exe119⤵PID:2568
-
C:\Windows\SysWOW64\Bjjdpdga.exeC:\Windows\system32\Bjjdpdga.exe120⤵PID:2600
-
C:\Windows\SysWOW64\Bimdka32.exeC:\Windows\system32\Bimdka32.exe121⤵PID:2916
-
C:\Windows\SysWOW64\Bpgmhkfi.exeC:\Windows\system32\Bpgmhkfi.exe122⤵PID:2984