Analysis
-
max time kernel
119s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
21-07-2024 14:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d6cd939482b4ade431c618bb116a8580N.exe
Resource
win7-20240704-en
windows7-x64
6 signatures
120 seconds
Behavioral task
behavioral2
Sample
d6cd939482b4ade431c618bb116a8580N.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
120 seconds
General
-
Target
d6cd939482b4ade431c618bb116a8580N.exe
-
Size
96KB
-
MD5
d6cd939482b4ade431c618bb116a8580
-
SHA1
31b86412b353f13adee77ed31a832ebdf52defcf
-
SHA256
6c101abcee5c46ca29d30cc9bbc98937e0787536befcc9bac2d6bdabe71a18df
-
SHA512
94862c009c5401f9d8a330315bac6b8c1414788b5b2d171e784ca0968de66bd469688b8c687040b6fe2118420753bd18110fe383b5063434d52442785a59e669
-
SSDEEP
1536:0dlhgYkvlcms/kbJBVR/Hml2Le7RZObZUUWaegPYA:/+H/kbJBVRvmWeClUUWae
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okbapi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebappk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmfmkjdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oapcfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anmbje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjlemlnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcdadhjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhcicf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmlecinf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikgkei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jipaip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oepjoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qaofgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhlqjone.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chjjde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hipkfkgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iklfia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnhnfckm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gleqdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcohahpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmocbnop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okkkoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qldjdlgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbqkeioh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acadchoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdnkdmec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhlqjone.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dilchhgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkpnjd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnpgloog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kckhdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llebnfpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aphehidc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlolnllf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iocioq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofgbkacb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abkkpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Libjncnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hajfgnjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ochcem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Empomd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kipmhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ombddbah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiqibj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdfiofhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkdioh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmmqmpdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jplfkjbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdjoii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anecfgdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnhhge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogohdeam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iipejmko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpdhna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flcojeak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldmaijdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aadobccg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kghmhegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lffmpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmpeljkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnklgkap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koibpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqojhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbpnkm32.exe -
Executes dropped EXE 64 IoCs
pid Process 2632 Hifbdnbi.exe 2824 Hqnjek32.exe 2056 Hjfnnajl.exe 2776 Ikgkei32.exe 2552 Icncgf32.exe 320 Ifmocb32.exe 948 Ioeclg32.exe 880 Ibcphc32.exe 2932 Igqhpj32.exe 2804 Iaimipjl.exe 2912 Iipejmko.exe 496 Ibhicbao.exe 2640 Icifjk32.exe 536 Inojhc32.exe 2380 Iamfdo32.exe 2160 Jnagmc32.exe 112 Jcnoejch.exe 1764 Jjhgbd32.exe 868 Jikhnaao.exe 1672 Jpepkk32.exe 1320 Jbclgf32.exe 1928 Jjjdhc32.exe 2432 Jmipdo32.exe 1904 Jfaeme32.exe 1972 Jipaip32.exe 2080 Jmkmjoec.exe 3040 Jbhebfck.exe 1576 Jplfkjbd.exe 2012 Kbjbge32.exe 2372 Khgkpl32.exe 2660 Koaclfgl.exe 1032 Kbmome32.exe 1964 Kdnkdmec.exe 2868 Kdphjm32.exe 2864 Kfodfh32.exe 2044 Kpgionie.exe 1316 Khnapkjg.exe 484 Kipmhc32.exe 1932 Kpieengb.exe 2172 Libjncnc.exe 2176 Llpfjomf.exe 1196 Ldgnklmi.exe 992 Leikbd32.exe 1872 Lmpcca32.exe 1336 Lcmklh32.exe 1688 Lghgmg32.exe 2060 Lcohahpn.exe 1716 Lemdncoa.exe 2252 Lhlqjone.exe 2708 Lkjmfjmi.exe 2572 Lofifi32.exe 2576 Ladebd32.exe 1052 Ldbaopdj.exe 3000 Lljipmdl.exe 2976 Lohelidp.exe 2992 Mdendpbg.exe 2924 Mhqjen32.exe 1312 Mkofaj32.exe 1128 Mojbaham.exe 572 Mainndaq.exe 2140 Mdgkjopd.exe 2600 Mgegfk32.exe 2440 Mnpobefe.exe 2192 Mpnkopeh.exe -
Loads dropped DLL 64 IoCs
pid Process 2364 d6cd939482b4ade431c618bb116a8580N.exe 2364 d6cd939482b4ade431c618bb116a8580N.exe 2632 Hifbdnbi.exe 2632 Hifbdnbi.exe 2824 Hqnjek32.exe 2824 Hqnjek32.exe 2056 Hjfnnajl.exe 2056 Hjfnnajl.exe 2776 Ikgkei32.exe 2776 Ikgkei32.exe 2552 Icncgf32.exe 2552 Icncgf32.exe 320 Ifmocb32.exe 320 Ifmocb32.exe 948 Ioeclg32.exe 948 Ioeclg32.exe 880 Ibcphc32.exe 880 Ibcphc32.exe 2932 Igqhpj32.exe 2932 Igqhpj32.exe 2804 Iaimipjl.exe 2804 Iaimipjl.exe 2912 Iipejmko.exe 2912 Iipejmko.exe 496 Ibhicbao.exe 496 Ibhicbao.exe 2640 Icifjk32.exe 2640 Icifjk32.exe 536 Inojhc32.exe 536 Inojhc32.exe 2380 Iamfdo32.exe 2380 Iamfdo32.exe 2160 Jnagmc32.exe 2160 Jnagmc32.exe 112 Jcnoejch.exe 112 Jcnoejch.exe 1764 Jjhgbd32.exe 1764 Jjhgbd32.exe 868 Jikhnaao.exe 868 Jikhnaao.exe 1672 Jpepkk32.exe 1672 Jpepkk32.exe 1320 Jbclgf32.exe 1320 Jbclgf32.exe 1928 Jjjdhc32.exe 1928 Jjjdhc32.exe 2432 Jmipdo32.exe 2432 Jmipdo32.exe 1904 Jfaeme32.exe 1904 Jfaeme32.exe 1972 Jipaip32.exe 1972 Jipaip32.exe 2080 Jmkmjoec.exe 2080 Jmkmjoec.exe 3040 Jbhebfck.exe 3040 Jbhebfck.exe 1576 Jplfkjbd.exe 1576 Jplfkjbd.exe 2012 Kbjbge32.exe 2012 Kbjbge32.exe 2372 Khgkpl32.exe 2372 Khgkpl32.exe 2660 Koaclfgl.exe 2660 Koaclfgl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jmocbnop.exe Jjpgfbom.exe File created C:\Windows\SysWOW64\Lmpeljkm.exe Lidilk32.exe File opened for modification C:\Windows\SysWOW64\Nepokogo.exe Mcacochk.exe File created C:\Windows\SysWOW64\Gknfqppk.dll Pfflql32.exe File opened for modification C:\Windows\SysWOW64\Lehdhn32.exe Lalhgogb.exe File created C:\Windows\SysWOW64\Cinefnpo.dll Gleqdb32.exe File opened for modification C:\Windows\SysWOW64\Akdafn32.exe Alaqjaaa.exe File opened for modification C:\Windows\SysWOW64\Qdlipplq.exe Qanmcdlm.exe File created C:\Windows\SysWOW64\Iemanlnj.dll Jgjmoace.exe File opened for modification C:\Windows\SysWOW64\Aiqjao32.exe Afbnec32.exe File created C:\Windows\SysWOW64\Nbfnggeo.exe Nohaklfk.exe File created C:\Windows\SysWOW64\Jjjdhc32.exe Jbclgf32.exe File created C:\Windows\SysWOW64\Kipknhkd.dll Pfkimhhi.exe File opened for modification C:\Windows\SysWOW64\Bphooc32.exe Bnicbh32.exe File created C:\Windows\SysWOW64\Iajpndmp.dll Ecadddjh.exe File opened for modification C:\Windows\SysWOW64\Glfgnh32.exe Gigkbm32.exe File opened for modification C:\Windows\SysWOW64\Mdlfngcc.exe Manjaldo.exe File created C:\Windows\SysWOW64\Gmiflpof.dll Hjfnnajl.exe File opened for modification C:\Windows\SysWOW64\Omnkicen.exe Ojpomh32.exe File created C:\Windows\SysWOW64\Biogkbfn.dll Cfnkmi32.exe File created C:\Windows\SysWOW64\Fghjnd32.dll Idohdhbo.exe File opened for modification C:\Windows\SysWOW64\Ablbjj32.exe Apnfno32.exe File created C:\Windows\SysWOW64\Ngeogk32.dll Bdinnqon.exe File opened for modification C:\Windows\SysWOW64\Djmiejji.exe Dgnminke.exe File opened for modification C:\Windows\SysWOW64\Empomd32.exe Enmnahnm.exe File opened for modification C:\Windows\SysWOW64\Jipaip32.exe Jfaeme32.exe File opened for modification C:\Windows\SysWOW64\Inkcem32.exe Iklfia32.exe File opened for modification C:\Windows\SysWOW64\Jfojpn32.exe Jgmjdaqb.exe File opened for modification C:\Windows\SysWOW64\Qfkgdd32.exe Qghgigkn.exe File created C:\Windows\SysWOW64\Aemmee32.dll Qaqlbmbn.exe File created C:\Windows\SysWOW64\Egpena32.exe Efoifiep.exe File created C:\Windows\SysWOW64\Aobffp32.dll Onamle32.exe File created C:\Windows\SysWOW64\Aoffeijg.dll Jqpebg32.exe File created C:\Windows\SysWOW64\Pofldf32.exe Pgodcich.exe File created C:\Windows\SysWOW64\Aiqjao32.exe Afbnec32.exe File created C:\Windows\SysWOW64\Iianmlfn.exe Ifbaapfk.exe File created C:\Windows\SysWOW64\Kembedli.dll Ficehj32.exe File opened for modification C:\Windows\SysWOW64\Hoimecmb.exe Hkmaed32.exe File created C:\Windows\SysWOW64\Mmgkii32.dll Lmpeljkm.exe File created C:\Windows\SysWOW64\Jdhpfnbe.dll Cdedde32.exe File opened for modification C:\Windows\SysWOW64\Hgiked32.exe Hdjoii32.exe File created C:\Windows\SysWOW64\Iemalkgd.exe Iocioq32.exe File created C:\Windows\SysWOW64\Amefhjna.dll Plpqim32.exe File created C:\Windows\SysWOW64\Lgkqjo32.dll Ggklka32.exe File created C:\Windows\SysWOW64\Khagijcd.exe Kiofnm32.exe File opened for modification C:\Windows\SysWOW64\Adblnnbk.exe Aadobccg.exe File created C:\Windows\SysWOW64\Jbaajccm.dll Dochelmj.exe File opened for modification C:\Windows\SysWOW64\Aebobgmi.exe Abdbflnf.exe File created C:\Windows\SysWOW64\Gdcmig32.exe Gaeqmk32.exe File created C:\Windows\SysWOW64\Ncfjajma.exe Nkobpmlo.exe File created C:\Windows\SysWOW64\Dphhka32.exe Dmjlof32.exe File opened for modification C:\Windows\SysWOW64\Qlggjlep.exe Qdpohodn.exe File opened for modification C:\Windows\SysWOW64\Hgckoofa.exe Hpicbe32.exe File created C:\Windows\SysWOW64\Lhlqjone.exe Lemdncoa.exe File created C:\Windows\SysWOW64\Jijacjnc.exe Jacibm32.exe File opened for modification C:\Windows\SysWOW64\Kiecgo32.exe Kfggkc32.exe File created C:\Windows\SysWOW64\Nilacmgb.dll Pjbjjc32.exe File opened for modification C:\Windows\SysWOW64\Celpqbon.exe Ccnddg32.exe File created C:\Windows\SysWOW64\Hdaefhgm.dll Dgcmod32.exe File created C:\Windows\SysWOW64\Klalgq32.dll Ldhgnk32.exe File opened for modification C:\Windows\SysWOW64\Ogbldk32.exe Oddphp32.exe File opened for modification C:\Windows\SysWOW64\Pmkdhq32.exe Piohgbng.exe File opened for modification C:\Windows\SysWOW64\Jkopndcb.exe Jipcbidn.exe File created C:\Windows\SysWOW64\Magdam32.exe Mohhea32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpepkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojpomh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjggap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldpnoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obnbpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccnddg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plhaeofp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndafcmci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgnminke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgmggp32.dll" Keiqlihp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkghniol.dll" Lcedne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abkkpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fiqibj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Miocmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pflbpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjoklkie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnfhal32.dll" Lolofd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chggdoee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fipbhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlnlqk32.dll" Gdnibdmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dplclg32.dll" Kccgheib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkkckf32.dll" Nedifo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plpqim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qedehamj.dll" Apnfno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iemanlnj.dll" Jgjmoace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnim32.dll" Lmnhgjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mokdja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdnkdmec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdnncfoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjhlmfio.dll" Hnpgloog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nladco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Negeln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pilkle32.dll" Oqjibkek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Beldao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpmkbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffdilo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngemqa32.dll" Oqojhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnhhge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilgjhena.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nepokogo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID d6cd939482b4ade431c618bb116a8580N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkaamgeg.dll" Igqhpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anbmbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhglop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Allgoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cppobaeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkjmfjmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ochcem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmenhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nflfad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abnopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiabmg32.dll" Ekghcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eomohejp.dll" Emgdmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgmfb32.dll" Feipbefb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlalaoic.dll" Gefolhja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llhocfnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Libjncnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igooceih.dll" Qldjdlgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpbkhabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmagikg.dll" Fmbgageq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijfqfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Befima32.dll" Abkkpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpmkm32.dll" Nkobpmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnqnoqah.dll" Fjckelfm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2364 wrote to memory of 2632 2364 d6cd939482b4ade431c618bb116a8580N.exe 30 PID 2364 wrote to memory of 2632 2364 d6cd939482b4ade431c618bb116a8580N.exe 30 PID 2364 wrote to memory of 2632 2364 d6cd939482b4ade431c618bb116a8580N.exe 30 PID 2364 wrote to memory of 2632 2364 d6cd939482b4ade431c618bb116a8580N.exe 30 PID 2632 wrote to memory of 2824 2632 Hifbdnbi.exe 31 PID 2632 wrote to memory of 2824 2632 Hifbdnbi.exe 31 PID 2632 wrote to memory of 2824 2632 Hifbdnbi.exe 31 PID 2632 wrote to memory of 2824 2632 Hifbdnbi.exe 31 PID 2824 wrote to memory of 2056 2824 Hqnjek32.exe 32 PID 2824 wrote to memory of 2056 2824 Hqnjek32.exe 32 PID 2824 wrote to memory of 2056 2824 Hqnjek32.exe 32 PID 2824 wrote to memory of 2056 2824 Hqnjek32.exe 32 PID 2056 wrote to memory of 2776 2056 Hjfnnajl.exe 33 PID 2056 wrote to memory of 2776 2056 Hjfnnajl.exe 33 PID 2056 wrote to memory of 2776 2056 Hjfnnajl.exe 33 PID 2056 wrote to memory of 2776 2056 Hjfnnajl.exe 33 PID 2776 wrote to memory of 2552 2776 Ikgkei32.exe 34 PID 2776 wrote to memory of 2552 2776 Ikgkei32.exe 34 PID 2776 wrote to memory of 2552 2776 Ikgkei32.exe 34 PID 2776 wrote to memory of 2552 2776 Ikgkei32.exe 34 PID 2552 wrote to memory of 320 2552 Icncgf32.exe 35 PID 2552 wrote to memory of 320 2552 Icncgf32.exe 35 PID 2552 wrote to memory of 320 2552 Icncgf32.exe 35 PID 2552 wrote to memory of 320 2552 Icncgf32.exe 35 PID 320 wrote to memory of 948 320 Ifmocb32.exe 36 PID 320 wrote to memory of 948 320 Ifmocb32.exe 36 PID 320 wrote to memory of 948 320 Ifmocb32.exe 36 PID 320 wrote to memory of 948 320 Ifmocb32.exe 36 PID 948 wrote to memory of 880 948 Ioeclg32.exe 37 PID 948 wrote to memory of 880 948 Ioeclg32.exe 37 PID 948 wrote to memory of 880 948 Ioeclg32.exe 37 PID 948 wrote to memory of 880 948 Ioeclg32.exe 37 PID 880 wrote to memory of 2932 880 Ibcphc32.exe 38 PID 880 wrote to memory of 2932 880 Ibcphc32.exe 38 PID 880 wrote to memory of 2932 880 Ibcphc32.exe 38 PID 880 wrote to memory of 2932 880 Ibcphc32.exe 38 PID 2932 wrote to memory of 2804 2932 Igqhpj32.exe 39 PID 2932 wrote to memory of 2804 2932 Igqhpj32.exe 39 PID 2932 wrote to memory of 2804 2932 Igqhpj32.exe 39 PID 2932 wrote to memory of 2804 2932 Igqhpj32.exe 39 PID 2804 wrote to memory of 2912 2804 Iaimipjl.exe 40 PID 2804 wrote to memory of 2912 2804 Iaimipjl.exe 40 PID 2804 wrote to memory of 2912 2804 Iaimipjl.exe 40 PID 2804 wrote to memory of 2912 2804 Iaimipjl.exe 40 PID 2912 wrote to memory of 496 2912 Iipejmko.exe 41 PID 2912 wrote to memory of 496 2912 Iipejmko.exe 41 PID 2912 wrote to memory of 496 2912 Iipejmko.exe 41 PID 2912 wrote to memory of 496 2912 Iipejmko.exe 41 PID 496 wrote to memory of 2640 496 Ibhicbao.exe 42 PID 496 wrote to memory of 2640 496 Ibhicbao.exe 42 PID 496 wrote to memory of 2640 496 Ibhicbao.exe 42 PID 496 wrote to memory of 2640 496 Ibhicbao.exe 42 PID 2640 wrote to memory of 536 2640 Icifjk32.exe 43 PID 2640 wrote to memory of 536 2640 Icifjk32.exe 43 PID 2640 wrote to memory of 536 2640 Icifjk32.exe 43 PID 2640 wrote to memory of 536 2640 Icifjk32.exe 43 PID 536 wrote to memory of 2380 536 Inojhc32.exe 44 PID 536 wrote to memory of 2380 536 Inojhc32.exe 44 PID 536 wrote to memory of 2380 536 Inojhc32.exe 44 PID 536 wrote to memory of 2380 536 Inojhc32.exe 44 PID 2380 wrote to memory of 2160 2380 Iamfdo32.exe 45 PID 2380 wrote to memory of 2160 2380 Iamfdo32.exe 45 PID 2380 wrote to memory of 2160 2380 Iamfdo32.exe 45 PID 2380 wrote to memory of 2160 2380 Iamfdo32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\d6cd939482b4ade431c618bb116a8580N.exe"C:\Users\Admin\AppData\Local\Temp\d6cd939482b4ade431c618bb116a8580N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Hifbdnbi.exeC:\Windows\system32\Hifbdnbi.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Hqnjek32.exeC:\Windows\system32\Hqnjek32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Hjfnnajl.exeC:\Windows\system32\Hjfnnajl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Ikgkei32.exeC:\Windows\system32\Ikgkei32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Icncgf32.exeC:\Windows\system32\Icncgf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Ifmocb32.exeC:\Windows\system32\Ifmocb32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\SysWOW64\Ioeclg32.exeC:\Windows\system32\Ioeclg32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\SysWOW64\Ibcphc32.exeC:\Windows\system32\Ibcphc32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\SysWOW64\Igqhpj32.exeC:\Windows\system32\Igqhpj32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Iaimipjl.exeC:\Windows\system32\Iaimipjl.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Iipejmko.exeC:\Windows\system32\Iipejmko.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Ibhicbao.exeC:\Windows\system32\Ibhicbao.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:496 -
C:\Windows\SysWOW64\Icifjk32.exeC:\Windows\system32\Icifjk32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Inojhc32.exeC:\Windows\system32\Inojhc32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Iamfdo32.exeC:\Windows\system32\Iamfdo32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Jnagmc32.exeC:\Windows\system32\Jnagmc32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2160 -
C:\Windows\SysWOW64\Jcnoejch.exeC:\Windows\system32\Jcnoejch.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:112 -
C:\Windows\SysWOW64\Jjhgbd32.exeC:\Windows\system32\Jjhgbd32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1764 -
C:\Windows\SysWOW64\Jikhnaao.exeC:\Windows\system32\Jikhnaao.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:868 -
C:\Windows\SysWOW64\Jpepkk32.exeC:\Windows\system32\Jpepkk32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Jbclgf32.exeC:\Windows\system32\Jbclgf32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1320 -
C:\Windows\SysWOW64\Jjjdhc32.exeC:\Windows\system32\Jjjdhc32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1928 -
C:\Windows\SysWOW64\Jmipdo32.exeC:\Windows\system32\Jmipdo32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2432 -
C:\Windows\SysWOW64\Jfaeme32.exeC:\Windows\system32\Jfaeme32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1904 -
C:\Windows\SysWOW64\Jipaip32.exeC:\Windows\system32\Jipaip32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1972 -
C:\Windows\SysWOW64\Jmkmjoec.exeC:\Windows\system32\Jmkmjoec.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2080 -
C:\Windows\SysWOW64\Jbhebfck.exeC:\Windows\system32\Jbhebfck.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Jplfkjbd.exeC:\Windows\system32\Jplfkjbd.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1576 -
C:\Windows\SysWOW64\Kbjbge32.exeC:\Windows\system32\Kbjbge32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2012 -
C:\Windows\SysWOW64\Khgkpl32.exeC:\Windows\system32\Khgkpl32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2372 -
C:\Windows\SysWOW64\Koaclfgl.exeC:\Windows\system32\Koaclfgl.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Kbmome32.exeC:\Windows\system32\Kbmome32.exe33⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Kdnkdmec.exeC:\Windows\system32\Kdnkdmec.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Kdphjm32.exeC:\Windows\system32\Kdphjm32.exe35⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Kfodfh32.exeC:\Windows\system32\Kfodfh32.exe36⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Kpgionie.exeC:\Windows\system32\Kpgionie.exe37⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Khnapkjg.exeC:\Windows\system32\Khnapkjg.exe38⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Kipmhc32.exeC:\Windows\system32\Kipmhc32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:484 -
C:\Windows\SysWOW64\Kpieengb.exeC:\Windows\system32\Kpieengb.exe40⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Libjncnc.exeC:\Windows\system32\Libjncnc.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Llpfjomf.exeC:\Windows\system32\Llpfjomf.exe42⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Ldgnklmi.exeC:\Windows\system32\Ldgnklmi.exe43⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Leikbd32.exeC:\Windows\system32\Leikbd32.exe44⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Lmpcca32.exeC:\Windows\system32\Lmpcca32.exe45⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Lcmklh32.exeC:\Windows\system32\Lcmklh32.exe46⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Lghgmg32.exeC:\Windows\system32\Lghgmg32.exe47⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Lcohahpn.exeC:\Windows\system32\Lcohahpn.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Lemdncoa.exeC:\Windows\system32\Lemdncoa.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Lhlqjone.exeC:\Windows\system32\Lhlqjone.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Lkjmfjmi.exeC:\Windows\system32\Lkjmfjmi.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Lofifi32.exeC:\Windows\system32\Lofifi32.exe52⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Ladebd32.exeC:\Windows\system32\Ladebd32.exe53⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Ldbaopdj.exeC:\Windows\system32\Ldbaopdj.exe54⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Lljipmdl.exeC:\Windows\system32\Lljipmdl.exe55⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Lohelidp.exeC:\Windows\system32\Lohelidp.exe56⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Mdendpbg.exeC:\Windows\system32\Mdendpbg.exe57⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Mhqjen32.exeC:\Windows\system32\Mhqjen32.exe58⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Mkofaj32.exeC:\Windows\system32\Mkofaj32.exe59⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Mojbaham.exeC:\Windows\system32\Mojbaham.exe60⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Mainndaq.exeC:\Windows\system32\Mainndaq.exe61⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Mdgkjopd.exeC:\Windows\system32\Mdgkjopd.exe62⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Mgegfk32.exeC:\Windows\system32\Mgegfk32.exe63⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Mnpobefe.exeC:\Windows\system32\Mnpobefe.exe64⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Mpnkopeh.exeC:\Windows\system32\Mpnkopeh.exe65⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Mclgklel.exeC:\Windows\system32\Mclgklel.exe66⤵PID:2852
-
C:\Windows\SysWOW64\Mkcplien.exeC:\Windows\system32\Mkcplien.exe67⤵PID:2428
-
C:\Windows\SysWOW64\Mnblhddb.exeC:\Windows\system32\Mnblhddb.exe68⤵PID:608
-
C:\Windows\SysWOW64\Mlelda32.exeC:\Windows\system32\Mlelda32.exe69⤵PID:2480
-
C:\Windows\SysWOW64\Mcodqkbi.exeC:\Windows\system32\Mcodqkbi.exe70⤵PID:1548
-
C:\Windows\SysWOW64\Mgjpaj32.exeC:\Windows\system32\Mgjpaj32.exe71⤵PID:2856
-
C:\Windows\SysWOW64\Mndhnd32.exeC:\Windows\system32\Mndhnd32.exe72⤵PID:2616
-
C:\Windows\SysWOW64\Mqbejp32.exeC:\Windows\system32\Mqbejp32.exe73⤵PID:1056
-
C:\Windows\SysWOW64\Mcaafk32.exeC:\Windows\system32\Mcaafk32.exe74⤵PID:836
-
C:\Windows\SysWOW64\Mfpmbf32.exeC:\Windows\system32\Mfpmbf32.exe75⤵PID:3056
-
C:\Windows\SysWOW64\Mjkibehc.exeC:\Windows\system32\Mjkibehc.exe76⤵PID:2812
-
C:\Windows\SysWOW64\Mlieoqgg.exeC:\Windows\system32\Mlieoqgg.exe77⤵PID:2948
-
C:\Windows\SysWOW64\Nohaklfk.exeC:\Windows\system32\Nohaklfk.exe78⤵
- Drops file in System32 directory
PID:2320 -
C:\Windows\SysWOW64\Nbfnggeo.exeC:\Windows\system32\Nbfnggeo.exe79⤵PID:2424
-
C:\Windows\SysWOW64\Njmfhe32.exeC:\Windows\system32\Njmfhe32.exe80⤵PID:2384
-
C:\Windows\SysWOW64\Nkobpmlo.exeC:\Windows\system32\Nkobpmlo.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Ncfjajma.exeC:\Windows\system32\Ncfjajma.exe82⤵PID:1284
-
C:\Windows\SysWOW64\Nfdfmfle.exeC:\Windows\system32\Nfdfmfle.exe83⤵PID:844
-
C:\Windows\SysWOW64\Ndggib32.exeC:\Windows\system32\Ndggib32.exe84⤵PID:2700
-
C:\Windows\SysWOW64\Nmnojp32.exeC:\Windows\system32\Nmnojp32.exe85⤵PID:1568
-
C:\Windows\SysWOW64\Nomkfk32.exeC:\Windows\system32\Nomkfk32.exe86⤵PID:2896
-
C:\Windows\SysWOW64\Nnokahip.exeC:\Windows\system32\Nnokahip.exe87⤵PID:2224
-
C:\Windows\SysWOW64\Ndicnb32.exeC:\Windows\system32\Ndicnb32.exe88⤵PID:2784
-
C:\Windows\SysWOW64\Nhepoaif.exeC:\Windows\system32\Nhepoaif.exe89⤵PID:448
-
C:\Windows\SysWOW64\Nkclkl32.exeC:\Windows\system32\Nkclkl32.exe90⤵PID:2316
-
C:\Windows\SysWOW64\Noohlkpc.exeC:\Windows\system32\Noohlkpc.exe91⤵PID:2088
-
C:\Windows\SysWOW64\Ndlpdbnj.exeC:\Windows\system32\Ndlpdbnj.exe92⤵PID:1720
-
C:\Windows\SysWOW64\Nigldq32.exeC:\Windows\system32\Nigldq32.exe93⤵PID:1532
-
C:\Windows\SysWOW64\Njhilimb.exeC:\Windows\system32\Njhilimb.exe94⤵PID:796
-
C:\Windows\SysWOW64\Nbpqmfmd.exeC:\Windows\system32\Nbpqmfmd.exe95⤵PID:2656
-
C:\Windows\SysWOW64\Nqbaic32.exeC:\Windows\system32\Nqbaic32.exe96⤵PID:1564
-
C:\Windows\SysWOW64\Okhefl32.exeC:\Windows\system32\Okhefl32.exe97⤵PID:1472
-
C:\Windows\SysWOW64\Ojkeah32.exeC:\Windows\system32\Ojkeah32.exe98⤵PID:2256
-
C:\Windows\SysWOW64\Omiand32.exeC:\Windows\system32\Omiand32.exe99⤵PID:2920
-
C:\Windows\SysWOW64\Oepjoa32.exeC:\Windows\system32\Oepjoa32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3008 -
C:\Windows\SysWOW64\Ogofkm32.exeC:\Windows\system32\Ogofkm32.exe101⤵PID:3004
-
C:\Windows\SysWOW64\Oninhgae.exeC:\Windows\system32\Oninhgae.exe102⤵PID:2936
-
C:\Windows\SysWOW64\Oqgjdbpi.exeC:\Windows\system32\Oqgjdbpi.exe103⤵PID:1808
-
C:\Windows\SysWOW64\Opjkpo32.exeC:\Windows\system32\Opjkpo32.exe104⤵PID:3068
-
C:\Windows\SysWOW64\Ogabql32.exeC:\Windows\system32\Ogabql32.exe105⤵PID:2396
-
C:\Windows\SysWOW64\Ojpomh32.exeC:\Windows\system32\Ojpomh32.exe106⤵
- Drops file in System32 directory
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Omnkicen.exeC:\Windows\system32\Omnkicen.exe107⤵PID:2672
-
C:\Windows\SysWOW64\Oaigib32.exeC:\Windows\system32\Oaigib32.exe108⤵PID:1912
-
C:\Windows\SysWOW64\Ochcem32.exeC:\Windows\system32\Ochcem32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Obkcajde.exeC:\Windows\system32\Obkcajde.exe110⤵PID:2604
-
C:\Windows\SysWOW64\Oielnd32.exeC:\Windows\system32\Oielnd32.exe111⤵PID:1224
-
C:\Windows\SysWOW64\Olchjp32.exeC:\Windows\system32\Olchjp32.exe112⤵PID:2876
-
C:\Windows\SysWOW64\Ocjpkm32.exeC:\Windows\system32\Ocjpkm32.exe113⤵PID:2476
-
C:\Windows\SysWOW64\Obmpgjbb.exeC:\Windows\system32\Obmpgjbb.exe114⤵PID:2200
-
C:\Windows\SysWOW64\Oekmceaf.exeC:\Windows\system32\Oekmceaf.exe115⤵PID:2892
-
C:\Windows\SysWOW64\Ombddbah.exeC:\Windows\system32\Ombddbah.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:556 -
C:\Windows\SysWOW64\Opaqpn32.exeC:\Windows\system32\Opaqpn32.exe117⤵PID:1804
-
C:\Windows\SysWOW64\Pfkimhhi.exeC:\Windows\system32\Pfkimhhi.exe118⤵
- Drops file in System32 directory
PID:1248 -
C:\Windows\SysWOW64\Penihe32.exeC:\Windows\system32\Penihe32.exe119⤵PID:300
-
C:\Windows\SysWOW64\Plhaeofp.exeC:\Windows\system32\Plhaeofp.exe120⤵
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Pnfnajed.exeC:\Windows\system32\Pnfnajed.exe121⤵PID:1272
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-