Analysis
max time kernel: 120s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 22/07/2024, 13:21
Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: b6a1bf5223ffd73b8c8b744fbbab33c0N.exe
  Resource: win7-20240704-en
  7 signatures, 120 seconds
Behavioral task: behavioral2
  Sample: b6a1bf5223ffd73b8c8b744fbbab33c0N.exe
  Resource: win10v2004-20240709-en
  6 signatures, 120 seconds
General
Target: b6a1bf5223ffd73b8c8b744fbbab33c0N.exe
Size: 397KB
MD5: b6a1bf5223ffd73b8c8b744fbbab33c0
SHA1: 0a56fa2abca18654f3975dc5d11d1a3fdda1de2c
SHA256: 1e5c02bc63366e42827db8637d936b26f07fc6a4ae0f167944d29441a93d937b
SHA512: b7ccbca4aa6f510f0d90d210affb55d9cf308f0eed586e11d0395a2f2c82d7663ee975d5fb165f4f0977976cc9930f99dd96888cffc7f3a636aada7eaf2f60c1
SSDEEP: 6144:fsCYWstHVzFM6234lKm3mo8Yvi4KsLTFM6234lKm3pT11Tgkz1581hW:UJWsvFB24lwR45FB24lzx1skz15L
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 2588, pid_target: 3988, Process: WerFault.exe, procid_target: 883
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\b6a1bf5223ffd73b8c8b744fbbab33c0N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\b6a1bf5223ffd73b8c8b744fbbab33c0N.exe"), PID 2476
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\Hqcpfcbl.exe (command line: C:\Windows\system32\Hqcpfcbl.exe), PID 2484
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\Hgbanlfc.exe (command line: C:\Windows\system32\Hgbanlfc.exe), PID 2800
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\Ijegeg32.exe (command line: C:\Windows\system32\Ijegeg32.exe), PID 1368
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[5] C:\Windows\SysWOW64\Ikkmho32.exe (command line: C:\Windows\system32\Ikkmho32.exe), PID 2668
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\Jajbfeop.exe (command line: C:\Windows\system32\Jajbfeop.exe), PID 2644
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[7] C:\Windows\SysWOW64\Jijqeg32.exe (command line: C:\Windows\system32\Jijqeg32.exe), PID 2700
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[8] C:\Windows\SysWOW64\Jecnpg32.exe (command line: C:\Windows\system32\Jecnpg32.exe), PID 2588
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[9] C:\Windows\SysWOW64\Kalkjh32.exe (command line: C:\Windows\system32\Kalkjh32.exe), PID 2624
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[10] C:\Windows\SysWOW64\Kdmdlc32.exe (command line: C:\Windows\system32\Kdmdlc32.exe), PID 2888
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[11] C:\Windows\SysWOW64\Lphnlcnh.exe (command line: C:\Windows\system32\Lphnlcnh.exe), PID 1156
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[12] C:\Windows\SysWOW64\Lophcpam.exe (command line: C:\Windows\system32\Lophcpam.exe), PID 1992
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[13] C:\Windows\SysWOW64\Macnjk32.exe (command line: C:\Windows\system32\Macnjk32.exe), PID 2592
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
[14] C:\Windows\SysWOW64\Mhobldaf.exe (command line: C:\Windows\system32\Mhobldaf.exe), PID 1632
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[15] C:\Windows\SysWOW64\Mlcekgbb.exe (command line: C:\Windows\system32\Mlcekgbb.exe), PID 1784
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[16] C:\Windows\SysWOW64\Nlfaag32.exe (command line: C:\Windows\system32\Nlfaag32.exe), PID 2924
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[17] C:\Windows\SysWOW64\Ndfppije.exe (command line: C:\Windows\system32\Ndfppije.exe), PID 2388
- Executes dropped EXE
- Loads dropped DLL
[18] C:\Windows\SysWOW64\Omjgkjof.exe (command line: C:\Windows\system32\Omjgkjof.exe), PID 2428
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
[19] C:\Windows\SysWOW64\Pfgeoo32.exe (command line: C:\Windows\system32\Pfgeoo32.exe), PID 2296
- Executes dropped EXE
- Loads dropped DLL
[20] C:\Windows\SysWOW64\Pldnge32.exe (command line: C:\Windows\system32\Pldnge32.exe), PID 236
- Executes dropped EXE
- Loads dropped DLL
[21] C:\Windows\SysWOW64\Pembpkfi.exe (command line: C:\Windows\system32\Pembpkfi.exe), PID 1296
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
[22] C:\Windows\SysWOW64\Peooek32.exe (command line: C:\Windows\system32\Peooek32.exe), PID 1032
- Executes dropped EXE
- Loads dropped DLL
[23] C:\Windows\SysWOW64\Pafpjljk.exe (command line: C:\Windows\system32\Pafpjljk.exe), PID 3036
- Executes dropped EXE
- Loads dropped DLL
[24] C:\Windows\SysWOW64\Pnjpdphd.exe (command line: C:\Windows\system32\Pnjpdphd.exe), PID 1608
- Executes dropped EXE
- Loads dropped DLL
[25] C:\Windows\SysWOW64\Qhdabemb.exe (command line: C:\Windows\system32\Qhdabemb.exe), PID 1388
- Executes dropped EXE
- Loads dropped DLL
[26] C:\Windows\SysWOW64\Adkbgf32.exe (command line: C:\Windows\system32\Adkbgf32.exe), PID 1648
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
[27] C:\Windows\SysWOW64\Apbblg32.exe (command line: C:\Windows\system32\Apbblg32.exe), PID 2120
- Executes dropped EXE
- Loads dropped DLL
[28] C:\Windows\SysWOW64\Aogpmcmb.exe (command line: C:\Windows\system32\Aogpmcmb.exe), PID 592
- Executes dropped EXE
- Loads dropped DLL
[29] C:\Windows\SysWOW64\Almmlg32.exe (command line: C:\Windows\system32\Almmlg32.exe), PID 2292
- Executes dropped EXE
- Loads dropped DLL
[30] C:\Windows\SysWOW64\Bdiaqj32.exe (command line: C:\Windows\system32\Bdiaqj32.exe), PID 2720
- Executes dropped EXE
- Loads dropped DLL
[31] C:\Windows\SysWOW64\Bpbokj32.exe (command line: C:\Windows\system32\Bpbokj32.exe), PID 1036
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
[32] C:\Windows\SysWOW64\Baakem32.exe (command line: C:\Windows\system32\Baakem32.exe), PID 2804
- Executes dropped EXE
- Loads dropped DLL
[33] C:\Windows\SysWOW64\Bnhljnhm.exe (command line: C:\Windows\system32\Bnhljnhm.exe), PID 1968
- Executes dropped EXE
[34] C:\Windows\SysWOW64\Blmikkle.exe (command line: C:\Windows\system32\Blmikkle.exe), PID 2640
- Executes dropped EXE
[35] C:\Windows\SysWOW64\Cjaieoko.exe (command line: C:\Windows\system32\Cjaieoko.exe), PID 2848
- Executes dropped EXE
[36] C:\Windows\SysWOW64\Clbbfj32.exe (command line: C:\Windows\system32\Clbbfj32.exe), PID 2628
- Executes dropped EXE
- Modifies registry class
[37] C:\Windows\SysWOW64\Cdpdpl32.exe (command line: C:\Windows\system32\Cdpdpl32.exe), PID 1808
- Executes dropped EXE
[38] C:\Windows\SysWOW64\Cqfdem32.exe (command line: C:\Windows\system32\Cqfdem32.exe), PID 1868
- Executes dropped EXE
- Modifies registry class
[39] C:\Windows\SysWOW64\Dddmkkpb.exe (command line: C:\Windows\system32\Dddmkkpb.exe), PID 1272
- Executes dropped EXE
[40] C:\Windows\SysWOW64\Dgefmf32.exe (command line: C:\Windows\system32\Dgefmf32.exe), PID 2024
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[41] C:\Windows\SysWOW64\Djfooa32.exe (command line: C:\Windows\system32\Djfooa32.exe), PID 2336
- Executes dropped EXE
[42] C:\Windows\SysWOW64\Djhldahb.exe (command line: C:\Windows\system32\Djhldahb.exe), PID 2304
- Executes dropped EXE
[43] C:\Windows\SysWOW64\Ebcqicem.exe (command line: C:\Windows\system32\Ebcqicem.exe), PID 1436
- Executes dropped EXE
[44] C:\Windows\SysWOW64\Epgabhdg.exe (command line: C:\Windows\system32\Epgabhdg.exe), PID 1812
- Executes dropped EXE
[45] C:\Windows\SysWOW64\Efaiobkc.exe (command line: C:\Windows\system32\Efaiobkc.exe), PID 2352
- Executes dropped EXE
[46] C:\Windows\SysWOW64\Enlncdio.exe (command line: C:\Windows\system32\Enlncdio.exe), PID 1828
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[47] C:\Windows\SysWOW64\Elpnmhgh.exe (command line: C:\Windows\system32\Elpnmhgh.exe), PID 704
- Executes dropped EXE
[48] C:\Windows\SysWOW64\Eckcak32.exe (command line: C:\Windows\system32\Eckcak32.exe), PID 1376
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[49] C:\Windows\SysWOW64\Ehilgikj.exe (command line: C:\Windows\system32\Ehilgikj.exe), PID 2976
- Executes dropped EXE
[50] C:\Windows\SysWOW64\Fpdqlkhe.exe (command line: C:\Windows\system32\Fpdqlkhe.exe), PID 1584
- Executes dropped EXE
[51] C:\Windows\SysWOW64\Fdbibjok.exe (command line: C:\Windows\system32\Fdbibjok.exe), PID 2348
- Executes dropped EXE
[52] C:\Windows\SysWOW64\Fjlaod32.exe (command line: C:\Windows\system32\Fjlaod32.exe), PID 2284
- Executes dropped EXE
[53] C:\Windows\SysWOW64\Fpijgk32.exe (command line: C:\Windows\system32\Fpijgk32.exe), PID 2212
- Executes dropped EXE
[54] C:\Windows\SysWOW64\Fianpp32.exe (command line: C:\Windows\system32\Fianpp32.exe), PID 2660
- Executes dropped EXE
[55] C:\Windows\SysWOW64\Ffeoid32.exe (command line: C:\Windows\system32\Ffeoid32.exe), PID 2792
- Executes dropped EXE
[56] C:\Windows\SysWOW64\Flbgak32.exe (command line: C:\Windows\system32\Flbgak32.exe), PID 2560
- Executes dropped EXE
[57] C:\Windows\SysWOW64\Gledgkfn.exe (command line: C:\Windows\system32\Gledgkfn.exe), PID 2520
- Executes dropped EXE
[58] C:\Windows\SysWOW64\Gaamobdf.exe (command line: C:\Windows\system32\Gaamobdf.exe), PID 2880
- Executes dropped EXE
[59] C:\Windows\SysWOW64\Gkjahg32.exe (command line: C:\Windows\system32\Gkjahg32.exe), PID 3016
- Executes dropped EXE
[60] C:\Windows\SysWOW64\Gohjnf32.exe (command line: C:\Windows\system32\Gohjnf32.exe), PID 852
- Executes dropped EXE
[61] C:\Windows\SysWOW64\Gkojcgga.exe (command line: C:\Windows\system32\Gkojcgga.exe), PID 1800
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[62] C:\Windows\SysWOW64\Gcjogidl.exe (command line: C:\Windows\system32\Gcjogidl.exe), PID 1676
- Executes dropped EXE
[63] C:\Windows\SysWOW64\Hekhid32.exe (command line: C:\Windows\system32\Hekhid32.exe), PID 2104
- Executes dropped EXE
- Drops file in System32 directory
[64] C:\Windows\SysWOW64\Igeggkoq.exe (command line: C:\Windows\system32\Igeggkoq.exe), PID 1380
- Executes dropped EXE
[65] C:\Windows\SysWOW64\Igjabj32.exe (command line: C:\Windows\system32\Igjabj32.exe), PID 960
- Executes dropped EXE
[66] C:\Windows\SysWOW64\Iogbllfc.exe (command line: C:\Windows\system32\Iogbllfc.exe), PID 3052
[67] C:\Windows\SysWOW64\Jkqpfmje.exe (command line: C:\Windows\system32\Jkqpfmje.exe), PID 816
[68] C:\Windows\SysWOW64\Jkcllmhb.exe (command line: C:\Windows\system32\Jkcllmhb.exe), PID 2028
[69] C:\Windows\SysWOW64\Jkeialfp.exe (command line: C:\Windows\system32\Jkeialfp.exe), PID 880
- Modifies registry class
[70] C:\Windows\SysWOW64\Jadnoc32.exe (command line: C:\Windows\system32\Jadnoc32.exe), PID 2324
[71] C:\Windows\SysWOW64\Jgnflmia.exe (command line: C:\Windows\system32\Jgnflmia.exe), PID 2748
[72] C:\Windows\SysWOW64\Kebgea32.exe (command line: C:\Windows\system32\Kebgea32.exe), PID 2684
[73] C:\Windows\SysWOW64\Kmnljc32.exe (command line: C:\Windows\system32\Kmnljc32.exe), PID 2540
[74] C:\Windows\SysWOW64\Kpqaanqd.exe (command line: C:\Windows\system32\Kpqaanqd.exe), PID 2872
- Drops file in System32 directory
[75] C:\Windows\SysWOW64\Kiifjd32.exe (command line: C:\Windows\system32\Kiifjd32.exe), PID 2980
[76] C:\Windows\SysWOW64\Kfmfchfo.exe (command line: C:\Windows\system32\Kfmfchfo.exe), PID 1488
[77] C:\Windows\SysWOW64\Lpekln32.exe (command line: C:\Windows\system32\Lpekln32.exe), PID 676
- Drops file in System32 directory
[78] C:\Windows\SysWOW64\Lebcdd32.exe (command line: C:\Windows\system32\Lebcdd32.exe), PID 2852
[79] C:\Windows\SysWOW64\Ldgpea32.exe (command line: C:\Windows\system32\Ldgpea32.exe), PID 2356
[80] C:\Windows\SysWOW64\Legmpdga.exe (command line: C:\Windows\system32\Legmpdga.exe), PID 1960
[81] C:\Windows\SysWOW64\Looahi32.exe (command line: C:\Windows\system32\Looahi32.exe), PID 1100
[82] C:\Windows\SysWOW64\Ldljqpli.exe (command line: C:\Windows\system32\Ldljqpli.exe), PID 296
[83] C:\Windows\SysWOW64\Mapjjdjb.exe (command line: C:\Windows\system32\Mapjjdjb.exe), PID 2288
[84] C:\Windows\SysWOW64\Mikooghn.exe (command line: C:\Windows\system32\Mikooghn.exe), PID 2148
[85] C:\Windows\SysWOW64\Mmigdend.exe (command line: C:\Windows\system32\Mmigdend.exe), PID 2964
- Adds autorun key to be loaded by Explorer.exe on startup
[86] C:\Windows\SysWOW64\Mcfpmlll.exe (command line: C:\Windows\system32\Mcfpmlll.exe), PID 1936
[87] C:\Windows\SysWOW64\Mchmblji.exe (command line: C:\Windows\system32\Mchmblji.exe), PID 3044
[88] C:\Windows\SysWOW64\Mlqakaqi.exe (command line: C:\Windows\system32\Mlqakaqi.exe), PID 2704
- Drops file in System32 directory
- Modifies registry class
[89] C:\Windows\SysWOW64\Mamjchoa.exe (command line: C:\Windows\system32\Mamjchoa.exe), PID 2572
[90] C:\Windows\SysWOW64\Nlcnaaog.exe (command line: C:\Windows\system32\Nlcnaaog.exe), PID 2536
[91] C:\Windows\SysWOW64\Nkhkbmco.exe (command line: C:\Windows\system32\Nkhkbmco.exe), PID 2856
[92] C:\Windows\SysWOW64\Nkjggmal.exe (command line: C:\Windows\system32\Nkjggmal.exe), PID 1504
[93] C:\Windows\SysWOW64\Nadpdg32.exe (command line: C:\Windows\system32\Nadpdg32.exe), PID 2512
[94] C:\Windows\SysWOW64\Ndeifbfj.exe (command line: C:\Windows\system32\Ndeifbfj.exe), PID 2412
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
[95] C:\Windows\SysWOW64\Nnnmoh32.exe (command line: C:\Windows\system32\Nnnmoh32.exe), PID 2932
- Modifies registry class
[96] C:\Windows\SysWOW64\Ombjpd32.exe (command line: C:\Windows\system32\Ombjpd32.exe), PID 2192
[97] C:\Windows\SysWOW64\Ocmbmnio.exe (command line: C:\Windows\system32\Ocmbmnio.exe), PID 1320
[98] C:\Windows\SysWOW64\Okhgaqfj.exe (command line: C:\Windows\system32\Okhgaqfj.exe), PID 1056
[99] C:\Windows\SysWOW64\Ocoobngl.exe (command line: C:\Windows\system32\Ocoobngl.exe), PID 1040
- Drops file in System32 directory
[100] C:\Windows\SysWOW64\Onipbl32.exe (command line: C:\Windows\system32\Onipbl32.exe), PID 2080
[101] C:\Windows\SysWOW64\Odbhofjh.exe (command line: C:\Windows\system32\Odbhofjh.exe), PID 1564
[102] C:\Windows\SysWOW64\Oeeeeehe.exe (command line: C:\Windows\system32\Oeeeeehe.exe), PID 3060
[103] C:\Windows\SysWOW64\Ogcaaahi.exe (command line: C:\Windows\system32\Ogcaaahi.exe), PID 2548
[104] C:\Windows\SysWOW64\Pmecdgbk.exe (command line: C:\Windows\system32\Pmecdgbk.exe), PID 2988
[105] C:\Windows\SysWOW64\Pgjgapaa.exe (command line: C:\Windows\system32\Pgjgapaa.exe), PID 2864
[106] C:\Windows\SysWOW64\Pfpdcm32.exe (command line: C:\Windows\system32\Pfpdcm32.exe), PID 1396
[107] C:\Windows\SysWOW64\Pmimpf32.exe (command line: C:\Windows\system32\Pmimpf32.exe), PID 1116
- Drops file in System32 directory
[108] C:\Windows\SysWOW64\Pbfehn32.exe (command line: C:\Windows\system32\Pbfehn32.exe), PID 1688
- Drops file in System32 directory
[109] C:\Windows\SysWOW64\Qloiqcbn.exe (command line: C:\Windows\system32\Qloiqcbn.exe), PID 272
[110] C:\Windows\SysWOW64\Qfdnnlbc.exe (command line: C:\Windows\system32\Qfdnnlbc.exe), PID 2944
[111] C:\Windows\SysWOW64\Aanonj32.exe (command line: C:\Windows\system32\Aanonj32.exe), PID 768
[112] C:\Windows\SysWOW64\Abmkhmfe.exe (command line: C:\Windows\system32\Abmkhmfe.exe), PID 928
- Drops file in System32 directory
[113] C:\Windows\SysWOW64\Adohpe32.exe (command line: C:\Windows\system32\Adohpe32.exe), PID 2756
- Adds autorun key to be loaded by Explorer.exe on startup
[114] C:\Windows\SysWOW64\Adadedjq.exe (command line: C:\Windows\system32\Adadedjq.exe), PID 2776
- Modifies registry class
[115] C:\Windows\SysWOW64\Aaeeoihj.exe (command line: C:\Windows\system32\Aaeeoihj.exe), PID 2820
[116] C:\Windows\SysWOW64\Aagadh32.exe (command line: C:\Windows\system32\Aagadh32.exe), PID 1548
[117] C:\Windows\SysWOW64\Bcbabodk.exe (command line: C:\Windows\system32\Bcbabodk.exe), PID 2340
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
[118] C:\Windows\SysWOW64\Bagncl32.exe (command line: C:\Windows\system32\Bagncl32.exe), PID 1328
[119] C:\Windows\SysWOW64\Ckoblapc.exe (command line: C:\Windows\system32\Ckoblapc.exe), PID 1332
[120] C:\Windows\SysWOW64\Ckboba32.exe (command line: C:\Windows\system32\Ckboba32.exe), PID 2420
[121] C:\Windows\SysWOW64\Cghpgbce.exe (command line: C:\Windows\system32\Cghpgbce.exe), PID 2056
[122] C:\Windows\SysWOW64\Clheeh32.exe (command line: C:\Windows\system32\Clheeh32.exe), PID 3028