Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
13-03-2024 18:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2630f081e67197af05bb0012b925e1bfdcf7dfe2048d306ac482a7f85fc214c7.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
2630f081e67197af05bb0012b925e1bfdcf7dfe2048d306ac482a7f85fc214c7.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
2630f081e67197af05bb0012b925e1bfdcf7dfe2048d306ac482a7f85fc214c7.exe
-
Size
45KB
-
MD5
399e5ddb248845e498dabf8fcf035673
-
SHA1
680ecc3606d236c0617128d5714d944db3e434e4
-
SHA256
2630f081e67197af05bb0012b925e1bfdcf7dfe2048d306ac482a7f85fc214c7
-
SHA512
5cc7a6701c6590bb7fad8bf8cae1e0dce859389174854c194a2b70c92903a47f6c6e89088170608b185f27f927fb4c83c91a2bf58d79833d6a2bc2ab06ece9f8
-
SSDEEP
768:fj4vo7BiRv3b0142tAJstWyIyR8PmrdCkgn/pzmQqn2u/1H5UsX:buo7BiRvrA42qJoWyIEkkgYQq7d
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncgdbmmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coelaaoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lphhenhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdboig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcgmoggn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Comdkipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mimbdhhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljibgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pckoam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhobddbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfoghakb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdgcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhcmhdke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckmnbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnlqnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eojnkg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnmlhchd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lphhenhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pngphgbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjhmfekp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgpjlnhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkjfah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpiedieo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lahmbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdjmcpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coelaaoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cppkph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nenobfak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oadkej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaloddnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnejbmko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecfldoph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhohda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffcllo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndqkleln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoagccfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aboaff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmkmdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjoifb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcbllb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcglec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilkpogmm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fheabelm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkhdkgnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chpmpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clmbddgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejehgkdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efcomkcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpbbdfik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Halbai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljfogake.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cikbhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnicmdli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbkbgjcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daejhjkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cojhejbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmfgjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbbngf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmoqnhla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcgapdeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odbeilbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgmbkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gohjaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcnqanhd.exe -
Executes dropped EXE 64 IoCs
pid Process 2944 Mggpgmof.exe 2084 Mihiih32.exe 2656 Mgljbm32.exe 2172 Mpdnkb32.exe 2468 Mcbjgn32.exe 2508 Mimbdhhb.exe 2312 Moiklogi.exe 1624 Mhbped32.exe 1572 Ncgdbmmp.exe 968 Nialog32.exe 2028 Nondgn32.exe 528 Nehmdhja.exe 2408 Nlbeqb32.exe 760 Naoniipe.exe 3024 Nglfapnl.exe 2308 Naajoinb.exe 2632 Nkiogn32.exe 1824 Nacgdhlp.exe 924 Oklkmnbp.exe 2160 Oqideepg.exe 1912 Ojahnj32.exe 1284 Oonafa32.exe 2116 Oclilp32.exe 1164 Ohibdf32.exe 2276 Ofmbnkhg.exe 840 Okikfagn.exe 2108 Pfoocjfd.exe 3008 Pogclp32.exe 3056 Pqhpdhcc.exe 2624 Pnlqnl32.exe 2672 Pkpagq32.exe 2572 Peiepfgg.exe 2444 Papfegmk.exe 2456 Pgioaa32.exe 2888 Qmfgjh32.exe 2372 Qbcpbo32.exe 1784 Qmicohqm.exe 1216 Qcbllb32.exe 2388 Aipddi32.exe 2356 Aefeijle.exe 1812 Aehboi32.exe 1280 Albjlcao.exe 1292 Aaobdjof.exe 2136 Aekodi32.exe 1076 Alegac32.exe 2512 Ajhgmpfg.exe 2292 Amfcikek.exe 2776 Ajjcbpdd.exe 1764 Amhpnkch.exe 3004 Bpgljfbl.exe 1864 Bjlqhoba.exe 1552 Bmkmdk32.exe 1564 Biamilfj.exe 1068 Blpjegfm.exe 2036 Bdgafdfp.exe 988 Behnnm32.exe 2316 Blbfjg32.exe 2324 Bpnbkeld.exe 2100 Bghjhp32.exe 2936 Bhigphio.exe 3048 Bppoqeja.exe 2900 Baakhm32.exe 2772 Biicik32.exe 2552 Coelaaoi.exe -
Loads dropped DLL 64 IoCs
pid Process 1732 2630f081e67197af05bb0012b925e1bfdcf7dfe2048d306ac482a7f85fc214c7.exe 1732 2630f081e67197af05bb0012b925e1bfdcf7dfe2048d306ac482a7f85fc214c7.exe 2944 Mggpgmof.exe 2944 Mggpgmof.exe 2084 Mihiih32.exe 2084 Mihiih32.exe 2656 Mgljbm32.exe 2656 Mgljbm32.exe 2172 Mpdnkb32.exe 2172 Mpdnkb32.exe 2468 Mcbjgn32.exe 2468 Mcbjgn32.exe 2508 Mimbdhhb.exe 2508 Mimbdhhb.exe 2312 Moiklogi.exe 2312 Moiklogi.exe 1624 Mhbped32.exe 1624 Mhbped32.exe 1572 Ncgdbmmp.exe 1572 Ncgdbmmp.exe 968 Nialog32.exe 968 Nialog32.exe 2028 Nondgn32.exe 2028 Nondgn32.exe 528 Nehmdhja.exe 528 Nehmdhja.exe 2408 Nlbeqb32.exe 2408 Nlbeqb32.exe 760 Naoniipe.exe 760 Naoniipe.exe 3024 Nglfapnl.exe 3024 Nglfapnl.exe 2308 Naajoinb.exe 2308 Naajoinb.exe 2632 Nkiogn32.exe 2632 Nkiogn32.exe 1824 Nacgdhlp.exe 1824 Nacgdhlp.exe 924 Oklkmnbp.exe 924 Oklkmnbp.exe 2160 Oqideepg.exe 2160 Oqideepg.exe 1912 Ojahnj32.exe 1912 Ojahnj32.exe 1284 Oonafa32.exe 1284 Oonafa32.exe 2116 Oclilp32.exe 2116 Oclilp32.exe 1164 Ohibdf32.exe 1164 Ohibdf32.exe 2276 Ofmbnkhg.exe 2276 Ofmbnkhg.exe 840 Okikfagn.exe 840 Okikfagn.exe 2108 Pfoocjfd.exe 2108 Pfoocjfd.exe 3008 Pogclp32.exe 3008 Pogclp32.exe 3056 Pqhpdhcc.exe 3056 Pqhpdhcc.exe 2624 Pnlqnl32.exe 2624 Pnlqnl32.exe 2672 Pkpagq32.exe 2672 Pkpagq32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pqemdbaj.exe Pngphgbf.exe File created C:\Windows\SysWOW64\Pfgngh32.exe Pbkbgjcc.exe File created C:\Windows\SysWOW64\Jmobpj32.dll Nlbgikia.exe File opened for modification C:\Windows\SysWOW64\Abmgjo32.exe Ahebaiac.exe File created C:\Windows\SysWOW64\Kclhicjn.dll Bpnbkeld.exe File created C:\Windows\SysWOW64\Khjjpi32.dll Bppoqeja.exe File created C:\Windows\SysWOW64\Gnefapmj.exe Gjijqa32.exe File created C:\Windows\SysWOW64\Eeejnlhc.dll Nckjkl32.exe File opened for modification C:\Windows\SysWOW64\Mamgmofp.exe Mnojacgm.exe File created C:\Windows\SysWOW64\Mfaefd32.exe Mdbiji32.exe File created C:\Windows\SysWOW64\Gdgcpi32.exe Faigdn32.exe File opened for modification C:\Windows\SysWOW64\Ejehgkdp.exe Efjlgmlf.exe File created C:\Windows\SysWOW64\Gbjlaplk.exe Gcglec32.exe File opened for modification C:\Windows\SysWOW64\Hhbdee32.exe Hahlhkhi.exe File opened for modification C:\Windows\SysWOW64\Okdkal32.exe Oegbheiq.exe File opened for modification C:\Windows\SysWOW64\Pgpeal32.exe Pqemdbaj.exe File created C:\Windows\SysWOW64\Obdkcckg.dll Mgljbm32.exe File opened for modification C:\Windows\SysWOW64\Mgebdipp.exe Makjho32.exe File created C:\Windows\SysWOW64\Kpbbidem.dll Nehmdhja.exe File created C:\Windows\SysWOW64\Bhigphio.exe Bghjhp32.exe File created C:\Windows\SysWOW64\Qbbhgi32.exe Qodlkm32.exe File opened for modification C:\Windows\SysWOW64\Echfaf32.exe Emnndlod.exe File opened for modification C:\Windows\SysWOW64\Kcakaipc.exe Kkjcplpa.exe File created C:\Windows\SysWOW64\Amnfnfgg.exe Akmjfn32.exe File created C:\Windows\SysWOW64\Lqpbpkco.dll Dgdpfp32.exe File created C:\Windows\SysWOW64\Mknhnalm.dll Aibcba32.exe File created C:\Windows\SysWOW64\Bhdeag32.dll Jcpkpe32.exe File opened for modification C:\Windows\SysWOW64\Kbcdbp32.exe Kqdhhm32.exe File created C:\Windows\SysWOW64\Cikbhc32.exe Cadjgf32.exe File opened for modification C:\Windows\SysWOW64\Mgljbm32.exe Mihiih32.exe File opened for modification C:\Windows\SysWOW64\Jnmlhchd.exe Jchhkjhn.exe File created C:\Windows\SysWOW64\Dcnqanhd.exe Dkgippgb.exe File created C:\Windows\SysWOW64\Namciplg.dll Dlfejcoe.exe File opened for modification C:\Windows\SysWOW64\Gqlebf32.exe Gmpjagfa.exe File created C:\Windows\SysWOW64\Nglknl32.dll Qmfgjh32.exe File opened for modification C:\Windows\SysWOW64\Lpgajgeg.exe Lgpiij32.exe File opened for modification C:\Windows\SysWOW64\Bniajoic.exe Bkhhhd32.exe File opened for modification C:\Windows\SysWOW64\Homclekn.exe Hipkdnmf.exe File opened for modification C:\Windows\SysWOW64\Gembhj32.exe Gbnflo32.exe File created C:\Windows\SysWOW64\Makjho32.exe Lnlnlc32.exe File created C:\Windows\SysWOW64\Keednado.exe Knklagmb.exe File created C:\Windows\SysWOW64\Opkekoll.dll Idiaii32.exe File created C:\Windows\SysWOW64\Bgjiml32.dll Ikefkcmo.exe File opened for modification C:\Windows\SysWOW64\Blpjegfm.exe Biamilfj.exe File opened for modification C:\Windows\SysWOW64\Glgaok32.exe Gfjhgdck.exe File created C:\Windows\SysWOW64\Migkgb32.dll Oohqqlei.exe File opened for modification C:\Windows\SysWOW64\Efnfbl32.exe Ebcjamoh.exe File created C:\Windows\SysWOW64\Jaidoiaj.dll Mfaefd32.exe File created C:\Windows\SysWOW64\Dgbdoe32.dll Ffibkj32.exe File created C:\Windows\SysWOW64\Ggfnopfg.exe Gegabegc.exe File opened for modification C:\Windows\SysWOW64\Dcnqanhd.exe Dkgippgb.exe File opened for modification C:\Windows\SysWOW64\Chnqkg32.exe Coelaaoi.exe File created C:\Windows\SysWOW64\Bmeelpbm.dll Jqgoiokm.exe File created C:\Windows\SysWOW64\Lmcmdd32.dll Onpjghhn.exe File created C:\Windows\SysWOW64\Biicik32.exe Baakhm32.exe File created C:\Windows\SysWOW64\Pledghce.dll Idnaoohk.exe File created C:\Windows\SysWOW64\Ajjcbpdd.exe Amfcikek.exe File created C:\Windows\SysWOW64\Lkmkpl32.dll Emkaol32.exe File created C:\Windows\SysWOW64\Gcglec32.exe Giahhj32.exe File created C:\Windows\SysWOW64\Ldkeee32.dll Npijoj32.exe File created C:\Windows\SysWOW64\Dgdpfp32.exe Ddfcje32.exe File created C:\Windows\SysWOW64\Efaibbij.exe Eqdajkkb.exe File created C:\Windows\SysWOW64\Ajdlmi32.dll Mooaljkh.exe File created C:\Windows\SysWOW64\Njmggi32.dll Egjpkffe.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\system32†Dbaice32.¿xe Dpapaj32.exe File opened for modification C:\Windows\system32†Dbaice32.¿xe Dpapaj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2608 968 WerFault.exe 554 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilkpogmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndqbnp32.dll" Pmdmmalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdclnelo.dll" Halbai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhaikn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaheie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emnndlod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Becnhgmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efaibbij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacehmno.dll" Qijdocfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcgmoggn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlmkljal.dll" Aboaff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajhgmpfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjlqhoba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fidoim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Annbhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfgegnbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpnojioo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gifhnpea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmeelpbm.dll" Jqgoiokm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmkomchi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhaikn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmomjlhj.dll" Kjoifb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqfnjifg.dll" Lpgajgeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cafgle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgeogj32.dll" Dllhhaep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alegac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilicig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfcqgpfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knekla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlncpkde.dll" Gfgegnbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbqoqbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkijnbae.dll" Mjekfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggfnopfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dinhacjp.dll" Ebodiofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbbngf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cckdlnjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnfblgca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Annbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abmdafpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqkhngff.dll" Gmpjagfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmneda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Biamilfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmggi32.dll" Egjpkffe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pckoam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcbhee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ippdhfji.dll" Albjlcao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binoil32.dll" Qjkjle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fncdgcqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbnflo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qbcpbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcaiqm32.dll" Ofmbnkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdfaom32.dll" Jblnaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blaopqpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmdmmalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aipddi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdnlccec.dll" Nmhmlbkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odlojanh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkkmocpf.dll" Gcglec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Liklhmom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aidphq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkiogn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhdgjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpnmjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihfeaiog.dll" Jcgapdeb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1732 wrote to memory of 2944 1732 2630f081e67197af05bb0012b925e1bfdcf7dfe2048d306ac482a7f85fc214c7.exe 28 PID 1732 wrote to memory of 2944 1732 2630f081e67197af05bb0012b925e1bfdcf7dfe2048d306ac482a7f85fc214c7.exe 28 PID 1732 wrote to memory of 2944 1732 2630f081e67197af05bb0012b925e1bfdcf7dfe2048d306ac482a7f85fc214c7.exe 28 PID 1732 wrote to memory of 2944 1732 2630f081e67197af05bb0012b925e1bfdcf7dfe2048d306ac482a7f85fc214c7.exe 28 PID 2944 wrote to memory of 2084 2944 Mggpgmof.exe 29 PID 2944 wrote to memory of 2084 2944 Mggpgmof.exe 29 PID 2944 wrote to memory of 2084 2944 Mggpgmof.exe 29 PID 2944 wrote to memory of 2084 2944 Mggpgmof.exe 29 PID 2084 wrote to memory of 2656 2084 Mihiih32.exe 30 PID 2084 wrote to memory of 2656 2084 Mihiih32.exe 30 PID 2084 wrote to memory of 2656 2084 Mihiih32.exe 30 PID 2084 wrote to memory of 2656 2084 Mihiih32.exe 30 PID 2656 wrote to memory of 2172 2656 Mgljbm32.exe 31 PID 2656 wrote to memory of 2172 2656 Mgljbm32.exe 31 PID 2656 wrote to memory of 2172 2656 Mgljbm32.exe 31 PID 2656 wrote to memory of 2172 2656 Mgljbm32.exe 31 PID 2172 wrote to memory of 2468 2172 Mpdnkb32.exe 32 PID 2172 wrote to memory of 2468 2172 Mpdnkb32.exe 32 PID 2172 wrote to memory of 2468 2172 Mpdnkb32.exe 32 PID 2172 wrote to memory of 2468 2172 Mpdnkb32.exe 32 PID 2468 wrote to memory of 2508 2468 Mcbjgn32.exe 33 PID 2468 wrote to memory of 2508 2468 Mcbjgn32.exe 33 PID 2468 wrote to memory of 2508 2468 Mcbjgn32.exe 33 PID 2468 wrote to memory of 2508 2468 Mcbjgn32.exe 33 PID 2508 wrote to memory of 2312 2508 Mimbdhhb.exe 34 PID 2508 wrote to memory of 2312 2508 Mimbdhhb.exe 34 PID 2508 wrote to memory of 2312 2508 Mimbdhhb.exe 34 PID 2508 wrote to memory of 2312 2508 Mimbdhhb.exe 34 PID 2312 wrote to memory of 1624 2312 Moiklogi.exe 35 PID 2312 wrote to memory of 1624 2312 Moiklogi.exe 35 PID 2312 wrote to memory of 1624 2312 Moiklogi.exe 35 PID 2312 wrote to memory of 1624 2312 Moiklogi.exe 35 PID 1624 wrote to memory of 1572 1624 Mhbped32.exe 36 PID 1624 wrote to memory of 1572 1624 Mhbped32.exe 36 PID 1624 wrote to memory of 1572 1624 Mhbped32.exe 36 PID 1624 wrote to memory of 1572 1624 Mhbped32.exe 36 PID 1572 wrote to memory of 968 1572 Ncgdbmmp.exe 37 PID 1572 wrote to memory of 968 1572 Ncgdbmmp.exe 37 PID 1572 wrote to memory of 968 1572 Ncgdbmmp.exe 37 PID 1572 wrote to memory of 968 1572 Ncgdbmmp.exe 37 PID 968 wrote to memory of 2028 968 Nialog32.exe 38 PID 968 wrote to memory of 2028 968 Nialog32.exe 38 PID 968 wrote to memory of 2028 968 Nialog32.exe 38 PID 968 wrote to memory of 2028 968 Nialog32.exe 38 PID 2028 wrote to memory of 528 2028 Nondgn32.exe 39 PID 2028 wrote to memory of 528 2028 Nondgn32.exe 39 PID 2028 wrote to memory of 528 2028 Nondgn32.exe 39 PID 2028 wrote to memory of 528 2028 Nondgn32.exe 39 PID 528 wrote to memory of 2408 528 Nehmdhja.exe 40 PID 528 wrote to memory of 2408 528 Nehmdhja.exe 40 PID 528 wrote to memory of 2408 528 Nehmdhja.exe 40 PID 528 wrote to memory of 2408 528 Nehmdhja.exe 40 PID 2408 wrote to memory of 760 2408 Nlbeqb32.exe 41 PID 2408 wrote to memory of 760 2408 Nlbeqb32.exe 41 PID 2408 wrote to memory of 760 2408 Nlbeqb32.exe 41 PID 2408 wrote to memory of 760 2408 Nlbeqb32.exe 41 PID 760 wrote to memory of 3024 760 Naoniipe.exe 42 PID 760 wrote to memory of 3024 760 Naoniipe.exe 42 PID 760 wrote to memory of 3024 760 Naoniipe.exe 42 PID 760 wrote to memory of 3024 760 Naoniipe.exe 42 PID 3024 wrote to memory of 2308 3024 Nglfapnl.exe 43 PID 3024 wrote to memory of 2308 3024 Nglfapnl.exe 43 PID 3024 wrote to memory of 2308 3024 Nglfapnl.exe 43 PID 3024 wrote to memory of 2308 3024 Nglfapnl.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\2630f081e67197af05bb0012b925e1bfdcf7dfe2048d306ac482a7f85fc214c7.exe"C:\Users\Admin\AppData\Local\Temp\2630f081e67197af05bb0012b925e1bfdcf7dfe2048d306ac482a7f85fc214c7.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Mggpgmof.exeC:\Windows\system32\Mggpgmof.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Mihiih32.exeC:\Windows\system32\Mihiih32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Mgljbm32.exeC:\Windows\system32\Mgljbm32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Mpdnkb32.exeC:\Windows\system32\Mpdnkb32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Mcbjgn32.exeC:\Windows\system32\Mcbjgn32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Mimbdhhb.exeC:\Windows\system32\Mimbdhhb.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Moiklogi.exeC:\Windows\system32\Moiklogi.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Mhbped32.exeC:\Windows\system32\Mhbped32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Ncgdbmmp.exeC:\Windows\system32\Ncgdbmmp.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Nialog32.exeC:\Windows\system32\Nialog32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:968 -
C:\Windows\SysWOW64\Nondgn32.exeC:\Windows\system32\Nondgn32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Nehmdhja.exeC:\Windows\system32\Nehmdhja.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:528 -
C:\Windows\SysWOW64\Nlbeqb32.exeC:\Windows\system32\Nlbeqb32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Naoniipe.exeC:\Windows\system32\Naoniipe.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Nglfapnl.exeC:\Windows\system32\Nglfapnl.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Naajoinb.exeC:\Windows\system32\Naajoinb.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2308 -
C:\Windows\SysWOW64\Nkiogn32.exeC:\Windows\system32\Nkiogn32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Nacgdhlp.exeC:\Windows\system32\Nacgdhlp.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1824 -
C:\Windows\SysWOW64\Oklkmnbp.exeC:\Windows\system32\Oklkmnbp.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:924 -
C:\Windows\SysWOW64\Oqideepg.exeC:\Windows\system32\Oqideepg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2160 -
C:\Windows\SysWOW64\Ojahnj32.exeC:\Windows\system32\Ojahnj32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1912 -
C:\Windows\SysWOW64\Oonafa32.exeC:\Windows\system32\Oonafa32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1284 -
C:\Windows\SysWOW64\Oclilp32.exeC:\Windows\system32\Oclilp32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2116 -
C:\Windows\SysWOW64\Ohibdf32.exeC:\Windows\system32\Ohibdf32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1164 -
C:\Windows\SysWOW64\Ofmbnkhg.exeC:\Windows\system32\Ofmbnkhg.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2276 -
C:\Windows\SysWOW64\Okikfagn.exeC:\Windows\system32\Okikfagn.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:840 -
C:\Windows\SysWOW64\Pfoocjfd.exeC:\Windows\system32\Pfoocjfd.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2108 -
C:\Windows\SysWOW64\Pogclp32.exeC:\Windows\system32\Pogclp32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Pqhpdhcc.exeC:\Windows\system32\Pqhpdhcc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056 -
C:\Windows\SysWOW64\Pnlqnl32.exeC:\Windows\system32\Pnlqnl32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Pkpagq32.exeC:\Windows\system32\Pkpagq32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Peiepfgg.exeC:\Windows\system32\Peiepfgg.exe33⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Papfegmk.exeC:\Windows\system32\Papfegmk.exe34⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Pgioaa32.exeC:\Windows\system32\Pgioaa32.exe35⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Qmfgjh32.exeC:\Windows\system32\Qmfgjh32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Qbcpbo32.exeC:\Windows\system32\Qbcpbo32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Qmicohqm.exeC:\Windows\system32\Qmicohqm.exe38⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Qcbllb32.exeC:\Windows\system32\Qcbllb32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Aipddi32.exeC:\Windows\system32\Aipddi32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Aefeijle.exeC:\Windows\system32\Aefeijle.exe41⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Aehboi32.exeC:\Windows\system32\Aehboi32.exe42⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Albjlcao.exeC:\Windows\system32\Albjlcao.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1280 -
C:\Windows\SysWOW64\Aaobdjof.exeC:\Windows\system32\Aaobdjof.exe44⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Aekodi32.exeC:\Windows\system32\Aekodi32.exe45⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Alegac32.exeC:\Windows\system32\Alegac32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1076 -
C:\Windows\SysWOW64\Ajhgmpfg.exeC:\Windows\system32\Ajhgmpfg.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Amfcikek.exeC:\Windows\system32\Amfcikek.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2292 -
C:\Windows\SysWOW64\Ajjcbpdd.exeC:\Windows\system32\Ajjcbpdd.exe49⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Amhpnkch.exeC:\Windows\system32\Amhpnkch.exe50⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Bpgljfbl.exeC:\Windows\system32\Bpgljfbl.exe51⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Bjlqhoba.exeC:\Windows\system32\Bjlqhoba.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1864 -
C:\Windows\SysWOW64\Bmkmdk32.exeC:\Windows\system32\Bmkmdk32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Biamilfj.exeC:\Windows\system32\Biamilfj.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Blpjegfm.exeC:\Windows\system32\Blpjegfm.exe55⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Bdgafdfp.exeC:\Windows\system32\Bdgafdfp.exe56⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Behnnm32.exeC:\Windows\system32\Behnnm32.exe57⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Blbfjg32.exeC:\Windows\system32\Blbfjg32.exe58⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Bpnbkeld.exeC:\Windows\system32\Bpnbkeld.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Bghjhp32.exeC:\Windows\system32\Bghjhp32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Bhigphio.exeC:\Windows\system32\Bhigphio.exe61⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Bppoqeja.exeC:\Windows\system32\Bppoqeja.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3048 -
C:\Windows\SysWOW64\Baakhm32.exeC:\Windows\system32\Baakhm32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Biicik32.exeC:\Windows\system32\Biicik32.exe64⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Coelaaoi.exeC:\Windows\system32\Coelaaoi.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Chnqkg32.exeC:\Windows\system32\Chnqkg32.exe66⤵PID:2464
-
C:\Windows\SysWOW64\Cohigamf.exeC:\Windows\system32\Cohigamf.exe67⤵PID:2480
-
C:\Windows\SysWOW64\Chpmpg32.exeC:\Windows\system32\Chpmpg32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2520 -
C:\Windows\SysWOW64\Cojema32.exeC:\Windows\system32\Cojema32.exe69⤵PID:2376
-
C:\Windows\SysWOW64\Cpkbdiqb.exeC:\Windows\system32\Cpkbdiqb.exe70⤵PID:2224
-
C:\Windows\SysWOW64\Ckafbbph.exeC:\Windows\system32\Ckafbbph.exe71⤵PID:2212
-
C:\Windows\SysWOW64\Cnobnmpl.exeC:\Windows\system32\Cnobnmpl.exe72⤵PID:1816
-
C:\Windows\SysWOW64\Cpnojioo.exeC:\Windows\system32\Cpnojioo.exe73⤵
- Modifies registry class
PID:596 -
C:\Windows\SysWOW64\Cclkfdnc.exeC:\Windows\system32\Cclkfdnc.exe74⤵PID:588
-
C:\Windows\SysWOW64\Cppkph32.exeC:\Windows\system32\Cppkph32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:284 -
C:\Windows\SysWOW64\Dbhnhp32.exeC:\Windows\system32\Dbhnhp32.exe76⤵PID:1960
-
C:\Windows\SysWOW64\Dhbfdjdp.exeC:\Windows\system32\Dhbfdjdp.exe77⤵PID:1524
-
C:\Windows\SysWOW64\Dnoomqbg.exeC:\Windows\system32\Dnoomqbg.exe78⤵PID:2728
-
C:\Windows\SysWOW64\Dhdcji32.exeC:\Windows\system32\Dhdcji32.exe79⤵PID:2288
-
C:\Windows\SysWOW64\Edkcojga.exeC:\Windows\system32\Edkcojga.exe80⤵PID:2200
-
C:\Windows\SysWOW64\Egjpkffe.exeC:\Windows\system32\Egjpkffe.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:1176 -
C:\Windows\SysWOW64\Ebodiofk.exeC:\Windows\system32\Ebodiofk.exe82⤵
- Modifies registry class
PID:1272 -
C:\Windows\SysWOW64\Ecqqpgli.exeC:\Windows\system32\Ecqqpgli.exe83⤵PID:1628
-
C:\Windows\SysWOW64\Ejkima32.exeC:\Windows\system32\Ejkima32.exe84⤵PID:560
-
C:\Windows\SysWOW64\Eqdajkkb.exeC:\Windows\system32\Eqdajkkb.exe85⤵
- Drops file in System32 directory
PID:1072 -
C:\Windows\SysWOW64\Efaibbij.exeC:\Windows\system32\Efaibbij.exe86⤵
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Ejmebq32.exeC:\Windows\system32\Ejmebq32.exe87⤵PID:1952
-
C:\Windows\SysWOW64\Emkaol32.exeC:\Windows\system32\Emkaol32.exe88⤵
- Drops file in System32 directory
PID:1748 -
C:\Windows\SysWOW64\Eojnkg32.exeC:\Windows\system32\Eojnkg32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1616 -
C:\Windows\SysWOW64\Egafleqm.exeC:\Windows\system32\Egafleqm.exe90⤵PID:3060
-
C:\Windows\SysWOW64\Efcfga32.exeC:\Windows\system32\Efcfga32.exe91⤵PID:2676
-
C:\Windows\SysWOW64\Emnndlod.exeC:\Windows\system32\Emnndlod.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Echfaf32.exeC:\Windows\system32\Echfaf32.exe93⤵PID:2700
-
C:\Windows\SysWOW64\Effcma32.exeC:\Windows\system32\Effcma32.exe94⤵PID:2844
-
C:\Windows\SysWOW64\Fidoim32.exeC:\Windows\system32\Fidoim32.exe95⤵
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Fpngfgle.exeC:\Windows\system32\Fpngfgle.exe96⤵PID:2412
-
C:\Windows\SysWOW64\Fekpnn32.exeC:\Windows\system32\Fekpnn32.exe97⤵PID:1984
-
C:\Windows\SysWOW64\Fpqdkf32.exeC:\Windows\system32\Fpqdkf32.exe98⤵PID:2360
-
C:\Windows\SysWOW64\Fncdgcqm.exeC:\Windows\system32\Fncdgcqm.exe99⤵
- Modifies registry class
PID:1352 -
C:\Windows\SysWOW64\Ffklhqao.exeC:\Windows\system32\Ffklhqao.exe100⤵PID:1780
-
C:\Windows\SysWOW64\Fiihdlpc.exeC:\Windows\system32\Fiihdlpc.exe101⤵PID:1520
-
C:\Windows\SysWOW64\Fpcqaf32.exeC:\Windows\system32\Fpcqaf32.exe102⤵PID:1336
-
C:\Windows\SysWOW64\Fadminnn.exeC:\Windows\system32\Fadminnn.exe103⤵PID:2820
-
C:\Windows\SysWOW64\Fhneehek.exeC:\Windows\system32\Fhneehek.exe104⤵PID:1844
-
C:\Windows\SysWOW64\Fjmaaddo.exeC:\Windows\system32\Fjmaaddo.exe105⤵PID:956
-
C:\Windows\SysWOW64\Febfomdd.exeC:\Windows\system32\Febfomdd.exe106⤵PID:3032
-
C:\Windows\SysWOW64\Fhqbkhch.exeC:\Windows\system32\Fhqbkhch.exe107⤵PID:3036
-
C:\Windows\SysWOW64\Faigdn32.exeC:\Windows\system32\Faigdn32.exe108⤵
- Drops file in System32 directory
PID:912 -
C:\Windows\SysWOW64\Gdgcpi32.exeC:\Windows\system32\Gdgcpi32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1776 -
C:\Windows\SysWOW64\Gffoldhp.exeC:\Windows\system32\Gffoldhp.exe110⤵PID:2128
-
C:\Windows\SysWOW64\Gmpgio32.exeC:\Windows\system32\Gmpgio32.exe111⤵PID:2940
-
C:\Windows\SysWOW64\Gpncej32.exeC:\Windows\system32\Gpncej32.exe112⤵PID:2912
-
C:\Windows\SysWOW64\Ghelfg32.exeC:\Windows\system32\Ghelfg32.exe113⤵PID:964
-
C:\Windows\SysWOW64\Gifhnpea.exeC:\Windows\system32\Gifhnpea.exe114⤵
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Gfjhgdck.exeC:\Windows\system32\Gfjhgdck.exe115⤵
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Glgaok32.exeC:\Windows\system32\Glgaok32.exe116⤵PID:2848
-
C:\Windows\SysWOW64\Gpcmpijk.exeC:\Windows\system32\Gpcmpijk.exe117⤵PID:2384
-
C:\Windows\SysWOW64\Gfmemc32.exeC:\Windows\system32\Gfmemc32.exe118⤵PID:1672
-
C:\Windows\SysWOW64\Gmgninie.exeC:\Windows\system32\Gmgninie.exe119⤵PID:1792
-
C:\Windows\SysWOW64\Gohjaf32.exeC:\Windows\system32\Gohjaf32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1728 -
C:\Windows\SysWOW64\Gfobbc32.exeC:\Windows\system32\Gfobbc32.exe121⤵PID:776
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-