Analysis
-
max time kernel
146s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
14/03/2024, 20:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
66b0e49a60d2b09d4ec4f5468c3ebbb8bf844a1f7e762fa5a5e38539e4eb8b11.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
66b0e49a60d2b09d4ec4f5468c3ebbb8bf844a1f7e762fa5a5e38539e4eb8b11.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
66b0e49a60d2b09d4ec4f5468c3ebbb8bf844a1f7e762fa5a5e38539e4eb8b11.exe
-
Size
208KB
-
MD5
d7fd4f701684587998060b7c52143d2f
-
SHA1
dc72092bd754b5bef1f99d84c0ef3a8aea8c1cd0
-
SHA256
66b0e49a60d2b09d4ec4f5468c3ebbb8bf844a1f7e762fa5a5e38539e4eb8b11
-
SHA512
bd43eceb2e3f56174c039b6cd36d7d7f019d21e23a549b87684fe9b18c434bfdcfae25d5674f395d5f896c272a5cedca7b5695fd446ddddc5a9e7504c6366153
-
SSDEEP
6144:oWjepYGE596wpUYDX4EYtCwGtMtkiXOoloMr1JeSldqP7+x55KmC:oWjKE596wpaChtMtkM71r1MSXqPix554
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmnace32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlffdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Idfnicfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feachqgb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpigfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcmiod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Accnekon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fakdcnhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcgmfgfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acpdko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoeeolig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cmgechbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idiaii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Blbfjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pgckjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jaijak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Epecbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dadbdkld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pcghof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhpgfeao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ppbfpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leljop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocllehcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dcfpel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpmdofno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dojald32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jenpajfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cmmcpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Egllae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgmalg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eldiehbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mcifdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jkpbdq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajgpbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qiflohqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bpfeppop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkoplhip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enfgfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found -
Executes dropped EXE 64 IoCs
pid Process 2784 Gaemjbcg.exe 2228 Hiqbndpb.exe 2616 Hgdbhi32.exe 2572 Hggomh32.exe 2376 Hjhhocjj.exe 2932 Hacmcfge.exe 1792 Hlhaqogk.exe 2704 Hogmmjfo.exe 2748 Igdogl32.exe 1712 Iggkllpe.exe 1600 Idklfpon.exe 592 Idmhkpml.exe 1244 Jmhmpb32.exe 2892 Jcbellac.exe 2108 Jcdbbloa.exe 2772 Jbjochdi.exe 3008 Jkbcln32.exe 2300 Jejhecaj.exe 1280 Jnclnihj.exe 1520 Kihqkagp.exe 332 Kneicieh.exe 1884 Kcbakpdo.exe 2312 Kjljhjkl.exe 828 Keanebkb.exe 888 Kmmcjehm.exe 2092 Kcfkfo32.exe 2284 Kcihlong.exe 1480 Lckdanld.exe 2640 Lfjqnjkh.exe 2724 Lflmci32.exe 2420 Lpdbloof.exe 2448 Lhpfqama.exe 1904 Lojomkdn.exe 2564 Lecgje32.exe 1540 Lhbcfa32.exe 1516 Lajhofao.exe 2164 Lefdpe32.exe 1432 Monhhk32.exe 268 Mmahdggc.exe 872 Mgimmm32.exe 2040 Mkeimlfm.exe 1044 Mdmmfa32.exe 2084 Mbpnanch.exe 1120 Mlibjc32.exe 1908 Mdpjlajk.exe 1744 Mimbdhhb.exe 612 Mmhodf32.exe 1564 Mgqcmlgl.exe 2944 Miooigfo.exe 1672 Mpigfa32.exe 2336 Najdnj32.exe 2484 Nhdlkdkg.exe 2620 Nlphkb32.exe 2032 Nehmdhja.exe 2432 Ndkmpe32.exe 2404 Nkeelohh.exe 2496 Ndmjedoi.exe 2192 Nkgbbo32.exe 2712 Nocnbmoo.exe 1740 Ndpfkdmf.exe 984 Nhkbkc32.exe 488 Njlockkm.exe 848 Ndbcpd32.exe 2744 Ngpolo32.exe -
Loads dropped DLL 64 IoCs
pid Process 1612 66b0e49a60d2b09d4ec4f5468c3ebbb8bf844a1f7e762fa5a5e38539e4eb8b11.exe 1612 66b0e49a60d2b09d4ec4f5468c3ebbb8bf844a1f7e762fa5a5e38539e4eb8b11.exe 2784 Gaemjbcg.exe 2784 Gaemjbcg.exe 2228 Hiqbndpb.exe 2228 Hiqbndpb.exe 2616 Hgdbhi32.exe 2616 Hgdbhi32.exe 2572 Hggomh32.exe 2572 Hggomh32.exe 2376 Hjhhocjj.exe 2376 Hjhhocjj.exe 2932 Hacmcfge.exe 2932 Hacmcfge.exe 1792 Hlhaqogk.exe 1792 Hlhaqogk.exe 2704 Hogmmjfo.exe 2704 Hogmmjfo.exe 2748 Igdogl32.exe 2748 Igdogl32.exe 1712 Iggkllpe.exe 1712 Iggkllpe.exe 1600 Idklfpon.exe 1600 Idklfpon.exe 592 Idmhkpml.exe 592 Idmhkpml.exe 1244 Jmhmpb32.exe 1244 Jmhmpb32.exe 2892 Jcbellac.exe 2892 Jcbellac.exe 2108 Jcdbbloa.exe 2108 Jcdbbloa.exe 2772 Jbjochdi.exe 2772 Jbjochdi.exe 3008 Jkbcln32.exe 3008 Jkbcln32.exe 2300 Jejhecaj.exe 2300 Jejhecaj.exe 1280 Jnclnihj.exe 1280 Jnclnihj.exe 1520 Kihqkagp.exe 1520 Kihqkagp.exe 332 Kneicieh.exe 332 Kneicieh.exe 1884 Kcbakpdo.exe 1884 Kcbakpdo.exe 2312 Kjljhjkl.exe 2312 Kjljhjkl.exe 828 Keanebkb.exe 828 Keanebkb.exe 888 Kmmcjehm.exe 888 Kmmcjehm.exe 2092 Kcfkfo32.exe 2092 Kcfkfo32.exe 1500 Kifpdelo.exe 1500 Kifpdelo.exe 1480 Lckdanld.exe 1480 Lckdanld.exe 2640 Lfjqnjkh.exe 2640 Lfjqnjkh.exe 2724 Lflmci32.exe 2724 Lflmci32.exe 2420 Lpdbloof.exe 2420 Lpdbloof.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lnjafd32.exe Lklejh32.exe File created C:\Windows\SysWOW64\Ipjkcehe.dll Opfegp32.exe File opened for modification C:\Windows\SysWOW64\Efhqmadd.exe Eakhdj32.exe File created C:\Windows\SysWOW64\Edlafebn.exe Eldiehbk.exe File opened for modification C:\Windows\SysWOW64\Llcfck32.exe Process not Found File created C:\Windows\SysWOW64\Ajjeld32.exe Process not Found File created C:\Windows\SysWOW64\Mcfidhng.dll Dpbheh32.exe File opened for modification C:\Windows\SysWOW64\Geoonjeg.exe Gnefapmj.exe File created C:\Windows\SysWOW64\Bnfeag32.dll Bbjdjjdn.exe File opened for modification C:\Windows\SysWOW64\Nddcimag.exe Process not Found File created C:\Windows\SysWOW64\Gokmnlcf.exe Process not Found File created C:\Windows\SysWOW64\Fbmcbbki.exe Fpngfgle.exe File opened for modification C:\Windows\SysWOW64\Hbqoqbho.exe Hoebpc32.exe File created C:\Windows\SysWOW64\Hmjofl32.dll Odkgec32.exe File created C:\Windows\SysWOW64\Fggmldfp.exe Fefqdl32.exe File created C:\Windows\SysWOW64\Goqeoiki.dll Process not Found File created C:\Windows\SysWOW64\Oqcpob32.exe Ogkkfmml.exe File created C:\Windows\SysWOW64\Kqkdjkoi.dll Process not Found File created C:\Windows\SysWOW64\Jlcffk32.dll Process not Found File created C:\Windows\SysWOW64\Iemdfn32.dll Process not Found File created C:\Windows\SysWOW64\Ndqbnp32.dll Pcnejk32.exe File created C:\Windows\SysWOW64\Plmbkd32.exe Pmjaohol.exe File created C:\Windows\SysWOW64\Omjeba32.exe Process not Found File created C:\Windows\SysWOW64\Fcddnkhf.dll Process not Found File opened for modification C:\Windows\SysWOW64\Epakcm32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kgbipf32.exe Kqiaclhj.exe File created C:\Windows\SysWOW64\Qoeeolig.exe Qqbecp32.exe File created C:\Windows\SysWOW64\Klehgh32.exe Kjglkm32.exe File opened for modification C:\Windows\SysWOW64\Jenbjc32.exe Jacfidem.exe File created C:\Windows\SysWOW64\Cahlnl32.dll Process not Found File created C:\Windows\SysWOW64\Mcfied32.dll Process not Found File created C:\Windows\SysWOW64\Lcojjmea.exe Leljop32.exe File opened for modification C:\Windows\SysWOW64\Gfpjgn32.exe Process not Found File created C:\Windows\SysWOW64\Epakcm32.exe Process not Found File created C:\Windows\SysWOW64\Omkicqkc.dll Process not Found File created C:\Windows\SysWOW64\Jmbckb32.dll Ndjfeo32.exe File created C:\Windows\SysWOW64\Lcnbbqbd.dll Hfjnla32.exe File created C:\Windows\SysWOW64\Jcgapdeb.exe Jlmicj32.exe File created C:\Windows\SysWOW64\Jpnkep32.exe Process not Found File created C:\Windows\SysWOW64\Eoqfgcek.dll Process not Found File opened for modification C:\Windows\SysWOW64\Fbbcdh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lfdmggnm.exe Lcfqkl32.exe File created C:\Windows\SysWOW64\Okmqlhnm.dll Lifbmn32.exe File opened for modification C:\Windows\SysWOW64\Aifjgdkj.exe Process not Found File created C:\Windows\SysWOW64\Odmgnl32.exe Process not Found File created C:\Windows\SysWOW64\Pggbla32.exe Pnomcl32.exe File created C:\Windows\SysWOW64\Blipno32.exe Process not Found File created C:\Windows\SysWOW64\Fkdlaplh.exe Process not Found File created C:\Windows\SysWOW64\Moelcodj.dll Process not Found File created C:\Windows\SysWOW64\Gkaohl32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ckbpqe32.exe Cmppehkh.exe File created C:\Windows\SysWOW64\Jbbpnl32.dll Ogkkfmml.exe File created C:\Windows\SysWOW64\Ncgfge32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ilnqhddd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ngpolo32.exe Ndbcpd32.exe File created C:\Windows\SysWOW64\Djpjjl32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Pogaeg32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Amoibc32.exe Process not Found File created C:\Windows\SysWOW64\Libicbma.exe Lfdmggnm.exe File created C:\Windows\SysWOW64\Jgncfcaa.exe Jdpgjhbm.exe File opened for modification C:\Windows\SysWOW64\Epqgopbi.exe Process not Found File created C:\Windows\SysWOW64\Pjgoohpd.dll Process not Found File opened for modification C:\Windows\SysWOW64\Iimhfj32.exe Process not Found File created C:\Windows\SysWOW64\Gmgninie.exe Gdniqh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6940 2460 Process not Found 1751 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Afdgfelo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epfbbghh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlnhkclm.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geofbffe.dll" Kmmcjehm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noomnjpj.dll" Mmldme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ogqaehak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oioggmmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfimpm32.dll" Kkpqlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Giolnomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blndhdgi.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aaloddnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ddgjdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hhbdee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nihqegkl.dll" Agbpnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgckhoib.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgiahe32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Egllae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pcfefmnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iomhflpi.dll" Fjeefofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emclhigi.dll" Pegqpacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kggedf32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mgimmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ccngld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoomoin.dll" Kjoifb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmbfkh32.dll" Giaidnkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpkkdjl.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Labkdack.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ndkhngdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fdhlnhhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mcifdj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cohkpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Igoomk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cegfepjn.dll" Kbpbmkan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pbemboof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djjafk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onmddnil.dll" Najdnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Chfpoeja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inppon32.dll" Bdhleh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gchhdfem.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Amkpegnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pnlqnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kgbipf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocgcbd32.dll" Bagkmb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1612 wrote to memory of 2784 1612 66b0e49a60d2b09d4ec4f5468c3ebbb8bf844a1f7e762fa5a5e38539e4eb8b11.exe 28 PID 1612 wrote to memory of 2784 1612 66b0e49a60d2b09d4ec4f5468c3ebbb8bf844a1f7e762fa5a5e38539e4eb8b11.exe 28 PID 1612 wrote to memory of 2784 1612 66b0e49a60d2b09d4ec4f5468c3ebbb8bf844a1f7e762fa5a5e38539e4eb8b11.exe 28 PID 1612 wrote to memory of 2784 1612 66b0e49a60d2b09d4ec4f5468c3ebbb8bf844a1f7e762fa5a5e38539e4eb8b11.exe 28 PID 2784 wrote to memory of 2228 2784 Gaemjbcg.exe 29 PID 2784 wrote to memory of 2228 2784 Gaemjbcg.exe 29 PID 2784 wrote to memory of 2228 2784 Gaemjbcg.exe 29 PID 2784 wrote to memory of 2228 2784 Gaemjbcg.exe 29 PID 2228 wrote to memory of 2616 2228 Hiqbndpb.exe 30 PID 2228 wrote to memory of 2616 2228 Hiqbndpb.exe 30 PID 2228 wrote to memory of 2616 2228 Hiqbndpb.exe 30 PID 2228 wrote to memory of 2616 2228 Hiqbndpb.exe 30 PID 2616 wrote to memory of 2572 2616 Hgdbhi32.exe 31 PID 2616 wrote to memory of 2572 2616 Hgdbhi32.exe 31 PID 2616 wrote to memory of 2572 2616 Hgdbhi32.exe 31 PID 2616 wrote to memory of 2572 2616 Hgdbhi32.exe 31 PID 2572 wrote to memory of 2376 2572 Hggomh32.exe 32 PID 2572 wrote to memory of 2376 2572 Hggomh32.exe 32 PID 2572 wrote to memory of 2376 2572 Hggomh32.exe 32 PID 2572 wrote to memory of 2376 2572 Hggomh32.exe 32 PID 2376 wrote to memory of 2932 2376 Hjhhocjj.exe 33 PID 2376 wrote to memory of 2932 2376 Hjhhocjj.exe 33 PID 2376 wrote to memory of 2932 2376 Hjhhocjj.exe 33 PID 2376 wrote to memory of 2932 2376 Hjhhocjj.exe 33 PID 2932 wrote to memory of 1792 2932 Hacmcfge.exe 34 PID 2932 wrote to memory of 1792 2932 Hacmcfge.exe 34 PID 2932 wrote to memory of 1792 2932 Hacmcfge.exe 34 PID 2932 wrote to memory of 1792 2932 Hacmcfge.exe 34 PID 1792 wrote to memory of 2704 1792 Hlhaqogk.exe 35 PID 1792 wrote to memory of 2704 1792 Hlhaqogk.exe 35 PID 1792 wrote to memory of 2704 1792 Hlhaqogk.exe 35 PID 1792 wrote to memory of 2704 1792 Hlhaqogk.exe 35 PID 2704 wrote to memory of 2748 2704 Hogmmjfo.exe 36 PID 2704 wrote to memory of 2748 2704 Hogmmjfo.exe 36 PID 2704 wrote to memory of 2748 2704 Hogmmjfo.exe 36 PID 2704 wrote to memory of 2748 2704 Hogmmjfo.exe 36 PID 2748 wrote to memory of 1712 2748 Igdogl32.exe 37 PID 2748 wrote to memory of 1712 2748 Igdogl32.exe 37 PID 2748 wrote to memory of 1712 2748 Igdogl32.exe 37 PID 2748 wrote to memory of 1712 2748 Igdogl32.exe 37 PID 1712 wrote to memory of 1600 1712 Iggkllpe.exe 38 PID 1712 wrote to memory of 1600 1712 Iggkllpe.exe 38 PID 1712 wrote to memory of 1600 1712 Iggkllpe.exe 38 PID 1712 wrote to memory of 1600 1712 Iggkllpe.exe 38 PID 1600 wrote to memory of 592 1600 Idklfpon.exe 39 PID 1600 wrote to memory of 592 1600 Idklfpon.exe 39 PID 1600 wrote to memory of 592 1600 Idklfpon.exe 39 PID 1600 wrote to memory of 592 1600 Idklfpon.exe 39 PID 592 wrote to memory of 1244 592 Idmhkpml.exe 40 PID 592 wrote to memory of 1244 592 Idmhkpml.exe 40 PID 592 wrote to memory of 1244 592 Idmhkpml.exe 40 PID 592 wrote to memory of 1244 592 Idmhkpml.exe 40 PID 1244 wrote to memory of 2892 1244 Jmhmpb32.exe 41 PID 1244 wrote to memory of 2892 1244 Jmhmpb32.exe 41 PID 1244 wrote to memory of 2892 1244 Jmhmpb32.exe 41 PID 1244 wrote to memory of 2892 1244 Jmhmpb32.exe 41 PID 2892 wrote to memory of 2108 2892 Jcbellac.exe 42 PID 2892 wrote to memory of 2108 2892 Jcbellac.exe 42 PID 2892 wrote to memory of 2108 2892 Jcbellac.exe 42 PID 2892 wrote to memory of 2108 2892 Jcbellac.exe 42 PID 2108 wrote to memory of 2772 2108 Jcdbbloa.exe 43 PID 2108 wrote to memory of 2772 2108 Jcdbbloa.exe 43 PID 2108 wrote to memory of 2772 2108 Jcdbbloa.exe 43 PID 2108 wrote to memory of 2772 2108 Jcdbbloa.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\66b0e49a60d2b09d4ec4f5468c3ebbb8bf844a1f7e762fa5a5e38539e4eb8b11.exe"C:\Users\Admin\AppData\Local\Temp\66b0e49a60d2b09d4ec4f5468c3ebbb8bf844a1f7e762fa5a5e38539e4eb8b11.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Igdogl32.exeC:\Windows\system32\Igdogl32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\SysWOW64\Jmhmpb32.exeC:\Windows\system32\Jmhmpb32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Jcbellac.exeC:\Windows\system32\Jcbellac.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Jcdbbloa.exeC:\Windows\system32\Jcdbbloa.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Jbjochdi.exeC:\Windows\system32\Jbjochdi.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2300 -
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1280 -
C:\Windows\SysWOW64\Kihqkagp.exeC:\Windows\system32\Kihqkagp.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1520 -
C:\Windows\SysWOW64\Kneicieh.exeC:\Windows\system32\Kneicieh.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:332 -
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1884 -
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Keanebkb.exeC:\Windows\system32\Keanebkb.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:828 -
C:\Windows\SysWOW64\Kmmcjehm.exeC:\Windows\system32\Kmmcjehm.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Kcfkfo32.exeC:\Windows\system32\Kcfkfo32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2092 -
C:\Windows\SysWOW64\Kcihlong.exeC:\Windows\system32\Kcihlong.exe28⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe29⤵
- Loads dropped DLL
PID:1500 -
C:\Windows\SysWOW64\Lckdanld.exeC:\Windows\system32\Lckdanld.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1480 -
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Lflmci32.exeC:\Windows\system32\Lflmci32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Lpdbloof.exeC:\Windows\system32\Lpdbloof.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2420 -
C:\Windows\SysWOW64\Lhpfqama.exeC:\Windows\system32\Lhpfqama.exe34⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Lojomkdn.exeC:\Windows\system32\Lojomkdn.exe35⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe36⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Lhbcfa32.exeC:\Windows\system32\Lhbcfa32.exe37⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Lajhofao.exeC:\Windows\system32\Lajhofao.exe38⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Lefdpe32.exeC:\Windows\system32\Lefdpe32.exe39⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Monhhk32.exeC:\Windows\system32\Monhhk32.exe40⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Mmahdggc.exeC:\Windows\system32\Mmahdggc.exe41⤵
- Executes dropped EXE
PID:268 -
C:\Windows\SysWOW64\Mgimmm32.exeC:\Windows\system32\Mgimmm32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:872 -
C:\Windows\SysWOW64\Mkeimlfm.exeC:\Windows\system32\Mkeimlfm.exe43⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Mdmmfa32.exeC:\Windows\system32\Mdmmfa32.exe44⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe45⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Mlibjc32.exeC:\Windows\system32\Mlibjc32.exe46⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Mdpjlajk.exeC:\Windows\system32\Mdpjlajk.exe47⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Mimbdhhb.exeC:\Windows\system32\Mimbdhhb.exe48⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Mmhodf32.exeC:\Windows\system32\Mmhodf32.exe49⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Mgqcmlgl.exeC:\Windows\system32\Mgqcmlgl.exe50⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Miooigfo.exeC:\Windows\system32\Miooigfo.exe51⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Mpigfa32.exeC:\Windows\system32\Mpigfa32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Najdnj32.exeC:\Windows\system32\Najdnj32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Nhdlkdkg.exeC:\Windows\system32\Nhdlkdkg.exe54⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Nlphkb32.exeC:\Windows\system32\Nlphkb32.exe55⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Nehmdhja.exeC:\Windows\system32\Nehmdhja.exe56⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Ndkmpe32.exeC:\Windows\system32\Ndkmpe32.exe57⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Nkeelohh.exeC:\Windows\system32\Nkeelohh.exe58⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Ndmjedoi.exeC:\Windows\system32\Ndmjedoi.exe59⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Nkgbbo32.exeC:\Windows\system32\Nkgbbo32.exe60⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Nocnbmoo.exeC:\Windows\system32\Nocnbmoo.exe61⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Ndpfkdmf.exeC:\Windows\system32\Ndpfkdmf.exe62⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Nhkbkc32.exeC:\Windows\system32\Nhkbkc32.exe63⤵
- Executes dropped EXE
PID:984 -
C:\Windows\SysWOW64\Njlockkm.exeC:\Windows\system32\Njlockkm.exe64⤵
- Executes dropped EXE
PID:488 -
C:\Windows\SysWOW64\Ndbcpd32.exeC:\Windows\system32\Ndbcpd32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:848 -
C:\Windows\SysWOW64\Ngpolo32.exeC:\Windows\system32\Ngpolo32.exe66⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Olmhdf32.exeC:\Windows\system32\Olmhdf32.exe67⤵PID:2752
-
C:\Windows\SysWOW64\Ocgpappk.exeC:\Windows\system32\Ocgpappk.exe68⤵PID:2972
-
C:\Windows\SysWOW64\Ogblbo32.exeC:\Windows\system32\Ogblbo32.exe69⤵PID:1720
-
C:\Windows\SysWOW64\Oqkqkdne.exeC:\Windows\system32\Oqkqkdne.exe70⤵PID:1596
-
C:\Windows\SysWOW64\Ocimgp32.exeC:\Windows\system32\Ocimgp32.exe71⤵PID:1232
-
C:\Windows\SysWOW64\Ohfeog32.exeC:\Windows\system32\Ohfeog32.exe72⤵PID:1108
-
C:\Windows\SysWOW64\Oopnlacm.exeC:\Windows\system32\Oopnlacm.exe73⤵PID:2276
-
C:\Windows\SysWOW64\Obojhlbq.exeC:\Windows\system32\Obojhlbq.exe74⤵PID:2124
-
C:\Windows\SysWOW64\Ohibdf32.exeC:\Windows\system32\Ohibdf32.exe75⤵PID:1636
-
C:\Windows\SysWOW64\Ocnfbo32.exeC:\Windows\system32\Ocnfbo32.exe76⤵PID:3016
-
C:\Windows\SysWOW64\Odobjg32.exeC:\Windows\system32\Odobjg32.exe77⤵PID:2460
-
C:\Windows\SysWOW64\Ooeggp32.exeC:\Windows\system32\Ooeggp32.exe78⤵PID:2408
-
C:\Windows\SysWOW64\Onhgbmfb.exeC:\Windows\system32\Onhgbmfb.exe79⤵PID:2588
-
C:\Windows\SysWOW64\Pimkpfeh.exeC:\Windows\system32\Pimkpfeh.exe80⤵PID:2876
-
C:\Windows\SysWOW64\Pklhlael.exeC:\Windows\system32\Pklhlael.exe81⤵PID:2552
-
C:\Windows\SysWOW64\Pqhpdhcc.exeC:\Windows\system32\Pqhpdhcc.exe82⤵PID:2896
-
C:\Windows\SysWOW64\Pedleg32.exeC:\Windows\system32\Pedleg32.exe83⤵PID:2184
-
C:\Windows\SysWOW64\Pnlqnl32.exeC:\Windows\system32\Pnlqnl32.exe84⤵
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\Pqkmjh32.exeC:\Windows\system32\Pqkmjh32.exe85⤵PID:1256
-
C:\Windows\SysWOW64\Pkpagq32.exeC:\Windows\system32\Pkpagq32.exe86⤵PID:2768
-
C:\Windows\SysWOW64\Pnomcl32.exeC:\Windows\system32\Pnomcl32.exe87⤵
- Drops file in System32 directory
PID:1072 -
C:\Windows\SysWOW64\Pggbla32.exeC:\Windows\system32\Pggbla32.exe88⤵PID:2328
-
C:\Windows\SysWOW64\Pjenhm32.exeC:\Windows\system32\Pjenhm32.exe89⤵PID:1228
-
C:\Windows\SysWOW64\Ppbfpd32.exeC:\Windows\system32\Ppbfpd32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2860 -
C:\Windows\SysWOW64\Pgioaa32.exeC:\Windows\system32\Pgioaa32.exe91⤵PID:2920
-
C:\Windows\SysWOW64\Qmfgjh32.exeC:\Windows\system32\Qmfgjh32.exe92⤵PID:1972
-
C:\Windows\SysWOW64\Qpecfc32.exeC:\Windows\system32\Qpecfc32.exe93⤵PID:2608
-
C:\Windows\SysWOW64\Qbcpbo32.exeC:\Windows\system32\Qbcpbo32.exe94⤵PID:2604
-
C:\Windows\SysWOW64\Qjjgclai.exeC:\Windows\system32\Qjjgclai.exe95⤵PID:2580
-
C:\Windows\SysWOW64\Qmicohqm.exeC:\Windows\system32\Qmicohqm.exe96⤵PID:2812
-
C:\Windows\SysWOW64\Qpgpkcpp.exeC:\Windows\system32\Qpgpkcpp.exe97⤵PID:2440
-
C:\Windows\SysWOW64\Amkpegnj.exeC:\Windows\system32\Amkpegnj.exe98⤵
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Alnqqd32.exeC:\Windows\system32\Alnqqd32.exe99⤵PID:2424
-
C:\Windows\SysWOW64\Abhimnma.exeC:\Windows\system32\Abhimnma.exe100⤵PID:292
-
C:\Windows\SysWOW64\Aefeijle.exeC:\Windows\system32\Aefeijle.exe101⤵PID:1576
-
C:\Windows\SysWOW64\Anojbobe.exeC:\Windows\system32\Anojbobe.exe102⤵PID:1896
-
C:\Windows\SysWOW64\Aehboi32.exeC:\Windows\system32\Aehboi32.exe103⤵PID:336
-
C:\Windows\SysWOW64\Ahgnke32.exeC:\Windows\system32\Ahgnke32.exe104⤵PID:1248
-
C:\Windows\SysWOW64\Albjlcao.exeC:\Windows\system32\Albjlcao.exe105⤵PID:1684
-
C:\Windows\SysWOW64\Aaobdjof.exeC:\Windows\system32\Aaobdjof.exe106⤵PID:1892
-
C:\Windows\SysWOW64\Aekodi32.exeC:\Windows\system32\Aekodi32.exe107⤵PID:2088
-
C:\Windows\SysWOW64\Alegac32.exeC:\Windows\system32\Alegac32.exe108⤵PID:360
-
C:\Windows\SysWOW64\Anccmo32.exeC:\Windows\system32\Anccmo32.exe109⤵PID:1440
-
C:\Windows\SysWOW64\Ahlgfdeq.exeC:\Windows\system32\Ahlgfdeq.exe110⤵PID:2908
-
C:\Windows\SysWOW64\Afohaa32.exeC:\Windows\system32\Afohaa32.exe111⤵PID:1940
-
C:\Windows\SysWOW64\Amhpnkch.exeC:\Windows\system32\Amhpnkch.exe112⤵PID:2916
-
C:\Windows\SysWOW64\Aadloj32.exeC:\Windows\system32\Aadloj32.exe113⤵PID:2280
-
C:\Windows\SysWOW64\Bjlqhoba.exeC:\Windows\system32\Bjlqhoba.exe114⤵PID:1508
-
C:\Windows\SysWOW64\Bioqclil.exeC:\Windows\system32\Bioqclil.exe115⤵PID:2928
-
C:\Windows\SysWOW64\Bbhela32.exeC:\Windows\system32\Bbhela32.exe116⤵PID:2796
-
C:\Windows\SysWOW64\Bfcampgf.exeC:\Windows\system32\Bfcampgf.exe117⤵PID:2676
-
C:\Windows\SysWOW64\Blpjegfm.exeC:\Windows\system32\Blpjegfm.exe118⤵PID:1732
-
C:\Windows\SysWOW64\Bdgafdfp.exeC:\Windows\system32\Bdgafdfp.exe119⤵PID:1760
-
C:\Windows\SysWOW64\Bidjnkdg.exeC:\Windows\system32\Bidjnkdg.exe120⤵PID:2200
-
C:\Windows\SysWOW64\Blbfjg32.exeC:\Windows\system32\Blbfjg32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1016
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-