Analysis
-
max time kernel
141s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
15/03/2024, 18:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3381baa9208d9483264f0829ae96e5f4a695e5c3c1c92cb69c946268c7b227a4.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
3381baa9208d9483264f0829ae96e5f4a695e5c3c1c92cb69c946268c7b227a4.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
3381baa9208d9483264f0829ae96e5f4a695e5c3c1c92cb69c946268c7b227a4.exe
-
Size
285KB
-
MD5
f102971a17e8b8b28286dc59893ec1cc
-
SHA1
417919e37b34bd1b21e7bc4c24834a26b73b2d4f
-
SHA256
3381baa9208d9483264f0829ae96e5f4a695e5c3c1c92cb69c946268c7b227a4
-
SHA512
65dd5bc7eaf1aa9973adf4cfeb6dcbbffcf812c30723b3daf34b9e392afdeb82fc18fbd409ba1b97571f16369a43965fb83d03976c707b44a939aea82cf31bfb
-
SSDEEP
6144:4t+r6d60O/n0hoSTYaT15f7o+STYaT15f6ZLXonvPeZaF8vs:42rf0DTYapJoTYapiMnOZ9
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noqamn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bocolb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhnmij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbdocc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbijhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkicn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfbhnaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqijej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbmmcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enhacojl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amndem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aenbdoii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlibjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhbped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biicik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckafbbph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qecoqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmcijcbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpbefoai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkgbbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbkknojp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkpgfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lafndg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbfpik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdbhke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmkmdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiellh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chhjkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gopkmhjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihankokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlphkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgbhabjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmnhfjmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlhaqogk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjljhjkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njkfpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbfpik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpkbdiqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjpqdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idklfpon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nondgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alnqqd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceaadk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjbmjplb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlhnbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqjepm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbijhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjojofgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nglfapnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdgafdfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Midcpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbkpna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqalka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mppepcfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpdnkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bifgdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paejki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aajpelhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpcbqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfgmhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeempocb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Endhhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbpjiphi.exe -
Executes dropped EXE 64 IoCs
pid Process 2736 Lpgele32.exe 2640 Lganiohl.exe 2728 Lmkfei32.exe 2756 Ldenbcge.exe 2596 Libgjj32.exe 2956 Lmnbkinf.exe 2684 Mcjkcplm.exe 2792 Midcpj32.exe 1604 Mlcple32.exe 1668 Mekdekin.exe 2672 Mhjpaf32.exe 1588 Mcodno32.exe 2196 Mhlmgf32.exe 2204 Mofecpnl.exe 540 Madapkmp.exe 2592 Mkmfhacp.exe 1124 Mpjoqhah.exe 2240 Mgcgmb32.exe 3040 Njbcim32.exe 1300 Nplkfgoe.exe 1304 Ncjgbcoi.exe 2308 Ngfcca32.exe 1200 Njdpomfe.exe 2080 Nlblkhei.exe 2348 Njgldmdc.exe 2812 Nqqdag32.exe 1312 Njiijlbp.exe 2576 Nlgefh32.exe 2568 Nqcagfim.exe 1932 Nbdnoo32.exe 2788 Njkfpl32.exe 2440 Nhnfkigh.exe 2920 Nkmbgdfl.exe 2932 Nohnhc32.exe 2928 Nbfjdn32.exe 2772 Odegpj32.exe 2084 Ohqbqhde.exe 1152 Okoomd32.exe 1400 Onmkio32.exe 2480 Ofdcjm32.exe 1724 Ofdcjm32.exe 1952 Oicpfh32.exe 2940 Ogfpbeim.exe 996 Onphoo32.exe 1768 Oqndkj32.exe 2972 Odjpkihg.exe 2176 Oiellh32.exe 572 Oghlgdgk.exe 1652 Okchhc32.exe 952 Ojficpfn.exe 2732 Onbddoog.exe 2724 Oqqapjnk.exe 1220 Ocomlemo.exe 2912 Okfencna.exe 1936 Ojieip32.exe 2064 Ondajnme.exe 2140 Omgaek32.exe 2668 Oenifh32.exe 1244 Ocajbekl.exe 1964 Ojkboo32.exe 1148 Ojkboo32.exe 1848 Ongnonkb.exe 2796 Pminkk32.exe 2076 Paejki32.exe -
Loads dropped DLL 64 IoCs
pid Process 2952 3381baa9208d9483264f0829ae96e5f4a695e5c3c1c92cb69c946268c7b227a4.exe 2952 3381baa9208d9483264f0829ae96e5f4a695e5c3c1c92cb69c946268c7b227a4.exe 2736 Lpgele32.exe 2736 Lpgele32.exe 2640 Lganiohl.exe 2640 Lganiohl.exe 2728 Lmkfei32.exe 2728 Lmkfei32.exe 2756 Ldenbcge.exe 2756 Ldenbcge.exe 2596 Libgjj32.exe 2596 Libgjj32.exe 2956 Lmnbkinf.exe 2956 Lmnbkinf.exe 2684 Mcjkcplm.exe 2684 Mcjkcplm.exe 2792 Midcpj32.exe 2792 Midcpj32.exe 1604 Mlcple32.exe 1604 Mlcple32.exe 1668 Mekdekin.exe 1668 Mekdekin.exe 2672 Mhjpaf32.exe 2672 Mhjpaf32.exe 1588 Mcodno32.exe 1588 Mcodno32.exe 2196 Mhlmgf32.exe 2196 Mhlmgf32.exe 2204 Mofecpnl.exe 2204 Mofecpnl.exe 540 Madapkmp.exe 540 Madapkmp.exe 2592 Mkmfhacp.exe 2592 Mkmfhacp.exe 1124 Mpjoqhah.exe 1124 Mpjoqhah.exe 2240 Mgcgmb32.exe 2240 Mgcgmb32.exe 3040 Njbcim32.exe 3040 Njbcim32.exe 1300 Nplkfgoe.exe 1300 Nplkfgoe.exe 1304 Ncjgbcoi.exe 1304 Ncjgbcoi.exe 2308 Ngfcca32.exe 2308 Ngfcca32.exe 1200 Njdpomfe.exe 1200 Njdpomfe.exe 2080 Nlblkhei.exe 2080 Nlblkhei.exe 2348 Njgldmdc.exe 2348 Njgldmdc.exe 2812 Nqqdag32.exe 2812 Nqqdag32.exe 1312 Njiijlbp.exe 1312 Njiijlbp.exe 2576 Nlgefh32.exe 2576 Nlgefh32.exe 2568 Nqcagfim.exe 2568 Nqcagfim.exe 1932 Nbdnoo32.exe 1932 Nbdnoo32.exe 2788 Njkfpl32.exe 2788 Njkfpl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pbkpna32.exe Pchpbded.exe File created C:\Windows\SysWOW64\Fphafl32.exe Flmefm32.exe File created C:\Windows\SysWOW64\Coelaaoi.exe Blgpef32.exe File opened for modification C:\Windows\SysWOW64\Chnqkg32.exe Cdbdjhmp.exe File created C:\Windows\SysWOW64\Libgjj32.exe Ldenbcge.exe File created C:\Windows\SysWOW64\Jcdbbloa.exe Joifam32.exe File created C:\Windows\SysWOW64\Cjfccn32.exe Ckccgane.exe File created C:\Windows\SysWOW64\Jaqddb32.dll Enhacojl.exe File created C:\Windows\SysWOW64\Fabnbook.dll Ambmpmln.exe File opened for modification C:\Windows\SysWOW64\Bopicc32.exe Bghabf32.exe File created C:\Windows\SysWOW64\Iqfmng32.dll Kgpjanje.exe File created C:\Windows\SysWOW64\Djhphncm.exe Dfmdho32.exe File created C:\Windows\SysWOW64\Fclomp32.dll Dfijnd32.exe File created C:\Windows\SysWOW64\Igihbknb.exe Icmlam32.exe File opened for modification C:\Windows\SysWOW64\Oqkqkdne.exe Olpdjf32.exe File created C:\Windows\SysWOW64\Pgbhabjp.exe Pedleg32.exe File created C:\Windows\SysWOW64\Fqpjbf32.dll Cjndop32.exe File opened for modification C:\Windows\SysWOW64\Hpapln32.exe Hlfdkoin.exe File created C:\Windows\SysWOW64\Cfnlkbne.dll Lahkigca.exe File opened for modification C:\Windows\SysWOW64\Blbfjg32.exe Bmpfojmp.exe File created C:\Windows\SysWOW64\Eqbddk32.exe Endhhp32.exe File created C:\Windows\SysWOW64\Pdfdcg32.dll Bkodhe32.exe File created C:\Windows\SysWOW64\Jjlnif32.exe Jfqahgpg.exe File opened for modification C:\Windows\SysWOW64\Kgkafo32.exe Kihqkagp.exe File created C:\Windows\SysWOW64\Llkbap32.exe Lhpfqama.exe File opened for modification C:\Windows\SysWOW64\Lahkigca.exe Lbeknj32.exe File opened for modification C:\Windows\SysWOW64\Oikojfgk.exe Ofmbnkhg.exe File created C:\Windows\SysWOW64\Kijbioba.dll Dcadac32.exe File opened for modification C:\Windows\SysWOW64\Amndem32.exe Ankdiqih.exe File opened for modification C:\Windows\SysWOW64\Ddagfm32.exe Dqelenlc.exe File created C:\Windows\SysWOW64\Glaoalkh.exe Ghfbqn32.exe File opened for modification C:\Windows\SysWOW64\Glfhll32.exe Ghkllmoi.exe File created C:\Windows\SysWOW64\Baakhm32.exe Bocolb32.exe File opened for modification C:\Windows\SysWOW64\Blgpef32.exe Bhkdeggl.exe File created C:\Windows\SysWOW64\Boqbfb32.exe Bpnbkeld.exe File opened for modification C:\Windows\SysWOW64\Peiljl32.exe Pfflopdh.exe File created C:\Windows\SysWOW64\Mkaggelk.dll Dcknbh32.exe File created C:\Windows\SysWOW64\Odbhmo32.dll Ebpkce32.exe File created C:\Windows\SysWOW64\Hobcak32.exe Hpocfncj.exe File created C:\Windows\SysWOW64\Abqjpn32.dll Jokcgmee.exe File created C:\Windows\SysWOW64\Jnclnihj.exe Joplbl32.exe File opened for modification C:\Windows\SysWOW64\Ohfeog32.exe Ojcecjee.exe File created C:\Windows\SysWOW64\Cgjcijfp.dll Cdgneh32.exe File created C:\Windows\SysWOW64\Gmfmen32.dll Mhlmgf32.exe File created C:\Windows\SysWOW64\Ihdkao32.exe Ihdkao32.exe File created C:\Windows\SysWOW64\Cmeabq32.dll Okikfagn.exe File opened for modification C:\Windows\SysWOW64\Qimhoi32.exe Qfokbnip.exe File created C:\Windows\SysWOW64\Njgpdbgm.dll Njiijlbp.exe File created C:\Windows\SysWOW64\Mfnekf32.dll Jejhecaj.exe File opened for modification C:\Windows\SysWOW64\Naoniipe.exe Noqamn32.exe File opened for modification C:\Windows\SysWOW64\Qcbllb32.exe Qlkdkd32.exe File created C:\Windows\SysWOW64\Dbkknojp.exe Dnoomqbg.exe File opened for modification C:\Windows\SysWOW64\Qhmbagfa.exe Pijbfj32.exe File opened for modification C:\Windows\SysWOW64\Bnpmipql.exe Bommnc32.exe File created C:\Windows\SysWOW64\Egdnbg32.dll Ejgcdb32.exe File opened for modification C:\Windows\SysWOW64\Ghoegl32.exe Gddifnbk.exe File created C:\Windows\SysWOW64\Hkpnhgge.exe Hcifgjgc.exe File created C:\Windows\SysWOW64\Amdhhh32.dll Nhfipcid.exe File opened for modification C:\Windows\SysWOW64\Mkmfhacp.exe Madapkmp.exe File opened for modification C:\Windows\SysWOW64\Dfgmhd32.exe Ddeaalpg.exe File created C:\Windows\SysWOW64\Ihankokm.exe Idfbkq32.exe File created C:\Windows\SysWOW64\Onjnkb32.dll Aaaoij32.exe File created C:\Windows\SysWOW64\Hhijaf32.dll Enakbp32.exe File opened for modification C:\Windows\SysWOW64\Ecmkghcl.exe Epaogi32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7952 7912 WerFault.exe 763 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbodgap.dll" Cbnbobin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjcpii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmqjgdc.dll" Pggbla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgjcijfp.dll" Cdgneh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Feeiob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcdbbloa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oicpfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffakeiib.dll" Cgmkmecg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mamddf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amkpegnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjlqhoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfmjjgm.dll" Anojbobe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aigaon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmcoja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhkpmjln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndbcpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpiipf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Libgjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlpafgnp.dll" Mhjpaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpnhh32.dll" Pelipl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efncicpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgcpp32.dll" Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjcabmga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nplkfgoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll" Hdfflm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmoado32.dll" Imfqjbli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnqphi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofhick32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll" Ghkllmoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gonahjjd.dll" Nhiffc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onmjak32.dll" Ofelmloo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbadbn32.dll" Egoife32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogfpbeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbiciana.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqamandk.dll" Adhlaggp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alegac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijfoo32.dll" Pjcabmga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djhphncm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcadac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghoegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjqccigf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emjjdbdn.dll" Njlockkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oiellh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blmdlhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Accikb32.dll" Bcaomf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cllpkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fejgko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgioaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojgbclk.dll" Alpmfdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhnmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glpjaf32.dll" Emeopn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afdlhchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpicol32.dll" Cljcelan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npdjje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkphdmd.dll" Ehgppi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibckiab.dll" Eeempocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfknpg.dll" Flabbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oikojfgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajjmcaea.dll" Aoepcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gellaqbd.dll" Cnkicn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhffaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongdpbkl.dll" Ikpjgkjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnajilng.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2952 wrote to memory of 2736 2952 3381baa9208d9483264f0829ae96e5f4a695e5c3c1c92cb69c946268c7b227a4.exe 28 PID 2952 wrote to memory of 2736 2952 3381baa9208d9483264f0829ae96e5f4a695e5c3c1c92cb69c946268c7b227a4.exe 28 PID 2952 wrote to memory of 2736 2952 3381baa9208d9483264f0829ae96e5f4a695e5c3c1c92cb69c946268c7b227a4.exe 28 PID 2952 wrote to memory of 2736 2952 3381baa9208d9483264f0829ae96e5f4a695e5c3c1c92cb69c946268c7b227a4.exe 28 PID 2736 wrote to memory of 2640 2736 Lpgele32.exe 29 PID 2736 wrote to memory of 2640 2736 Lpgele32.exe 29 PID 2736 wrote to memory of 2640 2736 Lpgele32.exe 29 PID 2736 wrote to memory of 2640 2736 Lpgele32.exe 29 PID 2640 wrote to memory of 2728 2640 Lganiohl.exe 30 PID 2640 wrote to memory of 2728 2640 Lganiohl.exe 30 PID 2640 wrote to memory of 2728 2640 Lganiohl.exe 30 PID 2640 wrote to memory of 2728 2640 Lganiohl.exe 30 PID 2728 wrote to memory of 2756 2728 Lmkfei32.exe 31 PID 2728 wrote to memory of 2756 2728 Lmkfei32.exe 31 PID 2728 wrote to memory of 2756 2728 Lmkfei32.exe 31 PID 2728 wrote to memory of 2756 2728 Lmkfei32.exe 31 PID 2756 wrote to memory of 2596 2756 Ldenbcge.exe 32 PID 2756 wrote to memory of 2596 2756 Ldenbcge.exe 32 PID 2756 wrote to memory of 2596 2756 Ldenbcge.exe 32 PID 2756 wrote to memory of 2596 2756 Ldenbcge.exe 32 PID 2596 wrote to memory of 2956 2596 Libgjj32.exe 33 PID 2596 wrote to memory of 2956 2596 Libgjj32.exe 33 PID 2596 wrote to memory of 2956 2596 Libgjj32.exe 33 PID 2596 wrote to memory of 2956 2596 Libgjj32.exe 33 PID 2956 wrote to memory of 2684 2956 Lmnbkinf.exe 34 PID 2956 wrote to memory of 2684 2956 Lmnbkinf.exe 34 PID 2956 wrote to memory of 2684 2956 Lmnbkinf.exe 34 PID 2956 wrote to memory of 2684 2956 Lmnbkinf.exe 34 PID 2684 wrote to memory of 2792 2684 Mcjkcplm.exe 35 PID 2684 wrote to memory of 2792 2684 Mcjkcplm.exe 35 PID 2684 wrote to memory of 2792 2684 Mcjkcplm.exe 35 PID 2684 wrote to memory of 2792 2684 Mcjkcplm.exe 35 PID 2792 wrote to memory of 1604 2792 Midcpj32.exe 36 PID 2792 wrote to memory of 1604 2792 Midcpj32.exe 36 PID 2792 wrote to memory of 1604 2792 Midcpj32.exe 36 PID 2792 wrote to memory of 1604 2792 Midcpj32.exe 36 PID 1604 wrote to memory of 1668 1604 Mlcple32.exe 37 PID 1604 wrote to memory of 1668 1604 Mlcple32.exe 37 PID 1604 wrote to memory of 1668 1604 Mlcple32.exe 37 PID 1604 wrote to memory of 1668 1604 Mlcple32.exe 37 PID 1668 wrote to memory of 2672 1668 Mekdekin.exe 38 PID 1668 wrote to memory of 2672 1668 Mekdekin.exe 38 PID 1668 wrote to memory of 2672 1668 Mekdekin.exe 38 PID 1668 wrote to memory of 2672 1668 Mekdekin.exe 38 PID 2672 wrote to memory of 1588 2672 Mhjpaf32.exe 39 PID 2672 wrote to memory of 1588 2672 Mhjpaf32.exe 39 PID 2672 wrote to memory of 1588 2672 Mhjpaf32.exe 39 PID 2672 wrote to memory of 1588 2672 Mhjpaf32.exe 39 PID 1588 wrote to memory of 2196 1588 Mcodno32.exe 40 PID 1588 wrote to memory of 2196 1588 Mcodno32.exe 40 PID 1588 wrote to memory of 2196 1588 Mcodno32.exe 40 PID 1588 wrote to memory of 2196 1588 Mcodno32.exe 40 PID 2196 wrote to memory of 2204 2196 Mhlmgf32.exe 41 PID 2196 wrote to memory of 2204 2196 Mhlmgf32.exe 41 PID 2196 wrote to memory of 2204 2196 Mhlmgf32.exe 41 PID 2196 wrote to memory of 2204 2196 Mhlmgf32.exe 41 PID 2204 wrote to memory of 540 2204 Mofecpnl.exe 42 PID 2204 wrote to memory of 540 2204 Mofecpnl.exe 42 PID 2204 wrote to memory of 540 2204 Mofecpnl.exe 42 PID 2204 wrote to memory of 540 2204 Mofecpnl.exe 42 PID 540 wrote to memory of 2592 540 Madapkmp.exe 43 PID 540 wrote to memory of 2592 540 Madapkmp.exe 43 PID 540 wrote to memory of 2592 540 Madapkmp.exe 43 PID 540 wrote to memory of 2592 540 Madapkmp.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\3381baa9208d9483264f0829ae96e5f4a695e5c3c1c92cb69c946268c7b227a4.exe"C:\Users\Admin\AppData\Local\Temp\3381baa9208d9483264f0829ae96e5f4a695e5c3c1c92cb69c946268c7b227a4.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1124 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2240 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1300 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1304 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2308 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1200 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2080 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2348 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1312 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe33⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe34⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe35⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe36⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe37⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe38⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe39⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe40⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe41⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe42⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe45⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe46⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe47⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe49⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe50⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe51⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe52⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe53⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe54⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe55⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe56⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe57⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe58⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe59⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe60⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe61⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe62⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe63⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe64⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe66⤵PID:356
-
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe67⤵PID:2072
-
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe68⤵PID:1992
-
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe69⤵PID:1644
-
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe70⤵PID:1884
-
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe71⤵PID:1780
-
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe72⤵PID:1456
-
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe73⤵PID:2828
-
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe74⤵
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe75⤵PID:2460
-
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe76⤵PID:2280
-
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:612 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe78⤵PID:3008
-
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe79⤵PID:332
-
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe80⤵
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1176 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe82⤵
- Drops file in System32 directory
PID:1544 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe83⤵PID:2808
-
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe84⤵PID:2656
-
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe85⤵PID:860
-
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe86⤵PID:2924
-
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1904 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe88⤵
- Modifies registry class
PID:1888 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe89⤵PID:2776
-
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe90⤵PID:2268
-
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe91⤵PID:1564
-
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe92⤵PID:1212
-
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1448 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe94⤵PID:1640
-
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe95⤵PID:1524
-
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe96⤵
- Drops file in System32 directory
PID:2448 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe97⤵PID:992
-
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2560 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe99⤵PID:2784
-
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe100⤵PID:1744
-
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe101⤵PID:2292
-
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe102⤵PID:1776
-
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe103⤵PID:2500
-
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe104⤵PID:2256
-
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe105⤵PID:2408
-
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe106⤵PID:2696
-
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe107⤵PID:404
-
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2368 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe109⤵PID:2172
-
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe110⤵
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe111⤵
- Drops file in System32 directory
PID:1972 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1636 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2636 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe114⤵
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe115⤵PID:2708
-
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe116⤵PID:2324
-
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe117⤵PID:2432
-
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe118⤵PID:812
-
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe119⤵PID:1464
-
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe120⤵PID:2824
-
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe121⤵PID:2540
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-