Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
28/03/2024, 00:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d45332c2dcf74afce5ec1b1a1bb9cbafa5547fe46ee706f66b774ece6802f9e3.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
d45332c2dcf74afce5ec1b1a1bb9cbafa5547fe46ee706f66b774ece6802f9e3.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
d45332c2dcf74afce5ec1b1a1bb9cbafa5547fe46ee706f66b774ece6802f9e3.exe
-
Size
80KB
-
MD5
aa427d2448bff2b0bfb85d8502327838
-
SHA1
75399bb0e9d6cb7016409d720b6b937fde58904c
-
SHA256
d45332c2dcf74afce5ec1b1a1bb9cbafa5547fe46ee706f66b774ece6802f9e3
-
SHA512
a14acf7f66f55851865d9bdd788c5f531f5b59daa69fcd3c063e103c7250fd8e7397d4971a038b91ab10273b72b483b1e25487ad54806d7d5d5b3e192d08e5b7
-
SSDEEP
1536:cf9UM2gFrKf32SiMmU2Lt5ywfi+TjRC/6y:c1UM2gFrC2SiMgGwf1TjYD
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad d45332c2dcf74afce5ec1b1a1bb9cbafa5547fe46ee706f66b774ece6802f9e3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcmhiojk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgfjbgmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gieojq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnmehnan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cppkph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqonkmdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkpgfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhpfqama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhiffc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adpkee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clilkfnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgobhcac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfbccp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojolhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfffnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egafleqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdjefj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fejgko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfghif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cciemedf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chhjkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjjacf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keoapb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mijfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgnfhlin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pimkpfeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qabcjgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apimacnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biamilfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phjelg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccfhhffh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iknnbklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igdogl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjlnif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhbcfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojcecjee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qagcpljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnpmipql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekelld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bagpopmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfcnngnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjjmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meccii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oonafa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcmhiojk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpjoqhah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmjblg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gphmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhbcfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nondgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojieip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhmcfkme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqmcpahh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nolhan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdcnlglc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjlhneio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moiklogi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obcccl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnjdhmdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkqbaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Balijo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccfhhffh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbcnhjnj.exe -
Executes dropped EXE 64 IoCs
pid Process 2644 Lefkjkmc.exe 820 Llqcfe32.exe 2672 Mcjkcplm.exe 2596 Mgfgdn32.exe 2720 Midcpj32.exe 2520 Mlcple32.exe 2752 Mpolmdkg.exe 2976 Moalhq32.exe 2440 Mcmhiojk.exe 1896 Maphdl32.exe 1532 Migpeiag.exe 2900 Mhjpaf32.exe 1856 Mkhmma32.exe 2176 Mochnppo.exe 2320 Mabejlob.exe 268 Menakj32.exe 1516 Mlgigdoh.exe 1988 Mofecpnl.exe 412 Madapkmp.exe 3012 Mdcnlglc.exe 960 Mdcnlglc.exe 1584 Mhnjle32.exe 2388 Mkmfhacp.exe 920 Mohbip32.exe 1944 Mnkbdlbd.exe 1664 Magnek32.exe 2232 Mpjoqhah.exe 2656 Mdejaf32.exe 2708 Mgcgmb32.exe 2604 Nnnojlpa.exe 3020 Nplkfgoe.exe 2804 Ndgggf32.exe 1904 Ngfcca32.exe 2272 Nkaocp32.exe 2808 Nnplpl32.exe 2636 Npnhlg32.exe 1448 Ncmdhb32.exe 2324 Nfkpdn32.exe 1960 Njgldmdc.exe 2060 Nleiqhcg.exe 2280 Nqqdag32.exe 1128 Nocemcbj.exe 2308 Ncoamb32.exe 1568 Nfmmin32.exe 1996 Njiijlbp.exe 1764 Nhlifi32.exe 908 Nlgefh32.exe 2544 Nqcagfim.exe 2164 Nofabc32.exe 992 Ncancbha.exe 1940 Nfpjomgd.exe 1672 Njkfpl32.exe 2728 Nhnfkigh.exe 2812 Nmjblg32.exe 1852 Nohnhc32.exe 2568 Nccjhafn.exe 2056 Nbfjdn32.exe 3024 Ofbfdmeb.exe 1200 Odegpj32.exe 1160 Ohqbqhde.exe 1656 Omloag32.exe 3064 Okoomd32.exe 3036 Oojknblb.exe 2352 Onmkio32.exe -
Loads dropped DLL 64 IoCs
pid Process 2240 d45332c2dcf74afce5ec1b1a1bb9cbafa5547fe46ee706f66b774ece6802f9e3.exe 2240 d45332c2dcf74afce5ec1b1a1bb9cbafa5547fe46ee706f66b774ece6802f9e3.exe 2644 Lefkjkmc.exe 2644 Lefkjkmc.exe 820 Llqcfe32.exe 820 Llqcfe32.exe 2672 Mcjkcplm.exe 2672 Mcjkcplm.exe 2596 Mgfgdn32.exe 2596 Mgfgdn32.exe 2720 Midcpj32.exe 2720 Midcpj32.exe 2520 Mlcple32.exe 2520 Mlcple32.exe 2752 Mpolmdkg.exe 2752 Mpolmdkg.exe 2976 Moalhq32.exe 2976 Moalhq32.exe 2440 Mcmhiojk.exe 2440 Mcmhiojk.exe 1896 Maphdl32.exe 1896 Maphdl32.exe 1532 Migpeiag.exe 1532 Migpeiag.exe 2900 Mhjpaf32.exe 2900 Mhjpaf32.exe 1856 Mkhmma32.exe 1856 Mkhmma32.exe 2176 Mochnppo.exe 2176 Mochnppo.exe 2320 Mabejlob.exe 2320 Mabejlob.exe 268 Menakj32.exe 268 Menakj32.exe 1516 Mlgigdoh.exe 1516 Mlgigdoh.exe 1988 Mofecpnl.exe 1988 Mofecpnl.exe 412 Madapkmp.exe 412 Madapkmp.exe 3012 Mdcnlglc.exe 3012 Mdcnlglc.exe 960 Mdcnlglc.exe 960 Mdcnlglc.exe 1584 Mhnjle32.exe 1584 Mhnjle32.exe 2388 Mkmfhacp.exe 2388 Mkmfhacp.exe 920 Mohbip32.exe 920 Mohbip32.exe 1944 Mnkbdlbd.exe 1944 Mnkbdlbd.exe 1664 Magnek32.exe 1664 Magnek32.exe 2232 Mpjoqhah.exe 2232 Mpjoqhah.exe 2656 Mdejaf32.exe 2656 Mdejaf32.exe 2708 Mgcgmb32.exe 2708 Mgcgmb32.exe 2604 Nnnojlpa.exe 2604 Nnnojlpa.exe 3020 Nplkfgoe.exe 3020 Nplkfgoe.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ndkmpe32.exe Nehmdhja.exe File opened for modification C:\Windows\SysWOW64\Ofhick32.exe Ocimgp32.exe File created C:\Windows\SysWOW64\Obojhlbq.exe Oclilp32.exe File created C:\Windows\SysWOW64\Jkbcpgjj.dll Coklgg32.exe File opened for modification C:\Windows\SysWOW64\Ghfbqn32.exe Gicbeald.exe File created C:\Windows\SysWOW64\Afcenm32.exe Abhimnma.exe File created C:\Windows\SysWOW64\Fpgiom32.dll Bmkmdk32.exe File created C:\Windows\SysWOW64\Nlgefh32.exe Nhlifi32.exe File created C:\Windows\SysWOW64\Bdlblj32.exe Bpafkknm.exe File opened for modification C:\Windows\SysWOW64\Plcdgfbo.exe Pmqdkj32.exe File opened for modification C:\Windows\SysWOW64\Lkojpojq.dll Efncicpm.exe File opened for modification C:\Windows\SysWOW64\Hjhhocjj.exe Hellne32.exe File created C:\Windows\SysWOW64\Jfghif32.exe Jbllihbf.exe File opened for modification C:\Windows\SysWOW64\Leonofpp.exe Lflmci32.exe File created C:\Windows\SysWOW64\Bifgdk32.exe Bekkcljk.exe File opened for modification C:\Windows\SysWOW64\Omloag32.exe Ohqbqhde.exe File opened for modification C:\Windows\SysWOW64\Obkdonic.exe Oomhcbjp.exe File created C:\Windows\SysWOW64\Dkqbaecc.exe Dhbfdjdp.exe File created C:\Windows\SysWOW64\Bibkki32.dll Leajdfnm.exe File created C:\Windows\SysWOW64\Icplghmh.dll Bagpopmj.exe File created C:\Windows\SysWOW64\Loclnq32.dll Jkpgfn32.exe File created C:\Windows\SysWOW64\Kmjfdejp.exe Kngfih32.exe File opened for modification C:\Windows\SysWOW64\Obojhlbq.exe Oclilp32.exe File created C:\Windows\SysWOW64\Baakhm32.exe Bocolb32.exe File opened for modification C:\Windows\SysWOW64\Mmceigep.exe Mkeimlfm.exe File opened for modification C:\Windows\SysWOW64\Fmhheqje.exe Filldb32.exe File created C:\Windows\SysWOW64\Kpmlkp32.exe Kmopod32.exe File created C:\Windows\SysWOW64\Pjholl32.dll Ncoamb32.exe File created C:\Windows\SysWOW64\Emieil32.exe Ejkima32.exe File opened for modification C:\Windows\SysWOW64\Baakhm32.exe Bocolb32.exe File created C:\Windows\SysWOW64\Geolea32.exe Gacpdbej.exe File created C:\Windows\SysWOW64\Pbqpqcoj.dll Pklhlael.exe File created C:\Windows\SysWOW64\Ahlgfdeq.exe Adpkee32.exe File opened for modification C:\Windows\SysWOW64\Aalmklfi.exe Affhncfc.exe File created C:\Windows\SysWOW64\Epafjqck.dll Eqonkmdh.exe File opened for modification C:\Windows\SysWOW64\Gicbeald.exe Gfefiemq.exe File created C:\Windows\SysWOW64\Dekpaqgc.dll Emeopn32.exe File opened for modification C:\Windows\SysWOW64\Hellne32.exe Hobcak32.exe File created C:\Windows\SysWOW64\Mmceigep.exe Mkeimlfm.exe File opened for modification C:\Windows\SysWOW64\Ocgpappk.exe Oddpfc32.exe File opened for modification C:\Windows\SysWOW64\Bemgilhh.exe Baakhm32.exe File created C:\Windows\SysWOW64\Omocdp32.dll Mkmfhacp.exe File created C:\Windows\SysWOW64\Gkhqdcam.dll Ofbfdmeb.exe File opened for modification C:\Windows\SysWOW64\Ojcecjee.exe Ofhick32.exe File opened for modification C:\Windows\SysWOW64\Piphee32.exe Pqhpdhcc.exe File opened for modification C:\Windows\SysWOW64\Qbelgood.exe Qcbllb32.exe File created C:\Windows\SysWOW64\Cnippoha.exe Cjndop32.exe File created C:\Windows\SysWOW64\Ijqnib32.dll Lefdpe32.exe File created C:\Windows\SysWOW64\Gacpdbej.exe Gmgdddmq.exe File created C:\Windows\SysWOW64\Bhpdae32.dll Hckcmjep.exe File opened for modification C:\Windows\SysWOW64\Pqhpdhcc.exe Pnjdhmdo.exe File opened for modification C:\Windows\SysWOW64\Ahgnke32.exe Aidnohbk.exe File opened for modification C:\Windows\SysWOW64\Mofecpnl.exe Mlgigdoh.exe File opened for modification C:\Windows\SysWOW64\Fjlhneio.exe Ffpmnf32.exe File created C:\Windows\SysWOW64\Kffbcfgd.dll Oomhcbjp.exe File created C:\Windows\SysWOW64\Hgdbhi32.exe Hdfflm32.exe File created C:\Windows\SysWOW64\Lblqijln.dll Namqci32.exe File created C:\Windows\SysWOW64\Dpajdp32.dll Ofmbnkhg.exe File created C:\Windows\SysWOW64\Hjlanqkq.dll Cnippoha.exe File opened for modification C:\Windows\SysWOW64\Fjgoce32.exe Fhhcgj32.exe File opened for modification C:\Windows\SysWOW64\Hnagjbdf.exe Hejoiedd.exe File created C:\Windows\SysWOW64\Eqpofkjo.dll Ilknfn32.exe File created C:\Windows\SysWOW64\Lfjqnjkh.exe Lbnemk32.exe File opened for modification C:\Windows\SysWOW64\Okikfagn.exe Omfkke32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7952 7928 WerFault.exe 731 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dndlim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhnjle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boiccdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkahhbbj.dll" Ddcdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eajaoq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhjhkq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofpfnqjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djklnnaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbkeib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iggkllpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joplbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgnfhlin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nialog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amkpegnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hadfjo32.dll" Cnobnmpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampehe32.dll" Ejmebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnneja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebpkce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eecqjpee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemeeh32.dll" Mcjkcplm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikddbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jooclokl.dll" Kmmcjehm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njgldmdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncoamb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiahfd32.dll" Ahokfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mocaac32.dll" Bkdmcdoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbqecg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maphhihi.dll" Emhlfmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fiaeoang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldidkbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoacn32.dll" Mpdnkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcjfoqkg.dll" Aplifb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blbfjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gelppaof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijgdngmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhklfnh.dll" Lhbcfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckgkkllh.dll" Dhbfdjdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pphjgfqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmgmhmc.dll" Fjlhneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kblhgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nohnhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbqpqcoj.dll" Pklhlael.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alihbgdo.dll" Bgknheej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egadpgfp.dll" Fcmgfkeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkpgfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qpecfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekelld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnippoha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inngcfid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aibajhdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdgneh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohibdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dglpkenb.dll" Cclkfdnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mochnppo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckdjbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jehkodcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gonahjjd.dll" Nhiffc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjaonpnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okchhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncffdfn.dll" Balijo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pefijfii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dliijipn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abhimnma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajejgp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2240 wrote to memory of 2644 2240 d45332c2dcf74afce5ec1b1a1bb9cbafa5547fe46ee706f66b774ece6802f9e3.exe 28 PID 2240 wrote to memory of 2644 2240 d45332c2dcf74afce5ec1b1a1bb9cbafa5547fe46ee706f66b774ece6802f9e3.exe 28 PID 2240 wrote to memory of 2644 2240 d45332c2dcf74afce5ec1b1a1bb9cbafa5547fe46ee706f66b774ece6802f9e3.exe 28 PID 2240 wrote to memory of 2644 2240 d45332c2dcf74afce5ec1b1a1bb9cbafa5547fe46ee706f66b774ece6802f9e3.exe 28 PID 2644 wrote to memory of 820 2644 Lefkjkmc.exe 29 PID 2644 wrote to memory of 820 2644 Lefkjkmc.exe 29 PID 2644 wrote to memory of 820 2644 Lefkjkmc.exe 29 PID 2644 wrote to memory of 820 2644 Lefkjkmc.exe 29 PID 820 wrote to memory of 2672 820 Llqcfe32.exe 30 PID 820 wrote to memory of 2672 820 Llqcfe32.exe 30 PID 820 wrote to memory of 2672 820 Llqcfe32.exe 30 PID 820 wrote to memory of 2672 820 Llqcfe32.exe 30 PID 2672 wrote to memory of 2596 2672 Mcjkcplm.exe 31 PID 2672 wrote to memory of 2596 2672 Mcjkcplm.exe 31 PID 2672 wrote to memory of 2596 2672 Mcjkcplm.exe 31 PID 2672 wrote to memory of 2596 2672 Mcjkcplm.exe 31 PID 2596 wrote to memory of 2720 2596 Mgfgdn32.exe 32 PID 2596 wrote to memory of 2720 2596 Mgfgdn32.exe 32 PID 2596 wrote to memory of 2720 2596 Mgfgdn32.exe 32 PID 2596 wrote to memory of 2720 2596 Mgfgdn32.exe 32 PID 2720 wrote to memory of 2520 2720 Midcpj32.exe 33 PID 2720 wrote to memory of 2520 2720 Midcpj32.exe 33 PID 2720 wrote to memory of 2520 2720 Midcpj32.exe 33 PID 2720 wrote to memory of 2520 2720 Midcpj32.exe 33 PID 2520 wrote to memory of 2752 2520 Mlcple32.exe 34 PID 2520 wrote to memory of 2752 2520 Mlcple32.exe 34 PID 2520 wrote to memory of 2752 2520 Mlcple32.exe 34 PID 2520 wrote to memory of 2752 2520 Mlcple32.exe 34 PID 2752 wrote to memory of 2976 2752 Mpolmdkg.exe 35 PID 2752 wrote to memory of 2976 2752 Mpolmdkg.exe 35 PID 2752 wrote to memory of 2976 2752 Mpolmdkg.exe 35 PID 2752 wrote to memory of 2976 2752 Mpolmdkg.exe 35 PID 2976 wrote to memory of 2440 2976 Moalhq32.exe 36 PID 2976 wrote to memory of 2440 2976 Moalhq32.exe 36 PID 2976 wrote to memory of 2440 2976 Moalhq32.exe 36 PID 2976 wrote to memory of 2440 2976 Moalhq32.exe 36 PID 2440 wrote to memory of 1896 2440 Mcmhiojk.exe 37 PID 2440 wrote to memory of 1896 2440 Mcmhiojk.exe 37 PID 2440 wrote to memory of 1896 2440 Mcmhiojk.exe 37 PID 2440 wrote to memory of 1896 2440 Mcmhiojk.exe 37 PID 1896 wrote to memory of 1532 1896 Maphdl32.exe 38 PID 1896 wrote to memory of 1532 1896 Maphdl32.exe 38 PID 1896 wrote to memory of 1532 1896 Maphdl32.exe 38 PID 1896 wrote to memory of 1532 1896 Maphdl32.exe 38 PID 1532 wrote to memory of 2900 1532 Migpeiag.exe 39 PID 1532 wrote to memory of 2900 1532 Migpeiag.exe 39 PID 1532 wrote to memory of 2900 1532 Migpeiag.exe 39 PID 1532 wrote to memory of 2900 1532 Migpeiag.exe 39 PID 2900 wrote to memory of 1856 2900 Mhjpaf32.exe 40 PID 2900 wrote to memory of 1856 2900 Mhjpaf32.exe 40 PID 2900 wrote to memory of 1856 2900 Mhjpaf32.exe 40 PID 2900 wrote to memory of 1856 2900 Mhjpaf32.exe 40 PID 1856 wrote to memory of 2176 1856 Mkhmma32.exe 41 PID 1856 wrote to memory of 2176 1856 Mkhmma32.exe 41 PID 1856 wrote to memory of 2176 1856 Mkhmma32.exe 41 PID 1856 wrote to memory of 2176 1856 Mkhmma32.exe 41 PID 2176 wrote to memory of 2320 2176 Mochnppo.exe 42 PID 2176 wrote to memory of 2320 2176 Mochnppo.exe 42 PID 2176 wrote to memory of 2320 2176 Mochnppo.exe 42 PID 2176 wrote to memory of 2320 2176 Mochnppo.exe 42 PID 2320 wrote to memory of 268 2320 Mabejlob.exe 43 PID 2320 wrote to memory of 268 2320 Mabejlob.exe 43 PID 2320 wrote to memory of 268 2320 Mabejlob.exe 43 PID 2320 wrote to memory of 268 2320 Mabejlob.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\d45332c2dcf74afce5ec1b1a1bb9cbafa5547fe46ee706f66b774ece6802f9e3.exe"C:\Users\Admin\AppData\Local\Temp\d45332c2dcf74afce5ec1b1a1bb9cbafa5547fe46ee706f66b774ece6802f9e3.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:268 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1516 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1988 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:412 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:960 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:920 -
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1944 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1664 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2232 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe33⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe34⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe35⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe36⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe37⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe38⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe39⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe41⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe42⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe43⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe45⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe46⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1764 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe48⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe49⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe50⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe51⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe52⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe53⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe54⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1852 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe57⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe58⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3024 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe60⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1160 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe62⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe63⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe64⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe65⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe66⤵PID:1188
-
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe67⤵PID:2108
-
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe68⤵PID:1288
-
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe69⤵PID:784
-
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe70⤵PID:708
-
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe71⤵
- Drops file in System32 directory
PID:1888 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe72⤵PID:2828
-
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe73⤵PID:2464
-
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe74⤵PID:2904
-
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe75⤵PID:2364
-
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe76⤵PID:2528
-
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe77⤵
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe78⤵PID:1164
-
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe79⤵PID:1736
-
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe80⤵PID:2552
-
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe81⤵PID:692
-
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe82⤵PID:2268
-
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1048 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe84⤵PID:2580
-
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe85⤵PID:2480
-
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe86⤵PID:844
-
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe87⤵PID:2052
-
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe88⤵PID:592
-
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe89⤵
- Modifies registry class
PID:1068 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe90⤵PID:1648
-
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe91⤵PID:3048
-
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe92⤵PID:1148
-
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe93⤵
- Modifies registry class
PID:380 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe94⤵PID:2448
-
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1352 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2760 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe97⤵PID:2460
-
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe98⤵PID:2428
-
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe99⤵PID:2064
-
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe100⤵PID:1364
-
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe101⤵PID:656
-
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe102⤵PID:848
-
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe103⤵PID:2092
-
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe104⤵PID:1680
-
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe105⤵PID:788
-
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe106⤵PID:1872
-
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe107⤵PID:1436
-
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe108⤵PID:2844
-
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe109⤵PID:2576
-
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe110⤵PID:2724
-
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe111⤵PID:968
-
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe112⤵PID:2504
-
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe113⤵
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe114⤵PID:2928
-
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe115⤵PID:1580
-
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe116⤵PID:1880
-
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe117⤵PID:1792
-
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe118⤵PID:2680
-
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1176 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe120⤵PID:2040
-
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe121⤵PID:1500
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-