Analysis
-
max time kernel
147s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
10/05/2024, 02:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cc480bcafe2548153f7599f6ebf0a570149fea38077125acf6ffd30a25e41f97.exe
Resource
win7-20240215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
cc480bcafe2548153f7599f6ebf0a570149fea38077125acf6ffd30a25e41f97.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
cc480bcafe2548153f7599f6ebf0a570149fea38077125acf6ffd30a25e41f97.exe
-
Size
303KB
-
MD5
dd1f8a8e34b2f23def129765fc632bf3
-
SHA1
baa12ca876c70e20406279893c8e991bc743bc21
-
SHA256
cc480bcafe2548153f7599f6ebf0a570149fea38077125acf6ffd30a25e41f97
-
SHA512
65c3ec921aab97aff19c02db6304a6fc7a4b5471c0813e6a4c6af25ab5e37b3684ac43626882fa6d5b2efe69f0105e9d39970d293dea5a39c0f346a47ea62aa2
-
SSDEEP
6144:0eKs1MlFojUjS65CPXbo92ynnZlVrtv35CPXbo92ynn8sbeWDSpaH8m34:/OvjfFHRFbeE8mo
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Claifkkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dchali32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpknlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nocnbmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgplkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbhela32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pphjgfqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cljcelan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elmigj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbijhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpapln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbhmnkjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gieojq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dndlim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nacgdhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clilkfnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnieom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aplpai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gejcjbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjhhocjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noqamn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alpmfdcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnojdcfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plahag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhahlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doobajme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nocnbmoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcegmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eibbcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nohnhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhcdaibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Facdeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cojema32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dolnad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejobhppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahakmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlmlecec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anafhopc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhffaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enfenplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adjigg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkihhhnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmmcjehm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oddpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdbhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlnbeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onphoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmpkjkma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahokfj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Begeknan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcknbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiekid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jifdebic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpeekh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhmcfkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enkece32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flmefm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlcgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omfkke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idklfpon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgioaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhhnli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaemjbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Henidd32.exe -
Executes dropped EXE 64 IoCs
pid Process 1768 Labhkh32.exe 2124 Ldqegd32.exe 2600 Lhlqhb32.exe 2484 Lipjejgp.exe 2564 Lpjbad32.exe 2524 Lchnnp32.exe 1732 Mcjkcplm.exe 2868 Mlcple32.exe 2656 Moalhq32.exe 2036 Mochnppo.exe 1780 Mhlmgf32.exe 2848 Mnieom32.exe 1412 Mhnjle32.exe 1544 Mohbip32.exe 676 Mkobnqan.exe 1504 Nnnojlpa.exe 824 Nnplpl32.exe 408 Npnhlg32.exe 1992 Ncmdhb32.exe 1740 Nnbhek32.exe 748 Nqqdag32.exe 1952 Ngkmnacm.exe 3064 Njiijlbp.exe 1548 Nqcagfim.exe 1432 Nbdnoo32.exe 1036 Njkfpl32.exe 1596 Nohnhc32.exe 1448 Nccjhafn.exe 2272 Ofbfdmeb.exe 2748 Okoomd32.exe 2584 Obigjnkf.exe 3048 Okalbc32.exe 2504 Onphoo32.exe 3032 Oqndkj32.exe 2820 Ojficpfn.exe 2780 Onbddoog.exe 1008 Ogjimd32.exe 816 Ojieip32.exe 2840 Oenifh32.exe 2000 Ojkboo32.exe 2408 Ongnonkb.exe 2908 Pphjgfqq.exe 820 Pgobhcac.exe 1296 Pipopl32.exe 1820 Paggai32.exe 1720 Pcfcmd32.exe 1396 Pbiciana.exe 1964 Piblek32.exe 1892 Plahag32.exe 1164 Pchpbded.exe 1812 Pbkpna32.exe 892 Peiljl32.exe 1612 Pmqdkj32.exe 1204 Ppoqge32.exe 2648 Pbmmcq32.exe 2144 Pfiidobe.exe 2452 Phjelg32.exe 2984 Plfamfpm.exe 2828 Pbpjiphi.exe 2812 Pabjem32.exe 2344 Penfelgm.exe 496 Qlhnbf32.exe 2672 Qjknnbed.exe 2728 Qbbfopeg.exe -
Loads dropped DLL 64 IoCs
pid Process 2204 cc480bcafe2548153f7599f6ebf0a570149fea38077125acf6ffd30a25e41f97.exe 2204 cc480bcafe2548153f7599f6ebf0a570149fea38077125acf6ffd30a25e41f97.exe 1768 Labhkh32.exe 1768 Labhkh32.exe 2124 Ldqegd32.exe 2124 Ldqegd32.exe 2600 Lhlqhb32.exe 2600 Lhlqhb32.exe 2484 Lipjejgp.exe 2484 Lipjejgp.exe 2564 Lpjbad32.exe 2564 Lpjbad32.exe 2524 Lchnnp32.exe 2524 Lchnnp32.exe 1732 Mcjkcplm.exe 1732 Mcjkcplm.exe 2868 Mlcple32.exe 2868 Mlcple32.exe 2656 Moalhq32.exe 2656 Moalhq32.exe 2036 Mochnppo.exe 2036 Mochnppo.exe 1780 Mhlmgf32.exe 1780 Mhlmgf32.exe 2848 Mnieom32.exe 2848 Mnieom32.exe 1412 Mhnjle32.exe 1412 Mhnjle32.exe 1544 Mohbip32.exe 1544 Mohbip32.exe 676 Mkobnqan.exe 676 Mkobnqan.exe 1504 Nnnojlpa.exe 1504 Nnnojlpa.exe 824 Nnplpl32.exe 824 Nnplpl32.exe 408 Npnhlg32.exe 408 Npnhlg32.exe 1992 Ncmdhb32.exe 1992 Ncmdhb32.exe 1740 Nnbhek32.exe 1740 Nnbhek32.exe 748 Nqqdag32.exe 748 Nqqdag32.exe 1952 Ngkmnacm.exe 1952 Ngkmnacm.exe 3064 Njiijlbp.exe 3064 Njiijlbp.exe 1548 Nqcagfim.exe 1548 Nqcagfim.exe 1432 Nbdnoo32.exe 1432 Nbdnoo32.exe 1036 Njkfpl32.exe 1036 Njkfpl32.exe 1596 Nohnhc32.exe 1596 Nohnhc32.exe 1448 Nccjhafn.exe 1448 Nccjhafn.exe 2272 Ofbfdmeb.exe 2272 Ofbfdmeb.exe 2748 Okoomd32.exe 2748 Okoomd32.exe 2584 Obigjnkf.exe 2584 Obigjnkf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mlcple32.exe Mcjkcplm.exe File created C:\Windows\SysWOW64\Obilnl32.dll Clilkfnb.exe File created C:\Windows\SysWOW64\Kjpfgi32.dll Gfefiemq.exe File opened for modification C:\Windows\SysWOW64\Idfbkq32.exe Ifcbodli.exe File created C:\Windows\SysWOW64\Iebpge32.dll Gelppaof.exe File created C:\Windows\SysWOW64\Nmngmj32.dll Jnclnihj.exe File created C:\Windows\SysWOW64\Cbnbobin.exe Ckdjbh32.exe File opened for modification C:\Windows\SysWOW64\Kafbec32.exe Kmjfdejp.exe File opened for modification C:\Windows\SysWOW64\Lhpfqama.exe Limfed32.exe File created C:\Windows\SysWOW64\Bidjnkdg.exe Bbjbaa32.exe File created C:\Windows\SysWOW64\Alpmfdcb.exe Ahdaee32.exe File created C:\Windows\SysWOW64\Qecoqk32.exe Qagcpljo.exe File created C:\Windows\SysWOW64\Kegiig32.dll Fhkpmjln.exe File opened for modification C:\Windows\SysWOW64\Nkgbbo32.exe Nhiffc32.exe File created C:\Windows\SysWOW64\Icaooali.dll Mochnppo.exe File opened for modification C:\Windows\SysWOW64\Knjbnh32.exe Kfbkmk32.exe File created C:\Windows\SysWOW64\Ankdiqih.exe Ahakmf32.exe File created C:\Windows\SysWOW64\Comimg32.exe Clomqk32.exe File created C:\Windows\SysWOW64\Ebagmn32.dll Djbiicon.exe File created C:\Windows\SysWOW64\Naoniipe.exe Noqamn32.exe File opened for modification C:\Windows\SysWOW64\Dfamcogo.exe Dccagcgk.exe File opened for modification C:\Windows\SysWOW64\Piphee32.exe Pqhpdhcc.exe File opened for modification C:\Windows\SysWOW64\Njiijlbp.exe Ngkmnacm.exe File created C:\Windows\SysWOW64\Ldhebk32.dll Pfiidobe.exe File created C:\Windows\SysWOW64\Bebkpn32.exe Bpfcgg32.exe File opened for modification C:\Windows\SysWOW64\Cndbcc32.exe Ckffgg32.exe File created C:\Windows\SysWOW64\Kmjfdejp.exe Kjljhjkl.exe File opened for modification C:\Windows\SysWOW64\Oqideepg.exe Olmhdf32.exe File opened for modification C:\Windows\SysWOW64\Dhbfdjdp.exe Dfdjhndl.exe File created C:\Windows\SysWOW64\Dhjfhhen.dll Okoomd32.exe File created C:\Windows\SysWOW64\Dhjgal32.exe Ddokpmfo.exe File created C:\Windows\SysWOW64\Fphafl32.exe Flmefm32.exe File opened for modification C:\Windows\SysWOW64\Bnpmipql.exe Bommnc32.exe File created C:\Windows\SysWOW64\Ojfaijcc.exe Obojhlbq.exe File created C:\Windows\SysWOW64\Hjbpkign.dll Jcbellac.exe File created C:\Windows\SysWOW64\Pmanoifd.exe Pkpagq32.exe File created C:\Windows\SysWOW64\Ncfnmo32.dll Bmmiij32.exe File created C:\Windows\SysWOW64\Kihqkagp.exe Kaaijdgn.exe File opened for modification C:\Windows\SysWOW64\Pchpbded.exe Plahag32.exe File created C:\Windows\SysWOW64\Cjndop32.exe Cgpgce32.exe File created C:\Windows\SysWOW64\Iaeldika.dll Fhhcgj32.exe File created C:\Windows\SysWOW64\Daoiajfm.dll Lflmci32.exe File created C:\Windows\SysWOW64\Iecenlqh.dll Bbhela32.exe File opened for modification C:\Windows\SysWOW64\Dccagcgk.exe Dpeekh32.exe File opened for modification C:\Windows\SysWOW64\Ebinic32.exe Eloemi32.exe File created C:\Windows\SysWOW64\Nblnkb32.dll Ojfaijcc.exe File created C:\Windows\SysWOW64\Jjpbahga.dll Kjjmbj32.exe File created C:\Windows\SysWOW64\Mpfkqb32.exe Mmhodf32.exe File opened for modification C:\Windows\SysWOW64\Pcnbablo.exe Papfegmk.exe File created C:\Windows\SysWOW64\Ipdljffa.dll Cndbcc32.exe File created C:\Windows\SysWOW64\Gpknlk32.exe Globlmmj.exe File created C:\Windows\SysWOW64\Lnnhje32.dll Gpknlk32.exe File created C:\Windows\SysWOW64\Dlkaflan.dll Dglpbbbg.exe File created C:\Windows\SysWOW64\Bcinmgng.dll Kcihlong.exe File opened for modification C:\Windows\SysWOW64\Njkfpl32.exe Nbdnoo32.exe File opened for modification C:\Windows\SysWOW64\Djnpnc32.exe Dhmcfkme.exe File created C:\Windows\SysWOW64\Fjlhneio.exe Fbdqmghm.exe File created C:\Windows\SysWOW64\Jngohf32.dll Apomfh32.exe File opened for modification C:\Windows\SysWOW64\Kcdnao32.exe Kafbec32.exe File created C:\Windows\SysWOW64\Nkkgfioo.dll Noqamn32.exe File created C:\Windows\SysWOW64\Hdjlnm32.dll Cdgneh32.exe File created C:\Windows\SysWOW64\Fenhecef.dll Hcnpbi32.exe File opened for modification C:\Windows\SysWOW64\Pgplkb32.exe Pimkpfeh.exe File created C:\Windows\SysWOW64\Ndabhn32.dll Hpmgqnfl.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5492 5444 WerFault.exe 547 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaobdjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obilnl32.dll" Clilkfnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oopnlacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flabbihl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glaoalkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkgbbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enhacojl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkmmhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hobcak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nefpnhlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebpkk32.dll" Caknol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcfcmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkgmi32.dll" Mkgfckcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhbfdjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbkknojp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nccjhafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ognnoaka.dll" Ckignd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabfdklg.dll" Gkgkbipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkmmhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkgkbipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfecjakk.dll" Lhlqhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilknfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idfbkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhkbkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbdnoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abqjpn32.dll" Jokcgmee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjcpii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldfgebbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfmal32.dll" Clomqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clphjpmh.dll" Fdapak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Albjlcao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhjfhhen.dll" Okoomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmgdddmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkndaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdoik32.dll" Ecmkghcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqdeaqb.dll" Dlkepi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baildokg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlphkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfdjhndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecejkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbiciana.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll" Hlcgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpiipf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cojema32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll" Hcplhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdkmeh32.dll" Igdogl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flcnijgi.dll" Dchali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baakhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apcfahio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfefiemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iaeiieeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghegkoc.dll" Flabbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Claifkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfbei32.dll" Dhbfdjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgmkloid.dll" Npfgpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqideepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll" Gddifnbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiekid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blbfjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qecoqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnneja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjpbahga.dll" Kjjmbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfghif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpbaebdd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2204 wrote to memory of 1768 2204 cc480bcafe2548153f7599f6ebf0a570149fea38077125acf6ffd30a25e41f97.exe 28 PID 2204 wrote to memory of 1768 2204 cc480bcafe2548153f7599f6ebf0a570149fea38077125acf6ffd30a25e41f97.exe 28 PID 2204 wrote to memory of 1768 2204 cc480bcafe2548153f7599f6ebf0a570149fea38077125acf6ffd30a25e41f97.exe 28 PID 2204 wrote to memory of 1768 2204 cc480bcafe2548153f7599f6ebf0a570149fea38077125acf6ffd30a25e41f97.exe 28 PID 1768 wrote to memory of 2124 1768 Labhkh32.exe 29 PID 1768 wrote to memory of 2124 1768 Labhkh32.exe 29 PID 1768 wrote to memory of 2124 1768 Labhkh32.exe 29 PID 1768 wrote to memory of 2124 1768 Labhkh32.exe 29 PID 2124 wrote to memory of 2600 2124 Ldqegd32.exe 30 PID 2124 wrote to memory of 2600 2124 Ldqegd32.exe 30 PID 2124 wrote to memory of 2600 2124 Ldqegd32.exe 30 PID 2124 wrote to memory of 2600 2124 Ldqegd32.exe 30 PID 2600 wrote to memory of 2484 2600 Lhlqhb32.exe 31 PID 2600 wrote to memory of 2484 2600 Lhlqhb32.exe 31 PID 2600 wrote to memory of 2484 2600 Lhlqhb32.exe 31 PID 2600 wrote to memory of 2484 2600 Lhlqhb32.exe 31 PID 2484 wrote to memory of 2564 2484 Lipjejgp.exe 32 PID 2484 wrote to memory of 2564 2484 Lipjejgp.exe 32 PID 2484 wrote to memory of 2564 2484 Lipjejgp.exe 32 PID 2484 wrote to memory of 2564 2484 Lipjejgp.exe 32 PID 2564 wrote to memory of 2524 2564 Lpjbad32.exe 33 PID 2564 wrote to memory of 2524 2564 Lpjbad32.exe 33 PID 2564 wrote to memory of 2524 2564 Lpjbad32.exe 33 PID 2564 wrote to memory of 2524 2564 Lpjbad32.exe 33 PID 2524 wrote to memory of 1732 2524 Lchnnp32.exe 34 PID 2524 wrote to memory of 1732 2524 Lchnnp32.exe 34 PID 2524 wrote to memory of 1732 2524 Lchnnp32.exe 34 PID 2524 wrote to memory of 1732 2524 Lchnnp32.exe 34 PID 1732 wrote to memory of 2868 1732 Mcjkcplm.exe 35 PID 1732 wrote to memory of 2868 1732 Mcjkcplm.exe 35 PID 1732 wrote to memory of 2868 1732 Mcjkcplm.exe 35 PID 1732 wrote to memory of 2868 1732 Mcjkcplm.exe 35 PID 2868 wrote to memory of 2656 2868 Mlcple32.exe 36 PID 2868 wrote to memory of 2656 2868 Mlcple32.exe 36 PID 2868 wrote to memory of 2656 2868 Mlcple32.exe 36 PID 2868 wrote to memory of 2656 2868 Mlcple32.exe 36 PID 2656 wrote to memory of 2036 2656 Moalhq32.exe 37 PID 2656 wrote to memory of 2036 2656 Moalhq32.exe 37 PID 2656 wrote to memory of 2036 2656 Moalhq32.exe 37 PID 2656 wrote to memory of 2036 2656 Moalhq32.exe 37 PID 2036 wrote to memory of 1780 2036 Mochnppo.exe 38 PID 2036 wrote to memory of 1780 2036 Mochnppo.exe 38 PID 2036 wrote to memory of 1780 2036 Mochnppo.exe 38 PID 2036 wrote to memory of 1780 2036 Mochnppo.exe 38 PID 1780 wrote to memory of 2848 1780 Mhlmgf32.exe 39 PID 1780 wrote to memory of 2848 1780 Mhlmgf32.exe 39 PID 1780 wrote to memory of 2848 1780 Mhlmgf32.exe 39 PID 1780 wrote to memory of 2848 1780 Mhlmgf32.exe 39 PID 2848 wrote to memory of 1412 2848 Mnieom32.exe 40 PID 2848 wrote to memory of 1412 2848 Mnieom32.exe 40 PID 2848 wrote to memory of 1412 2848 Mnieom32.exe 40 PID 2848 wrote to memory of 1412 2848 Mnieom32.exe 40 PID 1412 wrote to memory of 1544 1412 Mhnjle32.exe 41 PID 1412 wrote to memory of 1544 1412 Mhnjle32.exe 41 PID 1412 wrote to memory of 1544 1412 Mhnjle32.exe 41 PID 1412 wrote to memory of 1544 1412 Mhnjle32.exe 41 PID 1544 wrote to memory of 676 1544 Mohbip32.exe 42 PID 1544 wrote to memory of 676 1544 Mohbip32.exe 42 PID 1544 wrote to memory of 676 1544 Mohbip32.exe 42 PID 1544 wrote to memory of 676 1544 Mohbip32.exe 42 PID 676 wrote to memory of 1504 676 Mkobnqan.exe 43 PID 676 wrote to memory of 1504 676 Mkobnqan.exe 43 PID 676 wrote to memory of 1504 676 Mkobnqan.exe 43 PID 676 wrote to memory of 1504 676 Mkobnqan.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\cc480bcafe2548153f7599f6ebf0a570149fea38077125acf6ffd30a25e41f97.exe"C:\Users\Admin\AppData\Local\Temp\cc480bcafe2548153f7599f6ebf0a570149fea38077125acf6ffd30a25e41f97.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:676 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1504 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:824 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:408 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1992 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:748 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1952 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1548 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1432 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1036 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1448 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2584 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe33⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe35⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe36⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe37⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe38⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe39⤵
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe40⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe41⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe42⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe44⤵
- Executes dropped EXE
PID:820 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe45⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe46⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1396 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe49⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1892 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe51⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe52⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe53⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe54⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe55⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe56⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe58⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe59⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe60⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe61⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe62⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe63⤵
- Executes dropped EXE
PID:496 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe64⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe65⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe66⤵PID:628
-
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe67⤵PID:1308
-
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe68⤵PID:3020
-
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe69⤵PID:1532
-
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe70⤵
- Drops file in System32 directory
PID:1560 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe71⤵
- Modifies registry class
PID:1972 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1284 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe73⤵PID:1524
-
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2200 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe75⤵PID:2640
-
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe76⤵PID:2752
-
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe77⤵PID:2520
-
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe78⤵
- Drops file in System32 directory
PID:2988 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1988 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe80⤵PID:2764
-
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe81⤵PID:1708
-
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe82⤵PID:2116
-
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe83⤵PID:776
-
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe84⤵PID:1832
-
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe85⤵PID:1368
-
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe86⤵
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe87⤵PID:968
-
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2308 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe89⤵
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe90⤵PID:3036
-
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2652 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe92⤵PID:2628
-
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe93⤵PID:2460
-
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe94⤵
- Modifies registry class
PID:804 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe95⤵PID:764
-
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2664 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe97⤵
- Drops file in System32 directory
PID:2948 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe98⤵PID:2432
-
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:536 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe100⤵PID:1168
-
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe101⤵PID:1712
-
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe102⤵PID:1796
-
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe103⤵PID:2012
-
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2120 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe105⤵PID:1956
-
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe106⤵PID:2208
-
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe107⤵PID:880
-
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe108⤵PID:2216
-
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe109⤵PID:2620
-
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe110⤵
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2772 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe112⤵PID:1436
-
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe113⤵
- Drops file in System32 directory
PID:2508 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe114⤵PID:1648
-
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe115⤵PID:2292
-
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe116⤵PID:2152
-
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe117⤵PID:2104
-
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe118⤵PID:2288
-
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe120⤵PID:2472
-
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe121⤵PID:2616
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-