Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
12/05/2024, 20:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
300bdd587cf02381b506eadfb127f4b9c3a0d4e4e0e901188c63d3a66338d3b6.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
300bdd587cf02381b506eadfb127f4b9c3a0d4e4e0e901188c63d3a66338d3b6.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
300bdd587cf02381b506eadfb127f4b9c3a0d4e4e0e901188c63d3a66338d3b6.exe
-
Size
104KB
-
MD5
fc844983ee0522e9c4499bf34fcfb0e0
-
SHA1
2457702182691ad1f9c173943bd846567afe34f9
-
SHA256
300bdd587cf02381b506eadfb127f4b9c3a0d4e4e0e901188c63d3a66338d3b6
-
SHA512
b4889f9e925a6ecec5f58b7611cbef82657e00d60880096ea88b2ba7d0eff0778d00c47dbc5ff959882203b97c1e0332b9ed4d9f6ed03cbe1b5e15148ea144e0
-
SSDEEP
3072:fZXwuMCztkPI+cbLRO3NeoluE+h3+rJM++SYSUZCbCdW:fxxpkP4LROgoQEcAJN+SYSUZCbX
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ccdlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dnneja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncmdhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njkfpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajphib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gangic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nkaocp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adhlaggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajbdna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ampqjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aepojo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgbdhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dodonf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihoafpmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Onmkio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aenbdoii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ojficpfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfpjomgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pabjem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbnbobin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbdqmghm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcodno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbbkja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjgoce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gddifnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hejoiedd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qhmbagfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qmlgonbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cgmkmecg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plfamfpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogfpbeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oghlgdgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ondajnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pndniaop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eihfjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" 300bdd587cf02381b506eadfb127f4b9c3a0d4e4e0e901188c63d3a66338d3b6.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adjigg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjpqdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Djbiicon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pminkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Banepo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djbiicon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Filldb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aigaon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnippoha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieqeidnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiedjneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ocajbekl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cobbhfhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddokpmfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nofabc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhooggdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Baqbenep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cngcjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Henidd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncjgbcoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiaeoang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hnojdcfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgilchkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hlhaqogk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fpfdalii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odegpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oqqapjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pijbfj32.exe -
Executes dropped EXE 64 IoCs
pid Process 2900 Lefkjkmc.exe 3004 Llqcfe32.exe 2688 Loooca32.exe 2556 Mgfgdn32.exe 2576 Mhgclfje.exe 2460 Mpolmdkg.exe 2384 Mcmhiojk.exe 2504 Maphdl32.exe 2856 Migpeiag.exe 320 Mhjpaf32.exe 2324 Mkhmma32.exe 2188 Mcodno32.exe 2160 Menakj32.exe 1320 Mlgigdoh.exe 2056 Mofecpnl.exe 2816 Mepnpj32.exe 696 Mgajhbkg.exe 1260 Mkmfhacp.exe 572 Mohbip32.exe 836 Magnek32.exe 2148 Mdejaf32.exe 1284 Mhqfbebj.exe 2796 Mkobnqan.exe 960 Njbcim32.exe 2332 Naikkk32.exe 1880 Ncjgbcoi.exe 2928 Nlblkhei.exe 2596 Npnhlg32.exe 2464 Ncmdhb32.exe 2436 Nfkpdn32.exe 2544 Nlgefh32.exe 860 Nofabc32.exe 380 Nfpjomgd.exe 1764 Njkfpl32.exe 2552 Nmjblg32.exe 1420 Nbfjdn32.exe 1768 Odegpj32.exe 2668 Omloag32.exe 1588 Onmkio32.exe 1552 Ofdcjm32.exe 2400 Ogfpbeim.exe 2252 Oomhcbjp.exe 436 Oiellh32.exe 1664 Oghlgdgk.exe 2532 Ojficpfn.exe 1312 Oqqapjnk.exe 1888 Oelmai32.exe 2336 Ogjimd32.exe 2652 Ojieip32.exe 2696 Ondajnme.exe 892 Oqcnfjli.exe 2832 Oenifh32.exe 1152 Ocajbekl.exe 2616 Ofpfnqjp.exe 1824 Pminkk32.exe 1008 Paejki32.exe 2676 Pphjgfqq.exe 2216 Pgobhcac.exe 1496 Pjmodopf.exe 1688 Pipopl32.exe 1532 Pmlkpjpj.exe 1856 Ppjglfon.exe 2256 Pbiciana.exe 1752 Piblek32.exe -
Loads dropped DLL 64 IoCs
pid Process 2732 300bdd587cf02381b506eadfb127f4b9c3a0d4e4e0e901188c63d3a66338d3b6.exe 2732 300bdd587cf02381b506eadfb127f4b9c3a0d4e4e0e901188c63d3a66338d3b6.exe 2900 Lefkjkmc.exe 2900 Lefkjkmc.exe 3004 Llqcfe32.exe 3004 Llqcfe32.exe 2688 Loooca32.exe 2688 Loooca32.exe 2556 Mgfgdn32.exe 2556 Mgfgdn32.exe 2576 Mhgclfje.exe 2576 Mhgclfje.exe 2460 Mpolmdkg.exe 2460 Mpolmdkg.exe 2384 Mcmhiojk.exe 2384 Mcmhiojk.exe 2504 Maphdl32.exe 2504 Maphdl32.exe 2856 Migpeiag.exe 2856 Migpeiag.exe 320 Mhjpaf32.exe 320 Mhjpaf32.exe 2324 Mkhmma32.exe 2324 Mkhmma32.exe 2188 Mcodno32.exe 2188 Mcodno32.exe 2160 Menakj32.exe 2160 Menakj32.exe 1320 Mlgigdoh.exe 1320 Mlgigdoh.exe 2056 Mofecpnl.exe 2056 Mofecpnl.exe 2816 Mepnpj32.exe 2816 Mepnpj32.exe 696 Mgajhbkg.exe 696 Mgajhbkg.exe 1260 Mkmfhacp.exe 1260 Mkmfhacp.exe 572 Mohbip32.exe 572 Mohbip32.exe 836 Magnek32.exe 836 Magnek32.exe 2148 Mdejaf32.exe 2148 Mdejaf32.exe 1284 Mhqfbebj.exe 1284 Mhqfbebj.exe 2796 Mkobnqan.exe 2796 Mkobnqan.exe 960 Njbcim32.exe 960 Njbcim32.exe 2332 Naikkk32.exe 2332 Naikkk32.exe 1608 Nkaocp32.exe 1608 Nkaocp32.exe 2928 Nlblkhei.exe 2928 Nlblkhei.exe 2596 Npnhlg32.exe 2596 Npnhlg32.exe 2464 Ncmdhb32.exe 2464 Ncmdhb32.exe 2436 Nfkpdn32.exe 2436 Nfkpdn32.exe 2544 Nlgefh32.exe 2544 Nlgefh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Oockje32.dll Chemfl32.exe File opened for modification C:\Windows\SysWOW64\Cdlnkmha.exe Cfinoq32.exe File created C:\Windows\SysWOW64\Ddgkcd32.dll Ddagfm32.exe File opened for modification C:\Windows\SysWOW64\Pmlkpjpj.exe Pipopl32.exe File created C:\Windows\SysWOW64\Aifone32.dll Ahokfj32.exe File created C:\Windows\SysWOW64\Hjlanqkq.dll Cnippoha.exe File created C:\Windows\SysWOW64\Djefobmk.exe Dgfjbgmh.exe File created C:\Windows\SysWOW64\Ppmcfdad.dll Dgfjbgmh.exe File opened for modification C:\Windows\SysWOW64\Fmcoja32.exe Fhffaj32.exe File created C:\Windows\SysWOW64\Njkfpl32.exe Nfpjomgd.exe File created C:\Windows\SysWOW64\Fiaeoang.exe Feeiob32.exe File created C:\Windows\SysWOW64\Naikkk32.exe Njbcim32.exe File created C:\Windows\SysWOW64\Mkaggelk.dll Dcknbh32.exe File created C:\Windows\SysWOW64\Hepmggig.dll Hnojdcfi.exe File opened for modification C:\Windows\SysWOW64\Codpklfq.dll Hpkjko32.exe File created C:\Windows\SysWOW64\Elgpfqll.dll Qaefjm32.exe File opened for modification C:\Windows\SysWOW64\Magnek32.exe Mohbip32.exe File created C:\Windows\SysWOW64\Gkgaje32.dll Nmjblg32.exe File created C:\Windows\SysWOW64\Lmkgjhfn.dll Ppoqge32.exe File opened for modification C:\Windows\SysWOW64\Pndniaop.exe Plfamfpm.exe File created C:\Windows\SysWOW64\Hfbenjka.dll Ddokpmfo.exe File opened for modification C:\Windows\SysWOW64\Nfkpdn32.exe Ncmdhb32.exe File created C:\Windows\SysWOW64\Ldahol32.dll Gangic32.exe File opened for modification C:\Windows\SysWOW64\Bhcdaibd.exe Beehencq.exe File created C:\Windows\SysWOW64\Bhfagipa.exe Bdjefj32.exe File created C:\Windows\SysWOW64\Hgmhlp32.dll Dqhhknjp.exe File opened for modification C:\Windows\SysWOW64\Oomhcbjp.exe Ogfpbeim.exe File opened for modification C:\Windows\SysWOW64\Bloqah32.exe Bhcdaibd.exe File opened for modification C:\Windows\SysWOW64\Dodonf32.exe Dkhcmgnl.exe File created C:\Windows\SysWOW64\Fbdqmghm.exe Fpfdalii.exe File opened for modification C:\Windows\SysWOW64\Iagfoe32.exe Inljnfkg.exe File created C:\Windows\SysWOW64\Cdjgej32.dll Piehkkcl.exe File opened for modification C:\Windows\SysWOW64\Fpfdalii.exe Filldb32.exe File opened for modification C:\Windows\SysWOW64\Cfeddafl.exe Cgbdhd32.exe File opened for modification C:\Windows\SysWOW64\Admemg32.exe Alenki32.exe File opened for modification C:\Windows\SysWOW64\Gdopkn32.exe Gaqcoc32.exe File created C:\Windows\SysWOW64\Pdmaibnf.dll Chcqpmep.exe File created C:\Windows\SysWOW64\Gopkmhjk.exe Gbijhg32.exe File opened for modification C:\Windows\SysWOW64\Hpkjko32.exe Hknach32.exe File opened for modification C:\Windows\SysWOW64\Eeempocb.exe Epieghdk.exe File created C:\Windows\SysWOW64\Hpqpdnop.dll Fiaeoang.exe File created C:\Windows\SysWOW64\Qhooggdn.exe Qdccfh32.exe File created C:\Windows\SysWOW64\Affhncfc.exe Adhlaggp.exe File created C:\Windows\SysWOW64\Pmddhkao.dll Bebkpn32.exe File opened for modification C:\Windows\SysWOW64\Aoffmd32.exe Apcfahio.exe File opened for modification C:\Windows\SysWOW64\Aepojo32.exe Abbbnchb.exe File opened for modification C:\Windows\SysWOW64\Cfbhnaho.exe Ccdlbf32.exe File created C:\Windows\SysWOW64\Hlpafgnp.dll Mkhmma32.exe File opened for modification C:\Windows\SysWOW64\Mlgigdoh.exe Menakj32.exe File opened for modification C:\Windows\SysWOW64\Paejki32.exe Pminkk32.exe File created C:\Windows\SysWOW64\Dnoillim.dll Emeopn32.exe File created C:\Windows\SysWOW64\Mofecpnl.exe Mlgigdoh.exe File created C:\Windows\SysWOW64\Baqbenep.exe Bnefdp32.exe File created C:\Windows\SysWOW64\Ohbepi32.dll Filldb32.exe File created C:\Windows\SysWOW64\Jdnaob32.dll Ihoafpmp.exe File created C:\Windows\SysWOW64\Dflkdp32.exe Dbpodagk.exe File created C:\Windows\SysWOW64\Oghlgdgk.exe Oiellh32.exe File opened for modification C:\Windows\SysWOW64\Oghlgdgk.exe Oiellh32.exe File created C:\Windows\SysWOW64\Qdccfh32.exe Qaefjm32.exe File created C:\Windows\SysWOW64\Fpdhklkl.exe Fjgoce32.exe File created C:\Windows\SysWOW64\Cljcelan.exe Cngcjo32.exe File opened for modification C:\Windows\SysWOW64\Npnhlg32.exe Nlblkhei.exe File created C:\Windows\SysWOW64\Ffihah32.dll Clcflkic.exe File created C:\Windows\SysWOW64\Eeempocb.exe Epieghdk.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3872 3824 WerFault.exe 287 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aadlib32.dll" Onmkio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncnkh32.dll" Gopkmhjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mhjpaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nlgefh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hokefmej.dll" Aiedjneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Afkbib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maomqp32.dll" Cfgaiaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll" Hpkjko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Njkfpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ppjglfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkdol32.dll" Cbkeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhggeddb.dll" Ffnphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ghmiam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mofecpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jagbha32.dll" Njbcim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lilchoah.dll" Bkaqmeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkaggelk.dll" Dcknbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjccnjpk.dll" Aajpelhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fpdhklkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkfofpak.dll" Phjelg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bhahlj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bhfagipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgpdbgm.dll" Nfkpdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pbmmcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifclcknc.dll" Qhooggdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leajegob.dll" Bnbjopoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fjgoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemeeh32.dll" Loooca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcfok32.dll" Dbehoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjhjlg32.dll" Menakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Djefobmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pndniaop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bopicc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gbijhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll" Hknach32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aajpelhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cphlljge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dkmmhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gkkemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Loooca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbdoqc32.dll" Pjmodopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkiabffn.dll" 300bdd587cf02381b506eadfb127f4b9c3a0d4e4e0e901188c63d3a66338d3b6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Alenki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Filldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hgilchkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhcelga.dll" Hlhaqogk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cfinoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ebinic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mcmhiojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll" Hodpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Plahag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qhmbagfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdfdcg32.dll" Bhahlj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dhjgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pchpbded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhfbdd32.dll" Ajdadamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icplghmh.dll" Bbdocc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bkaqmeah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cdakgibq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cciemedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pinfim32.dll" Ejbfhfaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Globlmmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} 300bdd587cf02381b506eadfb127f4b9c3a0d4e4e0e901188c63d3a66338d3b6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacebaej.dll" Bdjefj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2732 wrote to memory of 2900 2732 300bdd587cf02381b506eadfb127f4b9c3a0d4e4e0e901188c63d3a66338d3b6.exe 28 PID 2732 wrote to memory of 2900 2732 300bdd587cf02381b506eadfb127f4b9c3a0d4e4e0e901188c63d3a66338d3b6.exe 28 PID 2732 wrote to memory of 2900 2732 300bdd587cf02381b506eadfb127f4b9c3a0d4e4e0e901188c63d3a66338d3b6.exe 28 PID 2732 wrote to memory of 2900 2732 300bdd587cf02381b506eadfb127f4b9c3a0d4e4e0e901188c63d3a66338d3b6.exe 28 PID 2900 wrote to memory of 3004 2900 Lefkjkmc.exe 29 PID 2900 wrote to memory of 3004 2900 Lefkjkmc.exe 29 PID 2900 wrote to memory of 3004 2900 Lefkjkmc.exe 29 PID 2900 wrote to memory of 3004 2900 Lefkjkmc.exe 29 PID 3004 wrote to memory of 2688 3004 Llqcfe32.exe 30 PID 3004 wrote to memory of 2688 3004 Llqcfe32.exe 30 PID 3004 wrote to memory of 2688 3004 Llqcfe32.exe 30 PID 3004 wrote to memory of 2688 3004 Llqcfe32.exe 30 PID 2688 wrote to memory of 2556 2688 Loooca32.exe 31 PID 2688 wrote to memory of 2556 2688 Loooca32.exe 31 PID 2688 wrote to memory of 2556 2688 Loooca32.exe 31 PID 2688 wrote to memory of 2556 2688 Loooca32.exe 31 PID 2556 wrote to memory of 2576 2556 Mgfgdn32.exe 32 PID 2556 wrote to memory of 2576 2556 Mgfgdn32.exe 32 PID 2556 wrote to memory of 2576 2556 Mgfgdn32.exe 32 PID 2556 wrote to memory of 2576 2556 Mgfgdn32.exe 32 PID 2576 wrote to memory of 2460 2576 Mhgclfje.exe 33 PID 2576 wrote to memory of 2460 2576 Mhgclfje.exe 33 PID 2576 wrote to memory of 2460 2576 Mhgclfje.exe 33 PID 2576 wrote to memory of 2460 2576 Mhgclfje.exe 33 PID 2460 wrote to memory of 2384 2460 Mpolmdkg.exe 34 PID 2460 wrote to memory of 2384 2460 Mpolmdkg.exe 34 PID 2460 wrote to memory of 2384 2460 Mpolmdkg.exe 34 PID 2460 wrote to memory of 2384 2460 Mpolmdkg.exe 34 PID 2384 wrote to memory of 2504 2384 Mcmhiojk.exe 35 PID 2384 wrote to memory of 2504 2384 Mcmhiojk.exe 35 PID 2384 wrote to memory of 2504 2384 Mcmhiojk.exe 35 PID 2384 wrote to memory of 2504 2384 Mcmhiojk.exe 35 PID 2504 wrote to memory of 2856 2504 Maphdl32.exe 36 PID 2504 wrote to memory of 2856 2504 Maphdl32.exe 36 PID 2504 wrote to memory of 2856 2504 Maphdl32.exe 36 PID 2504 wrote to memory of 2856 2504 Maphdl32.exe 36 PID 2856 wrote to memory of 320 2856 Migpeiag.exe 37 PID 2856 wrote to memory of 320 2856 Migpeiag.exe 37 PID 2856 wrote to memory of 320 2856 Migpeiag.exe 37 PID 2856 wrote to memory of 320 2856 Migpeiag.exe 37 PID 320 wrote to memory of 2324 320 Mhjpaf32.exe 38 PID 320 wrote to memory of 2324 320 Mhjpaf32.exe 38 PID 320 wrote to memory of 2324 320 Mhjpaf32.exe 38 PID 320 wrote to memory of 2324 320 Mhjpaf32.exe 38 PID 2324 wrote to memory of 2188 2324 Mkhmma32.exe 39 PID 2324 wrote to memory of 2188 2324 Mkhmma32.exe 39 PID 2324 wrote to memory of 2188 2324 Mkhmma32.exe 39 PID 2324 wrote to memory of 2188 2324 Mkhmma32.exe 39 PID 2188 wrote to memory of 2160 2188 Mcodno32.exe 40 PID 2188 wrote to memory of 2160 2188 Mcodno32.exe 40 PID 2188 wrote to memory of 2160 2188 Mcodno32.exe 40 PID 2188 wrote to memory of 2160 2188 Mcodno32.exe 40 PID 2160 wrote to memory of 1320 2160 Menakj32.exe 41 PID 2160 wrote to memory of 1320 2160 Menakj32.exe 41 PID 2160 wrote to memory of 1320 2160 Menakj32.exe 41 PID 2160 wrote to memory of 1320 2160 Menakj32.exe 41 PID 1320 wrote to memory of 2056 1320 Mlgigdoh.exe 42 PID 1320 wrote to memory of 2056 1320 Mlgigdoh.exe 42 PID 1320 wrote to memory of 2056 1320 Mlgigdoh.exe 42 PID 1320 wrote to memory of 2056 1320 Mlgigdoh.exe 42 PID 2056 wrote to memory of 2816 2056 Mofecpnl.exe 43 PID 2056 wrote to memory of 2816 2056 Mofecpnl.exe 43 PID 2056 wrote to memory of 2816 2056 Mofecpnl.exe 43 PID 2056 wrote to memory of 2816 2056 Mofecpnl.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\300bdd587cf02381b506eadfb127f4b9c3a0d4e4e0e901188c63d3a66338d3b6.exe"C:\Users\Admin\AppData\Local\Temp\300bdd587cf02381b506eadfb127f4b9c3a0d4e4e0e901188c63d3a66338d3b6.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2816 -
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:696 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1260 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:572 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:836 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1284 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:960 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2332 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
PID:1608 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2928 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:380 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1764 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe38⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe40⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe42⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe44⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:436 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe49⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe50⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe51⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe53⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe54⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe56⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1824 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe58⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe59⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe60⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:1496 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1688 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe63⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1856 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe65⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe66⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe67⤵
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe68⤵
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe69⤵PID:908
-
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe70⤵PID:2848
-
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe71⤵
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe72⤵PID:1936
-
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe73⤵
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe74⤵
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe75⤵PID:1324
-
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe76⤵
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1336 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1232 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2972 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe82⤵PID:3036
-
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe83⤵
- Drops file in System32 directory
PID:584 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe84⤵
- Drops file in System32 directory
PID:828 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:536 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe86⤵PID:2784
-
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1840 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe88⤵PID:308
-
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe89⤵PID:2760
-
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe90⤵PID:2024
-
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1524 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe92⤵PID:2992
-
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe93⤵
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:548 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe95⤵PID:1220
-
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1092 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2036 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2684 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe100⤵PID:2644
-
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe101⤵PID:1984
-
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe102⤵
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1032 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe104⤵
- Drops file in System32 directory
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe105⤵PID:1628
-
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe106⤵PID:1940
-
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe107⤵
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3068 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe109⤵PID:2408
-
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe110⤵PID:2788
-
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe111⤵
- Drops file in System32 directory
PID:956 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe112⤵PID:2708
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe113⤵
- Drops file in System32 directory
PID:1892 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1472 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe115⤵PID:1948
-
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe116⤵
- Drops file in System32 directory
PID:2320 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe117⤵PID:2680
-
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe118⤵
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe119⤵
- Drops file in System32 directory
PID:668 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe120⤵PID:1048
-
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe121⤵
- Modifies registry class
PID:620
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-