Analysis
-
max time kernel
147s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
17/06/2024, 01:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bcee09295cb807a666749cb7673785461e6c5f83eacd55328adddb1747ccd9e1.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
bcee09295cb807a666749cb7673785461e6c5f83eacd55328adddb1747ccd9e1.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
bcee09295cb807a666749cb7673785461e6c5f83eacd55328adddb1747ccd9e1.exe
-
Size
240KB
-
MD5
8be661091b94250a0809488eada2f67c
-
SHA1
2e7f4e12b6bba689f08df3dc98a299d0dd80c533
-
SHA256
bcee09295cb807a666749cb7673785461e6c5f83eacd55328adddb1747ccd9e1
-
SHA512
333dff141808891b9ad20d19c46c773293a1157332b146cecd179d704887c2562682f70f140f72d50da55d3776b2e73a03e2cbc638b5f04a19dc825d3a99a642
-
SSDEEP
6144:V+0DDJxXITgGyZ6YugQdjGG1wsKm6eBgdQbkoKTBEA:V+G1xYUGyXu1jGG1wsGeBgRTGA
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhbped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkijmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdpjlajk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncgdbmmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhfipcid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Banepo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikddbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhmjkaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndbcpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad bcee09295cb807a666749cb7673785461e6c5f83eacd55328adddb1747ccd9e1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcjkcplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iggkllpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejobhppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocajbekl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aigaon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flmefm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iggkllpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icpigm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmmcjehm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mijfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idhopq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaaijdgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgnfhlin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlmlecec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aoepcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdikkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohqbqhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhkpmjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iknnbklc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omfkke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doobajme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkeimlfm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkgbbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chbjffad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aiinen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgbggnhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgbggnhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcegmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoepcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnaocmmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iqalka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lecgje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nondgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qmicohqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aipddi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbokmqie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogfpbeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chnqkg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onmkio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjijdadm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olpdjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okchhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phjelg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Naoniipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ooeggp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgknheej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjndop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hodpgjha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bafidiio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Doehqead.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Claifkkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cadhnmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnplpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhhcgj32.exe -
Executes dropped EXE 64 IoCs
pid Process 2192 Ladeqhjd.exe 2604 Lipjejgp.exe 2588 Lchnnp32.exe 2732 Lmnbkinf.exe 2368 Mcjkcplm.exe 2524 Mhgclfje.exe 2704 Mcmhiojk.exe 2716 Migpeiag.exe 2720 Mcodno32.exe 1040 Mdqafgnf.exe 2424 Mnieom32.exe 920 Mgajhbkg.exe 1656 Mdejaf32.exe 2108 Nnnojlpa.exe 2788 Ngfcca32.exe 2096 Nnplpl32.exe 1076 Ncmdhb32.exe 1868 Nnbhek32.exe 1568 Nocemcbj.exe 2964 Nfmmin32.exe 3008 Nlgefh32.exe 1936 Ncancbha.exe 1856 Nbdnoo32.exe 1164 Nhnfkigh.exe 2544 Nohnhc32.exe 2740 Nbfjdn32.exe 2668 Ohqbqhde.exe 2568 Onmkio32.exe 2652 Ogfpbeim.exe 2208 Okalbc32.exe 2912 Oiellh32.exe 2248 Okchhc32.exe 1452 Onbddoog.exe 2884 Ogjimd32.exe 2044 Ondajnme.exe 404 Ocajbekl.exe 788 Ongnonkb.exe 2216 Paejki32.exe 2140 Pphjgfqq.exe 2852 Pgobhcac.exe 1708 Pmlkpjpj.exe 716 Pcfcmd32.exe 3020 Pbiciana.exe 2428 Pmnhfjmg.exe 2064 Pchpbded.exe 1572 Peiljl32.exe 1876 Pmqdkj32.exe 1252 Ppoqge32.exe 2820 Pbmmcq32.exe 2552 Phjelg32.exe 3004 Plfamfpm.exe 2708 Pbpjiphi.exe 2484 Pabjem32.exe 2536 Pijbfj32.exe 2016 Qhmbagfa.exe 2768 Qnfjna32.exe 2344 Qeqbkkej.exe 2024 Qhooggdn.exe 816 Qljkhe32.exe 2556 Qmlgonbe.exe 2240 Qagcpljo.exe 2144 Ahakmf32.exe 796 Afdlhchf.exe 1488 Ankdiqih.exe -
Loads dropped DLL 64 IoCs
pid Process 2120 bcee09295cb807a666749cb7673785461e6c5f83eacd55328adddb1747ccd9e1.exe 2120 bcee09295cb807a666749cb7673785461e6c5f83eacd55328adddb1747ccd9e1.exe 2192 Ladeqhjd.exe 2192 Ladeqhjd.exe 2604 Lipjejgp.exe 2604 Lipjejgp.exe 2588 Lchnnp32.exe 2588 Lchnnp32.exe 2732 Lmnbkinf.exe 2732 Lmnbkinf.exe 2368 Mcjkcplm.exe 2368 Mcjkcplm.exe 2524 Mhgclfje.exe 2524 Mhgclfje.exe 2704 Mcmhiojk.exe 2704 Mcmhiojk.exe 2716 Migpeiag.exe 2716 Migpeiag.exe 2720 Mcodno32.exe 2720 Mcodno32.exe 1040 Mdqafgnf.exe 1040 Mdqafgnf.exe 2424 Mnieom32.exe 2424 Mnieom32.exe 920 Mgajhbkg.exe 920 Mgajhbkg.exe 1656 Mdejaf32.exe 1656 Mdejaf32.exe 2108 Nnnojlpa.exe 2108 Nnnojlpa.exe 2788 Ngfcca32.exe 2788 Ngfcca32.exe 2096 Nnplpl32.exe 2096 Nnplpl32.exe 1076 Ncmdhb32.exe 1076 Ncmdhb32.exe 1868 Nnbhek32.exe 1868 Nnbhek32.exe 1568 Nocemcbj.exe 1568 Nocemcbj.exe 2964 Nfmmin32.exe 2964 Nfmmin32.exe 3008 Nlgefh32.exe 3008 Nlgefh32.exe 1936 Ncancbha.exe 1936 Ncancbha.exe 1856 Nbdnoo32.exe 1856 Nbdnoo32.exe 1164 Nhnfkigh.exe 1164 Nhnfkigh.exe 2544 Nohnhc32.exe 2544 Nohnhc32.exe 2740 Nbfjdn32.exe 2740 Nbfjdn32.exe 2668 Ohqbqhde.exe 2668 Ohqbqhde.exe 2568 Onmkio32.exe 2568 Onmkio32.exe 2652 Ogfpbeim.exe 2652 Ogfpbeim.exe 2208 Okalbc32.exe 2208 Okalbc32.exe 2912 Oiellh32.exe 2912 Oiellh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Gdamqndn.exe Gacpdbej.exe File created C:\Windows\SysWOW64\Mfnekf32.dll Jfghif32.exe File opened for modification C:\Windows\SysWOW64\Behnnm32.exe Bfenbpec.exe File created C:\Windows\SysWOW64\Efcfga32.exe Ecejkf32.exe File opened for modification C:\Windows\SysWOW64\Phjelg32.exe Pbmmcq32.exe File opened for modification C:\Windows\SysWOW64\Cjndop32.exe Cgpgce32.exe File opened for modification C:\Windows\SysWOW64\Claifkkf.exe Cjbmjplb.exe File created C:\Windows\SysWOW64\Clnlnhop.dll Epieghdk.exe File created C:\Windows\SysWOW64\Fpdhklkl.exe Fmekoalh.exe File opened for modification C:\Windows\SysWOW64\Pdaoog32.exe Obcccl32.exe File created C:\Windows\SysWOW64\Pclfkc32.exe Pmanoifd.exe File opened for modification C:\Windows\SysWOW64\Oiellh32.exe Okalbc32.exe File opened for modification C:\Windows\SysWOW64\Paejki32.exe Ongnonkb.exe File created C:\Windows\SysWOW64\Nobdlg32.dll Ddeaalpg.exe File created C:\Windows\SysWOW64\Flcnijgi.dll Dfgmhd32.exe File created C:\Windows\SysWOW64\Igdaoinc.dll Aekodi32.exe File opened for modification C:\Windows\SysWOW64\Bhigphio.exe Bekkcljk.exe File opened for modification C:\Windows\SysWOW64\Qnfjna32.exe Qhmbagfa.exe File created C:\Windows\SysWOW64\Alhjai32.exe Amejeljk.exe File opened for modification C:\Windows\SysWOW64\Cpkbdiqb.exe Cojema32.exe File created C:\Windows\SysWOW64\Pmdmeemc.dll Pmqdkj32.exe File created C:\Windows\SysWOW64\Dqelenlc.exe Dkhcmgnl.exe File created C:\Windows\SysWOW64\Pnbgan32.dll Hjjddchg.exe File opened for modification C:\Windows\SysWOW64\Jcbellac.exe Jqdipqbp.exe File created C:\Windows\SysWOW64\Oonafa32.exe Olpdjf32.exe File opened for modification C:\Windows\SysWOW64\Baakhm32.exe Bbokmqie.exe File created C:\Windows\SysWOW64\Njmggi32.dll Ejhlgaeh.exe File opened for modification C:\Windows\SysWOW64\Ladeqhjd.exe bcee09295cb807a666749cb7673785461e6c5f83eacd55328adddb1747ccd9e1.exe File created C:\Windows\SysWOW64\Hpenlb32.dll Ckffgg32.exe File opened for modification C:\Windows\SysWOW64\Idmhkpml.exe Iqalka32.exe File created C:\Windows\SysWOW64\Jkpgfn32.exe Jjojofgn.exe File opened for modification C:\Windows\SysWOW64\Oopnlacm.exe Ohfeog32.exe File created C:\Windows\SysWOW64\Anojbobe.exe Alpmfdcb.exe File opened for modification C:\Windows\SysWOW64\Aaobdjof.exe Anafhopc.exe File opened for modification C:\Windows\SysWOW64\Bdjefj32.exe Bnpmipql.exe File created C:\Windows\SysWOW64\Hcnpbi32.exe Hobcak32.exe File created C:\Windows\SysWOW64\Logbhl32.exe Lhmjkaoc.exe File opened for modification C:\Windows\SysWOW64\Maoajf32.exe Mmceigep.exe File created C:\Windows\SysWOW64\Bfjpdigc.dll Omdneebf.exe File created C:\Windows\SysWOW64\Hjkbhikj.dll Qabcjgkh.exe File created C:\Windows\SysWOW64\Lednakhd.dll Dggcffhg.exe File opened for modification C:\Windows\SysWOW64\Cgpgce32.exe Cpeofk32.exe File created C:\Windows\SysWOW64\Lkojpojq.dll Ecpgmhai.exe File opened for modification C:\Windows\SysWOW64\Hkpnhgge.exe Hpkjko32.exe File created C:\Windows\SysWOW64\Kpkofpgq.exe Kmmcjehm.exe File opened for modification C:\Windows\SysWOW64\Dpeekh32.exe Dhnmij32.exe File opened for modification C:\Windows\SysWOW64\Dmafennb.exe Djbiicon.exe File opened for modification C:\Windows\SysWOW64\Mkclhl32.exe Mhdplq32.exe File created C:\Windows\SysWOW64\Ehkdaf32.dll Pogclp32.exe File created C:\Windows\SysWOW64\Apmabnaj.dll Pflomnkb.exe File opened for modification C:\Windows\SysWOW64\Jjlnif32.exe Jcbellac.exe File created C:\Windows\SysWOW64\Pgeefbhm.exe Pqkmjh32.exe File created C:\Windows\SysWOW64\Bpbbfi32.dll Ebodiofk.exe File created C:\Windows\SysWOW64\Hlbpenqj.dll Lmnbkinf.exe File opened for modification C:\Windows\SysWOW64\Affhncfc.exe Adhlaggp.exe File created C:\Windows\SysWOW64\Chcphm32.dll Eilpeooq.exe File opened for modification C:\Windows\SysWOW64\Ennaieib.exe Egdilkbf.exe File created C:\Windows\SysWOW64\Fjkhohik.dll Obcccl32.exe File opened for modification C:\Windows\SysWOW64\Aekodi32.exe Aaobdjof.exe File opened for modification C:\Windows\SysWOW64\Ckoilb32.exe Cgcmlcja.exe File created C:\Windows\SysWOW64\Qnfjna32.exe Qhmbagfa.exe File created C:\Windows\SysWOW64\Jfcfmmpb.dll Afmonbqk.exe File created C:\Windows\SysWOW64\Kcfdakpf.dll Eijcpoac.exe File created C:\Windows\SysWOW64\Mncnkh32.dll Gopkmhjk.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5372 5332 WerFault.exe 514 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Naajoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdbdjhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emjjdbdn.dll" Njlockkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnbhek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lafndg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhpfqama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mpfkqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dkkpbgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ligkin32.dll" Bafidiio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdeeqehb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ecejkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cklmgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afdlhchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbdocc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdlnkmha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ogblbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bekkcljk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgcmlcja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ondajnme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iajcde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkpgfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pgbhabjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hejoiedd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijlhmj32.dll" Mcegmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Omfkke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Egjpkffe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cddjolah.dll" Lipjejgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aodnnc32.dll" Mcmhiojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhcecp32.dll" Adjigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihomanac.dll" Bnpmipql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acjobj32.dll" Lecgje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmndnn32.dll" Mhbped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlidlf32.dll" Flmefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Goddhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Inljnfkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icpigm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qiejdkkn.dll" Obafnlpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmanoifd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node bcee09295cb807a666749cb7673785461e6c5f83eacd55328adddb1747ccd9e1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eecqjpee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gaemjbcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhfipcid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fpdhklkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbaoqk32.dll" Idklfpon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll" Fjaonpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhhcgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpmlkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lckdanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Meccii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifcbodli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeoliecf.dll" Jbjochdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlmlecec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhgclfje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poaljn32.dll" Onmkio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdjefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbodgap.dll" Cbnbobin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iklefg32.dll" Abmibdlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eqonkmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nkgbbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdeeqehb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dggcffhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pbmmcq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbkeib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dqhhknjp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2120 wrote to memory of 2192 2120 bcee09295cb807a666749cb7673785461e6c5f83eacd55328adddb1747ccd9e1.exe 28 PID 2120 wrote to memory of 2192 2120 bcee09295cb807a666749cb7673785461e6c5f83eacd55328adddb1747ccd9e1.exe 28 PID 2120 wrote to memory of 2192 2120 bcee09295cb807a666749cb7673785461e6c5f83eacd55328adddb1747ccd9e1.exe 28 PID 2120 wrote to memory of 2192 2120 bcee09295cb807a666749cb7673785461e6c5f83eacd55328adddb1747ccd9e1.exe 28 PID 2192 wrote to memory of 2604 2192 Ladeqhjd.exe 29 PID 2192 wrote to memory of 2604 2192 Ladeqhjd.exe 29 PID 2192 wrote to memory of 2604 2192 Ladeqhjd.exe 29 PID 2192 wrote to memory of 2604 2192 Ladeqhjd.exe 29 PID 2604 wrote to memory of 2588 2604 Lipjejgp.exe 30 PID 2604 wrote to memory of 2588 2604 Lipjejgp.exe 30 PID 2604 wrote to memory of 2588 2604 Lipjejgp.exe 30 PID 2604 wrote to memory of 2588 2604 Lipjejgp.exe 30 PID 2588 wrote to memory of 2732 2588 Lchnnp32.exe 31 PID 2588 wrote to memory of 2732 2588 Lchnnp32.exe 31 PID 2588 wrote to memory of 2732 2588 Lchnnp32.exe 31 PID 2588 wrote to memory of 2732 2588 Lchnnp32.exe 31 PID 2732 wrote to memory of 2368 2732 Lmnbkinf.exe 32 PID 2732 wrote to memory of 2368 2732 Lmnbkinf.exe 32 PID 2732 wrote to memory of 2368 2732 Lmnbkinf.exe 32 PID 2732 wrote to memory of 2368 2732 Lmnbkinf.exe 32 PID 2368 wrote to memory of 2524 2368 Mcjkcplm.exe 33 PID 2368 wrote to memory of 2524 2368 Mcjkcplm.exe 33 PID 2368 wrote to memory of 2524 2368 Mcjkcplm.exe 33 PID 2368 wrote to memory of 2524 2368 Mcjkcplm.exe 33 PID 2524 wrote to memory of 2704 2524 Mhgclfje.exe 34 PID 2524 wrote to memory of 2704 2524 Mhgclfje.exe 34 PID 2524 wrote to memory of 2704 2524 Mhgclfje.exe 34 PID 2524 wrote to memory of 2704 2524 Mhgclfje.exe 34 PID 2704 wrote to memory of 2716 2704 Mcmhiojk.exe 35 PID 2704 wrote to memory of 2716 2704 Mcmhiojk.exe 35 PID 2704 wrote to memory of 2716 2704 Mcmhiojk.exe 35 PID 2704 wrote to memory of 2716 2704 Mcmhiojk.exe 35 PID 2716 wrote to memory of 2720 2716 Migpeiag.exe 36 PID 2716 wrote to memory of 2720 2716 Migpeiag.exe 36 PID 2716 wrote to memory of 2720 2716 Migpeiag.exe 36 PID 2716 wrote to memory of 2720 2716 Migpeiag.exe 36 PID 2720 wrote to memory of 1040 2720 Mcodno32.exe 37 PID 2720 wrote to memory of 1040 2720 Mcodno32.exe 37 PID 2720 wrote to memory of 1040 2720 Mcodno32.exe 37 PID 2720 wrote to memory of 1040 2720 Mcodno32.exe 37 PID 1040 wrote to memory of 2424 1040 Mdqafgnf.exe 38 PID 1040 wrote to memory of 2424 1040 Mdqafgnf.exe 38 PID 1040 wrote to memory of 2424 1040 Mdqafgnf.exe 38 PID 1040 wrote to memory of 2424 1040 Mdqafgnf.exe 38 PID 2424 wrote to memory of 920 2424 Mnieom32.exe 39 PID 2424 wrote to memory of 920 2424 Mnieom32.exe 39 PID 2424 wrote to memory of 920 2424 Mnieom32.exe 39 PID 2424 wrote to memory of 920 2424 Mnieom32.exe 39 PID 920 wrote to memory of 1656 920 Mgajhbkg.exe 40 PID 920 wrote to memory of 1656 920 Mgajhbkg.exe 40 PID 920 wrote to memory of 1656 920 Mgajhbkg.exe 40 PID 920 wrote to memory of 1656 920 Mgajhbkg.exe 40 PID 1656 wrote to memory of 2108 1656 Mdejaf32.exe 41 PID 1656 wrote to memory of 2108 1656 Mdejaf32.exe 41 PID 1656 wrote to memory of 2108 1656 Mdejaf32.exe 41 PID 1656 wrote to memory of 2108 1656 Mdejaf32.exe 41 PID 2108 wrote to memory of 2788 2108 Nnnojlpa.exe 42 PID 2108 wrote to memory of 2788 2108 Nnnojlpa.exe 42 PID 2108 wrote to memory of 2788 2108 Nnnojlpa.exe 42 PID 2108 wrote to memory of 2788 2108 Nnnojlpa.exe 42 PID 2788 wrote to memory of 2096 2788 Ngfcca32.exe 43 PID 2788 wrote to memory of 2096 2788 Ngfcca32.exe 43 PID 2788 wrote to memory of 2096 2788 Ngfcca32.exe 43 PID 2788 wrote to memory of 2096 2788 Ngfcca32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\bcee09295cb807a666749cb7673785461e6c5f83eacd55328adddb1747ccd9e1.exe"C:\Users\Admin\AppData\Local\Temp\bcee09295cb807a666749cb7673785461e6c5f83eacd55328adddb1747ccd9e1.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2096 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1076 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1568 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2964 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1936 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1856 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1164 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2208 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2912 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe34⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe35⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:404 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:788 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe39⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe40⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe41⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe42⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe43⤵
- Executes dropped EXE
PID:716 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe44⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe45⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe46⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe47⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1876 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe49⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe52⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe53⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe54⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe55⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe57⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe58⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe59⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe60⤵
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe61⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe62⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe63⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:796 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe65⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe66⤵PID:412
-
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe67⤵
- Drops file in System32 directory
PID:1556 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe68⤵PID:1932
-
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe69⤵PID:2836
-
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe70⤵PID:2196
-
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe71⤵
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe72⤵
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe73⤵PID:2480
-
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1840 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe75⤵PID:2340
-
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe76⤵PID:2000
-
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe77⤵PID:2220
-
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1696 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe79⤵
- Drops file in System32 directory
PID:2312 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe80⤵PID:596
-
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe81⤵PID:848
-
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe82⤵
- Drops file in System32 directory
PID:2332 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe83⤵PID:1880
-
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe84⤵PID:1500
-
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe85⤵
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe86⤵PID:2640
-
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe87⤵PID:2492
-
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe88⤵PID:2448
-
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe89⤵PID:2896
-
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe90⤵PID:312
-
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe91⤵PID:2804
-
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:876 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe93⤵
- Modifies registry class
PID:1864 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe94⤵PID:1908
-
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe95⤵PID:668
-
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1928 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3064 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2736 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe99⤵PID:2532
-
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe100⤵PID:2772
-
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe101⤵PID:1948
-
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe102⤵PID:2228
-
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe103⤵PID:1056
-
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe104⤵
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe105⤵
- Drops file in System32 directory
PID:336 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:868 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe107⤵PID:1796
-
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe108⤵PID:1384
-
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe109⤵PID:1964
-
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe110⤵PID:2892
-
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe111⤵PID:2260
-
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe112⤵PID:2460
-
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe113⤵
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe114⤵
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2088 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe116⤵PID:2308
-
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe117⤵
- Modifies registry class
PID:608 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe118⤵
- Modifies registry class
PID:1004 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe119⤵
- Drops file in System32 directory
PID:1832 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe120⤵PID:1528
-
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe121⤵PID:2508
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-