Analysis
-
max time kernel
145s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
27/06/2024, 18:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0785a7d827b845a6965d869f9d36547f21ff8549669300a3a24dc2f003d819aa.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
0785a7d827b845a6965d869f9d36547f21ff8549669300a3a24dc2f003d819aa.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
0785a7d827b845a6965d869f9d36547f21ff8549669300a3a24dc2f003d819aa.exe
-
Size
359KB
-
MD5
ae2540abb5ac4dae6767aa8645c7dcb1
-
SHA1
4b4ce89ae37b228b93cceb14870b0fcf91b23d08
-
SHA256
0785a7d827b845a6965d869f9d36547f21ff8549669300a3a24dc2f003d819aa
-
SHA512
09d3a86523ffe0363650f242e1b41c569c58f8adc8adbd58916be90d9a669f2f6f21e2b3378cde8f3aa877e78c2f3e7b68c2a384fb212e0e8f086faaabdd5957
-
SSDEEP
3072:3RiwY/Uec3Fyx/tIO0kQI8Va3CkfUVuyelbvP5lkzmQ1o0Otw44KmfpKivFM6Wpw:3RWO3FUIOprba4Yb31/doG
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nncahjgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnennj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhehek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjldghjm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naikkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knjbnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cafecmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfamcogo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Banepo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Limfed32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhneehek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npagjpcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pciifc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpgljfbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ileiplhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgfjbgmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghmiam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioaifhid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpceidcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odgcfijj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bommnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjenhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpkbdiqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mencccop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncpcfkbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajbggjfq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lijjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhmjkaoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihoafpmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndmjedoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkgbbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhigphio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eojnkg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbdjbaea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddagfm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Filldb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afnagk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndpfkdmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgcmlcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agdjkogm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omgaek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Logbhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcadac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gacpdbej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anccmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbgmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pomfkndo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piblek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bebkpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eilpeooq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feeiob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaaijdgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nncahjgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpgljfbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjaonpnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdccfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ankdiqih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qiladcdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giieco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llohjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cojema32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpqpjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ichllgfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohcaoajg.exe -
Executes dropped EXE 64 IoCs
pid Process 2824 Lhlqhb32.exe 2856 Ladeqhjd.exe 3012 Lipjejgp.exe 2660 Lgdjnofi.exe 2596 Mcjkcplm.exe 2616 Mlcple32.exe 2468 Maphdl32.exe 2124 Mkhmma32.exe 2724 Mhlmgf32.exe 1252 Madapkmp.exe 2912 Mdcnlglc.exe 1808 Mohbip32.exe 2104 Naikkk32.exe 1684 Ncjgbcoi.exe 532 Npnhlg32.exe 1484 Nfkpdn32.exe 644 Nfmmin32.exe 1740 Nhlifi32.exe 2684 Nofabc32.exe 3068 Nfpjomgd.exe 940 Njkfpl32.exe 1960 Nkmbgdfl.exe 740 Ofbfdmeb.exe 3040 Ohqbqhde.exe 2976 Oojknblb.exe 1504 Ofdcjm32.exe 2796 Odgcfijj.exe 1572 Onphoo32.exe 2844 Oiellh32.exe 1620 Ojficpfn.exe 2576 Oqqapjnk.exe 2584 Ogjimd32.exe 2632 Omgaek32.exe 2492 Ogmfbd32.exe 1908 Paejki32.exe 1912 Pccfge32.exe 2712 Pgobhcac.exe 1080 Paggai32.exe 2496 Pcfcmd32.exe 1820 Piblek32.exe 2068 Plahag32.exe 2288 Pchpbded.exe 1856 Piehkkcl.exe 852 Ppoqge32.exe 684 Pfiidobe.exe 2132 Pelipl32.exe 2808 Pigeqkai.exe 1868 Pndniaop.exe 2136 Pbpjiphi.exe 556 Penfelgm.exe 776 Qlhnbf32.exe 3048 Qbbfopeg.exe 2212 Qaefjm32.exe 2776 Qdccfh32.exe 2528 Qljkhe32.exe 2996 Qagcpljo.exe 2644 Ahakmf32.exe 1668 Ankdiqih.exe 1900 Amndem32.exe 2508 Aplpai32.exe 2700 Adhlaggp.exe 1340 Aiedjneg.exe 1436 Aalmklfi.exe 1708 Adjigg32.exe -
Loads dropped DLL 64 IoCs
pid Process 2296 0785a7d827b845a6965d869f9d36547f21ff8549669300a3a24dc2f003d819aa.exe 2296 0785a7d827b845a6965d869f9d36547f21ff8549669300a3a24dc2f003d819aa.exe 2824 Lhlqhb32.exe 2824 Lhlqhb32.exe 2856 Ladeqhjd.exe 2856 Ladeqhjd.exe 3012 Lipjejgp.exe 3012 Lipjejgp.exe 2660 Lgdjnofi.exe 2660 Lgdjnofi.exe 2596 Mcjkcplm.exe 2596 Mcjkcplm.exe 2616 Mlcple32.exe 2616 Mlcple32.exe 2468 Maphdl32.exe 2468 Maphdl32.exe 2124 Mkhmma32.exe 2124 Mkhmma32.exe 2724 Mhlmgf32.exe 2724 Mhlmgf32.exe 1252 Madapkmp.exe 1252 Madapkmp.exe 2912 Mdcnlglc.exe 2912 Mdcnlglc.exe 1808 Mohbip32.exe 1808 Mohbip32.exe 2104 Naikkk32.exe 2104 Naikkk32.exe 1684 Ncjgbcoi.exe 1684 Ncjgbcoi.exe 532 Npnhlg32.exe 532 Npnhlg32.exe 1484 Nfkpdn32.exe 1484 Nfkpdn32.exe 644 Nfmmin32.exe 644 Nfmmin32.exe 1740 Nhlifi32.exe 1740 Nhlifi32.exe 2684 Nofabc32.exe 2684 Nofabc32.exe 3068 Nfpjomgd.exe 3068 Nfpjomgd.exe 940 Njkfpl32.exe 940 Njkfpl32.exe 1960 Nkmbgdfl.exe 1960 Nkmbgdfl.exe 740 Ofbfdmeb.exe 740 Ofbfdmeb.exe 3040 Ohqbqhde.exe 3040 Ohqbqhde.exe 2976 Oojknblb.exe 2976 Oojknblb.exe 1504 Ofdcjm32.exe 1504 Ofdcjm32.exe 2796 Odgcfijj.exe 2796 Odgcfijj.exe 1572 Onphoo32.exe 1572 Onphoo32.exe 2844 Oiellh32.exe 2844 Oiellh32.exe 1620 Ojficpfn.exe 1620 Ojficpfn.exe 2576 Oqqapjnk.exe 2576 Oqqapjnk.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Aiedjneg.exe Adhlaggp.exe File opened for modification C:\Windows\SysWOW64\Cdakgibq.exe Cpeofk32.exe File opened for modification C:\Windows\SysWOW64\Jnffgd32.exe Jocflgga.exe File opened for modification C:\Windows\SysWOW64\Jkmcfhkc.exe Jhngjmlo.exe File created C:\Windows\SysWOW64\Nhlifi32.exe Nfmmin32.exe File created C:\Windows\SysWOW64\Ahaloofd.dll Omgaek32.exe File opened for modification C:\Windows\SysWOW64\Mihiih32.exe Mgimmm32.exe File opened for modification C:\Windows\SysWOW64\Oclilp32.exe Oqmmpd32.exe File created C:\Windows\SysWOW64\Hkaglf32.exe Hhckpk32.exe File opened for modification C:\Windows\SysWOW64\Lcfqkl32.exe Llohjo32.exe File created C:\Windows\SysWOW64\Oiellh32.exe Onphoo32.exe File created C:\Windows\SysWOW64\Dmafennb.exe Dfgmhd32.exe File created C:\Windows\SysWOW64\Ldeamlkj.dll Piekcd32.exe File opened for modification C:\Windows\SysWOW64\Qdccfh32.exe Qaefjm32.exe File created C:\Windows\SysWOW64\Lmebnb32.exe Llcefjgf.exe File created C:\Windows\SysWOW64\Pinfim32.dll Eloemi32.exe File opened for modification C:\Windows\SysWOW64\Henidd32.exe Hcplhi32.exe File created C:\Windows\SysWOW64\Bhglodcb.dll Qlkdkd32.exe File opened for modification C:\Windows\SysWOW64\Bbgnak32.exe Bnkbam32.exe File created C:\Windows\SysWOW64\Ofdcjm32.exe Oojknblb.exe File opened for modification C:\Windows\SysWOW64\Dgfjbgmh.exe Doobajme.exe File opened for modification C:\Windows\SysWOW64\Lmlhnagm.exe Lfbpag32.exe File created C:\Windows\SysWOW64\Kmjfdejp.exe Kngfih32.exe File created C:\Windows\SysWOW64\Dkjgaecj.dll Aaaoij32.exe File created C:\Windows\SysWOW64\Bgfgbaoo.dll Fiihdlpc.exe File opened for modification C:\Windows\SysWOW64\Knpemf32.exe Kkaiqk32.exe File created C:\Windows\SysWOW64\Gadkgl32.dll Ealnephf.exe File created C:\Windows\SysWOW64\Pimkpfeh.exe Pdaoog32.exe File created C:\Windows\SysWOW64\Ekebnbmn.dll Mlhkpm32.exe File created C:\Windows\SysWOW64\Hlhaqogk.exe Henidd32.exe File created C:\Windows\SysWOW64\Eiehea32.dll Iblpjdpk.exe File created C:\Windows\SysWOW64\Ehllae32.dll Ikpjgkjq.exe File created C:\Windows\SysWOW64\Iooklook.dll Aadloj32.exe File created C:\Windows\SysWOW64\Oakomajq.dll Dfdjhndl.exe File created C:\Windows\SysWOW64\Ibafdk32.dll Npccpo32.exe File created C:\Windows\SysWOW64\Hecjkifm.dll Dkmmhf32.exe File created C:\Windows\SysWOW64\Hpmgqnfl.exe Hnojdcfi.exe File created C:\Windows\SysWOW64\Cnbpqb32.dll Bbflib32.exe File created C:\Windows\SysWOW64\Doobajme.exe Dmafennb.exe File opened for modification C:\Windows\SysWOW64\Gldkfl32.exe Ghhofmql.exe File created C:\Windows\SysWOW64\Aohfbg32.dll Illgimph.exe File opened for modification C:\Windows\SysWOW64\Ncjgbcoi.exe Naikkk32.exe File created C:\Windows\SysWOW64\Elgpfqll.dll Qaefjm32.exe File created C:\Windows\SysWOW64\Pbfpik32.exe Pogclp32.exe File created C:\Windows\SysWOW64\Pkpagq32.exe Pciifc32.exe File created C:\Windows\SysWOW64\Dfkjnkib.dll Pfjbgnme.exe File created C:\Windows\SysWOW64\Bocolb32.exe Bldcpf32.exe File opened for modification C:\Windows\SysWOW64\Ankdiqih.exe Ahakmf32.exe File opened for modification C:\Windows\SysWOW64\Jejhecaj.exe Jfghif32.exe File created C:\Windows\SysWOW64\Fpfdalii.exe Facdeo32.exe File opened for modification C:\Windows\SysWOW64\Njlockkm.exe Nhkbkc32.exe File opened for modification C:\Windows\SysWOW64\Aadloj32.exe Aoepcn32.exe File created C:\Windows\SysWOW64\Ggfblnnh.dll Meijhc32.exe File created C:\Windows\SysWOW64\Fclomp32.dll Dgfjbgmh.exe File created C:\Windows\SysWOW64\Ekholjqg.exe Eijcpoac.exe File created C:\Windows\SysWOW64\Gemaaoaf.dll Kngfih32.exe File created C:\Windows\SysWOW64\Iecenlqh.dll Bfcampgf.exe File opened for modification C:\Windows\SysWOW64\Qgoapp32.exe Qiladcdh.exe File opened for modification C:\Windows\SysWOW64\Epdkli32.exe Ekholjqg.exe File opened for modification C:\Windows\SysWOW64\Gbijhg32.exe Fmlapp32.exe File opened for modification C:\Windows\SysWOW64\Peiepfgg.exe Pamiog32.exe File created C:\Windows\SysWOW64\Ahoanjcc.dll Emnndlod.exe File created C:\Windows\SysWOW64\Jdpndnei.exe Jnffgd32.exe File created C:\Windows\SysWOW64\Lcagpl32.exe Labkdack.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7960 7936 WerFault.exe 754 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icaooali.dll" Mkhmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll" Ghfbqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kiijnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahaloofd.dll" Omgaek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blmdlhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcifgjgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpnbkeld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgcpjmcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhljdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cenaioaq.dll" Agdjkogm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Momeefin.dll" Blkioa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 0785a7d827b845a6965d869f9d36547f21ff8549669300a3a24dc2f003d819aa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppfjfiam.dll" Lhlqhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbfjhgfl.dll" Ofbfdmeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boiccdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lilchoah.dll" Beehencq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cillgpen.dll" Dmafennb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnennj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjjgclai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebpkk32.dll" Caknol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egafleqm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hapicp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkpegi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebbgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fioeja32.dll" Oonafa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daifmohp.dll" Mbkmlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifmcd32.dll" Bbdallnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bonoflae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljenlcfa.dll" Eqonkmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khcmap32.dll" Lhmjkaoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbmcbbki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nckjkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhohda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkpgfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeoffcnl.dll" Papfegmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cohigamf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Heihnoph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdcpdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eebghjja.dll" Ojigbhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojdngl32.dll" Bkodhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghfbqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkpagq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmdadnkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Illgimph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhgdkjol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkjcplpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppoqge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkodhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jiondcpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcghbk32.dll" Qjjgclai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnnkng32.dll" Biamilfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqalka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbfpik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkhpkoen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahch32.dll" Fnbkddem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpbnlj32.dll" Jejhecaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Macalohk.dll" Mofglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffakeiib.dll" Bcaomf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdcpdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Annbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmabnaj.dll" Pgioaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgaqoq32.dll" Hoopae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbfhbeek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lijjoe32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2296 wrote to memory of 2824 2296 0785a7d827b845a6965d869f9d36547f21ff8549669300a3a24dc2f003d819aa.exe 28 PID 2296 wrote to memory of 2824 2296 0785a7d827b845a6965d869f9d36547f21ff8549669300a3a24dc2f003d819aa.exe 28 PID 2296 wrote to memory of 2824 2296 0785a7d827b845a6965d869f9d36547f21ff8549669300a3a24dc2f003d819aa.exe 28 PID 2296 wrote to memory of 2824 2296 0785a7d827b845a6965d869f9d36547f21ff8549669300a3a24dc2f003d819aa.exe 28 PID 2824 wrote to memory of 2856 2824 Lhlqhb32.exe 29 PID 2824 wrote to memory of 2856 2824 Lhlqhb32.exe 29 PID 2824 wrote to memory of 2856 2824 Lhlqhb32.exe 29 PID 2824 wrote to memory of 2856 2824 Lhlqhb32.exe 29 PID 2856 wrote to memory of 3012 2856 Ladeqhjd.exe 30 PID 2856 wrote to memory of 3012 2856 Ladeqhjd.exe 30 PID 2856 wrote to memory of 3012 2856 Ladeqhjd.exe 30 PID 2856 wrote to memory of 3012 2856 Ladeqhjd.exe 30 PID 3012 wrote to memory of 2660 3012 Lipjejgp.exe 31 PID 3012 wrote to memory of 2660 3012 Lipjejgp.exe 31 PID 3012 wrote to memory of 2660 3012 Lipjejgp.exe 31 PID 3012 wrote to memory of 2660 3012 Lipjejgp.exe 31 PID 2660 wrote to memory of 2596 2660 Lgdjnofi.exe 32 PID 2660 wrote to memory of 2596 2660 Lgdjnofi.exe 32 PID 2660 wrote to memory of 2596 2660 Lgdjnofi.exe 32 PID 2660 wrote to memory of 2596 2660 Lgdjnofi.exe 32 PID 2596 wrote to memory of 2616 2596 Mcjkcplm.exe 33 PID 2596 wrote to memory of 2616 2596 Mcjkcplm.exe 33 PID 2596 wrote to memory of 2616 2596 Mcjkcplm.exe 33 PID 2596 wrote to memory of 2616 2596 Mcjkcplm.exe 33 PID 2616 wrote to memory of 2468 2616 Mlcple32.exe 34 PID 2616 wrote to memory of 2468 2616 Mlcple32.exe 34 PID 2616 wrote to memory of 2468 2616 Mlcple32.exe 34 PID 2616 wrote to memory of 2468 2616 Mlcple32.exe 34 PID 2468 wrote to memory of 2124 2468 Maphdl32.exe 35 PID 2468 wrote to memory of 2124 2468 Maphdl32.exe 35 PID 2468 wrote to memory of 2124 2468 Maphdl32.exe 35 PID 2468 wrote to memory of 2124 2468 Maphdl32.exe 35 PID 2124 wrote to memory of 2724 2124 Mkhmma32.exe 36 PID 2124 wrote to memory of 2724 2124 Mkhmma32.exe 36 PID 2124 wrote to memory of 2724 2124 Mkhmma32.exe 36 PID 2124 wrote to memory of 2724 2124 Mkhmma32.exe 36 PID 2724 wrote to memory of 1252 2724 Mhlmgf32.exe 37 PID 2724 wrote to memory of 1252 2724 Mhlmgf32.exe 37 PID 2724 wrote to memory of 1252 2724 Mhlmgf32.exe 37 PID 2724 wrote to memory of 1252 2724 Mhlmgf32.exe 37 PID 1252 wrote to memory of 2912 1252 Madapkmp.exe 38 PID 1252 wrote to memory of 2912 1252 Madapkmp.exe 38 PID 1252 wrote to memory of 2912 1252 Madapkmp.exe 38 PID 1252 wrote to memory of 2912 1252 Madapkmp.exe 38 PID 2912 wrote to memory of 1808 2912 Mdcnlglc.exe 39 PID 2912 wrote to memory of 1808 2912 Mdcnlglc.exe 39 PID 2912 wrote to memory of 1808 2912 Mdcnlglc.exe 39 PID 2912 wrote to memory of 1808 2912 Mdcnlglc.exe 39 PID 1808 wrote to memory of 2104 1808 Mohbip32.exe 40 PID 1808 wrote to memory of 2104 1808 Mohbip32.exe 40 PID 1808 wrote to memory of 2104 1808 Mohbip32.exe 40 PID 1808 wrote to memory of 2104 1808 Mohbip32.exe 40 PID 2104 wrote to memory of 1684 2104 Naikkk32.exe 41 PID 2104 wrote to memory of 1684 2104 Naikkk32.exe 41 PID 2104 wrote to memory of 1684 2104 Naikkk32.exe 41 PID 2104 wrote to memory of 1684 2104 Naikkk32.exe 41 PID 1684 wrote to memory of 532 1684 Ncjgbcoi.exe 42 PID 1684 wrote to memory of 532 1684 Ncjgbcoi.exe 42 PID 1684 wrote to memory of 532 1684 Ncjgbcoi.exe 42 PID 1684 wrote to memory of 532 1684 Ncjgbcoi.exe 42 PID 532 wrote to memory of 1484 532 Npnhlg32.exe 43 PID 532 wrote to memory of 1484 532 Npnhlg32.exe 43 PID 532 wrote to memory of 1484 532 Npnhlg32.exe 43 PID 532 wrote to memory of 1484 532 Npnhlg32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\0785a7d827b845a6965d869f9d36547f21ff8549669300a3a24dc2f003d819aa.exe"C:\Users\Admin\AppData\Local\Temp\0785a7d827b845a6965d869f9d36547f21ff8549669300a3a24dc2f003d819aa.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1484 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:644 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3068 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:940 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1960 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:740 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1504 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1572 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe33⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe35⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe36⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe37⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe38⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe39⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe40⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe42⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe43⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe44⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:852 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe46⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe47⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe48⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe49⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe50⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe51⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe52⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe53⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2212 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe56⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe57⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe60⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe61⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe63⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe64⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe65⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe66⤵PID:2276
-
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe67⤵PID:1928
-
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe68⤵PID:1092
-
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe69⤵PID:1292
-
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe70⤵PID:2416
-
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe71⤵PID:920
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe72⤵PID:2184
-
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe73⤵PID:3036
-
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe74⤵PID:876
-
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe75⤵PID:2160
-
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe76⤵
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2540 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe78⤵PID:1896
-
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe79⤵
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe80⤵
- Modifies registry class
PID:1016 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe81⤵
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe82⤵
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2224 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe84⤵PID:2092
-
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe85⤵PID:760
-
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe86⤵PID:2260
-
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe87⤵PID:2820
-
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:272 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe89⤵PID:2024
-
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe90⤵PID:2180
-
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe91⤵PID:2300
-
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe92⤵PID:1600
-
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe93⤵
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe94⤵PID:2544
-
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe95⤵
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe96⤵PID:2436
-
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe97⤵PID:2252
-
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe98⤵PID:2380
-
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe99⤵PID:2736
-
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe100⤵PID:468
-
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe101⤵PID:264
-
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe102⤵PID:568
-
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe103⤵PID:1812
-
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe104⤵PID:2816
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe105⤵PID:2524
-
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe106⤵PID:3044
-
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe107⤵PID:972
-
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe108⤵PID:884
-
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe109⤵PID:2984
-
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe110⤵PID:2552
-
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe111⤵PID:2456
-
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1640 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe113⤵PID:2916
-
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe114⤵PID:1680
-
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe115⤵PID:1152
-
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe116⤵PID:692
-
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe117⤵
- Drops file in System32 directory
PID:1360 -
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe118⤵PID:764
-
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe119⤵PID:888
-
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe120⤵PID:1884
-
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe121⤵
- Drops file in System32 directory
PID:2672
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-