Analysis

max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-06-2024 03:23
Static task: static1

Behavioral task: behavioral1
  Sample: ed45bb1acb2d349a2f836798b5d1211405587d80794203237c293a9091fe34f3.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: ed45bb1acb2d349a2f836798b5d1211405587d80794203237c293a9091fe34f3.exe
  Resource: win10v2004-20240508-en
General

Target: ed45bb1acb2d349a2f836798b5d1211405587d80794203237c293a9091fe34f3.exe
Size: 344KB
MD5: c678563be3f718763071b4c94dd86f51
SHA1: 1fef2992131de2630ddc80954b1849cbea561da5
SHA256: ed45bb1acb2d349a2f836798b5d1211405587d80794203237c293a9091fe34f3
SHA512: 1a74b9395631bafef1362ae038ac20a8d16611551264ddff8528317cdf6b6dda2dd12c26cb3fad9c9ae1e57d9eb3facf46efd3bf3c6fc72b135a3e76bef2a574
SSDEEP: 6144:iKmHwM2UuHk8D1fIz7kdEPuHBCpX2/mnbzvdLaD6OkPgl6bmIjlQFn:uHwM2UuHk8D1fIz7kzhCpXImbzQD6OkS
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
UPX dump on OEP (original entry point) 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid     pid_target   Process        procid_target
13584   13424        WerFault.exe   749
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\ed45bb1acb2d349a2f836798b5d1211405587d80794203237c293a9091fe34f3.exe (command line: "C:\Users\Admin\AppData\Local\Temp\ed45bb1acb2d349a2f836798b5d1211405587d80794203237c293a9091fe34f3.exe")
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4132
2. C:\Windows\SysWOW64\Mgekbljc.exe (command line: C:\Windows\system32\Mgekbljc.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3692
3. C:\Windows\SysWOW64\Mjcgohig.exe (command line: C:\Windows\system32\Mjcgohig.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 4192
4. C:\Windows\SysWOW64\Mnocof32.exe (command line: C:\Windows\system32\Mnocof32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4632
5. C:\Windows\SysWOW64\Mpmokb32.exe (command line: C:\Windows\system32\Mpmokb32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1696
6. C:\Windows\SysWOW64\Mdiklqhm.exe (command line: C:\Windows\system32\Mdiklqhm.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2444
7. C:\Windows\SysWOW64\Mgghhlhq.exe (command line: C:\Windows\system32\Mgghhlhq.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 836
8. C:\Windows\SysWOW64\Mjeddggd.exe (command line: C:\Windows\system32\Mjeddggd.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 60
9. C:\Windows\SysWOW64\Mamleegg.exe (command line: C:\Windows\system32\Mamleegg.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1152
10. C:\Windows\SysWOW64\Mpolqa32.exe (command line: C:\Windows\system32\Mpolqa32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1104
11. C:\Windows\SysWOW64\Mkepnjng.exe (command line: C:\Windows\system32\Mkepnjng.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4056
12. C:\Windows\SysWOW64\Mncmjfmk.exe (command line: C:\Windows\system32\Mncmjfmk.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2536
13. C:\Windows\SysWOW64\Mpaifalo.exe (command line: C:\Windows\system32\Mpaifalo.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4784
14. C:\Windows\SysWOW64\Maaepd32.exe (command line: C:\Windows\system32\Maaepd32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4968
15. C:\Windows\SysWOW64\Mdpalp32.exe (command line: C:\Windows\system32\Mdpalp32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1012
16. C:\Windows\SysWOW64\Mgnnhk32.exe (command line: C:\Windows\system32\Mgnnhk32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 5052
17. C:\Windows\SysWOW64\Nnhfee32.exe (command line: C:\Windows\system32\Nnhfee32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 404
18. C:\Windows\SysWOW64\Nqfbaq32.exe (command line: C:\Windows\system32\Nqfbaq32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4536
19. C:\Windows\SysWOW64\Ngpjnkpf.exe (command line: C:\Windows\system32\Ngpjnkpf.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3904
20. C:\Windows\SysWOW64\Njogjfoj.exe (command line: C:\Windows\system32\Njogjfoj.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1244
21. C:\Windows\SysWOW64\Nafokcol.exe (command line: C:\Windows\system32\Nafokcol.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3108
22. C:\Windows\SysWOW64\Ncgkcl32.exe (command line: C:\Windows\system32\Ncgkcl32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 1920
23. C:\Windows\SysWOW64\Njacpf32.exe (command line: C:\Windows\system32\Njacpf32.exe)
- Executes dropped EXE
PID: 1968
24. C:\Windows\SysWOW64\Nbhkac32.exe (command line: C:\Windows\system32\Nbhkac32.exe)
- Executes dropped EXE
PID: 3164
25. C:\Windows\SysWOW64\Ndghmo32.exe (command line: C:\Windows\system32\Ndghmo32.exe)
- Executes dropped EXE
PID: 2872
26. C:\Windows\SysWOW64\Ncihikcg.exe (command line: C:\Windows\system32\Ncihikcg.exe)
- Executes dropped EXE
PID: 4164
27. C:\Windows\SysWOW64\Nqmhbpba.exe (command line: C:\Windows\system32\Nqmhbpba.exe)
- Executes dropped EXE
PID: 2428
28. C:\Windows\SysWOW64\Nggqoj32.exe (command line: C:\Windows\system32\Nggqoj32.exe)
- Executes dropped EXE
PID: 3288
29. C:\Windows\SysWOW64\Nbmelbid.exe (command line: C:\Windows\system32\Nbmelbid.exe)
- Executes dropped EXE
PID: 4268
30. C:\Windows\SysWOW64\Ncnadk32.exe (command line: C:\Windows\system32\Ncnadk32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2172
31. C:\Windows\SysWOW64\Ogjmdigk.exe (command line: C:\Windows\system32\Ogjmdigk.exe)
- Executes dropped EXE
PID: 2812
32. C:\Windows\SysWOW64\Oboaabga.exe (command line: C:\Windows\system32\Oboaabga.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 4940
33. C:\Windows\SysWOW64\Odnnnnfe.exe (command line: C:\Windows\system32\Odnnnnfe.exe)
- Executes dropped EXE
PID: 4552
34. C:\Windows\SysWOW64\Ogljjiei.exe (command line: C:\Windows\system32\Ogljjiei.exe)
- Executes dropped EXE
PID: 3932
35. C:\Windows\SysWOW64\Okhfjh32.exe (command line: C:\Windows\system32\Okhfjh32.exe)
- Executes dropped EXE
PID: 4004
36. C:\Windows\SysWOW64\Ogogoi32.exe (command line: C:\Windows\system32\Ogogoi32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 4976
37. C:\Windows\SysWOW64\Okjbpglo.exe (command line: C:\Windows\system32\Okjbpglo.exe)
- Executes dropped EXE
PID: 1088
38. C:\Windows\SysWOW64\Ojmcld32.exe (command line: C:\Windows\system32\Ojmcld32.exe)
- Executes dropped EXE
PID: 4480
39. C:\Windows\SysWOW64\Obdkma32.exe (command line: C:\Windows\system32\Obdkma32.exe)
- Executes dropped EXE
PID: 1852
40. C:\Windows\SysWOW64\Odbgim32.exe (command line: C:\Windows\system32\Odbgim32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 900
41. C:\Windows\SysWOW64\Ocegdjij.exe (command line: C:\Windows\system32\Ocegdjij.exe)
- Executes dropped EXE
PID: 4144
42. C:\Windows\SysWOW64\Okloegjl.exe (command line: C:\Windows\system32\Okloegjl.exe)
- Executes dropped EXE
PID: 3452
43. C:\Windows\SysWOW64\Ojopad32.exe (command line: C:\Windows\system32\Ojopad32.exe)
- Executes dropped EXE
PID: 1572
44. C:\Windows\SysWOW64\Onklabip.exe (command line: C:\Windows\system32\Onklabip.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2368
45. C:\Windows\SysWOW64\Obfhba32.exe (command line: C:\Windows\system32\Obfhba32.exe)
- Executes dropped EXE
PID: 5008
46. C:\Windows\SysWOW64\Odednmpm.exe (command line: C:\Windows\system32\Odednmpm.exe)
- Executes dropped EXE
PID: 2280
47. C:\Windows\SysWOW64\Ogcpjhoq.exe (command line: C:\Windows\system32\Ogcpjhoq.exe)
- Executes dropped EXE
PID: 3892
48. C:\Windows\SysWOW64\Okolkg32.exe (command line: C:\Windows\system32\Okolkg32.exe)
- Executes dropped EXE
PID: 3448
49. C:\Windows\SysWOW64\Onmhgb32.exe (command line: C:\Windows\system32\Onmhgb32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 876
50. C:\Windows\SysWOW64\Obidhaog.exe (command line: C:\Windows\system32\Obidhaog.exe)
- Executes dropped EXE
PID: 1808
51. C:\Windows\SysWOW64\Odgqdlnj.exe (command line: C:\Windows\system32\Odgqdlnj.exe)
- Executes dropped EXE
PID: 3800
52. C:\Windows\SysWOW64\Pcjapi32.exe (command line: C:\Windows\system32\Pcjapi32.exe)
- Executes dropped EXE
PID: 4012
53. C:\Windows\SysWOW64\Pkaiqf32.exe (command line: C:\Windows\system32\Pkaiqf32.exe)
- Executes dropped EXE
PID: 4568
54. C:\Windows\SysWOW64\Pnpemb32.exe (command line: C:\Windows\system32\Pnpemb32.exe)
- Executes dropped EXE
PID: 3344
55. C:\Windows\SysWOW64\Pbkamqmd.exe (command line: C:\Windows\system32\Pbkamqmd.exe)
- Executes dropped EXE
PID: 4860
56. C:\Windows\SysWOW64\Peimil32.exe (command line: C:\Windows\system32\Peimil32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 3860
57. C:\Windows\SysWOW64\Pghieg32.exe (command line: C:\Windows\system32\Pghieg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 1864
58. C:\Windows\SysWOW64\Pjffbc32.exe (command line: C:\Windows\system32\Pjffbc32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 2100
59. C:\Windows\SysWOW64\Pnbbbabh.exe (command line: C:\Windows\system32\Pnbbbabh.exe)
- Executes dropped EXE
PID: 1588
60. C:\Windows\SysWOW64\Pbmncp32.exe (command line: C:\Windows\system32\Pbmncp32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 4712
61. C:\Windows\SysWOW64\Pqpnombl.exe (command line: C:\Windows\system32\Pqpnombl.exe)
- Executes dropped EXE
PID: 4840
62. C:\Windows\SysWOW64\Pcojkhap.exe (command line: C:\Windows\system32\Pcojkhap.exe)
- Executes dropped EXE
PID: 1632
63. C:\Windows\SysWOW64\Pkfblfab.exe (command line: C:\Windows\system32\Pkfblfab.exe)
- Executes dropped EXE
PID: 1300
64. C:\Windows\SysWOW64\Pjhbgb32.exe (command line: C:\Windows\system32\Pjhbgb32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 5048
65. C:\Windows\SysWOW64\Pbpjhp32.exe (command line: C:\Windows\system32\Pbpjhp32.exe)
- Executes dropped EXE
PID: 2844
66. C:\Windows\SysWOW64\Pabkdmpi.exe (command line: C:\Windows\system32\Pabkdmpi.exe)
PID: 3040
67. C:\Windows\SysWOW64\Pcagphom.exe (command line: C:\Windows\system32\Pcagphom.exe)
PID: 3584
68. C:\Windows\SysWOW64\Pgmcqggf.exe (command line: C:\Windows\system32\Pgmcqggf.exe)
PID: 1700
69. C:\Windows\SysWOW64\Pkhoae32.exe (command line: C:\Windows\system32\Pkhoae32.exe)
- Drops file in System32 directory
PID: 392
70. C:\Windows\SysWOW64\Pjkombfj.exe (command line: C:\Windows\system32\Pjkombfj.exe)
PID: 4460
71. C:\Windows\SysWOW64\Paegjl32.exe (command line: C:\Windows\system32\Paegjl32.exe)
PID: 4720
72. C:\Windows\SysWOW64\Pcccfh32.exe (command line: C:\Windows\system32\Pcccfh32.exe)
- Drops file in System32 directory
PID: 4440
73. C:\Windows\SysWOW64\Pgopffec.exe (command line: C:\Windows\system32\Pgopffec.exe)
PID: 1308
74. C:\Windows\SysWOW64\Pjmlbbdg.exe (command line: C:\Windows\system32\Pjmlbbdg.exe)
PID: 4384
75. C:\Windows\SysWOW64\Pnihcq32.exe (command line: C:\Windows\system32\Pnihcq32.exe)
PID: 3648
76. C:\Windows\SysWOW64\Pagdol32.exe (command line: C:\Windows\system32\Pagdol32.exe)
PID: 1532
77. C:\Windows\SysWOW64\Qcepkg32.exe (command line: C:\Windows\system32\Qcepkg32.exe)
PID: 4532
78. C:\Windows\SysWOW64\Qgallfcq.exe (command line: C:\Windows\system32\Qgallfcq.exe)
PID: 2648
79. C:\Windows\SysWOW64\Qnkdhpjn.exe (command line: C:\Windows\system32\Qnkdhpjn.exe)
PID: 2480
80. C:\Windows\SysWOW64\Qbgqio32.exe (command line: C:\Windows\system32\Qbgqio32.exe)
PID: 4444
81. C:\Windows\SysWOW64\Qeemej32.exe (command line: C:\Windows\system32\Qeemej32.exe)
PID: 1944
82. C:\Windows\SysWOW64\Qchmagie.exe (command line: C:\Windows\system32\Qchmagie.exe)
- Drops file in System32 directory
PID: 5064
83. C:\Windows\SysWOW64\Qloebdig.exe (command line: C:\Windows\system32\Qloebdig.exe)
PID: 4548
84. C:\Windows\SysWOW64\Qjbena32.exe (command line: C:\Windows\system32\Qjbena32.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 2948
85. C:\Windows\SysWOW64\Qbimoo32.exe (command line: C:\Windows\system32\Qbimoo32.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 3392
86. C:\Windows\SysWOW64\Aegikj32.exe (command line: C:\Windows\system32\Aegikj32.exe)
PID: 2880
87. C:\Windows\SysWOW64\Agffge32.exe (command line: C:\Windows\system32\Agffge32.exe)
PID: 1060
88. C:\Windows\SysWOW64\Anpncp32.exe (command line: C:\Windows\system32\Anpncp32.exe)
PID: 3212
89. C:\Windows\SysWOW64\Aanjpk32.exe (command line: C:\Windows\system32\Aanjpk32.exe)
- Drops file in System32 directory
PID: 824
90. C:\Windows\SysWOW64\Acmflf32.exe (command line: C:\Windows\system32\Acmflf32.exe)
PID: 5060
91. C:\Windows\SysWOW64\Ahhblemi.exe (command line: C:\Windows\system32\Ahhblemi.exe)
PID: 3208
92. C:\Windows\SysWOW64\Ajfoiqll.exe (command line: C:\Windows\system32\Ajfoiqll.exe)
PID: 2680
93. C:\Windows\SysWOW64\Anbkio32.exe (command line: C:\Windows\system32\Anbkio32.exe)
PID: 4664
94. C:\Windows\SysWOW64\Aaqgek32.exe (command line: C:\Windows\system32\Aaqgek32.exe)
PID: 2052
95. C:\Windows\SysWOW64\Aelcfilb.exe (command line: C:\Windows\system32\Aelcfilb.exe)
- Drops file in System32 directory
PID: 936
96. C:\Windows\SysWOW64\Ahkobekf.exe (command line: C:\Windows\system32\Ahkobekf.exe)
- Drops file in System32 directory
PID: 1528
97. C:\Windows\SysWOW64\Alfkbc32.exe (command line: C:\Windows\system32\Alfkbc32.exe)
PID: 2432
98. C:\Windows\SysWOW64\Ajiknpjj.exe (command line: C:\Windows\system32\Ajiknpjj.exe)
PID: 548
99. C:\Windows\SysWOW64\Andgoobc.exe (command line: C:\Windows\system32\Andgoobc.exe)
PID: 400
100. C:\Windows\SysWOW64\Abpcon32.exe (command line: C:\Windows\system32\Abpcon32.exe)
PID: 2184
101. C:\Windows\SysWOW64\Aacckjaf.exe (command line: C:\Windows\system32\Aacckjaf.exe)
PID: 1368
102. C:\Windows\SysWOW64\Aeopki32.exe (command line: C:\Windows\system32\Aeopki32.exe)
- Modifies registry class
PID: 2140
103. C:\Windows\SysWOW64\Ahmlgd32.exe (command line: C:\Windows\system32\Ahmlgd32.exe)
PID: 2408
104. C:\Windows\SysWOW64\Alhhhcal.exe (command line: C:\Windows\system32\Alhhhcal.exe)
- Drops file in System32 directory
PID: 464
105. C:\Windows\SysWOW64\Ajkhdp32.exe (command line: C:\Windows\system32\Ajkhdp32.exe)
PID: 4884
106. C:\Windows\SysWOW64\Angddopp.exe (command line: C:\Windows\system32\Angddopp.exe)
PID: 3968
107. C:\Windows\SysWOW64\Abbpem32.exe (command line: C:\Windows\system32\Abbpem32.exe)
PID: 4092
108. C:\Windows\SysWOW64\Aaepqjpd.exe (command line: C:\Windows\system32\Aaepqjpd.exe)
PID: 2240
109. C:\Windows\SysWOW64\Adcmmeog.exe (command line: C:\Windows\system32\Adcmmeog.exe)
- Drops file in System32 directory
PID: 5044
110. C:\Windows\SysWOW64\Ahoimd32.exe (command line: C:\Windows\system32\Ahoimd32.exe)
PID: 216
111. C:\Windows\SysWOW64\Alkdnboj.exe (command line: C:\Windows\system32\Alkdnboj.exe)
PID: 3148
112. C:\Windows\SysWOW64\Ajneip32.exe (command line: C:\Windows\system32\Ajneip32.exe)
PID: 3008
113. C:\Windows\SysWOW64\Aniajnnn.exe (command line: C:\Windows\system32\Aniajnnn.exe)
PID: 2840
114. C:\Windows\SysWOW64\Abemjmgg.exe (command line: C:\Windows\system32\Abemjmgg.exe)
PID: 5056
115. C:\Windows\SysWOW64\Becifhfj.exe (command line: C:\Windows\system32\Becifhfj.exe)
PID: 2188
116. C:\Windows\SysWOW64\Bdfibe32.exe (command line: C:\Windows\system32\Bdfibe32.exe)
PID: 1648
117. C:\Windows\SysWOW64\Bhaebcen.exe (command line: C:\Windows\system32\Bhaebcen.exe)
PID: 5144
118. C:\Windows\SysWOW64\Blmacb32.exe (command line: C:\Windows\system32\Blmacb32.exe)
PID: 5180
119. C:\Windows\SysWOW64\Bjpaooda.exe (command line: C:\Windows\system32\Bjpaooda.exe)
- Modifies registry class
PID: 5224
120. C:\Windows\SysWOW64\Bnlnon32.exe (command line: C:\Windows\system32\Bnlnon32.exe)
PID: 5268
121. C:\Windows\SysWOW64\Bajjli32.exe (command line: C:\Windows\system32\Bajjli32.exe)
- Modifies registry class
PID: 5312
122. C:\Windows\SysWOW64\Beeflhdh.exe (command line: C:\Windows\system32\Beeflhdh.exe)
PID: 5360