Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
30/06/2024, 20:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2e2768598788386890df4b7524f2d51853f8ccf19a0eebaf19acd139874f135d.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
2e2768598788386890df4b7524f2d51853f8ccf19a0eebaf19acd139874f135d.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
2e2768598788386890df4b7524f2d51853f8ccf19a0eebaf19acd139874f135d.exe
-
Size
89KB
-
MD5
7094a49e3c6b82c05a9e83e5487e2ee5
-
SHA1
b8b52cbf6fecca17285f9c21a69575a5f36734b9
-
SHA256
2e2768598788386890df4b7524f2d51853f8ccf19a0eebaf19acd139874f135d
-
SHA512
61425f088f294cd75d53c7fc82b1e7ac9646fde06bc9588f931c9bd3a48006ef246832e72e28a028dfe8202cd4166fd38285123e71c9045c583bef2c45b33ad7
-
SSDEEP
1536:OdLF39qUqUicwAHwLXAQ6vtZbpR8D1nmBURYiTboIAc2lExkg8Fk:OdLFDqhbAQLX96vtzG1mGRYMbmc2laky
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Madapkmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pabjem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhhnli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebbgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eiaiqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffpmnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjlhneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojolhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojfaijcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebinic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqopea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kblhgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfjqnjkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmcijcbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkppbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oddpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckccgane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhnmij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oomhcbjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Filldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idfbkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikpjgkjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlkopcge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngnbgplj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqideepg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogblbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaaoij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnobnmpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pccfge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qecoqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfdpip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccfhhffh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Claifkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgmglh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohfeog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oikojfgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihoafpmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmocpado.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adnopfoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejmebq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nghphaeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbkeib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajphib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckffgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiaiqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Papfegmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afcenm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqgnokip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aiedjneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofjfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkommo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egjpkffe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijeghgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iqopea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Claifkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebedndfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Logbhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmanoifd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abhimnma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfffnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aepojo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gobgcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lafndg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpfkqb32.exe -
Executes dropped EXE 64 IoCs
pid Process 1736 Lplogdmj.exe 2676 Mlcple32.exe 2996 Mhjpaf32.exe 2696 Mcodno32.exe 2700 Mlgigdoh.exe 1932 Madapkmp.exe 2260 Mohbip32.exe 2916 Mhqfbebj.exe 2352 Nnnojlpa.exe 952 Ncjgbcoi.exe 1908 Nnplpl32.exe 2012 Nghphaeo.exe 1952 Njgldmdc.exe 2244 Njiijlbp.exe 3012 Nbdnoo32.exe 2444 Nmjblg32.exe 592 Nbfjdn32.exe 1916 Odegpj32.exe 2036 Okoomd32.exe 448 Obigjnkf.exe 900 Oomhcbjp.exe 268 Obkdonic.exe 1724 Oiellh32.exe 328 Oelmai32.exe 2620 Ocomlemo.exe 2968 Okfencna.exe 1304 Ofpfnqjp.exe 2732 Ongnonkb.exe 2660 Pccfge32.exe 2568 Pjmodopf.exe 2704 Pcfcmd32.exe 2544 Pfdpip32.exe 2108 Pjpkjond.exe 2960 Pfflopdh.exe 1140 Pmqdkj32.exe 2792 Ppoqge32.exe 1888 Phjelg32.exe 1032 Pbpjiphi.exe 1644 Pabjem32.exe 1776 Qhmbagfa.exe 2992 Qdccfh32.exe 1116 Qljkhe32.exe 784 Qecoqk32.exe 1508 Ahakmf32.exe 2508 Ajphib32.exe 1524 Ankdiqih.exe 1640 Aajpelhl.exe 1612 Adhlaggp.exe 2624 Ahchbf32.exe 3024 Ajbdna32.exe 2148 Ampqjm32.exe 2640 Apomfh32.exe 2824 Abmibdlh.exe 2564 Ajdadamj.exe 2552 Ambmpmln.exe 2596 Apajlhka.exe 2952 Afkbib32.exe 1964 Aenbdoii.exe 2628 Apcfahio.exe 2776 Abbbnchb.exe 2864 Aepojo32.exe 1284 Ailkjmpo.exe 1252 Aljgfioc.exe 2520 Bbdocc32.exe -
Loads dropped DLL 64 IoCs
pid Process 2220 2e2768598788386890df4b7524f2d51853f8ccf19a0eebaf19acd139874f135d.exe 2220 2e2768598788386890df4b7524f2d51853f8ccf19a0eebaf19acd139874f135d.exe 1736 Lplogdmj.exe 1736 Lplogdmj.exe 2676 Mlcple32.exe 2676 Mlcple32.exe 2996 Mhjpaf32.exe 2996 Mhjpaf32.exe 2696 Mcodno32.exe 2696 Mcodno32.exe 2700 Mlgigdoh.exe 2700 Mlgigdoh.exe 1932 Madapkmp.exe 1932 Madapkmp.exe 2260 Mohbip32.exe 2260 Mohbip32.exe 2916 Mhqfbebj.exe 2916 Mhqfbebj.exe 2352 Nnnojlpa.exe 2352 Nnnojlpa.exe 952 Ncjgbcoi.exe 952 Ncjgbcoi.exe 1908 Nnplpl32.exe 1908 Nnplpl32.exe 2012 Nghphaeo.exe 2012 Nghphaeo.exe 1952 Njgldmdc.exe 1952 Njgldmdc.exe 2244 Njiijlbp.exe 2244 Njiijlbp.exe 3012 Nbdnoo32.exe 3012 Nbdnoo32.exe 2444 Nmjblg32.exe 2444 Nmjblg32.exe 592 Nbfjdn32.exe 592 Nbfjdn32.exe 1916 Odegpj32.exe 1916 Odegpj32.exe 2036 Okoomd32.exe 2036 Okoomd32.exe 448 Obigjnkf.exe 448 Obigjnkf.exe 900 Oomhcbjp.exe 900 Oomhcbjp.exe 268 Obkdonic.exe 268 Obkdonic.exe 1724 Oiellh32.exe 1724 Oiellh32.exe 328 Oelmai32.exe 328 Oelmai32.exe 2620 Ocomlemo.exe 2620 Ocomlemo.exe 2968 Okfencna.exe 2968 Okfencna.exe 1304 Ofpfnqjp.exe 1304 Ofpfnqjp.exe 2732 Ongnonkb.exe 2732 Ongnonkb.exe 2660 Pccfge32.exe 2660 Pccfge32.exe 2568 Pjmodopf.exe 2568 Pjmodopf.exe 2704 Pcfcmd32.exe 2704 Pcfcmd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bhhnli32.exe Banepo32.exe File created C:\Windows\SysWOW64\Ikbkhq32.dll Jmocpado.exe File created C:\Windows\SysWOW64\Hokokc32.dll Bjlqhoba.exe File created C:\Windows\SysWOW64\Jjhhpp32.dll Cafecmlj.exe File created C:\Windows\SysWOW64\Afkbib32.exe Apajlhka.exe File opened for modification C:\Windows\SysWOW64\Bloqah32.exe Bhcdaibd.exe File opened for modification C:\Windows\SysWOW64\Hdfflm32.exe Hmlnoc32.exe File created C:\Windows\SysWOW64\Loeebl32.exe Lmcijcbe.exe File opened for modification C:\Windows\SysWOW64\Cjpqdp32.exe Cfeddafl.exe File opened for modification C:\Windows\SysWOW64\Gfefiemq.exe Fmlapp32.exe File created C:\Windows\SysWOW64\Ljefkdjq.dll Kcihlong.exe File opened for modification C:\Windows\SysWOW64\Nialog32.exe Najdnj32.exe File created C:\Windows\SysWOW64\Coelaaoi.exe Bhkdeggl.exe File created C:\Windows\SysWOW64\Lhcecp32.dll Apomfh32.exe File opened for modification C:\Windows\SysWOW64\Ndbcpd32.exe Npfgpe32.exe File created C:\Windows\SysWOW64\Apmmjh32.dll Bkommo32.exe File created C:\Windows\SysWOW64\Blbfjg32.exe Bfenbpec.exe File opened for modification C:\Windows\SysWOW64\Ngnbgplj.exe Nhkbkc32.exe File created C:\Windows\SysWOW64\Oonafa32.exe Onmdoioa.exe File created C:\Windows\SysWOW64\Dnoomqbg.exe Dlnbeh32.exe File created C:\Windows\SysWOW64\Pmqdkj32.exe Pfflopdh.exe File created C:\Windows\SysWOW64\Dobkmdfq.dll Aljgfioc.exe File created C:\Windows\SysWOW64\Hpdcdhpk.dll Bingpmnl.exe File opened for modification C:\Windows\SysWOW64\Bhcdaibd.exe Bkodhe32.exe File created C:\Windows\SysWOW64\Kgpjanje.exe Keanebkb.exe File created C:\Windows\SysWOW64\Ocgpappk.exe Oddpfc32.exe File created C:\Windows\SysWOW64\Bdgafdfp.exe Blpjegfm.exe File opened for modification C:\Windows\SysWOW64\Nbfjdn32.exe Nmjblg32.exe File opened for modification C:\Windows\SysWOW64\Ikpjgkjq.exe Idfbkq32.exe File created C:\Windows\SysWOW64\Hgeegb32.dll Mhdplq32.exe File created C:\Windows\SysWOW64\Feljlnoc.dll Nhiffc32.exe File created C:\Windows\SysWOW64\Lcoich32.dll Nacgdhlp.exe File created C:\Windows\SysWOW64\Nghphaeo.exe Nnplpl32.exe File created C:\Windows\SysWOW64\Claifkkf.exe Cbkeib32.exe File created C:\Windows\SysWOW64\Lckdanld.exe Kmaled32.exe File created C:\Windows\SysWOW64\Dbnkge32.dll Goddhg32.exe File opened for modification C:\Windows\SysWOW64\Jofiln32.exe Jjjacf32.exe File opened for modification C:\Windows\SysWOW64\Egllae32.exe Eqbddk32.exe File created C:\Windows\SysWOW64\Hicodd32.exe Hdfflm32.exe File created C:\Windows\SysWOW64\Gbaoqk32.dll Iqopea32.exe File opened for modification C:\Windows\SysWOW64\Olmhdf32.exe Ojolhk32.exe File opened for modification C:\Windows\SysWOW64\Ogeigofa.exe Oonafa32.exe File created C:\Windows\SysWOW64\Fjkhohik.dll Ooeggp32.exe File created C:\Windows\SysWOW64\Pdaoog32.exe Ooeggp32.exe File created C:\Windows\SysWOW64\Fehofegb.dll Apimacnn.exe File opened for modification C:\Windows\SysWOW64\Ccngld32.exe Cppkph32.exe File created C:\Windows\SysWOW64\Clomqk32.exe Cjpqdp32.exe File created C:\Windows\SysWOW64\Djnpnc32.exe Dhmcfkme.exe File opened for modification C:\Windows\SysWOW64\Icmlam32.exe Iqopea32.exe File opened for modification C:\Windows\SysWOW64\Keanebkb.exe Kafbec32.exe File opened for modification C:\Windows\SysWOW64\Mdkqqa32.exe Mamddf32.exe File created C:\Windows\SysWOW64\Hgeadcbc.dll Ankdiqih.exe File created C:\Windows\SysWOW64\Oomhcbjp.exe Obigjnkf.exe File created C:\Windows\SysWOW64\Odbkcj32.dll Phjelg32.exe File opened for modification C:\Windows\SysWOW64\Djpmccqq.exe Dgaqgh32.exe File opened for modification C:\Windows\SysWOW64\Nhiffc32.exe Naoniipe.exe File created C:\Windows\SysWOW64\Pflomnkb.exe Papfegmk.exe File opened for modification C:\Windows\SysWOW64\Blpjegfm.exe Bkommo32.exe File created C:\Windows\SysWOW64\Okfencna.exe Ocomlemo.exe File opened for modification C:\Windows\SysWOW64\Gobgcg32.exe Ghhofmql.exe File created C:\Windows\SysWOW64\Ndpaod32.dll Jjjacf32.exe File created C:\Windows\SysWOW64\Oqideepg.exe Olmhdf32.exe File created C:\Windows\SysWOW64\Aaaoij32.exe Ajhgmpfg.exe File created C:\Windows\SysWOW64\Pjpkjond.exe Pfdpip32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5088 5084 WerFault.exe 405 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Leajdfnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnippoha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgcampld.dll" Ebbgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jobjlngg.dll" Ihoafpmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljpome32.dll" Kifpdelo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fioeja32.dll" Ogeigofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfhengk.dll" Papfegmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qabcjgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plnoej32.dll" Dlgldibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqmoql32.dll" Pbpjiphi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhdcji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddcdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bocolb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhhaddp.dll" Dhnmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dqelenlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqmnhocj.dll" Fjdbnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hobcak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhhognbb.dll" Loeebl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oikojfgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lplogdmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhcecp32.dll" Apomfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoipdkgg.dll" Banepo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lefdpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjale32.dll" Egllae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncjgbcoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aloeodfi.dll" Ffpmnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdkpbk32.dll" Mamddf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Adnopfoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blpjegfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhnmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhegaocb.dll" Mlcple32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dojald32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeqjnho.dll" Djpmccqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcmkhb32.dll" Imfqjbli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhkbkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkommo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaqddb32.dll" Emkaol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Banepo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbbkja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpjfeia.dll" Djbiicon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lmcijcbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhbcfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpmnhglp.dll" Blbfjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pcfcmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgmkmecg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdhbam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feocmm32.dll" Jiakjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmocpado.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmmcjehm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmokmik.dll" Oonafa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fehofegb.dll" Apimacnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjccnjpk.dll" Aajpelhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdgneh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahgnke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Adhlaggp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgmkmecg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fjlhneio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jkpgfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcgogk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcmfoi32.dll" Jnqphi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iopodh32.dll" Mpbaebdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmlblm32.dll" Qljkhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Enfenplo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkdmcdoe.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2220 wrote to memory of 1736 2220 2e2768598788386890df4b7524f2d51853f8ccf19a0eebaf19acd139874f135d.exe 28 PID 2220 wrote to memory of 1736 2220 2e2768598788386890df4b7524f2d51853f8ccf19a0eebaf19acd139874f135d.exe 28 PID 2220 wrote to memory of 1736 2220 2e2768598788386890df4b7524f2d51853f8ccf19a0eebaf19acd139874f135d.exe 28 PID 2220 wrote to memory of 1736 2220 2e2768598788386890df4b7524f2d51853f8ccf19a0eebaf19acd139874f135d.exe 28 PID 1736 wrote to memory of 2676 1736 Lplogdmj.exe 29 PID 1736 wrote to memory of 2676 1736 Lplogdmj.exe 29 PID 1736 wrote to memory of 2676 1736 Lplogdmj.exe 29 PID 1736 wrote to memory of 2676 1736 Lplogdmj.exe 29 PID 2676 wrote to memory of 2996 2676 Mlcple32.exe 30 PID 2676 wrote to memory of 2996 2676 Mlcple32.exe 30 PID 2676 wrote to memory of 2996 2676 Mlcple32.exe 30 PID 2676 wrote to memory of 2996 2676 Mlcple32.exe 30 PID 2996 wrote to memory of 2696 2996 Mhjpaf32.exe 31 PID 2996 wrote to memory of 2696 2996 Mhjpaf32.exe 31 PID 2996 wrote to memory of 2696 2996 Mhjpaf32.exe 31 PID 2996 wrote to memory of 2696 2996 Mhjpaf32.exe 31 PID 2696 wrote to memory of 2700 2696 Mcodno32.exe 32 PID 2696 wrote to memory of 2700 2696 Mcodno32.exe 32 PID 2696 wrote to memory of 2700 2696 Mcodno32.exe 32 PID 2696 wrote to memory of 2700 2696 Mcodno32.exe 32 PID 2700 wrote to memory of 1932 2700 Mlgigdoh.exe 33 PID 2700 wrote to memory of 1932 2700 Mlgigdoh.exe 33 PID 2700 wrote to memory of 1932 2700 Mlgigdoh.exe 33 PID 2700 wrote to memory of 1932 2700 Mlgigdoh.exe 33 PID 1932 wrote to memory of 2260 1932 Madapkmp.exe 34 PID 1932 wrote to memory of 2260 1932 Madapkmp.exe 34 PID 1932 wrote to memory of 2260 1932 Madapkmp.exe 34 PID 1932 wrote to memory of 2260 1932 Madapkmp.exe 34 PID 2260 wrote to memory of 2916 2260 Mohbip32.exe 35 PID 2260 wrote to memory of 2916 2260 Mohbip32.exe 35 PID 2260 wrote to memory of 2916 2260 Mohbip32.exe 35 PID 2260 wrote to memory of 2916 2260 Mohbip32.exe 35 PID 2916 wrote to memory of 2352 2916 Mhqfbebj.exe 36 PID 2916 wrote to memory of 2352 2916 Mhqfbebj.exe 36 PID 2916 wrote to memory of 2352 2916 Mhqfbebj.exe 36 PID 2916 wrote to memory of 2352 2916 Mhqfbebj.exe 36 PID 2352 wrote to memory of 952 2352 Nnnojlpa.exe 37 PID 2352 wrote to memory of 952 2352 Nnnojlpa.exe 37 PID 2352 wrote to memory of 952 2352 Nnnojlpa.exe 37 PID 2352 wrote to memory of 952 2352 Nnnojlpa.exe 37 PID 952 wrote to memory of 1908 952 Ncjgbcoi.exe 38 PID 952 wrote to memory of 1908 952 Ncjgbcoi.exe 38 PID 952 wrote to memory of 1908 952 Ncjgbcoi.exe 38 PID 952 wrote to memory of 1908 952 Ncjgbcoi.exe 38 PID 1908 wrote to memory of 2012 1908 Nnplpl32.exe 39 PID 1908 wrote to memory of 2012 1908 Nnplpl32.exe 39 PID 1908 wrote to memory of 2012 1908 Nnplpl32.exe 39 PID 1908 wrote to memory of 2012 1908 Nnplpl32.exe 39 PID 2012 wrote to memory of 1952 2012 Nghphaeo.exe 40 PID 2012 wrote to memory of 1952 2012 Nghphaeo.exe 40 PID 2012 wrote to memory of 1952 2012 Nghphaeo.exe 40 PID 2012 wrote to memory of 1952 2012 Nghphaeo.exe 40 PID 1952 wrote to memory of 2244 1952 Njgldmdc.exe 41 PID 1952 wrote to memory of 2244 1952 Njgldmdc.exe 41 PID 1952 wrote to memory of 2244 1952 Njgldmdc.exe 41 PID 1952 wrote to memory of 2244 1952 Njgldmdc.exe 41 PID 2244 wrote to memory of 3012 2244 Njiijlbp.exe 42 PID 2244 wrote to memory of 3012 2244 Njiijlbp.exe 42 PID 2244 wrote to memory of 3012 2244 Njiijlbp.exe 42 PID 2244 wrote to memory of 3012 2244 Njiijlbp.exe 42 PID 3012 wrote to memory of 2444 3012 Nbdnoo32.exe 43 PID 3012 wrote to memory of 2444 3012 Nbdnoo32.exe 43 PID 3012 wrote to memory of 2444 3012 Nbdnoo32.exe 43 PID 3012 wrote to memory of 2444 3012 Nbdnoo32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\2e2768598788386890df4b7524f2d51853f8ccf19a0eebaf19acd139874f135d.exe"C:\Users\Admin\AppData\Local\Temp\2e2768598788386890df4b7524f2d51853f8ccf19a0eebaf19acd139874f135d.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2444 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:592 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1916 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2036 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:448 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:900 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:268 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:328 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1304 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2544 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe34⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe36⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe37⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1888 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1032 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe41⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe42⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1116 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe45⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1524 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1640 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe50⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe51⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2304 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe53⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe55⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe56⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe57⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe59⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe60⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe61⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe62⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe64⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1252 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe66⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe67⤵PID:1164
-
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe68⤵
- Drops file in System32 directory
PID:1264 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe69⤵PID:584
-
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe70⤵
- Drops file in System32 directory
PID:3044 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe71⤵
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe72⤵PID:2164
-
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe73⤵PID:1720
-
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe74⤵PID:2736
-
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe75⤵PID:2128
-
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe76⤵
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe77⤵
- Drops file in System32 directory
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2868 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe79⤵PID:936
-
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe80⤵PID:2888
-
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe81⤵PID:1424
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe82⤵
- Modifies registry class
PID:1016 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe83⤵PID:1832
-
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe84⤵PID:2088
-
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe85⤵PID:2312
-
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe86⤵
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2740 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe88⤵
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe89⤵
- Drops file in System32 directory
PID:2708 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe90⤵PID:2928
-
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe91⤵PID:3060
-
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:316 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe94⤵PID:1596
-
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe95⤵PID:3008
-
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe96⤵PID:2636
-
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1136 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe98⤵PID:1936
-
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe99⤵PID:3032
-
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1768 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe101⤵
- Modifies registry class
PID:492 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe102⤵
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe103⤵
- Drops file in System32 directory
PID:2548 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe104⤵PID:2652
-
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe105⤵PID:1664
-
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe106⤵
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe107⤵
- Drops file in System32 directory
PID:1076 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe108⤵
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe109⤵PID:536
-
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe110⤵PID:1040
-
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe111⤵PID:2296
-
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe112⤵
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe113⤵PID:2684
-
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe114⤵PID:2272
-
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe115⤵PID:1120
-
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe116⤵PID:2528
-
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe117⤵PID:1292
-
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe118⤵PID:1532
-
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe119⤵PID:1384
-
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe120⤵PID:2064
-
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe121⤵PID:2052
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-