Analysis
-
max time kernel
133s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
03-07-2024 11:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
46f7314ee63702f5252b74662cdaef1d50e2708200f6ae9e88c12ff758002c95.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
46f7314ee63702f5252b74662cdaef1d50e2708200f6ae9e88c12ff758002c95.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
46f7314ee63702f5252b74662cdaef1d50e2708200f6ae9e88c12ff758002c95.exe
-
Size
90KB
-
MD5
b5bd128d065b42ec80c27f08b6a46050
-
SHA1
48096b7ffb671a05029b41465eb81eec16aabee8
-
SHA256
46f7314ee63702f5252b74662cdaef1d50e2708200f6ae9e88c12ff758002c95
-
SHA512
0fe2ec803f746b7b4bad9fd7b99c77db164e946b8eb90e3b83df09c915e44a779fd266378a69ed7de1d73d700f99d24865f31b645c72b2c9c4db08fdaed29eb2
-
SSDEEP
1536:1zExx0Y4dwKDZywfdfXwU38OXrRxwSMGMu/Ub0VkVNK:1zExxV4dwKDBBJVXVQGMu/Ub0+NK
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Palbgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Addaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hedafk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nagiji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojomcopk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfkbfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oodcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdbpgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhnojl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppgomnai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Maiccajf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aogiap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnkbcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgmdec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnnccl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkjiao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gimqajgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aoioli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geanfelc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aidehpea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdhbmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ondljl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kggcnoic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nccokk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cohkokgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmojkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gimqajgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kodnmkap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ombcji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kplmliko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Banjnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdhffg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgklmacf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmfhkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgjijmin.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loighj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqfpckhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phajna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Coegoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdlkdhnk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fndpmndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbebbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pciqnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Albpkc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eofgpikj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipgbdbqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcgpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekjded32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hppeim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omopjcjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndflak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocaebc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fniihmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fnkfmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcapicdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Poimpapp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hicpgc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibcjqgnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccmcgcmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgepom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alpbecod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfcnpn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqkiok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afbgkl32.exe -
Executes dropped EXE 64 IoCs
pid Process 1528 Icdheded.exe 3948 Ikkpgafg.exe 1920 Ilmmni32.exe 1616 Icfekc32.exe 3620 Ijqmhnko.exe 2876 Inlihl32.exe 3100 Iciaqc32.exe 3956 Ijcjmmil.exe 1420 Idhnkf32.exe 4868 Ikbfgppo.exe 3864 Ilccoh32.exe 4508 Icnklbmj.exe 5044 Ikdcmpnl.exe 2540 Jlfpdh32.exe 3400 Jdmgfedl.exe 4608 Jjjpnlbd.exe 2396 Jlhljhbg.exe 2964 Jgnqgqan.exe 3312 Jjlmclqa.exe 684 Jdaaaeqg.exe 432 Jgpmmp32.exe 3264 Jnjejjgh.exe 3724 Jddnfd32.exe 2264 Jgbjbp32.exe 1292 Jnlbojee.exe 4628 Kkpbin32.exe 1652 Knooej32.exe 4616 Kggcnoic.exe 2248 Kjepjkhf.exe 1168 Kgipcogp.exe 1348 Kmfhkf32.exe 2164 Kglmio32.exe 1360 Knfeeimj.exe 1176 Kgninn32.exe 4536 Kmkbfeab.exe 2784 Lgqfdnah.exe 636 Lklbdm32.exe 864 Lqikmc32.exe 3372 Lnmkfh32.exe 2832 Lgepom32.exe 1144 Lclpdncg.exe 1568 Lmdemd32.exe 2324 Lgjijmin.exe 4688 Lqbncb32.exe 4240 Mnfnlf32.exe 2916 Mminhceb.exe 3164 Mkjnfkma.exe 1044 Maggnali.exe 3292 Mcecjmkl.exe 2824 Mnkggfkb.exe 1716 Maiccajf.exe 3332 Mgclpkac.exe 4580 Mjahlgpf.exe 4872 Mmpdhboj.exe 4008 Mcjmel32.exe 2160 Mjdebfnd.exe 2136 Meiioonj.exe 4520 Nghekkmn.exe 4044 Nnbnhedj.exe 4092 Ngjbaj32.exe 1820 Nndjndbh.exe 2000 Nenbjo32.exe 4456 Ncabfkqo.exe 2588 Nnfgcd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Oifppdpd.exe Ofgdcipq.exe File opened for modification C:\Windows\SysWOW64\Hejqldci.exe Hnphoj32.exe File created C:\Windows\SysWOW64\Pfiddm32.exe Phfcipoo.exe File opened for modification C:\Windows\SysWOW64\Bgpcliao.exe Bhmbqm32.exe File created C:\Windows\SysWOW64\Eegcnaoo.dll Ehpadhll.exe File opened for modification C:\Windows\SysWOW64\Ipbaol32.exe Ihkjno32.exe File created C:\Windows\SysWOW64\Gaakdpkj.dll Odjeljhd.exe File created C:\Windows\SysWOW64\Aahbbkaq.exe Alkijdci.exe File created C:\Windows\SysWOW64\Jponoqjl.dll Pmlfqh32.exe File created C:\Windows\SysWOW64\Libmeq32.dll Gkdpbpih.exe File created C:\Windows\SysWOW64\Lodabb32.dll Oifppdpd.exe File opened for modification C:\Windows\SysWOW64\Kflide32.exe Kpoalo32.exe File created C:\Windows\SysWOW64\Qmeigg32.exe Qjfmkk32.exe File created C:\Windows\SysWOW64\Feenjgfq.exe Fnkfmm32.exe File opened for modification C:\Windows\SysWOW64\Kifojnol.exe Kekbjo32.exe File created C:\Windows\SysWOW64\Leeigm32.dll Qfmfefni.exe File created C:\Windows\SysWOW64\Nccokk32.exe Neqopnhb.exe File opened for modification C:\Windows\SysWOW64\Eohmkb32.exe Egaejeej.exe File created C:\Windows\SysWOW64\Fohfbpgi.exe Fganqbgg.exe File opened for modification C:\Windows\SysWOW64\Lcnfohmi.exe Lqojclne.exe File created C:\Windows\SysWOW64\Mnfgko32.dll Lhnhajba.exe File created C:\Windows\SysWOW64\Fqgedh32.exe Fniihmpf.exe File created C:\Windows\SysWOW64\Jldbpl32.exe Jekjcaef.exe File opened for modification C:\Windows\SysWOW64\Nfihbk32.exe Nckkfp32.exe File opened for modification C:\Windows\SysWOW64\Diqnjl32.exe Dcffnbee.exe File created C:\Windows\SysWOW64\Ggiabl32.dll Mnfnlf32.exe File opened for modification C:\Windows\SysWOW64\Okkdic32.exe Odalmibl.exe File created C:\Windows\SysWOW64\Mjaonjaj.dll Ebkbbmqj.exe File created C:\Windows\SysWOW64\Mjcngpjh.exe Mgeakekd.exe File created C:\Windows\SysWOW64\Pmdpecjm.dll Ijqmhnko.exe File created C:\Windows\SysWOW64\Bkobmnka.exe Bhpfqcln.exe File created C:\Windows\SysWOW64\Mfcjqc32.dll Knnhjcog.exe File created C:\Windows\SysWOW64\Lihcbd32.dll Ocgbld32.exe File created C:\Windows\SysWOW64\Ibqnkh32.exe Ipbaol32.exe File created C:\Windows\SysWOW64\Mgmqkimh.dll Bdlfjh32.exe File created C:\Windows\SysWOW64\Lplfcf32.exe Ljbnfleo.exe File created C:\Windows\SysWOW64\Nbphglbe.exe Nqoloc32.exe File created C:\Windows\SysWOW64\Keldkigj.dll Oanfen32.exe File opened for modification C:\Windows\SysWOW64\Ihmfco32.exe Ieojgc32.exe File created C:\Windows\SysWOW64\Eciqfjec.dll Ieojgc32.exe File created C:\Windows\SysWOW64\Cfidbo32.dll Iomoenej.exe File created C:\Windows\SysWOW64\Cedckdaj.dll Pnfiplog.exe File created C:\Windows\SysWOW64\Gabmaqlh.dll Odoogi32.exe File opened for modification C:\Windows\SysWOW64\Bkibgh32.exe Bgnffj32.exe File opened for modification C:\Windows\SysWOW64\Cdimqm32.exe Bajqda32.exe File created C:\Windows\SysWOW64\Dpagekkf.dll Ciihjmcj.exe File created C:\Windows\SysWOW64\Odoogi32.exe Omegjomb.exe File opened for modification C:\Windows\SysWOW64\Eehicoel.exe Efeihb32.exe File created C:\Windows\SysWOW64\Doccpcja.exe Dglkoeio.exe File created C:\Windows\SysWOW64\Ojdnid32.exe Odjeljhd.exe File created C:\Windows\SysWOW64\Ipbehfom.dll Ljnlecmp.exe File opened for modification C:\Windows\SysWOW64\Chlflabp.exe Cfnjpfcl.exe File created C:\Windows\SysWOW64\Mpkcqhdh.dll Doccpcja.exe File created C:\Windows\SysWOW64\Bdepoj32.dll Ebifmm32.exe File created C:\Windows\SysWOW64\Kofljo32.dll Nckkfp32.exe File opened for modification C:\Windows\SysWOW64\Klahfp32.exe Knnhjcog.exe File created C:\Windows\SysWOW64\Ppolhcnm.exe Pmpolgoi.exe File opened for modification C:\Windows\SysWOW64\Apmhiq32.exe Aajhndkb.exe File created C:\Windows\SysWOW64\Akcaoeoo.dll Enkdaepb.exe File created C:\Windows\SysWOW64\Bjqlnnkp.dll Emhkdmlg.exe File created C:\Windows\SysWOW64\Ekdnei32.exe Eifaim32.exe File created C:\Windows\SysWOW64\Ieidhh32.exe Ickglm32.exe File created C:\Windows\SysWOW64\Nmfcok32.exe Njhgbp32.exe File created C:\Windows\SysWOW64\Aajhndkb.exe Ahaceo32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 15996 15920 WerFault.exe 804 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icnklbmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbnmke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kghfphob.dll" Ipoheakj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkngke32.dll" Jmbhoeid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipecicga.dll" Bfolacnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dooaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbeejp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mqfpckhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdimqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cepjip32.dll" Dahmfpap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qcnjijoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jdmgfedl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnlkedai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bpdnjple.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lakfeodm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdcmkgmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncqlkemc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eomffaag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ieccbbkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kcapicdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phigif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cajdjn32.dll" Kjeiodek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncchae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fckjejfe.dll" Gpmomo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Geanfelc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihpcinld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iefphb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmhbqbae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Impliekg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejqna32.dll" Ofgdcipq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfnikd32.dll" Lcgpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dglkoeio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qfmfefni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkefnho.dll" Nmlddqem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njhgbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cagdge32.dll" Egened32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobmce32.dll" Feqeog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlmchoan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nmnqjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjkfjbc.dll" Ojdnid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llodgnja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehlhih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Galoohke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhckcgpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oophlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keldkigj.dll" Oanfen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Enpmld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fiaael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcfidb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjoppf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dooaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fligqhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kflide32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mnfnlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ilnbicff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgamhc32.dll" Dbocfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eglfjicq.dll" Fohfbpgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljbnfleo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igkilc32.dll" Nbphglbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edgbii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pakdbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Angdnk32.dll" Dmohno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iefeek32.dll" Iibccgep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojajin32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3276 wrote to memory of 1528 3276 46f7314ee63702f5252b74662cdaef1d50e2708200f6ae9e88c12ff758002c95.exe 88 PID 3276 wrote to memory of 1528 3276 46f7314ee63702f5252b74662cdaef1d50e2708200f6ae9e88c12ff758002c95.exe 88 PID 3276 wrote to memory of 1528 3276 46f7314ee63702f5252b74662cdaef1d50e2708200f6ae9e88c12ff758002c95.exe 88 PID 1528 wrote to memory of 3948 1528 Icdheded.exe 89 PID 1528 wrote to memory of 3948 1528 Icdheded.exe 89 PID 1528 wrote to memory of 3948 1528 Icdheded.exe 89 PID 3948 wrote to memory of 1920 3948 Ikkpgafg.exe 90 PID 3948 wrote to memory of 1920 3948 Ikkpgafg.exe 90 PID 3948 wrote to memory of 1920 3948 Ikkpgafg.exe 90 PID 1920 wrote to memory of 1616 1920 Ilmmni32.exe 91 PID 1920 wrote to memory of 1616 1920 Ilmmni32.exe 91 PID 1920 wrote to memory of 1616 1920 Ilmmni32.exe 91 PID 1616 wrote to memory of 3620 1616 Icfekc32.exe 92 PID 1616 wrote to memory of 3620 1616 Icfekc32.exe 92 PID 1616 wrote to memory of 3620 1616 Icfekc32.exe 92 PID 3620 wrote to memory of 2876 3620 Ijqmhnko.exe 93 PID 3620 wrote to memory of 2876 3620 Ijqmhnko.exe 93 PID 3620 wrote to memory of 2876 3620 Ijqmhnko.exe 93 PID 2876 wrote to memory of 3100 2876 Inlihl32.exe 94 PID 2876 wrote to memory of 3100 2876 Inlihl32.exe 94 PID 2876 wrote to memory of 3100 2876 Inlihl32.exe 94 PID 3100 wrote to memory of 3956 3100 Iciaqc32.exe 95 PID 3100 wrote to memory of 3956 3100 Iciaqc32.exe 95 PID 3100 wrote to memory of 3956 3100 Iciaqc32.exe 95 PID 3956 wrote to memory of 1420 3956 Ijcjmmil.exe 96 PID 3956 wrote to memory of 1420 3956 Ijcjmmil.exe 96 PID 3956 wrote to memory of 1420 3956 Ijcjmmil.exe 96 PID 1420 wrote to memory of 4868 1420 Idhnkf32.exe 97 PID 1420 wrote to memory of 4868 1420 Idhnkf32.exe 97 PID 1420 wrote to memory of 4868 1420 Idhnkf32.exe 97 PID 4868 wrote to memory of 3864 4868 Ikbfgppo.exe 98 PID 4868 wrote to memory of 3864 4868 Ikbfgppo.exe 98 PID 4868 wrote to memory of 3864 4868 Ikbfgppo.exe 98 PID 3864 wrote to memory of 4508 3864 Ilccoh32.exe 99 PID 3864 wrote to memory of 4508 3864 Ilccoh32.exe 99 PID 3864 wrote to memory of 4508 3864 Ilccoh32.exe 99 PID 4508 wrote to memory of 5044 4508 Icnklbmj.exe 100 PID 4508 wrote to memory of 5044 4508 Icnklbmj.exe 100 PID 4508 wrote to memory of 5044 4508 Icnklbmj.exe 100 PID 5044 wrote to memory of 2540 5044 Ikdcmpnl.exe 101 PID 5044 wrote to memory of 2540 5044 Ikdcmpnl.exe 101 PID 5044 wrote to memory of 2540 5044 Ikdcmpnl.exe 101 PID 2540 wrote to memory of 3400 2540 Jlfpdh32.exe 102 PID 2540 wrote to memory of 3400 2540 Jlfpdh32.exe 102 PID 2540 wrote to memory of 3400 2540 Jlfpdh32.exe 102 PID 3400 wrote to memory of 4608 3400 Jdmgfedl.exe 103 PID 3400 wrote to memory of 4608 3400 Jdmgfedl.exe 103 PID 3400 wrote to memory of 4608 3400 Jdmgfedl.exe 103 PID 4608 wrote to memory of 2396 4608 Jjjpnlbd.exe 104 PID 4608 wrote to memory of 2396 4608 Jjjpnlbd.exe 104 PID 4608 wrote to memory of 2396 4608 Jjjpnlbd.exe 104 PID 2396 wrote to memory of 2964 2396 Jlhljhbg.exe 105 PID 2396 wrote to memory of 2964 2396 Jlhljhbg.exe 105 PID 2396 wrote to memory of 2964 2396 Jlhljhbg.exe 105 PID 2964 wrote to memory of 3312 2964 Jgnqgqan.exe 106 PID 2964 wrote to memory of 3312 2964 Jgnqgqan.exe 106 PID 2964 wrote to memory of 3312 2964 Jgnqgqan.exe 106 PID 3312 wrote to memory of 684 3312 Jjlmclqa.exe 107 PID 3312 wrote to memory of 684 3312 Jjlmclqa.exe 107 PID 3312 wrote to memory of 684 3312 Jjlmclqa.exe 107 PID 684 wrote to memory of 432 684 Jdaaaeqg.exe 108 PID 684 wrote to memory of 432 684 Jdaaaeqg.exe 108 PID 684 wrote to memory of 432 684 Jdaaaeqg.exe 108 PID 432 wrote to memory of 3264 432 Jgpmmp32.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\46f7314ee63702f5252b74662cdaef1d50e2708200f6ae9e88c12ff758002c95.exe"C:\Users\Admin\AppData\Local\Temp\46f7314ee63702f5252b74662cdaef1d50e2708200f6ae9e88c12ff758002c95.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Windows\SysWOW64\Icdheded.exeC:\Windows\system32\Icdheded.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Ikkpgafg.exeC:\Windows\system32\Ikkpgafg.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\Ilmmni32.exeC:\Windows\system32\Ilmmni32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Icfekc32.exeC:\Windows\system32\Icfekc32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Ijqmhnko.exeC:\Windows\system32\Ijqmhnko.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\SysWOW64\Inlihl32.exeC:\Windows\system32\Inlihl32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Iciaqc32.exeC:\Windows\system32\Iciaqc32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Windows\SysWOW64\Ijcjmmil.exeC:\Windows\system32\Ijcjmmil.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\SysWOW64\Idhnkf32.exeC:\Windows\system32\Idhnkf32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\Ikbfgppo.exeC:\Windows\system32\Ikbfgppo.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\SysWOW64\Ilccoh32.exeC:\Windows\system32\Ilccoh32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Windows\SysWOW64\Icnklbmj.exeC:\Windows\system32\Icnklbmj.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Windows\SysWOW64\Ikdcmpnl.exeC:\Windows\system32\Ikdcmpnl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Jlfpdh32.exeC:\Windows\system32\Jlfpdh32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Jdmgfedl.exeC:\Windows\system32\Jdmgfedl.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3400 -
C:\Windows\SysWOW64\Jjjpnlbd.exeC:\Windows\system32\Jjjpnlbd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\Jlhljhbg.exeC:\Windows\system32\Jlhljhbg.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Jgnqgqan.exeC:\Windows\system32\Jgnqgqan.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Jjlmclqa.exeC:\Windows\system32\Jjlmclqa.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Windows\SysWOW64\Jdaaaeqg.exeC:\Windows\system32\Jdaaaeqg.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:684 -
C:\Windows\SysWOW64\Jgpmmp32.exeC:\Windows\system32\Jgpmmp32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\Jnjejjgh.exeC:\Windows\system32\Jnjejjgh.exe23⤵
- Executes dropped EXE
PID:3264 -
C:\Windows\SysWOW64\Jddnfd32.exeC:\Windows\system32\Jddnfd32.exe24⤵
- Executes dropped EXE
PID:3724 -
C:\Windows\SysWOW64\Jgbjbp32.exeC:\Windows\system32\Jgbjbp32.exe25⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Jnlbojee.exeC:\Windows\system32\Jnlbojee.exe26⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Kkpbin32.exeC:\Windows\system32\Kkpbin32.exe27⤵
- Executes dropped EXE
PID:4628 -
C:\Windows\SysWOW64\Knooej32.exeC:\Windows\system32\Knooej32.exe28⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Kggcnoic.exeC:\Windows\system32\Kggcnoic.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\Kjepjkhf.exeC:\Windows\system32\Kjepjkhf.exe30⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Kgipcogp.exeC:\Windows\system32\Kgipcogp.exe31⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Kmfhkf32.exeC:\Windows\system32\Kmfhkf32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Kglmio32.exeC:\Windows\system32\Kglmio32.exe33⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Knfeeimj.exeC:\Windows\system32\Knfeeimj.exe34⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Kgninn32.exeC:\Windows\system32\Kgninn32.exe35⤵
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Kmkbfeab.exeC:\Windows\system32\Kmkbfeab.exe36⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Lgqfdnah.exeC:\Windows\system32\Lgqfdnah.exe37⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Lklbdm32.exeC:\Windows\system32\Lklbdm32.exe38⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Lqikmc32.exeC:\Windows\system32\Lqikmc32.exe39⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Lnmkfh32.exeC:\Windows\system32\Lnmkfh32.exe40⤵
- Executes dropped EXE
PID:3372 -
C:\Windows\SysWOW64\Lgepom32.exeC:\Windows\system32\Lgepom32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Lclpdncg.exeC:\Windows\system32\Lclpdncg.exe42⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Lmdemd32.exeC:\Windows\system32\Lmdemd32.exe43⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Lgjijmin.exeC:\Windows\system32\Lgjijmin.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Lqbncb32.exeC:\Windows\system32\Lqbncb32.exe45⤵
- Executes dropped EXE
PID:4688 -
C:\Windows\SysWOW64\Mnfnlf32.exeC:\Windows\system32\Mnfnlf32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4240 -
C:\Windows\SysWOW64\Mminhceb.exeC:\Windows\system32\Mminhceb.exe47⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Mkjnfkma.exeC:\Windows\system32\Mkjnfkma.exe48⤵
- Executes dropped EXE
PID:3164 -
C:\Windows\SysWOW64\Maggnali.exeC:\Windows\system32\Maggnali.exe49⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Mcecjmkl.exeC:\Windows\system32\Mcecjmkl.exe50⤵
- Executes dropped EXE
PID:3292 -
C:\Windows\SysWOW64\Mnkggfkb.exeC:\Windows\system32\Mnkggfkb.exe51⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Maiccajf.exeC:\Windows\system32\Maiccajf.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Mgclpkac.exeC:\Windows\system32\Mgclpkac.exe53⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Mjahlgpf.exeC:\Windows\system32\Mjahlgpf.exe54⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Mmpdhboj.exeC:\Windows\system32\Mmpdhboj.exe55⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Mcjmel32.exeC:\Windows\system32\Mcjmel32.exe56⤵
- Executes dropped EXE
PID:4008 -
C:\Windows\SysWOW64\Mjdebfnd.exeC:\Windows\system32\Mjdebfnd.exe57⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Meiioonj.exeC:\Windows\system32\Meiioonj.exe58⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Nghekkmn.exeC:\Windows\system32\Nghekkmn.exe59⤵
- Executes dropped EXE
PID:4520 -
C:\Windows\SysWOW64\Nnbnhedj.exeC:\Windows\system32\Nnbnhedj.exe60⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Ngjbaj32.exeC:\Windows\system32\Ngjbaj32.exe61⤵
- Executes dropped EXE
PID:4092 -
C:\Windows\SysWOW64\Nndjndbh.exeC:\Windows\system32\Nndjndbh.exe62⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Nenbjo32.exeC:\Windows\system32\Nenbjo32.exe63⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Ncabfkqo.exeC:\Windows\system32\Ncabfkqo.exe64⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Nnfgcd32.exeC:\Windows\system32\Nnfgcd32.exe65⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Neqopnhb.exeC:\Windows\system32\Neqopnhb.exe66⤵
- Drops file in System32 directory
PID:4924 -
C:\Windows\SysWOW64\Nccokk32.exeC:\Windows\system32\Nccokk32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3092 -
C:\Windows\SysWOW64\Nmlddqem.exeC:\Windows\system32\Nmlddqem.exe68⤵
- Modifies registry class
PID:4984 -
C:\Windows\SysWOW64\Ndflak32.exeC:\Windows\system32\Ndflak32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3300 -
C:\Windows\SysWOW64\Njpdnedf.exeC:\Windows\system32\Njpdnedf.exe70⤵PID:3932
-
C:\Windows\SysWOW64\Nmnqjp32.exeC:\Windows\system32\Nmnqjp32.exe71⤵
- Modifies registry class
PID:3368 -
C:\Windows\SysWOW64\Oeehkn32.exeC:\Windows\system32\Oeehkn32.exe72⤵PID:384
-
C:\Windows\SysWOW64\Ojbacd32.exeC:\Windows\system32\Ojbacd32.exe73⤵PID:536
-
C:\Windows\SysWOW64\Oalipoiq.exeC:\Windows\system32\Oalipoiq.exe74⤵PID:2392
-
C:\Windows\SysWOW64\Odjeljhd.exeC:\Windows\system32\Odjeljhd.exe75⤵
- Drops file in System32 directory
PID:1408 -
C:\Windows\SysWOW64\Ojdnid32.exeC:\Windows\system32\Ojdnid32.exe76⤵
- Modifies registry class
PID:1864 -
C:\Windows\SysWOW64\Oanfen32.exeC:\Windows\system32\Oanfen32.exe77⤵
- Drops file in System32 directory
- Modifies registry class
PID:4576 -
C:\Windows\SysWOW64\Ojgjndno.exeC:\Windows\system32\Ojgjndno.exe78⤵PID:4700
-
C:\Windows\SysWOW64\Omegjomb.exeC:\Windows\system32\Omegjomb.exe79⤵
- Drops file in System32 directory
PID:2088 -
C:\Windows\SysWOW64\Odoogi32.exeC:\Windows\system32\Odoogi32.exe80⤵
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Oodcdb32.exeC:\Windows\system32\Oodcdb32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3888 -
C:\Windows\SysWOW64\Odalmibl.exeC:\Windows\system32\Odalmibl.exe82⤵
- Drops file in System32 directory
PID:3876 -
C:\Windows\SysWOW64\Okkdic32.exeC:\Windows\system32\Okkdic32.exe83⤵PID:2472
-
C:\Windows\SysWOW64\Omjpeo32.exeC:\Windows\system32\Omjpeo32.exe84⤵PID:2552
-
C:\Windows\SysWOW64\Phodcg32.exeC:\Windows\system32\Phodcg32.exe85⤵PID:5164
-
C:\Windows\SysWOW64\Poimpapp.exeC:\Windows\system32\Poimpapp.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5208 -
C:\Windows\SysWOW64\Pecellgl.exeC:\Windows\system32\Pecellgl.exe87⤵PID:5268
-
C:\Windows\SysWOW64\Phaahggp.exeC:\Windows\system32\Phaahggp.exe88⤵PID:5312
-
C:\Windows\SysWOW64\Poliea32.exeC:\Windows\system32\Poliea32.exe89⤵PID:5356
-
C:\Windows\SysWOW64\Pdhbmh32.exeC:\Windows\system32\Pdhbmh32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5400 -
C:\Windows\SysWOW64\Phdnngdn.exeC:\Windows\system32\Phdnngdn.exe91⤵PID:5444
-
C:\Windows\SysWOW64\Palbgl32.exeC:\Windows\system32\Palbgl32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5488 -
C:\Windows\SysWOW64\Phfjcf32.exeC:\Windows\system32\Phfjcf32.exe93⤵PID:5532
-
C:\Windows\SysWOW64\Pkegpb32.exeC:\Windows\system32\Pkegpb32.exe94⤵PID:5576
-
C:\Windows\SysWOW64\Phigif32.exeC:\Windows\system32\Phigif32.exe95⤵
- Modifies registry class
PID:5620 -
C:\Windows\SysWOW64\Pkgcea32.exeC:\Windows\system32\Pkgcea32.exe96⤵PID:5664
-
C:\Windows\SysWOW64\Qaalblgi.exeC:\Windows\system32\Qaalblgi.exe97⤵PID:5712
-
C:\Windows\SysWOW64\Qdphngfl.exeC:\Windows\system32\Qdphngfl.exe98⤵PID:5756
-
C:\Windows\SysWOW64\Qkipkani.exeC:\Windows\system32\Qkipkani.exe99⤵PID:5800
-
C:\Windows\SysWOW64\Qachgk32.exeC:\Windows\system32\Qachgk32.exe100⤵PID:5844
-
C:\Windows\SysWOW64\Aogiap32.exeC:\Windows\system32\Aogiap32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5888 -
C:\Windows\SysWOW64\Aafemk32.exeC:\Windows\system32\Aafemk32.exe102⤵PID:5932
-
C:\Windows\SysWOW64\Addaif32.exeC:\Windows\system32\Addaif32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5972 -
C:\Windows\SysWOW64\Alkijdci.exeC:\Windows\system32\Alkijdci.exe104⤵
- Drops file in System32 directory
PID:6020 -
C:\Windows\SysWOW64\Aahbbkaq.exeC:\Windows\system32\Aahbbkaq.exe105⤵PID:6060
-
C:\Windows\SysWOW64\Ahbjoe32.exeC:\Windows\system32\Ahbjoe32.exe106⤵PID:6104
-
C:\Windows\SysWOW64\Aolblopj.exeC:\Windows\system32\Aolblopj.exe107⤵PID:2376
-
C:\Windows\SysWOW64\Aajohjon.exeC:\Windows\system32\Aajohjon.exe108⤵PID:5188
-
C:\Windows\SysWOW64\Adikdfna.exeC:\Windows\system32\Adikdfna.exe109⤵PID:5248
-
C:\Windows\SysWOW64\Alpbecod.exeC:\Windows\system32\Alpbecod.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5348 -
C:\Windows\SysWOW64\Aonoao32.exeC:\Windows\system32\Aonoao32.exe111⤵PID:5376
-
C:\Windows\SysWOW64\Anaomkdb.exeC:\Windows\system32\Anaomkdb.exe112⤵PID:5452
-
C:\Windows\SysWOW64\Adkgje32.exeC:\Windows\system32\Adkgje32.exe113⤵PID:5520
-
C:\Windows\SysWOW64\Albpkc32.exeC:\Windows\system32\Albpkc32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5560 -
C:\Windows\SysWOW64\Anclbkbp.exeC:\Windows\system32\Anclbkbp.exe115⤵PID:5660
-
C:\Windows\SysWOW64\Alelqb32.exeC:\Windows\system32\Alelqb32.exe116⤵PID:5736
-
C:\Windows\SysWOW64\Bochmn32.exeC:\Windows\system32\Bochmn32.exe117⤵PID:5780
-
C:\Windows\SysWOW64\Baadiiif.exeC:\Windows\system32\Baadiiif.exe118⤵PID:5828
-
C:\Windows\SysWOW64\Bdpaeehj.exeC:\Windows\system32\Bdpaeehj.exe119⤵PID:5920
-
C:\Windows\SysWOW64\Bkjiao32.exeC:\Windows\system32\Bkjiao32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6016 -
C:\Windows\SysWOW64\Badanigc.exeC:\Windows\system32\Badanigc.exe121⤵PID:6044
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-