Analysis
-
max time kernel
119s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
07-07-2024 00:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9327132051c076ebf625c6ffb9e07a44aacebac594217154b0a02377322e49e4.exe
Resource
win7-20240705-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
9327132051c076ebf625c6ffb9e07a44aacebac594217154b0a02377322e49e4.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
9327132051c076ebf625c6ffb9e07a44aacebac594217154b0a02377322e49e4.exe
-
Size
89KB
-
MD5
9c3af1ec7110931e7ef513f129e0da1a
-
SHA1
46be760a4b80df49a981acb8fcb64bd1656fe485
-
SHA256
9327132051c076ebf625c6ffb9e07a44aacebac594217154b0a02377322e49e4
-
SHA512
338a16238b149e3166f4b70445ad63f47575bf35610c4035ee93b50e74cb3ddeb6fcfc4dfef453f27edf39395d39e0ad5e40f24b9cdbfff0198b07392846c288
-
SSDEEP
1536:LulfLwwCxk0rVszKTvAKD9yc1dkGoYu0sf5LTygh8RQ+D68a+VMKKTRVGFtUhQf1:CpMxlpaKTvAKoGnlm7Oe3r4MKy3G7UEb
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgoboc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Anjlebjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djgkii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Golbnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkpqlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bnapnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddblgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odmckcmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ccdmnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baefnmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eafkhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppfomk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aggiigmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lfoojj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dklddhka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emifeqid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipomlm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfpibn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbjpom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hfpfdeon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jacfidem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojglhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bdfooh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkoicb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nknimnap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nflchkii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiaoclgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cnnnnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kffldlne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haqnea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lnjldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Afliclij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fglfgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adfqgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojomdoof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cgoelh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gqaafn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfieigio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bfabnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnnnnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpkompgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iamdkfnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkpglbaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjkndb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hgkfal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmflee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lcaiiejc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfdopp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ghibjjnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jieaofmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqmnjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Emdmjamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Feggob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kigndekn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghdiokbq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okpcoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Behilopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhgppnan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgbaml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnapnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljkaeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Omqlpp32.exe -
Executes dropped EXE 64 IoCs
pid Process 1996 Kfebambf.exe 2472 Kdhcli32.exe 2804 Khcomhbi.exe 2288 Kgfoie32.exe 2996 Lkakicam.exe 2744 Lblcfnhj.exe 2624 Lqncaj32.exe 2180 Ldjpbign.exe 1120 Lhelbh32.exe 596 Lghlndfa.exe 2908 Lnbdko32.exe 856 Lbnpkmfg.exe 1664 Ldllgiek.exe 2328 Ljieppcb.exe 2704 Lmgalkcf.exe 2708 Lqcmmjko.exe 3028 Lcaiiejc.exe 1872 Lfpeeqig.exe 2008 Ljkaeo32.exe 1780 Lmjnak32.exe 2476 Lohjnf32.exe 1960 Lgoboc32.exe 2284 Ljnnko32.exe 1784 Liqoflfh.exe 880 Lqhfhigj.exe 2808 Lcfbdd32.exe 2960 Mfdopp32.exe 1320 Micklk32.exe 2332 Mpmcielb.exe 2920 Miehak32.exe 376 Mkddnf32.exe 308 Mbnljqic.exe 2936 Melifl32.exe 2652 Mgjebg32.exe 2912 Macilmnk.exe 1972 Mjkndb32.exe 2320 Mjkndb32.exe 900 Mbbfep32.exe 2184 Meabakda.exe 584 Mhonngce.exe 1528 Mlkjne32.exe 352 Mnifja32.exe 932 Nmlgfnal.exe 1812 Nagbgl32.exe 3036 Ncfoch32.exe 1652 Nhakcfab.exe 2028 Njpgpbpf.exe 1936 Nnkcpq32.exe 2620 Najpll32.exe 680 Npmphinm.exe 2820 Ndhlhg32.exe 2588 Nhdhif32.exe 2204 Njbdea32.exe 560 Niedqnen.exe 2636 Nmqpam32.exe 2080 Nallalep.exe 1292 Npolmh32.exe 1824 Ndkhngdd.exe 2984 Nfidjbdg.exe 1680 Njdqka32.exe 1372 Nmcmgm32.exe 268 Nlfmbibo.exe 3012 Npaich32.exe 2572 Ndmecgba.exe -
Loads dropped DLL 64 IoCs
pid Process 2352 9327132051c076ebf625c6ffb9e07a44aacebac594217154b0a02377322e49e4.exe 2352 9327132051c076ebf625c6ffb9e07a44aacebac594217154b0a02377322e49e4.exe 1996 Kfebambf.exe 1996 Kfebambf.exe 2472 Kdhcli32.exe 2472 Kdhcli32.exe 2804 Khcomhbi.exe 2804 Khcomhbi.exe 2288 Kgfoie32.exe 2288 Kgfoie32.exe 2996 Lkakicam.exe 2996 Lkakicam.exe 2744 Lblcfnhj.exe 2744 Lblcfnhj.exe 2624 Lqncaj32.exe 2624 Lqncaj32.exe 2180 Ldjpbign.exe 2180 Ldjpbign.exe 1120 Lhelbh32.exe 1120 Lhelbh32.exe 596 Lghlndfa.exe 596 Lghlndfa.exe 2908 Lnbdko32.exe 2908 Lnbdko32.exe 856 Lbnpkmfg.exe 856 Lbnpkmfg.exe 1664 Ldllgiek.exe 1664 Ldllgiek.exe 2328 Ljieppcb.exe 2328 Ljieppcb.exe 2704 Lmgalkcf.exe 2704 Lmgalkcf.exe 2708 Lqcmmjko.exe 2708 Lqcmmjko.exe 3028 Lcaiiejc.exe 3028 Lcaiiejc.exe 1872 Lfpeeqig.exe 1872 Lfpeeqig.exe 2008 Ljkaeo32.exe 2008 Ljkaeo32.exe 1780 Lmjnak32.exe 1780 Lmjnak32.exe 2476 Lohjnf32.exe 2476 Lohjnf32.exe 1960 Lgoboc32.exe 1960 Lgoboc32.exe 2284 Ljnnko32.exe 2284 Ljnnko32.exe 1784 Liqoflfh.exe 1784 Liqoflfh.exe 880 Lqhfhigj.exe 880 Lqhfhigj.exe 2808 Lcfbdd32.exe 2808 Lcfbdd32.exe 2960 Mfdopp32.exe 2960 Mfdopp32.exe 1320 Micklk32.exe 1320 Micklk32.exe 2332 Mpmcielb.exe 2332 Mpmcielb.exe 2920 Miehak32.exe 2920 Miehak32.exe 376 Mkddnf32.exe 376 Mkddnf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cjgoje32.exe Bflbigdb.exe File created C:\Windows\SysWOW64\Acnenl32.dll Caifjn32.exe File created C:\Windows\SysWOW64\Igphon32.dll Ggagmjbq.exe File created C:\Windows\SysWOW64\Lgpdglhn.exe Ldahkaij.exe File opened for modification C:\Windows\SysWOW64\Khldkllj.exe Process not Found File created C:\Windows\SysWOW64\Kainfp32.dll Bcpgdhpp.exe File created C:\Windows\SysWOW64\Hkbdaaci.dll Hpbdmo32.exe File created C:\Windows\SysWOW64\Ghofam32.exe Fepjea32.exe File created C:\Windows\SysWOW64\Nmkplgnq.exe Nedhjj32.exe File opened for modification C:\Windows\SysWOW64\Fmnopp32.exe Feggob32.exe File created C:\Windows\SysWOW64\Bdmpfa32.dll Lcblan32.exe File created C:\Windows\SysWOW64\Pdfndl32.dll Giolnomh.exe File opened for modification C:\Windows\SysWOW64\Ooicid32.exe Olkfmi32.exe File created C:\Windows\SysWOW64\Ajgbkbjp.exe Aflfjc32.exe File created C:\Windows\SysWOW64\Cpmjhk32.exe Clbnhmjo.exe File created C:\Windows\SysWOW64\Fkbgckgd.exe Fnofjfhk.exe File opened for modification C:\Windows\SysWOW64\Mhcmedli.exe Mfeaiime.exe File created C:\Windows\SysWOW64\Aonalffc.dll Ikgkei32.exe File opened for modification C:\Windows\SysWOW64\Oopijc32.exe Okdmjdol.exe File created C:\Windows\SysWOW64\Oqbfik32.dll Ddfebnoo.exe File created C:\Windows\SysWOW64\Dafqii32.dll Oidiekdn.exe File created C:\Windows\SysWOW64\Eneegl32.dll Piliii32.exe File created C:\Windows\SysWOW64\Faibdo32.dll Hnkdnqhm.exe File created C:\Windows\SysWOW64\Qqfdfdee.dll Bgffhkoj.exe File opened for modification C:\Windows\SysWOW64\Lhiakf32.exe Lboiol32.exe File created C:\Windows\SysWOW64\Ojomdoof.exe Oaghki32.exe File opened for modification C:\Windows\SysWOW64\Pkoicb32.exe Pgcmbcih.exe File created C:\Windows\SysWOW64\Cmlcld32.dll Elkmmodo.exe File created C:\Windows\SysWOW64\Fdiqpigl.exe Fakdcnhh.exe File created C:\Windows\SysWOW64\Hgeelf32.exe Honnki32.exe File created C:\Windows\SysWOW64\Ibedepbh.dll Hcldhnkk.exe File opened for modification C:\Windows\SysWOW64\Cfeepelg.exe Cbiiog32.exe File created C:\Windows\SysWOW64\Dklddhka.exe Dfphcj32.exe File created C:\Windows\SysWOW64\Ghanagbo.dll Mcfemmna.exe File opened for modification C:\Windows\SysWOW64\Kdhcli32.exe Kfebambf.exe File created C:\Windows\SysWOW64\Fepjea32.exe Fadndbci.exe File opened for modification C:\Windows\SysWOW64\Fakdcnhh.exe Fmohco32.exe File created C:\Windows\SysWOW64\Cjjkpe32.exe Cfnoogbo.exe File opened for modification C:\Windows\SysWOW64\Ijehdl32.exe Ihglhp32.exe File opened for modification C:\Windows\SysWOW64\Jpbalb32.exe Ijehdl32.exe File created C:\Windows\SysWOW64\Aacmij32.exe Qoeamo32.exe File created C:\Windows\SysWOW64\Ogknoe32.exe Ohhmcinf.exe File created C:\Windows\SysWOW64\Bckjhl32.exe Behilopf.exe File opened for modification C:\Windows\SysWOW64\Ciihklpj.exe Ccmpce32.exe File created C:\Windows\SysWOW64\Gjdldd32.exe Ggfpgi32.exe File opened for modification C:\Windows\SysWOW64\Jikeeh32.exe Jfliim32.exe File opened for modification C:\Windows\SysWOW64\Pfbfhm32.exe Pddjlb32.exe File opened for modification C:\Windows\SysWOW64\Fkcilc32.exe Fhdmph32.exe File created C:\Windows\SysWOW64\Eamjfeja.dll Nbmaon32.exe File opened for modification C:\Windows\SysWOW64\Ngdjaofc.exe Ndfnecgp.exe File opened for modification C:\Windows\SysWOW64\Aahfdihn.exe Aiaoclgl.exe File created C:\Windows\SysWOW64\Gefmcp32.exe Gcgqgd32.exe File created C:\Windows\SysWOW64\Damfcpfg.dll Plmpblnb.exe File created C:\Windows\SysWOW64\Mggabaea.exe Mdiefffn.exe File created C:\Windows\SysWOW64\Hoeheonb.dll Lngpog32.exe File opened for modification C:\Windows\SysWOW64\Nqjaeeog.exe Nnleiipc.exe File created C:\Windows\SysWOW64\Dijdkh32.dll Eakhdj32.exe File created C:\Windows\SysWOW64\Pldebkhj.exe Phhjblpa.exe File created C:\Windows\SysWOW64\Dklqidif.dll Bejfao32.exe File opened for modification C:\Windows\SysWOW64\Fgnadkic.exe Flhmfbim.exe File created C:\Windows\SysWOW64\Doempm32.dll Kdklfe32.exe File created C:\Windows\SysWOW64\Oonldcih.exe Oonldcih.exe File created C:\Windows\SysWOW64\Qopmpa32.dll Acnlgajg.exe File created C:\Windows\SysWOW64\Cicalakk.exe Cehfkb32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10436 10412 Process not Found 1099 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oeckfndj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cpkmcldj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dacpkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fffgkhmc.dll" Mdghaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqbpk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Phfmllbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ccdmnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpgkadij.dll" Jlkngc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nfoghakb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ooicid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Agpcihcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mhcmedli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Koaqcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ecfnmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epflllfi.dll" Mhfjjdjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lmgalkcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jliaac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eeojcmfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hfhfhbce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kikpibof.dll" Biaign32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nbmaon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nomdjlpi.dll" Iichjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fbegbacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijjnkj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ncfoch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfbaonni.dll" Hnhgha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimeai32.dll" Daacecfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mdiefffn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Plpopddd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gncnmane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilpge32.dll" Phfmllbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gjojef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmlmhlo.dll" Lfhhjklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddmidgbj.dll" Fhgppnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nflchkii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ohhmcinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jncnhl32.dll" Mgjnhaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljnfmlph.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfmcfjpo.dll" Afgmodel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbonbipa.dll" Dpeiligo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dnqlmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjipagod.dll" Emifeqid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ndcapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aamhcmdo.dll" Bnlgbnbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Clmdmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebmjlg32.dll" Iahkpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fhljkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jigbebhb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ccpeld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ldjpbign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pkdihhag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bqmpdioa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hmdkjmip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Inbnhihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Omhhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kgfoie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bcmfmlen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dhkkbmnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Egonhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Emgioakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nfnneb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqdkdffe.dll" Qnebjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amponajh.dll" Ccdmnj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2352 wrote to memory of 1996 2352 9327132051c076ebf625c6ffb9e07a44aacebac594217154b0a02377322e49e4.exe 31 PID 2352 wrote to memory of 1996 2352 9327132051c076ebf625c6ffb9e07a44aacebac594217154b0a02377322e49e4.exe 31 PID 2352 wrote to memory of 1996 2352 9327132051c076ebf625c6ffb9e07a44aacebac594217154b0a02377322e49e4.exe 31 PID 2352 wrote to memory of 1996 2352 9327132051c076ebf625c6ffb9e07a44aacebac594217154b0a02377322e49e4.exe 31 PID 1996 wrote to memory of 2472 1996 Kfebambf.exe 32 PID 1996 wrote to memory of 2472 1996 Kfebambf.exe 32 PID 1996 wrote to memory of 2472 1996 Kfebambf.exe 32 PID 1996 wrote to memory of 2472 1996 Kfebambf.exe 32 PID 2472 wrote to memory of 2804 2472 Kdhcli32.exe 33 PID 2472 wrote to memory of 2804 2472 Kdhcli32.exe 33 PID 2472 wrote to memory of 2804 2472 Kdhcli32.exe 33 PID 2472 wrote to memory of 2804 2472 Kdhcli32.exe 33 PID 2804 wrote to memory of 2288 2804 Khcomhbi.exe 34 PID 2804 wrote to memory of 2288 2804 Khcomhbi.exe 34 PID 2804 wrote to memory of 2288 2804 Khcomhbi.exe 34 PID 2804 wrote to memory of 2288 2804 Khcomhbi.exe 34 PID 2288 wrote to memory of 2996 2288 Kgfoie32.exe 35 PID 2288 wrote to memory of 2996 2288 Kgfoie32.exe 35 PID 2288 wrote to memory of 2996 2288 Kgfoie32.exe 35 PID 2288 wrote to memory of 2996 2288 Kgfoie32.exe 35 PID 2996 wrote to memory of 2744 2996 Lkakicam.exe 36 PID 2996 wrote to memory of 2744 2996 Lkakicam.exe 36 PID 2996 wrote to memory of 2744 2996 Lkakicam.exe 36 PID 2996 wrote to memory of 2744 2996 Lkakicam.exe 36 PID 2744 wrote to memory of 2624 2744 Lblcfnhj.exe 37 PID 2744 wrote to memory of 2624 2744 Lblcfnhj.exe 37 PID 2744 wrote to memory of 2624 2744 Lblcfnhj.exe 37 PID 2744 wrote to memory of 2624 2744 Lblcfnhj.exe 37 PID 2624 wrote to memory of 2180 2624 Lqncaj32.exe 38 PID 2624 wrote to memory of 2180 2624 Lqncaj32.exe 38 PID 2624 wrote to memory of 2180 2624 Lqncaj32.exe 38 PID 2624 wrote to memory of 2180 2624 Lqncaj32.exe 38 PID 2180 wrote to memory of 1120 2180 Ldjpbign.exe 39 PID 2180 wrote to memory of 1120 2180 Ldjpbign.exe 39 PID 2180 wrote to memory of 1120 2180 Ldjpbign.exe 39 PID 2180 wrote to memory of 1120 2180 Ldjpbign.exe 39 PID 1120 wrote to memory of 596 1120 Lhelbh32.exe 40 PID 1120 wrote to memory of 596 1120 Lhelbh32.exe 40 PID 1120 wrote to memory of 596 1120 Lhelbh32.exe 40 PID 1120 wrote to memory of 596 1120 Lhelbh32.exe 40 PID 596 wrote to memory of 2908 596 Lghlndfa.exe 41 PID 596 wrote to memory of 2908 596 Lghlndfa.exe 41 PID 596 wrote to memory of 2908 596 Lghlndfa.exe 41 PID 596 wrote to memory of 2908 596 Lghlndfa.exe 41 PID 2908 wrote to memory of 856 2908 Lnbdko32.exe 42 PID 2908 wrote to memory of 856 2908 Lnbdko32.exe 42 PID 2908 wrote to memory of 856 2908 Lnbdko32.exe 42 PID 2908 wrote to memory of 856 2908 Lnbdko32.exe 42 PID 856 wrote to memory of 1664 856 Lbnpkmfg.exe 43 PID 856 wrote to memory of 1664 856 Lbnpkmfg.exe 43 PID 856 wrote to memory of 1664 856 Lbnpkmfg.exe 43 PID 856 wrote to memory of 1664 856 Lbnpkmfg.exe 43 PID 1664 wrote to memory of 2328 1664 Ldllgiek.exe 44 PID 1664 wrote to memory of 2328 1664 Ldllgiek.exe 44 PID 1664 wrote to memory of 2328 1664 Ldllgiek.exe 44 PID 1664 wrote to memory of 2328 1664 Ldllgiek.exe 44 PID 2328 wrote to memory of 2704 2328 Ljieppcb.exe 45 PID 2328 wrote to memory of 2704 2328 Ljieppcb.exe 45 PID 2328 wrote to memory of 2704 2328 Ljieppcb.exe 45 PID 2328 wrote to memory of 2704 2328 Ljieppcb.exe 45 PID 2704 wrote to memory of 2708 2704 Lmgalkcf.exe 46 PID 2704 wrote to memory of 2708 2704 Lmgalkcf.exe 46 PID 2704 wrote to memory of 2708 2704 Lmgalkcf.exe 46 PID 2704 wrote to memory of 2708 2704 Lmgalkcf.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\9327132051c076ebf625c6ffb9e07a44aacebac594217154b0a02377322e49e4.exe"C:\Users\Admin\AppData\Local\Temp\9327132051c076ebf625c6ffb9e07a44aacebac594217154b0a02377322e49e4.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Kfebambf.exeC:\Windows\system32\Kfebambf.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Kdhcli32.exeC:\Windows\system32\Kdhcli32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Khcomhbi.exeC:\Windows\system32\Khcomhbi.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Lkakicam.exeC:\Windows\system32\Lkakicam.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Lblcfnhj.exeC:\Windows\system32\Lblcfnhj.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Lqncaj32.exeC:\Windows\system32\Lqncaj32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Ldjpbign.exeC:\Windows\system32\Ldjpbign.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Lhelbh32.exeC:\Windows\system32\Lhelbh32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\Lghlndfa.exeC:\Windows\system32\Lghlndfa.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:596 -
C:\Windows\SysWOW64\Lnbdko32.exeC:\Windows\system32\Lnbdko32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Lbnpkmfg.exeC:\Windows\system32\Lbnpkmfg.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\Ldllgiek.exeC:\Windows\system32\Ldllgiek.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Ljieppcb.exeC:\Windows\system32\Ljieppcb.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Lmgalkcf.exeC:\Windows\system32\Lmgalkcf.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Lqcmmjko.exeC:\Windows\system32\Lqcmmjko.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Lcaiiejc.exeC:\Windows\system32\Lcaiiejc.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3028 -
C:\Windows\SysWOW64\Lfpeeqig.exeC:\Windows\system32\Lfpeeqig.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872 -
C:\Windows\SysWOW64\Ljkaeo32.exeC:\Windows\system32\Ljkaeo32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2008 -
C:\Windows\SysWOW64\Lmjnak32.exeC:\Windows\system32\Lmjnak32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1780 -
C:\Windows\SysWOW64\Lohjnf32.exeC:\Windows\system32\Lohjnf32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2476 -
C:\Windows\SysWOW64\Lgoboc32.exeC:\Windows\system32\Lgoboc32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1960 -
C:\Windows\SysWOW64\Ljnnko32.exeC:\Windows\system32\Ljnnko32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2284 -
C:\Windows\SysWOW64\Liqoflfh.exeC:\Windows\system32\Liqoflfh.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1784 -
C:\Windows\SysWOW64\Lqhfhigj.exeC:\Windows\system32\Lqhfhigj.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:880 -
C:\Windows\SysWOW64\Lcfbdd32.exeC:\Windows\system32\Lcfbdd32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808 -
C:\Windows\SysWOW64\Mfdopp32.exeC:\Windows\system32\Mfdopp32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2960 -
C:\Windows\SysWOW64\Micklk32.exeC:\Windows\system32\Micklk32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1320 -
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2332 -
C:\Windows\SysWOW64\Miehak32.exeC:\Windows\system32\Miehak32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2920 -
C:\Windows\SysWOW64\Mkddnf32.exeC:\Windows\system32\Mkddnf32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:376 -
C:\Windows\SysWOW64\Mbnljqic.exeC:\Windows\system32\Mbnljqic.exe33⤵
- Executes dropped EXE
PID:308 -
C:\Windows\SysWOW64\Melifl32.exeC:\Windows\system32\Melifl32.exe34⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Mgjebg32.exeC:\Windows\system32\Mgjebg32.exe35⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Macilmnk.exeC:\Windows\system32\Macilmnk.exe36⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Mjkndb32.exeC:\Windows\system32\Mjkndb32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Mjkndb32.exeC:\Windows\system32\Mjkndb32.exe38⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Mbbfep32.exeC:\Windows\system32\Mbbfep32.exe39⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Meabakda.exeC:\Windows\system32\Meabakda.exe40⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Mhonngce.exeC:\Windows\system32\Mhonngce.exe41⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Mlkjne32.exeC:\Windows\system32\Mlkjne32.exe42⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Mnifja32.exeC:\Windows\system32\Mnifja32.exe43⤵
- Executes dropped EXE
PID:352 -
C:\Windows\SysWOW64\Nmlgfnal.exeC:\Windows\system32\Nmlgfnal.exe44⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Nagbgl32.exeC:\Windows\system32\Nagbgl32.exe45⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Ncfoch32.exeC:\Windows\system32\Ncfoch32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Nhakcfab.exeC:\Windows\system32\Nhakcfab.exe47⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Njpgpbpf.exeC:\Windows\system32\Njpgpbpf.exe48⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Nnkcpq32.exeC:\Windows\system32\Nnkcpq32.exe49⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe50⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Npmphinm.exeC:\Windows\system32\Npmphinm.exe51⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Ndhlhg32.exeC:\Windows\system32\Ndhlhg32.exe52⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Nhdhif32.exeC:\Windows\system32\Nhdhif32.exe53⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Njbdea32.exeC:\Windows\system32\Njbdea32.exe54⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Niedqnen.exeC:\Windows\system32\Niedqnen.exe55⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe56⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Nallalep.exeC:\Windows\system32\Nallalep.exe57⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Npolmh32.exeC:\Windows\system32\Npolmh32.exe58⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Ndkhngdd.exeC:\Windows\system32\Ndkhngdd.exe59⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Nfidjbdg.exeC:\Windows\system32\Nfidjbdg.exe60⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Njdqka32.exeC:\Windows\system32\Njdqka32.exe61⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Nmcmgm32.exeC:\Windows\system32\Nmcmgm32.exe62⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Nlfmbibo.exeC:\Windows\system32\Nlfmbibo.exe63⤵
- Executes dropped EXE
PID:268 -
C:\Windows\SysWOW64\Npaich32.exeC:\Windows\system32\Npaich32.exe64⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Ndmecgba.exeC:\Windows\system32\Ndmecgba.exe65⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe66⤵PID:472
-
C:\Windows\SysWOW64\Nenakoho.exeC:\Windows\system32\Nenakoho.exe67⤵PID:2196
-
C:\Windows\SysWOW64\Nijnln32.exeC:\Windows\system32\Nijnln32.exe68⤵PID:1560
-
C:\Windows\SysWOW64\Nmejllia.exeC:\Windows\system32\Nmejllia.exe69⤵PID:1696
-
C:\Windows\SysWOW64\Nlhjhi32.exeC:\Windows\system32\Nlhjhi32.exe70⤵PID:2156
-
C:\Windows\SysWOW64\Noffdd32.exeC:\Windows\system32\Noffdd32.exe71⤵PID:2592
-
C:\Windows\SysWOW64\Nfnneb32.exeC:\Windows\system32\Nfnneb32.exe72⤵
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Neqnqofm.exeC:\Windows\system32\Neqnqofm.exe73⤵PID:3000
-
C:\Windows\SysWOW64\Ohojmjep.exeC:\Windows\system32\Ohojmjep.exe74⤵PID:2832
-
C:\Windows\SysWOW64\Olkfmi32.exeC:\Windows\system32\Olkfmi32.exe75⤵
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Ooicid32.exeC:\Windows\system32\Ooicid32.exe76⤵
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe77⤵PID:1508
-
C:\Windows\SysWOW64\Oeckfndj.exeC:\Windows\system32\Oeckfndj.exe78⤵
- Modifies registry class
PID:964 -
C:\Windows\SysWOW64\Oioggmmc.exeC:\Windows\system32\Oioggmmc.exe79⤵PID:1052
-
C:\Windows\SysWOW64\Ohagbj32.exeC:\Windows\system32\Ohagbj32.exe80⤵PID:1720
-
C:\Windows\SysWOW64\Okpcoe32.exeC:\Windows\system32\Okpcoe32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:836 -
C:\Windows\SysWOW64\Ookpodkj.exeC:\Windows\system32\Ookpodkj.exe82⤵PID:2280
-
C:\Windows\SysWOW64\Oajlkojn.exeC:\Windows\system32\Oajlkojn.exe83⤵PID:1744
-
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe84⤵PID:3016
-
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe85⤵PID:2612
-
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe86⤵PID:2208
-
C:\Windows\SysWOW64\Okbpde32.exeC:\Windows\system32\Okbpde32.exe87⤵PID:2868
-
C:\Windows\SysWOW64\Oonldcih.exeC:\Windows\system32\Oonldcih.exe88⤵
- Drops file in System32 directory
PID:1456 -
C:\Windows\SysWOW64\Oonldcih.exeC:\Windows\system32\Oonldcih.exe89⤵PID:2212
-
C:\Windows\SysWOW64\Omqlpp32.exeC:\Windows\system32\Omqlpp32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2188 -
C:\Windows\SysWOW64\Oalhqohl.exeC:\Windows\system32\Oalhqohl.exe91⤵PID:2228
-
C:\Windows\SysWOW64\Oehdan32.exeC:\Windows\system32\Oehdan32.exe92⤵PID:2508
-
C:\Windows\SysWOW64\Odjdmjgo.exeC:\Windows\system32\Odjdmjgo.exe93⤵PID:884
-
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe94⤵PID:828
-
C:\Windows\SysWOW64\Okdmjdol.exeC:\Windows\system32\Okdmjdol.exe95⤵
- Drops file in System32 directory
PID:1392 -
C:\Windows\SysWOW64\Oopijc32.exeC:\Windows\system32\Oopijc32.exe96⤵PID:1364
-
C:\Windows\SysWOW64\Omcifpnp.exeC:\Windows\system32\Omcifpnp.exe97⤵PID:1096
-
C:\Windows\SysWOW64\Opaebkmc.exeC:\Windows\system32\Opaebkmc.exe98⤵PID:2104
-
C:\Windows\SysWOW64\Odmabj32.exeC:\Windows\system32\Odmabj32.exe99⤵PID:2992
-
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe100⤵
- Drops file in System32 directory
- Modifies registry class
PID:660 -
C:\Windows\SysWOW64\Ogknoe32.exeC:\Windows\system32\Ogknoe32.exe101⤵PID:2616
-
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe102⤵PID:1500
-
C:\Windows\SysWOW64\Omefkplm.exeC:\Windows\system32\Omefkplm.exe103⤵PID:1728
-
C:\Windows\SysWOW64\Oaqbln32.exeC:\Windows\system32\Oaqbln32.exe104⤵PID:1524
-
C:\Windows\SysWOW64\Ppcbgkka.exeC:\Windows\system32\Ppcbgkka.exe105⤵PID:832
-
C:\Windows\SysWOW64\Pdonhj32.exeC:\Windows\system32\Pdonhj32.exe106⤵PID:2924
-
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe107⤵PID:1512
-
C:\Windows\SysWOW64\Pilfpqaa.exeC:\Windows\system32\Pilfpqaa.exe108⤵PID:1616
-
C:\Windows\SysWOW64\Pmgbao32.exeC:\Windows\system32\Pmgbao32.exe109⤵PID:2916
-
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:400 -
C:\Windows\SysWOW64\Pdakniag.exeC:\Windows\system32\Pdakniag.exe111⤵PID:2556
-
C:\Windows\SysWOW64\Pcdkif32.exeC:\Windows\system32\Pcdkif32.exe112⤵PID:888
-
C:\Windows\SysWOW64\Pgpgjepk.exeC:\Windows\system32\Pgpgjepk.exe113⤵PID:2000
-
C:\Windows\SysWOW64\Pincfpoo.exeC:\Windows\system32\Pincfpoo.exe114⤵PID:864
-
C:\Windows\SysWOW64\Pnjofo32.exeC:\Windows\system32\Pnjofo32.exe115⤵PID:684
-
C:\Windows\SysWOW64\Plmpblnb.exeC:\Windows\system32\Plmpblnb.exe116⤵
- Drops file in System32 directory
PID:1312 -
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe117⤵PID:1332
-
C:\Windows\SysWOW64\Pcghof32.exeC:\Windows\system32\Pcghof32.exe118⤵PID:2892
-
C:\Windows\SysWOW64\Pgbdodnh.exeC:\Windows\system32\Pgbdodnh.exe119⤵PID:2460
-
C:\Windows\SysWOW64\Peedka32.exeC:\Windows\system32\Peedka32.exe120⤵PID:2160
-
C:\Windows\SysWOW64\Piqpkpml.exeC:\Windows\system32\Piqpkpml.exe121⤵PID:1852
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-