Analysis
-
max time kernel
51s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
11/07/2024, 00:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
75aee8f646dc2e4639a2c66d4e99b394f2d7975f2bee3123072c11c352173593.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
75aee8f646dc2e4639a2c66d4e99b394f2d7975f2bee3123072c11c352173593.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
75aee8f646dc2e4639a2c66d4e99b394f2d7975f2bee3123072c11c352173593.exe
-
Size
80KB
-
MD5
be78834ee05d41abf4d1521384b56cc4
-
SHA1
b140b020ce3f9c8172ade8e61e7e3451542041ce
-
SHA256
75aee8f646dc2e4639a2c66d4e99b394f2d7975f2bee3123072c11c352173593
-
SHA512
64fc6838f98805e0dbc4a9b30bb0bfebd1da5f6257bfcb14e8c1c2c898538ac956226df95e052f6261c46503a0d53dad783e6ddbb7aa492053daddba6503df0a
-
SSDEEP
1536:oq2xQFLSS/n1wpZK8OjxOts4+Qpwz2LeaIZTJ+7LhkiB0:o6FLSQn1wbK8OjxOtsKeaMU7ui
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcppmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeicenni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmpdoffo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foidii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpmhgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pihnqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adcobk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcgmgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igjabj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkhjcing.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccakij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Colegflh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akhndf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjpakdbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeobfgak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chmlfj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onejjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djaedbnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoeigi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppgfciee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akmgoehg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpojlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjnaehgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cincaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofqonp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahoodqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjgmka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Foidii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gheola32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcnchg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndnplk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfpkfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdolga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfhjjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppgfciee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edhmhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inffdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikfdmogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ommdqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgqqcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qomcdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eibikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikkmho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnjeoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pacbel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnjeoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkbdbbop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alicahno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lojhmjag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onfadc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjgmka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gheola32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlfebcnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcodcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkkbcpbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofcldoef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Babbpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibklddof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnmhogjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmqckf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aioppl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oebffm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onkjocjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amdmkb32.exe -
Executes dropped EXE 64 IoCs
pid Process 2248 Mglpjc32.exe 2856 Mgomoboc.exe 2352 Mkqbhf32.exe 2336 Mookod32.exe 2632 Mdkcgk32.exe 2940 Moahdd32.exe 1612 Ndnplk32.exe 2512 Nkjeod32.exe 2544 Nmkbfmpf.exe 2924 Ncejcg32.exe 2840 Njaoeq32.exe 2824 Ojdlkp32.exe 2176 Olehbh32.exe 2568 Oiiilm32.exe 2156 Onfadc32.exe 1928 Onhnjclg.exe 2104 Oebffm32.exe 1536 Onkjocjd.exe 2716 Olokighn.exe 1760 Pegpamoo.exe 1128 Pjfdpckc.exe 872 Ppcmhj32.exe 2972 Ppejmj32.exe 2440 Pinnfonh.exe 2788 Ppgfciee.exe 2944 Qomcdf32.exe 2604 Qkcdigpa.exe 888 Ahgdbk32.exe 1728 Amdmkb32.exe 2136 Akhndf32.exe 2140 Ahlnmjkf.exe 2100 Adcobk32.exe 2888 Akmgoehg.exe 2816 Adekhkng.exe 1480 Agchdfmk.exe 2064 Ajbdpblo.exe 2484 Alqplmlb.exe 2168 Bgfdjfkh.exe 944 Bjdqfajl.exe 2516 Boainhic.exe 2412 Bjgmka32.exe 1784 Bkhjcing.exe 1124 Babbpc32.exe 1816 Bhljlnma.exe 1680 Bkjfhile.exe 3028 Bfpkfb32.exe 1152 Bhngbm32.exe 1980 Bohoogbk.exe 2664 Bqilfp32.exe 2792 Bhqdgm32.exe 2828 Cnmlpd32.exe 388 Cgfqii32.exe 2652 Cnpieceq.exe 2072 Cghmni32.exe 1824 Cnbfkccn.exe 1708 Cocbbk32.exe 1380 Cjifpdib.exe 2128 Cqcomn32.exe 2500 Ccakij32.exe 640 Cincaq32.exe 1012 Cbfhjfdk.exe 1548 Dnmhogjo.exe 2224 Ephhmn32.exe 556 Epjdbn32.exe -
Loads dropped DLL 64 IoCs
pid Process 2388 75aee8f646dc2e4639a2c66d4e99b394f2d7975f2bee3123072c11c352173593.exe 2388 75aee8f646dc2e4639a2c66d4e99b394f2d7975f2bee3123072c11c352173593.exe 2248 Mglpjc32.exe 2248 Mglpjc32.exe 2856 Mgomoboc.exe 2856 Mgomoboc.exe 2352 Mkqbhf32.exe 2352 Mkqbhf32.exe 2336 Mookod32.exe 2336 Mookod32.exe 2632 Mdkcgk32.exe 2632 Mdkcgk32.exe 2940 Moahdd32.exe 2940 Moahdd32.exe 1612 Ndnplk32.exe 1612 Ndnplk32.exe 2512 Nkjeod32.exe 2512 Nkjeod32.exe 2544 Nmkbfmpf.exe 2544 Nmkbfmpf.exe 2924 Ncejcg32.exe 2924 Ncejcg32.exe 2840 Njaoeq32.exe 2840 Njaoeq32.exe 2824 Ojdlkp32.exe 2824 Ojdlkp32.exe 2176 Olehbh32.exe 2176 Olehbh32.exe 2568 Oiiilm32.exe 2568 Oiiilm32.exe 2156 Onfadc32.exe 2156 Onfadc32.exe 1928 Onhnjclg.exe 1928 Onhnjclg.exe 2104 Oebffm32.exe 2104 Oebffm32.exe 1536 Onkjocjd.exe 1536 Onkjocjd.exe 2716 Olokighn.exe 2716 Olokighn.exe 1760 Pegpamoo.exe 1760 Pegpamoo.exe 1128 Pjfdpckc.exe 1128 Pjfdpckc.exe 872 Ppcmhj32.exe 872 Ppcmhj32.exe 2972 Ppejmj32.exe 2972 Ppejmj32.exe 2440 Pinnfonh.exe 2440 Pinnfonh.exe 2788 Ppgfciee.exe 2788 Ppgfciee.exe 2944 Qomcdf32.exe 2944 Qomcdf32.exe 2604 Qkcdigpa.exe 2604 Qkcdigpa.exe 888 Ahgdbk32.exe 888 Ahgdbk32.exe 1728 Amdmkb32.exe 1728 Amdmkb32.exe 2136 Akhndf32.exe 2136 Akhndf32.exe 2140 Ahlnmjkf.exe 2140 Ahlnmjkf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Lobehpok.exe Lielphqc.exe File opened for modification C:\Windows\SysWOW64\Lelmei32.exe Lobehpok.exe File created C:\Windows\SysWOW64\Bllndljk.dll Nkjeod32.exe File created C:\Windows\SysWOW64\Ajbdpblo.exe Agchdfmk.exe File created C:\Windows\SysWOW64\Cnpieceq.exe Cgfqii32.exe File created C:\Windows\SysWOW64\Gjpakdbl.exe Gllabp32.exe File created C:\Windows\SysWOW64\Ifndph32.exe Iflhjh32.exe File opened for modification C:\Windows\SysWOW64\Lgpjcnhh.exe Ldangbhd.exe File created C:\Windows\SysWOW64\Hegjbnaa.dll Ngkfnp32.exe File created C:\Windows\SysWOW64\Jommmbhn.dll Ogkbmcba.exe File created C:\Windows\SysWOW64\Njmlqd32.dll Ofcldoef.exe File opened for modification C:\Windows\SysWOW64\Ebhjdc32.exe Elnagijk.exe File created C:\Windows\SysWOW64\Pnejdhif.dll Inaliedk.exe File created C:\Windows\SysWOW64\Kbajci32.exe Klgbfo32.exe File opened for modification C:\Windows\SysWOW64\Cjifpdib.exe Cocbbk32.exe File created C:\Windows\SysWOW64\Fkpeojha.exe Fagqed32.exe File created C:\Windows\SysWOW64\Himgihno.dll Gjpakdbl.exe File opened for modification C:\Windows\SysWOW64\Ocdohdfc.exe Omjgkjof.exe File opened for modification C:\Windows\SysWOW64\Cfemdp32.exe Colegflh.exe File created C:\Windows\SysWOW64\Jmplqp32.exe Jchhhjjg.exe File created C:\Windows\SysWOW64\Emqfen32.dll Qkcdigpa.exe File created C:\Windows\SysWOW64\Mbcbdo32.dll Onejjm32.exe File created C:\Windows\SysWOW64\Dcppmg32.exe Dmfhqmge.exe File opened for modification C:\Windows\SysWOW64\Ecnpgj32.exe Enagnc32.exe File created C:\Windows\SysWOW64\Iqbekpal.exe Igjabj32.exe File created C:\Windows\SysWOW64\Kmnljc32.exe Kceganoe.exe File created C:\Windows\SysWOW64\Dldldj32.dll Lmpdoffo.exe File created C:\Windows\SysWOW64\Lhgeao32.exe Looahi32.exe File created C:\Windows\SysWOW64\Iqidng32.dll Cgfqii32.exe File opened for modification C:\Windows\SysWOW64\Fpojlp32.exe Fomndhng.exe File opened for modification C:\Windows\SysWOW64\Hqhiab32.exe Hjnaehgj.exe File opened for modification C:\Windows\SysWOW64\Jmqckf32.exe Jchobqnc.exe File created C:\Windows\SysWOW64\Npqbka32.dll Jfigdl32.exe File created C:\Windows\SysWOW64\Pohpepmf.dll Iqbekpal.exe File created C:\Windows\SysWOW64\Gcfmolmc.dll Bhljlnma.exe File opened for modification C:\Windows\SysWOW64\Oqomkimg.exe Nkbdbbop.exe File created C:\Windows\SysWOW64\Alicahno.exe Apbblg32.exe File created C:\Windows\SysWOW64\Fmhaep32.exe Fdpmljan.exe File created C:\Windows\SysWOW64\Hdailaib.exe Hngppgae.exe File opened for modification C:\Windows\SysWOW64\Jfkdik32.exe Jfigdl32.exe File created C:\Windows\SysWOW64\Ldjmkq32.exe Lmpdoffo.exe File created C:\Windows\SysWOW64\Oifbhdjc.dll 75aee8f646dc2e4639a2c66d4e99b394f2d7975f2bee3123072c11c352173593.exe File opened for modification C:\Windows\SysWOW64\Ndnplk32.exe Moahdd32.exe File created C:\Windows\SysWOW64\Oflpgp32.dll Kiojqfdp.exe File created C:\Windows\SysWOW64\Ebjdjpda.dll Ckebbgoj.exe File opened for modification C:\Windows\SysWOW64\Fplgljbm.exe Fdefgimi.exe File created C:\Windows\SysWOW64\Klgbfo32.exe Kfkjnh32.exe File opened for modification C:\Windows\SysWOW64\Akmgoehg.exe Adcobk32.exe File created C:\Windows\SysWOW64\Odefpfcd.dll Ajbdpblo.exe File opened for modification C:\Windows\SysWOW64\Ehjbaooe.exe Ebmjihqn.exe File created C:\Windows\SysWOW64\Oeckdc32.dll Hjpnjheg.exe File opened for modification C:\Windows\SysWOW64\Djaedbnj.exe Dcgmgh32.exe File opened for modification C:\Windows\SysWOW64\Kmnljc32.exe Kceganoe.exe File opened for modification C:\Windows\SysWOW64\Onhnjclg.exe Onfadc32.exe File opened for modification C:\Windows\SysWOW64\Bgfdjfkh.exe Alqplmlb.exe File created C:\Windows\SysWOW64\Gebiefle.exe Gljdlq32.exe File created C:\Windows\SysWOW64\Hpplfm32.exe Hghhngjb.exe File opened for modification C:\Windows\SysWOW64\Kgcpgl32.exe Kmnljc32.exe File created C:\Windows\SysWOW64\Okgiokkl.dll Pfgeoo32.exe File created C:\Windows\SysWOW64\Ojbachjd.dll Kcjqlm32.exe File created C:\Windows\SysWOW64\Hmmckh32.dll Ibeeeijg.exe File created C:\Windows\SysWOW64\Jfkdik32.exe Jfigdl32.exe File created C:\Windows\SysWOW64\Jfajgn32.dll Meafpibb.exe File created C:\Windows\SysWOW64\Okdahbmm.exe Oqomkimg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 432 3100 WerFault.exe 274 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppcmhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addlbf32.dll" Fpojlp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcppmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjqplmck.dll" Fdpmljan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kakdpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jchobqnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haekqknh.dll" Nkbdbbop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhdabemb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elpnmhgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Janjga32.dll" Ppcmhj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgfqii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ephhmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Licpki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aihjpman.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnhhia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idmkjp32.dll" Linoeccp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boobcigh.dll" Gebiefle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfgeoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djcbib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdefgimi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhnckp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdnffpif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkhocj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oiiilm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cqcomn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdoaackf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Colegflh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmldoe.dll" Iogbllfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jibcja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lphnlcnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbcbdo32.dll" Onejjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqleff32.dll" Ofqonp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pligbekc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amdmkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkhbkg32.dll" Bjdqfajl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnbfkccn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gheola32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heccqa32.dll" Enagnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcjqlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbgglq32.dll" Cocbbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acoacabb.dll" Ldfgbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lggpdmap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bglghdbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glclampi.dll" Dcgmgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hghhngjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohhmhk32.dll" Hkngbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmknko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmmnclpk.dll" Bgfdjfkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpipeaaf.dll" Dnmhogjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpgloo32.dll" Gheola32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikkmho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmelfeqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gloibpen.dll" Lphnlcnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pihnqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpplfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boainhic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnmlpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmdpf32.dll" Iiekkdjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iogbllfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pegpamoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahlnmjkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqidng32.dll" Cgfqii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifndph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfigdl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2388 wrote to memory of 2248 2388 75aee8f646dc2e4639a2c66d4e99b394f2d7975f2bee3123072c11c352173593.exe 29 PID 2388 wrote to memory of 2248 2388 75aee8f646dc2e4639a2c66d4e99b394f2d7975f2bee3123072c11c352173593.exe 29 PID 2388 wrote to memory of 2248 2388 75aee8f646dc2e4639a2c66d4e99b394f2d7975f2bee3123072c11c352173593.exe 29 PID 2388 wrote to memory of 2248 2388 75aee8f646dc2e4639a2c66d4e99b394f2d7975f2bee3123072c11c352173593.exe 29 PID 2248 wrote to memory of 2856 2248 Mglpjc32.exe 30 PID 2248 wrote to memory of 2856 2248 Mglpjc32.exe 30 PID 2248 wrote to memory of 2856 2248 Mglpjc32.exe 30 PID 2248 wrote to memory of 2856 2248 Mglpjc32.exe 30 PID 2856 wrote to memory of 2352 2856 Mgomoboc.exe 31 PID 2856 wrote to memory of 2352 2856 Mgomoboc.exe 31 PID 2856 wrote to memory of 2352 2856 Mgomoboc.exe 31 PID 2856 wrote to memory of 2352 2856 Mgomoboc.exe 31 PID 2352 wrote to memory of 2336 2352 Mkqbhf32.exe 32 PID 2352 wrote to memory of 2336 2352 Mkqbhf32.exe 32 PID 2352 wrote to memory of 2336 2352 Mkqbhf32.exe 32 PID 2352 wrote to memory of 2336 2352 Mkqbhf32.exe 32 PID 2336 wrote to memory of 2632 2336 Mookod32.exe 33 PID 2336 wrote to memory of 2632 2336 Mookod32.exe 33 PID 2336 wrote to memory of 2632 2336 Mookod32.exe 33 PID 2336 wrote to memory of 2632 2336 Mookod32.exe 33 PID 2632 wrote to memory of 2940 2632 Mdkcgk32.exe 34 PID 2632 wrote to memory of 2940 2632 Mdkcgk32.exe 34 PID 2632 wrote to memory of 2940 2632 Mdkcgk32.exe 34 PID 2632 wrote to memory of 2940 2632 Mdkcgk32.exe 34 PID 2940 wrote to memory of 1612 2940 Moahdd32.exe 35 PID 2940 wrote to memory of 1612 2940 Moahdd32.exe 35 PID 2940 wrote to memory of 1612 2940 Moahdd32.exe 35 PID 2940 wrote to memory of 1612 2940 Moahdd32.exe 35 PID 1612 wrote to memory of 2512 1612 Ndnplk32.exe 36 PID 1612 wrote to memory of 2512 1612 Ndnplk32.exe 36 PID 1612 wrote to memory of 2512 1612 Ndnplk32.exe 36 PID 1612 wrote to memory of 2512 1612 Ndnplk32.exe 36 PID 2512 wrote to memory of 2544 2512 Nkjeod32.exe 37 PID 2512 wrote to memory of 2544 2512 Nkjeod32.exe 37 PID 2512 wrote to memory of 2544 2512 Nkjeod32.exe 37 PID 2512 wrote to memory of 2544 2512 Nkjeod32.exe 37 PID 2544 wrote to memory of 2924 2544 Nmkbfmpf.exe 38 PID 2544 wrote to memory of 2924 2544 Nmkbfmpf.exe 38 PID 2544 wrote to memory of 2924 2544 Nmkbfmpf.exe 38 PID 2544 wrote to memory of 2924 2544 Nmkbfmpf.exe 38 PID 2924 wrote to memory of 2840 2924 Ncejcg32.exe 39 PID 2924 wrote to memory of 2840 2924 Ncejcg32.exe 39 PID 2924 wrote to memory of 2840 2924 Ncejcg32.exe 39 PID 2924 wrote to memory of 2840 2924 Ncejcg32.exe 39 PID 2840 wrote to memory of 2824 2840 Njaoeq32.exe 40 PID 2840 wrote to memory of 2824 2840 Njaoeq32.exe 40 PID 2840 wrote to memory of 2824 2840 Njaoeq32.exe 40 PID 2840 wrote to memory of 2824 2840 Njaoeq32.exe 40 PID 2824 wrote to memory of 2176 2824 Ojdlkp32.exe 41 PID 2824 wrote to memory of 2176 2824 Ojdlkp32.exe 41 PID 2824 wrote to memory of 2176 2824 Ojdlkp32.exe 41 PID 2824 wrote to memory of 2176 2824 Ojdlkp32.exe 41 PID 2176 wrote to memory of 2568 2176 Olehbh32.exe 42 PID 2176 wrote to memory of 2568 2176 Olehbh32.exe 42 PID 2176 wrote to memory of 2568 2176 Olehbh32.exe 42 PID 2176 wrote to memory of 2568 2176 Olehbh32.exe 42 PID 2568 wrote to memory of 2156 2568 Oiiilm32.exe 43 PID 2568 wrote to memory of 2156 2568 Oiiilm32.exe 43 PID 2568 wrote to memory of 2156 2568 Oiiilm32.exe 43 PID 2568 wrote to memory of 2156 2568 Oiiilm32.exe 43 PID 2156 wrote to memory of 1928 2156 Onfadc32.exe 44 PID 2156 wrote to memory of 1928 2156 Onfadc32.exe 44 PID 2156 wrote to memory of 1928 2156 Onfadc32.exe 44 PID 2156 wrote to memory of 1928 2156 Onfadc32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\75aee8f646dc2e4639a2c66d4e99b394f2d7975f2bee3123072c11c352173593.exe"C:\Users\Admin\AppData\Local\Temp\75aee8f646dc2e4639a2c66d4e99b394f2d7975f2bee3123072c11c352173593.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Mglpjc32.exeC:\Windows\system32\Mglpjc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Mgomoboc.exeC:\Windows\system32\Mgomoboc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Mkqbhf32.exeC:\Windows\system32\Mkqbhf32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Mookod32.exeC:\Windows\system32\Mookod32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Mdkcgk32.exeC:\Windows\system32\Mdkcgk32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Moahdd32.exeC:\Windows\system32\Moahdd32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Ndnplk32.exeC:\Windows\system32\Ndnplk32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Nkjeod32.exeC:\Windows\system32\Nkjeod32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Nmkbfmpf.exeC:\Windows\system32\Nmkbfmpf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Ncejcg32.exeC:\Windows\system32\Ncejcg32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Njaoeq32.exeC:\Windows\system32\Njaoeq32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Ojdlkp32.exeC:\Windows\system32\Ojdlkp32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Olehbh32.exeC:\Windows\system32\Olehbh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Oiiilm32.exeC:\Windows\system32\Oiiilm32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Onfadc32.exeC:\Windows\system32\Onfadc32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Onhnjclg.exeC:\Windows\system32\Onhnjclg.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1928 -
C:\Windows\SysWOW64\Oebffm32.exeC:\Windows\system32\Oebffm32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2104 -
C:\Windows\SysWOW64\Onkjocjd.exeC:\Windows\system32\Onkjocjd.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1536 -
C:\Windows\SysWOW64\Olokighn.exeC:\Windows\system32\Olokighn.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Pegpamoo.exeC:\Windows\system32\Pegpamoo.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Pjfdpckc.exeC:\Windows\system32\Pjfdpckc.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1128 -
C:\Windows\SysWOW64\Ppcmhj32.exeC:\Windows\system32\Ppcmhj32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:872 -
C:\Windows\SysWOW64\Ppejmj32.exeC:\Windows\system32\Ppejmj32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2972 -
C:\Windows\SysWOW64\Pinnfonh.exeC:\Windows\system32\Pinnfonh.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Ppgfciee.exeC:\Windows\system32\Ppgfciee.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Qomcdf32.exeC:\Windows\system32\Qomcdf32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2944 -
C:\Windows\SysWOW64\Qkcdigpa.exeC:\Windows\system32\Qkcdigpa.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Ahgdbk32.exeC:\Windows\system32\Ahgdbk32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:888 -
C:\Windows\SysWOW64\Amdmkb32.exeC:\Windows\system32\Amdmkb32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Akhndf32.exeC:\Windows\system32\Akhndf32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2136 -
C:\Windows\SysWOW64\Ahlnmjkf.exeC:\Windows\system32\Ahlnmjkf.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Adcobk32.exeC:\Windows\system32\Adcobk32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Akmgoehg.exeC:\Windows\system32\Akmgoehg.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Adekhkng.exeC:\Windows\system32\Adekhkng.exe35⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Agchdfmk.exeC:\Windows\system32\Agchdfmk.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1480 -
C:\Windows\SysWOW64\Ajbdpblo.exeC:\Windows\system32\Ajbdpblo.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Alqplmlb.exeC:\Windows\system32\Alqplmlb.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\Bgfdjfkh.exeC:\Windows\system32\Bgfdjfkh.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Bjdqfajl.exeC:\Windows\system32\Bjdqfajl.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:944 -
C:\Windows\SysWOW64\Boainhic.exeC:\Windows\system32\Boainhic.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Bjgmka32.exeC:\Windows\system32\Bjgmka32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Bkhjcing.exeC:\Windows\system32\Bkhjcing.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Babbpc32.exeC:\Windows\system32\Babbpc32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Bhljlnma.exeC:\Windows\system32\Bhljlnma.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1816 -
C:\Windows\SysWOW64\Bkjfhile.exeC:\Windows\system32\Bkjfhile.exe46⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Bfpkfb32.exeC:\Windows\system32\Bfpkfb32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Bhngbm32.exeC:\Windows\system32\Bhngbm32.exe48⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Bohoogbk.exeC:\Windows\system32\Bohoogbk.exe49⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Bqilfp32.exeC:\Windows\system32\Bqilfp32.exe50⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Bhqdgm32.exeC:\Windows\system32\Bhqdgm32.exe51⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Cnmlpd32.exeC:\Windows\system32\Cnmlpd32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Cgfqii32.exeC:\Windows\system32\Cgfqii32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:388 -
C:\Windows\SysWOW64\Cnpieceq.exeC:\Windows\system32\Cnpieceq.exe54⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Cghmni32.exeC:\Windows\system32\Cghmni32.exe55⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Cnbfkccn.exeC:\Windows\system32\Cnbfkccn.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\Cocbbk32.exeC:\Windows\system32\Cocbbk32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Cjifpdib.exeC:\Windows\system32\Cjifpdib.exe58⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Cqcomn32.exeC:\Windows\system32\Cqcomn32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Ccakij32.exeC:\Windows\system32\Ccakij32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Cincaq32.exeC:\Windows\system32\Cincaq32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Cbfhjfdk.exeC:\Windows\system32\Cbfhjfdk.exe62⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Dnmhogjo.exeC:\Windows\system32\Dnmhogjo.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Ephhmn32.exeC:\Windows\system32\Ephhmn32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Epjdbn32.exeC:\Windows\system32\Epjdbn32.exe65⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Eibikc32.exeC:\Windows\system32\Eibikc32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1384 -
C:\Windows\SysWOW64\Edhmhl32.exeC:\Windows\system32\Edhmhl32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:692 -
C:\Windows\SysWOW64\Elcbmn32.exeC:\Windows\system32\Elcbmn32.exe68⤵PID:920
-
C:\Windows\SysWOW64\Ebmjihqn.exeC:\Windows\system32\Ebmjihqn.exe69⤵
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\Ehjbaooe.exeC:\Windows\system32\Ehjbaooe.exe70⤵PID:2600
-
C:\Windows\SysWOW64\Feppqc32.exeC:\Windows\system32\Feppqc32.exe71⤵PID:1592
-
C:\Windows\SysWOW64\Foidii32.exeC:\Windows\system32\Foidii32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2744 -
C:\Windows\SysWOW64\Fagqed32.exeC:\Windows\system32\Fagqed32.exe73⤵
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Fkpeojha.exeC:\Windows\system32\Fkpeojha.exe74⤵PID:2372
-
C:\Windows\SysWOW64\Fomndhng.exeC:\Windows\system32\Fomndhng.exe75⤵
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Fpojlp32.exeC:\Windows\system32\Fpojlp32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Figoefkf.exeC:\Windows\system32\Figoefkf.exe77⤵PID:1092
-
C:\Windows\SysWOW64\Ggkoojip.exeC:\Windows\system32\Ggkoojip.exe78⤵PID:2200
-
C:\Windows\SysWOW64\Gljdlq32.exeC:\Windows\system32\Gljdlq32.exe79⤵
- Drops file in System32 directory
PID:1832 -
C:\Windows\SysWOW64\Gebiefle.exeC:\Windows\system32\Gebiefle.exe80⤵
- Modifies registry class
PID:1392 -
C:\Windows\SysWOW64\Gllabp32.exeC:\Windows\system32\Gllabp32.exe81⤵
- Drops file in System32 directory
PID:1488 -
C:\Windows\SysWOW64\Gjpakdbl.exeC:\Windows\system32\Gjpakdbl.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1668 -
C:\Windows\SysWOW64\Gcifdj32.exeC:\Windows\system32\Gcifdj32.exe83⤵PID:2480
-
C:\Windows\SysWOW64\Gheola32.exeC:\Windows\system32\Gheola32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Hfiofefm.exeC:\Windows\system32\Hfiofefm.exe85⤵PID:2432
-
C:\Windows\SysWOW64\Hhhkbqea.exeC:\Windows\system32\Hhhkbqea.exe86⤵PID:2400
-
C:\Windows\SysWOW64\Hdolga32.exeC:\Windows\system32\Hdolga32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2932 -
C:\Windows\SysWOW64\Hngppgae.exeC:\Windows\system32\Hngppgae.exe88⤵
- Drops file in System32 directory
PID:1572 -
C:\Windows\SysWOW64\Hdailaib.exeC:\Windows\system32\Hdailaib.exe89⤵PID:1580
-
C:\Windows\SysWOW64\Hjnaehgj.exeC:\Windows\system32\Hjnaehgj.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2988 -
C:\Windows\SysWOW64\Hqhiab32.exeC:\Windows\system32\Hqhiab32.exe91⤵PID:1072
-
C:\Windows\SysWOW64\Hjpnjheg.exeC:\Windows\system32\Hjpnjheg.exe92⤵
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Iiekkdjo.exeC:\Windows\system32\Iiekkdjo.exe93⤵
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Ickoimie.exeC:\Windows\system32\Ickoimie.exe94⤵PID:2060
-
C:\Windows\SysWOW64\Ikfdmogp.exeC:\Windows\system32\Ikfdmogp.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2444 -
C:\Windows\SysWOW64\Iflhjh32.exeC:\Windows\system32\Iflhjh32.exe96⤵
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\Ifndph32.exeC:\Windows\system32\Ifndph32.exe97⤵
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Ikkmho32.exeC:\Windows\system32\Ikkmho32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1104 -
C:\Windows\SysWOW64\Ibeeeijg.exeC:\Windows\system32\Ibeeeijg.exe99⤵
- Drops file in System32 directory
PID:2088 -
C:\Windows\SysWOW64\Jchobqnc.exeC:\Windows\system32\Jchobqnc.exe100⤵
- Drops file in System32 directory
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Jmqckf32.exeC:\Windows\system32\Jmqckf32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2448 -
C:\Windows\SysWOW64\Jfigdl32.exeC:\Windows\system32\Jfigdl32.exe102⤵
- Drops file in System32 directory
- Modifies registry class
PID:864 -
C:\Windows\SysWOW64\Jfkdik32.exeC:\Windows\system32\Jfkdik32.exe103⤵PID:2196
-
C:\Windows\SysWOW64\Jmelfeqn.exeC:\Windows\system32\Jmelfeqn.exe104⤵
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Jcodcp32.exeC:\Windows\system32\Jcodcp32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2620 -
C:\Windows\SysWOW64\Jjimpj32.exeC:\Windows\system32\Jjimpj32.exe106⤵PID:2624
-
C:\Windows\SysWOW64\Jcaahofh.exeC:\Windows\system32\Jcaahofh.exe107⤵PID:2912
-
C:\Windows\SysWOW64\Kiojqfdp.exeC:\Windows\system32\Kiojqfdp.exe108⤵
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Kbikokin.exeC:\Windows\system32\Kbikokin.exe109⤵PID:2536
-
C:\Windows\SysWOW64\Kjdpcnfi.exeC:\Windows\system32\Kjdpcnfi.exe110⤵PID:2304
-
C:\Windows\SysWOW64\Kkglim32.exeC:\Windows\system32\Kkglim32.exe111⤵PID:1968
-
C:\Windows\SysWOW64\Kdoaackf.exeC:\Windows\system32\Kdoaackf.exe112⤵
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Koeeoljm.exeC:\Windows\system32\Koeeoljm.exe113⤵PID:1484
-
C:\Windows\SysWOW64\Ldangbhd.exeC:\Windows\system32\Ldangbhd.exe114⤵
- Drops file in System32 directory
PID:324 -
C:\Windows\SysWOW64\Lgpjcnhh.exeC:\Windows\system32\Lgpjcnhh.exe115⤵PID:2764
-
C:\Windows\SysWOW64\Lphnlcnh.exeC:\Windows\system32\Lphnlcnh.exe116⤵
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Llooad32.exeC:\Windows\system32\Llooad32.exe117⤵PID:2644
-
C:\Windows\SysWOW64\Ldfgbb32.exeC:\Windows\system32\Ldfgbb32.exe118⤵
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Licpki32.exeC:\Windows\system32\Licpki32.exe119⤵
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Lpmhgc32.exeC:\Windows\system32\Lpmhgc32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2468 -
C:\Windows\SysWOW64\Lggpdmap.exeC:\Windows\system32\Lggpdmap.exe121⤵
- Modifies registry class
PID:2284
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-