Analysis
-
max time kernel
151s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
20/10/2022, 16:30
Static task
static1
Behavioral task
behavioral1
Sample
361003b5c292a1ec6d7d3b5984142e008b43aae40dbc847145e31143b1fa69f7.exe
Resource
win7-20220901-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
361003b5c292a1ec6d7d3b5984142e008b43aae40dbc847145e31143b1fa69f7.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
361003b5c292a1ec6d7d3b5984142e008b43aae40dbc847145e31143b1fa69f7.exe
-
Size
50KB
-
MD5
a046d1c8f7fdf7bbbca969cfe18c64a0
-
SHA1
23a747aa392de6f0f8748cc05ba2d01368479f96
-
SHA256
361003b5c292a1ec6d7d3b5984142e008b43aae40dbc847145e31143b1fa69f7
-
SHA512
77f3673679631a3988d21753ef8a78f144dc7429ec0d3925bd7113d1a6be10ec8a4576f29fa461656b9e29f61206da35a3a3487d2862148e31cfd202644e8341
-
SSDEEP
768:LTXeV2Qp3L9gCVY+LRdYRYJcjfc8R6jDFDTwhbSDvT45cqi2lPk1zL6xOcX/1H5:LDeVp3hrRuY8R6lAUDvT45zmzOxb9
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehhgfdho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cglgjeci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amjillkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Loighj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljqhkckn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olhlhjpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjpobg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onpjichj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdmegp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnhfee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olkhmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omegjomb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgebmbmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnbklm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkimho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdbdcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gflhoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giacca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjpobg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nliaao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jphkkpbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpidck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gglpibgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joiccj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddligq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqbpojnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnmaea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojfcdnjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plkpcfal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enigke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Conanfli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgkhlnbn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajneip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhgbhfbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qikgco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkmdkgob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Domdjj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mokmdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdbmhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pakllc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djhimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlobkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddjmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fodeolof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pghieg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjmmepfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cklaknjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mckemg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioambknl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahhblemi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eggmge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhofmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gphphj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnkdhpjn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bohibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Poimpapp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mefmimif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pefabkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aagkhd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gihgfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nagiji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daekdooc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjmcnbdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhibni32.exe -
Executes dropped EXE 64 IoCs
pid Process 896 Jdhphkin.exe 380 Koekfc32.exe 1120 Kpidck32.exe 3600 Kolagb32.exe 3308 Lafmol32.exe 3996 Mgebmbmo.exe 3444 Mghobbkl.exe 4112 Mhihbeql.exe 3124 Mkjqcp32.exe 3976 Nnmfkkhl.exe 1968 Nomcen32.exe 4828 Nbnlfimp.exe 4436 Noalpmli.exe 3568 Oijqibbj.exe 4884 Oaeemepe.exe 4228 Oalknd32.exe 4468 Pejddb32.exe 1988 Pneebg32.exe 4528 Peajdajk.exe 4184 Pbekne32.exe 3332 Plmogkoe.exe 2436 Qbjdiedp.exe 5016 Aldegj32.exe 4192 Bibigmpl.exe 4308 Bidemmnj.exe 4216 Bhibni32.exe 4352 Cpgqpe32.exe 336 Caimgncj.exe 224 Capchmmb.exe 1084 Dlgdkeje.exe 3452 Dohmlp32.exe 4140 Efgodj32.exe 2024 Elagacbk.exe 1496 Ehhgfdho.exe 4072 Emjjgbjp.exe 1800 Fqhbmqqg.exe 1676 Fqmlhpla.exe 5080 Fodeolof.exe 4400 Giacca32.exe 3960 Gcggpj32.exe 5056 Gcidfi32.exe 5008 Gfhqbe32.exe 692 Hmdedo32.exe 3776 Habnjm32.exe 1136 Ibjqcd32.exe 3400 Imdnklfp.exe 1648 Jfdida32.exe 1308 Jfffjqdf.exe 3708 Jbmfoa32.exe 3316 Kdopod32.exe 3632 Kilhgk32.exe 2008 Kipabjil.exe 992 Lgkhlnbn.exe 744 Lddbqa32.exe 2520 Lknjmkdo.exe 1416 Mjcgohig.exe 1732 Mpmokb32.exe 1460 Mgidml32.exe 4868 Mdmegp32.exe 2964 Mkgmcjld.exe 548 Nnhfee32.exe 3652 Ndbnboqb.exe 1468 Nnmopdep.exe 2420 Njfmke32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fjbnapki.dll Onjegled.exe File opened for modification C:\Windows\SysWOW64\Belebq32.exe Bnbmefbg.exe File created C:\Windows\SysWOW64\Dakacjdb.exe Cgcmjd32.exe File created C:\Windows\SysWOW64\Addaif32.exe Amjillkj.exe File created C:\Windows\SysWOW64\Pejddb32.exe Oalknd32.exe File created C:\Windows\SysWOW64\Ehhgfdho.exe Elagacbk.exe File created C:\Windows\SysWOW64\Kqfngd32.exe Knhakh32.exe File opened for modification C:\Windows\SysWOW64\Oloahhki.exe Oeehkn32.exe File created C:\Windows\SysWOW64\Gmnala32.dll Pahilmoc.exe File created C:\Windows\SysWOW64\Ddpapmqq.dll Ddligq32.exe File created C:\Windows\SysWOW64\Ibingd32.dll Fmfgek32.exe File opened for modification C:\Windows\SysWOW64\Jkodhk32.exe Jeekkafl.exe File created C:\Windows\SysWOW64\Bpqhgk32.dll Gmcdffmq.exe File opened for modification C:\Windows\SysWOW64\Dogogcpo.exe Dhmgki32.exe File created C:\Windows\SysWOW64\Capqggce.dll Bjlpjm32.exe File opened for modification C:\Windows\SysWOW64\Dkceokii.exe Ddjmba32.exe File created C:\Windows\SysWOW64\Mghobbkl.exe Mgebmbmo.exe File opened for modification C:\Windows\SysWOW64\Gfpcgpae.exe Flnlhk32.exe File opened for modification C:\Windows\SysWOW64\Hnoklk32.exe Gnkaalkd.exe File opened for modification C:\Windows\SysWOW64\Hghoeqmp.exe Hdicienl.exe File created C:\Windows\SysWOW64\Jkodhk32.exe Jeekkafl.exe File created C:\Windows\SysWOW64\Kijjbofj.exe Kflnfcgg.exe File opened for modification C:\Windows\SysWOW64\Nedjjj32.exe Ngmpcn32.exe File created C:\Windows\SysWOW64\Qkipkani.exe Qhkdof32.exe File created C:\Windows\SysWOW64\Emhmioko.dll Giacca32.exe File created C:\Windows\SysWOW64\Jfhlejnh.exe Jcioiood.exe File created C:\Windows\SysWOW64\Hlnjbedi.exe Gpelhd32.exe File opened for modification C:\Windows\SysWOW64\Hlnjbedi.exe Gpelhd32.exe File created C:\Windows\SysWOW64\Hemdlj32.exe Hfhgkmpj.exe File created C:\Windows\SysWOW64\Cmqmma32.exe Ceckcp32.exe File opened for modification C:\Windows\SysWOW64\Ebgpad32.exe Eoideh32.exe File opened for modification C:\Windows\SysWOW64\Hoiafcic.exe Hfqlnm32.exe File created C:\Windows\SysWOW64\Mnkhmbin.dll Meiaib32.exe File created C:\Windows\SysWOW64\Fbackgod.dll Cgcmjd32.exe File created C:\Windows\SysWOW64\Mhoipb32.exe Maeachag.exe File created C:\Windows\SysWOW64\Lckiihok.exe Lmaamn32.exe File created C:\Windows\SysWOW64\Nphihiif.dll Offnhpfo.exe File created C:\Windows\SysWOW64\Pjpdme32.dll Gfhqbe32.exe File created C:\Windows\SysWOW64\Nqbjqh32.dll Cklaknjd.exe File created C:\Windows\SysWOW64\Lobpkihi.dll Hlnjbedi.exe File opened for modification C:\Windows\SysWOW64\Jglklggl.exe Iqbbpm32.exe File created C:\Windows\SysWOW64\Lnbklm32.exe Kkmioc32.exe File opened for modification C:\Windows\SysWOW64\Ikcdlmgf.exe Iiehpahb.exe File opened for modification C:\Windows\SysWOW64\Joiccj32.exe Ioambknl.exe File opened for modification C:\Windows\SysWOW64\Kjmmepfj.exe Kilpmh32.exe File created C:\Windows\SysWOW64\Lddgmbpb.exe Lmmolepp.exe File created C:\Windows\SysWOW64\Mobnnd32.dll Lmmolepp.exe File opened for modification C:\Windows\SysWOW64\Feoodn32.exe Fbpchb32.exe File opened for modification C:\Windows\SysWOW64\Mhihbeql.exe Mghobbkl.exe File opened for modification C:\Windows\SysWOW64\Qnkdhpjn.exe Pbddcoei.exe File opened for modification C:\Windows\SysWOW64\Jiiicf32.exe Ieidhh32.exe File created C:\Windows\SysWOW64\Mhpbkngk.dll Nmnqjp32.exe File opened for modification C:\Windows\SysWOW64\Ekdnei32.exe Emoadlfo.exe File created C:\Windows\SysWOW64\Kpjcpkfo.dll Njfmke32.exe File opened for modification C:\Windows\SysWOW64\Ioambknl.exe Igjeanmj.exe File created C:\Windows\SysWOW64\Nijeec32.exe Nacmdf32.exe File created C:\Windows\SysWOW64\Kaofbcjo.dll Eiahnnph.exe File created C:\Windows\SysWOW64\Bkankc32.dll Mjcgohig.exe File opened for modification C:\Windows\SysWOW64\Pbddcoei.exe Pgopffec.exe File opened for modification C:\Windows\SysWOW64\Jefbfgig.exe Imdgqfbd.exe File opened for modification C:\Windows\SysWOW64\Nijeec32.exe Nacmdf32.exe File created C:\Windows\SysWOW64\Efpomccg.exe Enigke32.exe File opened for modification C:\Windows\SysWOW64\Fqmlhpla.exe Fqhbmqqg.exe File created C:\Windows\SysWOW64\Blbknaib.exe Bdkcmdhp.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7696 7568 WerFault.exe 538 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imcphcfn.dll" Lafmol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkgmcjld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkgldj32.dll" Bdkcmdhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehldcbk.dll" Bblckl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ceoibflm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfbploob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogibpb32.dll" Lenamdem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cglgjeci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobnnd32.dll" Lmmolepp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeedjegm.dll" Lgepom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enigke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Holjqf32.dll" Mkjqcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgopffec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bejogg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojgbfocc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gekcaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpgbgamd.dll" Bbgeno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjhacf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfffjqdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gekcaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqgimkfi.dll" Eplnpeol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdbpgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chncif32.dll" Dllfkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gebgohck.dll" Kfankifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emeoooml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnkaalkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmkgkapm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cboeai32.dll" Dmcain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckjooo32.dll" Hefnkkkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifomll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfpcoefj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jeekkafl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajneip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qikgco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiodpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jiiicf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Offnhpfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plmogkoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhnbpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noekdfjb.dll" Klifnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmcldc32.dll" Fphnlcdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djhimica.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlglidlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhpicj32.dll" Ojomcopk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdhphkin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igleoo32.dll" Cpleig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodfmh32.dll" Mckemg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nadleilm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cibifp32.dll" Hoiafcic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Diffglam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legokici.dll" Mhoipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Konidd32.dll" Fbgihaji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfbped32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node 361003b5c292a1ec6d7d3b5984142e008b43aae40dbc847145e31143b1fa69f7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfffjqdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahhblemi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odapnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kijjbofj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qglmjp32.dll" Fjhacf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knhakh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmiadaea.dll" Nncccnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekmihm32.dll" Ibjqcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppelifin.dll" Qgciaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdnfdoa.dll" Nmgjia32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3128 wrote to memory of 896 3128 361003b5c292a1ec6d7d3b5984142e008b43aae40dbc847145e31143b1fa69f7.exe 78 PID 3128 wrote to memory of 896 3128 361003b5c292a1ec6d7d3b5984142e008b43aae40dbc847145e31143b1fa69f7.exe 78 PID 3128 wrote to memory of 896 3128 361003b5c292a1ec6d7d3b5984142e008b43aae40dbc847145e31143b1fa69f7.exe 78 PID 896 wrote to memory of 380 896 Jdhphkin.exe 79 PID 896 wrote to memory of 380 896 Jdhphkin.exe 79 PID 896 wrote to memory of 380 896 Jdhphkin.exe 79 PID 380 wrote to memory of 1120 380 Koekfc32.exe 80 PID 380 wrote to memory of 1120 380 Koekfc32.exe 80 PID 380 wrote to memory of 1120 380 Koekfc32.exe 80 PID 1120 wrote to memory of 3600 1120 Kpidck32.exe 81 PID 1120 wrote to memory of 3600 1120 Kpidck32.exe 81 PID 1120 wrote to memory of 3600 1120 Kpidck32.exe 81 PID 3600 wrote to memory of 3308 3600 Kolagb32.exe 82 PID 3600 wrote to memory of 3308 3600 Kolagb32.exe 82 PID 3600 wrote to memory of 3308 3600 Kolagb32.exe 82 PID 3308 wrote to memory of 3996 3308 Lafmol32.exe 83 PID 3308 wrote to memory of 3996 3308 Lafmol32.exe 83 PID 3308 wrote to memory of 3996 3308 Lafmol32.exe 83 PID 3996 wrote to memory of 3444 3996 Mgebmbmo.exe 84 PID 3996 wrote to memory of 3444 3996 Mgebmbmo.exe 84 PID 3996 wrote to memory of 3444 3996 Mgebmbmo.exe 84 PID 3444 wrote to memory of 4112 3444 Mghobbkl.exe 85 PID 3444 wrote to memory of 4112 3444 Mghobbkl.exe 85 PID 3444 wrote to memory of 4112 3444 Mghobbkl.exe 85 PID 4112 wrote to memory of 3124 4112 Mhihbeql.exe 86 PID 4112 wrote to memory of 3124 4112 Mhihbeql.exe 86 PID 4112 wrote to memory of 3124 4112 Mhihbeql.exe 86 PID 3124 wrote to memory of 3976 3124 Mkjqcp32.exe 87 PID 3124 wrote to memory of 3976 3124 Mkjqcp32.exe 87 PID 3124 wrote to memory of 3976 3124 Mkjqcp32.exe 87 PID 3976 wrote to memory of 1968 3976 Nnmfkkhl.exe 88 PID 3976 wrote to memory of 1968 3976 Nnmfkkhl.exe 88 PID 3976 wrote to memory of 1968 3976 Nnmfkkhl.exe 88 PID 1968 wrote to memory of 4828 1968 Nomcen32.exe 89 PID 1968 wrote to memory of 4828 1968 Nomcen32.exe 89 PID 1968 wrote to memory of 4828 1968 Nomcen32.exe 89 PID 4828 wrote to memory of 4436 4828 Nbnlfimp.exe 90 PID 4828 wrote to memory of 4436 4828 Nbnlfimp.exe 90 PID 4828 wrote to memory of 4436 4828 Nbnlfimp.exe 90 PID 4436 wrote to memory of 3568 4436 Noalpmli.exe 91 PID 4436 wrote to memory of 3568 4436 Noalpmli.exe 91 PID 4436 wrote to memory of 3568 4436 Noalpmli.exe 91 PID 3568 wrote to memory of 4884 3568 Oijqibbj.exe 92 PID 3568 wrote to memory of 4884 3568 Oijqibbj.exe 92 PID 3568 wrote to memory of 4884 3568 Oijqibbj.exe 92 PID 4884 wrote to memory of 4228 4884 Oaeemepe.exe 93 PID 4884 wrote to memory of 4228 4884 Oaeemepe.exe 93 PID 4884 wrote to memory of 4228 4884 Oaeemepe.exe 93 PID 4228 wrote to memory of 4468 4228 Oalknd32.exe 94 PID 4228 wrote to memory of 4468 4228 Oalknd32.exe 94 PID 4228 wrote to memory of 4468 4228 Oalknd32.exe 94 PID 4468 wrote to memory of 1988 4468 Pejddb32.exe 95 PID 4468 wrote to memory of 1988 4468 Pejddb32.exe 95 PID 4468 wrote to memory of 1988 4468 Pejddb32.exe 95 PID 1988 wrote to memory of 4528 1988 Pneebg32.exe 96 PID 1988 wrote to memory of 4528 1988 Pneebg32.exe 96 PID 1988 wrote to memory of 4528 1988 Pneebg32.exe 96 PID 4528 wrote to memory of 4184 4528 Peajdajk.exe 97 PID 4528 wrote to memory of 4184 4528 Peajdajk.exe 97 PID 4528 wrote to memory of 4184 4528 Peajdajk.exe 97 PID 4184 wrote to memory of 3332 4184 Pbekne32.exe 98 PID 4184 wrote to memory of 3332 4184 Pbekne32.exe 98 PID 4184 wrote to memory of 3332 4184 Pbekne32.exe 98 PID 3332 wrote to memory of 2436 3332 Plmogkoe.exe 99
Processes
-
C:\Users\Admin\AppData\Local\Temp\361003b5c292a1ec6d7d3b5984142e008b43aae40dbc847145e31143b1fa69f7.exe"C:\Users\Admin\AppData\Local\Temp\361003b5c292a1ec6d7d3b5984142e008b43aae40dbc847145e31143b1fa69f7.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Windows\SysWOW64\Jdhphkin.exeC:\Windows\system32\Jdhphkin.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:896 -
C:\Windows\SysWOW64\Koekfc32.exeC:\Windows\system32\Koekfc32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\SysWOW64\Kpidck32.exeC:\Windows\system32\Kpidck32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\Kolagb32.exeC:\Windows\system32\Kolagb32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Windows\SysWOW64\Lafmol32.exeC:\Windows\system32\Lafmol32.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Windows\SysWOW64\Mgebmbmo.exeC:\Windows\system32\Mgebmbmo.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\SysWOW64\Mghobbkl.exeC:\Windows\system32\Mghobbkl.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Windows\SysWOW64\Mhihbeql.exeC:\Windows\system32\Mhihbeql.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Windows\SysWOW64\Mkjqcp32.exeC:\Windows\system32\Mkjqcp32.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Windows\SysWOW64\Nnmfkkhl.exeC:\Windows\system32\Nnmfkkhl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
C:\Windows\SysWOW64\Nomcen32.exeC:\Windows\system32\Nomcen32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Nbnlfimp.exeC:\Windows\system32\Nbnlfimp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\Noalpmli.exeC:\Windows\system32\Noalpmli.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Windows\SysWOW64\Oijqibbj.exeC:\Windows\system32\Oijqibbj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Windows\SysWOW64\Oaeemepe.exeC:\Windows\system32\Oaeemepe.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\Oalknd32.exeC:\Windows\system32\Oalknd32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\SysWOW64\Pejddb32.exeC:\Windows\system32\Pejddb32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\SysWOW64\Pneebg32.exeC:\Windows\system32\Pneebg32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Peajdajk.exeC:\Windows\system32\Peajdajk.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Windows\SysWOW64\Pbekne32.exeC:\Windows\system32\Pbekne32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184 -
C:\Windows\SysWOW64\Plmogkoe.exeC:\Windows\system32\Plmogkoe.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3332 -
C:\Windows\SysWOW64\Qbjdiedp.exeC:\Windows\system32\Qbjdiedp.exe23⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Aldegj32.exeC:\Windows\system32\Aldegj32.exe24⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Bibigmpl.exeC:\Windows\system32\Bibigmpl.exe25⤵
- Executes dropped EXE
PID:4192 -
C:\Windows\SysWOW64\Bidemmnj.exeC:\Windows\system32\Bidemmnj.exe26⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Bhibni32.exeC:\Windows\system32\Bhibni32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4216 -
C:\Windows\SysWOW64\Cpgqpe32.exeC:\Windows\system32\Cpgqpe32.exe28⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Caimgncj.exeC:\Windows\system32\Caimgncj.exe29⤵
- Executes dropped EXE
PID:336 -
C:\Windows\SysWOW64\Capchmmb.exeC:\Windows\system32\Capchmmb.exe30⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Dlgdkeje.exeC:\Windows\system32\Dlgdkeje.exe31⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Dohmlp32.exeC:\Windows\system32\Dohmlp32.exe32⤵
- Executes dropped EXE
PID:3452 -
C:\Windows\SysWOW64\Efgodj32.exeC:\Windows\system32\Efgodj32.exe33⤵
- Executes dropped EXE
PID:4140 -
C:\Windows\SysWOW64\Elagacbk.exeC:\Windows\system32\Elagacbk.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2024 -
C:\Windows\SysWOW64\Ehhgfdho.exeC:\Windows\system32\Ehhgfdho.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Emjjgbjp.exeC:\Windows\system32\Emjjgbjp.exe36⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Fqhbmqqg.exeC:\Windows\system32\Fqhbmqqg.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\Fqmlhpla.exeC:\Windows\system32\Fqmlhpla.exe38⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Fodeolof.exeC:\Windows\system32\Fodeolof.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Giacca32.exeC:\Windows\system32\Giacca32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4400 -
C:\Windows\SysWOW64\Gcggpj32.exeC:\Windows\system32\Gcggpj32.exe41⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Gcidfi32.exeC:\Windows\system32\Gcidfi32.exe42⤵
- Executes dropped EXE
PID:5056 -
C:\Windows\SysWOW64\Gfhqbe32.exeC:\Windows\system32\Gfhqbe32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5008 -
C:\Windows\SysWOW64\Hmdedo32.exeC:\Windows\system32\Hmdedo32.exe44⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Habnjm32.exeC:\Windows\system32\Habnjm32.exe45⤵
- Executes dropped EXE
PID:3776 -
C:\Windows\SysWOW64\Ibjqcd32.exeC:\Windows\system32\Ibjqcd32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1136 -
C:\Windows\SysWOW64\Imdnklfp.exeC:\Windows\system32\Imdnklfp.exe47⤵
- Executes dropped EXE
PID:3400 -
C:\Windows\SysWOW64\Jfdida32.exeC:\Windows\system32\Jfdida32.exe48⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Jfffjqdf.exeC:\Windows\system32\Jfffjqdf.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1308 -
C:\Windows\SysWOW64\Jbmfoa32.exeC:\Windows\system32\Jbmfoa32.exe50⤵
- Executes dropped EXE
PID:3708 -
C:\Windows\SysWOW64\Kdopod32.exeC:\Windows\system32\Kdopod32.exe51⤵
- Executes dropped EXE
PID:3316 -
C:\Windows\SysWOW64\Kilhgk32.exeC:\Windows\system32\Kilhgk32.exe52⤵
- Executes dropped EXE
PID:3632 -
C:\Windows\SysWOW64\Kipabjil.exeC:\Windows\system32\Kipabjil.exe53⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Lgkhlnbn.exeC:\Windows\system32\Lgkhlnbn.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Lddbqa32.exeC:\Windows\system32\Lddbqa32.exe55⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Lknjmkdo.exeC:\Windows\system32\Lknjmkdo.exe56⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Mjcgohig.exeC:\Windows\system32\Mjcgohig.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1416 -
C:\Windows\SysWOW64\Mpmokb32.exeC:\Windows\system32\Mpmokb32.exe58⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Mgidml32.exeC:\Windows\system32\Mgidml32.exe59⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Mdmegp32.exeC:\Windows\system32\Mdmegp32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe63⤵
- Executes dropped EXE
PID:3652 -
C:\Windows\SysWOW64\Nnmopdep.exeC:\Windows\system32\Nnmopdep.exe64⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe66⤵PID:4948
-
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe67⤵PID:3392
-
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2284 -
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe69⤵PID:3596
-
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe70⤵PID:852
-
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe71⤵PID:3188
-
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe72⤵
- Drops file in System32 directory
- Modifies registry class
PID:3624 -
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe73⤵
- Drops file in System32 directory
PID:1344 -
C:\Windows\SysWOW64\Qnkdhpjn.exeC:\Windows\system32\Qnkdhpjn.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2788 -
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe75⤵PID:2532
-
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe76⤵
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe77⤵PID:4012
-
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe78⤵PID:3216
-
C:\Windows\SysWOW64\Anpncp32.exeC:\Windows\system32\Anpncp32.exe79⤵PID:2844
-
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe80⤵PID:4560
-
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3548 -
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3252 -
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe83⤵
- Drops file in System32 directory
- Modifies registry class
PID:4984 -
C:\Windows\SysWOW64\Blbknaib.exeC:\Windows\system32\Blbknaib.exe84⤵PID:4804
-
C:\Windows\SysWOW64\Bblckl32.exeC:\Windows\system32\Bblckl32.exe85⤵
- Modifies registry class
PID:3684 -
C:\Windows\SysWOW64\Bejogg32.exeC:\Windows\system32\Bejogg32.exe86⤵
- Modifies registry class
PID:3924 -
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe87⤵
- Modifies registry class
PID:4860 -
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe88⤵PID:1692
-
C:\Windows\SysWOW64\Cklaknjd.exeC:\Windows\system32\Cklaknjd.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3212 -
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe90⤵PID:1492
-
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe91⤵PID:2108
-
C:\Windows\SysWOW64\Cbefaj32.exeC:\Windows\system32\Cbefaj32.exe92⤵PID:1200
-
C:\Windows\SysWOW64\Ckpjfm32.exeC:\Windows\system32\Ckpjfm32.exe93⤵PID:1576
-
C:\Windows\SysWOW64\Camphf32.exeC:\Windows\system32\Camphf32.exe94⤵PID:1924
-
C:\Windows\SysWOW64\Dllfkn32.exeC:\Windows\system32\Dllfkn32.exe95⤵
- Modifies registry class
PID:4452 -
C:\Windows\SysWOW64\Ekjfcipa.exeC:\Windows\system32\Ekjfcipa.exe96⤵PID:4200
-
C:\Windows\SysWOW64\Flnlhk32.exeC:\Windows\system32\Flnlhk32.exe97⤵
- Drops file in System32 directory
PID:3184 -
C:\Windows\SysWOW64\Gfpcgpae.exeC:\Windows\system32\Gfpcgpae.exe98⤵PID:316
-
C:\Windows\SysWOW64\Ghopckpi.exeC:\Windows\system32\Ghopckpi.exe99⤵PID:344
-
C:\Windows\SysWOW64\Gohhpe32.exeC:\Windows\system32\Gohhpe32.exe100⤵PID:4264
-
C:\Windows\SysWOW64\Gfbploob.exeC:\Windows\system32\Gfbploob.exe101⤵
- Modifies registry class
PID:4340 -
C:\Windows\SysWOW64\Helfik32.exeC:\Windows\system32\Helfik32.exe102⤵PID:4212
-
C:\Windows\SysWOW64\Hmcojh32.exeC:\Windows\system32\Hmcojh32.exe103⤵PID:4596
-
C:\Windows\SysWOW64\Hcmgfbhd.exeC:\Windows\system32\Hcmgfbhd.exe104⤵PID:2604
-
C:\Windows\SysWOW64\Hfqlnm32.exeC:\Windows\system32\Hfqlnm32.exe105⤵
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\Hoiafcic.exeC:\Windows\system32\Hoiafcic.exe106⤵
- Modifies registry class
PID:4796 -
C:\Windows\SysWOW64\Hfcicmqp.exeC:\Windows\system32\Hfcicmqp.exe107⤵PID:4760
-
C:\Windows\SysWOW64\Iiaephpc.exeC:\Windows\system32\Iiaephpc.exe108⤵PID:2516
-
C:\Windows\SysWOW64\Imdgqfbd.exeC:\Windows\system32\Imdgqfbd.exe109⤵
- Drops file in System32 directory
PID:5036 -
C:\Windows\SysWOW64\Jefbfgig.exeC:\Windows\system32\Jefbfgig.exe110⤵PID:3772
-
C:\Windows\SysWOW64\Jcioiood.exeC:\Windows\system32\Jcioiood.exe111⤵
- Drops file in System32 directory
PID:1768 -
C:\Windows\SysWOW64\Jfhlejnh.exeC:\Windows\system32\Jfhlejnh.exe112⤵PID:3756
-
C:\Windows\SysWOW64\Jmbdbd32.exeC:\Windows\system32\Jmbdbd32.exe113⤵PID:1312
-
C:\Windows\SysWOW64\Kdnidn32.exeC:\Windows\system32\Kdnidn32.exe114⤵PID:4344
-
C:\Windows\SysWOW64\Kepelfam.exeC:\Windows\system32\Kepelfam.exe115⤵PID:576
-
C:\Windows\SysWOW64\Kfankifm.exeC:\Windows\system32\Kfankifm.exe116⤵
- Modifies registry class
PID:3136 -
C:\Windows\SysWOW64\Lmppcbjd.exeC:\Windows\system32\Lmppcbjd.exe117⤵PID:2972
-
C:\Windows\SysWOW64\Lfhdlh32.exeC:\Windows\system32\Lfhdlh32.exe118⤵PID:2396
-
C:\Windows\SysWOW64\Llemdo32.exeC:\Windows\system32\Llemdo32.exe119⤵PID:3032
-
C:\Windows\SysWOW64\Lenamdem.exeC:\Windows\system32\Lenamdem.exe120⤵
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Lljfpnjg.exeC:\Windows\system32\Lljfpnjg.exe121⤵PID:2416
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-