Analysis
-
max time kernel
120s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
15/03/2024, 18:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1ca3e1027242931b9486b9c3f34302d64fec7243667fdd8367ea982533a5f7b9.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
1ca3e1027242931b9486b9c3f34302d64fec7243667fdd8367ea982533a5f7b9.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
1ca3e1027242931b9486b9c3f34302d64fec7243667fdd8367ea982533a5f7b9.exe
-
Size
446KB
-
MD5
81dc88aa4de2a5903fb36aa81e4b014a
-
SHA1
51ff85188a18ff7b635c8d0517e6e2226e48e08b
-
SHA256
1ca3e1027242931b9486b9c3f34302d64fec7243667fdd8367ea982533a5f7b9
-
SHA512
eabc5dbb36cfab0235b8c1423317d88229be065065e0ebcf5d091ca6edc9aef0a2d80b13d4a14152de41f522c0e0d9c289c832b0e7f6400c99daeb8c4e5c9180
-
SSDEEP
6144:dfLHRfrHGPOwXYrMdlvkGr0f+uPOwXYrMdlsLS7De:dzZrhwIaJwIdSy
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obgnhkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igceej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnpciaef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iejiodbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coicfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eifmimch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fapeic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oflpgnld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boifga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kapohbfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdklfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkhibino.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eakhdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgjjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgknkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnagmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inhanl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eibgpnjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eifmimch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jplfkjbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpgionie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdpfadlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kijkje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mflgih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncfalqpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aojabdlf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klfjpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmedlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfbfhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phcilf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bieopm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoojnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kechdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dadbdkld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgocmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gncnmane.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljnnko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnnaoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofcqcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoagccfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoeamo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfanmogq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgocmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndkhngdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcgphp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elcpbigl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kokmmkcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkdffoij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhonjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgnokgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icifjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfncpcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bieopm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feiddbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcfemmna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmaeho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iakgefqe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaebeoan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhhgpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fncpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eibgpnjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmoofdea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifgpnmom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iihiphln.exe -
Executes dropped EXE 64 IoCs
pid Process 2152 Lmjnak32.exe 2888 Ljnnko32.exe 2900 Lbicoamh.exe 2948 Mkaghg32.exe 2612 Mpopnejo.exe 2544 Ndhlhg32.exe 2624 Ndkhngdd.exe 2384 Nmcmgm32.exe 2848 Oeehln32.exe 2364 Okbpde32.exe 1736 Ohfqmi32.exe 1156 Omcifpnp.exe 908 Okgjodmi.exe 1780 Pljcllqe.exe 2368 Qfljkp32.exe 2756 Qackpado.exe 2216 Aknlofim.exe 1760 Afgmodel.exe 440 Afjjed32.exe 1132 Aobnniji.exe 1372 Aijbfo32.exe 1952 Bfncpcoc.exe 576 Bofgii32.exe 832 Biolanld.exe 1840 Bbgqjdce.exe 1048 Bnnaoe32.exe 860 Behilopf.exe 1908 Bkbaii32.exe 1612 Caaggpdh.exe 1388 Eggndi32.exe 3020 Eldglp32.exe 2656 Eklqcl32.exe 2936 Elkmmodo.exe 2920 Eaheeecg.exe 2540 Fajbke32.exe 2644 Fjegog32.exe 2640 Fpoolael.exe 2504 Fncpef32.exe 1892 Fgldnkkf.exe 1292 Fgnadkic.exe 1644 Goiehm32.exe 1244 Ghajacmo.exe 2140 Gbjojh32.exe 1124 Gkbcbn32.exe 2724 Gfhgpg32.exe 2688 Gncldi32.exe 2628 Ggkqmoma.exe 2060 Gbadjg32.exe 1100 Ggnmbn32.exe 632 Hcdnhoac.exe 1756 Hmmbqegc.exe 896 Hfegij32.exe 3012 Hmoofdea.exe 1076 Hldlga32.exe 1768 Hihlqeib.exe 1912 Hbaaik32.exe 560 Ihniaa32.exe 1668 Inhanl32.exe 1568 Ihpfgalh.exe 2304 Iahkpg32.exe 3028 Ijqoilii.exe 2928 Iakgefqe.exe 2884 Ifgpnmom.exe 2500 Idkpganf.exe -
Loads dropped DLL 64 IoCs
pid Process 1556 1ca3e1027242931b9486b9c3f34302d64fec7243667fdd8367ea982533a5f7b9.exe 1556 1ca3e1027242931b9486b9c3f34302d64fec7243667fdd8367ea982533a5f7b9.exe 2152 Lmjnak32.exe 2152 Lmjnak32.exe 2888 Ljnnko32.exe 2888 Ljnnko32.exe 2900 Lbicoamh.exe 2900 Lbicoamh.exe 2948 Mkaghg32.exe 2948 Mkaghg32.exe 2612 Mpopnejo.exe 2612 Mpopnejo.exe 2544 Ndhlhg32.exe 2544 Ndhlhg32.exe 2624 Ndkhngdd.exe 2624 Ndkhngdd.exe 2384 Nmcmgm32.exe 2384 Nmcmgm32.exe 2848 Oeehln32.exe 2848 Oeehln32.exe 2364 Okbpde32.exe 2364 Okbpde32.exe 1736 Ohfqmi32.exe 1736 Ohfqmi32.exe 1156 Omcifpnp.exe 1156 Omcifpnp.exe 908 Okgjodmi.exe 908 Okgjodmi.exe 1780 Pljcllqe.exe 1780 Pljcllqe.exe 2368 Qfljkp32.exe 2368 Qfljkp32.exe 2756 Qackpado.exe 2756 Qackpado.exe 2216 Aknlofim.exe 2216 Aknlofim.exe 1760 Afgmodel.exe 1760 Afgmodel.exe 440 Afjjed32.exe 440 Afjjed32.exe 1132 Aobnniji.exe 1132 Aobnniji.exe 1372 Aijbfo32.exe 1372 Aijbfo32.exe 1952 Bfncpcoc.exe 1952 Bfncpcoc.exe 576 Bofgii32.exe 576 Bofgii32.exe 832 Biolanld.exe 832 Biolanld.exe 1840 Bbgqjdce.exe 1840 Bbgqjdce.exe 1048 Bnnaoe32.exe 1048 Bnnaoe32.exe 860 Behilopf.exe 860 Behilopf.exe 1908 Bkbaii32.exe 1908 Bkbaii32.exe 1612 Caaggpdh.exe 1612 Caaggpdh.exe 1388 Eggndi32.exe 1388 Eggndi32.exe 3020 Eldglp32.exe 3020 Eldglp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hoqjqhjf.exe Hfhfhbce.exe File created C:\Windows\SysWOW64\Qbkalpla.dll Epeoaffo.exe File created C:\Windows\SysWOW64\Jdpkmjnb.dll Bceibfgj.exe File opened for modification C:\Windows\SysWOW64\Dpklkgoj.exe Dcdkef32.exe File created C:\Windows\SysWOW64\Inojhc32.exe Icifjk32.exe File opened for modification C:\Windows\SysWOW64\Eklqcl32.exe Eldglp32.exe File opened for modification C:\Windows\SysWOW64\Iihiphln.exe Idkpganf.exe File created C:\Windows\SysWOW64\Bceibfgj.exe Bniajoic.exe File created C:\Windows\SysWOW64\Gimfed32.dll Epeekmjk.exe File created C:\Windows\SysWOW64\Hellqgnm.dll Gehiioaj.exe File opened for modification C:\Windows\SysWOW64\Aijbfo32.exe Aobnniji.exe File created C:\Windows\SysWOW64\Oljomn32.dll Ghajacmo.exe File opened for modification C:\Windows\SysWOW64\Ijqoilii.exe Iahkpg32.exe File created C:\Windows\SysWOW64\Kglehp32.exe Kekiphge.exe File created C:\Windows\SysWOW64\Mmgfqh32.exe Mfmndn32.exe File created C:\Windows\SysWOW64\Pehcij32.exe Plpopddd.exe File created C:\Windows\SysWOW64\Ljnnko32.exe Lmjnak32.exe File opened for modification C:\Windows\SysWOW64\Qndkpmkm.exe Pleofj32.exe File created C:\Windows\SysWOW64\Jndjmifj.exe Jelfdc32.exe File created C:\Windows\SysWOW64\Hgciff32.exe Hddmjk32.exe File opened for modification C:\Windows\SysWOW64\Iakgefqe.exe Ijqoilii.exe File created C:\Windows\SysWOW64\Lqapifjb.dll Fkhbgbkc.exe File opened for modification C:\Windows\SysWOW64\Ioeclg32.exe Ieponofk.exe File created C:\Windows\SysWOW64\Dhhgkj32.dll Gmeeepjp.exe File opened for modification C:\Windows\SysWOW64\Kekiphge.exe Kkeecogo.exe File created C:\Windows\SysWOW64\Calcpm32.exe Ceebklai.exe File opened for modification C:\Windows\SysWOW64\Dinneo32.exe Dpcmgi32.exe File created C:\Windows\SysWOW64\Plpopddd.exe Pfbfhm32.exe File created C:\Windows\SysWOW64\Hagojlib.dll Qiflohqk.exe File created C:\Windows\SysWOW64\Ekhnnojb.dll Jggoqimd.exe File opened for modification C:\Windows\SysWOW64\Kbjbge32.exe Jplfkjbd.exe File created C:\Windows\SysWOW64\Jkchmo32.exe Jolghndm.exe File created C:\Windows\SysWOW64\Nnleiipc.exe Ncfalqpm.exe File created C:\Windows\SysWOW64\Pfpibn32.exe Pacajg32.exe File opened for modification C:\Windows\SysWOW64\Cglalbbi.exe Cmfmojcb.exe File created C:\Windows\SysWOW64\Bniajoic.exe Bccmmf32.exe File created C:\Windows\SysWOW64\Obobnb32.dll Jjpdmi32.exe File created C:\Windows\SysWOW64\Obeacl32.exe Olkifaen.exe File created C:\Windows\SysWOW64\Pacajg32.exe Ppddpd32.exe File created C:\Windows\SysWOW64\Bfncpcoc.exe Aijbfo32.exe File created C:\Windows\SysWOW64\Folhgbid.exe Fhbpkh32.exe File created C:\Windows\SysWOW64\Jfmgba32.dll Hgciff32.exe File created C:\Windows\SysWOW64\Jlhdnf32.dll Pfpibn32.exe File created C:\Windows\SysWOW64\Hpfnbh32.dll Fkhibino.exe File opened for modification C:\Windows\SysWOW64\Lljpjchg.exe Lcblan32.exe File created C:\Windows\SysWOW64\Pdioqoen.dll Ncpdbohb.exe File created C:\Windows\SysWOW64\Qoeamo32.exe Qhkipdeb.exe File created C:\Windows\SysWOW64\Fgdgcfmb.exe Flocfmnl.exe File created C:\Windows\SysWOW64\Nfnidhlj.dll Fcpacf32.exe File created C:\Windows\SysWOW64\Dpnladjl.exe Ccgklc32.exe File opened for modification C:\Windows\SysWOW64\Bieopm32.exe Boljgg32.exe File created C:\Windows\SysWOW64\Qdncmgbj.exe Qndkpmkm.exe File opened for modification C:\Windows\SysWOW64\Kijkje32.exe Kgkonj32.exe File created C:\Windows\SysWOW64\Nlbjim32.dll Pdjjag32.exe File created C:\Windows\SysWOW64\Boadnkpf.dll Lfhhjklc.exe File created C:\Windows\SysWOW64\Bccmmf32.exe Bqeqqk32.exe File opened for modification C:\Windows\SysWOW64\Kjokokha.exe Kdbbgdjj.exe File created C:\Windows\SysWOW64\Dpcmgi32.exe Djfdob32.exe File created C:\Windows\SysWOW64\Kbbobkol.exe Kijkje32.exe File opened for modification C:\Windows\SysWOW64\Fhbpkh32.exe Fahhnn32.exe File created C:\Windows\SysWOW64\Mdaaomdi.dll Gncnmane.exe File opened for modification C:\Windows\SysWOW64\Hmoofdea.exe Hfegij32.exe File created C:\Windows\SysWOW64\Aglfmjon.dll Aoagccfn.exe File created C:\Windows\SysWOW64\Lanlcl32.dll Gckdgjeb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4932 4908 WerFault.exe 358 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omcifpnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgkjaa32.dll" Afjjed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knnpkl32.dll" Iahkpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aficjnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mifnodlj.dll" Eeldkonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgkkmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebqngb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 1ca3e1027242931b9486b9c3f34302d64fec7243667fdd8367ea982533a5f7b9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bieopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqkmplen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Decfggnn.dll" Oplelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iiqldc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqokpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cglalbbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiioin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eeldkonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enoamb32.dll" Bofgii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggnmbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmhjff32.dll" Eaebeoan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgdgcfmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlhhkjkc.dll" Qackpado.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcdnhoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgcmbcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aomnhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoojnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klfjpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okbpde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojefmknj.dll" Pkjphcff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qoeamo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfegij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iagcpm32.dll" Mcfemmna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gncnmane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aplpbjee.dll" Inhanl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kglehp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahpifj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mphaobfe.dll" Olbogqoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbkalpla.dll" Epeoaffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgqlafap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdpfadlm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phlclgfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alppmhnm.dll" Aoojnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Feiddbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmdpgmhn.dll" Mflgih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfljkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oepoia32.dll" Kpkpadnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkifia32.dll" Eemnnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdnmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdonf32.dll" Kdpfadlm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eeldkonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cglalbbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjmkeb32.dll" Hgqlafap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleajenp.dll" Ijqoilii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccgklc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iakino32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjibgc32.dll" Mcjhmcok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Modlbmmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkdbhahq.dll" Kjahej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpfplo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokhie32.dll" Nqokpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgnokgcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eklqcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkjphcff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekkjheja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pacajg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1556 wrote to memory of 2152 1556 1ca3e1027242931b9486b9c3f34302d64fec7243667fdd8367ea982533a5f7b9.exe 28 PID 1556 wrote to memory of 2152 1556 1ca3e1027242931b9486b9c3f34302d64fec7243667fdd8367ea982533a5f7b9.exe 28 PID 1556 wrote to memory of 2152 1556 1ca3e1027242931b9486b9c3f34302d64fec7243667fdd8367ea982533a5f7b9.exe 28 PID 1556 wrote to memory of 2152 1556 1ca3e1027242931b9486b9c3f34302d64fec7243667fdd8367ea982533a5f7b9.exe 28 PID 2152 wrote to memory of 2888 2152 Lmjnak32.exe 29 PID 2152 wrote to memory of 2888 2152 Lmjnak32.exe 29 PID 2152 wrote to memory of 2888 2152 Lmjnak32.exe 29 PID 2152 wrote to memory of 2888 2152 Lmjnak32.exe 29 PID 2888 wrote to memory of 2900 2888 Ljnnko32.exe 30 PID 2888 wrote to memory of 2900 2888 Ljnnko32.exe 30 PID 2888 wrote to memory of 2900 2888 Ljnnko32.exe 30 PID 2888 wrote to memory of 2900 2888 Ljnnko32.exe 30 PID 2900 wrote to memory of 2948 2900 Lbicoamh.exe 31 PID 2900 wrote to memory of 2948 2900 Lbicoamh.exe 31 PID 2900 wrote to memory of 2948 2900 Lbicoamh.exe 31 PID 2900 wrote to memory of 2948 2900 Lbicoamh.exe 31 PID 2948 wrote to memory of 2612 2948 Mkaghg32.exe 32 PID 2948 wrote to memory of 2612 2948 Mkaghg32.exe 32 PID 2948 wrote to memory of 2612 2948 Mkaghg32.exe 32 PID 2948 wrote to memory of 2612 2948 Mkaghg32.exe 32 PID 2612 wrote to memory of 2544 2612 Mpopnejo.exe 33 PID 2612 wrote to memory of 2544 2612 Mpopnejo.exe 33 PID 2612 wrote to memory of 2544 2612 Mpopnejo.exe 33 PID 2612 wrote to memory of 2544 2612 Mpopnejo.exe 33 PID 2544 wrote to memory of 2624 2544 Ndhlhg32.exe 34 PID 2544 wrote to memory of 2624 2544 Ndhlhg32.exe 34 PID 2544 wrote to memory of 2624 2544 Ndhlhg32.exe 34 PID 2544 wrote to memory of 2624 2544 Ndhlhg32.exe 34 PID 2624 wrote to memory of 2384 2624 Ndkhngdd.exe 35 PID 2624 wrote to memory of 2384 2624 Ndkhngdd.exe 35 PID 2624 wrote to memory of 2384 2624 Ndkhngdd.exe 35 PID 2624 wrote to memory of 2384 2624 Ndkhngdd.exe 35 PID 2384 wrote to memory of 2848 2384 Nmcmgm32.exe 36 PID 2384 wrote to memory of 2848 2384 Nmcmgm32.exe 36 PID 2384 wrote to memory of 2848 2384 Nmcmgm32.exe 36 PID 2384 wrote to memory of 2848 2384 Nmcmgm32.exe 36 PID 2848 wrote to memory of 2364 2848 Oeehln32.exe 37 PID 2848 wrote to memory of 2364 2848 Oeehln32.exe 37 PID 2848 wrote to memory of 2364 2848 Oeehln32.exe 37 PID 2848 wrote to memory of 2364 2848 Oeehln32.exe 37 PID 2364 wrote to memory of 1736 2364 Okbpde32.exe 38 PID 2364 wrote to memory of 1736 2364 Okbpde32.exe 38 PID 2364 wrote to memory of 1736 2364 Okbpde32.exe 38 PID 2364 wrote to memory of 1736 2364 Okbpde32.exe 38 PID 1736 wrote to memory of 1156 1736 Ohfqmi32.exe 39 PID 1736 wrote to memory of 1156 1736 Ohfqmi32.exe 39 PID 1736 wrote to memory of 1156 1736 Ohfqmi32.exe 39 PID 1736 wrote to memory of 1156 1736 Ohfqmi32.exe 39 PID 1156 wrote to memory of 908 1156 Omcifpnp.exe 40 PID 1156 wrote to memory of 908 1156 Omcifpnp.exe 40 PID 1156 wrote to memory of 908 1156 Omcifpnp.exe 40 PID 1156 wrote to memory of 908 1156 Omcifpnp.exe 40 PID 908 wrote to memory of 1780 908 Okgjodmi.exe 41 PID 908 wrote to memory of 1780 908 Okgjodmi.exe 41 PID 908 wrote to memory of 1780 908 Okgjodmi.exe 41 PID 908 wrote to memory of 1780 908 Okgjodmi.exe 41 PID 1780 wrote to memory of 2368 1780 Pljcllqe.exe 42 PID 1780 wrote to memory of 2368 1780 Pljcllqe.exe 42 PID 1780 wrote to memory of 2368 1780 Pljcllqe.exe 42 PID 1780 wrote to memory of 2368 1780 Pljcllqe.exe 42 PID 2368 wrote to memory of 2756 2368 Qfljkp32.exe 43 PID 2368 wrote to memory of 2756 2368 Qfljkp32.exe 43 PID 2368 wrote to memory of 2756 2368 Qfljkp32.exe 43 PID 2368 wrote to memory of 2756 2368 Qfljkp32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\1ca3e1027242931b9486b9c3f34302d64fec7243667fdd8367ea982533a5f7b9.exe"C:\Users\Admin\AppData\Local\Temp\1ca3e1027242931b9486b9c3f34302d64fec7243667fdd8367ea982533a5f7b9.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Lmjnak32.exeC:\Windows\system32\Lmjnak32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Ljnnko32.exeC:\Windows\system32\Ljnnko32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Lbicoamh.exeC:\Windows\system32\Lbicoamh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Mkaghg32.exeC:\Windows\system32\Mkaghg32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Mpopnejo.exeC:\Windows\system32\Mpopnejo.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Ndhlhg32.exeC:\Windows\system32\Ndhlhg32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Ndkhngdd.exeC:\Windows\system32\Ndkhngdd.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Nmcmgm32.exeC:\Windows\system32\Nmcmgm32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Okbpde32.exeC:\Windows\system32\Okbpde32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Ohfqmi32.exeC:\Windows\system32\Ohfqmi32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Omcifpnp.exeC:\Windows\system32\Omcifpnp.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\Okgjodmi.exeC:\Windows\system32\Okgjodmi.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\SysWOW64\Pljcllqe.exeC:\Windows\system32\Pljcllqe.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Qfljkp32.exeC:\Windows\system32\Qfljkp32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Aknlofim.exeC:\Windows\system32\Aknlofim.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Afgmodel.exeC:\Windows\system32\Afgmodel.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1760 -
C:\Windows\SysWOW64\Afjjed32.exeC:\Windows\system32\Afjjed32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:440 -
C:\Windows\SysWOW64\Aobnniji.exeC:\Windows\system32\Aobnniji.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1132 -
C:\Windows\SysWOW64\Aijbfo32.exeC:\Windows\system32\Aijbfo32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1372 -
C:\Windows\SysWOW64\Bfncpcoc.exeC:\Windows\system32\Bfncpcoc.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1952 -
C:\Windows\SysWOW64\Bofgii32.exeC:\Windows\system32\Bofgii32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:576 -
C:\Windows\SysWOW64\Biolanld.exeC:\Windows\system32\Biolanld.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:832 -
C:\Windows\SysWOW64\Bbgqjdce.exeC:\Windows\system32\Bbgqjdce.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1840 -
C:\Windows\SysWOW64\Bnnaoe32.exeC:\Windows\system32\Bnnaoe32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1048 -
C:\Windows\SysWOW64\Behilopf.exeC:\Windows\system32\Behilopf.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:860 -
C:\Windows\SysWOW64\Bkbaii32.exeC:\Windows\system32\Bkbaii32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1908 -
C:\Windows\SysWOW64\Caaggpdh.exeC:\Windows\system32\Caaggpdh.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1612 -
C:\Windows\SysWOW64\Eggndi32.exeC:\Windows\system32\Eggndi32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1388 -
C:\Windows\SysWOW64\Eldglp32.exeC:\Windows\system32\Eldglp32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3020 -
C:\Windows\SysWOW64\Eklqcl32.exeC:\Windows\system32\Eklqcl32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Elkmmodo.exeC:\Windows\system32\Elkmmodo.exe34⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Eaheeecg.exeC:\Windows\system32\Eaheeecg.exe35⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Fajbke32.exeC:\Windows\system32\Fajbke32.exe36⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Fjegog32.exeC:\Windows\system32\Fjegog32.exe37⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Fpoolael.exeC:\Windows\system32\Fpoolael.exe38⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Fncpef32.exeC:\Windows\system32\Fncpef32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Fgldnkkf.exeC:\Windows\system32\Fgldnkkf.exe40⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Fgnadkic.exeC:\Windows\system32\Fgnadkic.exe41⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Goiehm32.exeC:\Windows\system32\Goiehm32.exe42⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Ghajacmo.exeC:\Windows\system32\Ghajacmo.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1244 -
C:\Windows\SysWOW64\Gbjojh32.exeC:\Windows\system32\Gbjojh32.exe44⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Gkbcbn32.exeC:\Windows\system32\Gkbcbn32.exe45⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Gfhgpg32.exeC:\Windows\system32\Gfhgpg32.exe46⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Gncldi32.exeC:\Windows\system32\Gncldi32.exe47⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Ggkqmoma.exeC:\Windows\system32\Ggkqmoma.exe48⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Gbadjg32.exeC:\Windows\system32\Gbadjg32.exe49⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Ggnmbn32.exeC:\Windows\system32\Ggnmbn32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1100 -
C:\Windows\SysWOW64\Hcdnhoac.exeC:\Windows\system32\Hcdnhoac.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:632 -
C:\Windows\SysWOW64\Hmmbqegc.exeC:\Windows\system32\Hmmbqegc.exe52⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Hfegij32.exeC:\Windows\system32\Hfegij32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Hmoofdea.exeC:\Windows\system32\Hmoofdea.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Hldlga32.exeC:\Windows\system32\Hldlga32.exe55⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Hihlqeib.exeC:\Windows\system32\Hihlqeib.exe56⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Hbaaik32.exeC:\Windows\system32\Hbaaik32.exe57⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Ihniaa32.exeC:\Windows\system32\Ihniaa32.exe58⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Inhanl32.exeC:\Windows\system32\Inhanl32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Ihpfgalh.exeC:\Windows\system32\Ihpfgalh.exe60⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Iahkpg32.exeC:\Windows\system32\Iahkpg32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Ijqoilii.exeC:\Windows\system32\Ijqoilii.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Iakgefqe.exeC:\Windows\system32\Iakgefqe.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Ifgpnmom.exeC:\Windows\system32\Ifgpnmom.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Idkpganf.exeC:\Windows\system32\Idkpganf.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2500 -
C:\Windows\SysWOW64\Iihiphln.exeC:\Windows\system32\Iihiphln.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1428 -
C:\Windows\SysWOW64\Jdnmma32.exeC:\Windows\system32\Jdnmma32.exe67⤵
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Jmfafgbd.exeC:\Windows\system32\Jmfafgbd.exe68⤵PID:2324
-
C:\Windows\SysWOW64\Jfofol32.exeC:\Windows\system32\Jfofol32.exe69⤵PID:828
-
C:\Windows\SysWOW64\Jmhnkfpa.exeC:\Windows\system32\Jmhnkfpa.exe70⤵PID:2456
-
C:\Windows\SysWOW64\Jedcpi32.exeC:\Windows\system32\Jedcpi32.exe71⤵PID:1700
-
C:\Windows\SysWOW64\Jhbold32.exeC:\Windows\system32\Jhbold32.exe72⤵PID:2336
-
C:\Windows\SysWOW64\Jolghndm.exeC:\Windows\system32\Jolghndm.exe73⤵
- Drops file in System32 directory
PID:1192 -
C:\Windows\SysWOW64\Jkchmo32.exeC:\Windows\system32\Jkchmo32.exe74⤵PID:1720
-
C:\Windows\SysWOW64\Kdklfe32.exeC:\Windows\system32\Kdklfe32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1784 -
C:\Windows\SysWOW64\Kkeecogo.exeC:\Windows\system32\Kkeecogo.exe76⤵
- Drops file in System32 directory
PID:668 -
C:\Windows\SysWOW64\Kekiphge.exeC:\Windows\system32\Kekiphge.exe77⤵
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Kglehp32.exeC:\Windows\system32\Kglehp32.exe78⤵
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Kdpfadlm.exeC:\Windows\system32\Kdpfadlm.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Kkjnnn32.exeC:\Windows\system32\Kkjnnn32.exe80⤵PID:1320
-
C:\Windows\SysWOW64\Kdbbgdjj.exeC:\Windows\system32\Kdbbgdjj.exe81⤵
- Drops file in System32 directory
PID:1896 -
C:\Windows\SysWOW64\Kjokokha.exeC:\Windows\system32\Kjokokha.exe82⤵PID:1764
-
C:\Windows\SysWOW64\Kcgphp32.exeC:\Windows\system32\Kcgphp32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2260 -
C:\Windows\SysWOW64\Kjahej32.exeC:\Windows\system32\Kjahej32.exe84⤵
- Modifies registry class
PID:864 -
C:\Windows\SysWOW64\Kpkpadnl.exeC:\Windows\system32\Kpkpadnl.exe85⤵
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Lfhhjklc.exeC:\Windows\system32\Lfhhjklc.exe86⤵
- Drops file in System32 directory
PID:2116 -
C:\Windows\SysWOW64\Lpnmgdli.exeC:\Windows\system32\Lpnmgdli.exe87⤵PID:1508
-
C:\Windows\SysWOW64\Lfkeokjp.exeC:\Windows\system32\Lfkeokjp.exe88⤵PID:2348
-
C:\Windows\SysWOW64\Lkgngb32.exeC:\Windows\system32\Lkgngb32.exe89⤵PID:2932
-
C:\Windows\SysWOW64\Ldpbpgoh.exeC:\Windows\system32\Ldpbpgoh.exe90⤵PID:2924
-
C:\Windows\SysWOW64\Lfoojj32.exeC:\Windows\system32\Lfoojj32.exe91⤵PID:1808
-
C:\Windows\SysWOW64\Lgqkbb32.exeC:\Windows\system32\Lgqkbb32.exe92⤵PID:2572
-
C:\Windows\SysWOW64\Lohccp32.exeC:\Windows\system32\Lohccp32.exe93⤵PID:1296
-
C:\Windows\SysWOW64\Lqipkhbj.exeC:\Windows\system32\Lqipkhbj.exe94⤵PID:2648
-
C:\Windows\SysWOW64\Mkndhabp.exeC:\Windows\system32\Mkndhabp.exe95⤵PID:2856
-
C:\Windows\SysWOW64\Mbhlek32.exeC:\Windows\system32\Mbhlek32.exe96⤵PID:2396
-
C:\Windows\SysWOW64\Mcjhmcok.exeC:\Windows\system32\Mcjhmcok.exe97⤵
- Modifies registry class
PID:1876 -
C:\Windows\SysWOW64\Mqnifg32.exeC:\Windows\system32\Mqnifg32.exe98⤵PID:2376
-
C:\Windows\SysWOW64\Mqpflg32.exeC:\Windows\system32\Mqpflg32.exe99⤵PID:1724
-
C:\Windows\SysWOW64\Mfmndn32.exeC:\Windows\system32\Mfmndn32.exe100⤵
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Mmgfqh32.exeC:\Windows\system32\Mmgfqh32.exe101⤵PID:2344
-
C:\Windows\SysWOW64\Mpebmc32.exeC:\Windows\system32\Mpebmc32.exe102⤵PID:1104
-
C:\Windows\SysWOW64\Ofcqcp32.exeC:\Windows\system32\Ofcqcp32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:948 -
C:\Windows\SysWOW64\Oplelf32.exeC:\Windows\system32\Oplelf32.exe104⤵
- Modifies registry class
PID:824 -
C:\Windows\SysWOW64\Obokcqhk.exeC:\Windows\system32\Obokcqhk.exe105⤵PID:1772
-
C:\Windows\SysWOW64\Phlclgfc.exeC:\Windows\system32\Phlclgfc.exe106⤵
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Pkjphcff.exeC:\Windows\system32\Pkjphcff.exe107⤵
- Modifies registry class
PID:2356 -
C:\Windows\SysWOW64\Pdbdqh32.exeC:\Windows\system32\Pdbdqh32.exe108⤵PID:1352
-
C:\Windows\SysWOW64\Pohhna32.exeC:\Windows\system32\Pohhna32.exe109⤵PID:2200
-
C:\Windows\SysWOW64\Pebpkk32.exeC:\Windows\system32\Pebpkk32.exe110⤵PID:2764
-
C:\Windows\SysWOW64\Pgcmbcih.exeC:\Windows\system32\Pgcmbcih.exe111⤵
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Phcilf32.exeC:\Windows\system32\Phcilf32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2204 -
C:\Windows\SysWOW64\Pidfdofi.exeC:\Windows\system32\Pidfdofi.exe113⤵PID:2524
-
C:\Windows\SysWOW64\Pdjjag32.exeC:\Windows\system32\Pdjjag32.exe114⤵
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Pleofj32.exeC:\Windows\system32\Pleofj32.exe115⤵
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Qndkpmkm.exeC:\Windows\system32\Qndkpmkm.exe116⤵
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Qdncmgbj.exeC:\Windows\system32\Qdncmgbj.exe117⤵PID:2860
-
C:\Windows\SysWOW64\Qeppdo32.exeC:\Windows\system32\Qeppdo32.exe118⤵PID:1020
-
C:\Windows\SysWOW64\Ahpifj32.exeC:\Windows\system32\Ahpifj32.exe119⤵
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Aojabdlf.exeC:\Windows\system32\Aojabdlf.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1248 -
C:\Windows\SysWOW64\Aomnhd32.exeC:\Windows\system32\Aomnhd32.exe121⤵
- Modifies registry class
PID:2092
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-