Analysis
-
max time kernel
146s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
14/05/2024, 03:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ef7652952e2ebd7ea4095b440886909096a45cd04803f61bf269dabcac70d8df.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
ef7652952e2ebd7ea4095b440886909096a45cd04803f61bf269dabcac70d8df.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
ef7652952e2ebd7ea4095b440886909096a45cd04803f61bf269dabcac70d8df.exe
-
Size
64KB
-
MD5
4fbd054fe650c0e0e86ceda6296c444b
-
SHA1
f849b048600edf897c5874ce2b04c0585af1ba52
-
SHA256
ef7652952e2ebd7ea4095b440886909096a45cd04803f61bf269dabcac70d8df
-
SHA512
e51de11c4b4a0359a6cdca66d66fe61af7ca8baf0897bc0411cea4b3bb85a4cbeea1f5217dd1e0a81b3877531e54454a62712a5099275f296c529191d91d504d
-
SSDEEP
768:2fac3anbBCgVkqj0YOdF7fm698TpO/vXM6rgW9LqyRskW/1H5GYR6XJ1IwEGp9TY:2fOnHkwOXz8T6Vuy78sXUwXfzwv
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akncimmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgabdlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nckkgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piabdiep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofdclinq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdefnjkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkaghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckmnbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caifjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgfdie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Offpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efedga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opodknco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeggbbci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lohccp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caifjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmnopp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lonibk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baneak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbmfkkbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meabakda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keeeje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikqnlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kenhopmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pehcij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oijjka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Copjdhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccjoli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgfdie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdflqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgckjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfhhjklc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opnbbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afgnkilf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egebjmdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmmhaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbifnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdkhjgeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfkimhhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajldkhjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggiofa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgckjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emifeqid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heliepmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpqlemaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfngll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcokiaji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dphhka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfippfej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejfllhao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anahqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epmfgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epmfgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiaoclgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opodknco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aboaff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqhepeai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgokfnij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhmbdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdfahaaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad ef7652952e2ebd7ea4095b440886909096a45cd04803f61bf269dabcac70d8df.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgabdlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gagkjbaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckhpejbf.exe -
Executes dropped EXE 64 IoCs
pid Process 2632 Nlbgikia.exe 2852 Nmfqgbmm.exe 2504 Npgihn32.exe 2436 Ommfga32.exe 2400 Oehklddp.exe 2060 Ocllehcj.exe 684 Oaaifdhb.exe 1608 Poeipifl.exe 2640 Pkljdj32.exe 3028 Pgckjk32.exe 1808 Phbgcnig.exe 824 Pnopldgn.exe 928 Pnalad32.exe 880 Qjhmfekp.exe 2076 Qqbecp32.exe 2728 Qjkjle32.exe 3004 Abfnpg32.exe 2248 Akncimmh.exe 940 Aeggbbci.exe 696 Anolkh32.exe 1612 Aeidgbaf.exe 1984 Anahqh32.exe 888 Aigmnqgm.exe 3048 Aboaff32.exe 2940 Ajjfkh32.exe 2772 Bgnfdm32.exe 1504 Bnhoag32.exe 2428 Bbjdjjdn.exe 2788 Bidlgdlk.exe 2544 Bncaekhp.exe 3064 Cemjae32.exe 2704 Cepfgdnj.exe 2488 Cbdgqimc.exe 2380 Cmmhaf32.exe 2784 Ckahkk32.exe 960 Cdjmcpnl.exe 1216 Cmbalfem.exe 2792 Dgjfek32.exe 1716 Dpcjnabn.exe 2032 Dpegcq32.exe 1068 Dllhhaep.exe 1936 Daipqhdg.exe 1752 Dkadjn32.exe 2736 Eoompl32.exe 2724 Eamilh32.exe 2896 Eoajel32.exe 1284 Fqlicclo.exe 3016 Fbmfkkbm.exe 2768 Fhgnge32.exe 600 Foccjood.exe 2740 Fgohna32.exe 1740 Fnipkkdl.exe 920 Fkmqdpce.exe 2204 Gqiimfam.exe 2532 Gkomjo32.exe 2500 Gegabegc.exe 2572 Gjdjklek.exe 2512 Gmbfggdo.exe 2776 Gghkdp32.exe 332 Gmecmg32.exe 536 Gcokiaji.exe 1856 Gljpncgc.exe 1452 Gbdhjm32.exe 2320 Hinqgg32.exe -
Loads dropped DLL 64 IoCs
pid Process 1664 ef7652952e2ebd7ea4095b440886909096a45cd04803f61bf269dabcac70d8df.exe 1664 ef7652952e2ebd7ea4095b440886909096a45cd04803f61bf269dabcac70d8df.exe 2632 Nlbgikia.exe 2632 Nlbgikia.exe 2852 Nmfqgbmm.exe 2852 Nmfqgbmm.exe 2504 Npgihn32.exe 2504 Npgihn32.exe 2436 Ommfga32.exe 2436 Ommfga32.exe 2400 Oehklddp.exe 2400 Oehklddp.exe 2060 Ocllehcj.exe 2060 Ocllehcj.exe 684 Oaaifdhb.exe 684 Oaaifdhb.exe 1608 Poeipifl.exe 1608 Poeipifl.exe 2640 Pkljdj32.exe 2640 Pkljdj32.exe 3028 Pgckjk32.exe 3028 Pgckjk32.exe 1808 Phbgcnig.exe 1808 Phbgcnig.exe 824 Pnopldgn.exe 824 Pnopldgn.exe 928 Pnalad32.exe 928 Pnalad32.exe 880 Qjhmfekp.exe 880 Qjhmfekp.exe 2076 Qqbecp32.exe 2076 Qqbecp32.exe 2728 Qjkjle32.exe 2728 Qjkjle32.exe 3004 Abfnpg32.exe 3004 Abfnpg32.exe 2248 Akncimmh.exe 2248 Akncimmh.exe 940 Aeggbbci.exe 940 Aeggbbci.exe 696 Anolkh32.exe 696 Anolkh32.exe 1612 Aeidgbaf.exe 1612 Aeidgbaf.exe 1984 Anahqh32.exe 1984 Anahqh32.exe 888 Aigmnqgm.exe 888 Aigmnqgm.exe 3048 Aboaff32.exe 3048 Aboaff32.exe 2940 Ajjfkh32.exe 2940 Ajjfkh32.exe 2772 Bgnfdm32.exe 2772 Bgnfdm32.exe 1504 Bnhoag32.exe 1504 Bnhoag32.exe 2428 Bbjdjjdn.exe 2428 Bbjdjjdn.exe 2788 Bidlgdlk.exe 2788 Bidlgdlk.exe 2544 Bncaekhp.exe 2544 Bncaekhp.exe 3064 Cemjae32.exe 3064 Cemjae32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Nbniid32.exe Nallalep.exe File opened for modification C:\Windows\SysWOW64\Jhbold32.exe Jgabdlfb.exe File created C:\Windows\SysWOW64\Oeaqig32.exe Nlilqbgp.exe File created C:\Windows\SysWOW64\Bbjpil32.exe Bfcodkcb.exe File opened for modification C:\Windows\SysWOW64\Dfhdnn32.exe Cmppehkh.exe File opened for modification C:\Windows\SysWOW64\Cemjae32.exe Bncaekhp.exe File created C:\Windows\SysWOW64\Idbfpfoc.dll Ilofhffj.exe File created C:\Windows\SysWOW64\Oifckj32.dll Ommfga32.exe File created C:\Windows\SysWOW64\Acpchmhl.dll Dqfabdaf.exe File created C:\Windows\SysWOW64\Lilfgq32.exe Laaabo32.exe File created C:\Windows\SysWOW64\Flnndp32.exe Fnjnkkbk.exe File opened for modification C:\Windows\SysWOW64\Npgihn32.exe Nmfqgbmm.exe File created C:\Windows\SysWOW64\Clgmpqdg.dll Cmppehkh.exe File created C:\Windows\SysWOW64\Bchfhfeh.exe Bmnnkl32.exe File opened for modification C:\Windows\SysWOW64\Ndlpdbnj.exe Nkclkl32.exe File created C:\Windows\SysWOW64\Hidgoh32.dll Eaqkcimg.exe File created C:\Windows\SysWOW64\Pimkbbpi.exe Pcpbik32.exe File created C:\Windows\SysWOW64\Qbobaf32.exe Qifnhaho.exe File opened for modification C:\Windows\SysWOW64\Gagkjbaf.exe Gdcjpncm.exe File opened for modification C:\Windows\SysWOW64\Aiaoclgl.exe Addfkeid.exe File created C:\Windows\SysWOW64\Pcdldknm.exe Pjlgle32.exe File opened for modification C:\Windows\SysWOW64\Apilcoho.exe Ajldkhjh.exe File created C:\Windows\SysWOW64\Jflomd32.dll Gqaafn32.exe File created C:\Windows\SysWOW64\Ekjpaefk.dll Bngfmhbj.exe File created C:\Windows\SysWOW64\Mainndaq.exe Mhqjen32.exe File opened for modification C:\Windows\SysWOW64\Offpbi32.exe Ofdclinq.exe File opened for modification C:\Windows\SysWOW64\Dbmkfh32.exe Dlpbna32.exe File opened for modification C:\Windows\SysWOW64\Dhkkbmnp.exe Dobgihgp.exe File created C:\Windows\SysWOW64\Jjkkbjln.exe Jpajbl32.exe File opened for modification C:\Windows\SysWOW64\Jgjkfi32.exe Iamfdo32.exe File created C:\Windows\SysWOW64\Hkdgecna.exe Halcmn32.exe File created C:\Windows\SysWOW64\Njdfnb32.dll Laaabo32.exe File opened for modification C:\Windows\SysWOW64\Fjjpjgjj.exe Flfpabkp.exe File created C:\Windows\SysWOW64\Jojfgkfk.dll Ghajacmo.exe File opened for modification C:\Windows\SysWOW64\Ggiofa32.exe Gmqkml32.exe File opened for modification C:\Windows\SysWOW64\Lfbbjpgd.exe Lohjnf32.exe File opened for modification C:\Windows\SysWOW64\Bkpeci32.exe Bajqfq32.exe File created C:\Windows\SysWOW64\Hefnockl.dll Nkclkl32.exe File opened for modification C:\Windows\SysWOW64\Agolnbok.exe Qjklenpa.exe File opened for modification C:\Windows\SysWOW64\Indnnfdn.exe Heliepmn.exe File opened for modification C:\Windows\SysWOW64\Emifeqid.exe Epeekmjk.exe File opened for modification C:\Windows\SysWOW64\Mjfphf32.exe Mdigoo32.exe File opened for modification C:\Windows\SysWOW64\Halcmn32.exe Hgfooe32.exe File created C:\Windows\SysWOW64\Dmbcen32.exe Ccjoli32.exe File created C:\Windows\SysWOW64\Dpjbgh32.exe Dipjkn32.exe File created C:\Windows\SysWOW64\Npgihn32.exe Nmfqgbmm.exe File created C:\Windows\SysWOW64\Nndemg32.exe Ndlpdbnj.exe File opened for modification C:\Windows\SysWOW64\Bnhoag32.exe Bgnfdm32.exe File opened for modification C:\Windows\SysWOW64\Dmgoif32.exe Dfngll32.exe File opened for modification C:\Windows\SysWOW64\Nldahn32.exe Nfjildbp.exe File opened for modification C:\Windows\SysWOW64\Poeipifl.exe Oaaifdhb.exe File created C:\Windows\SysWOW64\Lefejmjq.dll Poeipifl.exe File opened for modification C:\Windows\SysWOW64\Jhoice32.exe Jaeafklf.exe File opened for modification C:\Windows\SysWOW64\Kfnmpn32.exe Klehgh32.exe File created C:\Windows\SysWOW64\Aeidgbaf.exe Anolkh32.exe File created C:\Windows\SysWOW64\Kbnhpdke.exe Kiecgo32.exe File created C:\Windows\SysWOW64\Dccpbd32.dll Aldfcpjn.exe File opened for modification C:\Windows\SysWOW64\Ebappk32.exe Ekghcq32.exe File created C:\Windows\SysWOW64\Chlgid32.exe Codbqonk.exe File created C:\Windows\SysWOW64\Cmjjmp32.dll Dfngll32.exe File created C:\Windows\SysWOW64\Omlncc32.exe Ogofkm32.exe File created C:\Windows\SysWOW64\Fgohna32.exe Foccjood.exe File created C:\Windows\SysWOW64\Ppddpd32.exe Ojglhm32.exe File created C:\Windows\SysWOW64\Dnhanebc.dll Jfohgepi.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3352 3708 WerFault.exe 700 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpflghlp.dll" Gmqkml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkielpdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epeoaffo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dobgihgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppdghpph.dll" Pgckjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcokiaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gncnmane.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlpbna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihifg32.dll" Ioohokoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlpbna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehkhaqpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abnhjmjc.dll" Lohccp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qcogbdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flmogqde.dll" Pfeeff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbpiog32.dll" Hdoghdmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldmikj32.dll" Najpll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpcjeaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldahfej.dll" Jnnnalph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cceell32.dll" Qlgkki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbiaemkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlilqbgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhjboh32.dll" Lnbdko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inalmqgb.dll" Qpniokan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nijnln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkqqnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coefaghp.dll" Pjahakgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aipgifcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmcilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkgnjmo.dll" Pnalad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peblpbgn.dll" Pnbojmmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofdclinq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbpihjem.dll" Okinik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfohgepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdnoim32.dll" Miocmq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gljpncgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jajcdjca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iaimipjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omlncc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hidgoh32.dll" Eaqkcimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogadek32.dll" Eqngcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdeqfhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoebgcol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apkihofl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Empomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfpaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mainndaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifmocb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jabponba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egfdjljo.dll" Ammmlcgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhndnpnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndhlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmpi32.dll" Dfhdnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phhjblpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkcje32.dll" Fgdnnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhebgh32.dll" Kdklfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkhkcdl.dll" Bbbpenco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmhejhao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqiqjlga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajjfkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agngji32.dll" Khlili32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ioeclg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndlpdbnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbdjcffd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkfclo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1664 wrote to memory of 2632 1664 ef7652952e2ebd7ea4095b440886909096a45cd04803f61bf269dabcac70d8df.exe 28 PID 1664 wrote to memory of 2632 1664 ef7652952e2ebd7ea4095b440886909096a45cd04803f61bf269dabcac70d8df.exe 28 PID 1664 wrote to memory of 2632 1664 ef7652952e2ebd7ea4095b440886909096a45cd04803f61bf269dabcac70d8df.exe 28 PID 1664 wrote to memory of 2632 1664 ef7652952e2ebd7ea4095b440886909096a45cd04803f61bf269dabcac70d8df.exe 28 PID 2632 wrote to memory of 2852 2632 Nlbgikia.exe 29 PID 2632 wrote to memory of 2852 2632 Nlbgikia.exe 29 PID 2632 wrote to memory of 2852 2632 Nlbgikia.exe 29 PID 2632 wrote to memory of 2852 2632 Nlbgikia.exe 29 PID 2852 wrote to memory of 2504 2852 Nmfqgbmm.exe 30 PID 2852 wrote to memory of 2504 2852 Nmfqgbmm.exe 30 PID 2852 wrote to memory of 2504 2852 Nmfqgbmm.exe 30 PID 2852 wrote to memory of 2504 2852 Nmfqgbmm.exe 30 PID 2504 wrote to memory of 2436 2504 Npgihn32.exe 31 PID 2504 wrote to memory of 2436 2504 Npgihn32.exe 31 PID 2504 wrote to memory of 2436 2504 Npgihn32.exe 31 PID 2504 wrote to memory of 2436 2504 Npgihn32.exe 31 PID 2436 wrote to memory of 2400 2436 Ommfga32.exe 32 PID 2436 wrote to memory of 2400 2436 Ommfga32.exe 32 PID 2436 wrote to memory of 2400 2436 Ommfga32.exe 32 PID 2436 wrote to memory of 2400 2436 Ommfga32.exe 32 PID 2400 wrote to memory of 2060 2400 Oehklddp.exe 33 PID 2400 wrote to memory of 2060 2400 Oehklddp.exe 33 PID 2400 wrote to memory of 2060 2400 Oehklddp.exe 33 PID 2400 wrote to memory of 2060 2400 Oehklddp.exe 33 PID 2060 wrote to memory of 684 2060 Ocllehcj.exe 34 PID 2060 wrote to memory of 684 2060 Ocllehcj.exe 34 PID 2060 wrote to memory of 684 2060 Ocllehcj.exe 34 PID 2060 wrote to memory of 684 2060 Ocllehcj.exe 34 PID 684 wrote to memory of 1608 684 Oaaifdhb.exe 35 PID 684 wrote to memory of 1608 684 Oaaifdhb.exe 35 PID 684 wrote to memory of 1608 684 Oaaifdhb.exe 35 PID 684 wrote to memory of 1608 684 Oaaifdhb.exe 35 PID 1608 wrote to memory of 2640 1608 Poeipifl.exe 36 PID 1608 wrote to memory of 2640 1608 Poeipifl.exe 36 PID 1608 wrote to memory of 2640 1608 Poeipifl.exe 36 PID 1608 wrote to memory of 2640 1608 Poeipifl.exe 36 PID 2640 wrote to memory of 3028 2640 Pkljdj32.exe 37 PID 2640 wrote to memory of 3028 2640 Pkljdj32.exe 37 PID 2640 wrote to memory of 3028 2640 Pkljdj32.exe 37 PID 2640 wrote to memory of 3028 2640 Pkljdj32.exe 37 PID 3028 wrote to memory of 1808 3028 Pgckjk32.exe 38 PID 3028 wrote to memory of 1808 3028 Pgckjk32.exe 38 PID 3028 wrote to memory of 1808 3028 Pgckjk32.exe 38 PID 3028 wrote to memory of 1808 3028 Pgckjk32.exe 38 PID 1808 wrote to memory of 824 1808 Phbgcnig.exe 39 PID 1808 wrote to memory of 824 1808 Phbgcnig.exe 39 PID 1808 wrote to memory of 824 1808 Phbgcnig.exe 39 PID 1808 wrote to memory of 824 1808 Phbgcnig.exe 39 PID 824 wrote to memory of 928 824 Pnopldgn.exe 40 PID 824 wrote to memory of 928 824 Pnopldgn.exe 40 PID 824 wrote to memory of 928 824 Pnopldgn.exe 40 PID 824 wrote to memory of 928 824 Pnopldgn.exe 40 PID 928 wrote to memory of 880 928 Pnalad32.exe 41 PID 928 wrote to memory of 880 928 Pnalad32.exe 41 PID 928 wrote to memory of 880 928 Pnalad32.exe 41 PID 928 wrote to memory of 880 928 Pnalad32.exe 41 PID 880 wrote to memory of 2076 880 Qjhmfekp.exe 42 PID 880 wrote to memory of 2076 880 Qjhmfekp.exe 42 PID 880 wrote to memory of 2076 880 Qjhmfekp.exe 42 PID 880 wrote to memory of 2076 880 Qjhmfekp.exe 42 PID 2076 wrote to memory of 2728 2076 Qqbecp32.exe 43 PID 2076 wrote to memory of 2728 2076 Qqbecp32.exe 43 PID 2076 wrote to memory of 2728 2076 Qqbecp32.exe 43 PID 2076 wrote to memory of 2728 2076 Qqbecp32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef7652952e2ebd7ea4095b440886909096a45cd04803f61bf269dabcac70d8df.exe"C:\Users\Admin\AppData\Local\Temp\ef7652952e2ebd7ea4095b440886909096a45cd04803f61bf269dabcac70d8df.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Nlbgikia.exeC:\Windows\system32\Nlbgikia.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Nmfqgbmm.exeC:\Windows\system32\Nmfqgbmm.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Npgihn32.exeC:\Windows\system32\Npgihn32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Ommfga32.exeC:\Windows\system32\Ommfga32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Oehklddp.exeC:\Windows\system32\Oehklddp.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Ocllehcj.exeC:\Windows\system32\Ocllehcj.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Oaaifdhb.exeC:\Windows\system32\Oaaifdhb.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:684 -
C:\Windows\SysWOW64\Poeipifl.exeC:\Windows\system32\Poeipifl.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Pkljdj32.exeC:\Windows\system32\Pkljdj32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Pgckjk32.exeC:\Windows\system32\Pgckjk32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Phbgcnig.exeC:\Windows\system32\Phbgcnig.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\Pnopldgn.exeC:\Windows\system32\Pnopldgn.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Windows\SysWOW64\Pnalad32.exeC:\Windows\system32\Pnalad32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\SysWOW64\Qjhmfekp.exeC:\Windows\system32\Qjhmfekp.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\SysWOW64\Qqbecp32.exeC:\Windows\system32\Qqbecp32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Qjkjle32.exeC:\Windows\system32\Qjkjle32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Abfnpg32.exeC:\Windows\system32\Abfnpg32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\Akncimmh.exeC:\Windows\system32\Akncimmh.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2248 -
C:\Windows\SysWOW64\Aeggbbci.exeC:\Windows\system32\Aeggbbci.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:940 -
C:\Windows\SysWOW64\Anolkh32.exeC:\Windows\system32\Anolkh32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:696 -
C:\Windows\SysWOW64\Aeidgbaf.exeC:\Windows\system32\Aeidgbaf.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1612 -
C:\Windows\SysWOW64\Anahqh32.exeC:\Windows\system32\Anahqh32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1984 -
C:\Windows\SysWOW64\Aigmnqgm.exeC:\Windows\system32\Aigmnqgm.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:888 -
C:\Windows\SysWOW64\Aboaff32.exeC:\Windows\system32\Aboaff32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3048 -
C:\Windows\SysWOW64\Ajjfkh32.exeC:\Windows\system32\Ajjfkh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Bgnfdm32.exeC:\Windows\system32\Bgnfdm32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Bnhoag32.exeC:\Windows\system32\Bnhoag32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1504 -
C:\Windows\SysWOW64\Bbjdjjdn.exeC:\Windows\system32\Bbjdjjdn.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2428 -
C:\Windows\SysWOW64\Bidlgdlk.exeC:\Windows\system32\Bidlgdlk.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Bncaekhp.exeC:\Windows\system32\Bncaekhp.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2544 -
C:\Windows\SysWOW64\Cemjae32.exeC:\Windows\system32\Cemjae32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Cepfgdnj.exeC:\Windows\system32\Cepfgdnj.exe33⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Cbdgqimc.exeC:\Windows\system32\Cbdgqimc.exe34⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Cmmhaf32.exeC:\Windows\system32\Cmmhaf32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Ckahkk32.exeC:\Windows\system32\Ckahkk32.exe36⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Cdjmcpnl.exeC:\Windows\system32\Cdjmcpnl.exe37⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Cmbalfem.exeC:\Windows\system32\Cmbalfem.exe38⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Dgjfek32.exeC:\Windows\system32\Dgjfek32.exe39⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Dpcjnabn.exeC:\Windows\system32\Dpcjnabn.exe40⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Dpegcq32.exeC:\Windows\system32\Dpegcq32.exe41⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Dllhhaep.exeC:\Windows\system32\Dllhhaep.exe42⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Daipqhdg.exeC:\Windows\system32\Daipqhdg.exe43⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Dkadjn32.exeC:\Windows\system32\Dkadjn32.exe44⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Eoompl32.exeC:\Windows\system32\Eoompl32.exe45⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Eamilh32.exeC:\Windows\system32\Eamilh32.exe46⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Eoajel32.exeC:\Windows\system32\Eoajel32.exe47⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Fqlicclo.exeC:\Windows\system32\Fqlicclo.exe48⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Fbmfkkbm.exeC:\Windows\system32\Fbmfkkbm.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Fhgnge32.exeC:\Windows\system32\Fhgnge32.exe50⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Foccjood.exeC:\Windows\system32\Foccjood.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:600 -
C:\Windows\SysWOW64\Fgohna32.exeC:\Windows\system32\Fgohna32.exe52⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Fnipkkdl.exeC:\Windows\system32\Fnipkkdl.exe53⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Fkmqdpce.exeC:\Windows\system32\Fkmqdpce.exe54⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Gqiimfam.exeC:\Windows\system32\Gqiimfam.exe55⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Gkomjo32.exeC:\Windows\system32\Gkomjo32.exe56⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Gegabegc.exeC:\Windows\system32\Gegabegc.exe57⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Gjdjklek.exeC:\Windows\system32\Gjdjklek.exe58⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Gmbfggdo.exeC:\Windows\system32\Gmbfggdo.exe59⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Gghkdp32.exeC:\Windows\system32\Gghkdp32.exe60⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Gmecmg32.exeC:\Windows\system32\Gmecmg32.exe61⤵
- Executes dropped EXE
PID:332 -
C:\Windows\SysWOW64\Gcokiaji.exeC:\Windows\system32\Gcokiaji.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:536 -
C:\Windows\SysWOW64\Gljpncgc.exeC:\Windows\system32\Gljpncgc.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1856 -
C:\Windows\SysWOW64\Gbdhjm32.exeC:\Windows\system32\Gbdhjm32.exe64⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Hinqgg32.exeC:\Windows\system32\Hinqgg32.exe65⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Hfbaql32.exeC:\Windows\system32\Hfbaql32.exe66⤵PID:1704
-
C:\Windows\SysWOW64\Hbiaemkk.exeC:\Windows\system32\Hbiaemkk.exe67⤵
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Hibjbgbh.exeC:\Windows\system32\Hibjbgbh.exe68⤵PID:476
-
C:\Windows\SysWOW64\Hjdfjo32.exeC:\Windows\system32\Hjdfjo32.exe69⤵PID:916
-
C:\Windows\SysWOW64\Hdlkcdog.exeC:\Windows\system32\Hdlkcdog.exe70⤵PID:2208
-
C:\Windows\SysWOW64\Hdoghdmd.exeC:\Windows\system32\Hdoghdmd.exe71⤵
- Modifies registry class
PID:964 -
C:\Windows\SysWOW64\Hjipenda.exeC:\Windows\system32\Hjipenda.exe72⤵PID:1972
-
C:\Windows\SysWOW64\Ihmpobck.exeC:\Windows\system32\Ihmpobck.exe73⤵PID:2196
-
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe74⤵PID:2416
-
C:\Windows\SysWOW64\Ijmipn32.exeC:\Windows\system32\Ijmipn32.exe75⤵PID:2816
-
C:\Windows\SysWOW64\Ilofhffj.exeC:\Windows\system32\Ilofhffj.exe76⤵
- Drops file in System32 directory
PID:1956 -
C:\Windows\SysWOW64\Iegjqk32.exeC:\Windows\system32\Iegjqk32.exe77⤵PID:2884
-
C:\Windows\SysWOW64\Iplnnd32.exeC:\Windows\system32\Iplnnd32.exe78⤵PID:2548
-
C:\Windows\SysWOW64\Ieigfk32.exeC:\Windows\system32\Ieigfk32.exe79⤵PID:2484
-
C:\Windows\SysWOW64\Ioakoq32.exeC:\Windows\system32\Ioakoq32.exe80⤵PID:1212
-
C:\Windows\SysWOW64\Ielclkhe.exeC:\Windows\system32\Ielclkhe.exe81⤵PID:2472
-
C:\Windows\SysWOW64\Jodhdp32.exeC:\Windows\system32\Jodhdp32.exe82⤵PID:628
-
C:\Windows\SysWOW64\Jabdql32.exeC:\Windows\system32\Jabdql32.exe83⤵PID:1100
-
C:\Windows\SysWOW64\Jlhhndno.exeC:\Windows\system32\Jlhhndno.exe84⤵PID:1960
-
C:\Windows\SysWOW64\Jaeafklf.exeC:\Windows\system32\Jaeafklf.exe85⤵
- Drops file in System32 directory
PID:1528 -
C:\Windows\SysWOW64\Jhoice32.exeC:\Windows\system32\Jhoice32.exe86⤵PID:1748
-
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe87⤵PID:1644
-
C:\Windows\SysWOW64\Jhafhe32.exeC:\Windows\system32\Jhafhe32.exe88⤵PID:2872
-
C:\Windows\SysWOW64\Jnnnalph.exeC:\Windows\system32\Jnnnalph.exe89⤵
- Modifies registry class
PID:280 -
C:\Windows\SysWOW64\Jgfcja32.exeC:\Windows\system32\Jgfcja32.exe90⤵PID:2128
-
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe91⤵PID:1144
-
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe92⤵PID:2996
-
C:\Windows\SysWOW64\Kjglkm32.exeC:\Windows\system32\Kjglkm32.exe93⤵PID:1988
-
C:\Windows\SysWOW64\Klehgh32.exeC:\Windows\system32\Klehgh32.exe94⤵
- Drops file in System32 directory
PID:1128 -
C:\Windows\SysWOW64\Kfnmpn32.exeC:\Windows\system32\Kfnmpn32.exe95⤵PID:2820
-
C:\Windows\SysWOW64\Khlili32.exeC:\Windows\system32\Khlili32.exe96⤵
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Kofaicon.exeC:\Windows\system32\Kofaicon.exe97⤵PID:2712
-
C:\Windows\SysWOW64\Kfpifm32.exeC:\Windows\system32\Kfpifm32.exe98⤵PID:2372
-
C:\Windows\SysWOW64\Kkmand32.exeC:\Windows\system32\Kkmand32.exe99⤵PID:2424
-
C:\Windows\SysWOW64\Kfbfkmeh.exeC:\Windows\system32\Kfbfkmeh.exe100⤵PID:1108
-
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe101⤵PID:2328
-
C:\Windows\SysWOW64\Knnkpobc.exeC:\Windows\system32\Knnkpobc.exe102⤵PID:2156
-
C:\Windows\SysWOW64\Kdhcli32.exeC:\Windows\system32\Kdhcli32.exe103⤵PID:2000
-
C:\Windows\SysWOW64\Lomgjb32.exeC:\Windows\system32\Lomgjb32.exe104⤵PID:1948
-
C:\Windows\SysWOW64\Lqncaj32.exeC:\Windows\system32\Lqncaj32.exe105⤵PID:1916
-
C:\Windows\SysWOW64\Lkdhoc32.exeC:\Windows\system32\Lkdhoc32.exe106⤵PID:2892
-
C:\Windows\SysWOW64\Lnbdko32.exeC:\Windows\system32\Lnbdko32.exe107⤵
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Lcomce32.exeC:\Windows\system32\Lcomce32.exe108⤵PID:1784
-
C:\Windows\SysWOW64\Lneaqn32.exeC:\Windows\system32\Lneaqn32.exe109⤵PID:2348
-
C:\Windows\SysWOW64\Ldoimh32.exeC:\Windows\system32\Ldoimh32.exe110⤵PID:2104
-
C:\Windows\SysWOW64\Lfpeeqig.exeC:\Windows\system32\Lfpeeqig.exe111⤵PID:2556
-
C:\Windows\SysWOW64\Lohjnf32.exeC:\Windows\system32\Lohjnf32.exe112⤵
- Drops file in System32 directory
PID:1596 -
C:\Windows\SysWOW64\Lfbbjpgd.exeC:\Windows\system32\Lfbbjpgd.exe113⤵PID:2780
-
C:\Windows\SysWOW64\Lqhfhigj.exeC:\Windows\system32\Lqhfhigj.exe114⤵PID:1392
-
C:\Windows\SysWOW64\Micklk32.exeC:\Windows\system32\Micklk32.exe115⤵PID:1460
-
C:\Windows\SysWOW64\Mkaghg32.exeC:\Windows\system32\Mkaghg32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1092 -
C:\Windows\SysWOW64\Miehak32.exeC:\Windows\system32\Miehak32.exe117⤵PID:620
-
C:\Windows\SysWOW64\Mkddnf32.exeC:\Windows\system32\Mkddnf32.exe118⤵PID:932
-
C:\Windows\SysWOW64\Mfihkoal.exeC:\Windows\system32\Mfihkoal.exe119⤵PID:1800
-
C:\Windows\SysWOW64\Mlfacfpc.exeC:\Windows\system32\Mlfacfpc.exe120⤵PID:3012
-
C:\Windows\SysWOW64\Mbpipp32.exeC:\Windows\system32\Mbpipp32.exe121⤵PID:744
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-