Analysis
-
max time kernel
144s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
16/05/2024, 05:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fc9c6a9c2a3ddbbdc2654181fb580f488ad3e403999b5eeb45239ec71aeebf9a.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
fc9c6a9c2a3ddbbdc2654181fb580f488ad3e403999b5eeb45239ec71aeebf9a.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
fc9c6a9c2a3ddbbdc2654181fb580f488ad3e403999b5eeb45239ec71aeebf9a.exe
-
Size
422KB
-
MD5
c052e4457314498d487431403921f953
-
SHA1
653c2b0586d22a4c3ab3dd8a33bec75b908f52f2
-
SHA256
fc9c6a9c2a3ddbbdc2654181fb580f488ad3e403999b5eeb45239ec71aeebf9a
-
SHA512
cb5c9207df6dcff1cc97c106f4f2817012e75ba5f30eee9650e1faa29eab89bdb7ed563a916b8017cb5de0c98a531956e822993c02b60e3115132fb4bb1e5deb
-
SSDEEP
6144:j2p42GTbabO6FSPnvZU1AF+6FSPnvZhDYsKKo6FSPnvZU1AF+6FSPnvZq:j2p4NGaXgA4XfczXgA4XA
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dndlim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fekpnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmgocb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pipopl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kneicieh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpigfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndmjedoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ampqjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aekodi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhngjmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ondajnme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdccfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqideepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejhlgaeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhkbkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odjpkihg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egdilkbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pogclp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpejeihi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jonplmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojfaijcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alpmfdcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqgnokip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maoajf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaobdjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpncej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kegqdqbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldfgebbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lollckbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ombapedi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bblogakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nghphaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llnofpcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mggpgmof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnfamcoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmebnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odoloalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Picnndmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddeaalpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhhcgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feeiob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqnejn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmkmdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qbbhgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Becnhgmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eecqjpee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Facdeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqmcpahh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abjebn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pggbla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngibaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djnpnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leonofpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agdjkogm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igonafba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knpemf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kihqkagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogblbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpcqaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acpdko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lliflp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbeknj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dliijipn.exe -
Executes dropped EXE 64 IoCs
pid Process 2156 Mkjica32.exe 2376 Magnek32.exe 2768 Nplkfgoe.exe 2628 Npnhlg32.exe 2648 Nghphaeo.exe 2532 Nofabc32.exe 3012 Nkmbgdfl.exe 2804 Okoomd32.exe 2028 Oomhcbjp.exe 2208 Odjpkihg.exe 1956 Ondajnme.exe 2404 Oenifh32.exe 2148 Pipopl32.exe 2104 Pfdpip32.exe 2088 Pfflopdh.exe 1476 Pelipl32.exe 1792 Plfamfpm.exe 912 Pijbfj32.exe 2216 Qbbfopeg.exe 268 Qaefjm32.exe 600 Qdccfh32.exe 1612 Ajphib32.exe 1032 Ankdiqih.exe 2128 Ampqjm32.exe 2908 Afiecb32.exe 1868 Ajdadamj.exe 1568 Afkbib32.exe 3036 Amejeljk.exe 2656 Ailkjmpo.exe 2904 Aljgfioc.exe 2548 Bhahlj32.exe 2756 Blmdlhmp.exe 2436 Bokphdld.exe 2336 Bkaqmeah.exe 1608 Bghabf32.exe 2828 Banepo32.exe 1040 Baqbenep.exe 1616 Bcaomf32.exe 2200 Cdakgibq.exe 376 Cfbhnaho.exe 2320 Cfeddafl.exe 3024 Clomqk32.exe 536 Cciemedf.exe 584 Cjbmjplb.exe 1092 Claifkkf.exe 2480 Copfbfjj.exe 2072 Cfinoq32.exe 1344 Chhjkl32.exe 3048 Cobbhfhg.exe 2292 Dbpodagk.exe 628 Dkhcmgnl.exe 2256 Dqelenlc.exe 2244 Ddagfm32.exe 2172 Dbehoa32.exe 1504 Dcfdgiid.exe 2736 Dkmmhf32.exe 2664 Dmoipopd.exe 2684 Ddeaalpg.exe 2564 Dgdmmgpj.exe 2572 Dqlafm32.exe 2820 Dcknbh32.exe 2308 Djefobmk.exe 1432 Eqonkmdh.exe 1724 Ebpkce32.exe -
Loads dropped DLL 64 IoCs
pid Process 1848 fc9c6a9c2a3ddbbdc2654181fb580f488ad3e403999b5eeb45239ec71aeebf9a.exe 1848 fc9c6a9c2a3ddbbdc2654181fb580f488ad3e403999b5eeb45239ec71aeebf9a.exe 2156 Mkjica32.exe 2156 Mkjica32.exe 2376 Magnek32.exe 2376 Magnek32.exe 2768 Nplkfgoe.exe 2768 Nplkfgoe.exe 2628 Npnhlg32.exe 2628 Npnhlg32.exe 2648 Nghphaeo.exe 2648 Nghphaeo.exe 2532 Nofabc32.exe 2532 Nofabc32.exe 3012 Nkmbgdfl.exe 3012 Nkmbgdfl.exe 2804 Okoomd32.exe 2804 Okoomd32.exe 2028 Oomhcbjp.exe 2028 Oomhcbjp.exe 2208 Odjpkihg.exe 2208 Odjpkihg.exe 1956 Ondajnme.exe 1956 Ondajnme.exe 2404 Oenifh32.exe 2404 Oenifh32.exe 2148 Pipopl32.exe 2148 Pipopl32.exe 2104 Pfdpip32.exe 2104 Pfdpip32.exe 2088 Pfflopdh.exe 2088 Pfflopdh.exe 1476 Pelipl32.exe 1476 Pelipl32.exe 1792 Plfamfpm.exe 1792 Plfamfpm.exe 912 Pijbfj32.exe 912 Pijbfj32.exe 2216 Qbbfopeg.exe 2216 Qbbfopeg.exe 268 Qaefjm32.exe 268 Qaefjm32.exe 600 Qdccfh32.exe 600 Qdccfh32.exe 1612 Ajphib32.exe 1612 Ajphib32.exe 1032 Ankdiqih.exe 1032 Ankdiqih.exe 2128 Ampqjm32.exe 2128 Ampqjm32.exe 2908 Afiecb32.exe 2908 Afiecb32.exe 1868 Ajdadamj.exe 1868 Ajdadamj.exe 1568 Afkbib32.exe 1568 Afkbib32.exe 3036 Amejeljk.exe 3036 Amejeljk.exe 2656 Ailkjmpo.exe 2656 Ailkjmpo.exe 2904 Aljgfioc.exe 2904 Aljgfioc.exe 2548 Bhahlj32.exe 2548 Bhahlj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kqgmkdbj.dll Kfegbj32.exe File opened for modification C:\Windows\SysWOW64\Pogclp32.exe Pklhlael.exe File created C:\Windows\SysWOW64\Lfobiqka.dll Apalea32.exe File created C:\Windows\SysWOW64\Geolea32.exe Gacpdbej.exe File opened for modification C:\Windows\SysWOW64\Bmkmdk32.exe Bfadgq32.exe File created C:\Windows\SysWOW64\Iggkllpe.exe Idhopq32.exe File created C:\Windows\SysWOW64\Imhjppim.dll Cdakgibq.exe File created C:\Windows\SysWOW64\Cbamcl32.dll Claifkkf.exe File created C:\Windows\SysWOW64\Fkahhbbj.dll Dbehoa32.exe File created C:\Windows\SysWOW64\Bbdoqc32.dll Oenifh32.exe File created C:\Windows\SysWOW64\Ganpomec.exe Ghelfg32.exe File created C:\Windows\SysWOW64\Mooaljkh.exe Mlaeonld.exe File opened for modification C:\Windows\SysWOW64\Alhmjbhj.exe Amelne32.exe File created C:\Windows\SysWOW64\Cacacg32.exe Cilibi32.exe File created C:\Windows\SysWOW64\Nacgdhlp.exe Nnhkcj32.exe File opened for modification C:\Windows\SysWOW64\Pikkiijf.exe Pgioaa32.exe File created C:\Windows\SysWOW64\Gohjaf32.exe Gpejeihi.exe File opened for modification C:\Windows\SysWOW64\Fejgko32.exe Faokjpfd.exe File opened for modification C:\Windows\SysWOW64\Pggbla32.exe Pamiog32.exe File created C:\Windows\SysWOW64\Hepmggig.dll Hckcmjep.exe File created C:\Windows\SysWOW64\Eqpofkjo.dll Idceea32.exe File created C:\Windows\SysWOW64\Knklagmb.exe Kklpekno.exe File created C:\Windows\SysWOW64\Nmmfff32.dll Bjdplm32.exe File opened for modification C:\Windows\SysWOW64\Ecpgmhai.exe Epdkli32.exe File opened for modification C:\Windows\SysWOW64\Fmjejphb.exe Fjlhneio.exe File opened for modification C:\Windows\SysWOW64\Gfmemc32.exe Gdniqh32.exe File opened for modification C:\Windows\SysWOW64\Plfamfpm.exe Pelipl32.exe File opened for modification C:\Windows\SysWOW64\Qbcpbo32.exe Qpecfc32.exe File created C:\Windows\SysWOW64\Bfenbpec.exe Blpjegfm.exe File created C:\Windows\SysWOW64\Bpmiamoh.dll Knklagmb.exe File opened for modification C:\Windows\SysWOW64\Nacgdhlp.exe Nnhkcj32.exe File created C:\Windows\SysWOW64\Ombapedi.exe Ofhick32.exe File opened for modification C:\Windows\SysWOW64\Ocnfbo32.exe Ojfaijcc.exe File created C:\Windows\SysWOW64\Ppmcfdad.dll Dcknbh32.exe File created C:\Windows\SysWOW64\Qmaqpohl.dll Ganpomec.exe File created C:\Windows\SysWOW64\Bhahlj32.exe Aljgfioc.exe File created C:\Windows\SysWOW64\Bmeohn32.dll Baqbenep.exe File created C:\Windows\SysWOW64\Ilqpdm32.exe Iheddndj.exe File created C:\Windows\SysWOW64\Ckccgane.exe Cdikkg32.exe File created C:\Windows\SysWOW64\Iaeiieeb.exe Hlhaqogk.exe File created C:\Windows\SysWOW64\Fmcqoe32.dll Pfdpip32.exe File created C:\Windows\SysWOW64\Hlhaqogk.exe Hjjddchg.exe File opened for modification C:\Windows\SysWOW64\Pciifc32.exe Pbhmnkjf.exe File created C:\Windows\SysWOW64\Idnhde32.dll Pikkiijf.exe File created C:\Windows\SysWOW64\Odoloalf.exe Onecbg32.exe File created C:\Windows\SysWOW64\Cfinoq32.exe Copfbfjj.exe File created C:\Windows\SysWOW64\Hdnaeh32.dll Jbnhng32.exe File created C:\Windows\SysWOW64\Effcma32.exe Eqijej32.exe File created C:\Windows\SysWOW64\Nljddpfe.exe Nilhhdga.exe File opened for modification C:\Windows\SysWOW64\Qkhpkoen.exe Qgmdjp32.exe File opened for modification C:\Windows\SysWOW64\Hdfflm32.exe Hahjpbad.exe File created C:\Windows\SysWOW64\Fmjejphb.exe Fjlhneio.exe File opened for modification C:\Windows\SysWOW64\Enakbp32.exe Dookgcij.exe File created C:\Windows\SysWOW64\Ngibaj32.exe Ngibaj32.exe File created C:\Windows\SysWOW64\Ckmkcoqd.dll Ndpfkdmf.exe File created C:\Windows\SysWOW64\Maodqp32.dll Jbgbni32.exe File created C:\Windows\SysWOW64\Copfbfjj.exe Claifkkf.exe File opened for modification C:\Windows\SysWOW64\Iggkllpe.exe Idhopq32.exe File created C:\Windows\SysWOW64\Jqnejn32.exe Jjdmmdnh.exe File created C:\Windows\SysWOW64\Bgpkceld.dll Aljgfioc.exe File created C:\Windows\SysWOW64\Pokieo32.exe Pmlmic32.exe File created C:\Windows\SysWOW64\Bmhideol.exe Bilmcf32.exe File created C:\Windows\SysWOW64\Aimcgn32.dll Ajphib32.exe File created C:\Windows\SysWOW64\Npagjpcd.exe Nigome32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5812 5868 WerFault.exe 563 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emdipg32.dll" Jqdipqbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlngpjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eeempocb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbgkcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oegbheiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gghcajge.dll" fc9c6a9c2a3ddbbdc2654181fb580f488ad3e403999b5eeb45239ec71aeebf9a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkemkhcd.dll" Pbhmnkjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpncej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocfigjlp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcaomf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gohjaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Poapfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnlqnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maedhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apalea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afiecb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blmdlhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dekpaqgc.dll" Epdkli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlfdkoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gegfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omkepc32.dll" Ndbcpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llcefjgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfgngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epdkli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlhaqogk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnekf32.dll" Jfghif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopcmhp.dll" Kiijnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohfbg32.dll" Inifnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbjochdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmnek32.dll" Anlfbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkhpkoen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pijbfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emmcaafi.dll" Mlibjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolpjf32.dll" Piphee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gccdbl32.dll" Ichllgfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpjdjmfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bagmdc32.dll" Ampqjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmoipopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loinmo32.dll" Cnaocmmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djdfhjik.dll" Mbmjah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ankdiqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnilfo32.dll" Papfegmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgioaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhkpmjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkmmhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqdgkecq.dll" Lollckbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aadloj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bokphdld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gobgcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcbellac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mffimglk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhdgjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kahojc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pklhlael.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqgnokip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iegecigk.dll" Bkaqmeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfbhnaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdikkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoogfn32.dll" Effcma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajdadamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqnfen32.dll" Gfmemc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iipgcaob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odjbdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfaka32.dll" Bejdiffp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1848 wrote to memory of 2156 1848 fc9c6a9c2a3ddbbdc2654181fb580f488ad3e403999b5eeb45239ec71aeebf9a.exe 28 PID 1848 wrote to memory of 2156 1848 fc9c6a9c2a3ddbbdc2654181fb580f488ad3e403999b5eeb45239ec71aeebf9a.exe 28 PID 1848 wrote to memory of 2156 1848 fc9c6a9c2a3ddbbdc2654181fb580f488ad3e403999b5eeb45239ec71aeebf9a.exe 28 PID 1848 wrote to memory of 2156 1848 fc9c6a9c2a3ddbbdc2654181fb580f488ad3e403999b5eeb45239ec71aeebf9a.exe 28 PID 2156 wrote to memory of 2376 2156 Mkjica32.exe 29 PID 2156 wrote to memory of 2376 2156 Mkjica32.exe 29 PID 2156 wrote to memory of 2376 2156 Mkjica32.exe 29 PID 2156 wrote to memory of 2376 2156 Mkjica32.exe 29 PID 2376 wrote to memory of 2768 2376 Magnek32.exe 30 PID 2376 wrote to memory of 2768 2376 Magnek32.exe 30 PID 2376 wrote to memory of 2768 2376 Magnek32.exe 30 PID 2376 wrote to memory of 2768 2376 Magnek32.exe 30 PID 2768 wrote to memory of 2628 2768 Nplkfgoe.exe 31 PID 2768 wrote to memory of 2628 2768 Nplkfgoe.exe 31 PID 2768 wrote to memory of 2628 2768 Nplkfgoe.exe 31 PID 2768 wrote to memory of 2628 2768 Nplkfgoe.exe 31 PID 2628 wrote to memory of 2648 2628 Npnhlg32.exe 32 PID 2628 wrote to memory of 2648 2628 Npnhlg32.exe 32 PID 2628 wrote to memory of 2648 2628 Npnhlg32.exe 32 PID 2628 wrote to memory of 2648 2628 Npnhlg32.exe 32 PID 2648 wrote to memory of 2532 2648 Nghphaeo.exe 33 PID 2648 wrote to memory of 2532 2648 Nghphaeo.exe 33 PID 2648 wrote to memory of 2532 2648 Nghphaeo.exe 33 PID 2648 wrote to memory of 2532 2648 Nghphaeo.exe 33 PID 2532 wrote to memory of 3012 2532 Nofabc32.exe 34 PID 2532 wrote to memory of 3012 2532 Nofabc32.exe 34 PID 2532 wrote to memory of 3012 2532 Nofabc32.exe 34 PID 2532 wrote to memory of 3012 2532 Nofabc32.exe 34 PID 3012 wrote to memory of 2804 3012 Nkmbgdfl.exe 35 PID 3012 wrote to memory of 2804 3012 Nkmbgdfl.exe 35 PID 3012 wrote to memory of 2804 3012 Nkmbgdfl.exe 35 PID 3012 wrote to memory of 2804 3012 Nkmbgdfl.exe 35 PID 2804 wrote to memory of 2028 2804 Okoomd32.exe 36 PID 2804 wrote to memory of 2028 2804 Okoomd32.exe 36 PID 2804 wrote to memory of 2028 2804 Okoomd32.exe 36 PID 2804 wrote to memory of 2028 2804 Okoomd32.exe 36 PID 2028 wrote to memory of 2208 2028 Oomhcbjp.exe 37 PID 2028 wrote to memory of 2208 2028 Oomhcbjp.exe 37 PID 2028 wrote to memory of 2208 2028 Oomhcbjp.exe 37 PID 2028 wrote to memory of 2208 2028 Oomhcbjp.exe 37 PID 2208 wrote to memory of 1956 2208 Odjpkihg.exe 38 PID 2208 wrote to memory of 1956 2208 Odjpkihg.exe 38 PID 2208 wrote to memory of 1956 2208 Odjpkihg.exe 38 PID 2208 wrote to memory of 1956 2208 Odjpkihg.exe 38 PID 1956 wrote to memory of 2404 1956 Ondajnme.exe 39 PID 1956 wrote to memory of 2404 1956 Ondajnme.exe 39 PID 1956 wrote to memory of 2404 1956 Ondajnme.exe 39 PID 1956 wrote to memory of 2404 1956 Ondajnme.exe 39 PID 2404 wrote to memory of 2148 2404 Oenifh32.exe 40 PID 2404 wrote to memory of 2148 2404 Oenifh32.exe 40 PID 2404 wrote to memory of 2148 2404 Oenifh32.exe 40 PID 2404 wrote to memory of 2148 2404 Oenifh32.exe 40 PID 2148 wrote to memory of 2104 2148 Pipopl32.exe 41 PID 2148 wrote to memory of 2104 2148 Pipopl32.exe 41 PID 2148 wrote to memory of 2104 2148 Pipopl32.exe 41 PID 2148 wrote to memory of 2104 2148 Pipopl32.exe 41 PID 2104 wrote to memory of 2088 2104 Pfdpip32.exe 42 PID 2104 wrote to memory of 2088 2104 Pfdpip32.exe 42 PID 2104 wrote to memory of 2088 2104 Pfdpip32.exe 42 PID 2104 wrote to memory of 2088 2104 Pfdpip32.exe 42 PID 2088 wrote to memory of 1476 2088 Pfflopdh.exe 43 PID 2088 wrote to memory of 1476 2088 Pfflopdh.exe 43 PID 2088 wrote to memory of 1476 2088 Pfflopdh.exe 43 PID 2088 wrote to memory of 1476 2088 Pfflopdh.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\fc9c6a9c2a3ddbbdc2654181fb580f488ad3e403999b5eeb45239ec71aeebf9a.exe"C:\Users\Admin\AppData\Local\Temp\fc9c6a9c2a3ddbbdc2654181fb580f488ad3e403999b5eeb45239ec71aeebf9a.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1476 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1792 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:912 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:268 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:600 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1032 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1568 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe36⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe37⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1040 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2200 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:376 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe42⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe43⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe44⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe45⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1092 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe48⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe49⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe50⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe51⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe52⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe53⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe54⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2412 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2172 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe57⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe61⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe62⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe64⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe65⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe66⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe67⤵PID:2552
-
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe69⤵PID:1468
-
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe70⤵PID:448
-
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe71⤵PID:1296
-
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1388 -
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe73⤵PID:1564
-
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe74⤵PID:2304
-
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe75⤵PID:2380
-
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe76⤵
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2724 -
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe78⤵PID:2536
-
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe79⤵PID:2632
-
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe80⤵PID:2832
-
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe81⤵PID:2140
-
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe82⤵
- Drops file in System32 directory
PID:952 -
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe83⤵PID:272
-
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:880 -
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe85⤵PID:2916
-
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe86⤵PID:772
-
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe87⤵
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe88⤵PID:1132
-
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1308 -
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe90⤵PID:1360
-
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe91⤵
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe92⤵PID:1732
-
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe93⤵PID:2144
-
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:856 -
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe95⤵PID:2636
-
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe96⤵PID:2864
-
C:\Windows\SysWOW64\Gfefiemq.exeC:\Windows\system32\Gfefiemq.exe97⤵PID:2516
-
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe98⤵
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Glaoalkh.exeC:\Windows\system32\Glaoalkh.exe99⤵PID:1784
-
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe100⤵PID:1972
-
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe101⤵PID:1676
-
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe102⤵PID:308
-
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe103⤵PID:2240
-
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe104⤵
- Modifies registry class
PID:496 -
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe105⤵PID:2160
-
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe106⤵PID:1048
-
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe107⤵
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:892 -
C:\Windows\SysWOW64\Ghmiam32.exeC:\Windows\system32\Ghmiam32.exe109⤵PID:2116
-
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe110⤵PID:1536
-
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe111⤵PID:2512
-
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe112⤵PID:2808
-
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe113⤵
- Drops file in System32 directory
PID:2396 -
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe114⤵PID:2252
-
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe115⤵PID:2976
-
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe116⤵PID:1012
-
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe117⤵
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Hejoiedd.exeC:\Windows\system32\Hejoiedd.exe118⤵PID:1160
-
C:\Windows\SysWOW64\Hpocfncj.exeC:\Windows\system32\Hpocfncj.exe119⤵PID:876
-
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe120⤵PID:1692
-
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe121⤵PID:2720
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-