Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
25/05/2024, 02:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c05ed1f761d01bbdf53ff8e1e2053e8c7a10febe9139e714079550414e20ae77.exe
Resource
win7-20240215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
c05ed1f761d01bbdf53ff8e1e2053e8c7a10febe9139e714079550414e20ae77.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
c05ed1f761d01bbdf53ff8e1e2053e8c7a10febe9139e714079550414e20ae77.exe
-
Size
62KB
-
MD5
41b6ac1317795f815648bc057bcfdfe1
-
SHA1
d936f709a80e31e716dc77b0a119f6b0ab79aaa2
-
SHA256
c05ed1f761d01bbdf53ff8e1e2053e8c7a10febe9139e714079550414e20ae77
-
SHA512
6d55aa2a656e0b108ec4570d9a03b79194ea7eb0af1e42dafc8b4f330b80bcf9cc082e5ff779efdf80888d1956ce20b2a659e5f6955b21ea6cbc98ee7bc98c23
-
SSDEEP
1536:s5m70zZkTOHgywB0ApREFyLvy+9ve8Cy:z0zO0AnLvJ9ve8
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdopkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhkbkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaaoij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dolnad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peiljl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoffmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgmkmecg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgmglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aipddi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofbfdmeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqelenlc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeempocb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfcnngnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jejhecaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lefdpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhbped32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nacgdhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngkmnacm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nofabc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdapak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fddmgjpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baakhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceodnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dojald32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgplkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfokbnip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmicohqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aehboi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edkcojga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejkima32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlhnbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjdbnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlcgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnoomqbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpbefoai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aadloj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfbccp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkkalk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiondcpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jokcgmee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coelaaoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfflopdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnpmipql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikddbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nejiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhdlkdkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djhphncm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egllae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Echfaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjijdadm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccfhhffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfefiemq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaemjbcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhgmpfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mohbip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piblek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlhnbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddeaalpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddagfm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eajaoq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehgppi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jiondcpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oobjaqaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aljgfioc.exe -
Executes dropped EXE 64 IoCs
pid Process 3028 Mlgigdoh.exe 2588 Mdcnlglc.exe 2276 Mohbip32.exe 2732 Magnek32.exe 2468 Mgcgmb32.exe 2440 Nnnojlpa.exe 2132 Nkaocp32.exe 2692 Nlblkhei.exe 2764 Ndjdlffl.exe 548 Nghphaeo.exe 1912 Njgldmdc.exe 2540 Nleiqhcg.exe 1536 Nocemcbj.exe 2280 Ngkmnacm.exe 1296 Njiijlbp.exe 536 Nlgefh32.exe 1488 Nofabc32.exe 3000 Ncancbha.exe 3064 Nbdnoo32.exe 1808 Njkfpl32.exe 1572 Nohnhc32.exe 952 Nccjhafn.exe 908 Ofbfdmeb.exe 2868 Odegpj32.exe 2176 Omloag32.exe 2056 Oojknblb.exe 2600 Ofdcjm32.exe 2656 Ogfpbeim.exe 2356 Okalbc32.exe 2612 Oghlgdgk.exe 2372 Oqqapjnk.exe 2364 Oelmai32.exe 1824 Ogjimd32.exe 816 Ondajnme.exe 2884 Oqcnfjli.exe 1504 Oenifh32.exe 1980 Ofpfnqjp.exe 1444 Ojkboo32.exe 588 Pminkk32.exe 1660 Paejki32.exe 1344 Pccfge32.exe 1140 Pfbccp32.exe 480 Pjmodopf.exe 916 Pipopl32.exe 2076 Paggai32.exe 2996 Ppjglfon.exe 1680 Pbiciana.exe 2648 Pfdpip32.exe 2824 Piblek32.exe 2268 Pmnhfjmg.exe 792 Plahag32.exe 2476 Ppmdbe32.exe 2668 Pchpbded.exe 2616 Pfflopdh.exe 344 Pfflopdh.exe 2760 Peiljl32.exe 2200 Piehkkcl.exe 2092 Pmqdkj32.exe 764 Plcdgfbo.exe 2376 Ppoqge32.exe 2508 Pbmmcq32.exe 2272 Pfiidobe.exe 1092 Pelipl32.exe 992 Pigeqkai.exe -
Loads dropped DLL 64 IoCs
pid Process 2040 c05ed1f761d01bbdf53ff8e1e2053e8c7a10febe9139e714079550414e20ae77.exe 2040 c05ed1f761d01bbdf53ff8e1e2053e8c7a10febe9139e714079550414e20ae77.exe 3028 Mlgigdoh.exe 3028 Mlgigdoh.exe 2588 Mdcnlglc.exe 2588 Mdcnlglc.exe 2276 Mohbip32.exe 2276 Mohbip32.exe 2732 Magnek32.exe 2732 Magnek32.exe 2468 Mgcgmb32.exe 2468 Mgcgmb32.exe 2440 Nnnojlpa.exe 2440 Nnnojlpa.exe 2132 Nkaocp32.exe 2132 Nkaocp32.exe 2692 Nlblkhei.exe 2692 Nlblkhei.exe 2764 Ndjdlffl.exe 2764 Ndjdlffl.exe 548 Nghphaeo.exe 548 Nghphaeo.exe 1912 Njgldmdc.exe 1912 Njgldmdc.exe 2540 Nleiqhcg.exe 2540 Nleiqhcg.exe 1536 Nocemcbj.exe 1536 Nocemcbj.exe 2280 Ngkmnacm.exe 2280 Ngkmnacm.exe 1296 Njiijlbp.exe 1296 Njiijlbp.exe 536 Nlgefh32.exe 536 Nlgefh32.exe 1488 Nofabc32.exe 1488 Nofabc32.exe 3000 Ncancbha.exe 3000 Ncancbha.exe 3064 Nbdnoo32.exe 3064 Nbdnoo32.exe 1808 Njkfpl32.exe 1808 Njkfpl32.exe 1572 Nohnhc32.exe 1572 Nohnhc32.exe 952 Nccjhafn.exe 952 Nccjhafn.exe 908 Ofbfdmeb.exe 908 Ofbfdmeb.exe 2868 Odegpj32.exe 2868 Odegpj32.exe 2176 Omloag32.exe 2176 Omloag32.exe 2056 Oojknblb.exe 2056 Oojknblb.exe 2600 Ofdcjm32.exe 2600 Ofdcjm32.exe 2656 Ogfpbeim.exe 2656 Ogfpbeim.exe 2356 Okalbc32.exe 2356 Okalbc32.exe 2612 Oghlgdgk.exe 2612 Oghlgdgk.exe 2372 Oqqapjnk.exe 2372 Oqqapjnk.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fmhheqje.exe Fjilieka.exe File opened for modification C:\Windows\SysWOW64\Pqkmjh32.exe Pnlqnl32.exe File created C:\Windows\SysWOW64\Aelcmdee.dll Qfahhm32.exe File opened for modification C:\Windows\SysWOW64\Albjlcao.exe Aidnohbk.exe File opened for modification C:\Windows\SysWOW64\Pabjem32.exe Pndniaop.exe File created C:\Windows\SysWOW64\Fqpjbf32.dll Cfbhnaho.exe File created C:\Windows\SysWOW64\Cciemedf.exe Cpjiajeb.exe File created C:\Windows\SysWOW64\Dhflmk32.dll Dchali32.exe File created C:\Windows\SysWOW64\Ahikqd32.exe Adnopfoj.exe File created C:\Windows\SysWOW64\Oegjkb32.dll Bfadgq32.exe File created C:\Windows\SysWOW64\Epjomppp.dll Dhnmij32.exe File opened for modification C:\Windows\SysWOW64\Ednpej32.exe Eqbddk32.exe File created C:\Windows\SysWOW64\Ooghhh32.dll Ghkllmoi.exe File opened for modification C:\Windows\SysWOW64\Lpdbloof.exe Lhmjkaoc.exe File created C:\Windows\SysWOW64\Bioqclil.exe Bjlqhoba.exe File opened for modification C:\Windows\SysWOW64\Chpmpg32.exe Cddaphkn.exe File created C:\Windows\SysWOW64\Dbpodagk.exe Cndbcc32.exe File created C:\Windows\SysWOW64\Qahefm32.dll Gpmjak32.exe File opened for modification C:\Windows\SysWOW64\Aidnohbk.exe Aehboi32.exe File created C:\Windows\SysWOW64\Chpmpg32.exe Cddaphkn.exe File created C:\Windows\SysWOW64\Blmdlhmp.exe Bhahlj32.exe File created C:\Windows\SysWOW64\Kifjcn32.dll Ffbicfoc.exe File created C:\Windows\SysWOW64\Chbjffad.exe Cdgneh32.exe File created C:\Windows\SysWOW64\Faagpp32.exe Fmekoalh.exe File opened for modification C:\Windows\SysWOW64\Oikojfgk.exe Odobjg32.exe File opened for modification C:\Windows\SysWOW64\Pqhpdhcc.exe Pbfpik32.exe File created C:\Windows\SysWOW64\Aplpai32.exe Amndem32.exe File opened for modification C:\Windows\SysWOW64\Baildokg.exe Bokphdld.exe File created C:\Windows\SysWOW64\Iiciogbn.dll Cljcelan.exe File created C:\Windows\SysWOW64\Ckffgg32.exe Cbnbobin.exe File created C:\Windows\SysWOW64\Higdqfol.dll Pabjem32.exe File created C:\Windows\SysWOW64\Admemg32.exe Apajlhka.exe File opened for modification C:\Windows\SysWOW64\Amhpnkch.exe Ajjcbpdd.exe File created C:\Windows\SysWOW64\Dpiddoma.dll Cohigamf.exe File created C:\Windows\SysWOW64\Addnil32.dll Ghfbqn32.exe File opened for modification C:\Windows\SysWOW64\Anojbobe.exe Aplifb32.exe File created C:\Windows\SysWOW64\Dknekeef.exe Dlkepi32.exe File created C:\Windows\SysWOW64\Ppoqge32.exe Plcdgfbo.exe File opened for modification C:\Windows\SysWOW64\Dkhcmgnl.exe Dgmglh32.exe File created C:\Windows\SysWOW64\Epieghdk.exe Elmigj32.exe File created C:\Windows\SysWOW64\Cmbmkg32.dll Feeiob32.exe File opened for modification C:\Windows\SysWOW64\Dggcffhg.exe Dhdcji32.exe File created C:\Windows\SysWOW64\Abpfhcje.exe Admemg32.exe File created C:\Windows\SysWOW64\Ncolgf32.dll Hiqbndpb.exe File created C:\Windows\SysWOW64\Dfnfdcqd.dll Mpfkqb32.exe File created C:\Windows\SysWOW64\Focnmm32.dll Dbkknojp.exe File opened for modification C:\Windows\SysWOW64\Jchafg32.dll Dogefd32.exe File created C:\Windows\SysWOW64\Plcdgfbo.exe Pmqdkj32.exe File created C:\Windows\SysWOW64\Bhhnli32.exe Bdlblj32.exe File created C:\Windows\SysWOW64\Gonnhhln.exe Gpknlk32.exe File opened for modification C:\Windows\SysWOW64\Kgbggnhc.exe Kcfkfo32.exe File created C:\Windows\SysWOW64\Hpjbaocl.dll Meccii32.exe File opened for modification C:\Windows\SysWOW64\Ohfeog32.exe Ojcecjee.exe File created C:\Windows\SysWOW64\Gbolehjh.dll Ebedndfa.exe File opened for modification C:\Windows\SysWOW64\Egamfkdh.exe Eiomkn32.exe File created C:\Windows\SysWOW64\Fehjeo32.exe Ealnephf.exe File created C:\Windows\SysWOW64\Jokcgmee.exe Jiakjb32.exe File opened for modification C:\Windows\SysWOW64\Bingpmnl.exe Bagpopmj.exe File created C:\Windows\SysWOW64\Kjljhjkl.exe Kcbakpdo.exe File created C:\Windows\SysWOW64\Pqhpdhcc.exe Pbfpik32.exe File created C:\Windows\SysWOW64\Qonlfkdd.dll Peiljl32.exe File created C:\Windows\SysWOW64\Hicodd32.exe Hkpnhgge.exe File created C:\Windows\SysWOW64\Qbgpffch.dll Ccngld32.exe File created C:\Windows\SysWOW64\Mledlaqd.dll Dfffnn32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7936 7912 WerFault.exe 741 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Magnek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmceigep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkcofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fejgko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlakpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlibjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcghbk32.dll" Qmicohqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbcapg.dll" Gmgdddmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jiakjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmicohqm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdcnlglc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqqapjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dialipcb.dll" Piblek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpdhklkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Galmmc32.dll" Dolnad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcgeaj32.dll" Plahag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Penfelgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikeogmlj.dll" Bkdmcdoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaaoij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eecqjpee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcaciakh.dll" Gaemjbcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngnbgplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njabih32.dll" Boqbfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckffgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlhaqogk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfdjhndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apajlhka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdlblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Focnmm32.dll" Dbkknojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amdhhh32.dll" Nlbeqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djihnh32.dll" Pjhknm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emeopn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebgacddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nehmdhja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpioaoic.dll" Qmicohqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nghphaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iklgpmjo.dll" Ckignd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiciogbn.dll" Cljcelan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anapbp32.dll" Dqhhknjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbfabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqqapjnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eiaiqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgcpp32.dll" Ghmiam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbgan32.dll" Henidd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gejcjbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakmkaok.dll" Onmdoioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aadloj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Effcma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enhacojl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nondgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aidnohbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adpkee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blpjegfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amfcikek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dndlim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qaefjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkpnhgge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npdjje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aehboi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjlhneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidengnp.dll" Anlmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqmmidel.dll" Mmahdggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbnhng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmfbogcn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2040 wrote to memory of 3028 2040 c05ed1f761d01bbdf53ff8e1e2053e8c7a10febe9139e714079550414e20ae77.exe 28 PID 2040 wrote to memory of 3028 2040 c05ed1f761d01bbdf53ff8e1e2053e8c7a10febe9139e714079550414e20ae77.exe 28 PID 2040 wrote to memory of 3028 2040 c05ed1f761d01bbdf53ff8e1e2053e8c7a10febe9139e714079550414e20ae77.exe 28 PID 2040 wrote to memory of 3028 2040 c05ed1f761d01bbdf53ff8e1e2053e8c7a10febe9139e714079550414e20ae77.exe 28 PID 3028 wrote to memory of 2588 3028 Mlgigdoh.exe 29 PID 3028 wrote to memory of 2588 3028 Mlgigdoh.exe 29 PID 3028 wrote to memory of 2588 3028 Mlgigdoh.exe 29 PID 3028 wrote to memory of 2588 3028 Mlgigdoh.exe 29 PID 2588 wrote to memory of 2276 2588 Mdcnlglc.exe 30 PID 2588 wrote to memory of 2276 2588 Mdcnlglc.exe 30 PID 2588 wrote to memory of 2276 2588 Mdcnlglc.exe 30 PID 2588 wrote to memory of 2276 2588 Mdcnlglc.exe 30 PID 2276 wrote to memory of 2732 2276 Mohbip32.exe 31 PID 2276 wrote to memory of 2732 2276 Mohbip32.exe 31 PID 2276 wrote to memory of 2732 2276 Mohbip32.exe 31 PID 2276 wrote to memory of 2732 2276 Mohbip32.exe 31 PID 2732 wrote to memory of 2468 2732 Magnek32.exe 32 PID 2732 wrote to memory of 2468 2732 Magnek32.exe 32 PID 2732 wrote to memory of 2468 2732 Magnek32.exe 32 PID 2732 wrote to memory of 2468 2732 Magnek32.exe 32 PID 2468 wrote to memory of 2440 2468 Mgcgmb32.exe 33 PID 2468 wrote to memory of 2440 2468 Mgcgmb32.exe 33 PID 2468 wrote to memory of 2440 2468 Mgcgmb32.exe 33 PID 2468 wrote to memory of 2440 2468 Mgcgmb32.exe 33 PID 2440 wrote to memory of 2132 2440 Nnnojlpa.exe 34 PID 2440 wrote to memory of 2132 2440 Nnnojlpa.exe 34 PID 2440 wrote to memory of 2132 2440 Nnnojlpa.exe 34 PID 2440 wrote to memory of 2132 2440 Nnnojlpa.exe 34 PID 2132 wrote to memory of 2692 2132 Nkaocp32.exe 35 PID 2132 wrote to memory of 2692 2132 Nkaocp32.exe 35 PID 2132 wrote to memory of 2692 2132 Nkaocp32.exe 35 PID 2132 wrote to memory of 2692 2132 Nkaocp32.exe 35 PID 2692 wrote to memory of 2764 2692 Nlblkhei.exe 36 PID 2692 wrote to memory of 2764 2692 Nlblkhei.exe 36 PID 2692 wrote to memory of 2764 2692 Nlblkhei.exe 36 PID 2692 wrote to memory of 2764 2692 Nlblkhei.exe 36 PID 2764 wrote to memory of 548 2764 Ndjdlffl.exe 37 PID 2764 wrote to memory of 548 2764 Ndjdlffl.exe 37 PID 2764 wrote to memory of 548 2764 Ndjdlffl.exe 37 PID 2764 wrote to memory of 548 2764 Ndjdlffl.exe 37 PID 548 wrote to memory of 1912 548 Nghphaeo.exe 38 PID 548 wrote to memory of 1912 548 Nghphaeo.exe 38 PID 548 wrote to memory of 1912 548 Nghphaeo.exe 38 PID 548 wrote to memory of 1912 548 Nghphaeo.exe 38 PID 1912 wrote to memory of 2540 1912 Njgldmdc.exe 39 PID 1912 wrote to memory of 2540 1912 Njgldmdc.exe 39 PID 1912 wrote to memory of 2540 1912 Njgldmdc.exe 39 PID 1912 wrote to memory of 2540 1912 Njgldmdc.exe 39 PID 2540 wrote to memory of 1536 2540 Nleiqhcg.exe 40 PID 2540 wrote to memory of 1536 2540 Nleiqhcg.exe 40 PID 2540 wrote to memory of 1536 2540 Nleiqhcg.exe 40 PID 2540 wrote to memory of 1536 2540 Nleiqhcg.exe 40 PID 1536 wrote to memory of 2280 1536 Nocemcbj.exe 41 PID 1536 wrote to memory of 2280 1536 Nocemcbj.exe 41 PID 1536 wrote to memory of 2280 1536 Nocemcbj.exe 41 PID 1536 wrote to memory of 2280 1536 Nocemcbj.exe 41 PID 2280 wrote to memory of 1296 2280 Ngkmnacm.exe 42 PID 2280 wrote to memory of 1296 2280 Ngkmnacm.exe 42 PID 2280 wrote to memory of 1296 2280 Ngkmnacm.exe 42 PID 2280 wrote to memory of 1296 2280 Ngkmnacm.exe 42 PID 1296 wrote to memory of 536 1296 Njiijlbp.exe 43 PID 1296 wrote to memory of 536 1296 Njiijlbp.exe 43 PID 1296 wrote to memory of 536 1296 Njiijlbp.exe 43 PID 1296 wrote to memory of 536 1296 Njiijlbp.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\c05ed1f761d01bbdf53ff8e1e2053e8c7a10febe9139e714079550414e20ae77.exe"C:\Users\Admin\AppData\Local\Temp\c05ed1f761d01bbdf53ff8e1e2053e8c7a10febe9139e714079550414e20ae77.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:536 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1488 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3000 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1808 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:952 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:908 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2056 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2356 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe33⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe34⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe35⤵
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe36⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe37⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe38⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe39⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe40⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe41⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe42⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe44⤵
- Executes dropped EXE
PID:480 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe45⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe46⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe47⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe48⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe49⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe51⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:792 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe53⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe54⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe55⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:344 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe58⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:764 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe61⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe62⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe63⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe64⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe65⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe66⤵PID:360
-
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe67⤵PID:1056
-
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe68⤵PID:1956
-
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe69⤵PID:1620
-
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe70⤵
- Drops file in System32 directory
PID:3052 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe71⤵
- Drops file in System32 directory
PID:3020 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe72⤵
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe73⤵PID:960
-
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe74⤵PID:2448
-
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1596 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe76⤵PID:2576
-
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe77⤵PID:1612
-
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe78⤵
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe79⤵PID:2560
-
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe80⤵PID:2284
-
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe81⤵PID:2892
-
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe82⤵PID:784
-
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe83⤵PID:1480
-
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe84⤵PID:2960
-
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe85⤵PID:680
-
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe86⤵PID:1812
-
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe87⤵PID:2976
-
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe88⤵
- Drops file in System32 directory
PID:868 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe89⤵PID:2632
-
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe90⤵PID:1644
-
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe91⤵PID:1804
-
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe92⤵PID:2580
-
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe93⤵PID:2932
-
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe94⤵PID:2796
-
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe95⤵PID:2772
-
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe96⤵PID:1768
-
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe97⤵PID:2496
-
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe98⤵PID:2676
-
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe99⤵
- Drops file in System32 directory
- Modifies registry class
PID:1112 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe100⤵
- Drops file in System32 directory
PID:668 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe101⤵PID:2844
-
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe102⤵PID:1352
-
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe103⤵PID:2228
-
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe104⤵PID:2836
-
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe105⤵PID:2524
-
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe106⤵PID:1764
-
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2804 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe108⤵PID:2180
-
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe109⤵PID:2684
-
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe110⤵PID:3032
-
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1960 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe112⤵PID:1720
-
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe113⤵
- Drops file in System32 directory
PID:1172 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe114⤵PID:2244
-
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe115⤵
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe116⤵PID:2108
-
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe117⤵
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe118⤵PID:2412
-
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe119⤵PID:2520
-
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe120⤵PID:2336
-
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe121⤵PID:356
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-