Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
14/06/2024, 21:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5b4427d85d182f695e3f856eb67208d4e5878d61c2f1fbde1329a69d5d94229c.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
5b4427d85d182f695e3f856eb67208d4e5878d61c2f1fbde1329a69d5d94229c.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
5b4427d85d182f695e3f856eb67208d4e5878d61c2f1fbde1329a69d5d94229c.exe
-
Size
128KB
-
MD5
3e12c13c13d30cc723c7995df1c95e4c
-
SHA1
0a1b9a7a382f2949e175cf91b4e3928027652ac4
-
SHA256
5b4427d85d182f695e3f856eb67208d4e5878d61c2f1fbde1329a69d5d94229c
-
SHA512
ea11011bb37ec346b9a17649f65315bdc118231ef6592081a0b72e8b13ae3c55d2b6157671e87a9b544d5ce859e775f2302e5276c5663e940295cce66b6b8502
-
SSDEEP
1536:OMOkMthI2FuscoTIo6UbzhALdh6M0KKw1oRQDZRfRa9HprmRfRJCLIXG:OM9MC86mtApeKieDZ5wkpHxG
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nkmbgdfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddeaalpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmlnoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqideepg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiinen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdlnkmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eloemi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbijhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gddifnbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiqbndpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cgcmlcja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pccfge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjmodopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aoffmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hjhhocjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kmmcjehm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcpofbjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qfokbnip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afohaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdccfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Emeopn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Logbhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eeempocb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keoapb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpigfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qlkdkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aekodi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bafidiio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdakgibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dfgmhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eloemi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moiklogi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqmmpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aipddi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amkpegnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ednpej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eplkpgnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mpbaebdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bhigphio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceodnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekhhadmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mpjoqhah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Penfelgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgidao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbqabkql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkmfhacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pnbacbac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdhhqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbdqmghm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gopkmhjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmocpado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Naajoinb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biamilfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fjgoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Goddhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aidnohbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Madapkmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngkmnacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Limfed32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnhkcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pciifc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjenhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Efncicpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cahail32.exe -
Executes dropped EXE 64 IoCs
pid Process 2632 Madapkmp.exe 2740 Mkmfhacp.exe 2664 Mpjoqhah.exe 2920 Mkobnqan.exe 2736 Nplkfgoe.exe 1748 Ngfcca32.exe 2608 Njdpomfe.exe 2224 Ndjdlffl.exe 1768 Ndjdlffl.exe 2000 Njgldmdc.exe 2880 Ngkmnacm.exe 2436 Nhlifi32.exe 1620 Nofabc32.exe 1776 Nbdnoo32.exe 2108 Nkmbgdfl.exe 1872 Nbfjdn32.exe 776 Omloag32.exe 1504 Okoomd32.exe 1876 Obigjnkf.exe 1040 Ofdcjm32.exe 1764 Okalbc32.exe 2992 Obkdonic.exe 1196 Okchhc32.exe 1948 Ojficpfn.exe 2856 Oqqapjnk.exe 2944 Ocomlemo.exe 2272 Ondajnme.exe 2768 Oqcnfjli.exe 2848 Oenifh32.exe 1380 Ofpfnqjp.exe 940 Ongnonkb.exe 2584 Pccfge32.exe 2052 Pjmodopf.exe 2076 Ppjglfon.exe 2116 Pcfcmd32.exe 2804 Pbiciana.exe 2816 Plahag32.exe 3060 Pbkpna32.exe 1680 Pfflopdh.exe 1900 Plcdgfbo.exe 2064 Pnbacbac.exe 2240 Phjelg32.exe 1172 Ppamme32.exe 2320 Penfelgm.exe 3036 Pijbfj32.exe 1008 Qnfjna32.exe 1048 Qbbfopeg.exe 2396 Qdccfh32.exe 872 Qljkhe32.exe 2408 Qnigda32.exe 2056 Qagcpljo.exe 2760 Qecoqk32.exe 1892 Ahakmf32.exe 2712 Ankdiqih.exe 848 Aajpelhl.exe 2488 Ahchbf32.exe 2948 Ajbdna32.exe 1920 Ampqjm32.exe 2876 Apomfh32.exe 2260 Adjigg32.exe 2300 Afiecb32.exe 2244 Ambmpmln.exe 2008 Alenki32.exe 572 Aiinen32.exe -
Loads dropped DLL 64 IoCs
pid Process 2344 5b4427d85d182f695e3f856eb67208d4e5878d61c2f1fbde1329a69d5d94229c.exe 2344 5b4427d85d182f695e3f856eb67208d4e5878d61c2f1fbde1329a69d5d94229c.exe 2632 Madapkmp.exe 2632 Madapkmp.exe 2740 Mkmfhacp.exe 2740 Mkmfhacp.exe 2664 Mpjoqhah.exe 2664 Mpjoqhah.exe 2920 Mkobnqan.exe 2920 Mkobnqan.exe 2736 Nplkfgoe.exe 2736 Nplkfgoe.exe 1748 Ngfcca32.exe 1748 Ngfcca32.exe 2608 Njdpomfe.exe 2608 Njdpomfe.exe 2224 Ndjdlffl.exe 2224 Ndjdlffl.exe 1768 Ndjdlffl.exe 1768 Ndjdlffl.exe 2000 Njgldmdc.exe 2000 Njgldmdc.exe 2880 Ngkmnacm.exe 2880 Ngkmnacm.exe 2436 Nhlifi32.exe 2436 Nhlifi32.exe 1620 Nofabc32.exe 1620 Nofabc32.exe 1776 Nbdnoo32.exe 1776 Nbdnoo32.exe 2108 Nkmbgdfl.exe 2108 Nkmbgdfl.exe 1872 Nbfjdn32.exe 1872 Nbfjdn32.exe 776 Omloag32.exe 776 Omloag32.exe 1504 Okoomd32.exe 1504 Okoomd32.exe 1876 Obigjnkf.exe 1876 Obigjnkf.exe 1040 Ofdcjm32.exe 1040 Ofdcjm32.exe 1764 Okalbc32.exe 1764 Okalbc32.exe 2992 Obkdonic.exe 2992 Obkdonic.exe 1196 Okchhc32.exe 1196 Okchhc32.exe 1948 Ojficpfn.exe 1948 Ojficpfn.exe 2856 Oqqapjnk.exe 2856 Oqqapjnk.exe 2944 Ocomlemo.exe 2944 Ocomlemo.exe 2272 Ondajnme.exe 2272 Ondajnme.exe 2768 Oqcnfjli.exe 2768 Oqcnfjli.exe 2848 Oenifh32.exe 2848 Oenifh32.exe 1380 Ofpfnqjp.exe 1380 Ofpfnqjp.exe 940 Ongnonkb.exe 940 Ongnonkb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Peinaf32.dll Nplkfgoe.exe File created C:\Windows\SysWOW64\Hlakpp32.exe Hicodd32.exe File created C:\Windows\SysWOW64\Mgnfhlin.exe Mgljbm32.exe File created C:\Windows\SysWOW64\Nondgn32.exe Nkbhgojk.exe File opened for modification C:\Windows\SysWOW64\Ilknfn32.exe Idceea32.exe File created C:\Windows\SysWOW64\Cibgai32.dll Alhjai32.exe File opened for modification C:\Windows\SysWOW64\Cpeofk32.exe Cljcelan.exe File created C:\Windows\SysWOW64\Dkhcmgnl.exe Dhjgal32.exe File created C:\Windows\SysWOW64\Ndabhn32.dll Hlakpp32.exe File created C:\Windows\SysWOW64\Cgcmlcja.exe Cddaphkn.exe File created C:\Windows\SysWOW64\Pljpdpao.dll Hcnpbi32.exe File created C:\Windows\SysWOW64\Incpoe32.exe Ikddbj32.exe File opened for modification C:\Windows\SysWOW64\Ofhick32.exe Ocimgp32.exe File created C:\Windows\SysWOW64\Nkemkhcd.dll Pefijfii.exe File opened for modification C:\Windows\SysWOW64\Ahlgfdeq.exe Adpkee32.exe File created C:\Windows\SysWOW64\Niaokh32.dll Ikddbj32.exe File created C:\Windows\SysWOW64\Fqiaclmk.dll Pdaoog32.exe File opened for modification C:\Windows\SysWOW64\Alpmfdcb.exe Aibajhdn.exe File opened for modification C:\Windows\SysWOW64\Bokphdld.exe Blmdlhmp.exe File created C:\Windows\SysWOW64\Ajejgp32.exe Albjlcao.exe File opened for modification C:\Windows\SysWOW64\Ppjglfon.exe Pjmodopf.exe File opened for modification C:\Windows\SysWOW64\Ebbgid32.exe Epdkli32.exe File opened for modification C:\Windows\SysWOW64\Kcfkfo32.exe Kahojc32.exe File opened for modification C:\Windows\SysWOW64\Cahail32.exe Cnmehnan.exe File created C:\Windows\SysWOW64\Dhhlgc32.dll Ekelld32.exe File created C:\Windows\SysWOW64\Ddbkoipg.dll Ofpfnqjp.exe File created C:\Windows\SysWOW64\Bgmefakc.dll Ooeggp32.exe File created C:\Windows\SysWOW64\Pflomnkb.exe Pjenhm32.exe File opened for modification C:\Windows\SysWOW64\Aaobdjof.exe Anafhopc.exe File opened for modification C:\Windows\SysWOW64\Bifgdk32.exe Bghjhp32.exe File created C:\Windows\SysWOW64\Jeahel32.dll Aiinen32.exe File opened for modification C:\Windows\SysWOW64\Jgidao32.exe Jifdebic.exe File created C:\Windows\SysWOW64\Kgkafo32.exe Kihqkagp.exe File created C:\Windows\SysWOW64\Lklohbmo.dll Cjfccn32.exe File created C:\Windows\SysWOW64\Dfdjhndl.exe Dcenlceh.exe File opened for modification C:\Windows\SysWOW64\Qcbllb32.exe Qlkdkd32.exe File created C:\Windows\SysWOW64\Pfioffab.dll Albjlcao.exe File created C:\Windows\SysWOW64\Geiiogja.dll Bmkmdk32.exe File opened for modification C:\Windows\SysWOW64\Dnlidb32.exe Djpmccqq.exe File opened for modification C:\Windows\SysWOW64\Qcpofbjl.exe Qpecfc32.exe File opened for modification C:\Windows\SysWOW64\Leajdfnm.exe Lafndg32.exe File opened for modification C:\Windows\SysWOW64\Ofjfhk32.exe Obojhlbq.exe File created C:\Windows\SysWOW64\Kafbec32.exe Kngfih32.exe File opened for modification C:\Windows\SysWOW64\Knjbnh32.exe Kfbkmk32.exe File opened for modification C:\Windows\SysWOW64\Mppepcfg.exe Mmahdggc.exe File created C:\Windows\SysWOW64\Ealnephf.exe Ebinic32.exe File created C:\Windows\SysWOW64\Bkddcl32.dll Pqhpdhcc.exe File opened for modification C:\Windows\SysWOW64\Oqcnfjli.exe Ondajnme.exe File opened for modification C:\Windows\SysWOW64\Ongnonkb.exe Ofpfnqjp.exe File created C:\Windows\SysWOW64\Qdccfh32.exe Qbbfopeg.exe File created C:\Windows\SysWOW64\Dlcdphdj.dll Chemfl32.exe File created C:\Windows\SysWOW64\Joplbl32.exe Jgidao32.exe File opened for modification C:\Windows\SysWOW64\Ecmkgokh.dll Icbimi32.exe File opened for modification C:\Windows\SysWOW64\Kfegbj32.exe Kgbggnhc.exe File opened for modification C:\Windows\SysWOW64\Pcfcmd32.exe Ppjglfon.exe File opened for modification C:\Windows\SysWOW64\Ocgpappk.exe Oqideepg.exe File created C:\Windows\SysWOW64\Oqmmpd32.exe Ohfeog32.exe File created C:\Windows\SysWOW64\Aemkjiem.exe Amfcikek.exe File created C:\Windows\SysWOW64\Bdbhke32.exe Aadloj32.exe File created C:\Windows\SysWOW64\Mcaiqm32.dll Oikojfgk.exe File created C:\Windows\SysWOW64\Jjjacf32.exe Ifnechbj.exe File created C:\Windows\SysWOW64\Aadloj32.exe Aoepcn32.exe File opened for modification C:\Windows\SysWOW64\Eqijej32.exe Emnndlod.exe File created C:\Windows\SysWOW64\Ebjglbml.exe Eplkpgnh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5124 6092 WerFault.exe 567 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fmcoja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Limfed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjkbhikj.dll" Qpecfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bcaomf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Apimacnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fmhheqje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpkjko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aamfnkai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kneicieh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lkncmmle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Emieil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Enhacojl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Epaogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kjjmbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lemaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fpfdalii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jknpfqoh.dll" Mihiih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ondajnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahpjhc32.dll" Gejcjbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jobjlngg.dll" Ifcbodli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kjjmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ojolhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmkmdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cnobnmpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkddnkjk.dll" Ambmpmln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmeohn32.dll" Bpcbqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ddagfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Okikfagn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dndlim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqdeaqb.dll" Dlkepi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdnbg32.dll" Eijcpoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcaipkch.dll" Ghmiam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ifcbodli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kaklpcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lmolnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bkommo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bplpldoa.dll" Bfenbpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ocomlemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoflni32.dll" Comimg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ifnechbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cckace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll" Gldkfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hgdbhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hlfdkoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abqjpn32.dll" Jokcgmee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 5b4427d85d182f695e3f856eb67208d4e5878d61c2f1fbde1329a69d5d94229c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cljcelan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhfilfi.dll" Cfeddafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ohfeog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jfghif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mcegmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmeidehe.dll" Nnennj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogilika.dll" Dgjclbdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gkkemh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hckcmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fahgfoih.dll" Cghggc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Feeiob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Keoapb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jbnhng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lmolnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekjajfei.dll" Bppoqeja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ejbfhfaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lafndg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Blbfjg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2344 wrote to memory of 2632 2344 5b4427d85d182f695e3f856eb67208d4e5878d61c2f1fbde1329a69d5d94229c.exe 28 PID 2344 wrote to memory of 2632 2344 5b4427d85d182f695e3f856eb67208d4e5878d61c2f1fbde1329a69d5d94229c.exe 28 PID 2344 wrote to memory of 2632 2344 5b4427d85d182f695e3f856eb67208d4e5878d61c2f1fbde1329a69d5d94229c.exe 28 PID 2344 wrote to memory of 2632 2344 5b4427d85d182f695e3f856eb67208d4e5878d61c2f1fbde1329a69d5d94229c.exe 28 PID 2632 wrote to memory of 2740 2632 Madapkmp.exe 29 PID 2632 wrote to memory of 2740 2632 Madapkmp.exe 29 PID 2632 wrote to memory of 2740 2632 Madapkmp.exe 29 PID 2632 wrote to memory of 2740 2632 Madapkmp.exe 29 PID 2740 wrote to memory of 2664 2740 Mkmfhacp.exe 30 PID 2740 wrote to memory of 2664 2740 Mkmfhacp.exe 30 PID 2740 wrote to memory of 2664 2740 Mkmfhacp.exe 30 PID 2740 wrote to memory of 2664 2740 Mkmfhacp.exe 30 PID 2664 wrote to memory of 2920 2664 Mpjoqhah.exe 31 PID 2664 wrote to memory of 2920 2664 Mpjoqhah.exe 31 PID 2664 wrote to memory of 2920 2664 Mpjoqhah.exe 31 PID 2664 wrote to memory of 2920 2664 Mpjoqhah.exe 31 PID 2920 wrote to memory of 2736 2920 Mkobnqan.exe 32 PID 2920 wrote to memory of 2736 2920 Mkobnqan.exe 32 PID 2920 wrote to memory of 2736 2920 Mkobnqan.exe 32 PID 2920 wrote to memory of 2736 2920 Mkobnqan.exe 32 PID 2736 wrote to memory of 1748 2736 Nplkfgoe.exe 33 PID 2736 wrote to memory of 1748 2736 Nplkfgoe.exe 33 PID 2736 wrote to memory of 1748 2736 Nplkfgoe.exe 33 PID 2736 wrote to memory of 1748 2736 Nplkfgoe.exe 33 PID 1748 wrote to memory of 2608 1748 Ngfcca32.exe 34 PID 1748 wrote to memory of 2608 1748 Ngfcca32.exe 34 PID 1748 wrote to memory of 2608 1748 Ngfcca32.exe 34 PID 1748 wrote to memory of 2608 1748 Ngfcca32.exe 34 PID 2608 wrote to memory of 2224 2608 Njdpomfe.exe 35 PID 2608 wrote to memory of 2224 2608 Njdpomfe.exe 35 PID 2608 wrote to memory of 2224 2608 Njdpomfe.exe 35 PID 2608 wrote to memory of 2224 2608 Njdpomfe.exe 35 PID 2224 wrote to memory of 1768 2224 Ndjdlffl.exe 36 PID 2224 wrote to memory of 1768 2224 Ndjdlffl.exe 36 PID 2224 wrote to memory of 1768 2224 Ndjdlffl.exe 36 PID 2224 wrote to memory of 1768 2224 Ndjdlffl.exe 36 PID 1768 wrote to memory of 2000 1768 Ndjdlffl.exe 37 PID 1768 wrote to memory of 2000 1768 Ndjdlffl.exe 37 PID 1768 wrote to memory of 2000 1768 Ndjdlffl.exe 37 PID 1768 wrote to memory of 2000 1768 Ndjdlffl.exe 37 PID 2000 wrote to memory of 2880 2000 Njgldmdc.exe 38 PID 2000 wrote to memory of 2880 2000 Njgldmdc.exe 38 PID 2000 wrote to memory of 2880 2000 Njgldmdc.exe 38 PID 2000 wrote to memory of 2880 2000 Njgldmdc.exe 38 PID 2880 wrote to memory of 2436 2880 Ngkmnacm.exe 39 PID 2880 wrote to memory of 2436 2880 Ngkmnacm.exe 39 PID 2880 wrote to memory of 2436 2880 Ngkmnacm.exe 39 PID 2880 wrote to memory of 2436 2880 Ngkmnacm.exe 39 PID 2436 wrote to memory of 1620 2436 Nhlifi32.exe 40 PID 2436 wrote to memory of 1620 2436 Nhlifi32.exe 40 PID 2436 wrote to memory of 1620 2436 Nhlifi32.exe 40 PID 2436 wrote to memory of 1620 2436 Nhlifi32.exe 40 PID 1620 wrote to memory of 1776 1620 Nofabc32.exe 41 PID 1620 wrote to memory of 1776 1620 Nofabc32.exe 41 PID 1620 wrote to memory of 1776 1620 Nofabc32.exe 41 PID 1620 wrote to memory of 1776 1620 Nofabc32.exe 41 PID 1776 wrote to memory of 2108 1776 Nbdnoo32.exe 42 PID 1776 wrote to memory of 2108 1776 Nbdnoo32.exe 42 PID 1776 wrote to memory of 2108 1776 Nbdnoo32.exe 42 PID 1776 wrote to memory of 2108 1776 Nbdnoo32.exe 42 PID 2108 wrote to memory of 1872 2108 Nkmbgdfl.exe 43 PID 2108 wrote to memory of 1872 2108 Nkmbgdfl.exe 43 PID 2108 wrote to memory of 1872 2108 Nkmbgdfl.exe 43 PID 2108 wrote to memory of 1872 2108 Nkmbgdfl.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\5b4427d85d182f695e3f856eb67208d4e5878d61c2f1fbde1329a69d5d94229c.exe"C:\Users\Admin\AppData\Local\Temp\5b4427d85d182f695e3f856eb67208d4e5878d61c2f1fbde1329a69d5d94229c.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:776 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1504 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1876 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1040 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1764 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2992 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1196 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1948 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2848 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1380 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:940 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2052 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2076 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe36⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe37⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe38⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe39⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe40⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe41⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe43⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe44⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe46⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe47⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1048 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe50⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe51⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe52⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe53⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe54⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe55⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe56⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe57⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe58⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe59⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe60⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe61⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe62⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe64⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:572 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe66⤵
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:852 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe68⤵PID:304
-
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe69⤵PID:1132
-
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe70⤵PID:2256
-
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe71⤵PID:2692
-
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe72⤵PID:3000
-
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe73⤵PID:2540
-
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe74⤵
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe75⤵PID:1788
-
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe76⤵PID:2928
-
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2340 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe78⤵PID:1364
-
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe79⤵PID:2068
-
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe80⤵PID:476
-
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe81⤵PID:2452
-
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe82⤵PID:2220
-
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe83⤵PID:1512
-
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe84⤵PID:1088
-
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe85⤵PID:1568
-
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe86⤵PID:2672
-
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe87⤵PID:2700
-
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe88⤵PID:2536
-
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe89⤵
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe90⤵
- Modifies registry class
PID:1888 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe91⤵PID:2916
-
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe92⤵PID:2312
-
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe94⤵PID:532
-
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:580 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe96⤵PID:1636
-
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe97⤵PID:2228
-
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe98⤵PID:328
-
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe99⤵PID:876
-
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe100⤵
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe101⤵PID:2828
-
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe102⤵PID:2708
-
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe103⤵
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe104⤵PID:2072
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe105⤵PID:1772
-
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe106⤵
- Drops file in System32 directory
PID:1648 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe107⤵PID:3024
-
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe108⤵
- Modifies registry class
PID:468 -
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe109⤵PID:1460
-
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2504 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe111⤵PID:2364
-
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe112⤵PID:3012
-
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe113⤵PID:2572
-
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe114⤵
- Drops file in System32 directory
PID:2612 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe115⤵PID:2716
-
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe116⤵PID:1672
-
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe117⤵PID:3032
-
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe118⤵
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe119⤵PID:1436
-
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe120⤵PID:1600
-
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe121⤵PID:2752
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-