Analysis
-
max time kernel
146s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
29/06/2024, 21:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5a1cc9b2885bfd9ec974914ab87fe51ea9c0b5658e9383b61e2d9f44bd39bd1a.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
5a1cc9b2885bfd9ec974914ab87fe51ea9c0b5658e9383b61e2d9f44bd39bd1a.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
5a1cc9b2885bfd9ec974914ab87fe51ea9c0b5658e9383b61e2d9f44bd39bd1a.exe
-
Size
81KB
-
MD5
49f8857e5ac88e15863be67be6772d30
-
SHA1
e71dfb0187f723f1250dc9f3b62021029fc76025
-
SHA256
5a1cc9b2885bfd9ec974914ab87fe51ea9c0b5658e9383b61e2d9f44bd39bd1a
-
SHA512
61a6b3423dab5a1dfb94ad88a3dddf9d8fb1d9cc9cc4122ae466b6ad448b280dd0a8aaa366c09ee8c873ac9b99866b97e05412eb9ec5a67a09f3da333c46e481
-
SSDEEP
1536:BaDW4PuSffP3/Y7I4vi7m4LO++/+1m6KadhYxU33HX0L:0DPfP3g7I4vi/LrCimBaH8UH30L
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffnphf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffpmnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pklhlael.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aibajhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epdkli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fejgko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lihmjejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miooigfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiellh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcgogk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lahkigca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oklkmnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhmepp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajbdna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdlblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emhlfmgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egamfkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffkcbgek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ednpej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfflopdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaaijdgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lefdpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojfaijcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhkpmjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adpkee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebjglbml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldfgebbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmafennb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffkcbgek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npfgpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pggbla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bingpmnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igdogl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjjacf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcfkfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cklmgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejgcdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kneicieh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loeebl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miooigfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojolhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocgpappk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlnbeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfghif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfegbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naoniipe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obafnlpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obcccl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pciifc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plahag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecpgmhai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggpimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Henidd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igkdgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lijjoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjhknm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abjebn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nocemcbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emieil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adpkee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Banepo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iajcde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofelmloo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpfcgg32.exe -
Executes dropped EXE 64 IoCs
pid Process 2096 Ncjgbcoi.exe 1684 Njdpomfe.exe 2764 Ndjdlffl.exe 2292 Nfkpdn32.exe 2536 Nocemcbj.exe 2508 Ngkmnacm.exe 3052 Nhlifi32.exe 2160 Nofabc32.exe 2884 Nfpjomgd.exe 1032 Nhnfkigh.exe 1300 Nccjhafn.exe 2404 Ofbfdmeb.exe 2708 Omloag32.exe 328 Oojknblb.exe 2280 Odgcfijj.exe 2040 Ogfpbeim.exe 536 Obkdonic.exe 1164 Oqndkj32.exe 1840 Oiellh32.exe 324 Oghlgdgk.exe 2312 Onbddoog.exe 1732 Obnqem32.exe 2028 Ocomlemo.exe 2004 Ogjimd32.exe 912 Omgaek32.exe 888 Oenifh32.exe 2128 Ocajbekl.exe 2352 Pminkk32.exe 2600 Pfbccp32.exe 2788 Pipopl32.exe 2808 Pmlkpjpj.exe 2572 Pcfcmd32.exe 2580 Pfdpip32.exe 2700 Plahag32.exe 2856 Pfflopdh.exe 2996 Pmqdkj32.exe 1996 Pmqdkj32.exe 1396 Pfiidobe.exe 1268 Pfiidobe.exe 1444 Plfamfpm.exe 1156 Pndniaop.exe 1744 Penfelgm.exe 1748 Qlhnbf32.exe 264 Qnfjna32.exe 1036 Qjmkcbcb.exe 1500 Qnigda32.exe 448 Afdlhchf.exe 2204 Ankdiqih.exe 1852 Aajpelhl.exe 604 Adhlaggp.exe 1384 Ahchbf32.exe 2372 Affhncfc.exe 2756 Ajbdna32.exe 2924 Ampqjm32.exe 2832 Aalmklfi.exe 2684 Adjigg32.exe 2540 Afiecb32.exe 2868 Aigaon32.exe 1700 Ambmpmln.exe 1256 Admemg32.exe 1724 Abpfhcje.exe 1280 Aenbdoii.exe 2568 Amejeljk.exe 1612 Aoffmd32.exe -
Loads dropped DLL 64 IoCs
pid Process 2420 5a1cc9b2885bfd9ec974914ab87fe51ea9c0b5658e9383b61e2d9f44bd39bd1a.exe 2420 5a1cc9b2885bfd9ec974914ab87fe51ea9c0b5658e9383b61e2d9f44bd39bd1a.exe 2096 Ncjgbcoi.exe 2096 Ncjgbcoi.exe 1684 Njdpomfe.exe 1684 Njdpomfe.exe 2764 Ndjdlffl.exe 2764 Ndjdlffl.exe 2292 Nfkpdn32.exe 2292 Nfkpdn32.exe 2536 Nocemcbj.exe 2536 Nocemcbj.exe 2508 Ngkmnacm.exe 2508 Ngkmnacm.exe 3052 Nhlifi32.exe 3052 Nhlifi32.exe 2160 Nofabc32.exe 2160 Nofabc32.exe 2884 Nfpjomgd.exe 2884 Nfpjomgd.exe 1032 Nhnfkigh.exe 1032 Nhnfkigh.exe 1300 Nccjhafn.exe 1300 Nccjhafn.exe 2404 Ofbfdmeb.exe 2404 Ofbfdmeb.exe 2708 Omloag32.exe 2708 Omloag32.exe 328 Oojknblb.exe 328 Oojknblb.exe 2280 Odgcfijj.exe 2280 Odgcfijj.exe 2040 Ogfpbeim.exe 2040 Ogfpbeim.exe 536 Obkdonic.exe 536 Obkdonic.exe 1164 Oqndkj32.exe 1164 Oqndkj32.exe 1840 Oiellh32.exe 1840 Oiellh32.exe 324 Oghlgdgk.exe 324 Oghlgdgk.exe 2312 Onbddoog.exe 2312 Onbddoog.exe 1732 Obnqem32.exe 1732 Obnqem32.exe 2028 Ocomlemo.exe 2028 Ocomlemo.exe 2004 Ogjimd32.exe 2004 Ogjimd32.exe 912 Omgaek32.exe 912 Omgaek32.exe 888 Oenifh32.exe 888 Oenifh32.exe 2128 Ocajbekl.exe 2128 Ocajbekl.exe 2352 Pminkk32.exe 2352 Pminkk32.exe 2600 Pfbccp32.exe 2600 Pfbccp32.exe 2788 Pipopl32.exe 2788 Pipopl32.exe 2808 Pmlkpjpj.exe 2808 Pmlkpjpj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ampqjm32.exe Ajbdna32.exe File created C:\Windows\SysWOW64\Kjljhjkl.exe Kgnnln32.exe File created C:\Windows\SysWOW64\Kkgklabn.dll Qbelgood.exe File opened for modification C:\Windows\SysWOW64\Bfadgq32.exe Bdbhke32.exe File opened for modification C:\Windows\SysWOW64\Bnefdp32.exe Bkfjhd32.exe File created C:\Windows\SysWOW64\Cjbmjplb.exe Cbkeib32.exe File created C:\Windows\SysWOW64\Ffihah32.dll Clcflkic.exe File opened for modification C:\Windows\SysWOW64\Glaoalkh.exe Ghfbqn32.exe File created C:\Windows\SysWOW64\Ljdjcj32.dll Jnemdecl.exe File opened for modification C:\Windows\SysWOW64\Jcbellac.exe Jqdipqbp.exe File opened for modification C:\Windows\SysWOW64\Cadhnmnm.exe Coelaaoi.exe File opened for modification C:\Windows\SysWOW64\Eqonkmdh.exe Eihfjo32.exe File created C:\Windows\SysWOW64\Gobgcg32.exe Gkgkbipp.exe File created C:\Windows\SysWOW64\Pmmokmik.dll Ocimgp32.exe File opened for modification C:\Windows\SysWOW64\Qmicohqm.exe Qjjgclai.exe File created C:\Windows\SysWOW64\Alegac32.exe Aekodi32.exe File created C:\Windows\SysWOW64\Aenbdoii.exe Abpfhcje.exe File created C:\Windows\SysWOW64\Njqaac32.dll Ebpkce32.exe File created C:\Windows\SysWOW64\Fkiqoh32.dll Kafbec32.exe File opened for modification C:\Windows\SysWOW64\Okikfagn.exe Oikojfgk.exe File created C:\Windows\SysWOW64\Lfnjef32.dll Endhhp32.exe File created C:\Windows\SysWOW64\Ahpjhc32.dll Gieojq32.exe File opened for modification C:\Windows\SysWOW64\Omloag32.exe Ofbfdmeb.exe File created C:\Windows\SysWOW64\Nkeelohh.exe Ndkmpe32.exe File opened for modification C:\Windows\SysWOW64\Bekkcljk.exe Bghjhp32.exe File opened for modification C:\Windows\SysWOW64\Dggcffhg.exe Ddigjkid.exe File created C:\Windows\SysWOW64\Omgaek32.exe Ogjimd32.exe File created C:\Windows\SysWOW64\Cfmepigc.dll Kmjfdejp.exe File created C:\Windows\SysWOW64\Cdbdjhmp.exe Cadhnmnm.exe File created C:\Windows\SysWOW64\Cojiha32.dll Qlhnbf32.exe File created C:\Windows\SysWOW64\Ognnoaka.dll Cngcjo32.exe File created C:\Windows\SysWOW64\Kmmcjehm.exe Kjnfniii.exe File opened for modification C:\Windows\SysWOW64\Mhgmapfi.exe Mppepcfg.exe File created C:\Windows\SysWOW64\Bpgljfbl.exe Aoepcn32.exe File created C:\Windows\SysWOW64\Doehqead.exe Dlgldibq.exe File created C:\Windows\SysWOW64\Eiehea32.dll Iblpjdpk.exe File created C:\Windows\SysWOW64\Kblhgk32.exe Kcihlong.exe File opened for modification C:\Windows\SysWOW64\Obafnlpn.exe Oobjaqaj.exe File created C:\Windows\SysWOW64\Jjjacf32.exe Igkdgk32.exe File created C:\Windows\SysWOW64\Oqkqkdne.exe Onmdoioa.exe File opened for modification C:\Windows\SysWOW64\Kaceodek.exe Kneicieh.exe File opened for modification C:\Windows\SysWOW64\Papfegmk.exe Pnajilng.exe File created C:\Windows\SysWOW64\Nmnlfg32.dll Cahail32.exe File created C:\Windows\SysWOW64\Egqdeaqb.dll Dhpiojfb.exe File opened for modification C:\Windows\SysWOW64\Ebjglbml.exe Eqijej32.exe File created C:\Windows\SysWOW64\Pafagk32.dll Dqlafm32.exe File created C:\Windows\SysWOW64\Lkoacn32.dll Mpdnkb32.exe File opened for modification C:\Windows\SysWOW64\Biamilfj.exe Bkommo32.exe File created C:\Windows\SysWOW64\Bkommo32.exe Bbhela32.exe File created C:\Windows\SysWOW64\Oopnlacm.exe Oqmmpd32.exe File created C:\Windows\SysWOW64\Ddpkof32.dll Piphee32.exe File created C:\Windows\SysWOW64\Mghjoa32.dll Dgodbh32.exe File created C:\Windows\SysWOW64\Niaokh32.dll Ijgdngmf.exe File opened for modification C:\Windows\SysWOW64\Lefdpe32.exe Lmolnh32.exe File created C:\Windows\SysWOW64\Mhgmapfi.exe Mppepcfg.exe File created C:\Windows\SysWOW64\Ndkmpe32.exe Nehmdhja.exe File created C:\Windows\SysWOW64\Cdikkg32.exe Caknol32.exe File created C:\Windows\SysWOW64\Pipopl32.exe Pfbccp32.exe File opened for modification C:\Windows\SysWOW64\Dnlidb32.exe Dkmmhf32.exe File created C:\Windows\SysWOW64\Lfjqnjkh.exe Lckdanld.exe File opened for modification C:\Windows\SysWOW64\Bdhhqk32.exe Baildokg.exe File opened for modification C:\Windows\SysWOW64\Iqalka32.exe Incpoe32.exe File created C:\Windows\SysWOW64\Gpknlk32.exe Fmlapp32.exe File created C:\Windows\SysWOW64\Kfegbj32.exe Kcfkfo32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5464 5412 WerFault.exe 562 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cldooj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeeonk32.dll" Cljcelan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jejhecaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lemaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nobdlg32.dll" Dmoipopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eajaoq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lecgje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aekodi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bebkpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cndbcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plfamfpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pheafa32.dll" Cjbmjplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plahag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejgcdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejbfhfaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inljnfkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjnfniii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npfgpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnhijl32.dll" Adpkee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cldooj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqbddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 5a1cc9b2885bfd9ec974914ab87fe51ea9c0b5658e9383b61e2d9f44bd39bd1a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpokk32.dll" Pmqdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjdijm32.dll" Jfekcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adpkee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfmdho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjqccigf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oacima32.dll" Mmceigep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnfhlh32.dll" Ckafbbph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lckdanld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnqphi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojolhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnlqnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boqbfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haloha32.dll" Bekkcljk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogjimd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebjglbml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nccjhafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amejeljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdhbam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoepcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obkdonic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cljcelan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addnil32.dll" Ghfbqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmopod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amkpegnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcihlong.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnclh32.dll" Dkqbaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ognnoaka.dll" Cngcjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joifam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojfaijcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfdpip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnplna32.dll" Keoapb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miooigfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcknbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcpdmj32.dll" Inljnfkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idfbkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdcec32.dll" Cndbcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hogmmjfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmocpado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chboohof.dll" Bbhela32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edekcace.dll" Dcenlceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfbei32.dll" Ddgjdk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2420 wrote to memory of 2096 2420 5a1cc9b2885bfd9ec974914ab87fe51ea9c0b5658e9383b61e2d9f44bd39bd1a.exe 28 PID 2420 wrote to memory of 2096 2420 5a1cc9b2885bfd9ec974914ab87fe51ea9c0b5658e9383b61e2d9f44bd39bd1a.exe 28 PID 2420 wrote to memory of 2096 2420 5a1cc9b2885bfd9ec974914ab87fe51ea9c0b5658e9383b61e2d9f44bd39bd1a.exe 28 PID 2420 wrote to memory of 2096 2420 5a1cc9b2885bfd9ec974914ab87fe51ea9c0b5658e9383b61e2d9f44bd39bd1a.exe 28 PID 2096 wrote to memory of 1684 2096 Ncjgbcoi.exe 29 PID 2096 wrote to memory of 1684 2096 Ncjgbcoi.exe 29 PID 2096 wrote to memory of 1684 2096 Ncjgbcoi.exe 29 PID 2096 wrote to memory of 1684 2096 Ncjgbcoi.exe 29 PID 1684 wrote to memory of 2764 1684 Njdpomfe.exe 30 PID 1684 wrote to memory of 2764 1684 Njdpomfe.exe 30 PID 1684 wrote to memory of 2764 1684 Njdpomfe.exe 30 PID 1684 wrote to memory of 2764 1684 Njdpomfe.exe 30 PID 2764 wrote to memory of 2292 2764 Ndjdlffl.exe 31 PID 2764 wrote to memory of 2292 2764 Ndjdlffl.exe 31 PID 2764 wrote to memory of 2292 2764 Ndjdlffl.exe 31 PID 2764 wrote to memory of 2292 2764 Ndjdlffl.exe 31 PID 2292 wrote to memory of 2536 2292 Nfkpdn32.exe 32 PID 2292 wrote to memory of 2536 2292 Nfkpdn32.exe 32 PID 2292 wrote to memory of 2536 2292 Nfkpdn32.exe 32 PID 2292 wrote to memory of 2536 2292 Nfkpdn32.exe 32 PID 2536 wrote to memory of 2508 2536 Nocemcbj.exe 33 PID 2536 wrote to memory of 2508 2536 Nocemcbj.exe 33 PID 2536 wrote to memory of 2508 2536 Nocemcbj.exe 33 PID 2536 wrote to memory of 2508 2536 Nocemcbj.exe 33 PID 2508 wrote to memory of 3052 2508 Ngkmnacm.exe 34 PID 2508 wrote to memory of 3052 2508 Ngkmnacm.exe 34 PID 2508 wrote to memory of 3052 2508 Ngkmnacm.exe 34 PID 2508 wrote to memory of 3052 2508 Ngkmnacm.exe 34 PID 3052 wrote to memory of 2160 3052 Nhlifi32.exe 35 PID 3052 wrote to memory of 2160 3052 Nhlifi32.exe 35 PID 3052 wrote to memory of 2160 3052 Nhlifi32.exe 35 PID 3052 wrote to memory of 2160 3052 Nhlifi32.exe 35 PID 2160 wrote to memory of 2884 2160 Nofabc32.exe 36 PID 2160 wrote to memory of 2884 2160 Nofabc32.exe 36 PID 2160 wrote to memory of 2884 2160 Nofabc32.exe 36 PID 2160 wrote to memory of 2884 2160 Nofabc32.exe 36 PID 2884 wrote to memory of 1032 2884 Nfpjomgd.exe 37 PID 2884 wrote to memory of 1032 2884 Nfpjomgd.exe 37 PID 2884 wrote to memory of 1032 2884 Nfpjomgd.exe 37 PID 2884 wrote to memory of 1032 2884 Nfpjomgd.exe 37 PID 1032 wrote to memory of 1300 1032 Nhnfkigh.exe 38 PID 1032 wrote to memory of 1300 1032 Nhnfkigh.exe 38 PID 1032 wrote to memory of 1300 1032 Nhnfkigh.exe 38 PID 1032 wrote to memory of 1300 1032 Nhnfkigh.exe 38 PID 1300 wrote to memory of 2404 1300 Nccjhafn.exe 39 PID 1300 wrote to memory of 2404 1300 Nccjhafn.exe 39 PID 1300 wrote to memory of 2404 1300 Nccjhafn.exe 39 PID 1300 wrote to memory of 2404 1300 Nccjhafn.exe 39 PID 2404 wrote to memory of 2708 2404 Ofbfdmeb.exe 40 PID 2404 wrote to memory of 2708 2404 Ofbfdmeb.exe 40 PID 2404 wrote to memory of 2708 2404 Ofbfdmeb.exe 40 PID 2404 wrote to memory of 2708 2404 Ofbfdmeb.exe 40 PID 2708 wrote to memory of 328 2708 Omloag32.exe 41 PID 2708 wrote to memory of 328 2708 Omloag32.exe 41 PID 2708 wrote to memory of 328 2708 Omloag32.exe 41 PID 2708 wrote to memory of 328 2708 Omloag32.exe 41 PID 328 wrote to memory of 2280 328 Oojknblb.exe 42 PID 328 wrote to memory of 2280 328 Oojknblb.exe 42 PID 328 wrote to memory of 2280 328 Oojknblb.exe 42 PID 328 wrote to memory of 2280 328 Oojknblb.exe 42 PID 2280 wrote to memory of 2040 2280 Odgcfijj.exe 43 PID 2280 wrote to memory of 2040 2280 Odgcfijj.exe 43 PID 2280 wrote to memory of 2040 2280 Odgcfijj.exe 43 PID 2280 wrote to memory of 2040 2280 Odgcfijj.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\5a1cc9b2885bfd9ec974914ab87fe51ea9c0b5658e9383b61e2d9f44bd39bd1a.exe"C:\Users\Admin\AppData\Local\Temp\5a1cc9b2885bfd9ec974914ab87fe51ea9c0b5658e9383b61e2d9f44bd39bd1a.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:328 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2040 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:536 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1164 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1840 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:324 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2028 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:912 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:888 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2128 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2352 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe33⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe37⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe39⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe40⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1444 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe42⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe43⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1748 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe45⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe46⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe47⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe48⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe49⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe50⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe51⤵
- Executes dropped EXE
PID:604 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe52⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe53⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2756 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe55⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe56⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe57⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe58⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe59⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe60⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe61⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1724 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe63⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe65⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe66⤵PID:332
-
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe67⤵PID:2196
-
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3016 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe69⤵PID:1264
-
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe70⤵
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2092 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe72⤵PID:1560
-
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe73⤵PID:2240
-
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe74⤵
- Drops file in System32 directory
PID:2080 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe75⤵PID:2200
-
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe76⤵PID:2676
-
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe77⤵PID:2876
-
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe78⤵PID:1924
-
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe79⤵PID:1768
-
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe80⤵PID:316
-
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe81⤵PID:2488
-
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2244 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:916 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe84⤵PID:2000
-
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe85⤵
- Drops file in System32 directory
PID:1992 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe86⤵PID:1728
-
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe87⤵PID:2516
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe88⤵PID:3040
-
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe89⤵PID:1964
-
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe91⤵
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe92⤵PID:1060
-
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe93⤵PID:844
-
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe94⤵PID:1752
-
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe95⤵PID:2396
-
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe96⤵PID:1844
-
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe97⤵PID:1484
-
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe98⤵PID:952
-
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe99⤵PID:1540
-
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe100⤵PID:1092
-
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe101⤵
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe102⤵
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe103⤵PID:2520
-
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe104⤵PID:2584
-
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe105⤵PID:2872
-
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe106⤵PID:1816
-
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe107⤵PID:2716
-
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe108⤵
- Drops file in System32 directory
PID:804 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe109⤵PID:1796
-
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe110⤵
- Modifies registry class
PID:112 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe111⤵PID:2476
-
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe112⤵PID:2264
-
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe113⤵PID:2368
-
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe114⤵PID:1524
-
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe115⤵PID:2400
-
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe116⤵PID:2652
-
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe117⤵
- Drops file in System32 directory
PID:860 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe118⤵PID:1932
-
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe119⤵PID:1432
-
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe120⤵PID:1900
-
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe121⤵PID:2780
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-