Analysis
-
max time kernel
143s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
04-07-2024 05:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f1de56c4a6952cfe4fab4f9520a2c73f66848670069cfee2b8b5be9628fcf2a2.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
f1de56c4a6952cfe4fab4f9520a2c73f66848670069cfee2b8b5be9628fcf2a2.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
f1de56c4a6952cfe4fab4f9520a2c73f66848670069cfee2b8b5be9628fcf2a2.exe
-
Size
669KB
-
MD5
f9b451ad20b8e7740cab87c43388c2f3
-
SHA1
afee3138301348013609d29aec2553d3e3268935
-
SHA256
f1de56c4a6952cfe4fab4f9520a2c73f66848670069cfee2b8b5be9628fcf2a2
-
SHA512
2a4b4d4ff7213dfef234f5a900e00fe8fac92ef7effe2da08569554ac52d8b1f9b6db72833a494edad8f249549bcb6753decc743409c1390963bf38d808a3879
-
SSDEEP
12288:or1UeVKhMpQnqr+cI3a72LXrY6x46UbR/qYglMi:o5/chMpQnqrdX72LbY6x46uR/qYglMi
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmbpmapf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Affhncfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckoilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhdplq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfenbpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llcefjgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmkfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppoqge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adhlaggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Piphee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdooajdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggpimica.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpocfncj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlhnbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflkdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnclnihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjnfniii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpejeihi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogfpbeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfiidobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbflib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfefiemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Heglio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpfcgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnippoha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgnnln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbkgnfbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqdipqbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nghphaeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gedbdlbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqlhdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Libicbma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kincipnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofbfdmeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejmebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmbpmapf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iipgcaob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Penfelgm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dolnad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnpinc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cckace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnclnihj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moanaiie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfknbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgjfkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocomlemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onhgbmfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhgmpfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifcbodli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fglipi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpefdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gelppaof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hogmmjfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbnhng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adpkee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbopgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpfcgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cahail32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mffimglk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inqcif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmcijcbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmcijcbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmpfojmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iamimc32.exe -
Executes dropped EXE 64 IoCs
pid Process 3020 Ladeqhjd.exe 2512 Lmkfei32.exe 2540 Meigpkka.exe 2628 Mabejlob.exe 2468 Mgcgmb32.exe 2972 Njdpomfe.exe 2760 Nghphaeo.exe 356 Nnbhek32.exe 1652 Ncoamb32.exe 1256 Nlgefh32.exe 2656 Nbdnoo32.exe 1240 Nhnfkigh.exe 2348 Nohnhc32.exe 1860 Ofbfdmeb.exe 484 Okoomd32.exe 808 Ofdcjm32.exe 1548 Ogfpbeim.exe 448 Onphoo32.exe 2388 Oqndkj32.exe 948 Oghlgdgk.exe 2304 Ojficpfn.exe 2884 Oqqapjnk.exe 3004 Ocomlemo.exe 1448 Ojieip32.exe 1424 Omgaek32.exe 3008 Oenifh32.exe 1640 Ofpfnqjp.exe 2064 Pminkk32.exe 2700 Pgobhcac.exe 2524 Pmlkpjpj.exe 2192 Ppjglfon.exe 2420 Pfdpip32.exe 2576 Pmnhfjmg.exe 2772 Pchpbded.exe 2964 Piehkkcl.exe 2932 Ppoqge32.exe 1236 Pfiidobe.exe 2984 Plfamfpm.exe 624 Penfelgm.exe 2876 Qlhnbf32.exe 1628 Qaefjm32.exe 1244 Qhooggdn.exe 1572 Qjmkcbcb.exe 2840 Qagcpljo.exe 1708 Ahakmf32.exe 1788 Aajpelhl.exe 1520 Adhlaggp.exe 1928 Affhncfc.exe 2556 Ampqjm32.exe 1504 Apomfh32.exe 2796 Adjigg32.exe 2284 Ambmpmln.exe 2868 Admemg32.exe 2036 Afkbib32.exe 2288 Apcfahio.exe 1104 Abbbnchb.exe 3016 Ailkjmpo.exe 1696 Bpfcgg32.exe 2332 Bebkpn32.exe 2636 Blmdlhmp.exe 2996 Bbflib32.exe 2088 Beehencq.exe 2888 Bommnc32.exe 2716 Bghabf32.exe -
Loads dropped DLL 64 IoCs
pid Process 2012 f1de56c4a6952cfe4fab4f9520a2c73f66848670069cfee2b8b5be9628fcf2a2.exe 2012 f1de56c4a6952cfe4fab4f9520a2c73f66848670069cfee2b8b5be9628fcf2a2.exe 3020 Ladeqhjd.exe 3020 Ladeqhjd.exe 2512 Lmkfei32.exe 2512 Lmkfei32.exe 2540 Meigpkka.exe 2540 Meigpkka.exe 2628 Mabejlob.exe 2628 Mabejlob.exe 2468 Mgcgmb32.exe 2468 Mgcgmb32.exe 2972 Njdpomfe.exe 2972 Njdpomfe.exe 2760 Nghphaeo.exe 2760 Nghphaeo.exe 356 Nnbhek32.exe 356 Nnbhek32.exe 1652 Ncoamb32.exe 1652 Ncoamb32.exe 1256 Nlgefh32.exe 1256 Nlgefh32.exe 2656 Nbdnoo32.exe 2656 Nbdnoo32.exe 1240 Nhnfkigh.exe 1240 Nhnfkigh.exe 2348 Nohnhc32.exe 2348 Nohnhc32.exe 1860 Ofbfdmeb.exe 1860 Ofbfdmeb.exe 484 Okoomd32.exe 484 Okoomd32.exe 808 Ofdcjm32.exe 808 Ofdcjm32.exe 1548 Ogfpbeim.exe 1548 Ogfpbeim.exe 448 Onphoo32.exe 448 Onphoo32.exe 2388 Oqndkj32.exe 2388 Oqndkj32.exe 948 Oghlgdgk.exe 948 Oghlgdgk.exe 2304 Ojficpfn.exe 2304 Ojficpfn.exe 2884 Oqqapjnk.exe 2884 Oqqapjnk.exe 3004 Ocomlemo.exe 3004 Ocomlemo.exe 1448 Ojieip32.exe 1448 Ojieip32.exe 1424 Omgaek32.exe 1424 Omgaek32.exe 3008 Oenifh32.exe 3008 Oenifh32.exe 1640 Ofpfnqjp.exe 1640 Ofpfnqjp.exe 2064 Pminkk32.exe 2064 Pminkk32.exe 2700 Pgobhcac.exe 2700 Pgobhcac.exe 2524 Pmlkpjpj.exe 2524 Pmlkpjpj.exe 2192 Ppjglfon.exe 2192 Ppjglfon.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ccfhhffh.exe Cnippoha.exe File created C:\Windows\SysWOW64\Ljdjcj32.dll Jnemdecl.exe File created C:\Windows\SysWOW64\Lijfoo32.dll Pefijfii.exe File created C:\Windows\SysWOW64\Knklagmb.exe Kohkfj32.exe File created C:\Windows\SysWOW64\Lanaiahq.exe Kgemplap.exe File created C:\Windows\SysWOW64\Llohjo32.exe Lfbpag32.exe File created C:\Windows\SysWOW64\Jflhaaje.dll Meigpkka.exe File opened for modification C:\Windows\SysWOW64\Piehkkcl.exe Pchpbded.exe File created C:\Windows\SysWOW64\Jnclnihj.exe Jgidao32.exe File created C:\Windows\SysWOW64\Afldcl32.dll Kgkafo32.exe File opened for modification C:\Windows\SysWOW64\Hpefdl32.exe Hkhnle32.exe File opened for modification C:\Windows\SysWOW64\Ambmpmln.exe Adjigg32.exe File created C:\Windows\SysWOW64\Qahefm32.dll Gpmjak32.exe File created C:\Windows\SysWOW64\Jijdkh32.dll Fidoim32.exe File opened for modification C:\Windows\SysWOW64\Kbdklf32.exe Kjifhc32.exe File created C:\Windows\SysWOW64\Alihbgdo.dll Bdlblj32.exe File opened for modification C:\Windows\SysWOW64\Aefeijle.exe Apimacnn.exe File created C:\Windows\SysWOW64\Gmjaic32.exe Ggpimica.exe File created C:\Windows\SysWOW64\Ckcmac32.dll Jfcnngnd.exe File created C:\Windows\SysWOW64\Cdcfgc32.dll Ampqjm32.exe File opened for modification C:\Windows\SysWOW64\Emeopn32.exe Eflgccbp.exe File created C:\Windows\SysWOW64\Jgagfi32.exe Jqgoiokm.exe File created C:\Windows\SysWOW64\Clcflkic.exe Cckace32.exe File created C:\Windows\SysWOW64\Dogefd32.exe Djklnnaj.exe File created C:\Windows\SysWOW64\Fqmmidel.dll Monhhk32.exe File opened for modification C:\Windows\SysWOW64\Pqhpdhcc.exe Pgplkb32.exe File created C:\Windows\SysWOW64\Iooklook.dll Amhpnkch.exe File created C:\Windows\SysWOW64\Oqqapjnk.exe Ojficpfn.exe File opened for modification C:\Windows\SysWOW64\Kmaled32.exe Kpmlkp32.exe File opened for modification C:\Windows\SysWOW64\Globlmmj.exe Feeiob32.exe File created C:\Windows\SysWOW64\Fljdpbcc.dll Nhiffc32.exe File created C:\Windows\SysWOW64\Jchafg32.dll Djklnnaj.exe File created C:\Windows\SysWOW64\Nbdnoo32.exe Nlgefh32.exe File created C:\Windows\SysWOW64\Icplghmh.dll Bpfcgg32.exe File created C:\Windows\SysWOW64\Blbfjg32.exe Bmpfojmp.exe File opened for modification C:\Windows\SysWOW64\Fpngfgle.exe Fidoim32.exe File opened for modification C:\Windows\SysWOW64\Mabejlob.exe Meigpkka.exe File created C:\Windows\SysWOW64\Ojieip32.exe Ocomlemo.exe File created C:\Windows\SysWOW64\Dndlim32.exe Dgjclbdi.exe File created C:\Windows\SysWOW64\Iianmb32.dll Igchlf32.exe File created C:\Windows\SysWOW64\Kbelde32.dll Lfdmggnm.exe File opened for modification C:\Windows\SysWOW64\Jokcgmee.exe Jmmfkafa.exe File opened for modification C:\Windows\SysWOW64\Onhgbmfb.exe Oikojfgk.exe File created C:\Windows\SysWOW64\Ejbfhfaj.exe Eilpeooq.exe File created C:\Windows\SysWOW64\Geiiogja.dll Bjlqhoba.exe File created C:\Windows\SysWOW64\Illjbiak.dll Egoife32.exe File created C:\Windows\SysWOW64\Mncfoa32.dll Gpqpjj32.exe File created C:\Windows\SysWOW64\Negpnjgm.dll Mpmapm32.exe File opened for modification C:\Windows\SysWOW64\Ojficpfn.exe Oghlgdgk.exe File created C:\Windows\SysWOW64\Hokefmej.dll Affhncfc.exe File created C:\Windows\SysWOW64\Ggpimica.exe Geolea32.exe File created C:\Windows\SysWOW64\Amkpegnj.exe Qfahhm32.exe File opened for modification C:\Windows\SysWOW64\Lanaiahq.exe Kgemplap.exe File opened for modification C:\Windows\SysWOW64\Mdcpdp32.exe Maedhd32.exe File created C:\Windows\SysWOW64\Kkjjld32.dll Penfelgm.exe File opened for modification C:\Windows\SysWOW64\Gbkgnfbd.exe Gpmjak32.exe File created C:\Windows\SysWOW64\Malllmgi.dll Kgemplap.exe File opened for modification C:\Windows\SysWOW64\Nlcnda32.exe Niebhf32.exe File created C:\Windows\SysWOW64\Ladeqhjd.exe f1de56c4a6952cfe4fab4f9520a2c73f66848670069cfee2b8b5be9628fcf2a2.exe File created C:\Windows\SysWOW64\Dialipcb.dll Pfdpip32.exe File created C:\Windows\SysWOW64\Bpmiamoh.dll Knklagmb.exe File opened for modification C:\Windows\SysWOW64\Llcefjgf.exe Lanaiahq.exe File opened for modification C:\Windows\SysWOW64\Jejhecaj.exe Jnqphi32.exe File created C:\Windows\SysWOW64\Pikkiijf.exe Pcnbablo.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5068 5048 WerFault.exe 429 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofelmloo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bppoqeja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gpejeihi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffkcbgek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll" Ghoegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkdik32.dll" Cjfccn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibeogebm.dll" Hpbiommg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgalgjnb.dll" Jqgoiokm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jgcdki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdcie32.dll" Lapnnafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckcmac32.dll" Jfcnngnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fddcahee.dll" Oddpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fidoim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobmncbj.dll" Gedbdlbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohgbmh32.dll" Nhnfkigh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhflmk32.dll" Dqjepm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Logbhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gljnej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfmjgeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njdpomfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgpgce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emeopn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jfcnngnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qbcpbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Maedhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmlkpjpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deokcq32.dll" Bghabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pheafa32.dll" Cfgaiaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcknbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlgefh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghhofmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmjjea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jokcgmee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelpgepb.dll" Ajejgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fenmdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djmicm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ecejkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eimofi32.dll" Gdniqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Onphoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpffnl32.dll" Igihbknb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdkqqa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocnfbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnfhlh32.dll" Chbjffad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlcbenjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpebfbaj.dll" Nhkbkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkkepg32.dll" Fmmkcoap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Heglio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iianmb32.dll" Igchlf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojficpfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eflgccbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghoegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mijfnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mbpgggol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflhaaje.dll" Meigpkka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qhooggdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iblpjdpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jofbag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbnhng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nclpan32.dll" Kemejc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blpjegfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhkdeggl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Claifkkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glfhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll" Gmjaic32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2012 wrote to memory of 3020 2012 f1de56c4a6952cfe4fab4f9520a2c73f66848670069cfee2b8b5be9628fcf2a2.exe 28 PID 2012 wrote to memory of 3020 2012 f1de56c4a6952cfe4fab4f9520a2c73f66848670069cfee2b8b5be9628fcf2a2.exe 28 PID 2012 wrote to memory of 3020 2012 f1de56c4a6952cfe4fab4f9520a2c73f66848670069cfee2b8b5be9628fcf2a2.exe 28 PID 2012 wrote to memory of 3020 2012 f1de56c4a6952cfe4fab4f9520a2c73f66848670069cfee2b8b5be9628fcf2a2.exe 28 PID 3020 wrote to memory of 2512 3020 Ladeqhjd.exe 29 PID 3020 wrote to memory of 2512 3020 Ladeqhjd.exe 29 PID 3020 wrote to memory of 2512 3020 Ladeqhjd.exe 29 PID 3020 wrote to memory of 2512 3020 Ladeqhjd.exe 29 PID 2512 wrote to memory of 2540 2512 Lmkfei32.exe 30 PID 2512 wrote to memory of 2540 2512 Lmkfei32.exe 30 PID 2512 wrote to memory of 2540 2512 Lmkfei32.exe 30 PID 2512 wrote to memory of 2540 2512 Lmkfei32.exe 30 PID 2540 wrote to memory of 2628 2540 Meigpkka.exe 31 PID 2540 wrote to memory of 2628 2540 Meigpkka.exe 31 PID 2540 wrote to memory of 2628 2540 Meigpkka.exe 31 PID 2540 wrote to memory of 2628 2540 Meigpkka.exe 31 PID 2628 wrote to memory of 2468 2628 Mabejlob.exe 32 PID 2628 wrote to memory of 2468 2628 Mabejlob.exe 32 PID 2628 wrote to memory of 2468 2628 Mabejlob.exe 32 PID 2628 wrote to memory of 2468 2628 Mabejlob.exe 32 PID 2468 wrote to memory of 2972 2468 Mgcgmb32.exe 33 PID 2468 wrote to memory of 2972 2468 Mgcgmb32.exe 33 PID 2468 wrote to memory of 2972 2468 Mgcgmb32.exe 33 PID 2468 wrote to memory of 2972 2468 Mgcgmb32.exe 33 PID 2972 wrote to memory of 2760 2972 Njdpomfe.exe 34 PID 2972 wrote to memory of 2760 2972 Njdpomfe.exe 34 PID 2972 wrote to memory of 2760 2972 Njdpomfe.exe 34 PID 2972 wrote to memory of 2760 2972 Njdpomfe.exe 34 PID 2760 wrote to memory of 356 2760 Nghphaeo.exe 35 PID 2760 wrote to memory of 356 2760 Nghphaeo.exe 35 PID 2760 wrote to memory of 356 2760 Nghphaeo.exe 35 PID 2760 wrote to memory of 356 2760 Nghphaeo.exe 35 PID 356 wrote to memory of 1652 356 Nnbhek32.exe 36 PID 356 wrote to memory of 1652 356 Nnbhek32.exe 36 PID 356 wrote to memory of 1652 356 Nnbhek32.exe 36 PID 356 wrote to memory of 1652 356 Nnbhek32.exe 36 PID 1652 wrote to memory of 1256 1652 Ncoamb32.exe 37 PID 1652 wrote to memory of 1256 1652 Ncoamb32.exe 37 PID 1652 wrote to memory of 1256 1652 Ncoamb32.exe 37 PID 1652 wrote to memory of 1256 1652 Ncoamb32.exe 37 PID 1256 wrote to memory of 2656 1256 Nlgefh32.exe 38 PID 1256 wrote to memory of 2656 1256 Nlgefh32.exe 38 PID 1256 wrote to memory of 2656 1256 Nlgefh32.exe 38 PID 1256 wrote to memory of 2656 1256 Nlgefh32.exe 38 PID 2656 wrote to memory of 1240 2656 Nbdnoo32.exe 39 PID 2656 wrote to memory of 1240 2656 Nbdnoo32.exe 39 PID 2656 wrote to memory of 1240 2656 Nbdnoo32.exe 39 PID 2656 wrote to memory of 1240 2656 Nbdnoo32.exe 39 PID 1240 wrote to memory of 2348 1240 Nhnfkigh.exe 40 PID 1240 wrote to memory of 2348 1240 Nhnfkigh.exe 40 PID 1240 wrote to memory of 2348 1240 Nhnfkigh.exe 40 PID 1240 wrote to memory of 2348 1240 Nhnfkigh.exe 40 PID 2348 wrote to memory of 1860 2348 Nohnhc32.exe 41 PID 2348 wrote to memory of 1860 2348 Nohnhc32.exe 41 PID 2348 wrote to memory of 1860 2348 Nohnhc32.exe 41 PID 2348 wrote to memory of 1860 2348 Nohnhc32.exe 41 PID 1860 wrote to memory of 484 1860 Ofbfdmeb.exe 42 PID 1860 wrote to memory of 484 1860 Ofbfdmeb.exe 42 PID 1860 wrote to memory of 484 1860 Ofbfdmeb.exe 42 PID 1860 wrote to memory of 484 1860 Ofbfdmeb.exe 42 PID 484 wrote to memory of 808 484 Okoomd32.exe 43 PID 484 wrote to memory of 808 484 Okoomd32.exe 43 PID 484 wrote to memory of 808 484 Okoomd32.exe 43 PID 484 wrote to memory of 808 484 Okoomd32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\f1de56c4a6952cfe4fab4f9520a2c73f66848670069cfee2b8b5be9628fcf2a2.exe"C:\Users\Admin\AppData\Local\Temp\f1de56c4a6952cfe4fab4f9520a2c73f66848670069cfee2b8b5be9628fcf2a2.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:356 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:484 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:808 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1548 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:448 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2388 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:948 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1448 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1424 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2064 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2192 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe34⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe36⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe39⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:624 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe42⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1244 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe44⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe45⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe46⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe47⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1928 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe51⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe53⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe54⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe55⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe56⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe57⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe58⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1696 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe60⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe61⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe63⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe64⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe66⤵
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe67⤵PID:1532
-
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1960 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe69⤵PID:1044
-
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe70⤵PID:1404
-
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe71⤵
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1812 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe73⤵PID:1632
-
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe74⤵PID:2336
-
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe75⤵PID:536
-
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe76⤵
- Modifies registry class
PID:904 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe77⤵PID:2600
-
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe78⤵
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:632 -
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe80⤵PID:1920
-
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1588 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe82⤵PID:2904
-
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe83⤵PID:856
-
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe84⤵PID:1856
-
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe85⤵PID:788
-
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe86⤵PID:1584
-
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe87⤵PID:1312
-
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe88⤵
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe89⤵PID:2032
-
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe90⤵PID:1516
-
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe91⤵
- Modifies registry class
PID:996 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe92⤵PID:2484
-
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe93⤵PID:2988
-
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe95⤵
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe96⤵
- Drops file in System32 directory
PID:2164 -
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe97⤵PID:896
-
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe98⤵PID:1728
-
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe99⤵PID:3032
-
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe100⤵
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe101⤵PID:2112
-
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe102⤵PID:1940
-
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe103⤵PID:2644
-
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe104⤵PID:2648
-
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe105⤵PID:852
-
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe106⤵
- Drops file in System32 directory
PID:1108 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe107⤵PID:280
-
C:\Windows\SysWOW64\Gfefiemq.exeC:\Windows\system32\Gfefiemq.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1440 -
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe109⤵PID:332
-
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe110⤵
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1624 -
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe112⤵
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe113⤵PID:2568
-
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1804 -
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe115⤵
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe116⤵PID:2004
-
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe117⤵
- Drops file in System32 directory
PID:2668 -
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe119⤵
- Modifies registry class
PID:1460 -
C:\Windows\SysWOW64\Ghoegl32.exeC:\Windows\system32\Ghoegl32.exe120⤵
- Modifies registry class
PID:1888 -
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe121⤵PID:752
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-