Analysis
-
max time kernel
145s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
11/07/2024, 00:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6fee77eb863a219144fde2b248a7b5769007fc60d4fe0b04a5fa124181476232.exe
Resource
win7-20240705-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
6fee77eb863a219144fde2b248a7b5769007fc60d4fe0b04a5fa124181476232.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
6fee77eb863a219144fde2b248a7b5769007fc60d4fe0b04a5fa124181476232.exe
-
Size
576KB
-
MD5
b75efbfa9fd9659737a912875959558e
-
SHA1
b83dbf3eca737f032a4ccf712bf3a40a10502240
-
SHA256
6fee77eb863a219144fde2b248a7b5769007fc60d4fe0b04a5fa124181476232
-
SHA512
19420a3dab9bb1a00cb4675e53504b044684ba7b9c23592e808be62e9e4636bef8147929cb397955842dabaf76243f0cff9e338adbce3546bf44ccb25e03cc2a
-
SSDEEP
12288:ve/DtdGyXu1jGG1ws5iETdqvZNemWrsiLk6mqgSgRDO:ArGyXsGG1ws5ipX6
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gifclb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmmbqegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljddjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjcaimgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nallalep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnqned32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbqmhnbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obmnna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohiffh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnkcpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omcifpnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akiobk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfcjdkpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgehno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okgjodmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chfbgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kaajei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qeppdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnmfdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oanefo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cacclpae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpdnbbah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcgphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjfnomde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boljgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgdnnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkbgckgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knhjjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mclebc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" 6fee77eb863a219144fde2b248a7b5769007fc60d4fe0b04a5fa124181476232.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eddeladm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpgffe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpbdmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apedah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olophhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pomhcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akkoig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Baojapfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Golbnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjacjifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aijbfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbeded32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifpke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfkloq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cocphf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbbgod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dejbqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddfebnoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iedfqeka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oalhqohl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbepdhgc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqklqhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlcibc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agdmdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffaaoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iflmjihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbhhdnlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnfqccna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peedka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agbpnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfegij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Khkbbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Klngkfge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoagccfn.exe -
Executes dropped EXE 64 IoCs
pid Process 1680 Mlkjne32.exe 2112 Nnkcpq32.exe 2220 Niedqnen.exe 2760 Nallalep.exe 2708 Nmcmgm32.exe 2912 Nfnneb32.exe 2824 Opfbngfb.exe 2652 Oajlkojn.exe 1116 Odhhgkib.exe 2784 Olophhjd.exe 1768 Oonldcih.exe 2884 Oalhqohl.exe 2944 Odjdmjgo.exe 2976 Okdmjdol.exe 2224 Omcifpnp.exe 2184 Oanefo32.exe 444 Ohhmcinf.exe 2216 Okgjodmi.exe 1968 Omefkplm.exe 832 Ppcbgkka.exe 2880 Pcbncfjd.exe 772 Pkifdd32.exe 1568 Pmgbao32.exe 2512 Ppfomk32.exe 2868 Pcdkif32.exe 2036 Pecgea32.exe 2400 Pcghof32.exe 2076 Peedka32.exe 2316 Plolgk32.exe 2812 Pomhcg32.exe 2904 Pegqpacp.exe 2044 Panaeb32.exe 2620 Phhjblpa.exe 656 Qobbofgn.exe 2508 Qdojgmfe.exe 2152 Qgmfchei.exe 2924 Qododfek.exe 1664 Qackpado.exe 868 Qhmcmk32.exe 2344 Akkoig32.exe 1868 Ajnpecbj.exe 2248 Aqhhanig.exe 1840 Acfdnihk.exe 2096 Agbpnh32.exe 1532 Anlhkbhq.exe 2396 Amohfo32.exe 2456 Adfqgl32.exe 2668 Agdmdg32.exe 2656 Ajcipc32.exe 2596 Amaelomh.exe 1452 Aopahjll.exe 1704 Aggiigmn.exe 1032 Aihfap32.exe 2864 Aqonbm32.exe 1540 Acnjnh32.exe 2700 Aflfjc32.exe 1588 Aijbfo32.exe 844 Akiobk32.exe 2532 Bbbgod32.exe 1012 Bfncpcoc.exe 2432 Bmhkmm32.exe 1472 Bkklhjnk.exe 2856 Bbeded32.exe 1296 Becpap32.exe -
Loads dropped DLL 64 IoCs
pid Process 768 6fee77eb863a219144fde2b248a7b5769007fc60d4fe0b04a5fa124181476232.exe 768 6fee77eb863a219144fde2b248a7b5769007fc60d4fe0b04a5fa124181476232.exe 1680 Mlkjne32.exe 1680 Mlkjne32.exe 2112 Nnkcpq32.exe 2112 Nnkcpq32.exe 2220 Niedqnen.exe 2220 Niedqnen.exe 2760 Nallalep.exe 2760 Nallalep.exe 2708 Nmcmgm32.exe 2708 Nmcmgm32.exe 2912 Nfnneb32.exe 2912 Nfnneb32.exe 2824 Opfbngfb.exe 2824 Opfbngfb.exe 2652 Oajlkojn.exe 2652 Oajlkojn.exe 1116 Odhhgkib.exe 1116 Odhhgkib.exe 2784 Olophhjd.exe 2784 Olophhjd.exe 1768 Oonldcih.exe 1768 Oonldcih.exe 2884 Oalhqohl.exe 2884 Oalhqohl.exe 2944 Odjdmjgo.exe 2944 Odjdmjgo.exe 2976 Okdmjdol.exe 2976 Okdmjdol.exe 2224 Omcifpnp.exe 2224 Omcifpnp.exe 2184 Oanefo32.exe 2184 Oanefo32.exe 444 Ohhmcinf.exe 444 Ohhmcinf.exe 2216 Okgjodmi.exe 2216 Okgjodmi.exe 1968 Omefkplm.exe 1968 Omefkplm.exe 832 Ppcbgkka.exe 832 Ppcbgkka.exe 2880 Pcbncfjd.exe 2880 Pcbncfjd.exe 772 Pkifdd32.exe 772 Pkifdd32.exe 1568 Pmgbao32.exe 1568 Pmgbao32.exe 2512 Ppfomk32.exe 2512 Ppfomk32.exe 2868 Pcdkif32.exe 2868 Pcdkif32.exe 2036 Pecgea32.exe 2036 Pecgea32.exe 2400 Pcghof32.exe 2400 Pcghof32.exe 2076 Peedka32.exe 2076 Peedka32.exe 2316 Plolgk32.exe 2316 Plolgk32.exe 2812 Pomhcg32.exe 2812 Pomhcg32.exe 2904 Pegqpacp.exe 2904 Pegqpacp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nmlnjo32.dll Acnjnh32.exe File created C:\Windows\SysWOW64\Onhlmh32.dll Eddeladm.exe File created C:\Windows\SysWOW64\Oljomn32.dll Golbnm32.exe File created C:\Windows\SysWOW64\Kpicle32.exe Klngkfge.exe File opened for modification C:\Windows\SysWOW64\Omcifpnp.exe Okdmjdol.exe File created C:\Windows\SysWOW64\Qaemhl32.dll Hkiicmdh.exe File opened for modification C:\Windows\SysWOW64\Nlcibc32.exe Neiaeiii.exe File created C:\Windows\SysWOW64\Cebeem32.exe Cnimiblo.exe File opened for modification C:\Windows\SysWOW64\Emagacdm.exe Eiekpd32.exe File created C:\Windows\SysWOW64\Famope32.exe Fnacpffh.exe File created C:\Windows\SysWOW64\Obokcqhk.exe Ohiffh32.exe File created C:\Windows\SysWOW64\Dfqnol32.dll Qlgkki32.exe File created C:\Windows\SysWOW64\Nefamd32.dll Cgoelh32.exe File created C:\Windows\SysWOW64\Ohmaibil.dll Edfbaabj.exe File created C:\Windows\SysWOW64\Fkdqjn32.dll Ccjoli32.exe File created C:\Windows\SysWOW64\Gfikmo32.dll Bgcbhd32.exe File opened for modification C:\Windows\SysWOW64\Cnkjnb32.exe Cinafkkd.exe File created C:\Windows\SysWOW64\ÿs.e¢e Dpapaj32.exe File opened for modification C:\Windows\SysWOW64\Aficjnpm.exe Alqnah32.exe File opened for modification C:\Windows\SysWOW64\Plgolf32.exe Piicpk32.exe File opened for modification C:\Windows\SysWOW64\Iflmjihl.exe Hbaaik32.exe File opened for modification C:\Windows\SysWOW64\Deollamj.exe Dmhdkdlg.exe File created C:\Windows\SysWOW64\Fdkehipd.dll Flhmfbim.exe File opened for modification C:\Windows\SysWOW64\Jajcdjca.exe Jlnklcej.exe File created C:\Windows\SysWOW64\Kdnild32.exe Kaompi32.exe File created C:\Windows\SysWOW64\Idgcbbda.dll Bgffhkoj.exe File opened for modification C:\Windows\SysWOW64\Dobgihgp.exe Dejbqb32.exe File created C:\Windows\SysWOW64\Hicapn32.dll Eijdkcgn.exe File opened for modification C:\Windows\SysWOW64\Mikjpiim.exe Mjhjdm32.exe File created C:\Windows\SysWOW64\Kbdjfk32.dll Pcljmdmj.exe File opened for modification C:\Windows\SysWOW64\Aihfap32.exe Aggiigmn.exe File opened for modification C:\Windows\SysWOW64\Qndkpmkm.exe Qcogbdkg.exe File created C:\Windows\SysWOW64\Bmnnkl32.exe Bjpaop32.exe File created C:\Windows\SysWOW64\Jcfnin32.dll Hpkompgg.exe File created C:\Windows\SysWOW64\Hpkompgg.exe Hmmbqegc.exe File created C:\Windows\SysWOW64\Qqfkbadh.dll Loefnpnn.exe File created C:\Windows\SysWOW64\Jidmcq32.dll Cepipm32.exe File created C:\Windows\SysWOW64\Edgeao32.dll Eacljf32.exe File created C:\Windows\SysWOW64\Liihgqil.dll Gjojef32.exe File opened for modification C:\Windows\SysWOW64\Neknki32.exe Nlcibc32.exe File created C:\Windows\SysWOW64\Jfkgbapp.dll Nenkqi32.exe File created C:\Windows\SysWOW64\Bniajoic.exe Bkjdndjo.exe File created C:\Windows\SysWOW64\Eepejpil.dll Cebeem32.exe File opened for modification C:\Windows\SysWOW64\Ajnpecbj.exe Akkoig32.exe File created C:\Windows\SysWOW64\Ajcbch32.dll Hcigco32.exe File created C:\Windows\SysWOW64\Adkqmpip.dll Iefcfe32.exe File created C:\Windows\SysWOW64\Hjacjifm.exe Hfegij32.exe File opened for modification C:\Windows\SysWOW64\Bfioia32.exe Bcjcme32.exe File created C:\Windows\SysWOW64\Cnmfdb32.exe Cchbgi32.exe File created C:\Windows\SysWOW64\Ldpbpgoh.exe Locjhqpa.exe File created C:\Windows\SysWOW64\Iedfqeka.exe Ijnbcmkk.exe File opened for modification C:\Windows\SysWOW64\Qlgkki32.exe Qndkpmkm.exe File created C:\Windows\SysWOW64\Elajgpmj.exe Dmojkc32.exe File created C:\Windows\SysWOW64\Cjehmbkc.dll Hldlga32.exe File created C:\Windows\SysWOW64\Oghnkh32.dll Ccmpce32.exe File created C:\Windows\SysWOW64\Pecgea32.exe Pcdkif32.exe File opened for modification C:\Windows\SysWOW64\Hboddk32.exe Hldlga32.exe File created C:\Windows\SysWOW64\Nfahomfd.exe Mklcadfn.exe File opened for modification C:\Windows\SysWOW64\Ngealejo.exe Nbhhdnlh.exe File opened for modification C:\Windows\SysWOW64\Adifpk32.exe Akabgebj.exe File opened for modification C:\Windows\SysWOW64\Mlkjne32.exe 6fee77eb863a219144fde2b248a7b5769007fc60d4fe0b04a5fa124181476232.exe File opened for modification C:\Windows\SysWOW64\Aopahjll.exe Amaelomh.exe File opened for modification C:\Windows\SysWOW64\Gmpcgace.exe Ghdgfbkl.exe File created C:\Windows\SysWOW64\Lboiol32.exe Loqmba32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5076 5044 WerFault.exe 352 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fajbke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dddnjc32.dll" Khkbbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogqhpm32.dll" Offmipej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obokcqhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkklhjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Elipgofb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phnpagdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqcifjof.dll" Pmmeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfqnol32.dll" Qlgkki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmpgpond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idppjg32.dll" Diaaeepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khkbbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdpeiada.dll" Lhknaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojomdoof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pomhcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qododfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhnop32.dll" Deollamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feglhlfm.dll" Elajgpmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjacjifm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opnbbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohhmcinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmgbao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Elkmmodo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Picion32.dll" Hnheohcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmaeh32.dll" Nallalep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfhmhm32.dll" Eoepnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Paknelgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoblpdnf.dll" Adifpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nallalep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kodhamlk.dll" Cmfkfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmhdkdlg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lnjcomcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mqklqhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjgoje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dkqnoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fncpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclcfm32.dll" Gfhgpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aqonbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgblmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Flhmfbim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacldi32.dll" Mjhjdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qdojgmfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jondnnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pomhcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchqdi32.dll" Boidnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhdjgoha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qndkpmkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 6fee77eb863a219144fde2b248a7b5769007fc60d4fe0b04a5fa124181476232.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odjdmjgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajcipc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ppfomk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajcbch32.dll" Hcigco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knmdeioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Neiaeiii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kblikadd.dll" Phcilf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbefcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnmpdlac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmmeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijmkqhaf.dll" Aqonbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bcmfmlen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebmjo32.dll" Hmoofdea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dklqidif.dll" Baojapfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Deollamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhdjgoha.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 768 wrote to memory of 1680 768 6fee77eb863a219144fde2b248a7b5769007fc60d4fe0b04a5fa124181476232.exe 30 PID 768 wrote to memory of 1680 768 6fee77eb863a219144fde2b248a7b5769007fc60d4fe0b04a5fa124181476232.exe 30 PID 768 wrote to memory of 1680 768 6fee77eb863a219144fde2b248a7b5769007fc60d4fe0b04a5fa124181476232.exe 30 PID 768 wrote to memory of 1680 768 6fee77eb863a219144fde2b248a7b5769007fc60d4fe0b04a5fa124181476232.exe 30 PID 1680 wrote to memory of 2112 1680 Mlkjne32.exe 31 PID 1680 wrote to memory of 2112 1680 Mlkjne32.exe 31 PID 1680 wrote to memory of 2112 1680 Mlkjne32.exe 31 PID 1680 wrote to memory of 2112 1680 Mlkjne32.exe 31 PID 2112 wrote to memory of 2220 2112 Nnkcpq32.exe 32 PID 2112 wrote to memory of 2220 2112 Nnkcpq32.exe 32 PID 2112 wrote to memory of 2220 2112 Nnkcpq32.exe 32 PID 2112 wrote to memory of 2220 2112 Nnkcpq32.exe 32 PID 2220 wrote to memory of 2760 2220 Niedqnen.exe 33 PID 2220 wrote to memory of 2760 2220 Niedqnen.exe 33 PID 2220 wrote to memory of 2760 2220 Niedqnen.exe 33 PID 2220 wrote to memory of 2760 2220 Niedqnen.exe 33 PID 2760 wrote to memory of 2708 2760 Nallalep.exe 34 PID 2760 wrote to memory of 2708 2760 Nallalep.exe 34 PID 2760 wrote to memory of 2708 2760 Nallalep.exe 34 PID 2760 wrote to memory of 2708 2760 Nallalep.exe 34 PID 2708 wrote to memory of 2912 2708 Nmcmgm32.exe 35 PID 2708 wrote to memory of 2912 2708 Nmcmgm32.exe 35 PID 2708 wrote to memory of 2912 2708 Nmcmgm32.exe 35 PID 2708 wrote to memory of 2912 2708 Nmcmgm32.exe 35 PID 2912 wrote to memory of 2824 2912 Nfnneb32.exe 36 PID 2912 wrote to memory of 2824 2912 Nfnneb32.exe 36 PID 2912 wrote to memory of 2824 2912 Nfnneb32.exe 36 PID 2912 wrote to memory of 2824 2912 Nfnneb32.exe 36 PID 2824 wrote to memory of 2652 2824 Opfbngfb.exe 37 PID 2824 wrote to memory of 2652 2824 Opfbngfb.exe 37 PID 2824 wrote to memory of 2652 2824 Opfbngfb.exe 37 PID 2824 wrote to memory of 2652 2824 Opfbngfb.exe 37 PID 2652 wrote to memory of 1116 2652 Oajlkojn.exe 38 PID 2652 wrote to memory of 1116 2652 Oajlkojn.exe 38 PID 2652 wrote to memory of 1116 2652 Oajlkojn.exe 38 PID 2652 wrote to memory of 1116 2652 Oajlkojn.exe 38 PID 1116 wrote to memory of 2784 1116 Odhhgkib.exe 39 PID 1116 wrote to memory of 2784 1116 Odhhgkib.exe 39 PID 1116 wrote to memory of 2784 1116 Odhhgkib.exe 39 PID 1116 wrote to memory of 2784 1116 Odhhgkib.exe 39 PID 2784 wrote to memory of 1768 2784 Olophhjd.exe 40 PID 2784 wrote to memory of 1768 2784 Olophhjd.exe 40 PID 2784 wrote to memory of 1768 2784 Olophhjd.exe 40 PID 2784 wrote to memory of 1768 2784 Olophhjd.exe 40 PID 1768 wrote to memory of 2884 1768 Oonldcih.exe 41 PID 1768 wrote to memory of 2884 1768 Oonldcih.exe 41 PID 1768 wrote to memory of 2884 1768 Oonldcih.exe 41 PID 1768 wrote to memory of 2884 1768 Oonldcih.exe 41 PID 2884 wrote to memory of 2944 2884 Oalhqohl.exe 42 PID 2884 wrote to memory of 2944 2884 Oalhqohl.exe 42 PID 2884 wrote to memory of 2944 2884 Oalhqohl.exe 42 PID 2884 wrote to memory of 2944 2884 Oalhqohl.exe 42 PID 2944 wrote to memory of 2976 2944 Odjdmjgo.exe 43 PID 2944 wrote to memory of 2976 2944 Odjdmjgo.exe 43 PID 2944 wrote to memory of 2976 2944 Odjdmjgo.exe 43 PID 2944 wrote to memory of 2976 2944 Odjdmjgo.exe 43 PID 2976 wrote to memory of 2224 2976 Okdmjdol.exe 44 PID 2976 wrote to memory of 2224 2976 Okdmjdol.exe 44 PID 2976 wrote to memory of 2224 2976 Okdmjdol.exe 44 PID 2976 wrote to memory of 2224 2976 Okdmjdol.exe 44 PID 2224 wrote to memory of 2184 2224 Omcifpnp.exe 45 PID 2224 wrote to memory of 2184 2224 Omcifpnp.exe 45 PID 2224 wrote to memory of 2184 2224 Omcifpnp.exe 45 PID 2224 wrote to memory of 2184 2224 Omcifpnp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\6fee77eb863a219144fde2b248a7b5769007fc60d4fe0b04a5fa124181476232.exe"C:\Users\Admin\AppData\Local\Temp\6fee77eb863a219144fde2b248a7b5769007fc60d4fe0b04a5fa124181476232.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Mlkjne32.exeC:\Windows\system32\Mlkjne32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Nnkcpq32.exeC:\Windows\system32\Nnkcpq32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Niedqnen.exeC:\Windows\system32\Niedqnen.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Nallalep.exeC:\Windows\system32\Nallalep.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Nmcmgm32.exeC:\Windows\system32\Nmcmgm32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Nfnneb32.exeC:\Windows\system32\Nfnneb32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Opfbngfb.exeC:\Windows\system32\Opfbngfb.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Oajlkojn.exeC:\Windows\system32\Oajlkojn.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Oonldcih.exeC:\Windows\system32\Oonldcih.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Oalhqohl.exeC:\Windows\system32\Oalhqohl.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Odjdmjgo.exeC:\Windows\system32\Odjdmjgo.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Okdmjdol.exeC:\Windows\system32\Okdmjdol.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Omcifpnp.exeC:\Windows\system32\Omcifpnp.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Oanefo32.exeC:\Windows\system32\Oanefo32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2184 -
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:444 -
C:\Windows\SysWOW64\Okgjodmi.exeC:\Windows\system32\Okgjodmi.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Omefkplm.exeC:\Windows\system32\Omefkplm.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1968 -
C:\Windows\SysWOW64\Ppcbgkka.exeC:\Windows\system32\Ppcbgkka.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:832 -
C:\Windows\SysWOW64\Pcbncfjd.exeC:\Windows\system32\Pcbncfjd.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2880 -
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:772 -
C:\Windows\SysWOW64\Pmgbao32.exeC:\Windows\system32\Pmgbao32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1568 -
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Pcdkif32.exeC:\Windows\system32\Pcdkif32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Pecgea32.exeC:\Windows\system32\Pecgea32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2036 -
C:\Windows\SysWOW64\Pcghof32.exeC:\Windows\system32\Pcghof32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2400 -
C:\Windows\SysWOW64\Peedka32.exeC:\Windows\system32\Peedka32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2076 -
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2316 -
C:\Windows\SysWOW64\Pomhcg32.exeC:\Windows\system32\Pomhcg32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Pegqpacp.exeC:\Windows\system32\Pegqpacp.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\Panaeb32.exeC:\Windows\system32\Panaeb32.exe33⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Phhjblpa.exeC:\Windows\system32\Phhjblpa.exe34⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Qobbofgn.exeC:\Windows\system32\Qobbofgn.exe35⤵
- Executes dropped EXE
PID:656 -
C:\Windows\SysWOW64\Qdojgmfe.exeC:\Windows\system32\Qdojgmfe.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Qgmfchei.exeC:\Windows\system32\Qgmfchei.exe37⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Qododfek.exeC:\Windows\system32\Qododfek.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe39⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Qhmcmk32.exeC:\Windows\system32\Qhmcmk32.exe40⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Akkoig32.exeC:\Windows\system32\Akkoig32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\Ajnpecbj.exeC:\Windows\system32\Ajnpecbj.exe42⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Aqhhanig.exeC:\Windows\system32\Aqhhanig.exe43⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Acfdnihk.exeC:\Windows\system32\Acfdnihk.exe44⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Agbpnh32.exeC:\Windows\system32\Agbpnh32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Anlhkbhq.exeC:\Windows\system32\Anlhkbhq.exe46⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Amohfo32.exeC:\Windows\system32\Amohfo32.exe47⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Adfqgl32.exeC:\Windows\system32\Adfqgl32.exe48⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Agdmdg32.exeC:\Windows\system32\Agdmdg32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Ajcipc32.exeC:\Windows\system32\Ajcipc32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Amaelomh.exeC:\Windows\system32\Amaelomh.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Aopahjll.exeC:\Windows\system32\Aopahjll.exe52⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Aggiigmn.exeC:\Windows\system32\Aggiigmn.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1704 -
C:\Windows\SysWOW64\Aihfap32.exeC:\Windows\system32\Aihfap32.exe54⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Aqonbm32.exeC:\Windows\system32\Aqonbm32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Acnjnh32.exeC:\Windows\system32\Acnjnh32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1540 -
C:\Windows\SysWOW64\Aflfjc32.exeC:\Windows\system32\Aflfjc32.exe57⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Aijbfo32.exeC:\Windows\system32\Aijbfo32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Akiobk32.exeC:\Windows\system32\Akiobk32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Bbbgod32.exeC:\Windows\system32\Bbbgod32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Bfncpcoc.exeC:\Windows\system32\Bfncpcoc.exe61⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Bmhkmm32.exeC:\Windows\system32\Bmhkmm32.exe62⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Bkklhjnk.exeC:\Windows\system32\Bkklhjnk.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1472 -
C:\Windows\SysWOW64\Bbeded32.exeC:\Windows\system32\Bbeded32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Becpap32.exeC:\Windows\system32\Becpap32.exe65⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Bgblmk32.exeC:\Windows\system32\Bgblmk32.exe66⤵
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Boidnh32.exeC:\Windows\system32\Boidnh32.exe67⤵
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Bbgqjdce.exeC:\Windows\system32\Bbgqjdce.exe68⤵PID:2804
-
C:\Windows\SysWOW64\Befmfpbi.exeC:\Windows\system32\Befmfpbi.exe69⤵PID:3016
-
C:\Windows\SysWOW64\Bgdibkam.exeC:\Windows\system32\Bgdibkam.exe70⤵PID:1432
-
C:\Windows\SysWOW64\Bnnaoe32.exeC:\Windows\system32\Bnnaoe32.exe71⤵PID:1916
-
C:\Windows\SysWOW64\Behilopf.exeC:\Windows\system32\Behilopf.exe72⤵PID:2612
-
C:\Windows\SysWOW64\Bgffhkoj.exeC:\Windows\system32\Bgffhkoj.exe73⤵
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Bnqned32.exeC:\Windows\system32\Bnqned32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2544 -
C:\Windows\SysWOW64\Baojapfj.exeC:\Windows\system32\Baojapfj.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\Bcmfmlen.exeC:\Windows\system32\Bcmfmlen.exe76⤵
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Cjgoje32.exeC:\Windows\system32\Cjgoje32.exe77⤵
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Cmfkfa32.exeC:\Windows\system32\Cmfkfa32.exe78⤵
- Modifies registry class
PID:2208 -
C:\Windows\SysWOW64\Cpdgbm32.exeC:\Windows\system32\Cpdgbm32.exe79⤵PID:1036
-
C:\Windows\SysWOW64\Cacclpae.exeC:\Windows\system32\Cacclpae.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1888 -
C:\Windows\SysWOW64\Cbepdhgc.exeC:\Windows\system32\Cbepdhgc.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:532 -
C:\Windows\SysWOW64\Cmjdaqgi.exeC:\Windows\system32\Cmjdaqgi.exe82⤵PID:948
-
C:\Windows\SysWOW64\Ccdmnj32.exeC:\Windows\system32\Ccdmnj32.exe83⤵PID:2188
-
C:\Windows\SysWOW64\Ceeieced.exeC:\Windows\system32\Ceeieced.exe84⤵PID:1696
-
C:\Windows\SysWOW64\Cpkmcldj.exeC:\Windows\system32\Cpkmcldj.exe85⤵PID:2132
-
C:\Windows\SysWOW64\Cfeepelg.exeC:\Windows\system32\Cfeepelg.exe86⤵PID:2352
-
C:\Windows\SysWOW64\Chfbgn32.exeC:\Windows\system32\Chfbgn32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2360 -
C:\Windows\SysWOW64\Copjdhib.exeC:\Windows\system32\Copjdhib.exe88⤵PID:2692
-
C:\Windows\SysWOW64\Dejbqb32.exeC:\Windows\system32\Dejbqb32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Dobgihgp.exeC:\Windows\system32\Dobgihgp.exe90⤵PID:2648
-
C:\Windows\SysWOW64\Demofaol.exeC:\Windows\system32\Demofaol.exe91⤵PID:404
-
C:\Windows\SysWOW64\Dhkkbmnp.exeC:\Windows\system32\Dhkkbmnp.exe92⤵PID:2644
-
C:\Windows\SysWOW64\Dkigoimd.exeC:\Windows\system32\Dkigoimd.exe93⤵PID:2752
-
C:\Windows\SysWOW64\Dmhdkdlg.exeC:\Windows\system32\Dmhdkdlg.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:372 -
C:\Windows\SysWOW64\Deollamj.exeC:\Windows\system32\Deollamj.exe95⤵
- Modifies registry class
PID:2328 -
C:\Windows\SysWOW64\Dfphcj32.exeC:\Windows\system32\Dfphcj32.exe96⤵PID:2312
-
C:\Windows\SysWOW64\Diaaeepi.exeC:\Windows\system32\Diaaeepi.exe97⤵
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Ddfebnoo.exeC:\Windows\system32\Ddfebnoo.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2844 -
C:\Windows\SysWOW64\Dbifnj32.exeC:\Windows\system32\Dbifnj32.exe99⤵PID:2024
-
C:\Windows\SysWOW64\Dkqnoh32.exeC:\Windows\system32\Dkqnoh32.exe100⤵
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Dmojkc32.exeC:\Windows\system32\Dmojkc32.exe101⤵
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Elajgpmj.exeC:\Windows\system32\Elajgpmj.exe102⤵
- Modifies registry class
PID:316 -
C:\Windows\SysWOW64\Eiekpd32.exeC:\Windows\system32\Eiekpd32.exe103⤵
- Drops file in System32 directory
PID:1208 -
C:\Windows\SysWOW64\Emagacdm.exeC:\Windows\system32\Emagacdm.exe104⤵PID:2524
-
C:\Windows\SysWOW64\Eldglp32.exeC:\Windows\system32\Eldglp32.exe105⤵PID:1096
-
C:\Windows\SysWOW64\Eobchk32.exeC:\Windows\system32\Eobchk32.exe106⤵PID:2928
-
C:\Windows\SysWOW64\Eelkeeah.exeC:\Windows\system32\Eelkeeah.exe107⤵PID:1256
-
C:\Windows\SysWOW64\Eoepnk32.exeC:\Windows\system32\Eoepnk32.exe108⤵
- Modifies registry class
PID:1464 -
C:\Windows\SysWOW64\Eacljf32.exeC:\Windows\system32\Eacljf32.exe109⤵
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Eijdkcgn.exeC:\Windows\system32\Eijdkcgn.exe110⤵
- Drops file in System32 directory
PID:2520 -
C:\Windows\SysWOW64\Elipgofb.exeC:\Windows\system32\Elipgofb.exe111⤵
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Eaeipfei.exeC:\Windows\system32\Eaeipfei.exe112⤵PID:2072
-
C:\Windows\SysWOW64\Eddeladm.exeC:\Windows\system32\Eddeladm.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Elkmmodo.exeC:\Windows\system32\Elkmmodo.exe114⤵
- Modifies registry class
PID:1212 -
C:\Windows\SysWOW64\Eknmhk32.exeC:\Windows\system32\Eknmhk32.exe115⤵PID:984
-
C:\Windows\SysWOW64\Eaheeecg.exeC:\Windows\system32\Eaheeecg.exe116⤵PID:1300
-
C:\Windows\SysWOW64\Edfbaabj.exeC:\Windows\system32\Edfbaabj.exe117⤵
- Drops file in System32 directory
PID:1412 -
C:\Windows\SysWOW64\Fgdnnl32.exeC:\Windows\system32\Fgdnnl32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2324 -
C:\Windows\SysWOW64\Folfoj32.exeC:\Windows\system32\Folfoj32.exe119⤵PID:1732
-
C:\Windows\SysWOW64\Fajbke32.exeC:\Windows\system32\Fajbke32.exe120⤵
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Fhdjgoha.exeC:\Windows\system32\Fhdjgoha.exe121⤵
- Modifies registry class
PID:1884
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-