Analysis
-
max time kernel
119s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
14/07/2024, 23:37 UTC
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
410d4b86b8ae936f6ac7cd7bf347c0e0N.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
410d4b86b8ae936f6ac7cd7bf347c0e0N.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
120 seconds
General
-
Target
410d4b86b8ae936f6ac7cd7bf347c0e0N.exe
-
Size
96KB
-
MD5
410d4b86b8ae936f6ac7cd7bf347c0e0
-
SHA1
52125a6d2b35918f52b725639545f03dc4e951af
-
SHA256
a255bc7a70710c14d3cdb0fe58d1a8f8becc512db57d5c4f7964e5dfd665b3b7
-
SHA512
7c0c2bcfaf29fa4e1528f4cfbac3544b6220a1642658811e43143219fc5a3a473a48a5cb843fb161091b20b2d02cc6811acc5d09a50ca064c28757221b321387
-
SSDEEP
1536:vxi8v/GK79Yq0gJkfXLXme8wCQxBs2LUZS/FCb4noaJSNzJO/:vZvp7mq0gkXme9CQ/lUZSs4noakXO/
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fblpnepn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpbilmop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hggeeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdmekg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gepgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhegcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flhnqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pblkgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjcajn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qahlpkhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfjmkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfjegl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Denglpkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebkpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhfdffll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnmlpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gledgkfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpihog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhebij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnkpjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gngdadoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmhmdc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogpnakfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnfnlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebfpglkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhndcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgjjdijo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkbdbbop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apheke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfgcff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kghkppbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kadhen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpbokj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piipibff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aflkiapg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdgkkppm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkookd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eligoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjpehn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jidngh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joepjokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkjfhile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbandfkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcdmekne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gklkdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emnelbdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chfffk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckoblapc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahancp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkconepp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hojqjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnnehb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oamohenq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igomfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgdmkhnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knnagehi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdfejn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkkbcpbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aihjpman.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjkneb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npfhjifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gocnjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbmcjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deimaa32.exe -
Executes dropped EXE 64 IoCs
pid Process 2320 Moflkfca.exe 2176 Mqjehngm.exe 2744 Mnneabff.exe 2740 Nijcgp32.exe 2808 Npfhjifm.exe 2788 Nnkekfkd.exe 2680 Nhdjdk32.exe 2492 Nlabjj32.exe 2992 Oelcho32.exe 3008 Opfdim32.exe 2856 Ofpmegpe.exe 2100 Ofbikf32.exe 1480 Omonmpcm.exe 2148 Pfgcff32.exe 2240 Pelpgb32.exe 984 Pacqlcdi.exe 1444 Peaibajp.exe 1096 Pgbejj32.exe 2160 Qgdbpi32.exe 1380 Qckcdj32.exe 1532 Qnagbc32.exe 2040 Ancdgcab.exe 936 Aogmdk32.exe 968 Ahoamplo.exe 2452 Ahancp32.exe 2124 Afeold32.exe 556 Akbgdkgm.exe 1592 Bqambacb.exe 2412 Bqciha32.exe 2824 Bnhjae32.exe 2892 Bmmgbbeq.exe 952 Cicggcke.exe 1072 Ccileljk.exe 2408 Copljmpo.exe 2348 Cfjdfg32.exe 2944 Cgmndokg.exe 3048 Cngfqi32.exe 1868 Cmmcae32.exe 940 Fhfihd32.exe 1824 Fhifmcfa.exe 1332 Gocnjn32.exe 2112 Gnhkkjbf.exe 1640 Gklkdn32.exe 608 Gjahfkfg.exe 1616 Gjcekj32.exe 276 Hggeeo32.exe 1628 Hhhblgim.exe 2292 Hobjia32.exe 1976 Hfmbfkhf.exe 1760 Hkiknb32.exe 2520 Hdapggln.exe 2700 Hnjdpm32.exe 1796 Hiphmf32.exe 2836 Hojqjp32.exe 2888 Hqkmahpp.exe 2624 Hjcajn32.exe 2312 Iggbdb32.exe 1740 Imdjlida.exe 2364 Igioiacg.exe 2872 Incgfl32.exe 3040 Iglkoaad.exe 1284 Iadphghe.exe 860 Ibeloo32.exe 2108 Imkqmh32.exe -
Loads dropped DLL 64 IoCs
pid Process 2064 410d4b86b8ae936f6ac7cd7bf347c0e0N.exe 2064 410d4b86b8ae936f6ac7cd7bf347c0e0N.exe 2320 Moflkfca.exe 2320 Moflkfca.exe 2176 Mqjehngm.exe 2176 Mqjehngm.exe 2744 Mnneabff.exe 2744 Mnneabff.exe 2740 Nijcgp32.exe 2740 Nijcgp32.exe 2808 Npfhjifm.exe 2808 Npfhjifm.exe 2788 Nnkekfkd.exe 2788 Nnkekfkd.exe 2680 Nhdjdk32.exe 2680 Nhdjdk32.exe 2492 Nlabjj32.exe 2492 Nlabjj32.exe 2992 Oelcho32.exe 2992 Oelcho32.exe 3008 Opfdim32.exe 3008 Opfdim32.exe 2856 Ofpmegpe.exe 2856 Ofpmegpe.exe 2100 Ofbikf32.exe 2100 Ofbikf32.exe 1480 Omonmpcm.exe 1480 Omonmpcm.exe 2148 Pfgcff32.exe 2148 Pfgcff32.exe 2240 Pelpgb32.exe 2240 Pelpgb32.exe 984 Pacqlcdi.exe 984 Pacqlcdi.exe 1444 Peaibajp.exe 1444 Peaibajp.exe 1096 Pgbejj32.exe 1096 Pgbejj32.exe 2160 Qgdbpi32.exe 2160 Qgdbpi32.exe 1380 Qckcdj32.exe 1380 Qckcdj32.exe 1532 Qnagbc32.exe 1532 Qnagbc32.exe 2040 Ancdgcab.exe 2040 Ancdgcab.exe 936 Aogmdk32.exe 936 Aogmdk32.exe 968 Ahoamplo.exe 968 Ahoamplo.exe 2452 Ahancp32.exe 2452 Ahancp32.exe 2124 Afeold32.exe 2124 Afeold32.exe 556 Akbgdkgm.exe 556 Akbgdkgm.exe 1592 Bqambacb.exe 1592 Bqambacb.exe 2412 Bqciha32.exe 2412 Bqciha32.exe 2824 Bnhjae32.exe 2824 Bnhjae32.exe 2892 Bmmgbbeq.exe 2892 Bmmgbbeq.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cmfdmc32.dll Pneiaidn.exe File created C:\Windows\SysWOW64\Dbfaopqo.exe Chmlfj32.exe File created C:\Windows\SysWOW64\Fbpihafp.exe Eelinm32.exe File opened for modification C:\Windows\SysWOW64\Ifljcanj.exe Ikfffh32.exe File created C:\Windows\SysWOW64\Fhifmcfa.exe Fhfihd32.exe File created C:\Windows\SysWOW64\Icnealbb.exe Iggdmkmn.exe File opened for modification C:\Windows\SysWOW64\Fbpihafp.exe Eelinm32.exe File created C:\Windows\SysWOW64\Joagkd32.exe Jdlcnkfg.exe File opened for modification C:\Windows\SysWOW64\Engnno32.exe Dbpmin32.exe File created C:\Windows\SysWOW64\Dclbgadl.dll Njlopkmg.exe File opened for modification C:\Windows\SysWOW64\Jbhkngcd.exe Igojmjgf.exe File opened for modification C:\Windows\SysWOW64\Pfmgmm32.exe Pmecdgbk.exe File created C:\Windows\SysWOW64\Gqebij32.dll Fallil32.exe File created C:\Windows\SysWOW64\Cffmoh32.dll Geqnho32.exe File opened for modification C:\Windows\SysWOW64\Mdbloobc.exe Mkihfi32.exe File created C:\Windows\SysWOW64\Hjegejfl.dll Chfffk32.exe File opened for modification C:\Windows\SysWOW64\Jgdmkhnp.exe Jbgdcapi.exe File created C:\Windows\SysWOW64\Moloidjl.exe Mhbflj32.exe File created C:\Windows\SysWOW64\Bnkpjd32.exe Bgagnjbi.exe File opened for modification C:\Windows\SysWOW64\Chmlfj32.exe Coehnecn.exe File opened for modification C:\Windows\SysWOW64\Kdgane32.exe Kiamql32.exe File created C:\Windows\SysWOW64\Cqqbgoba.exe Cfknjfbl.exe File opened for modification C:\Windows\SysWOW64\Fhfbmn32.exe Fmpnpe32.exe File created C:\Windows\SysWOW64\Ccbpjqqq.dll Gllabp32.exe File opened for modification C:\Windows\SysWOW64\Jemkai32.exe Jocceo32.exe File opened for modification C:\Windows\SysWOW64\Gaiijgbi.exe Gllabp32.exe File created C:\Windows\SysWOW64\Cqlhlo32.exe Cnmlpd32.exe File created C:\Windows\SysWOW64\Pdqfaiab.dll Bnafjo32.exe File created C:\Windows\SysWOW64\Eelinm32.exe Epopff32.exe File created C:\Windows\SysWOW64\Fdhlphff.exe Fnkchahn.exe File opened for modification C:\Windows\SysWOW64\Egedebgc.exe Enmplm32.exe File created C:\Windows\SysWOW64\Ejkdfong.dll Lklmoccl.exe File created C:\Windows\SysWOW64\Gohqhl32.exe Gngdadoj.exe File created C:\Windows\SysWOW64\Dgeoapde.dll Jjmchhhe.exe File created C:\Windows\SysWOW64\Abodlk32.exe Aifpcfjd.exe File created C:\Windows\SysWOW64\Gjcekj32.exe Gjahfkfg.exe File created C:\Windows\SysWOW64\Obpkabjb.dll Igojmjgf.exe File created C:\Windows\SysWOW64\Gledgkfn.exe Fblpnepn.exe File opened for modification C:\Windows\SysWOW64\Jiiikq32.exe Jennjblp.exe File created C:\Windows\SysWOW64\Nakjff32.dll Jhndcd32.exe File created C:\Windows\SysWOW64\Hobecd32.dll Dohnfc32.exe File created C:\Windows\SysWOW64\Ipjlgf32.dll Nppceo32.exe File opened for modification C:\Windows\SysWOW64\Nnfeep32.exe Moahdd32.exe File opened for modification C:\Windows\SysWOW64\Kefmnp32.exe Kkmhej32.exe File created C:\Windows\SysWOW64\Jdlcnkfg.exe Jhebij32.exe File created C:\Windows\SysWOW64\Hjcajn32.exe Hqkmahpp.exe File created C:\Windows\SysWOW64\Lklmoccl.exe Kadhen32.exe File created C:\Windows\SysWOW64\Fgmncb32.dll Aajedn32.exe File opened for modification C:\Windows\SysWOW64\Qckcdj32.exe Qgdbpi32.exe File opened for modification C:\Windows\SysWOW64\Hojqjp32.exe Hiphmf32.exe File created C:\Windows\SysWOW64\Djffihmp.exe Deimaa32.exe File opened for modification C:\Windows\SysWOW64\Bmmgbbeq.exe Bnhjae32.exe File opened for modification C:\Windows\SysWOW64\Cccgni32.exe Cfpgee32.exe File opened for modification C:\Windows\SysWOW64\Dafchi32.exe Dgqokp32.exe File created C:\Windows\SysWOW64\Ebenhifo.dll Ofqonp32.exe File opened for modification C:\Windows\SysWOW64\Aeahjn32.exe Aogpmcmb.exe File created C:\Windows\SysWOW64\Neicdg32.dll Gkaghf32.exe File created C:\Windows\SysWOW64\Jjhecdda.dll Ffeoid32.exe File created C:\Windows\SysWOW64\Jfdnao32.dll Jiiikq32.exe File created C:\Windows\SysWOW64\Nffhad32.dll Pacqlcdi.exe File opened for modification C:\Windows\SysWOW64\Cpkaai32.exe Cgcmiclk.exe File created C:\Windows\SysWOW64\Mkconepp.exe Mdigakic.exe File opened for modification C:\Windows\SysWOW64\Amaiklki.exe Qhdabemb.exe File created C:\Windows\SysWOW64\Copljmpo.exe Ccileljk.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2128 1588 WerFault.exe 544 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaopnk32.dll" Kadhen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpaic32.dll" Gdmcbojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aeahjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cicggcke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoecelol.dll" Bbdoec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qiaikl32.dll" Lldhldpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fioajqmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelbl32.dll" Jbhkngcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nccmng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imgija32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gldakn32.dll" Lmmaoq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lldkem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaijbd32.dll" Ofpmegpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jemkai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djffihmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eelinm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgjoaane.dll" Iodolf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gklkdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blelpeoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iikfmama.dll" Egedebgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cngfqi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Deimaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hqcpfcbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpiikml.dll" Omhjejai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akinoefk.dll" Fmmjpoci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joohmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbagdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjmphgbf.dll" Mggoli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pppihdha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdbibjok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmoade32.dll" Jflfbdqe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nppceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Campbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnlqcee.dll" Modano32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogpnakfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pneiaidn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcdihn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddiafqpq.dll" Pclolakk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbpcn32.dll" Pqlfjfni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkihaqji.dll" Iomhkgkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnknqpgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nknmplji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnfnlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okgpfjbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinelbbc.dll" Plbaafak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkpfcnoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcendc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgidnobg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbonmjph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odpljf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gboolneo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnbdbomn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfoffmhd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhdabemb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omonmpcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfeljlqh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oifelfni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nodnmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iomhkgkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hemeod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnbhgadc.dll" Mdqclpgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnielf32.dll" Apheke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkakad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cohnmm32.dll" Clphjc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2064 wrote to memory of 2320 2064 410d4b86b8ae936f6ac7cd7bf347c0e0N.exe 29 PID 2064 wrote to memory of 2320 2064 410d4b86b8ae936f6ac7cd7bf347c0e0N.exe 29 PID 2064 wrote to memory of 2320 2064 410d4b86b8ae936f6ac7cd7bf347c0e0N.exe 29 PID 2064 wrote to memory of 2320 2064 410d4b86b8ae936f6ac7cd7bf347c0e0N.exe 29 PID 2320 wrote to memory of 2176 2320 Moflkfca.exe 30 PID 2320 wrote to memory of 2176 2320 Moflkfca.exe 30 PID 2320 wrote to memory of 2176 2320 Moflkfca.exe 30 PID 2320 wrote to memory of 2176 2320 Moflkfca.exe 30 PID 2176 wrote to memory of 2744 2176 Mqjehngm.exe 31 PID 2176 wrote to memory of 2744 2176 Mqjehngm.exe 31 PID 2176 wrote to memory of 2744 2176 Mqjehngm.exe 31 PID 2176 wrote to memory of 2744 2176 Mqjehngm.exe 31 PID 2744 wrote to memory of 2740 2744 Mnneabff.exe 32 PID 2744 wrote to memory of 2740 2744 Mnneabff.exe 32 PID 2744 wrote to memory of 2740 2744 Mnneabff.exe 32 PID 2744 wrote to memory of 2740 2744 Mnneabff.exe 32 PID 2740 wrote to memory of 2808 2740 Nijcgp32.exe 33 PID 2740 wrote to memory of 2808 2740 Nijcgp32.exe 33 PID 2740 wrote to memory of 2808 2740 Nijcgp32.exe 33 PID 2740 wrote to memory of 2808 2740 Nijcgp32.exe 33 PID 2808 wrote to memory of 2788 2808 Npfhjifm.exe 34 PID 2808 wrote to memory of 2788 2808 Npfhjifm.exe 34 PID 2808 wrote to memory of 2788 2808 Npfhjifm.exe 34 PID 2808 wrote to memory of 2788 2808 Npfhjifm.exe 34 PID 2788 wrote to memory of 2680 2788 Nnkekfkd.exe 35 PID 2788 wrote to memory of 2680 2788 Nnkekfkd.exe 35 PID 2788 wrote to memory of 2680 2788 Nnkekfkd.exe 35 PID 2788 wrote to memory of 2680 2788 Nnkekfkd.exe 35 PID 2680 wrote to memory of 2492 2680 Nhdjdk32.exe 36 PID 2680 wrote to memory of 2492 2680 Nhdjdk32.exe 36 PID 2680 wrote to memory of 2492 2680 Nhdjdk32.exe 36 PID 2680 wrote to memory of 2492 2680 Nhdjdk32.exe 36 PID 2492 wrote to memory of 2992 2492 Nlabjj32.exe 37 PID 2492 wrote to memory of 2992 2492 Nlabjj32.exe 37 PID 2492 wrote to memory of 2992 2492 Nlabjj32.exe 37 PID 2492 wrote to memory of 2992 2492 Nlabjj32.exe 37 PID 2992 wrote to memory of 3008 2992 Oelcho32.exe 38 PID 2992 wrote to memory of 3008 2992 Oelcho32.exe 38 PID 2992 wrote to memory of 3008 2992 Oelcho32.exe 38 PID 2992 wrote to memory of 3008 2992 Oelcho32.exe 38 PID 3008 wrote to memory of 2856 3008 Opfdim32.exe 39 PID 3008 wrote to memory of 2856 3008 Opfdim32.exe 39 PID 3008 wrote to memory of 2856 3008 Opfdim32.exe 39 PID 3008 wrote to memory of 2856 3008 Opfdim32.exe 39 PID 2856 wrote to memory of 2100 2856 Ofpmegpe.exe 40 PID 2856 wrote to memory of 2100 2856 Ofpmegpe.exe 40 PID 2856 wrote to memory of 2100 2856 Ofpmegpe.exe 40 PID 2856 wrote to memory of 2100 2856 Ofpmegpe.exe 40 PID 2100 wrote to memory of 1480 2100 Ofbikf32.exe 41 PID 2100 wrote to memory of 1480 2100 Ofbikf32.exe 41 PID 2100 wrote to memory of 1480 2100 Ofbikf32.exe 41 PID 2100 wrote to memory of 1480 2100 Ofbikf32.exe 41 PID 1480 wrote to memory of 2148 1480 Omonmpcm.exe 42 PID 1480 wrote to memory of 2148 1480 Omonmpcm.exe 42 PID 1480 wrote to memory of 2148 1480 Omonmpcm.exe 42 PID 1480 wrote to memory of 2148 1480 Omonmpcm.exe 42 PID 2148 wrote to memory of 2240 2148 Pfgcff32.exe 43 PID 2148 wrote to memory of 2240 2148 Pfgcff32.exe 43 PID 2148 wrote to memory of 2240 2148 Pfgcff32.exe 43 PID 2148 wrote to memory of 2240 2148 Pfgcff32.exe 43 PID 2240 wrote to memory of 984 2240 Pelpgb32.exe 44 PID 2240 wrote to memory of 984 2240 Pelpgb32.exe 44 PID 2240 wrote to memory of 984 2240 Pelpgb32.exe 44 PID 2240 wrote to memory of 984 2240 Pelpgb32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\410d4b86b8ae936f6ac7cd7bf347c0e0N.exe"C:\Users\Admin\AppData\Local\Temp\410d4b86b8ae936f6ac7cd7bf347c0e0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Moflkfca.exeC:\Windows\system32\Moflkfca.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Mqjehngm.exeC:\Windows\system32\Mqjehngm.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Mnneabff.exeC:\Windows\system32\Mnneabff.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Nijcgp32.exeC:\Windows\system32\Nijcgp32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Npfhjifm.exeC:\Windows\system32\Npfhjifm.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Nnkekfkd.exeC:\Windows\system32\Nnkekfkd.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Nhdjdk32.exeC:\Windows\system32\Nhdjdk32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Nlabjj32.exeC:\Windows\system32\Nlabjj32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Oelcho32.exeC:\Windows\system32\Oelcho32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Opfdim32.exeC:\Windows\system32\Opfdim32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Ofpmegpe.exeC:\Windows\system32\Ofpmegpe.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Ofbikf32.exeC:\Windows\system32\Ofbikf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Omonmpcm.exeC:\Windows\system32\Omonmpcm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\Pfgcff32.exeC:\Windows\system32\Pfgcff32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Pelpgb32.exeC:\Windows\system32\Pelpgb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Pacqlcdi.exeC:\Windows\system32\Pacqlcdi.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:984 -
C:\Windows\SysWOW64\Peaibajp.exeC:\Windows\system32\Peaibajp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1444 -
C:\Windows\SysWOW64\Pgbejj32.exeC:\Windows\system32\Pgbejj32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1096 -
C:\Windows\SysWOW64\Qgdbpi32.exeC:\Windows\system32\Qgdbpi32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2160 -
C:\Windows\SysWOW64\Qckcdj32.exeC:\Windows\system32\Qckcdj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1380 -
C:\Windows\SysWOW64\Qnagbc32.exeC:\Windows\system32\Qnagbc32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1532 -
C:\Windows\SysWOW64\Ancdgcab.exeC:\Windows\system32\Ancdgcab.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2040 -
C:\Windows\SysWOW64\Aogmdk32.exeC:\Windows\system32\Aogmdk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:936 -
C:\Windows\SysWOW64\Ahoamplo.exeC:\Windows\system32\Ahoamplo.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:968 -
C:\Windows\SysWOW64\Ahancp32.exeC:\Windows\system32\Ahancp32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Afeold32.exeC:\Windows\system32\Afeold32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2124 -
C:\Windows\SysWOW64\Akbgdkgm.exeC:\Windows\system32\Akbgdkgm.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:556 -
C:\Windows\SysWOW64\Bqambacb.exeC:\Windows\system32\Bqambacb.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Bqciha32.exeC:\Windows\system32\Bqciha32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Bnhjae32.exeC:\Windows\system32\Bnhjae32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Bmmgbbeq.exeC:\Windows\system32\Bmmgbbeq.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2892 -
C:\Windows\SysWOW64\Cicggcke.exeC:\Windows\system32\Cicggcke.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:952 -
C:\Windows\SysWOW64\Ccileljk.exeC:\Windows\system32\Ccileljk.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1072 -
C:\Windows\SysWOW64\Copljmpo.exeC:\Windows\system32\Copljmpo.exe35⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Cfjdfg32.exeC:\Windows\system32\Cfjdfg32.exe36⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Cgmndokg.exeC:\Windows\system32\Cgmndokg.exe37⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Cngfqi32.exeC:\Windows\system32\Cngfqi32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Cmmcae32.exeC:\Windows\system32\Cmmcae32.exe39⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Fhfihd32.exeC:\Windows\system32\Fhfihd32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:940 -
C:\Windows\SysWOW64\Fhifmcfa.exeC:\Windows\system32\Fhifmcfa.exe41⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Gocnjn32.exeC:\Windows\system32\Gocnjn32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Gnhkkjbf.exeC:\Windows\system32\Gnhkkjbf.exe43⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Gklkdn32.exeC:\Windows\system32\Gklkdn32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1640 -
C:\Windows\SysWOW64\Gjahfkfg.exeC:\Windows\system32\Gjahfkfg.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:608 -
C:\Windows\SysWOW64\Gjcekj32.exeC:\Windows\system32\Gjcekj32.exe46⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Hggeeo32.exeC:\Windows\system32\Hggeeo32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:276 -
C:\Windows\SysWOW64\Hhhblgim.exeC:\Windows\system32\Hhhblgim.exe48⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Hobjia32.exeC:\Windows\system32\Hobjia32.exe49⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Hfmbfkhf.exeC:\Windows\system32\Hfmbfkhf.exe50⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Hkiknb32.exeC:\Windows\system32\Hkiknb32.exe51⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Hdapggln.exeC:\Windows\system32\Hdapggln.exe52⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Hnjdpm32.exeC:\Windows\system32\Hnjdpm32.exe53⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Hiphmf32.exeC:\Windows\system32\Hiphmf32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1796 -
C:\Windows\SysWOW64\Hojqjp32.exeC:\Windows\system32\Hojqjp32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Hqkmahpp.exeC:\Windows\system32\Hqkmahpp.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Hjcajn32.exeC:\Windows\system32\Hjcajn32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Iggbdb32.exeC:\Windows\system32\Iggbdb32.exe58⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Imdjlida.exeC:\Windows\system32\Imdjlida.exe59⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Igioiacg.exeC:\Windows\system32\Igioiacg.exe60⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Incgfl32.exeC:\Windows\system32\Incgfl32.exe61⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Iglkoaad.exeC:\Windows\system32\Iglkoaad.exe62⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Iadphghe.exeC:\Windows\system32\Iadphghe.exe63⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Ibeloo32.exeC:\Windows\system32\Ibeloo32.exe64⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Imkqmh32.exeC:\Windows\system32\Imkqmh32.exe65⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Ifceemdj.exeC:\Windows\system32\Ifceemdj.exe66⤵PID:2204
-
C:\Windows\SysWOW64\Jlpmndba.exeC:\Windows\system32\Jlpmndba.exe67⤵PID:2436
-
C:\Windows\SysWOW64\Jidngh32.exeC:\Windows\system32\Jidngh32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1540 -
C:\Windows\SysWOW64\Jpnfdbig.exeC:\Windows\system32\Jpnfdbig.exe69⤵PID:944
-
C:\Windows\SysWOW64\Jekoljgo.exeC:\Windows\system32\Jekoljgo.exe70⤵PID:776
-
C:\Windows\SysWOW64\Jocceo32.exeC:\Windows\system32\Jocceo32.exe71⤵
- Drops file in System32 directory
PID:236 -
C:\Windows\SysWOW64\Jemkai32.exeC:\Windows\system32\Jemkai32.exe72⤵
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\Joepjokm.exeC:\Windows\system32\Joepjokm.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2400 -
C:\Windows\SysWOW64\Jhndcd32.exeC:\Windows\system32\Jhndcd32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Johlpoij.exeC:\Windows\system32\Johlpoij.exe75⤵PID:2628
-
C:\Windows\SysWOW64\Kdeehe32.exeC:\Windows\system32\Kdeehe32.exe76⤵PID:2864
-
C:\Windows\SysWOW64\Kiamql32.exeC:\Windows\system32\Kiamql32.exe77⤵
- Drops file in System32 directory
PID:2704 -
C:\Windows\SysWOW64\Kdgane32.exeC:\Windows\system32\Kdgane32.exe78⤵PID:3004
-
C:\Windows\SysWOW64\Kmpfgklo.exeC:\Windows\system32\Kmpfgklo.exe79⤵PID:1036
-
C:\Windows\SysWOW64\Kghkppbp.exeC:\Windows\system32\Kghkppbp.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1536 -
C:\Windows\SysWOW64\Kldchgag.exeC:\Windows\system32\Kldchgag.exe81⤵PID:1848
-
C:\Windows\SysWOW64\Kocodbpk.exeC:\Windows\system32\Kocodbpk.exe82⤵PID:2152
-
C:\Windows\SysWOW64\Khkdmh32.exeC:\Windows\system32\Khkdmh32.exe83⤵PID:2332
-
C:\Windows\SysWOW64\Kadhen32.exeC:\Windows\system32\Kadhen32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:660 -
C:\Windows\SysWOW64\Lklmoccl.exeC:\Windows\system32\Lklmoccl.exe85⤵
- Drops file in System32 directory
PID:1956 -
C:\Windows\SysWOW64\Lafekm32.exeC:\Windows\system32\Lafekm32.exe86⤵PID:1028
-
C:\Windows\SysWOW64\Lllihf32.exeC:\Windows\system32\Lllihf32.exe87⤵PID:2564
-
C:\Windows\SysWOW64\Lahaqm32.exeC:\Windows\system32\Lahaqm32.exe88⤵PID:1832
-
C:\Windows\SysWOW64\Lhbjmg32.exeC:\Windows\system32\Lhbjmg32.exe89⤵PID:2236
-
C:\Windows\SysWOW64\Lolbjahp.exeC:\Windows\system32\Lolbjahp.exe90⤵PID:296
-
C:\Windows\SysWOW64\Lhegcg32.exeC:\Windows\system32\Lhegcg32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2776 -
C:\Windows\SysWOW64\Lamkllea.exeC:\Windows\system32\Lamkllea.exe92⤵PID:2008
-
C:\Windows\SysWOW64\Lcnhcdkp.exeC:\Windows\system32\Lcnhcdkp.exe93⤵PID:904
-
C:\Windows\SysWOW64\Ldndng32.exeC:\Windows\system32\Ldndng32.exe94⤵PID:2848
-
C:\Windows\SysWOW64\Mliibj32.exeC:\Windows\system32\Mliibj32.exe95⤵PID:1316
-
C:\Windows\SysWOW64\Mfamko32.exeC:\Windows\system32\Mfamko32.exe96⤵PID:2928
-
C:\Windows\SysWOW64\Mcendc32.exeC:\Windows\system32\Mcendc32.exe97⤵
- Modifies registry class
PID:1376 -
C:\Windows\SysWOW64\Mhbflj32.exeC:\Windows\system32\Mhbflj32.exe98⤵
- Drops file in System32 directory
PID:2352 -
C:\Windows\SysWOW64\Moloidjl.exeC:\Windows\system32\Moloidjl.exe99⤵PID:1988
-
C:\Windows\SysWOW64\Mdigakic.exeC:\Windows\system32\Mdigakic.exe100⤵
- Drops file in System32 directory
PID:1544 -
C:\Windows\SysWOW64\Mkconepp.exeC:\Windows\system32\Mkconepp.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2012 -
C:\Windows\SysWOW64\Mbmgkp32.exeC:\Windows\system32\Mbmgkp32.exe102⤵PID:892
-
C:\Windows\SysWOW64\Moahdd32.exeC:\Windows\system32\Moahdd32.exe103⤵
- Drops file in System32 directory
PID:2076 -
C:\Windows\SysWOW64\Nnfeep32.exeC:\Windows\system32\Nnfeep32.exe104⤵PID:2720
-
C:\Windows\SysWOW64\Nccmng32.exeC:\Windows\system32\Nccmng32.exe105⤵
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Nkjeod32.exeC:\Windows\system32\Nkjeod32.exe106⤵PID:2984
-
C:\Windows\SysWOW64\Nqgngk32.exeC:\Windows\system32\Nqgngk32.exe107⤵PID:2988
-
C:\Windows\SysWOW64\Ngafdepl.exeC:\Windows\system32\Ngafdepl.exe108⤵PID:992
-
C:\Windows\SysWOW64\Nnknqpgi.exeC:\Windows\system32\Nnknqpgi.exe109⤵
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Nqijmkfm.exeC:\Windows\system32\Nqijmkfm.exe110⤵PID:560
-
C:\Windows\SysWOW64\Nmpkal32.exeC:\Windows\system32\Nmpkal32.exe111⤵PID:2212
-
C:\Windows\SysWOW64\Nbmcjc32.exeC:\Windows\system32\Nbmcjc32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2420 -
C:\Windows\SysWOW64\Olehbh32.exeC:\Windows\system32\Olehbh32.exe113⤵PID:896
-
C:\Windows\SysWOW64\Opcaiggo.exeC:\Windows\system32\Opcaiggo.exe114⤵PID:2316
-
C:\Windows\SysWOW64\Qhehmkqn.exeC:\Windows\system32\Qhehmkqn.exe115⤵PID:2156
-
C:\Windows\SysWOW64\Qkcdigpa.exeC:\Windows\system32\Qkcdigpa.exe116⤵PID:948
-
C:\Windows\SysWOW64\Adqbml32.exeC:\Windows\system32\Adqbml32.exe117⤵PID:832
-
C:\Windows\SysWOW64\Aniffaim.exeC:\Windows\system32\Aniffaim.exe118⤵PID:2652
-
C:\Windows\SysWOW64\Apgcbmha.exeC:\Windows\system32\Apgcbmha.exe119⤵PID:2600
-
C:\Windows\SysWOW64\Ajpgkb32.exeC:\Windows\system32\Ajpgkb32.exe120⤵PID:2512
-
C:\Windows\SysWOW64\Bfnnpbnn.exeC:\Windows\system32\Bfnnpbnn.exe121⤵PID:2464
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-