Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
13/03/2024, 21:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a1d43cc6da4407069093437a9d58bc632c2c08ab0ab0e38a6cb84d1c4e240acf.exe
Resource
win7-20240221-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
a1d43cc6da4407069093437a9d58bc632c2c08ab0ab0e38a6cb84d1c4e240acf.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
a1d43cc6da4407069093437a9d58bc632c2c08ab0ab0e38a6cb84d1c4e240acf.exe
-
Size
192KB
-
MD5
bd117ac1a92a5e2e606b0303f072c10c
-
SHA1
c882434b4f67b5490b4c288d163fb009962414cf
-
SHA256
a1d43cc6da4407069093437a9d58bc632c2c08ab0ab0e38a6cb84d1c4e240acf
-
SHA512
c0ccb6e1628bc7c323f8a8bb1bc02c26a32a1a5210d6c97cde96e8d3080fc217c433b3d1213c6998efd6bf57d7374348d1fbe041fb8419cad918a31207e0932a
-
SSDEEP
3072:tdU+leuWsAqJfnRigyYq4YJH681+jq2832dp5Xp+7+10K0k7SS6S+psBB6sS:X5MDsfnRBTsa81+jq4peBK02SjSM0zS
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flehkhai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmpgio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjdhbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcjdpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppbfpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kilfcpqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fehjeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gobgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mihiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehgppi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdehon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnlidb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odobjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bioqclil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biamilfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heglio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dngoibmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebinic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhmepp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Febfomdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfmjgeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Balijo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doobajme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbgmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hojgfemq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eojnkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmdadnkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqonkmdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfekcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpbheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfoqmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbmcbbki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nigome32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnhkcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iccbqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmlapp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhiffc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdaoog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnlqnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnhkcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohibdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpnbkeld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ednpej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncmdhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjmkcbcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgpjanje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdmmfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjfjbdle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbfdaigg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbiqfied.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndemjoae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgilchkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcgogk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahlgfdeq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmpgio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpphap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhkdeggl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmmkcoap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgagfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obkdonic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paggai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chhjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efppoc32.exe -
Executes dropped EXE 64 IoCs
pid Process 2900 Naikkk32.exe 2096 Ndgggf32.exe 2652 Nlblkhei.exe 2848 Ncmdhb32.exe 2772 Nnbhek32.exe 2448 Nocemcbj.exe 3012 Ngkmnacm.exe 2516 Nlgefh32.exe 2752 Nbdnoo32.exe 1384 Nmjblg32.exe 1872 Nccjhafn.exe 1028 Ohqbqhde.exe 1132 Okoomd32.exe 2544 Oojknblb.exe 2428 Oicpfh32.exe 1628 Obkdonic.exe 1168 Odjpkihg.exe 1104 Okchhc32.exe 2832 Onbddoog.exe 1184 Oelmai32.exe 3032 Okfencna.exe 2004 Oenifh32.exe 2008 Ofpfnqjp.exe 892 Ongnonkb.exe 2212 Pminkk32.exe 1584 Pccfge32.exe 2840 Pipopl32.exe 2592 Paggai32.exe 2480 Pcfcmd32.exe 2724 Pfdpip32.exe 2512 Piblek32.exe 2496 Pbkpna32.exe 2692 Peiljl32.exe 1916 Pmqdkj32.exe 2684 Plcdgfbo.exe 1720 Pnbacbac.exe 860 Pfiidobe.exe 2164 Pigeqkai.exe 1988 Phjelg32.exe 2196 Pndniaop.exe 1824 Pabjem32.exe 636 Qhmbagfa.exe 1408 Qjknnbed.exe 900 Qbbfopeg.exe 2084 Qaefjm32.exe 532 Qdccfh32.exe 1868 Qhooggdn.exe 2288 Qjmkcbcb.exe 3056 Qnigda32.exe 3064 Qagcpljo.exe 2648 Ahakmf32.exe 2800 Afdlhchf.exe 2936 Ankdiqih.exe 2456 Aajpelhl.exe 2136 Adhlaggp.exe 2644 Ahchbf32.exe 2784 Ajbdna32.exe 2464 Aiedjneg.exe 1324 Ampqjm32.exe 2484 Apomfh32.exe 2948 Afiecb32.exe 1464 Ajdadamj.exe 2880 Ambmpmln.exe 1512 Apajlhka.exe -
Loads dropped DLL 64 IoCs
pid Process 1940 a1d43cc6da4407069093437a9d58bc632c2c08ab0ab0e38a6cb84d1c4e240acf.exe 1940 a1d43cc6da4407069093437a9d58bc632c2c08ab0ab0e38a6cb84d1c4e240acf.exe 2900 Naikkk32.exe 2900 Naikkk32.exe 2096 Ndgggf32.exe 2096 Ndgggf32.exe 2652 Nlblkhei.exe 2652 Nlblkhei.exe 2848 Ncmdhb32.exe 2848 Ncmdhb32.exe 2772 Nnbhek32.exe 2772 Nnbhek32.exe 2448 Nocemcbj.exe 2448 Nocemcbj.exe 3012 Ngkmnacm.exe 3012 Ngkmnacm.exe 2516 Nlgefh32.exe 2516 Nlgefh32.exe 2752 Nbdnoo32.exe 2752 Nbdnoo32.exe 1384 Nmjblg32.exe 1384 Nmjblg32.exe 1872 Nccjhafn.exe 1872 Nccjhafn.exe 1028 Ohqbqhde.exe 1028 Ohqbqhde.exe 1132 Okoomd32.exe 1132 Okoomd32.exe 2544 Oojknblb.exe 2544 Oojknblb.exe 2428 Oicpfh32.exe 2428 Oicpfh32.exe 1628 Obkdonic.exe 1628 Obkdonic.exe 1168 Odjpkihg.exe 1168 Odjpkihg.exe 1104 Okchhc32.exe 1104 Okchhc32.exe 2832 Onbddoog.exe 2832 Onbddoog.exe 1184 Oelmai32.exe 1184 Oelmai32.exe 3032 Okfencna.exe 3032 Okfencna.exe 2004 Oenifh32.exe 2004 Oenifh32.exe 2008 Ofpfnqjp.exe 2008 Ofpfnqjp.exe 892 Ongnonkb.exe 892 Ongnonkb.exe 2212 Pminkk32.exe 2212 Pminkk32.exe 1584 Pccfge32.exe 1584 Pccfge32.exe 2840 Pipopl32.exe 2840 Pipopl32.exe 2592 Paggai32.exe 2592 Paggai32.exe 2480 Pcfcmd32.exe 2480 Pcfcmd32.exe 2724 Pfdpip32.exe 2724 Pfdpip32.exe 2512 Piblek32.exe 2512 Piblek32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bpjiammk.dll Admemg32.exe File opened for modification C:\Windows\SysWOW64\Cllpkl32.exe Cnippoha.exe File created C:\Windows\SysWOW64\Milokblc.dll Pkpagq32.exe File opened for modification C:\Windows\SysWOW64\Edpmjj32.exe Eqdajkkb.exe File created C:\Windows\SysWOW64\Flehkhai.exe Fmbhok32.exe File opened for modification C:\Windows\SysWOW64\Ffklhqao.exe Fbopgb32.exe File created C:\Windows\SysWOW64\Egdgmmje.dll Onbddoog.exe File opened for modification C:\Windows\SysWOW64\Eqonkmdh.exe Eihfjo32.exe File opened for modification C:\Windows\SysWOW64\Jfekcg32.exe Jcgogk32.exe File opened for modification C:\Windows\SysWOW64\Gjdhbc32.exe Ghelfg32.exe File opened for modification C:\Windows\SysWOW64\Ajbdna32.exe Ahchbf32.exe File created C:\Windows\SysWOW64\Gpbgnedh.dll Mieeibkn.exe File created C:\Windows\SysWOW64\Lpgimglf.dll Iefhhbef.exe File created C:\Windows\SysWOW64\Gmibbifn.dll Hlhaqogk.exe File created C:\Windows\SysWOW64\Baoohhdn.dll Kkijmm32.exe File created C:\Windows\SysWOW64\Jjlcbpdk.dll Qjjgclai.exe File created C:\Windows\SysWOW64\Eqijej32.exe Eibbcm32.exe File created C:\Windows\SysWOW64\Higeofeq.dll Gffoldhp.exe File created C:\Windows\SysWOW64\Iamimc32.exe Icjhagdp.exe File created C:\Windows\SysWOW64\Niebhf32.exe Nkbalifo.exe File created C:\Windows\SysWOW64\Bagmdc32.dll Apomfh32.exe File created C:\Windows\SysWOW64\Fehjeo32.exe Ebinic32.exe File opened for modification C:\Windows\SysWOW64\Anojbobe.exe Aplifb32.exe File opened for modification C:\Windows\SysWOW64\Gpqpjj32.exe Gmbdnn32.exe File created C:\Windows\SysWOW64\Jnkpbcjg.exe Jgagfi32.exe File created C:\Windows\SysWOW64\Bpafkknm.exe Bkdmcdoe.exe File opened for modification C:\Windows\SysWOW64\Hdlhjl32.exe Hanlnp32.exe File created C:\Windows\SysWOW64\Chemfl32.exe Cjbmjplb.exe File created C:\Windows\SysWOW64\Fmjejphb.exe Fioija32.exe File opened for modification C:\Windows\SysWOW64\Jehkodcm.exe Jfekcg32.exe File created C:\Windows\SysWOW64\Fanjadqp.dll Qlkdkd32.exe File created C:\Windows\SysWOW64\Kjifhc32.exe Kfmjgeaj.exe File created C:\Windows\SysWOW64\Maomqp32.dll Cciemedf.exe File created C:\Windows\SysWOW64\Klaoplan.dll Jejhecaj.exe File opened for modification C:\Windows\SysWOW64\Ldidkbpb.exe Lmolnh32.exe File created C:\Windows\SysWOW64\Mpioaoic.dll Qimhoi32.exe File opened for modification C:\Windows\SysWOW64\Naikkk32.exe a1d43cc6da4407069093437a9d58bc632c2c08ab0ab0e38a6cb84d1c4e240acf.exe File created C:\Windows\SysWOW64\Ldlimbcf.dll Kbqecg32.exe File opened for modification C:\Windows\SysWOW64\Cadhnmnm.exe Ccahbp32.exe File opened for modification C:\Windows\SysWOW64\Heglio32.exe Hakphqja.exe File created C:\Windows\SysWOW64\Gbdalp32.dll Nkpegi32.exe File created C:\Windows\SysWOW64\Anapbp32.dll Dnilobkm.exe File created C:\Windows\SysWOW64\Eicieohp.dll Jocflgga.exe File created C:\Windows\SysWOW64\Aimcgn32.dll Afdlhchf.exe File opened for modification C:\Windows\SysWOW64\Ikddbj32.exe Idklfpon.exe File opened for modification C:\Windows\SysWOW64\Nejiih32.exe Noqamn32.exe File created C:\Windows\SysWOW64\Qlkdkd32.exe Qimhoi32.exe File created C:\Windows\SysWOW64\Bjlqhoba.exe Bhndldcn.exe File created C:\Windows\SysWOW64\Ceaadk32.exe Cnkicn32.exe File created C:\Windows\SysWOW64\Bgfgbaoo.dll Fiihdlpc.exe File opened for modification C:\Windows\SysWOW64\Mkhofjoj.exe Mlfojn32.exe File created C:\Windows\SysWOW64\Eiehea32.dll Iqopea32.exe File created C:\Windows\SysWOW64\Miikgeea.dll Nhkbkc32.exe File created C:\Windows\SysWOW64\Pjenhm32.exe Pggbla32.exe File created C:\Windows\SysWOW64\Fenmdm32.exe Ffklhqao.exe File created C:\Windows\SysWOW64\Kgdjgo32.dll Niebhf32.exe File opened for modification C:\Windows\SysWOW64\Cbnbobin.exe Cckace32.exe File created C:\Windows\SysWOW64\Igkdgk32.exe Idmhkpml.exe File opened for modification C:\Windows\SysWOW64\Dpeekh32.exe Dliijipn.exe File opened for modification C:\Windows\SysWOW64\Febfomdd.exe Fagjnn32.exe File opened for modification C:\Windows\SysWOW64\Jjdmmdnh.exe Jfiale32.exe File created C:\Windows\SysWOW64\Mlfojn32.exe Melfncqb.exe File created C:\Windows\SysWOW64\Midahn32.dll Eeempocb.exe File created C:\Windows\SysWOW64\Imehcohk.dll Edpmjj32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpkbdiqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddagfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnnkng32.dll" Biamilfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bblogakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhijaf32.dll" Dhdcji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlljjjnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlnnp32.dll" Olmhdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oobjaqaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckafbbph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdniqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdooajdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcifgjgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcbellac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjljhjkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Niebhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjgia32.dll" Npagjpcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpefbknb.dll" Baqbenep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qedhdjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbcfadgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhjapjmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhdplq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klaoplan.dll" Jejhecaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpecfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmbdnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkpegi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maomqp32.dll" Cciemedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikhbnkpn.dll" Fbdjbaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgbebiao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcdooi32.dll" Fbdqmghm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbgbni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gedbdlbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddgkcd32.dll" Ddagfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofjfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fenmdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpncej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpejeihi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmamaoln.dll" Hojgfemq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jchhkjhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clphjpmh.dll" Facdeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bekkcljk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Behnnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdlblj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gejcjbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pamiog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edpmjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhooggdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omdneebf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjidgghp.dll" Dknekeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnippoha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djpmccqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoikeh32.dll" Gfmemc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkoplhip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pinfim32.dll" Ejbfhfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nejiih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enfenplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihjnom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmbiipml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nehmdhja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmccf32.dll" Idmhkpml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcdbbloa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljefkdjq.dll" Kaklpcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecmkghcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kblhgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhkbkc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1940 wrote to memory of 2900 1940 a1d43cc6da4407069093437a9d58bc632c2c08ab0ab0e38a6cb84d1c4e240acf.exe 28 PID 1940 wrote to memory of 2900 1940 a1d43cc6da4407069093437a9d58bc632c2c08ab0ab0e38a6cb84d1c4e240acf.exe 28 PID 1940 wrote to memory of 2900 1940 a1d43cc6da4407069093437a9d58bc632c2c08ab0ab0e38a6cb84d1c4e240acf.exe 28 PID 1940 wrote to memory of 2900 1940 a1d43cc6da4407069093437a9d58bc632c2c08ab0ab0e38a6cb84d1c4e240acf.exe 28 PID 2900 wrote to memory of 2096 2900 Naikkk32.exe 29 PID 2900 wrote to memory of 2096 2900 Naikkk32.exe 29 PID 2900 wrote to memory of 2096 2900 Naikkk32.exe 29 PID 2900 wrote to memory of 2096 2900 Naikkk32.exe 29 PID 2096 wrote to memory of 2652 2096 Ndgggf32.exe 30 PID 2096 wrote to memory of 2652 2096 Ndgggf32.exe 30 PID 2096 wrote to memory of 2652 2096 Ndgggf32.exe 30 PID 2096 wrote to memory of 2652 2096 Ndgggf32.exe 30 PID 2652 wrote to memory of 2848 2652 Nlblkhei.exe 31 PID 2652 wrote to memory of 2848 2652 Nlblkhei.exe 31 PID 2652 wrote to memory of 2848 2652 Nlblkhei.exe 31 PID 2652 wrote to memory of 2848 2652 Nlblkhei.exe 31 PID 2848 wrote to memory of 2772 2848 Ncmdhb32.exe 32 PID 2848 wrote to memory of 2772 2848 Ncmdhb32.exe 32 PID 2848 wrote to memory of 2772 2848 Ncmdhb32.exe 32 PID 2848 wrote to memory of 2772 2848 Ncmdhb32.exe 32 PID 2772 wrote to memory of 2448 2772 Nnbhek32.exe 33 PID 2772 wrote to memory of 2448 2772 Nnbhek32.exe 33 PID 2772 wrote to memory of 2448 2772 Nnbhek32.exe 33 PID 2772 wrote to memory of 2448 2772 Nnbhek32.exe 33 PID 2448 wrote to memory of 3012 2448 Nocemcbj.exe 34 PID 2448 wrote to memory of 3012 2448 Nocemcbj.exe 34 PID 2448 wrote to memory of 3012 2448 Nocemcbj.exe 34 PID 2448 wrote to memory of 3012 2448 Nocemcbj.exe 34 PID 3012 wrote to memory of 2516 3012 Ngkmnacm.exe 35 PID 3012 wrote to memory of 2516 3012 Ngkmnacm.exe 35 PID 3012 wrote to memory of 2516 3012 Ngkmnacm.exe 35 PID 3012 wrote to memory of 2516 3012 Ngkmnacm.exe 35 PID 2516 wrote to memory of 2752 2516 Nlgefh32.exe 36 PID 2516 wrote to memory of 2752 2516 Nlgefh32.exe 36 PID 2516 wrote to memory of 2752 2516 Nlgefh32.exe 36 PID 2516 wrote to memory of 2752 2516 Nlgefh32.exe 36 PID 2752 wrote to memory of 1384 2752 Nbdnoo32.exe 37 PID 2752 wrote to memory of 1384 2752 Nbdnoo32.exe 37 PID 2752 wrote to memory of 1384 2752 Nbdnoo32.exe 37 PID 2752 wrote to memory of 1384 2752 Nbdnoo32.exe 37 PID 1384 wrote to memory of 1872 1384 Nmjblg32.exe 38 PID 1384 wrote to memory of 1872 1384 Nmjblg32.exe 38 PID 1384 wrote to memory of 1872 1384 Nmjblg32.exe 38 PID 1384 wrote to memory of 1872 1384 Nmjblg32.exe 38 PID 1872 wrote to memory of 1028 1872 Nccjhafn.exe 39 PID 1872 wrote to memory of 1028 1872 Nccjhafn.exe 39 PID 1872 wrote to memory of 1028 1872 Nccjhafn.exe 39 PID 1872 wrote to memory of 1028 1872 Nccjhafn.exe 39 PID 1028 wrote to memory of 1132 1028 Ohqbqhde.exe 40 PID 1028 wrote to memory of 1132 1028 Ohqbqhde.exe 40 PID 1028 wrote to memory of 1132 1028 Ohqbqhde.exe 40 PID 1028 wrote to memory of 1132 1028 Ohqbqhde.exe 40 PID 1132 wrote to memory of 2544 1132 Okoomd32.exe 41 PID 1132 wrote to memory of 2544 1132 Okoomd32.exe 41 PID 1132 wrote to memory of 2544 1132 Okoomd32.exe 41 PID 1132 wrote to memory of 2544 1132 Okoomd32.exe 41 PID 2544 wrote to memory of 2428 2544 Oojknblb.exe 42 PID 2544 wrote to memory of 2428 2544 Oojknblb.exe 42 PID 2544 wrote to memory of 2428 2544 Oojknblb.exe 42 PID 2544 wrote to memory of 2428 2544 Oojknblb.exe 42 PID 2428 wrote to memory of 1628 2428 Oicpfh32.exe 43 PID 2428 wrote to memory of 1628 2428 Oicpfh32.exe 43 PID 2428 wrote to memory of 1628 2428 Oicpfh32.exe 43 PID 2428 wrote to memory of 1628 2428 Oicpfh32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1d43cc6da4407069093437a9d58bc632c2c08ab0ab0e38a6cb84d1c4e240acf.exe"C:\Users\Admin\AppData\Local\Temp\a1d43cc6da4407069093437a9d58bc632c2c08ab0ab0e38a6cb84d1c4e240acf.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1628 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1168 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1104 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1184 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2008 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:892 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2592 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2480 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2512 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe33⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe34⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe35⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe36⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe37⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe38⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe39⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe40⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe41⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe42⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe43⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe44⤵
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe45⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe46⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe47⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe50⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe51⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe52⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2800 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe54⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe55⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe56⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe58⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe59⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe60⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe62⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe63⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe64⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe65⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe66⤵
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe67⤵PID:1976
-
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe68⤵PID:1804
-
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe69⤵PID:696
-
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe70⤵PID:2268
-
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe71⤵PID:2908
-
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe72⤵PID:2952
-
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe73⤵PID:2632
-
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe74⤵PID:2104
-
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe75⤵PID:2716
-
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe76⤵PID:2368
-
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe77⤵PID:2944
-
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe78⤵PID:2860
-
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe79⤵PID:2820
-
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2360 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe81⤵PID:1924
-
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe82⤵
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe83⤵PID:2080
-
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe84⤵
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe85⤵PID:1484
-
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe86⤵
- Modifies registry class
PID:1136 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe87⤵
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe88⤵PID:2228
-
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe89⤵PID:2340
-
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe90⤵PID:1364
-
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe91⤵PID:1660
-
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe92⤵PID:2732
-
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe93⤵PID:2460
-
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe95⤵PID:2636
-
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe96⤵PID:1768
-
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe97⤵PID:1664
-
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe98⤵PID:2024
-
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe99⤵PID:2868
-
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe100⤵
- Drops file in System32 directory
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe101⤵
- Drops file in System32 directory
PID:1808 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe102⤵PID:1564
-
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe103⤵
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe104⤵PID:2888
-
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2576 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe106⤵PID:2836
-
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe107⤵PID:2032
-
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe108⤵PID:1412
-
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe109⤵PID:1064
-
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe110⤵PID:2548
-
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe111⤵PID:2508
-
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1460 -
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe113⤵
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe114⤵PID:2072
-
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe115⤵PID:1780
-
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe116⤵
- Drops file in System32 directory
PID:960 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe117⤵PID:1572
-
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe118⤵PID:2452
-
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe119⤵
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2788 -
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe121⤵PID:2780
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-