Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
02-05-2024 04:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
de60a80b2fa41d660c689f42b5ea41e0ac51fa87bc91f44621d823a08b9f908b.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
de60a80b2fa41d660c689f42b5ea41e0ac51fa87bc91f44621d823a08b9f908b.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
de60a80b2fa41d660c689f42b5ea41e0ac51fa87bc91f44621d823a08b9f908b.exe
-
Size
94KB
-
MD5
854681db113d19608e7c66aa8e7b8dc7
-
SHA1
a0739a7242c6bf5ff868f2c151f3e49e0282163b
-
SHA256
de60a80b2fa41d660c689f42b5ea41e0ac51fa87bc91f44621d823a08b9f908b
-
SHA512
e630b543e9391aed61a6ac01f2ad0437da43b464db9f166f11dfd3a5cbe43d54ae90df26bfd5a729f85c6da803e3884a1a25e36f5d2cafb302e5fad38fcf07d1
-
SSDEEP
1536:+1mcoADg2l9wbmAUMsx7TvzPbET1d1kiTl62L+aIZTJ+7LhkiB0MPiKeEAgv:+kcod2EbmLxLPbEJd1kiTlH+aMU7uihX
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iccbqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Albjlcao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anojbobe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cldooj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkqbaecc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmebnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkiogn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nialog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgmalg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mencccop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgilchkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgdmmgpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqpgol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gikaio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keednado.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnigda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jghmfhmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihankokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffbicfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jonplmcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lafndg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlkepi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojieip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhkpmjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igonafba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhjbjopf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onbddoog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llfifq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piphee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doehqead.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eplkpgnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhjapjmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfgngh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cobbhfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofmbnkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baakhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdlhjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjqccigf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpmapm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abjebn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hobcak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bidjnkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcagpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahokfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ichllgfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffpmnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnkicn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kihqkagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eflgccbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfamcogo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enakbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgagfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbpjiphi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bebkpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miooigfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpgljfbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gohjaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iheddndj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oghopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nghphaeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfegbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlphkb32.exe -
Executes dropped EXE 64 IoCs
pid Process 1752 Mdejaf32.exe 2564 Mkobnqan.exe 2608 Naikkk32.exe 2756 Ncjgbcoi.exe 2056 Nnplpl32.exe 2528 Nlblkhei.exe 2600 Ncmdhb32.exe 2476 Nghphaeo.exe 2468 Nqqdag32.exe 1756 Ncoamb32.exe 936 Nfmmin32.exe 1896 Nofabc32.exe 2940 Nbdnoo32.exe 2328 Nmjblg32.exe 2104 Nkmbgdfl.exe 1324 Omloag32.exe 2364 Obigjnkf.exe 828 Ofdcjm32.exe 2896 Ogfpbeim.exe 908 Oomhcbjp.exe 2112 Oqndkj32.exe 1380 Oghlgdgk.exe 1744 Ojficpfn.exe 2084 Onbddoog.exe 1596 Oelmai32.exe 1080 Ojieip32.exe 2680 Ondajnme.exe 2884 Ojkboo32.exe 2868 Paejki32.exe 2760 Pphjgfqq.exe 2544 Pfbccp32.exe 1712 Pjmodopf.exe 1724 Pbiciana.exe 1760 Pfdpip32.exe 2456 Piblek32.exe 2816 Ppmdbe32.exe 1648 Pbkpna32.exe 1628 Peiljl32.exe 2296 Piehkkcl.exe 324 Pmqdkj32.exe 2312 Plcdgfbo.exe 704 Pnbacbac.exe 2836 Pfiidobe.exe 2880 Pelipl32.exe 980 Phjelg32.exe 560 Ppamme32.exe 2164 Pndniaop.exe 1512 Pbpjiphi.exe 2400 Penfelgm.exe 2388 Qhmbagfa.exe 2396 Qnfjna32.exe 2588 Qbbfopeg.exe 2640 Qeqbkkej.exe 2792 Qdccfh32.exe 2100 Qljkhe32.exe 2960 Qjmkcbcb.exe 1996 Qnigda32.exe 1580 Qagcpljo.exe 2832 Qecoqk32.exe 1736 Adeplhib.exe 1904 Afdlhchf.exe 2316 Ajphib32.exe 2132 Ankdiqih.exe 584 Amndem32.exe -
Loads dropped DLL 64 IoCs
pid Process 2012 de60a80b2fa41d660c689f42b5ea41e0ac51fa87bc91f44621d823a08b9f908b.exe 2012 de60a80b2fa41d660c689f42b5ea41e0ac51fa87bc91f44621d823a08b9f908b.exe 1752 Mdejaf32.exe 1752 Mdejaf32.exe 2564 Mkobnqan.exe 2564 Mkobnqan.exe 2608 Naikkk32.exe 2608 Naikkk32.exe 2756 Ncjgbcoi.exe 2756 Ncjgbcoi.exe 2056 Nnplpl32.exe 2056 Nnplpl32.exe 2528 Nlblkhei.exe 2528 Nlblkhei.exe 2600 Ncmdhb32.exe 2600 Ncmdhb32.exe 2476 Nghphaeo.exe 2476 Nghphaeo.exe 2468 Nqqdag32.exe 2468 Nqqdag32.exe 1756 Ncoamb32.exe 1756 Ncoamb32.exe 936 Nfmmin32.exe 936 Nfmmin32.exe 1896 Nofabc32.exe 1896 Nofabc32.exe 2940 Nbdnoo32.exe 2940 Nbdnoo32.exe 2328 Nmjblg32.exe 2328 Nmjblg32.exe 2104 Nkmbgdfl.exe 2104 Nkmbgdfl.exe 1324 Omloag32.exe 1324 Omloag32.exe 2364 Obigjnkf.exe 2364 Obigjnkf.exe 828 Ofdcjm32.exe 828 Ofdcjm32.exe 2896 Ogfpbeim.exe 2896 Ogfpbeim.exe 908 Oomhcbjp.exe 908 Oomhcbjp.exe 2112 Oqndkj32.exe 2112 Oqndkj32.exe 1380 Oghlgdgk.exe 1380 Oghlgdgk.exe 1744 Ojficpfn.exe 1744 Ojficpfn.exe 2084 Onbddoog.exe 2084 Onbddoog.exe 1596 Oelmai32.exe 1596 Oelmai32.exe 1080 Ojieip32.exe 1080 Ojieip32.exe 2680 Ondajnme.exe 2680 Ondajnme.exe 2884 Ojkboo32.exe 2884 Ojkboo32.exe 2868 Paejki32.exe 2868 Paejki32.exe 2760 Pphjgfqq.exe 2760 Pphjgfqq.exe 2544 Pfbccp32.exe 2544 Pfbccp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fnfamcoj.exe Fpcqaf32.exe File created C:\Windows\SysWOW64\Fhneehek.exe Fhneehek.exe File created C:\Windows\SysWOW64\Mhdffl32.dll Jjdmmdnh.exe File opened for modification C:\Windows\SysWOW64\Pbpjiphi.exe Pndniaop.exe File opened for modification C:\Windows\SysWOW64\Lahkigca.exe Lbeknj32.exe File opened for modification C:\Windows\SysWOW64\Ilcbjpbn.dll Bfadgq32.exe File opened for modification C:\Windows\SysWOW64\Boqbfb32.exe Bpnbkeld.exe File created C:\Windows\SysWOW64\Ejmmiihp.dll Cnmehnan.exe File opened for modification C:\Windows\SysWOW64\Mkmhaj32.exe Mholen32.exe File created C:\Windows\SysWOW64\Pnalpimd.dll Oeeecekc.exe File created C:\Windows\SysWOW64\Dkhcmgnl.exe Dhjgal32.exe File created C:\Windows\SysWOW64\Bllbijej.dll Amkpegnj.exe File created C:\Windows\SysWOW64\Npojdpef.exe Nmpnhdfc.exe File opened for modification C:\Windows\SysWOW64\Apoooa32.exe Aaloddnn.exe File created C:\Windows\SysWOW64\Lafcif32.dll Ilcmjl32.exe File opened for modification C:\Windows\SysWOW64\Nbdnoo32.exe Nofabc32.exe File created C:\Windows\SysWOW64\Flmefm32.exe Fmjejphb.exe File created C:\Windows\SysWOW64\Limilm32.dll Kcfkfo32.exe File opened for modification C:\Windows\SysWOW64\Hpbiommg.exe Hapicp32.exe File created C:\Windows\SysWOW64\Qnfjna32.exe Qhmbagfa.exe File opened for modification C:\Windows\SysWOW64\Pedleg32.exe Pqhpdhcc.exe File created C:\Windows\SysWOW64\Lkmkpl32.dll Eqgnokip.exe File opened for modification C:\Windows\SysWOW64\Kocbkk32.exe Kmefooki.exe File opened for modification C:\Windows\SysWOW64\Mkobnqan.exe Mdejaf32.exe File created C:\Windows\SysWOW64\Bnpmlfkm.dll Eecqjpee.exe File created C:\Windows\SysWOW64\Kfbkmk32.exe Kcdnao32.exe File created C:\Windows\SysWOW64\Lflmci32.exe Lbqabkql.exe File created C:\Windows\SysWOW64\Jchhkjhn.exe Jdehon32.exe File created C:\Windows\SysWOW64\Pihgic32.exe Pfikmh32.exe File created C:\Windows\SysWOW64\Djihnh32.dll Pflomnkb.exe File opened for modification C:\Windows\SysWOW64\Abhimnma.exe Anlmmp32.exe File created C:\Windows\SysWOW64\Gffoldhp.exe Gdgcpi32.exe File created C:\Windows\SysWOW64\Nmfmhhoj.dll Ihjnom32.exe File opened for modification C:\Windows\SysWOW64\Lcojjmea.exe Leljop32.exe File opened for modification C:\Windows\SysWOW64\Bfpnmj32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cbnbobin.exe Copfbfjj.exe File created C:\Windows\SysWOW64\Ofmbnkhg.exe Obafnlpn.exe File created C:\Windows\SysWOW64\Ijbdha32.exe Iefhhbef.exe File opened for modification C:\Windows\SysWOW64\Ddigjkid.exe Dfffnn32.exe File opened for modification C:\Windows\SysWOW64\Kbbngf32.exe Kocbkk32.exe File created C:\Windows\SysWOW64\Bmnbjfam.dll Process not Found File created C:\Windows\SysWOW64\Jolfcj32.dll Apajlhka.exe File opened for modification C:\Windows\SysWOW64\Ghfbqn32.exe Gicbeald.exe File created C:\Windows\SysWOW64\Jkjfah32.exe Jgojpjem.exe File created C:\Windows\SysWOW64\Peiljl32.exe Pbkpna32.exe File created C:\Windows\SysWOW64\Ndkmpe32.exe Namqci32.exe File created C:\Windows\SysWOW64\Nbfphc32.dll Fcjcfe32.exe File opened for modification C:\Windows\SysWOW64\Ldahol32.dll Gejcjbah.exe File created C:\Windows\SysWOW64\Hkkalk32.exe Hlhaqogk.exe File opened for modification C:\Windows\SysWOW64\Kmopod32.exe Kiccofna.exe File opened for modification C:\Windows\SysWOW64\Nkmbgdfl.exe Nmjblg32.exe File opened for modification C:\Windows\SysWOW64\Dgjclbdi.exe Ccngld32.exe File created C:\Windows\SysWOW64\Afkdakjb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pjmodopf.exe Pfbccp32.exe File created C:\Windows\SysWOW64\Bnpmipql.exe Bommnc32.exe File created C:\Windows\SysWOW64\Cpjiajeb.exe Clomqk32.exe File created C:\Windows\SysWOW64\Bfenbpec.exe Bbjbaa32.exe File created C:\Windows\SysWOW64\Hpdcdhpk.dll Bhahlj32.exe File created C:\Windows\SysWOW64\Lonkjenl.dll Eajaoq32.exe File opened for modification C:\Windows\SysWOW64\Fbgmbg32.exe Fphafl32.exe File created C:\Windows\SysWOW64\Alegac32.exe Ahikqd32.exe File created C:\Windows\SysWOW64\Lednakhd.dll Dkcofe32.exe File created C:\Windows\SysWOW64\Cciemedf.exe Cpjiajeb.exe File opened for modification C:\Windows\SysWOW64\Gaemjbcg.exe Gmjaic32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10136 8816 Process not Found 1106 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meagci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmolnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoogfn32.dll" Effcma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjakmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqmcpahh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlfojn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajbdna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Andkhh32.dll" Aigaon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdlblj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lflmci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojebabb.dll" Alnqqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ancjqghh.dll" Kkolkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onmdoioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inifnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdpndnei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfbccp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll" Hcifgjgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqpgol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gffoldhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbcfadgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdebncjd.dll" Iefhhbef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node de60a80b2fa41d660c689f42b5ea41e0ac51fa87bc91f44621d823a08b9f908b.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mamddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojfaijcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Napoohch.dll" Achojp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djnpnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lemaif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpnbkeld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiekid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnhlblil.dll" Ofelmloo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmlko32.dll" Hoopae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oghopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ioijbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qdccfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll" Hhjhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmmcjehm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qeqbkkej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mencccop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjbjhgde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpjhkjde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knjbnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbbcbk32.dll" Iimjmbae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjlgiqbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeoliecf.dll" Jfekcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppbfpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchkpi32.dll" Ekhhadmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blpjegfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iifjjk32.dll" Dogefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnajilng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npojdpef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpmbc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhghcb32.dll" Fcefji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kincipnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfgdhjmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhiffc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkgbbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Haiccald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajdadamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlbjhf32.dll" Llkbap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nolhan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojfaijcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cojema32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iheddndj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2012 wrote to memory of 1752 2012 de60a80b2fa41d660c689f42b5ea41e0ac51fa87bc91f44621d823a08b9f908b.exe 28 PID 2012 wrote to memory of 1752 2012 de60a80b2fa41d660c689f42b5ea41e0ac51fa87bc91f44621d823a08b9f908b.exe 28 PID 2012 wrote to memory of 1752 2012 de60a80b2fa41d660c689f42b5ea41e0ac51fa87bc91f44621d823a08b9f908b.exe 28 PID 2012 wrote to memory of 1752 2012 de60a80b2fa41d660c689f42b5ea41e0ac51fa87bc91f44621d823a08b9f908b.exe 28 PID 1752 wrote to memory of 2564 1752 Mdejaf32.exe 29 PID 1752 wrote to memory of 2564 1752 Mdejaf32.exe 29 PID 1752 wrote to memory of 2564 1752 Mdejaf32.exe 29 PID 1752 wrote to memory of 2564 1752 Mdejaf32.exe 29 PID 2564 wrote to memory of 2608 2564 Mkobnqan.exe 30 PID 2564 wrote to memory of 2608 2564 Mkobnqan.exe 30 PID 2564 wrote to memory of 2608 2564 Mkobnqan.exe 30 PID 2564 wrote to memory of 2608 2564 Mkobnqan.exe 30 PID 2608 wrote to memory of 2756 2608 Naikkk32.exe 31 PID 2608 wrote to memory of 2756 2608 Naikkk32.exe 31 PID 2608 wrote to memory of 2756 2608 Naikkk32.exe 31 PID 2608 wrote to memory of 2756 2608 Naikkk32.exe 31 PID 2756 wrote to memory of 2056 2756 Ncjgbcoi.exe 32 PID 2756 wrote to memory of 2056 2756 Ncjgbcoi.exe 32 PID 2756 wrote to memory of 2056 2756 Ncjgbcoi.exe 32 PID 2756 wrote to memory of 2056 2756 Ncjgbcoi.exe 32 PID 2056 wrote to memory of 2528 2056 Nnplpl32.exe 33 PID 2056 wrote to memory of 2528 2056 Nnplpl32.exe 33 PID 2056 wrote to memory of 2528 2056 Nnplpl32.exe 33 PID 2056 wrote to memory of 2528 2056 Nnplpl32.exe 33 PID 2528 wrote to memory of 2600 2528 Nlblkhei.exe 34 PID 2528 wrote to memory of 2600 2528 Nlblkhei.exe 34 PID 2528 wrote to memory of 2600 2528 Nlblkhei.exe 34 PID 2528 wrote to memory of 2600 2528 Nlblkhei.exe 34 PID 2600 wrote to memory of 2476 2600 Ncmdhb32.exe 35 PID 2600 wrote to memory of 2476 2600 Ncmdhb32.exe 35 PID 2600 wrote to memory of 2476 2600 Ncmdhb32.exe 35 PID 2600 wrote to memory of 2476 2600 Ncmdhb32.exe 35 PID 2476 wrote to memory of 2468 2476 Nghphaeo.exe 36 PID 2476 wrote to memory of 2468 2476 Nghphaeo.exe 36 PID 2476 wrote to memory of 2468 2476 Nghphaeo.exe 36 PID 2476 wrote to memory of 2468 2476 Nghphaeo.exe 36 PID 2468 wrote to memory of 1756 2468 Nqqdag32.exe 37 PID 2468 wrote to memory of 1756 2468 Nqqdag32.exe 37 PID 2468 wrote to memory of 1756 2468 Nqqdag32.exe 37 PID 2468 wrote to memory of 1756 2468 Nqqdag32.exe 37 PID 1756 wrote to memory of 936 1756 Ncoamb32.exe 38 PID 1756 wrote to memory of 936 1756 Ncoamb32.exe 38 PID 1756 wrote to memory of 936 1756 Ncoamb32.exe 38 PID 1756 wrote to memory of 936 1756 Ncoamb32.exe 38 PID 936 wrote to memory of 1896 936 Nfmmin32.exe 39 PID 936 wrote to memory of 1896 936 Nfmmin32.exe 39 PID 936 wrote to memory of 1896 936 Nfmmin32.exe 39 PID 936 wrote to memory of 1896 936 Nfmmin32.exe 39 PID 1896 wrote to memory of 2940 1896 Nofabc32.exe 40 PID 1896 wrote to memory of 2940 1896 Nofabc32.exe 40 PID 1896 wrote to memory of 2940 1896 Nofabc32.exe 40 PID 1896 wrote to memory of 2940 1896 Nofabc32.exe 40 PID 2940 wrote to memory of 2328 2940 Nbdnoo32.exe 41 PID 2940 wrote to memory of 2328 2940 Nbdnoo32.exe 41 PID 2940 wrote to memory of 2328 2940 Nbdnoo32.exe 41 PID 2940 wrote to memory of 2328 2940 Nbdnoo32.exe 41 PID 2328 wrote to memory of 2104 2328 Nmjblg32.exe 42 PID 2328 wrote to memory of 2104 2328 Nmjblg32.exe 42 PID 2328 wrote to memory of 2104 2328 Nmjblg32.exe 42 PID 2328 wrote to memory of 2104 2328 Nmjblg32.exe 42 PID 2104 wrote to memory of 1324 2104 Nkmbgdfl.exe 43 PID 2104 wrote to memory of 1324 2104 Nkmbgdfl.exe 43 PID 2104 wrote to memory of 1324 2104 Nkmbgdfl.exe 43 PID 2104 wrote to memory of 1324 2104 Nkmbgdfl.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\de60a80b2fa41d660c689f42b5ea41e0ac51fa87bc91f44621d823a08b9f908b.exe"C:\Users\Admin\AppData\Local\Temp\de60a80b2fa41d660c689f42b5ea41e0ac51fa87bc91f44621d823a08b9f908b.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1324 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2364 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:828 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:908 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2112 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1380 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1744 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2084 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1080 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe33⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe34⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe35⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe36⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe37⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1648 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe39⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe40⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe41⤵
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe42⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe43⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe44⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe45⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe46⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe47⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2164 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe50⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe52⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe53⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe56⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe57⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe59⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe60⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe61⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe62⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe63⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe64⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe65⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe66⤵PID:640
-
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe67⤵PID:2664
-
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe68⤵PID:2892
-
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe69⤵
- Modifies registry class
PID:1120 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe70⤵PID:3048
-
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe71⤵PID:2436
-
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe72⤵PID:2016
-
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe73⤵PID:760
-
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe74⤵PID:1468
-
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe75⤵
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe76⤵
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe77⤵PID:2716
-
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe78⤵PID:2652
-
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe79⤵
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe80⤵PID:1680
-
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe81⤵PID:1888
-
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe82⤵PID:2540
-
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe83⤵PID:1536
-
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe84⤵PID:1560
-
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe85⤵PID:864
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe86⤵PID:1336
-
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe87⤵PID:1328
-
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe88⤵PID:3036
-
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1476 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe90⤵PID:1952
-
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe91⤵PID:1184
-
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe92⤵PID:380
-
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2008 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe94⤵PID:2060
-
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe95⤵
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe96⤵PID:2800
-
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe97⤵PID:2764
-
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe98⤵PID:2824
-
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe99⤵PID:2796
-
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe100⤵PID:1776
-
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe101⤵PID:1612
-
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe102⤵PID:1884
-
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe103⤵PID:764
-
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe104⤵PID:2340
-
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe105⤵PID:1056
-
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe106⤵
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe107⤵PID:2032
-
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe108⤵PID:2212
-
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe109⤵PID:2848
-
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe110⤵PID:2488
-
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe111⤵PID:2244
-
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe112⤵PID:2480
-
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe113⤵PID:840
-
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe114⤵
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe115⤵PID:1900
-
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe116⤵PID:1224
-
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe117⤵PID:1020
-
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe118⤵PID:2160
-
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe119⤵PID:1144
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe120⤵PID:2304
-
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe121⤵PID:1600
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-