Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
01/06/2024, 20:51 UTC
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
45dc53bcb6c92dd14662c2ced6741dd4a2a762f530a1124271cf690246fe3006.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
45dc53bcb6c92dd14662c2ced6741dd4a2a762f530a1124271cf690246fe3006.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
45dc53bcb6c92dd14662c2ced6741dd4a2a762f530a1124271cf690246fe3006.exe
-
Size
96KB
-
MD5
a250a47bf693e0bacce0794ae8c9ef52
-
SHA1
4d3e71036c2f6d959b2cecf49673345d4acd2a43
-
SHA256
45dc53bcb6c92dd14662c2ced6741dd4a2a762f530a1124271cf690246fe3006
-
SHA512
bb4732c39f0bbe7564fa37e20c9503531f4e91d59faee7b165d35b2e0df368e61ab7b1152af84b3e4cbec420a31abae3a94b1e42a3e48740bca031dfdbe31627
-
SSDEEP
1536:51SQjay/5v+Rfn8rZz5uDNp4q2Lk1GPXuhiTMuZXGTIVefVDkryyAyqX:ijE5yUrZz5043aGPXuhuXGQmVDeCyqX
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnbhek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abmibdlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpafkknm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcdbbloa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlbeqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amfcikek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnlidb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiomkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Limfed32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfflopdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfiidobe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gphmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lihmjejl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajejgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhndldcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjndop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpkofpgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lahkigca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miooigfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndbcpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijgdngmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onmdoioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifcbodli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdbhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emieil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omloag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiaeoang.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlakpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lemaif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ednpej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baildokg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beehencq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioijbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfgdhjmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbfabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dglpbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djnpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mppepcfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odobjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pggbla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aadloj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abpfhcje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jejhecaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbeknj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pamiog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieqeidnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocnfbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biamilfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfmmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjmodopf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plcdgfbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgbdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enkece32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekelld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boiccdnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbgbni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mamddf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nncahjgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehgppi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qeqbkkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbcnhjnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohfeog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmkmdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehgppi32.exe -
Executes dropped EXE 64 IoCs
pid Process 2228 Magnek32.exe 2528 Mhqfbebj.exe 2340 Nnnojlpa.exe 2544 Nplkfgoe.exe 2496 Ncjgbcoi.exe 2460 Nnplpl32.exe 2868 Ndjdlffl.exe 848 Nfkpdn32.exe 2672 Nnbhek32.exe 1548 Nqqdag32.exe 2148 Nfmmin32.exe 376 Nlgefh32.exe 1132 Ncancbha.exe 2744 Nfpjomgd.exe 1924 Nmjblg32.exe 1616 Nccjhafn.exe 1404 Odegpj32.exe 1780 Omloag32.exe 644 Onmkio32.exe 2908 Odgcfijj.exe 808 Okalbc32.exe 1980 Onphoo32.exe 2216 Oghlgdgk.exe 2996 Okchhc32.exe 900 Oelmai32.exe 1852 Ogjimd32.exe 1524 Omgaek32.exe 2600 Oenifh32.exe 2508 Ofpfnqjp.exe 2476 Pminkk32.exe 2900 Pphjgfqq.exe 2860 Pjmodopf.exe 2432 Pipopl32.exe 1276 Ppjglfon.exe 852 Pbiciana.exe 772 Pmnhfjmg.exe 1512 Pfflopdh.exe 2152 Piehkkcl.exe 2136 Plcdgfbo.exe 2732 Pfiidobe.exe 3032 Pigeqkai.exe 696 Pbpjiphi.exe 584 Qnfjna32.exe 1724 Qbbfopeg.exe 2020 Qeqbkkej.exe 2796 Qhooggdn.exe 1704 Qljkhe32.exe 2920 Qnigda32.exe 1180 Qmlgonbe.exe 1740 Qecoqk32.exe 2840 Ahakmf32.exe 2664 Ajphib32.exe 2780 Ankdiqih.exe 2636 Aajpelhl.exe 2520 Aplpai32.exe 2628 Ahchbf32.exe 2384 Ajbdna32.exe 2364 Aalmklfi.exe 2164 Apomfh32.exe 1016 Abmibdlh.exe 2320 Ajdadamj.exe 2036 Alenki32.exe 2028 Apajlhka.exe 1836 Abpfhcje.exe -
Loads dropped DLL 64 IoCs
pid Process 2084 45dc53bcb6c92dd14662c2ced6741dd4a2a762f530a1124271cf690246fe3006.exe 2084 45dc53bcb6c92dd14662c2ced6741dd4a2a762f530a1124271cf690246fe3006.exe 2228 Magnek32.exe 2228 Magnek32.exe 2528 Mhqfbebj.exe 2528 Mhqfbebj.exe 2340 Nnnojlpa.exe 2340 Nnnojlpa.exe 2544 Nplkfgoe.exe 2544 Nplkfgoe.exe 2496 Ncjgbcoi.exe 2496 Ncjgbcoi.exe 2460 Nnplpl32.exe 2460 Nnplpl32.exe 2868 Ndjdlffl.exe 2868 Ndjdlffl.exe 848 Nfkpdn32.exe 848 Nfkpdn32.exe 2672 Nnbhek32.exe 2672 Nnbhek32.exe 1548 Nqqdag32.exe 1548 Nqqdag32.exe 2148 Nfmmin32.exe 2148 Nfmmin32.exe 376 Nlgefh32.exe 376 Nlgefh32.exe 1132 Ncancbha.exe 1132 Ncancbha.exe 2744 Nfpjomgd.exe 2744 Nfpjomgd.exe 1924 Nmjblg32.exe 1924 Nmjblg32.exe 1616 Nccjhafn.exe 1616 Nccjhafn.exe 1404 Odegpj32.exe 1404 Odegpj32.exe 1780 Omloag32.exe 1780 Omloag32.exe 644 Onmkio32.exe 644 Onmkio32.exe 2908 Odgcfijj.exe 2908 Odgcfijj.exe 808 Okalbc32.exe 808 Okalbc32.exe 1980 Onphoo32.exe 1980 Onphoo32.exe 2216 Oghlgdgk.exe 2216 Oghlgdgk.exe 2996 Okchhc32.exe 2996 Okchhc32.exe 900 Oelmai32.exe 900 Oelmai32.exe 1852 Ogjimd32.exe 1852 Ogjimd32.exe 1524 Omgaek32.exe 1524 Omgaek32.exe 2600 Oenifh32.exe 2600 Oenifh32.exe 2508 Ofpfnqjp.exe 2508 Ofpfnqjp.exe 2476 Pminkk32.exe 2476 Pminkk32.exe 2900 Pphjgfqq.exe 2900 Pphjgfqq.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gicbeald.exe Gegfdb32.exe File created C:\Windows\SysWOW64\Pipopl32.exe Pjmodopf.exe File opened for modification C:\Windows\SysWOW64\Ihoafpmp.exe Ieqeidnl.exe File created C:\Windows\SysWOW64\Ecdjal32.dll Dogefd32.exe File opened for modification C:\Windows\SysWOW64\Kijbioba.dll Dglpbbbg.exe File opened for modification C:\Windows\SysWOW64\Chemfl32.exe Cfgaiaci.exe File created C:\Windows\SysWOW64\Djpmccqq.exe Dcfdgiid.exe File created C:\Windows\SysWOW64\Hcplhi32.exe Hpapln32.exe File created C:\Windows\SysWOW64\Objbcm32.dll Pjadmnic.exe File created C:\Windows\SysWOW64\Pdfdcg32.dll Bebkpn32.exe File opened for modification C:\Windows\SysWOW64\Hcifgjgc.exe Hpkjko32.exe File created C:\Windows\SysWOW64\Jejhecaj.exe Jbllihbf.exe File created C:\Windows\SysWOW64\Cdikkg32.exe Caknol32.exe File created C:\Windows\SysWOW64\Jkdpanhg.exe Jifdebic.exe File created C:\Windows\SysWOW64\Aenbdoii.exe Abpfhcje.exe File created C:\Windows\SysWOW64\Bpafkknm.exe Banepo32.exe File created C:\Windows\SysWOW64\Jmhmpb32.exe Jjjacf32.exe File created C:\Windows\SysWOW64\Glaoalkh.exe Gicbeald.exe File created C:\Windows\SysWOW64\Pogclp32.exe Pgplkb32.exe File created C:\Windows\SysWOW64\Fjaonpnn.exe Ebjglbml.exe File created C:\Windows\SysWOW64\Gljilnja.dll Pciifc32.exe File created C:\Windows\SysWOW64\Hgeadcbc.dll Ankdiqih.exe File created C:\Windows\SysWOW64\Dgdmmgpj.exe Dchali32.exe File created C:\Windows\SysWOW64\Kafbec32.exe Kngfih32.exe File opened for modification C:\Windows\SysWOW64\Fphafl32.exe Flmefm32.exe File created C:\Windows\SysWOW64\Hlhaqogk.exe Hhmepp32.exe File created C:\Windows\SysWOW64\Cgmkmecg.exe Bdooajdc.exe File opened for modification C:\Windows\SysWOW64\Cllpkl32.exe Cjndop32.exe File created C:\Windows\SysWOW64\Kgcampld.dll Eeqdep32.exe File created C:\Windows\SysWOW64\Nnnojlpa.exe Mhqfbebj.exe File created C:\Windows\SysWOW64\Flmefm32.exe Fmjejphb.exe File opened for modification C:\Windows\SysWOW64\Jmhmpb32.exe Jjjacf32.exe File created C:\Windows\SysWOW64\Qfokbnip.exe Qcpofbjl.exe File opened for modification C:\Windows\SysWOW64\Ahakmf32.exe Qecoqk32.exe File created C:\Windows\SysWOW64\Aalmklfi.exe Ajbdna32.exe File created C:\Windows\SysWOW64\Pkjapnke.dll Dodonf32.exe File created C:\Windows\SysWOW64\Jmmjdk32.dll Gaemjbcg.exe File created C:\Windows\SysWOW64\Jjojofgn.exe Jbgbni32.exe File created C:\Windows\SysWOW64\Amkpegnj.exe Aipddi32.exe File created C:\Windows\SysWOW64\Cdcfgc32.dll Aalmklfi.exe File created C:\Windows\SysWOW64\Pknmbn32.dll Apajlhka.exe File opened for modification C:\Windows\SysWOW64\Gonnhhln.exe Globlmmj.exe File created C:\Windows\SysWOW64\Dodonf32.exe Dkhcmgnl.exe File created C:\Windows\SysWOW64\Pflomnkb.exe Pmdjdh32.exe File opened for modification C:\Windows\SysWOW64\Aefeijle.exe Afcenm32.exe File created C:\Windows\SysWOW64\Lliflp32.exe Lijjoe32.exe File created C:\Windows\SysWOW64\Mpbaebdd.exe Mmceigep.exe File created C:\Windows\SysWOW64\Bfcampgf.exe Bpiipf32.exe File opened for modification C:\Windows\SysWOW64\Dfamcogo.exe Dbfabp32.exe File created C:\Windows\SysWOW64\Okalbc32.exe Odgcfijj.exe File opened for modification C:\Windows\SysWOW64\Pipopl32.exe Pjmodopf.exe File opened for modification C:\Windows\SysWOW64\Goddhg32.exe Glfhll32.exe File opened for modification C:\Windows\SysWOW64\Hpocfncj.exe Hiekid32.exe File created C:\Windows\SysWOW64\Pfoocjfd.exe Onhgbmfb.exe File opened for modification C:\Windows\SysWOW64\Dglpbbbg.exe Doehqead.exe File created C:\Windows\SysWOW64\Alqkcl32.dll Nfkpdn32.exe File created C:\Windows\SysWOW64\Cciemedf.exe Cpjiajeb.exe File created C:\Windows\SysWOW64\Gaemjbcg.exe Gogangdc.exe File created C:\Windows\SysWOW64\Hllopfgo.dll Gkkemh32.exe File opened for modification C:\Windows\SysWOW64\Ajjcbpdd.exe Afohaa32.exe File created C:\Windows\SysWOW64\Bidjnkdg.exe Behnnm32.exe File created C:\Windows\SysWOW64\Cibgai32.dll Alhjai32.exe File created C:\Windows\SysWOW64\Bpfcgg32.exe Ahokfj32.exe File opened for modification C:\Windows\SysWOW64\Dgfjbgmh.exe Doobajme.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5168 5580 WerFault.exe 585 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cibcni32.dll" Qhooggdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfjpdigc.dll" Ohibdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjlnif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbmfll32.dll" Lhbcfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onmddnil.dll" Nialog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jneohcll.dll" Ajhgmpfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdmaibnf.dll" Clomqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knjbnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iopodh32.dll" Mpbaebdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pigeqkai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aipddi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alpmfdcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmjblg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qljkhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaaijdgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ednpej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehllae32.dll" Inngcfid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbcjffka.dll" Mgimmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfnbefhd.dll" Njlockkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bblogakg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Echfaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kddjlc32.dll" Cllpkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgbdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll" Iaeiieeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifcbodli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghlpli32.dll" Ifcbodli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidengnp.dll" Anlmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdnbg32.dll" Eijcpoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqncakcq.dll" Lpdbloof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpdbloof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocnfbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bppoqeja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lklohbmo.dll" Ckccgane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongbcmlc.dll" Fjgoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmjjea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llkbap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmnkpm32.dll" Mggpgmof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oenifh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kokbpahm.dll" Kfegbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlbeqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojcecjee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coelaaoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcenlceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jamfqeie.dll" Epdkli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lopekk32.dll" Ebedndfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbecd32.dll" Naajoinb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emieil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fglhobmg.dll" Dbbkja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhpiojfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpjiajeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egoife32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Globlmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjp32.dll" Kmaled32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pggbla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enakbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cakqnc32.dll" Fjlhneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aelcmdee.dll" Qfahhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccfhhffh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhjgal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkbcln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glamna32.dll" Onmkio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qnigda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqlafm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll" Hlakpp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2084 wrote to memory of 2228 2084 45dc53bcb6c92dd14662c2ced6741dd4a2a762f530a1124271cf690246fe3006.exe 28 PID 2084 wrote to memory of 2228 2084 45dc53bcb6c92dd14662c2ced6741dd4a2a762f530a1124271cf690246fe3006.exe 28 PID 2084 wrote to memory of 2228 2084 45dc53bcb6c92dd14662c2ced6741dd4a2a762f530a1124271cf690246fe3006.exe 28 PID 2084 wrote to memory of 2228 2084 45dc53bcb6c92dd14662c2ced6741dd4a2a762f530a1124271cf690246fe3006.exe 28 PID 2228 wrote to memory of 2528 2228 Magnek32.exe 29 PID 2228 wrote to memory of 2528 2228 Magnek32.exe 29 PID 2228 wrote to memory of 2528 2228 Magnek32.exe 29 PID 2228 wrote to memory of 2528 2228 Magnek32.exe 29 PID 2528 wrote to memory of 2340 2528 Mhqfbebj.exe 30 PID 2528 wrote to memory of 2340 2528 Mhqfbebj.exe 30 PID 2528 wrote to memory of 2340 2528 Mhqfbebj.exe 30 PID 2528 wrote to memory of 2340 2528 Mhqfbebj.exe 30 PID 2340 wrote to memory of 2544 2340 Nnnojlpa.exe 31 PID 2340 wrote to memory of 2544 2340 Nnnojlpa.exe 31 PID 2340 wrote to memory of 2544 2340 Nnnojlpa.exe 31 PID 2340 wrote to memory of 2544 2340 Nnnojlpa.exe 31 PID 2544 wrote to memory of 2496 2544 Nplkfgoe.exe 32 PID 2544 wrote to memory of 2496 2544 Nplkfgoe.exe 32 PID 2544 wrote to memory of 2496 2544 Nplkfgoe.exe 32 PID 2544 wrote to memory of 2496 2544 Nplkfgoe.exe 32 PID 2496 wrote to memory of 2460 2496 Ncjgbcoi.exe 33 PID 2496 wrote to memory of 2460 2496 Ncjgbcoi.exe 33 PID 2496 wrote to memory of 2460 2496 Ncjgbcoi.exe 33 PID 2496 wrote to memory of 2460 2496 Ncjgbcoi.exe 33 PID 2460 wrote to memory of 2868 2460 Nnplpl32.exe 34 PID 2460 wrote to memory of 2868 2460 Nnplpl32.exe 34 PID 2460 wrote to memory of 2868 2460 Nnplpl32.exe 34 PID 2460 wrote to memory of 2868 2460 Nnplpl32.exe 34 PID 2868 wrote to memory of 848 2868 Ndjdlffl.exe 35 PID 2868 wrote to memory of 848 2868 Ndjdlffl.exe 35 PID 2868 wrote to memory of 848 2868 Ndjdlffl.exe 35 PID 2868 wrote to memory of 848 2868 Ndjdlffl.exe 35 PID 848 wrote to memory of 2672 848 Nfkpdn32.exe 36 PID 848 wrote to memory of 2672 848 Nfkpdn32.exe 36 PID 848 wrote to memory of 2672 848 Nfkpdn32.exe 36 PID 848 wrote to memory of 2672 848 Nfkpdn32.exe 36 PID 2672 wrote to memory of 1548 2672 Nnbhek32.exe 37 PID 2672 wrote to memory of 1548 2672 Nnbhek32.exe 37 PID 2672 wrote to memory of 1548 2672 Nnbhek32.exe 37 PID 2672 wrote to memory of 1548 2672 Nnbhek32.exe 37 PID 1548 wrote to memory of 2148 1548 Nqqdag32.exe 38 PID 1548 wrote to memory of 2148 1548 Nqqdag32.exe 38 PID 1548 wrote to memory of 2148 1548 Nqqdag32.exe 38 PID 1548 wrote to memory of 2148 1548 Nqqdag32.exe 38 PID 2148 wrote to memory of 376 2148 Nfmmin32.exe 39 PID 2148 wrote to memory of 376 2148 Nfmmin32.exe 39 PID 2148 wrote to memory of 376 2148 Nfmmin32.exe 39 PID 2148 wrote to memory of 376 2148 Nfmmin32.exe 39 PID 376 wrote to memory of 1132 376 Nlgefh32.exe 40 PID 376 wrote to memory of 1132 376 Nlgefh32.exe 40 PID 376 wrote to memory of 1132 376 Nlgefh32.exe 40 PID 376 wrote to memory of 1132 376 Nlgefh32.exe 40 PID 1132 wrote to memory of 2744 1132 Ncancbha.exe 41 PID 1132 wrote to memory of 2744 1132 Ncancbha.exe 41 PID 1132 wrote to memory of 2744 1132 Ncancbha.exe 41 PID 1132 wrote to memory of 2744 1132 Ncancbha.exe 41 PID 2744 wrote to memory of 1924 2744 Nfpjomgd.exe 42 PID 2744 wrote to memory of 1924 2744 Nfpjomgd.exe 42 PID 2744 wrote to memory of 1924 2744 Nfpjomgd.exe 42 PID 2744 wrote to memory of 1924 2744 Nfpjomgd.exe 42 PID 1924 wrote to memory of 1616 1924 Nmjblg32.exe 43 PID 1924 wrote to memory of 1616 1924 Nmjblg32.exe 43 PID 1924 wrote to memory of 1616 1924 Nmjblg32.exe 43 PID 1924 wrote to memory of 1616 1924 Nmjblg32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\45dc53bcb6c92dd14662c2ced6741dd4a2a762f530a1124271cf690246fe3006.exe"C:\Users\Admin\AppData\Local\Temp\45dc53bcb6c92dd14662c2ced6741dd4a2a762f530a1124271cf690246fe3006.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1616 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1404 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1780 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:644 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:808 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1980 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:900 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1852 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1524 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2508 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2476 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe34⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe35⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe36⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe37⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe39⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe43⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe44⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe45⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe50⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1740 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe52⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe53⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2780 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe55⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe56⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe57⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe60⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe62⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe63⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1836 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe66⤵PID:700
-
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe67⤵
- Drops file in System32 directory
PID:1696 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe68⤵PID:2788
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe69⤵PID:2000
-
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe70⤵PID:1712
-
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe71⤵
- Drops file in System32 directory
PID:568 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe72⤵PID:1528
-
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2208 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe74⤵PID:2644
-
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe75⤵
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe76⤵PID:2556
-
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2564 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1608 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe79⤵PID:1540
-
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe80⤵PID:2040
-
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe81⤵PID:2076
-
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe82⤵PID:1920
-
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe83⤵PID:448
-
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe84⤵PID:840
-
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe85⤵PID:2220
-
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe86⤵
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2288 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe88⤵PID:2928
-
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe89⤵PID:2532
-
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe90⤵PID:2396
-
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe91⤵PID:1732
-
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe92⤵
- Drops file in System32 directory
PID:1744 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe93⤵PID:544
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe94⤵PID:112
-
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe95⤵PID:108
-
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe96⤵PID:2752
-
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe97⤵PID:2004
-
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe98⤵PID:1408
-
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1956 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe100⤵
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe101⤵PID:276
-
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe102⤵
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1428 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe104⤵PID:2940
-
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe105⤵
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe106⤵
- Drops file in System32 directory
- Modifies registry class
PID:1208 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe107⤵PID:2276
-
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe108⤵
- Drops file in System32 directory
PID:1456 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe109⤵PID:2308
-
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe110⤵PID:2064
-
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe111⤵PID:2848
-
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe112⤵PID:1976
-
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe113⤵PID:2356
-
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe114⤵PID:1080
-
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe115⤵PID:1868
-
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe116⤵PID:1108
-
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe117⤵PID:2572
-
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe118⤵
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe119⤵
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe120⤵
- Drops file in System32 directory
PID:776 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe121⤵
- Modifies registry class
PID:2352
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-