Analysis
-
max time kernel
139s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
12-11-2023 03:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d207710f38cf774c94edc911cd038d80.exe
Resource
win7-20231023-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
d207710f38cf774c94edc911cd038d80.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
d207710f38cf774c94edc911cd038d80.exe
-
Size
77KB
-
MD5
d207710f38cf774c94edc911cd038d80
-
SHA1
463af42e8bea7de00d2b3da46a01ff2b469a50ac
-
SHA256
0e858ea3e4fd20bce174baade8a979580a4f140d99543f249ae2fdcbbef35d23
-
SHA512
c92b2a193e4c63214bc258718f1104192e97624af73f42e350a0c80d1c8416c9093012e1d3ae6c36964faae84d80af2217d881b7994e8700421843bd14e32917
-
SSDEEP
1536:7e8TnbyHNRYlt/e5rQ4ZeahACI8/92LtUwfi+TjRC/D:7eCytGlxs07zCIvqwf1TjYD
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocjoadei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piapkbeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmlgcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akhaipei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkamdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckcbaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imiehfao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbpedjnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hepgkohh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcpgmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bejobk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dehnpp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njbgmjgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bppcpc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmpgghoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhppik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcembe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbehienn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omjnhiiq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dioiki32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aecialmb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjcojo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkiamp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dngobghg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqbpojnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbfkceca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjfbjdnd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phbolflm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjbcplpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieqpbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifcben32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diamko32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcghkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hepgkohh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilmedf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpoaom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhcfleff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqklkbbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icqmncof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igneda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nehjmnei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbnbhfde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gicgpelg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jppnpjel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfoegm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Defheg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ellicihn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekajec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpnjah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhqefjpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbebbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqmhqapg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Famhmfkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilmedf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agjhbbob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fikihlmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odcfdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnifekmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joekag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abjmkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjfogbjb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdbnmbhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bipnihgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inhmqlmj.exe -
Executes dropped EXE 64 IoCs
pid Process 3876 Hfjdqmng.exe 4588 Ifmqfm32.exe 3656 Iliinc32.exe 2444 Imiehfao.exe 3908 Ilnbicff.exe 4880 Mfnoqc32.exe 3948 Nqbpojnp.exe 4068 Nfohgqlg.exe 4628 Ncchae32.exe 1924 Nmkmjjaa.exe 2692 Onkidm32.exe 1900 Offnhpfo.exe 4472 Ocjoadei.exe 4656 Oanokhdb.exe 4608 Ojfcdnjc.exe 4368 Ogjdmbil.exe 1472 Oabhfg32.exe 3208 Pnifekmd.exe 3852 Pplobcpp.exe 4188 Pjbcplpe.exe 2116 Phfcipoo.exe 840 Qfkqjmdg.exe 3904 Qaqegecm.exe 4328 Qpeahb32.exe 4908 Afpjel32.exe 3052 Aphnnafb.exe 1928 Agdcpkll.exe 1384 Adhdjpjf.exe 2344 Aaldccip.exe 552 Amcehdod.exe 3488 Bgnffj32.exe 2120 Bpfkpp32.exe 1396 Bhpofl32.exe 936 Boldhf32.exe 1948 Cponen32.exe 4400 Cocjiehd.exe 812 Cnhgjaml.exe 4868 Cgqlcg32.exe 5112 Dafppp32.exe 3632 Dojqjdbl.exe 3896 Dgeenfog.exe 2596 Dggbcf32.exe 3664 Damfao32.exe 4316 Dkekjdck.exe 1400 Dglkoeio.exe 2112 Eqdpgk32.exe 4808 Ekjded32.exe 2460 Eohmkb32.exe 4912 Ebifmm32.exe 2488 Ekajec32.exe 1420 Eqncnj32.exe 2948 Ekcgkb32.exe 1508 Fkfcqb32.exe 1432 Fijdjfdb.exe 4508 Filapfbo.exe 4872 Fqgedh32.exe 2632 Fajbjh32.exe 1260 Gnnccl32.exe 1428 Gicgpelg.exe 2296 Gejhef32.exe 2280 Gbnhoj32.exe 3572 Ggkqgaol.exe 2960 Gbpedjnb.exe 5004 Gpdennml.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pplobcpp.exe Pnifekmd.exe File created C:\Windows\SysWOW64\Pmmfoj32.dll Gnaecedp.exe File opened for modification C:\Windows\SysWOW64\Gejhef32.exe Gicgpelg.exe File opened for modification C:\Windows\SysWOW64\Hqghqpnl.exe Hepgkohh.exe File opened for modification C:\Windows\SysWOW64\Aecialmb.exe Amfhgj32.exe File created C:\Windows\SysWOW64\Jnkqlk32.dll Bqpbboeg.exe File opened for modification C:\Windows\SysWOW64\Ckcbaf32.exe Ckafkfkp.exe File created C:\Windows\SysWOW64\Pplhhm32.exe Piapkbeg.exe File opened for modification C:\Windows\SysWOW64\Iloajfml.exe Ieeimlep.exe File created C:\Windows\SysWOW64\Hgpchp32.dll Hjfbjdnd.exe File opened for modification C:\Windows\SysWOW64\Fgmllpng.exe Fcodfa32.exe File opened for modification C:\Windows\SysWOW64\Knbinhfl.exe Kejeebpl.exe File opened for modification C:\Windows\SysWOW64\Gnnccl32.exe Fajbjh32.exe File opened for modification C:\Windows\SysWOW64\Kcapicdj.exe Khlklj32.exe File opened for modification C:\Windows\SysWOW64\Lkiamp32.exe Kbnlim32.exe File opened for modification C:\Windows\SysWOW64\Oheienli.exe Obkahddl.exe File created C:\Windows\SysWOW64\Oqklkbbi.exe Ocgkan32.exe File created C:\Windows\SysWOW64\Nmkgdlkh.dll Onqdhh32.exe File created C:\Windows\SysWOW64\Pmhbqbae.exe Pqbala32.exe File created C:\Windows\SysWOW64\Dihmeahp.dll Dbcbnlcl.exe File created C:\Windows\SysWOW64\Iaifbg32.exe Ifcben32.exe File created C:\Windows\SysWOW64\Oolnabal.exe Oediim32.exe File opened for modification C:\Windows\SysWOW64\Iabglnco.exe Ijiopd32.exe File opened for modification C:\Windows\SysWOW64\Pcpgmf32.exe Pkholi32.exe File opened for modification C:\Windows\SysWOW64\Fgncff32.exe Fjjcmbci.exe File created C:\Windows\SysWOW64\Eahobg32.exe Ekngemhd.exe File created C:\Windows\SysWOW64\Dbfccfbm.dll Ifjoop32.exe File created C:\Windows\SysWOW64\Jgcooaah.exe Iaifbg32.exe File created C:\Windows\SysWOW64\Ejccgi32.exe Eahobg32.exe File created C:\Windows\SysWOW64\Odehaccj.dll Kaopoj32.exe File created C:\Windows\SysWOW64\Biepfnpi.dll Ihpcinld.exe File created C:\Windows\SysWOW64\Iolgql32.dll Fcbnpnme.exe File opened for modification C:\Windows\SysWOW64\Cibkohef.exe Cdebfago.exe File opened for modification C:\Windows\SysWOW64\Malnklgg.exe Mjafoapj.exe File opened for modification C:\Windows\SysWOW64\Imiehfao.exe Iliinc32.exe File created C:\Windows\SysWOW64\Lhqefjpo.exe Lohqnd32.exe File created C:\Windows\SysWOW64\Mnokmd32.dll Dgpeha32.exe File created C:\Windows\SysWOW64\Ifcben32.exe Iebfmfdg.exe File opened for modification C:\Windows\SysWOW64\Dpllbp32.exe Defheg32.exe File created C:\Windows\SysWOW64\Nkhlin32.dll Gnanioad.exe File created C:\Windows\SysWOW64\Igghffab.dll Malefbkc.exe File created C:\Windows\SysWOW64\Jnapgjdo.exe Jmbdmg32.exe File created C:\Windows\SysWOW64\Dlbfmjqi.exe Dehnpp32.exe File created C:\Windows\SysWOW64\Cponen32.exe Boldhf32.exe File opened for modification C:\Windows\SysWOW64\Dgeenfog.exe Dojqjdbl.exe File created C:\Windows\SysWOW64\Pecpknke.exe Pkklbh32.exe File created C:\Windows\SysWOW64\Ljncnhhk.exe Ldanloba.exe File created C:\Windows\SysWOW64\Dllfqd32.dll Dafppp32.exe File opened for modification C:\Windows\SysWOW64\Ajohfcpj.exe Abhqefpg.exe File created C:\Windows\SysWOW64\Fcbnpnme.exe Fbaahf32.exe File opened for modification C:\Windows\SysWOW64\Dinjjf32.exe Dbcbnlcl.exe File opened for modification C:\Windows\SysWOW64\Dggbcf32.exe Dgeenfog.exe File created C:\Windows\SysWOW64\Hahokfag.exe Ghojbq32.exe File created C:\Windows\SysWOW64\Engdno32.dll Ajohfcpj.exe File opened for modification C:\Windows\SysWOW64\Pkonbamc.exe Pdeffgff.exe File created C:\Windows\SysWOW64\Eqncnj32.exe Ekajec32.exe File created C:\Windows\SysWOW64\Kapfiqoj.exe Kpnjah32.exe File created C:\Windows\SysWOW64\Cpljehpo.exe Bgdemb32.exe File created C:\Windows\SysWOW64\Gpmmbfem.dll Ieeimlep.exe File created C:\Windows\SysWOW64\Flboch32.exe Fhefmjlp.exe File created C:\Windows\SysWOW64\Aecialmb.exe Amfhgj32.exe File created C:\Windows\SysWOW64\Bfieagka.exe Bghddp32.exe File created C:\Windows\SysWOW64\Aaofedkl.exe Aamipe32.exe File created C:\Windows\SysWOW64\Jojbil32.dll Bdgehobe.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6328 6768 WerFault.exe 667 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foeeml32.dll" Gcimfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpegl32.dll" Oeffnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkonbamc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eppobi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhbciqln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhekaejj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opjgidfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpdennml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcblekh.dll" Dgdncplk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dicbfhni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpgdai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beoimjce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilmedf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iagpbgig.dll" Mkjjdmaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clbdpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncfqehop.dll" Jnapgjdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipqigjkp.dll" Dehnpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjmpfdhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gicgpelg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdknpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jacpcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhafcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbcikkp.dll" Lcmodajm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijiopd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imdgljil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkekjdck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kehojiej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agjhbbob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cihjeq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pphckb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqncnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkfcqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fncibg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbglgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efcpkeke.dll" Cjomldfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcmfjll.dll" Ilnbicff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqklkbbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdeffgff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhhldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdlhgpag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqbpahpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oafacn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkboeobh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gejhef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maoakaip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cflpcaoh.dll" Bflagg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbfema32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngcglo32.dll" Jihbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cheegm32.dll" Jikjmbmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" d207710f38cf774c94edc911cd038d80.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojfcdnjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgbhfhcl.dll" Hgmebnpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kohcfcqo.dll" Pphckb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjfjee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldnekoch.dll" Cinpdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mekdffee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnfoac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egnajocq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qihoak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jginej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gggmgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnpgdmjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpjelibg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gehhom32.dll" Nagngjmj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3280 wrote to memory of 3876 3280 d207710f38cf774c94edc911cd038d80.exe 86 PID 3280 wrote to memory of 3876 3280 d207710f38cf774c94edc911cd038d80.exe 86 PID 3280 wrote to memory of 3876 3280 d207710f38cf774c94edc911cd038d80.exe 86 PID 3876 wrote to memory of 4588 3876 Hfjdqmng.exe 87 PID 3876 wrote to memory of 4588 3876 Hfjdqmng.exe 87 PID 3876 wrote to memory of 4588 3876 Hfjdqmng.exe 87 PID 4588 wrote to memory of 3656 4588 Ifmqfm32.exe 88 PID 4588 wrote to memory of 3656 4588 Ifmqfm32.exe 88 PID 4588 wrote to memory of 3656 4588 Ifmqfm32.exe 88 PID 3656 wrote to memory of 2444 3656 Iliinc32.exe 89 PID 3656 wrote to memory of 2444 3656 Iliinc32.exe 89 PID 3656 wrote to memory of 2444 3656 Iliinc32.exe 89 PID 2444 wrote to memory of 3908 2444 Imiehfao.exe 90 PID 2444 wrote to memory of 3908 2444 Imiehfao.exe 90 PID 2444 wrote to memory of 3908 2444 Imiehfao.exe 90 PID 3908 wrote to memory of 4880 3908 Ilnbicff.exe 92 PID 3908 wrote to memory of 4880 3908 Ilnbicff.exe 92 PID 3908 wrote to memory of 4880 3908 Ilnbicff.exe 92 PID 4880 wrote to memory of 3948 4880 Mfnoqc32.exe 94 PID 4880 wrote to memory of 3948 4880 Mfnoqc32.exe 94 PID 4880 wrote to memory of 3948 4880 Mfnoqc32.exe 94 PID 3948 wrote to memory of 4068 3948 Nqbpojnp.exe 95 PID 3948 wrote to memory of 4068 3948 Nqbpojnp.exe 95 PID 3948 wrote to memory of 4068 3948 Nqbpojnp.exe 95 PID 4068 wrote to memory of 4628 4068 Nfohgqlg.exe 96 PID 4068 wrote to memory of 4628 4068 Nfohgqlg.exe 96 PID 4068 wrote to memory of 4628 4068 Nfohgqlg.exe 96 PID 4628 wrote to memory of 1924 4628 Ncchae32.exe 97 PID 4628 wrote to memory of 1924 4628 Ncchae32.exe 97 PID 4628 wrote to memory of 1924 4628 Ncchae32.exe 97 PID 1924 wrote to memory of 2692 1924 Nmkmjjaa.exe 99 PID 1924 wrote to memory of 2692 1924 Nmkmjjaa.exe 99 PID 1924 wrote to memory of 2692 1924 Nmkmjjaa.exe 99 PID 2692 wrote to memory of 1900 2692 Onkidm32.exe 100 PID 2692 wrote to memory of 1900 2692 Onkidm32.exe 100 PID 2692 wrote to memory of 1900 2692 Onkidm32.exe 100 PID 1900 wrote to memory of 4472 1900 Offnhpfo.exe 101 PID 1900 wrote to memory of 4472 1900 Offnhpfo.exe 101 PID 1900 wrote to memory of 4472 1900 Offnhpfo.exe 101 PID 4472 wrote to memory of 4656 4472 Ocjoadei.exe 102 PID 4472 wrote to memory of 4656 4472 Ocjoadei.exe 102 PID 4472 wrote to memory of 4656 4472 Ocjoadei.exe 102 PID 4656 wrote to memory of 4608 4656 Oanokhdb.exe 103 PID 4656 wrote to memory of 4608 4656 Oanokhdb.exe 103 PID 4656 wrote to memory of 4608 4656 Oanokhdb.exe 103 PID 4608 wrote to memory of 4368 4608 Ojfcdnjc.exe 104 PID 4608 wrote to memory of 4368 4608 Ojfcdnjc.exe 104 PID 4608 wrote to memory of 4368 4608 Ojfcdnjc.exe 104 PID 4368 wrote to memory of 1472 4368 Ogjdmbil.exe 105 PID 4368 wrote to memory of 1472 4368 Ogjdmbil.exe 105 PID 4368 wrote to memory of 1472 4368 Ogjdmbil.exe 105 PID 1472 wrote to memory of 3208 1472 Oabhfg32.exe 106 PID 1472 wrote to memory of 3208 1472 Oabhfg32.exe 106 PID 1472 wrote to memory of 3208 1472 Oabhfg32.exe 106 PID 3208 wrote to memory of 3852 3208 Pnifekmd.exe 107 PID 3208 wrote to memory of 3852 3208 Pnifekmd.exe 107 PID 3208 wrote to memory of 3852 3208 Pnifekmd.exe 107 PID 3852 wrote to memory of 4188 3852 Pplobcpp.exe 108 PID 3852 wrote to memory of 4188 3852 Pplobcpp.exe 108 PID 3852 wrote to memory of 4188 3852 Pplobcpp.exe 108 PID 4188 wrote to memory of 2116 4188 Pjbcplpe.exe 110 PID 4188 wrote to memory of 2116 4188 Pjbcplpe.exe 110 PID 4188 wrote to memory of 2116 4188 Pjbcplpe.exe 110 PID 2116 wrote to memory of 840 2116 Phfcipoo.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\d207710f38cf774c94edc911cd038d80.exe"C:\Users\Admin\AppData\Local\Temp\d207710f38cf774c94edc911cd038d80.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Windows\SysWOW64\Hfjdqmng.exeC:\Windows\system32\Hfjdqmng.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
C:\Windows\SysWOW64\Ifmqfm32.exeC:\Windows\system32\Ifmqfm32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Iliinc32.exeC:\Windows\system32\Iliinc32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\Imiehfao.exeC:\Windows\system32\Imiehfao.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Ilnbicff.exeC:\Windows\system32\Ilnbicff.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Windows\SysWOW64\Mfnoqc32.exeC:\Windows\system32\Mfnoqc32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\SysWOW64\Nqbpojnp.exeC:\Windows\system32\Nqbpojnp.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\Nfohgqlg.exeC:\Windows\system32\Nfohgqlg.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\Ncchae32.exeC:\Windows\system32\Ncchae32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Windows\SysWOW64\Nmkmjjaa.exeC:\Windows\system32\Nmkmjjaa.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Onkidm32.exeC:\Windows\system32\Onkidm32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Offnhpfo.exeC:\Windows\system32\Offnhpfo.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\Ocjoadei.exeC:\Windows\system32\Ocjoadei.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\Oanokhdb.exeC:\Windows\system32\Oanokhdb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\SysWOW64\Ojfcdnjc.exeC:\Windows\system32\Ojfcdnjc.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\Ogjdmbil.exeC:\Windows\system32\Ogjdmbil.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
C:\Windows\SysWOW64\Oabhfg32.exeC:\Windows\system32\Oabhfg32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Pnifekmd.exeC:\Windows\system32\Pnifekmd.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\Pplobcpp.exeC:\Windows\system32\Pplobcpp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Windows\SysWOW64\Pjbcplpe.exeC:\Windows\system32\Pjbcplpe.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
C:\Windows\SysWOW64\Phfcipoo.exeC:\Windows\system32\Phfcipoo.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Qfkqjmdg.exeC:\Windows\system32\Qfkqjmdg.exe23⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Qaqegecm.exeC:\Windows\system32\Qaqegecm.exe24⤵
- Executes dropped EXE
PID:3904 -
C:\Windows\SysWOW64\Qpeahb32.exeC:\Windows\system32\Qpeahb32.exe25⤵
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Afpjel32.exeC:\Windows\system32\Afpjel32.exe26⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Aphnnafb.exeC:\Windows\system32\Aphnnafb.exe27⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Agdcpkll.exeC:\Windows\system32\Agdcpkll.exe28⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Adhdjpjf.exeC:\Windows\system32\Adhdjpjf.exe29⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Aaldccip.exeC:\Windows\system32\Aaldccip.exe30⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Amcehdod.exeC:\Windows\system32\Amcehdod.exe31⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Bgnffj32.exeC:\Windows\system32\Bgnffj32.exe32⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Bpfkpp32.exeC:\Windows\system32\Bpfkpp32.exe33⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Bhpofl32.exeC:\Windows\system32\Bhpofl32.exe34⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Boldhf32.exeC:\Windows\system32\Boldhf32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:936 -
C:\Windows\SysWOW64\Cponen32.exeC:\Windows\system32\Cponen32.exe36⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Cocjiehd.exeC:\Windows\system32\Cocjiehd.exe37⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Cnhgjaml.exeC:\Windows\system32\Cnhgjaml.exe38⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Cgqlcg32.exeC:\Windows\system32\Cgqlcg32.exe39⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Dafppp32.exeC:\Windows\system32\Dafppp32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5112 -
C:\Windows\SysWOW64\Dojqjdbl.exeC:\Windows\system32\Dojqjdbl.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3632 -
C:\Windows\SysWOW64\Dgeenfog.exeC:\Windows\system32\Dgeenfog.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3896 -
C:\Windows\SysWOW64\Dggbcf32.exeC:\Windows\system32\Dggbcf32.exe43⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Damfao32.exeC:\Windows\system32\Damfao32.exe44⤵
- Executes dropped EXE
PID:3664 -
C:\Windows\SysWOW64\Dkekjdck.exeC:\Windows\system32\Dkekjdck.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:4316 -
C:\Windows\SysWOW64\Dglkoeio.exeC:\Windows\system32\Dglkoeio.exe46⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Eqdpgk32.exeC:\Windows\system32\Eqdpgk32.exe47⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Ekjded32.exeC:\Windows\system32\Ekjded32.exe48⤵
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Eohmkb32.exeC:\Windows\system32\Eohmkb32.exe49⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Ebifmm32.exeC:\Windows\system32\Ebifmm32.exe50⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Ekajec32.exeC:\Windows\system32\Ekajec32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2488 -
C:\Windows\SysWOW64\Eqncnj32.exeC:\Windows\system32\Eqncnj32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1420 -
C:\Windows\SysWOW64\Ekcgkb32.exeC:\Windows\system32\Ekcgkb32.exe53⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Fkfcqb32.exeC:\Windows\system32\Fkfcqb32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Fijdjfdb.exeC:\Windows\system32\Fijdjfdb.exe55⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Filapfbo.exeC:\Windows\system32\Filapfbo.exe56⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Fqgedh32.exeC:\Windows\system32\Fqgedh32.exe57⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Fajbjh32.exeC:\Windows\system32\Fajbjh32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2632 -
C:\Windows\SysWOW64\Gnnccl32.exeC:\Windows\system32\Gnnccl32.exe59⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Gicgpelg.exeC:\Windows\system32\Gicgpelg.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1428 -
C:\Windows\SysWOW64\Gejhef32.exeC:\Windows\system32\Gejhef32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Gbnhoj32.exeC:\Windows\system32\Gbnhoj32.exe62⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Ggkqgaol.exeC:\Windows\system32\Ggkqgaol.exe63⤵
- Executes dropped EXE
PID:3572 -
C:\Windows\SysWOW64\Gbpedjnb.exeC:\Windows\system32\Gbpedjnb.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Gpdennml.exeC:\Windows\system32\Gpdennml.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:5004 -
C:\Windows\SysWOW64\Ghojbq32.exeC:\Windows\system32\Ghojbq32.exe66⤵
- Drops file in System32 directory
PID:4296 -
C:\Windows\SysWOW64\Hahokfag.exeC:\Windows\system32\Hahokfag.exe67⤵PID:1792
-
C:\Windows\SysWOW64\Hpioin32.exeC:\Windows\system32\Hpioin32.exe68⤵PID:1464
-
C:\Windows\SysWOW64\Hicpgc32.exeC:\Windows\system32\Hicpgc32.exe69⤵PID:3304
-
C:\Windows\SysWOW64\Hldiinke.exeC:\Windows\system32\Hldiinke.exe70⤵PID:4384
-
C:\Windows\SysWOW64\Ihpcinld.exeC:\Windows\system32\Ihpcinld.exe71⤵
- Drops file in System32 directory
PID:1972 -
C:\Windows\SysWOW64\Ibgdlg32.exeC:\Windows\system32\Ibgdlg32.exe72⤵PID:3136
-
C:\Windows\SysWOW64\Iondqhpl.exeC:\Windows\system32\Iondqhpl.exe73⤵PID:5132
-
C:\Windows\SysWOW64\Jaonbc32.exeC:\Windows\system32\Jaonbc32.exe74⤵PID:5176
-
C:\Windows\SysWOW64\Jppnpjel.exeC:\Windows\system32\Jppnpjel.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5224 -
C:\Windows\SysWOW64\Jihbip32.exeC:\Windows\system32\Jihbip32.exe76⤵
- Modifies registry class
PID:5292 -
C:\Windows\SysWOW64\Joekag32.exeC:\Windows\system32\Joekag32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5336 -
C:\Windows\SysWOW64\Jhnojl32.exeC:\Windows\system32\Jhnojl32.exe78⤵PID:5376
-
C:\Windows\SysWOW64\Jafdcbge.exeC:\Windows\system32\Jafdcbge.exe79⤵PID:5420
-
C:\Windows\SysWOW64\Jpgdai32.exeC:\Windows\system32\Jpgdai32.exe80⤵
- Modifies registry class
PID:5464 -
C:\Windows\SysWOW64\Jahqiaeb.exeC:\Windows\system32\Jahqiaeb.exe81⤵PID:5512
-
C:\Windows\SysWOW64\Khbiello.exeC:\Windows\system32\Khbiello.exe82⤵PID:5560
-
C:\Windows\SysWOW64\Kefiopki.exeC:\Windows\system32\Kefiopki.exe83⤵PID:5604
-
C:\Windows\SysWOW64\Klpakj32.exeC:\Windows\system32\Klpakj32.exe84⤵PID:5676
-
C:\Windows\SysWOW64\Keifdpif.exeC:\Windows\system32\Keifdpif.exe85⤵PID:5732
-
C:\Windows\SysWOW64\Kpnjah32.exeC:\Windows\system32\Kpnjah32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5780 -
C:\Windows\SysWOW64\Kapfiqoj.exeC:\Windows\system32\Kapfiqoj.exe87⤵PID:5820
-
C:\Windows\SysWOW64\Kpqggh32.exeC:\Windows\system32\Kpqggh32.exe88⤵PID:5880
-
C:\Windows\SysWOW64\Khlklj32.exeC:\Windows\system32\Khlklj32.exe89⤵
- Drops file in System32 directory
PID:5920 -
C:\Windows\SysWOW64\Kcapicdj.exeC:\Windows\system32\Kcapicdj.exe90⤵PID:5960
-
C:\Windows\SysWOW64\Lhnhajba.exeC:\Windows\system32\Lhnhajba.exe91⤵PID:6004
-
C:\Windows\SysWOW64\Lohqnd32.exeC:\Windows\system32\Lohqnd32.exe92⤵
- Drops file in System32 directory
PID:6048 -
C:\Windows\SysWOW64\Lhqefjpo.exeC:\Windows\system32\Lhqefjpo.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6096 -
C:\Windows\SysWOW64\Lojmcdgl.exeC:\Windows\system32\Lojmcdgl.exe94⤵PID:6140
-
C:\Windows\SysWOW64\Ledepn32.exeC:\Windows\system32\Ledepn32.exe95⤵PID:5164
-
C:\Windows\SysWOW64\Lomjicei.exeC:\Windows\system32\Lomjicei.exe96⤵PID:5324
-
C:\Windows\SysWOW64\Ljbnfleo.exeC:\Windows\system32\Ljbnfleo.exe97⤵PID:5412
-
C:\Windows\SysWOW64\Lancko32.exeC:\Windows\system32\Lancko32.exe98⤵PID:5460
-
C:\Windows\SysWOW64\Lpochfji.exeC:\Windows\system32\Lpochfji.exe99⤵PID:5552
-
C:\Windows\SysWOW64\Lcmodajm.exeC:\Windows\system32\Lcmodajm.exe100⤵
- Modifies registry class
PID:5636 -
C:\Windows\SysWOW64\Mledmg32.exeC:\Windows\system32\Mledmg32.exe101⤵PID:5720
-
C:\Windows\SysWOW64\Mfnhfm32.exeC:\Windows\system32\Mfnhfm32.exe102⤵PID:5812
-
C:\Windows\SysWOW64\Mjnnbk32.exeC:\Windows\system32\Mjnnbk32.exe103⤵PID:5900
-
C:\Windows\SysWOW64\Mhckcgpj.exeC:\Windows\system32\Mhckcgpj.exe104⤵PID:5968
-
C:\Windows\SysWOW64\Njbgmjgl.exeC:\Windows\system32\Njbgmjgl.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6032 -
C:\Windows\SysWOW64\Nmcpoedn.exeC:\Windows\system32\Nmcpoedn.exe106⤵PID:1128
-
C:\Windows\SysWOW64\Nfldgk32.exeC:\Windows\system32\Nfldgk32.exe107⤵PID:5168
-
C:\Windows\SysWOW64\Nodiqp32.exeC:\Windows\system32\Nodiqp32.exe108⤵PID:5360
-
C:\Windows\SysWOW64\Nmhijd32.exeC:\Windows\system32\Nmhijd32.exe109⤵PID:5448
-
C:\Windows\SysWOW64\Nbebbk32.exeC:\Windows\system32\Nbebbk32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5596 -
C:\Windows\SysWOW64\Niojoeel.exeC:\Windows\system32\Niojoeel.exe111⤵PID:5716
-
C:\Windows\SysWOW64\Obgohklm.exeC:\Windows\system32\Obgohklm.exe112⤵PID:5868
-
C:\Windows\SysWOW64\Ocgkan32.exeC:\Windows\system32\Ocgkan32.exe113⤵
- Drops file in System32 directory
PID:6020 -
C:\Windows\SysWOW64\Oqklkbbi.exeC:\Windows\system32\Oqklkbbi.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5256 -
C:\Windows\SysWOW64\Ojcpdg32.exeC:\Windows\system32\Ojcpdg32.exe115⤵PID:5456
-
C:\Windows\SysWOW64\Oqmhqapg.exeC:\Windows\system32\Oqmhqapg.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5728 -
C:\Windows\SysWOW64\Ofjqihnn.exeC:\Windows\system32\Ofjqihnn.exe117⤵PID:5892
-
C:\Windows\SysWOW64\Oqoefand.exeC:\Windows\system32\Oqoefand.exe118⤵PID:6128
-
C:\Windows\SysWOW64\Ocnabm32.exeC:\Windows\system32\Ocnabm32.exe119⤵PID:5404
-
C:\Windows\SysWOW64\Pqbala32.exeC:\Windows\system32\Pqbala32.exe120⤵
- Drops file in System32 directory
PID:5888 -
C:\Windows\SysWOW64\Pmhbqbae.exeC:\Windows\system32\Pmhbqbae.exe121⤵PID:5316
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-