Analysis

max time kernel: 164s
max time network: 177s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/01/2024, 20:37

Static task: static1 (1 signatures)

Behavioral task: behavioral1
Sample: dced71d68ffe28cbb42e1119efb221de.exe
Resource: win7-20231215-en
7 signatures, 150 seconds

Behavioral task: behavioral2
Sample: dced71d68ffe28cbb42e1119efb221de.exe
Resource: win10v2004-20231215-en
5 signatures, 150 seconds

General

Target: dced71d68ffe28cbb42e1119efb221de.exe
Size: 79KB
MD5: dced71d68ffe28cbb42e1119efb221de
SHA1: 3ff1cc42bca5dc9aa66e9285bc23f93585481039
SHA256: 18217b4b445a3af93e9e2af5bdcb85a74cda0efe52056de2f8014541c8c285c6
SHA512: 43c8fcea9c7860da4b67b53a9a35fe06c8b6438a7455303ce4205cf927f0f6c8f00b5f7b2761d0fa34fbc5b1a50313b40ef9f2302d2fd25e8002537f8e8f3f4f
SSDEEP: 1536:CG3C+G/YOnBgdeXvhSUEeiFkSIgiItKq9v6DK:CGSRgfWpSUEeixtBtKq9vV
Score: 10/10

Malware Config

Signatures

- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Executes dropped EXE (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Modifies registry class (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
The number before each entry is its depth in the process tree; each process is the child of the one listed above it. Every dropped executable was launched with the command line C:\Windows\system32\<name>.exe, while the image path the sandbox recorded is C:\Windows\SysWOW64\<name>.exe: the whole chain runs as 32-bit processes, so WOW64 file-system redirection maps their system32 to SysWOW64. A detection that matches only the command-line string will miss the on-disk path.
1. C:\Users\Admin\AppData\Local\Temp\dced71d68ffe28cbb42e1119efb221de.exe (PID 5116), command line "C:\Users\Admin\AppData\Local\Temp\dced71d68ffe28cbb42e1119efb221de.exe"
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Onhhmpoo.exe (PID 1832)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Bgfhnpde.exe (PID 1544)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Bpfcelml.exe (PID 4264)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Cnpibh32.exe (PID 3056)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Dfngcdhi.exe (PID 3016)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Eldbbjof.exe (PID 4500)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Efampahd.exe (PID 4068)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Foonjd32.exe (PID 2624)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Fljedg32.exe (PID 3696)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Hodqlq32.exe (PID 5060)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Hhaope32.exe (PID 2688)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Iiokacgp.exe (PID 1812)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Jginej32.exe (PID 4144)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Kfaglf32.exe (PID 4348)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Kidmcqeg.exe (PID 4976)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Lmfodn32.exe (PID 940)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Mdodbf32.exe (PID 4304)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Nplkhf32.exe (PID 2968)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Ndomiddc.exe (PID 4044)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Okbhlm32.exe (PID 4248)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Pahpee32.exe (PID 4808)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Bkamdi32.exe (PID 888)
- Executes dropped EXE
- Drops file in System32 directory
24. C:\Windows\SysWOW64\Bdiamnpc.exe (PID 2568)
- Executes dropped EXE
25. C:\Windows\SysWOW64\Bilcol32.exe (PID 4692)
- Executes dropped EXE
26. C:\Windows\SysWOW64\Cqghcn32.exe (PID 5032)
- Executes dropped EXE
27. C:\Windows\SysWOW64\Cicjokll.exe (PID 3532)
- Executes dropped EXE
28. C:\Windows\SysWOW64\Cigcjj32.exe (PID 5052)
- Executes dropped EXE
29. C:\Windows\SysWOW64\Dajnol32.exe (PID 1348)
- Executes dropped EXE
- Drops file in System32 directory
30. C:\Windows\SysWOW64\Ebpqjmpd.exe (PID 1992)
- Executes dropped EXE
31. C:\Windows\SysWOW64\Flpkcbqm.exe (PID 4600)
- Executes dropped EXE
- Modifies registry class
32. C:\Windows\SysWOW64\Gogjflhf.exe (PID 3708)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
33. C:\Windows\SysWOW64\Gekeie32.exe (PID 3720)
- Executes dropped EXE
- Modifies registry class
34. C:\Windows\SysWOW64\Hedhoc32.exe (PID 5028)
35. C:\Windows\SysWOW64\Ijgjpaao.exe (PID 1040)
- Executes dropped EXE
- Drops file in System32 directory
36. C:\Windows\SysWOW64\Jomeoggk.exe (PID 3356)
- Executes dropped EXE
- Drops file in System32 directory
37. C:\Windows\SysWOW64\Nmbamdkm.exe (PID 2148)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
38. C:\Windows\SysWOW64\Ojmgggdo.exe (PID 208)
- Executes dropped EXE
39. C:\Windows\SysWOW64\Omnqhbap.exe (PID 4420)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
40. C:\Windows\SysWOW64\Pdlbpldg.exe (PID 4416)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
41. C:\Windows\SysWOW64\Pmipdq32.exe (PID 656)
- Executes dropped EXE
- Modifies registry class
42. C:\Windows\SysWOW64\Cgecpa32.exe (PID 3244)
- Executes dropped EXE
43. C:\Windows\SysWOW64\Dmiaig32.exe (PID 3456)
- Executes dropped EXE
44. C:\Windows\SysWOW64\Enoddi32.exe (PID 2916)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
45. C:\Windows\SysWOW64\Eglbhnkp.exe (PID 2856)
- Executes dropped EXE
46. C:\Windows\SysWOW64\Emikpeig.exe (PID 4368)
- Executes dropped EXE
- Drops file in System32 directory
47. C:\Windows\SysWOW64\Fjfnphpf.exe (PID 432)
- Executes dropped EXE
48. C:\Windows\SysWOW64\Fhjoilop.exe (PID 4316)
- Executes dropped EXE
- Drops file in System32 directory
49. C:\Windows\SysWOW64\Gmnmbbgp.exe (PID 1188)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
50. C:\Windows\SysWOW64\Hkggfe32.exe (PID 264)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
51. C:\Windows\SysWOW64\Hmjmnpmb.exe (PID 4612)
- Executes dropped EXE
52. C:\Windows\SysWOW64\Hoiihcde.exe (PID 4880)
- Executes dropped EXE
53. C:\Windows\SysWOW64\Ikechced.exe (PID 3732)
- Executes dropped EXE
54. C:\Windows\SysWOW64\Jeanfkob.exe (PID 1616)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
55. C:\Windows\SysWOW64\Jojboa32.exe (PID 4520)
- Executes dropped EXE
- Modifies registry class
56. C:\Windows\SysWOW64\Jamhflqq.exe (PID 1564)
- Executes dropped EXE
57. C:\Windows\SysWOW64\Kohnpoib.exe (PID 4220)
- Executes dropped EXE
58. C:\Windows\SysWOW64\Loaafnah.exe (PID 216)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
59. C:\Windows\SysWOW64\Qefkcl32.exe (PID 1844)
- Executes dropped EXE
- Modifies registry class
60. C:\Windows\SysWOW64\Djgbmffn.exe (PID 4364)
- Executes dropped EXE
61. C:\Windows\SysWOW64\Gjagapbn.exe (PID 3936)
- Executes dropped EXE
62. C:\Windows\SysWOW64\Hfmqapcl.exe (PID 2304)
- Executes dropped EXE
63. C:\Windows\SysWOW64\Iplkje32.exe (PID 4540)
- Executes dropped EXE
64. C:\Windows\SysWOW64\Jkplilgk.exe (PID 3052)
- Executes dropped EXE
- Drops file in System32 directory
65. C:\Windows\SysWOW64\Lkgkqh32.exe (PID 1192)
- Executes dropped EXE
66. C:\Windows\SysWOW64\Nocphd32.exe (PID 4472)
- Executes dropped EXE
67. C:\Windows\SysWOW64\Ondleo32.exe (PID 4212)
- Modifies registry class
68. C:\Windows\SysWOW64\Onkbenbi.exe (PID 1296)
69. C:\Windows\SysWOW64\Phfcdcfg.exe (PID 3436)
70. C:\Windows\SysWOW64\Plfipakk.exe (PID 3220)
71. C:\Windows\SysWOW64\Qiocde32.exe (PID 3180)
72. C:\Windows\SysWOW64\Qnlkllcf.exe (PID 2328)
73. C:\Windows\SysWOW64\Aiapjecl.exe (PID 3852)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
74. C:\Windows\SysWOW64\Aonhblad.exe (PID 2252)
75. C:\Windows\SysWOW64\Aiclodaj.exe (PID 2760)
76. C:\Windows\SysWOW64\Aejmdegn.exe (PID 3204)
77. C:\Windows\SysWOW64\Abcgii32.exe (PID 4312)
78. C:\Windows\SysWOW64\Bajqpe32.exe (PID 4356)
79. C:\Windows\SysWOW64\Cbofdg32.exe (PID 2320)
80. C:\Windows\SysWOW64\Chphhn32.exe (PID 4392)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
81. C:\Windows\SysWOW64\Ccfmef32.exe (PID 4560)
82. C:\Windows\SysWOW64\Didnmp32.exe (PID 2396)
- Adds autorun key to be loaded by Explorer.exe on startup
83. C:\Windows\SysWOW64\Dhndil32.exe (PID 816)
84. C:\Windows\SysWOW64\Ejegdngb.exe (PID 4280)
- Drops file in System32 directory
85. C:\Windows\SysWOW64\Ebplhp32.exe (PID 1420)
86. C:\Windows\SysWOW64\Fmjjqhpn.exe (PID 3764)
- Drops file in System32 directory
87. C:\Windows\SysWOW64\Fcdbmb32.exe (PID 2996)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
88. C:\Windows\SysWOW64\Fbiooolb.exe (PID 2132)
- Adds autorun key to be loaded by Explorer.exe on startup
89. C:\Windows\SysWOW64\Fckhnaab.exe (PID 4808)
- Modifies registry class
90. C:\Windows\SysWOW64\Gpgbna32.exe (PID 2676)
91. C:\Windows\SysWOW64\Gfedfk32.exe (PID 4332)
- Adds autorun key to be loaded by Explorer.exe on startup
92. C:\Windows\SysWOW64\Hfoflj32.exe (PID 4024)
- Adds autorun key to be loaded by Explorer.exe on startup
93. C:\Windows\SysWOW64\Hadkib32.exe (PID 5032)
94. C:\Windows\SysWOW64\Hbegakcb.exe (PID 3568)
95. C:\Windows\SysWOW64\Ijaimg32.exe (PID 3824)
96. C:\Windows\SysWOW64\Jdqcglqh.exe (PID 4684)
97. C:\Windows\SysWOW64\Jinloboo.exe (PID 2244)
98. C:\Windows\SysWOW64\Jmnakqcc.exe (PID 5004)
- Drops file in System32 directory
99. C:\Windows\SysWOW64\Kpagbk32.exe (PID 4720)
100. C:\Windows\SysWOW64\Kkfkod32.exe (PID 2324)
- Drops file in System32 directory
101. C:\Windows\SysWOW64\Kmgdaokh.exe (PID 4996)
102. C:\Windows\SysWOW64\Kgphje32.exe (PID 3516)
103. C:\Windows\SysWOW64\Lajfbmmi.exe (PID 2516)
104. C:\Windows\SysWOW64\Lgfojd32.exe (PID 4200)
105. C:\Windows\SysWOW64\Laqlclga.exe (PID 4508)
- Drops file in System32 directory
106. C:\Windows\SysWOW64\Lgnekcei.exe (PID 1176)
- Adds autorun key to be loaded by Explorer.exe on startup
107. C:\Windows\SysWOW64\Lacihleo.exe (PID 2332)
- Adds autorun key to be loaded by Explorer.exe on startup
108. C:\Windows\SysWOW64\Mgpaqbcf.exe (PID 548)
- Drops file in System32 directory
109. C:\Windows\SysWOW64\Mgbnfb32.exe (PID 2568)
110. C:\Windows\SysWOW64\Mnlfclip.exe (PID 1476)
- Drops file in System32 directory
111. C:\Windows\SysWOW64\Mgdklb32.exe (PID 980)
112. C:\Windows\SysWOW64\Njjmil32.exe (PID 4724)
113. C:\Windows\SysWOW64\Nbjhph32.exe (PID 1992)
114. C:\Windows\SysWOW64\Okcmingd.exe (PID 2920)
- Adds autorun key to be loaded by Explorer.exe on startup
115. C:\Windows\SysWOW64\Oqdnld32.exe (PID 484)
116. C:\Windows\SysWOW64\Ognginic.exe (PID 4436)
117. C:\Windows\SysWOW64\Fhbpqb32.exe (PID 4348)
118. C:\Windows\SysWOW64\Hbknqeha.exe (PID 1348)
119. C:\Windows\SysWOW64\Helfbqeb.exe (PID 4416)
120. C:\Windows\SysWOW64\Icgjfgef.exe (PID 4116)
- Modifies registry class
121. C:\Windows\SysWOW64\Jpdqlgdc.exe (PID 1808)
122. C:\Windows\SysWOW64\Jbcmhb32.exe (PID 3480)
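The "wrote to memory" events and the process tree above describe one pattern: every process drops a freshly named executable into SysWOW64, starts it, and writes into it with WriteProcessMemory, and many of the children then register the ShellServiceObjectDelayLoad autorun. The script below is an added example for reconstructing that chain from the report's own lines; it is not part of the sandbox output and not code from the sample's author. It assumes the column layout of the event lines exactly as printed (source PID, target PID, source PID again, source image, the report's index for the target) and treats the eight-character naming scheme seen in this report as an observed pattern, not as something the sandbox states. The embedded event lines and process records are copied from the report above; everything else is constructed for the example.

```python
"""Rebuild the WriteProcessMemory parent->child chain from a sandbox report
and flag the dropped-EXE-in-SysWOW64 / SSODL-autorun pattern on each link."""
import re
from collections import Counter

# Sample input, copied from the report above (a few lines of the full list).
WRITE_EVENTS = """\
PID 2688 wrote to memory of 1812 2688 Hhaope32.exe 105
PID 1812 wrote to memory of 4144 1812 Iiokacgp.exe 106
PID 1812 wrote to memory of 4144 1812 Iiokacgp.exe 106
PID 4144 wrote to memory of 4348 4144 Jginej32.exe 107
PID 4348 wrote to memory of 4976 4348 Kfaglf32.exe 108
PID 4976 wrote to memory of 940 4976 Kidmcqeg.exe 109
"""

# Sample process records (PID, recorded image path, signature tags), copied
# from the process tree above. Note the image path is SysWOW64 although the
# command line said system32: WOW64 file-system redirection for a 32-bit process.
AUTORUN = "Adds autorun key to be loaded by Explorer.exe on startup"
DROPPED = "Executes dropped EXE"
WPM = "Suspicious use of WriteProcessMemory"
PROCESSES = [
    (2688, r"C:\Windows\SysWOW64\Hhaope32.exe", {DROPPED, WPM}),
    (1812, r"C:\Windows\SysWOW64\Iiokacgp.exe", {AUTORUN, DROPPED, WPM}),
    (4144, r"C:\Windows\SysWOW64\Jginej32.exe", {DROPPED, "Drops file in System32 directory", WPM}),
    (4348, r"C:\Windows\SysWOW64\Kfaglf32.exe", {AUTORUN, DROPPED, WPM}),
    (4976, r"C:\Windows\SysWOW64\Kidmcqeg.exe", {DROPPED, WPM}),
    (940, r"C:\Windows\SysWOW64\Lmfodn32.exe", {DROPPED, WPM}),
]

# Column layout as printed: "PID <src> wrote to memory of <dst> <src> <image> <index>".
EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+$")
# Observed naming scheme in this report: six letters followed by two letters or "32".
DROPPED_NAME_RE = re.compile(r"^[A-Za-z]{6}(?:[A-Za-z]{2}|32)\.exe$")
SYSWOW64_PREFIX = "c:\\windows\\syswow64\\"


def parse_write_events(text):
    """Map source PID -> set of target PIDs. The sandbox repeats the same call
    several times, so a set collapses the duplicates into one edge."""
    edges = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            edges.setdefault(int(m.group(1)), set()).add(int(m.group(2)))
    return edges


def follow_chain(edges, root):
    """Walk root -> child -> grandchild while each process writes into exactly
    one new child; stop on fan-out or on a PID already visited (PID reuse)."""
    chain, seen, cur = [root], {root}, root
    while cur in edges:
        targets = edges[cur] - seen
        if len(targets) != 1:
            break
        cur = targets.pop()
        chain.append(cur)
        seen.add(cur)
    return chain


def triage(events_text, processes, root_pid):
    """Return the PID chain and, per link, which parts of the pattern the child shows."""
    by_pid = {pid: (path, tags) for pid, path, tags in processes}
    chain = follow_chain(parse_write_events(events_text), root_pid)
    findings = []
    for parent, child in zip(chain, chain[1:]):
        path, tags = by_pid.get(child, ("", set()))
        name = path.rsplit("\\", 1)[-1]
        findings.append({
            "parent": parent,
            "child": child,
            "image": name,
            # match the on-disk path, not the system32 string from the command line
            "dropped_into_syswow64": path.lower().startswith(SYSWOW64_PREFIX) and DROPPED in tags,
            "random_name": bool(DROPPED_NAME_RE.match(name)),
            "ssodl_autorun": AUTORUN in tags,
        })
    return chain, findings


def summarize(findings):
    """Count how many links in the chain show each indicator."""
    counts = Counter()
    for f in findings:
        for key in ("dropped_into_syswow64", "random_name", "ssodl_autorun"):
            counts[key] += int(f[key])
    return dict(counts)


if __name__ == "__main__":
    chain, findings = triage(WRITE_EVENTS, PROCESSES, 2688)
    print("chain:", " -> ".join(str(p) for p in chain))
    for f in findings:
        print(f)
    print(summarize(findings))
```

Run it on the full event list and process tree rather than the excerpt to see the whole chain; the stop condition in follow_chain matters there because several PIDs (4808, 5032, 1348, 4416, 4348, 2568, 1992) are reused by later processes in this report.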