Analysis
-
max time kernel
125s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
23/06/2024, 23:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7b438b4e4de254be629888d897838aaa60957736d11545c8f8d2931890926245.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
7b438b4e4de254be629888d897838aaa60957736d11545c8f8d2931890926245.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
7b438b4e4de254be629888d897838aaa60957736d11545c8f8d2931890926245.exe
-
Size
359KB
-
MD5
652ff6105b308f8883262a5b3017eebe
-
SHA1
993db5f698f7f2672fdd0633eb9f4515b38fb377
-
SHA256
7b438b4e4de254be629888d897838aaa60957736d11545c8f8d2931890926245
-
SHA512
3a8a90e45dc3f49390e7ac11ede15a17b230f1bb7954ed86000bf9195d2e65ccbc9632978881a1276d41147c3efe62cf1058ca7eafa290a64dd1f9d9fa5ea7a1
-
SSDEEP
6144:IZy5+qHHMUZYVrOigcC6oQ6+EcC6oQ6+YahBQyiTACPTRN6+YahBQyiTAgiuMRl0:IW+qHHMBK9E6n9E6vah6yiMCPTRN6vaU
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clgbmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gijmad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiphjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eojiqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qlimed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iojbpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjaabq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iidphgcn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpioin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Legben32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffqhcq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfchlbfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpqldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adikdfna.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bffcpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbeejp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlgepanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgqlcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojhpimhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hicpgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcfbkpab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Padnaq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Addaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnkbcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpfgmnfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlkfbocp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pidlqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebdcld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogjdmbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckgohf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnoddcef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kamjda32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbagbebm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bomkcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmfkhmdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iahgad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kefiopki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nagpeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofkgcobj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jllhpkfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkekjdck.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkjmlaac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpdennml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aajohjon.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljhnlb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaplqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mchppmij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogjdmbil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofjqihnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnhdgpii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dafppp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbldphde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhoahh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcdeeq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hehkajig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcoaglhk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpenfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joahqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iacngdgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipgkjlmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmenca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqlfhjig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnnccl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljaoeini.exe -
Executes dropped EXE 64 IoCs
pid Process 1028 Ljaoeini.exe 2444 Lgepom32.exe 3696 Lnohlgep.exe 3312 Lmbhgd32.exe 2156 Ldipha32.exe 1220 Lndagg32.exe 4844 Mglfplgk.exe 4948 Mminhceb.exe 3364 Mkjnfkma.exe 3340 Mcecjmkl.exe 1832 Mnkggfkb.exe 3712 Mchppmij.exe 5092 Mnmdme32.exe 1436 Megljppl.exe 2188 Mkadfj32.exe 1096 Nmenca32.exe 3428 Ncofplba.exe 4220 Nmgjia32.exe 4364 Njkkbehl.exe 1152 Nccokk32.exe 4720 Nnicid32.exe 1720 Nagpeo32.exe 3144 Nmnqjp32.exe 4152 Najmjokc.exe 2452 Omqmop32.exe 1616 Onpjichj.exe 3956 Ohhnbhok.exe 1768 Oaqbkn32.exe 436 Oeokal32.exe 2348 Ohmhmh32.exe 1556 Plkpcfal.exe 4504 Phaahggp.exe 3504 Pdhbmh32.exe 3952 Ponfka32.exe 3808 Pdkoch32.exe 1312 Paoollik.exe 4280 Pdmkhgho.exe 1924 Qmepam32.exe 4508 Qlgpod32.exe 4804 Qmhlgmmm.exe 2360 Qeodhjmo.exe 1268 Qlimed32.exe 1580 Addaif32.exe 772 Alkijdci.exe 4432 Aahbbkaq.exe 3508 Aajohjon.exe 2288 Adikdfna.exe 3912 Akccap32.exe 2812 Aehgnied.exe 4004 Ahgcjddh.exe 1196 Ahippdbe.exe 2824 Bnfihkqm.exe 4452 Bemqih32.exe 3484 Blgifbil.exe 908 Bnhenj32.exe 2748 Bepmoh32.exe 2928 Bklfgo32.exe 1524 Bnkbcj32.exe 4264 Bahkih32.exe 1880 Bhbcfbjk.exe 1704 Bomkcm32.exe 3108 Bffcpg32.exe 2952 Blqllqqa.exe 3960 Chglab32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fbmohmoh.exe Fooclapd.exe File created C:\Windows\SysWOW64\Galoohke.exe Gnnccl32.exe File created C:\Windows\SysWOW64\Megljppl.exe Mnmdme32.exe File created C:\Windows\SysWOW64\Dllfqd32.dll Dgcihgaj.exe File opened for modification C:\Windows\SysWOW64\Legben32.exe Lomjicei.exe File created C:\Windows\SysWOW64\Obgbikfp.dll Bahkih32.exe File created C:\Windows\SysWOW64\Pmpockdl.dll Afbgkl32.exe File created C:\Windows\SysWOW64\Ceohefin.dll Mfbaalbi.exe File created C:\Windows\SysWOW64\Glkmmefl.exe Gimqajgh.exe File created C:\Windows\SysWOW64\Fbiipkjk.dll Mkjnfkma.exe File created C:\Windows\SysWOW64\Iankhggi.dll Mapppn32.exe File opened for modification C:\Windows\SysWOW64\Lplfcf32.exe Lhenai32.exe File created C:\Windows\SysWOW64\Fmfgek32.exe Flfkkhid.exe File created C:\Windows\SysWOW64\Oclknk32.dll Fefedmil.exe File opened for modification C:\Windows\SysWOW64\Ocaebc32.exe Omgmeigd.exe File created C:\Windows\SysWOW64\Ineedcfb.dll Chglab32.exe File opened for modification C:\Windows\SysWOW64\Dddllkbf.exe Dafppp32.exe File opened for modification C:\Windows\SysWOW64\Gnnccl32.exe Fiqjke32.exe File created C:\Windows\SysWOW64\Adkqoohc.exe Aonhghjl.exe File opened for modification C:\Windows\SysWOW64\Hnbeeiji.exe Hppeim32.exe File created C:\Windows\SysWOW64\Jgddkelm.dll Bdfpkm32.exe File created C:\Windows\SysWOW64\Cpfcfmlp.exe Cnhgjaml.exe File opened for modification C:\Windows\SysWOW64\Gldglf32.exe Gejopl32.exe File created C:\Windows\SysWOW64\Gimngjie.dll Ehbnigjj.exe File created C:\Windows\SysWOW64\Afnqfkij.dll Dmlkhofd.exe File created C:\Windows\SysWOW64\Kpcjgnhb.exe Kjjbjd32.exe File created C:\Windows\SysWOW64\Mmfkhmdi.exe Ljhnlb32.exe File opened for modification C:\Windows\SysWOW64\Enpfan32.exe Ekajec32.exe File opened for modification C:\Windows\SysWOW64\Hppeim32.exe Hifmmb32.exe File created C:\Windows\SysWOW64\Idknpoad.dll Ihpcinld.exe File created C:\Windows\SysWOW64\Kabcopmg.exe Kpqggh32.exe File created C:\Windows\SysWOW64\Icbcjhfb.dll Ocnabm32.exe File created C:\Windows\SysWOW64\Iikikigb.dll Cbdjeg32.exe File created C:\Windows\SysWOW64\Ocgbld32.exe Oaifpi32.exe File created C:\Windows\SysWOW64\Gejqna32.dll Ofgdcipq.exe File created C:\Windows\SysWOW64\Illfdc32.exe Iinjhh32.exe File created C:\Windows\SysWOW64\Fmlbhekk.dll Fnipbc32.exe File created C:\Windows\SysWOW64\Nmgjia32.exe Ncofplba.exe File opened for modification C:\Windows\SysWOW64\Kpoalo32.exe Knqepc32.exe File opened for modification C:\Windows\SysWOW64\Padnaq32.exe Pjjfdfbb.exe File created C:\Windows\SysWOW64\Gpcpel32.dll Jnlkedai.exe File created C:\Windows\SysWOW64\Nbphglbe.exe Nmcpoedn.exe File opened for modification C:\Windows\SysWOW64\Gpnfge32.exe Gmojkj32.exe File opened for modification C:\Windows\SysWOW64\Gfjkjo32.exe Gncchb32.exe File created C:\Windows\SysWOW64\Fnipbc32.exe Flkdfh32.exe File created C:\Windows\SysWOW64\Olieecnn.dll Jgpfbjlo.exe File created C:\Windows\SysWOW64\Idllbp32.dll Qlimed32.exe File created C:\Windows\SysWOW64\Jbklgfdh.dll Iliinc32.exe File created C:\Windows\SysWOW64\Lfbped32.exe Lcdciiec.exe File opened for modification C:\Windows\SysWOW64\Iogopi32.exe Ipdndloi.exe File opened for modification C:\Windows\SysWOW64\Ieccbbkn.exe Iahgad32.exe File created C:\Windows\SysWOW64\Mjknojbk.dll Qlgpod32.exe File created C:\Windows\SysWOW64\Oaifpi32.exe Onkidm32.exe File opened for modification C:\Windows\SysWOW64\Flmqlg32.exe Ffqhcq32.exe File created C:\Windows\SysWOW64\Johggfha.exe Jlikkkhn.exe File created C:\Windows\SysWOW64\Eepmqdbn.dll Afpjel32.exe File created C:\Windows\SysWOW64\Qlimed32.exe Qeodhjmo.exe File created C:\Windows\SysWOW64\Kegpifod.exe Komhll32.exe File created C:\Windows\SysWOW64\Bkgeainn.exe Bhhiemoj.exe File opened for modification C:\Windows\SysWOW64\Hbgkei32.exe Hpioin32.exe File created C:\Windows\SysWOW64\Hfaajnfb.exe Gbeejp32.exe File created C:\Windows\SysWOW64\Gehcdm32.dll Nmgjia32.exe File created C:\Windows\SysWOW64\Nalhik32.dll Dafppp32.exe File created C:\Windows\SysWOW64\Ibgdlg32.exe Ilnlom32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 13300 13220 WerFault.exe 631 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eejeiocj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbdlf32.dll" Lgdidgjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pagbaglh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnjqmpgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbegn32.dll" Ljdkll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nccokk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bnhenj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnkbcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idkobdie.dll" Kekbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Loacdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mqfpckhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Occmjg32.dll" Pnmopk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fijdjfdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jafdcbge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ablmdkdf.dll" Kefiopki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anlkecaj.dll" Padnaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdpkjpdi.dll" Lgepom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bffcpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gnnccl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhkdqh32.dll" Joqafgni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kidben32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpoalo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oaplqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjecbd32.dll" Bmjkic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mkadfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npgmpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenghpla.dll" Eejeiocj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbenoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oqoefand.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppioondd.dll" Dfdpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogbdnipf.dll" Efjbcakl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbmohmoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gejhef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddjmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifolcq32.dll" Mfnoqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlikkkhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njjmni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lippqp32.dll" Fnlmhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkphhg32.dll" Gijmad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgcme32.dll" Bnhenj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mqdcnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncnofeof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phonha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Doccpcja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Alkijdci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hicpgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amdcghbo.dll" Jgmjmjnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mnegbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekgliip.dll" Cpfcfmlp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oiagde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iojbpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nfcabp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amcehdod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aehgnied.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lnoaaaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Libmeq32.dll" Gkdpbpih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdmkhgho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afbgkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbobifpp.dll" Chfegk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Momcpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejqna32.dll" Ofgdcipq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnkggfkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgfeip32.dll" Cbfgkffn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdbpgl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4180 wrote to memory of 1028 4180 7b438b4e4de254be629888d897838aaa60957736d11545c8f8d2931890926245.exe 88 PID 4180 wrote to memory of 1028 4180 7b438b4e4de254be629888d897838aaa60957736d11545c8f8d2931890926245.exe 88 PID 4180 wrote to memory of 1028 4180 7b438b4e4de254be629888d897838aaa60957736d11545c8f8d2931890926245.exe 88 PID 1028 wrote to memory of 2444 1028 Ljaoeini.exe 89 PID 1028 wrote to memory of 2444 1028 Ljaoeini.exe 89 PID 1028 wrote to memory of 2444 1028 Ljaoeini.exe 89 PID 2444 wrote to memory of 3696 2444 Lgepom32.exe 90 PID 2444 wrote to memory of 3696 2444 Lgepom32.exe 90 PID 2444 wrote to memory of 3696 2444 Lgepom32.exe 90 PID 3696 wrote to memory of 3312 3696 Lnohlgep.exe 91 PID 3696 wrote to memory of 3312 3696 Lnohlgep.exe 91 PID 3696 wrote to memory of 3312 3696 Lnohlgep.exe 91 PID 3312 wrote to memory of 2156 3312 Lmbhgd32.exe 92 PID 3312 wrote to memory of 2156 3312 Lmbhgd32.exe 92 PID 3312 wrote to memory of 2156 3312 Lmbhgd32.exe 92 PID 2156 wrote to memory of 1220 2156 Ldipha32.exe 93 PID 2156 wrote to memory of 1220 2156 Ldipha32.exe 93 PID 2156 wrote to memory of 1220 2156 Ldipha32.exe 93 PID 1220 wrote to memory of 4844 1220 Lndagg32.exe 94 PID 1220 wrote to memory of 4844 1220 Lndagg32.exe 94 PID 1220 wrote to memory of 4844 1220 Lndagg32.exe 94 PID 4844 wrote to memory of 4948 4844 Mglfplgk.exe 95 PID 4844 wrote to memory of 4948 4844 Mglfplgk.exe 95 PID 4844 wrote to memory of 4948 4844 Mglfplgk.exe 95 PID 4948 wrote to memory of 3364 4948 Mminhceb.exe 96 PID 4948 wrote to memory of 3364 4948 Mminhceb.exe 96 PID 4948 wrote to memory of 3364 4948 Mminhceb.exe 96 PID 3364 wrote to memory of 3340 3364 Mkjnfkma.exe 97 PID 3364 wrote to memory of 3340 3364 Mkjnfkma.exe 97 PID 3364 wrote to memory of 3340 3364 Mkjnfkma.exe 97 PID 3340 wrote to memory of 1832 3340 Mcecjmkl.exe 98 PID 3340 wrote to memory of 1832 3340 Mcecjmkl.exe 98 PID 3340 wrote to memory of 1832 3340 Mcecjmkl.exe 98 PID 1832 wrote to memory of 3712 1832 Mnkggfkb.exe 99 PID 1832 wrote to memory of 3712 1832 Mnkggfkb.exe 99 PID 1832 wrote to memory of 3712 1832 Mnkggfkb.exe 99 PID 3712 wrote to memory of 5092 3712 Mchppmij.exe 100 PID 3712 wrote to memory of 5092 3712 Mchppmij.exe 100 PID 3712 wrote to memory of 5092 3712 Mchppmij.exe 100 PID 5092 wrote to memory of 1436 5092 Mnmdme32.exe 101 PID 5092 wrote to memory of 1436 5092 Mnmdme32.exe 101 PID 5092 wrote to memory of 1436 5092 Mnmdme32.exe 101 PID 1436 wrote to memory of 2188 1436 Megljppl.exe 102 PID 1436 wrote to memory of 2188 1436 Megljppl.exe 102 PID 1436 wrote to memory of 2188 1436 Megljppl.exe 102 PID 2188 wrote to memory of 1096 2188 Mkadfj32.exe 103 PID 2188 wrote to memory of 1096 2188 Mkadfj32.exe 103 PID 2188 wrote to memory of 1096 2188 Mkadfj32.exe 103 PID 1096 wrote to memory of 3428 1096 Nmenca32.exe 104 PID 1096 wrote to memory of 3428 1096 Nmenca32.exe 104 PID 1096 wrote to memory of 3428 1096 Nmenca32.exe 104 PID 3428 wrote to memory of 4220 3428 Ncofplba.exe 105 PID 3428 wrote to memory of 4220 3428 Ncofplba.exe 105 PID 3428 wrote to memory of 4220 3428 Ncofplba.exe 105 PID 4220 wrote to memory of 4364 4220 Nmgjia32.exe 106 PID 4220 wrote to memory of 4364 4220 Nmgjia32.exe 106 PID 4220 wrote to memory of 4364 4220 Nmgjia32.exe 106 PID 4364 wrote to memory of 1152 4364 Njkkbehl.exe 107 PID 4364 wrote to memory of 1152 4364 Njkkbehl.exe 107 PID 4364 wrote to memory of 1152 4364 Njkkbehl.exe 107 PID 1152 wrote to memory of 4720 1152 Nccokk32.exe 108 PID 1152 wrote to memory of 4720 1152 Nccokk32.exe 108 PID 1152 wrote to memory of 4720 1152 Nccokk32.exe 108 PID 4720 wrote to memory of 1720 4720 Nnicid32.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\7b438b4e4de254be629888d897838aaa60957736d11545c8f8d2931890926245.exe"C:\Users\Admin\AppData\Local\Temp\7b438b4e4de254be629888d897838aaa60957736d11545c8f8d2931890926245.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4180 -
C:\Windows\SysWOW64\Ljaoeini.exeC:\Windows\system32\Ljaoeini.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\Lgepom32.exeC:\Windows\system32\Lgepom32.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Lnohlgep.exeC:\Windows\system32\Lnohlgep.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\SysWOW64\Lmbhgd32.exeC:\Windows\system32\Lmbhgd32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Windows\SysWOW64\Ldipha32.exeC:\Windows\system32\Ldipha32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Lndagg32.exeC:\Windows\system32\Lndagg32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\SysWOW64\Mglfplgk.exeC:\Windows\system32\Mglfplgk.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\SysWOW64\Mminhceb.exeC:\Windows\system32\Mminhceb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SysWOW64\Mkjnfkma.exeC:\Windows\system32\Mkjnfkma.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3364 -
C:\Windows\SysWOW64\Mcecjmkl.exeC:\Windows\system32\Mcecjmkl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
C:\Windows\SysWOW64\Mnkggfkb.exeC:\Windows\system32\Mnkggfkb.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\SysWOW64\Mchppmij.exeC:\Windows\system32\Mchppmij.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\Windows\SysWOW64\Mnmdme32.exeC:\Windows\system32\Mnmdme32.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Windows\SysWOW64\Megljppl.exeC:\Windows\system32\Megljppl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Mkadfj32.exeC:\Windows\system32\Mkadfj32.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Nmenca32.exeC:\Windows\system32\Nmenca32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Ncofplba.exeC:\Windows\system32\Ncofplba.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3428 -
C:\Windows\SysWOW64\Nmgjia32.exeC:\Windows\system32\Nmgjia32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4220 -
C:\Windows\SysWOW64\Njkkbehl.exeC:\Windows\system32\Njkkbehl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
C:\Windows\SysWOW64\Nccokk32.exeC:\Windows\system32\Nccokk32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Nnicid32.exeC:\Windows\system32\Nnicid32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\SysWOW64\Nagpeo32.exeC:\Windows\system32\Nagpeo32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Nmnqjp32.exeC:\Windows\system32\Nmnqjp32.exe24⤵
- Executes dropped EXE
PID:3144 -
C:\Windows\SysWOW64\Najmjokc.exeC:\Windows\system32\Najmjokc.exe25⤵
- Executes dropped EXE
PID:4152 -
C:\Windows\SysWOW64\Omqmop32.exeC:\Windows\system32\Omqmop32.exe26⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Onpjichj.exeC:\Windows\system32\Onpjichj.exe27⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Ohhnbhok.exeC:\Windows\system32\Ohhnbhok.exe28⤵
- Executes dropped EXE
PID:3956 -
C:\Windows\SysWOW64\Oaqbkn32.exeC:\Windows\system32\Oaqbkn32.exe29⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Oeokal32.exeC:\Windows\system32\Oeokal32.exe30⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Ohmhmh32.exeC:\Windows\system32\Ohmhmh32.exe31⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Plkpcfal.exeC:\Windows\system32\Plkpcfal.exe32⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Phaahggp.exeC:\Windows\system32\Phaahggp.exe33⤵
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\Pdhbmh32.exeC:\Windows\system32\Pdhbmh32.exe34⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Ponfka32.exeC:\Windows\system32\Ponfka32.exe35⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Pdkoch32.exeC:\Windows\system32\Pdkoch32.exe36⤵
- Executes dropped EXE
PID:3808 -
C:\Windows\SysWOW64\Paoollik.exeC:\Windows\system32\Paoollik.exe37⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Pdmkhgho.exeC:\Windows\system32\Pdmkhgho.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:4280 -
C:\Windows\SysWOW64\Qmepam32.exeC:\Windows\system32\Qmepam32.exe39⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Qlgpod32.exeC:\Windows\system32\Qlgpod32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4508 -
C:\Windows\SysWOW64\Qmhlgmmm.exeC:\Windows\system32\Qmhlgmmm.exe41⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Qeodhjmo.exeC:\Windows\system32\Qeodhjmo.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\Qlimed32.exeC:\Windows\system32\Qlimed32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1268 -
C:\Windows\SysWOW64\Addaif32.exeC:\Windows\system32\Addaif32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Alkijdci.exeC:\Windows\system32\Alkijdci.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:772 -
C:\Windows\SysWOW64\Aahbbkaq.exeC:\Windows\system32\Aahbbkaq.exe46⤵
- Executes dropped EXE
PID:4432 -
C:\Windows\SysWOW64\Aajohjon.exeC:\Windows\system32\Aajohjon.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3508 -
C:\Windows\SysWOW64\Adikdfna.exeC:\Windows\system32\Adikdfna.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Akccap32.exeC:\Windows\system32\Akccap32.exe49⤵
- Executes dropped EXE
PID:3912 -
C:\Windows\SysWOW64\Aehgnied.exeC:\Windows\system32\Aehgnied.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Ahgcjddh.exeC:\Windows\system32\Ahgcjddh.exe51⤵
- Executes dropped EXE
PID:4004 -
C:\Windows\SysWOW64\Akepfpcl.exeC:\Windows\system32\Akepfpcl.exe52⤵PID:1244
-
C:\Windows\SysWOW64\Ahippdbe.exeC:\Windows\system32\Ahippdbe.exe53⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Bnfihkqm.exeC:\Windows\system32\Bnfihkqm.exe54⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Bemqih32.exeC:\Windows\system32\Bemqih32.exe55⤵
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\Blgifbil.exeC:\Windows\system32\Blgifbil.exe56⤵
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\Bnhenj32.exeC:\Windows\system32\Bnhenj32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:908 -
C:\Windows\SysWOW64\Bepmoh32.exeC:\Windows\system32\Bepmoh32.exe58⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Bklfgo32.exeC:\Windows\system32\Bklfgo32.exe59⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Bnkbcj32.exeC:\Windows\system32\Bnkbcj32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Bahkih32.exeC:\Windows\system32\Bahkih32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4264 -
C:\Windows\SysWOW64\Bhbcfbjk.exeC:\Windows\system32\Bhbcfbjk.exe62⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Bomkcm32.exeC:\Windows\system32\Bomkcm32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Bffcpg32.exeC:\Windows\system32\Bffcpg32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3108 -
C:\Windows\SysWOW64\Blqllqqa.exeC:\Windows\system32\Blqllqqa.exe65⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Chglab32.exeC:\Windows\system32\Chglab32.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3960 -
C:\Windows\SysWOW64\Cbpajgmf.exeC:\Windows\system32\Cbpajgmf.exe67⤵PID:3332
-
C:\Windows\SysWOW64\Cfkmkf32.exeC:\Windows\system32\Cfkmkf32.exe68⤵PID:348
-
C:\Windows\SysWOW64\Chiigadc.exeC:\Windows\system32\Chiigadc.exe69⤵PID:2844
-
C:\Windows\SysWOW64\Cocacl32.exeC:\Windows\system32\Cocacl32.exe70⤵PID:4068
-
C:\Windows\SysWOW64\Cbbnpg32.exeC:\Windows\system32\Cbbnpg32.exe71⤵PID:4584
-
C:\Windows\SysWOW64\Clgbmp32.exeC:\Windows\system32\Clgbmp32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3880 -
C:\Windows\SysWOW64\Ckjbhmad.exeC:\Windows\system32\Ckjbhmad.exe73⤵PID:3088
-
C:\Windows\SysWOW64\Cbdjeg32.exeC:\Windows\system32\Cbdjeg32.exe74⤵
- Drops file in System32 directory
PID:4444 -
C:\Windows\SysWOW64\Chnbbqpn.exeC:\Windows\system32\Chnbbqpn.exe75⤵PID:2096
-
C:\Windows\SysWOW64\Ckmonl32.exeC:\Windows\system32\Ckmonl32.exe76⤵PID:3092
-
C:\Windows\SysWOW64\Cbfgkffn.exeC:\Windows\system32\Cbfgkffn.exe77⤵
- Modifies registry class
PID:4240 -
C:\Windows\SysWOW64\Cdecgbfa.exeC:\Windows\system32\Cdecgbfa.exe78⤵PID:5164
-
C:\Windows\SysWOW64\Dmlkhofd.exeC:\Windows\system32\Dmlkhofd.exe79⤵
- Drops file in System32 directory
PID:5200 -
C:\Windows\SysWOW64\Dnmhpg32.exeC:\Windows\system32\Dnmhpg32.exe80⤵PID:5248
-
C:\Windows\SysWOW64\Dfdpad32.exeC:\Windows\system32\Dfdpad32.exe81⤵
- Modifies registry class
PID:5284 -
C:\Windows\SysWOW64\Dhclmp32.exeC:\Windows\system32\Dhclmp32.exe82⤵PID:5328
-
C:\Windows\SysWOW64\Ddjmba32.exeC:\Windows\system32\Ddjmba32.exe83⤵
- Modifies registry class
PID:5388 -
C:\Windows\SysWOW64\Dmadco32.exeC:\Windows\system32\Dmadco32.exe84⤵PID:5432
-
C:\Windows\SysWOW64\Digehphc.exeC:\Windows\system32\Digehphc.exe85⤵PID:5476
-
C:\Windows\SysWOW64\Dndnpf32.exeC:\Windows\system32\Dndnpf32.exe86⤵PID:5524
-
C:\Windows\SysWOW64\Dijbno32.exeC:\Windows\system32\Dijbno32.exe87⤵PID:5600
-
C:\Windows\SysWOW64\Dbbffdlq.exeC:\Windows\system32\Dbbffdlq.exe88⤵PID:5644
-
C:\Windows\SysWOW64\Ebdcld32.exeC:\Windows\system32\Ebdcld32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5688 -
C:\Windows\SysWOW64\Eecphp32.exeC:\Windows\system32\Eecphp32.exe90⤵PID:5724
-
C:\Windows\SysWOW64\Enkdaepb.exeC:\Windows\system32\Enkdaepb.exe91⤵PID:5772
-
C:\Windows\SysWOW64\Eiahnnph.exeC:\Windows\system32\Eiahnnph.exe92⤵PID:5812
-
C:\Windows\SysWOW64\Ebimgcfi.exeC:\Windows\system32\Ebimgcfi.exe93⤵PID:5860
-
C:\Windows\SysWOW64\Eejeiocj.exeC:\Windows\system32\Eejeiocj.exe94⤵
- Modifies registry class
PID:5904 -
C:\Windows\SysWOW64\Efjbcakl.exeC:\Windows\system32\Efjbcakl.exe95⤵
- Modifies registry class
PID:5948 -
C:\Windows\SysWOW64\Flfkkhid.exeC:\Windows\system32\Flfkkhid.exe96⤵
- Drops file in System32 directory
PID:5988 -
C:\Windows\SysWOW64\Fmfgek32.exeC:\Windows\system32\Fmfgek32.exe97⤵PID:6032
-
C:\Windows\SysWOW64\Fbbpmb32.exeC:\Windows\system32\Fbbpmb32.exe98⤵PID:6072
-
C:\Windows\SysWOW64\Fealin32.exeC:\Windows\system32\Fealin32.exe99⤵PID:6116
-
C:\Windows\SysWOW64\Flkdfh32.exeC:\Windows\system32\Flkdfh32.exe100⤵
- Drops file in System32 directory
PID:5128 -
C:\Windows\SysWOW64\Fnipbc32.exeC:\Windows\system32\Fnipbc32.exe101⤵
- Drops file in System32 directory
PID:5184 -
C:\Windows\SysWOW64\Ffqhcq32.exeC:\Windows\system32\Ffqhcq32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5272 -
C:\Windows\SysWOW64\Flmqlg32.exeC:\Windows\system32\Flmqlg32.exe103⤵PID:5352
-
C:\Windows\SysWOW64\Fnlmhc32.exeC:\Windows\system32\Fnlmhc32.exe104⤵
- Modifies registry class
PID:5440 -
C:\Windows\SysWOW64\Fefedmil.exeC:\Windows\system32\Fefedmil.exe105⤵
- Drops file in System32 directory
PID:5508 -
C:\Windows\SysWOW64\Flpmagqi.exeC:\Windows\system32\Flpmagqi.exe106⤵PID:5612
-
C:\Windows\SysWOW64\Fbjena32.exeC:\Windows\system32\Fbjena32.exe107⤵PID:5656
-
C:\Windows\SysWOW64\Gehbjm32.exeC:\Windows\system32\Gehbjm32.exe108⤵PID:5736
-
C:\Windows\SysWOW64\Gmojkj32.exeC:\Windows\system32\Gmojkj32.exe109⤵
- Drops file in System32 directory
PID:5808 -
C:\Windows\SysWOW64\Gpnfge32.exeC:\Windows\system32\Gpnfge32.exe110⤵PID:5876
-
C:\Windows\SysWOW64\Gejopl32.exeC:\Windows\system32\Gejopl32.exe111⤵
- Drops file in System32 directory
PID:5944 -
C:\Windows\SysWOW64\Gldglf32.exeC:\Windows\system32\Gldglf32.exe112⤵PID:6024
-
C:\Windows\SysWOW64\Gncchb32.exeC:\Windows\system32\Gncchb32.exe113⤵
- Drops file in System32 directory
PID:6080 -
C:\Windows\SysWOW64\Gfjkjo32.exeC:\Windows\system32\Gfjkjo32.exe114⤵PID:1340
-
C:\Windows\SysWOW64\Gihgfk32.exeC:\Windows\system32\Gihgfk32.exe115⤵PID:4644
-
C:\Windows\SysWOW64\Glgcbf32.exeC:\Windows\system32\Glgcbf32.exe116⤵PID:5356
-
C:\Windows\SysWOW64\Gflhoo32.exeC:\Windows\system32\Gflhoo32.exe117⤵PID:5504
-
C:\Windows\SysWOW64\Gikdkj32.exeC:\Windows\system32\Gikdkj32.exe118⤵PID:5564
-
C:\Windows\SysWOW64\Glipgf32.exeC:\Windows\system32\Glipgf32.exe119⤵PID:5720
-
C:\Windows\SysWOW64\Gbchdp32.exeC:\Windows\system32\Gbchdp32.exe120⤵PID:5856
-
C:\Windows\SysWOW64\Gimqajgh.exeC:\Windows\system32\Gimqajgh.exe121⤵
- Drops file in System32 directory
PID:5932
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-