Analysis
-
max time kernel
63s -
max time network
49s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
04-07-2024 22:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
615761bd433e2df430548683632034cdc8656525618359482ad5ea8f3afedc01.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
615761bd433e2df430548683632034cdc8656525618359482ad5ea8f3afedc01.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
615761bd433e2df430548683632034cdc8656525618359482ad5ea8f3afedc01.exe
-
Size
80KB
-
MD5
619f903831978d04161532659ded95a9
-
SHA1
b4ed9bc9fe2f3e90c8fea886be80994c5485a296
-
SHA256
615761bd433e2df430548683632034cdc8656525618359482ad5ea8f3afedc01
-
SHA512
8c7db2d8440f0e2e3e43bcab8ce52f129df4d5cd6eab4a45bb3ca4bc3e53dd0d41fe31bc6a0c5a113c7274b1bec4e273090dd3f25ff7d877c3a73fa9aa78d299
-
SSDEEP
1536:zWDi0W/OK5EwY9oJlMnOrsuCKpEh18dYk5DAmCjGHiw5Ig7RQCR/RgpMujAYC+On:zWdHfgmOrJZa1hV+veCVqLAYC+O+Y
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcbohigp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emkndc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhdjehhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oekpkigo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqdblmhl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjbfklei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iciaqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gdhmnlcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gklnjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mfcmmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhkikq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhbfff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dceohhja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Folaiqng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Filiii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkadoiip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbmncp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohghgodi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cimmggfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffaong32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cglgjeci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdqgmmjb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qceiaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fibojhim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mahnhhod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pnbbbabh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Efmmmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfpojead.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Leopnglc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eibfck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbpnkama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qfpbmfdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pgmcqggf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eopbnbhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qcaofebg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Anmjcieo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bebblb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pcpikkge.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Behbag32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gofkje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhocqigp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Egijmegb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pakllc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffimfqgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcjnoece.exe -
Executes dropped EXE 64 IoCs
pid Process 3228 Ncgkcl32.exe 3924 Nkncdifl.exe 4736 Nnmopdep.exe 2272 Ndghmo32.exe 208 Ngedij32.exe 2196 Njcpee32.exe 1580 Nbkhfc32.exe 1556 Nqmhbpba.exe 5024 Ncldnkae.exe 2812 Nggqoj32.exe 4996 Nnaikd32.exe 3612 Nbmelbid.exe 3344 Nqpego32.exe 3952 Ncnadk32.exe 5052 Okeieh32.exe 3932 Ojhiqefo.exe 1484 Oboaabga.exe 2540 Oqbamo32.exe 2552 Ocqnij32.exe 1424 Okhfjh32.exe 4656 Ojjffddl.exe 2516 Obangb32.exe 5084 Oqdoboli.exe 368 Occkojkm.exe 4732 Okjbpglo.exe 1000 Ojmcld32.exe 4652 Obdkma32.exe 2104 Oqgkhnjf.exe 2556 Ocegdjij.exe 3496 Ogaceh32.exe 2728 Ojopad32.exe 1016 Onklabip.exe 540 Oqihnn32.exe 3204 Odednmpm.exe 2480 Ogcpjhoq.exe 3052 Okolkg32.exe 3908 Ojalgcnd.exe 2996 Onmhgb32.exe 1596 Oqkdcn32.exe 1384 Odgqdlnj.exe 4312 Pcjapi32.exe 1428 Pgemphmn.exe 4264 Pjdilcla.exe 1216 Pnpemb32.exe 1612 Pbkamqmd.exe 2072 Peimil32.exe 1468 Pghieg32.exe 4024 Pkceffcd.exe 2872 Pnbbbabh.exe 1980 Pbmncp32.exe 4644 Pqpnombl.exe 808 Peljol32.exe 4368 Pgjfkg32.exe 3588 Pkfblfab.exe 3516 Pjhbgb32.exe 4716 Pndohaqe.exe 3404 Pbpjhp32.exe 3988 Pabkdmpi.exe 2752 Pcagphom.exe 4892 Pgmcqggf.exe 3252 Pkhoae32.exe 2056 Pnfkma32.exe 2764 Pbbgnpgl.exe 3180 Peqcjkfp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lbpdblmo.exe Ljilqnlm.exe File opened for modification C:\Windows\SysWOW64\Hcmbee32.exe Hdjbiheb.exe File opened for modification C:\Windows\SysWOW64\Qmepam32.exe Process not Found File created C:\Windows\SysWOW64\Kgflcifg.exe Process not Found File created C:\Windows\SysWOW64\Plikcm32.dll Process not Found File created C:\Windows\SysWOW64\Lphdhn32.dll Process not Found File created C:\Windows\SysWOW64\Hpdclcbj.dll Efmmmn32.exe File opened for modification C:\Windows\SysWOW64\Haoimcgg.exe Hkeaqi32.exe File created C:\Windows\SysWOW64\Plbhknkl.dll Hmpjmn32.exe File created C:\Windows\SysWOW64\Cdhhdlid.exe Cmnpgb32.exe File opened for modification C:\Windows\SysWOW64\Inmgmijo.exe Ikokan32.exe File created C:\Windows\SysWOW64\Enbjad32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bafndi32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Iogopi32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Oqbamo32.exe Oboaabga.exe File opened for modification C:\Windows\SysWOW64\Bdolhc32.exe Bbnpqk32.exe File created C:\Windows\SysWOW64\Mlhbal32.exe Miifeq32.exe File created C:\Windows\SysWOW64\Hfdhao32.dll Ieliebnf.exe File created C:\Windows\SysWOW64\Fibojhim.exe Fgdbnmji.exe File created C:\Windows\SysWOW64\Flinkojm.exe Fikbocki.exe File created C:\Windows\SysWOW64\Npbceggm.exe Process not Found File created C:\Windows\SysWOW64\Ddjejl32.exe Calhnpgn.exe File created C:\Windows\SysWOW64\Mjpbam32.exe Miofjepg.exe File opened for modification C:\Windows\SysWOW64\Bjbfklei.exe Bblnindg.exe File created C:\Windows\SysWOW64\Fkldkg32.dll Process not Found File created C:\Windows\SysWOW64\Ohcpka32.dll Process not Found File created C:\Windows\SysWOW64\Lkhpjc32.dll Process not Found File created C:\Windows\SysWOW64\Fooeif32.exe Ffgqqaip.exe File opened for modification C:\Windows\SysWOW64\Mlcifmbl.exe Mgfqmfde.exe File opened for modification C:\Windows\SysWOW64\Ngdmod32.exe Npjebj32.exe File created C:\Windows\SysWOW64\Omcjep32.exe Process not Found File created C:\Windows\SysWOW64\Pqlhmf32.dll Process not Found File created C:\Windows\SysWOW64\Dndfnlpc.dll Process not Found File created C:\Windows\SysWOW64\Bogkmgba.exe Process not Found File created C:\Windows\SysWOW64\Acbmpm32.dll Eoaihhlp.exe File created C:\Windows\SysWOW64\Ohbkfake.dll Olfobjbg.exe File created C:\Windows\SysWOW64\Eajeon32.exe Eolhbc32.exe File created C:\Windows\SysWOW64\Ghpendjj.exe Gfbibikg.exe File opened for modification C:\Windows\SysWOW64\Eifhdd32.exe Eciplm32.exe File created C:\Windows\SysWOW64\Fpdcag32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Aglemn32.exe Acqimo32.exe File opened for modification C:\Windows\SysWOW64\Ajqgidij.exe Agbkmijg.exe File created C:\Windows\SysWOW64\Dcjnoece.exe Dakacjdb.exe File opened for modification C:\Windows\SysWOW64\Fbmohmoh.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pjoppf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Qfcfml32.exe Qceiaa32.exe File created C:\Windows\SysWOW64\Neffpj32.exe Nchjdo32.exe File created C:\Windows\SysWOW64\Cpchnbbb.dll Llhikacp.exe File opened for modification C:\Windows\SysWOW64\Enkmfolf.exe Process not Found File created C:\Windows\SysWOW64\Keqdmihc.exe Kbbhqn32.exe File created C:\Windows\SysWOW64\Ipjoja32.exe Process not Found File created C:\Windows\SysWOW64\Dhhfedil.exe Dpqodfij.exe File created C:\Windows\SysWOW64\Accimdgp.dll Process not Found File created C:\Windows\SysWOW64\Nfihbk32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Aglnbhal.exe Aodfajaj.exe File created C:\Windows\SysWOW64\Debbhd32.dll Embkoi32.exe File opened for modification C:\Windows\SysWOW64\Hmbfbn32.exe Hkdjfb32.exe File created C:\Windows\SysWOW64\Kpjbdk32.dll Process not Found File created C:\Windows\SysWOW64\Ngedij32.exe Ndghmo32.exe File opened for modification C:\Windows\SysWOW64\Dfiafg32.exe Ddjejl32.exe File created C:\Windows\SysWOW64\Okedcjcm.exe Ohghgodi.exe File opened for modification C:\Windows\SysWOW64\Dmalne32.exe Djcoai32.exe File opened for modification C:\Windows\SysWOW64\Fmkgkapm.exe Fipkjb32.exe File created C:\Windows\SysWOW64\Cajdjn32.dll Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 1200 16200 Process not Found 1755 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgcqbd32.dll" Pbpjhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cikglnkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aojjhafd.dll" Cibmlmeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dfmcfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Micoommd.dll" Cfldelik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hmpjmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ocnjidkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kpdboimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihjoke32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mohjdmko.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbqcnc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjehdpem.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gempgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ghhhcomg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jkkjmlan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Acnemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Neoieenp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhqigge.dll" Peqcjkfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ifefimom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ehiffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poblig32.dll" Pfnegggi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cmfclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jibmgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnadil32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll" Pjmehkqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll" Cjbpaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dmihij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fccfqqkf.dll" Bjlpjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fonnop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ghniielm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbbeh32.dll" Bcbohigp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccbakce.dll" Fjohde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qffkpn32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlelal32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lfkaag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cjbpaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmkjkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noeocqni.dll" Mhdjehhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbllbmg.dll" Phjenbhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpdfnolo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Knkekn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nhbolp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ajkhdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bjdkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Likage32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blqhpg32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqolaipg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hhnbpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Idghpmnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Okhfjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1820 wrote to memory of 3228 1820 615761bd433e2df430548683632034cdc8656525618359482ad5ea8f3afedc01.exe 81 PID 1820 wrote to memory of 3228 1820 615761bd433e2df430548683632034cdc8656525618359482ad5ea8f3afedc01.exe 81 PID 1820 wrote to memory of 3228 1820 615761bd433e2df430548683632034cdc8656525618359482ad5ea8f3afedc01.exe 81 PID 3228 wrote to memory of 3924 3228 Ncgkcl32.exe 82 PID 3228 wrote to memory of 3924 3228 Ncgkcl32.exe 82 PID 3228 wrote to memory of 3924 3228 Ncgkcl32.exe 82 PID 3924 wrote to memory of 4736 3924 Nkncdifl.exe 83 PID 3924 wrote to memory of 4736 3924 Nkncdifl.exe 83 PID 3924 wrote to memory of 4736 3924 Nkncdifl.exe 83 PID 4736 wrote to memory of 2272 4736 Nnmopdep.exe 84 PID 4736 wrote to memory of 2272 4736 Nnmopdep.exe 84 PID 4736 wrote to memory of 2272 4736 Nnmopdep.exe 84 PID 2272 wrote to memory of 208 2272 Ndghmo32.exe 85 PID 2272 wrote to memory of 208 2272 Ndghmo32.exe 85 PID 2272 wrote to memory of 208 2272 Ndghmo32.exe 85 PID 208 wrote to memory of 2196 208 Ngedij32.exe 86 PID 208 wrote to memory of 2196 208 Ngedij32.exe 86 PID 208 wrote to memory of 2196 208 Ngedij32.exe 86 PID 2196 wrote to memory of 1580 2196 Njcpee32.exe 87 PID 2196 wrote to memory of 1580 2196 Njcpee32.exe 87 PID 2196 wrote to memory of 1580 2196 Njcpee32.exe 87 PID 1580 wrote to memory of 1556 1580 Nbkhfc32.exe 88 PID 1580 wrote to memory of 1556 1580 Nbkhfc32.exe 88 PID 1580 wrote to memory of 1556 1580 Nbkhfc32.exe 88 PID 1556 wrote to memory of 5024 1556 Nqmhbpba.exe 89 PID 1556 wrote to memory of 5024 1556 Nqmhbpba.exe 89 PID 1556 wrote to memory of 5024 1556 Nqmhbpba.exe 89 PID 5024 wrote to memory of 2812 5024 Ncldnkae.exe 90 PID 5024 wrote to memory of 2812 5024 Ncldnkae.exe 90 PID 5024 wrote to memory of 2812 5024 Ncldnkae.exe 90 PID 2812 wrote to memory of 4996 2812 Nggqoj32.exe 91 PID 2812 wrote to memory of 4996 2812 Nggqoj32.exe 91 PID 2812 wrote to memory of 4996 2812 Nggqoj32.exe 91 PID 4996 wrote to memory of 3612 4996 Nnaikd32.exe 92 PID 4996 wrote to memory of 3612 4996 Nnaikd32.exe 92 PID 4996 wrote to memory of 3612 4996 Nnaikd32.exe 92 PID 3612 wrote to memory of 3344 3612 Nbmelbid.exe 93 PID 3612 wrote to memory of 3344 3612 Nbmelbid.exe 93 PID 3612 wrote to memory of 3344 3612 Nbmelbid.exe 93 PID 3344 wrote to memory of 3952 3344 Nqpego32.exe 94 PID 3344 wrote to memory of 3952 3344 Nqpego32.exe 94 PID 3344 wrote to memory of 3952 3344 Nqpego32.exe 94 PID 3952 wrote to memory of 5052 3952 Ncnadk32.exe 95 PID 3952 wrote to memory of 5052 3952 Ncnadk32.exe 95 PID 3952 wrote to memory of 5052 3952 Ncnadk32.exe 95 PID 5052 wrote to memory of 3932 5052 Okeieh32.exe 96 PID 5052 wrote to memory of 3932 5052 Okeieh32.exe 96 PID 5052 wrote to memory of 3932 5052 Okeieh32.exe 96 PID 3932 wrote to memory of 1484 3932 Ojhiqefo.exe 97 PID 3932 wrote to memory of 1484 3932 Ojhiqefo.exe 97 PID 3932 wrote to memory of 1484 3932 Ojhiqefo.exe 97 PID 1484 wrote to memory of 2540 1484 Oboaabga.exe 98 PID 1484 wrote to memory of 2540 1484 Oboaabga.exe 98 PID 1484 wrote to memory of 2540 1484 Oboaabga.exe 98 PID 2540 wrote to memory of 2552 2540 Oqbamo32.exe 99 PID 2540 wrote to memory of 2552 2540 Oqbamo32.exe 99 PID 2540 wrote to memory of 2552 2540 Oqbamo32.exe 99 PID 2552 wrote to memory of 1424 2552 Ocqnij32.exe 100 PID 2552 wrote to memory of 1424 2552 Ocqnij32.exe 100 PID 2552 wrote to memory of 1424 2552 Ocqnij32.exe 100 PID 1424 wrote to memory of 4656 1424 Okhfjh32.exe 101 PID 1424 wrote to memory of 4656 1424 Okhfjh32.exe 101 PID 1424 wrote to memory of 4656 1424 Okhfjh32.exe 101 PID 4656 wrote to memory of 2516 4656 Ojjffddl.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\615761bd433e2df430548683632034cdc8656525618359482ad5ea8f3afedc01.exe"C:\Users\Admin\AppData\Local\Temp\615761bd433e2df430548683632034cdc8656525618359482ad5ea8f3afedc01.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Ncgkcl32.exeC:\Windows\system32\Ncgkcl32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
C:\Windows\SysWOW64\Nkncdifl.exeC:\Windows\system32\Nkncdifl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
C:\Windows\SysWOW64\Nnmopdep.exeC:\Windows\system32\Nnmopdep.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Nbkhfc32.exeC:\Windows\system32\Nbkhfc32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Ncldnkae.exeC:\Windows\system32\Ncldnkae.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Nnaikd32.exeC:\Windows\system32\Nnaikd32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\SysWOW64\Nbmelbid.exeC:\Windows\system32\Nbmelbid.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
C:\Windows\SysWOW64\Ncnadk32.exeC:\Windows\system32\Ncnadk32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SysWOW64\Ojhiqefo.exeC:\Windows\system32\Ojhiqefo.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Windows\SysWOW64\Oboaabga.exeC:\Windows\system32\Oboaabga.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Oqbamo32.exeC:\Windows\system32\Oqbamo32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Ocqnij32.exeC:\Windows\system32\Ocqnij32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe23⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Oqdoboli.exeC:\Windows\system32\Oqdoboli.exe24⤵
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe25⤵
- Executes dropped EXE
PID:368 -
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe26⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe27⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe28⤵
- Executes dropped EXE
PID:4652 -
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe29⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Ocegdjij.exeC:\Windows\system32\Ocegdjij.exe30⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe31⤵
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe32⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe33⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Oqihnn32.exeC:\Windows\system32\Oqihnn32.exe34⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe35⤵
- Executes dropped EXE
PID:3204 -
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe36⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe37⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe38⤵
- Executes dropped EXE
PID:3908 -
C:\Windows\SysWOW64\Onmhgb32.exeC:\Windows\system32\Onmhgb32.exe39⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe40⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe41⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe42⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Pgemphmn.exeC:\Windows\system32\Pgemphmn.exe43⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe44⤵
- Executes dropped EXE
PID:4264 -
C:\Windows\SysWOW64\Pnpemb32.exeC:\Windows\system32\Pnpemb32.exe45⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe46⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Peimil32.exeC:\Windows\system32\Peimil32.exe47⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe48⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe49⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe52⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe53⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Pgjfkg32.exeC:\Windows\system32\Pgjfkg32.exe54⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe55⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Pjhbgb32.exeC:\Windows\system32\Pjhbgb32.exe56⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe57⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Pbpjhp32.exeC:\Windows\system32\Pbpjhp32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:3404 -
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe59⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe60⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Pgmcqggf.exeC:\Windows\system32\Pgmcqggf.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4892 -
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe62⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe63⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Pbbgnpgl.exeC:\Windows\system32\Pbbgnpgl.exe64⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:3180 -
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe66⤵PID:4004
-
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe67⤵PID:1132
-
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe68⤵PID:2524
-
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe69⤵PID:4832
-
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe70⤵PID:2176
-
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe71⤵PID:1404
-
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe72⤵PID:4664
-
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe73⤵PID:1020
-
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe74⤵PID:4160
-
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe75⤵PID:2952
-
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe76⤵PID:1600
-
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe77⤵PID:2900
-
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe78⤵PID:4548
-
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe79⤵PID:3888
-
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe80⤵PID:1640
-
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe81⤵PID:3076
-
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe82⤵PID:2332
-
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe83⤵PID:2188
-
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe84⤵PID:1096
-
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe85⤵PID:448
-
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe86⤵PID:3172
-
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe87⤵PID:3876
-
C:\Windows\SysWOW64\Anbkio32.exeC:\Windows\system32\Anbkio32.exe88⤵PID:2600
-
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe89⤵PID:4808
-
C:\Windows\SysWOW64\Ahkobekf.exeC:\Windows\system32\Ahkobekf.exe90⤵PID:3184
-
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe91⤵PID:3512
-
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe92⤵PID:1212
-
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe93⤵PID:3624
-
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe94⤵PID:4436
-
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe95⤵PID:1552
-
C:\Windows\SysWOW64\Alhhhcal.exeC:\Windows\system32\Alhhhcal.exe96⤵PID:4360
-
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe97⤵
- Modifies registry class
PID:3316 -
C:\Windows\SysWOW64\Abbpem32.exeC:\Windows\system32\Abbpem32.exe98⤵PID:1432
-
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe99⤵PID:2084
-
C:\Windows\SysWOW64\Aealah32.exeC:\Windows\system32\Aealah32.exe100⤵PID:3360
-
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe101⤵PID:2284
-
C:\Windows\SysWOW64\Ahoimd32.exeC:\Windows\system32\Ahoimd32.exe102⤵PID:2096
-
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe103⤵PID:3992
-
C:\Windows\SysWOW64\Bhaebcen.exeC:\Windows\system32\Bhaebcen.exe104⤵PID:3600
-
C:\Windows\SysWOW64\Bjpaooda.exeC:\Windows\system32\Bjpaooda.exe105⤵PID:1124
-
C:\Windows\SysWOW64\Bajjli32.exeC:\Windows\system32\Bajjli32.exe106⤵PID:4784
-
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe107⤵PID:5092
-
C:\Windows\SysWOW64\Blpnib32.exeC:\Windows\system32\Blpnib32.exe108⤵PID:4620
-
C:\Windows\SysWOW64\Bbifelba.exeC:\Windows\system32\Bbifelba.exe109⤵PID:4600
-
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1516 -
C:\Windows\SysWOW64\Bhfonc32.exeC:\Windows\system32\Bhfonc32.exe111⤵PID:4636
-
C:\Windows\SysWOW64\Bjdkjo32.exeC:\Windows\system32\Bjdkjo32.exe112⤵
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Bblckl32.exeC:\Windows\system32\Bblckl32.exe113⤵PID:4452
-
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe114⤵PID:1028
-
C:\Windows\SysWOW64\Bdmpcdfm.exeC:\Windows\system32\Bdmpcdfm.exe115⤵PID:4340
-
C:\Windows\SysWOW64\Bldgdago.exeC:\Windows\system32\Bldgdago.exe116⤵PID:752
-
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe117⤵
- Drops file in System32 directory
PID:4420 -
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe118⤵PID:3440
-
C:\Windows\SysWOW64\Blfdia32.exeC:\Windows\system32\Blfdia32.exe119⤵PID:3912
-
C:\Windows\SysWOW64\Cacmah32.exeC:\Windows\system32\Cacmah32.exe120⤵PID:1912
-
C:\Windows\SysWOW64\Cdainc32.exeC:\Windows\system32\Cdainc32.exe121⤵PID:1280
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-