Analysis
-
max time kernel
125s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
09/07/2024, 04:15 UTC
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2a816c6d77ae45f31f822a13a8d468f0N.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
2a816c6d77ae45f31f822a13a8d468f0N.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
2a816c6d77ae45f31f822a13a8d468f0N.exe
-
Size
64KB
-
MD5
2a816c6d77ae45f31f822a13a8d468f0
-
SHA1
1823abf4d0ff5a04a2f628e8b797c2291c3b7b1d
-
SHA256
3044ae6b05f99f4077e1fe0ab94b54de70b31564fe4a3ae935d634c30f584d22
-
SHA512
21bd48e33029c139eb0e5715dcad4f59e77f4e5dac9bf25c6856d5fd7b642c95e395eb3160b2c9dbd1c3ac70602bfffa505ac03375d572c0a33c7643e6a1ada0
-
SSDEEP
1536:W1foWylUlx15TRHDPuC9sRc2lQE1kMJwJTFeO6XKhbMbt2:WjylixT9DPQJ11JMTwO6Xjt2
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpgnjebd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Googaaej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnhlgc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kopcbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Namegfql.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qejfkmem.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beaecjab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fifomlap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Celgjlpn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnpbgajc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qghlmbae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bichcc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epiaig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpcmfchg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijngkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjakkmpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kffhakjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Logbigbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdaqhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dijppjfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lefkkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoconenj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kanbjn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqimlihn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjamhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmpido32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkhfek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Naqqmieo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqagkjne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anfmeldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmkpipaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmlafk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqdlmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djklgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlkiaece.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifmldo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohbfeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbapom32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnebmgjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khkdad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gllajf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imjgbb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppffec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfgjbb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onhhmpoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gomkkagl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pahpee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oklifdmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oileakbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqkigp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moeoje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldgnbg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcqgahoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cicjokll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eimlgnij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcnkli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Likcdpop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbijinfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdmngm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbbdip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhdggb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpckjlje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqhphq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpmmfbfl.exe -
Executes dropped EXE 64 IoCs
pid Process 3216 Kkbkmqed.exe 2716 Kalcik32.exe 2880 Kehojiej.exe 2956 Klbgfc32.exe 2724 Kopcbo32.exe 1620 Kejloi32.exe 2024 Khihld32.exe 3828 Kocphojh.exe 4808 Kaaldjil.exe 496 Khkdad32.exe 4944 Lbqinm32.exe 2680 Ldbefe32.exe 3892 Lklnconj.exe 4472 Laffpi32.exe 3112 Llkjmb32.exe 460 Lbebilli.exe 1220 Ldfoad32.exe 4044 Lkqgno32.exe 5020 Lefkkg32.exe 3668 Lhdggb32.exe 1112 Loopdmpk.exe 3536 Lehhqg32.exe 4440 Mkepineo.exe 3240 Maoifh32.exe 644 Mhiabbdi.exe 3716 Mcoepkdo.exe 1876 Mdpagc32.exe 1660 Moefdljc.exe 4588 Mepnaf32.exe 3780 Mklfjm32.exe 2228 Mebkge32.exe 2432 Mkocol32.exe 1792 Nhbciqln.exe 3592 Nomlek32.exe 216 Nchhfild.exe 648 Ndidna32.exe 2064 Nkcmjlio.exe 4032 Namegfql.exe 1080 Ndlacapp.exe 2256 Nlcidopb.exe 2344 Ncmaai32.exe 3012 Nfknmd32.exe 4340 Nhjjip32.exe 3044 Nkhfek32.exe 3624 Nconfh32.exe 1580 Nfnjbdep.exe 3632 Nhlfoodc.exe 3916 Nofoki32.exe 4548 Nfpghccm.exe 4036 Ocdgahag.exe 4076 Odedipge.exe 756 Ookhfigk.exe 4544 Ofdqcc32.exe 820 Ohcmpn32.exe 2260 Oomelheh.exe 3296 Obkahddl.exe 2528 Odjmdocp.exe 3952 Omaeem32.exe 1724 Oooaah32.exe 3432 Ofijnbkb.exe 1168 Odljjo32.exe 1956 Omcbkl32.exe 728 Ooangh32.exe 1736 Obpkcc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Idjcam32.dll Laffpi32.exe File created C:\Windows\SysWOW64\Feljgd32.exe Fpoaom32.exe File created C:\Windows\SysWOW64\Gqkajk32.exe Gnlenp32.exe File created C:\Windows\SysWOW64\Oepnld32.dll Gpgnjebd.exe File created C:\Windows\SysWOW64\Imhjlb32.exe Ihmnldib.exe File created C:\Windows\SysWOW64\Klmlfi32.dll Imhjlb32.exe File opened for modification C:\Windows\SysWOW64\Jmmcgbnf.exe Iiaggc32.exe File created C:\Windows\SysWOW64\Eneilj32.dll Oaejhh32.exe File created C:\Windows\SysWOW64\Bcpika32.exe Bmfqngcg.exe File created C:\Windows\SysWOW64\Jmbdmg32.exe Jgekdq32.exe File opened for modification C:\Windows\SysWOW64\Namnmp32.exe Nonbqd32.exe File created C:\Windows\SysWOW64\Dhpdkm32.exe Dfngcdhi.exe File created C:\Windows\SysWOW64\Bjbboi32.dll Flghognq.exe File opened for modification C:\Windows\SysWOW64\Labkempb.exe Lmfodn32.exe File created C:\Windows\SysWOW64\Ljeeki32.dll Nmpkakak.exe File created C:\Windows\SysWOW64\Cghgpgqd.exe Ciefek32.exe File created C:\Windows\SysWOW64\Nhbciqln.exe Mkocol32.exe File opened for modification C:\Windows\SysWOW64\Amfhgj32.exe Aeopfl32.exe File created C:\Windows\SysWOW64\Elnehifk.exe Eipilmgh.exe File opened for modification C:\Windows\SysWOW64\Elnehifk.exe Eipilmgh.exe File opened for modification C:\Windows\SysWOW64\Gchflq32.exe Gomkkagl.exe File opened for modification C:\Windows\SysWOW64\Liifnp32.exe Ljffccjh.exe File opened for modification C:\Windows\SysWOW64\Oajccgmd.exe Onngci32.exe File opened for modification C:\Windows\SysWOW64\Nlcidopb.exe Ndlacapp.exe File created C:\Windows\SysWOW64\Hnpnedno.dll Akmjdpac.exe File opened for modification C:\Windows\SysWOW64\Nmpkakak.exe Nieoal32.exe File created C:\Windows\SysWOW64\Cjdfgc32.exe Cjdfgc32.exe File created C:\Windows\SysWOW64\Nomlek32.exe Nhbciqln.exe File created C:\Windows\SysWOW64\Ifgknd32.dll Icqmncof.exe File created C:\Windows\SysWOW64\Laglkb32.exe Loiong32.exe File created C:\Windows\SysWOW64\Bhjabbic.dll Fhefmjlp.exe File created C:\Windows\SysWOW64\Nbddah32.dll Gohapb32.exe File created C:\Windows\SysWOW64\Kmadhp32.dll Bqnemp32.exe File created C:\Windows\SysWOW64\Djeopjhd.dll Ceeaim32.exe File created C:\Windows\SysWOW64\Qoflodqh.dll Dnghhqdk.exe File opened for modification C:\Windows\SysWOW64\Cfcoblfb.exe Cdebfago.exe File opened for modification C:\Windows\SysWOW64\Gfjfhbpb.exe Gckjlf32.exe File created C:\Windows\SysWOW64\Jhbkgiif.dll Gchflq32.exe File opened for modification C:\Windows\SysWOW64\Lfaqcclf.exe Lhopgg32.exe File created C:\Windows\SysWOW64\Bdiamnpc.exe Bqnemp32.exe File opened for modification C:\Windows\SysWOW64\Ndidna32.exe Nchhfild.exe File created C:\Windows\SysWOW64\Hgebnc32.exe Hdffah32.exe File created C:\Windows\SysWOW64\Mgngih32.exe Mhkgnkoj.exe File created C:\Windows\SysWOW64\Okcogc32.exe Ohdbkh32.exe File created C:\Windows\SysWOW64\Gchflq32.exe Gomkkagl.exe File created C:\Windows\SysWOW64\Ajmcke32.dll Jggapj32.exe File opened for modification C:\Windows\SysWOW64\Mhjpceko.exe Mdodbf32.exe File created C:\Windows\SysWOW64\Afnlpohj.exe Acppddig.exe File opened for modification C:\Windows\SysWOW64\Blgddd32.exe Bfjllnnm.exe File created C:\Windows\SysWOW64\Dbhlikpf.exe Dlncla32.exe File opened for modification C:\Windows\SysWOW64\Eipilmgh.exe Eedmlo32.exe File created C:\Windows\SysWOW64\Ginenk32.exe Gebimmco.exe File created C:\Windows\SysWOW64\Jjhjae32.exe Jflnafno.exe File opened for modification C:\Windows\SysWOW64\Ladhkmno.exe Lmiljn32.exe File opened for modification C:\Windows\SysWOW64\Niglfl32.exe Nkdlkope.exe File created C:\Windows\SysWOW64\Gmjlak32.dll Kakednfj.exe File opened for modification C:\Windows\SysWOW64\Ohdbkh32.exe Oakjnnap.exe File created C:\Windows\SysWOW64\Pnhacn32.exe Pgoigcip.exe File opened for modification C:\Windows\SysWOW64\Bflagg32.exe Bndjfjhl.exe File created C:\Windows\SysWOW64\Jdeoad32.dll Fgcjea32.exe File created C:\Windows\SysWOW64\Jncemmid.dll Fhgccijm.exe File created C:\Windows\SysWOW64\Fncjigbo.dll Gebimmco.exe File created C:\Windows\SysWOW64\Pbhmepaa.dll Hfniikha.exe File opened for modification C:\Windows\SysWOW64\Agcdnjcl.exe Ahpdcn32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 20092 20020 WerFault.exe 1079 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpandm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fljlom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfdbpjmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdlgmgdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cihjeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hednfnpf.dll" Hljnkdnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmbfiokn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndlacapp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Philfgdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qdipag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgnhmg32.dll" Bngfli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kclnfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dendok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfilkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epbkhhel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgcjea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfokff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nccmog32.dll" Nagngjmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nibbklke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfhofnpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgebnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmqiec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nockkcjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjamhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlnlak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dehnpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hphfac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fepbfj32.dll" Mapgfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqlbphhk.dll" Mhiabbdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifgeebem.dll" Apimodmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfmidc32.dll" Blnjecfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effdbcbq.dll" Kccbjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpjjc32.dll" Nkboeobh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abflfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mipffl32.dll" Mdcmnfop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adkelplc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adbkmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaaldjil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnoacp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifgknd32.dll" Icqmncof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmddajlf.dll" Hjieii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nalgbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dagajlal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oakjnnap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjpkjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejqmmlpm.dll" Mmbopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndejcemn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gckcap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omgabj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Loiong32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afdkfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efhjjcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpcnhngo.dll" Fhnichde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifoijonj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcaeea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkakhakq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhennm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpaqqdjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlhaee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjlan32.dll" Lmkipncc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmbopm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmmgof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcgjhega.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhffijdm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4568 wrote to memory of 3216 4568 2a816c6d77ae45f31f822a13a8d468f0N.exe 89 PID 4568 wrote to memory of 3216 4568 2a816c6d77ae45f31f822a13a8d468f0N.exe 89 PID 4568 wrote to memory of 3216 4568 2a816c6d77ae45f31f822a13a8d468f0N.exe 89 PID 3216 wrote to memory of 2716 3216 Kkbkmqed.exe 90 PID 3216 wrote to memory of 2716 3216 Kkbkmqed.exe 90 PID 3216 wrote to memory of 2716 3216 Kkbkmqed.exe 90 PID 2716 wrote to memory of 2880 2716 Kalcik32.exe 91 PID 2716 wrote to memory of 2880 2716 Kalcik32.exe 91 PID 2716 wrote to memory of 2880 2716 Kalcik32.exe 91 PID 2880 wrote to memory of 2956 2880 Kehojiej.exe 92 PID 2880 wrote to memory of 2956 2880 Kehojiej.exe 92 PID 2880 wrote to memory of 2956 2880 Kehojiej.exe 92 PID 2956 wrote to memory of 2724 2956 Klbgfc32.exe 93 PID 2956 wrote to memory of 2724 2956 Klbgfc32.exe 93 PID 2956 wrote to memory of 2724 2956 Klbgfc32.exe 93 PID 2724 wrote to memory of 1620 2724 Kopcbo32.exe 94 PID 2724 wrote to memory of 1620 2724 Kopcbo32.exe 94 PID 2724 wrote to memory of 1620 2724 Kopcbo32.exe 94 PID 1620 wrote to memory of 2024 1620 Kejloi32.exe 95 PID 1620 wrote to memory of 2024 1620 Kejloi32.exe 95 PID 1620 wrote to memory of 2024 1620 Kejloi32.exe 95 PID 2024 wrote to memory of 3828 2024 Khihld32.exe 96 PID 2024 wrote to memory of 3828 2024 Khihld32.exe 96 PID 2024 wrote to memory of 3828 2024 Khihld32.exe 96 PID 3828 wrote to memory of 4808 3828 Kocphojh.exe 97 PID 3828 wrote to memory of 4808 3828 Kocphojh.exe 97 PID 3828 wrote to memory of 4808 3828 Kocphojh.exe 97 PID 4808 wrote to memory of 496 4808 Kaaldjil.exe 98 PID 4808 wrote to memory of 496 4808 Kaaldjil.exe 98 PID 4808 wrote to memory of 496 4808 Kaaldjil.exe 98 PID 496 wrote to memory of 4944 496 Khkdad32.exe 100 PID 496 wrote to memory of 4944 496 Khkdad32.exe 100 PID 496 wrote to memory of 4944 496 Khkdad32.exe 100 PID 4944 wrote to memory of 2680 4944 Lbqinm32.exe 101 PID 4944 wrote to memory of 2680 4944 Lbqinm32.exe 101 PID 4944 wrote to memory of 2680 4944 Lbqinm32.exe 101 PID 2680 wrote to memory of 3892 2680 Ldbefe32.exe 102 PID 2680 wrote to memory of 3892 2680 Ldbefe32.exe 102 PID 2680 wrote to memory of 3892 2680 Ldbefe32.exe 102 PID 3892 wrote to memory of 4472 3892 Lklnconj.exe 104 PID 3892 wrote to memory of 4472 3892 Lklnconj.exe 104 PID 3892 wrote to memory of 4472 3892 Lklnconj.exe 104 PID 4472 wrote to memory of 3112 4472 Laffpi32.exe 105 PID 4472 wrote to memory of 3112 4472 Laffpi32.exe 105 PID 4472 wrote to memory of 3112 4472 Laffpi32.exe 105 PID 3112 wrote to memory of 460 3112 Llkjmb32.exe 106 PID 3112 wrote to memory of 460 3112 Llkjmb32.exe 106 PID 3112 wrote to memory of 460 3112 Llkjmb32.exe 106 PID 460 wrote to memory of 1220 460 Lbebilli.exe 108 PID 460 wrote to memory of 1220 460 Lbebilli.exe 108 PID 460 wrote to memory of 1220 460 Lbebilli.exe 108 PID 1220 wrote to memory of 4044 1220 Ldfoad32.exe 109 PID 1220 wrote to memory of 4044 1220 Ldfoad32.exe 109 PID 1220 wrote to memory of 4044 1220 Ldfoad32.exe 109 PID 4044 wrote to memory of 5020 4044 Lkqgno32.exe 110 PID 4044 wrote to memory of 5020 4044 Lkqgno32.exe 110 PID 4044 wrote to memory of 5020 4044 Lkqgno32.exe 110 PID 5020 wrote to memory of 3668 5020 Lefkkg32.exe 111 PID 5020 wrote to memory of 3668 5020 Lefkkg32.exe 111 PID 5020 wrote to memory of 3668 5020 Lefkkg32.exe 111 PID 3668 wrote to memory of 1112 3668 Lhdggb32.exe 112 PID 3668 wrote to memory of 1112 3668 Lhdggb32.exe 112 PID 3668 wrote to memory of 1112 3668 Lhdggb32.exe 112 PID 1112 wrote to memory of 3536 1112 Loopdmpk.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\2a816c6d77ae45f31f822a13a8d468f0N.exe"C:\Users\Admin\AppData\Local\Temp\2a816c6d77ae45f31f822a13a8d468f0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\SysWOW64\Kkbkmqed.exeC:\Windows\system32\Kkbkmqed.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\Kalcik32.exeC:\Windows\system32\Kalcik32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Kehojiej.exeC:\Windows\system32\Kehojiej.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Klbgfc32.exeC:\Windows\system32\Klbgfc32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Kopcbo32.exeC:\Windows\system32\Kopcbo32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Kejloi32.exeC:\Windows\system32\Kejloi32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Khihld32.exeC:\Windows\system32\Khihld32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Kocphojh.exeC:\Windows\system32\Kocphojh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828 -
C:\Windows\SysWOW64\Kaaldjil.exeC:\Windows\system32\Kaaldjil.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Khkdad32.exeC:\Windows\system32\Khkdad32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:496 -
C:\Windows\SysWOW64\Lbqinm32.exeC:\Windows\system32\Lbqinm32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\Ldbefe32.exeC:\Windows\system32\Ldbefe32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Lklnconj.exeC:\Windows\system32\Lklnconj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
C:\Windows\SysWOW64\Laffpi32.exeC:\Windows\system32\Laffpi32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\Llkjmb32.exeC:\Windows\system32\Llkjmb32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\SysWOW64\Lbebilli.exeC:\Windows\system32\Lbebilli.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:460 -
C:\Windows\SysWOW64\Ldfoad32.exeC:\Windows\system32\Ldfoad32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\SysWOW64\Lkqgno32.exeC:\Windows\system32\Lkqgno32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Windows\SysWOW64\Lefkkg32.exeC:\Windows\system32\Lefkkg32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\SysWOW64\Lhdggb32.exeC:\Windows\system32\Lhdggb32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\SysWOW64\Loopdmpk.exeC:\Windows\system32\Loopdmpk.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Windows\SysWOW64\Lehhqg32.exeC:\Windows\system32\Lehhqg32.exe23⤵
- Executes dropped EXE
PID:3536 -
C:\Windows\SysWOW64\Mkepineo.exeC:\Windows\system32\Mkepineo.exe24⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Maoifh32.exeC:\Windows\system32\Maoifh32.exe25⤵
- Executes dropped EXE
PID:3240 -
C:\Windows\SysWOW64\Mhiabbdi.exeC:\Windows\system32\Mhiabbdi.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:644 -
C:\Windows\SysWOW64\Mcoepkdo.exeC:\Windows\system32\Mcoepkdo.exe27⤵
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\Mdpagc32.exeC:\Windows\system32\Mdpagc32.exe28⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Moefdljc.exeC:\Windows\system32\Moefdljc.exe29⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Mepnaf32.exeC:\Windows\system32\Mepnaf32.exe30⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Mklfjm32.exeC:\Windows\system32\Mklfjm32.exe31⤵
- Executes dropped EXE
PID:3780 -
C:\Windows\SysWOW64\Mebkge32.exeC:\Windows\system32\Mebkge32.exe32⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Mkocol32.exeC:\Windows\system32\Mkocol32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Nhbciqln.exeC:\Windows\system32\Nhbciqln.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1792 -
C:\Windows\SysWOW64\Nomlek32.exeC:\Windows\system32\Nomlek32.exe35⤵
- Executes dropped EXE
PID:3592 -
C:\Windows\SysWOW64\Nchhfild.exeC:\Windows\system32\Nchhfild.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:216 -
C:\Windows\SysWOW64\Ndidna32.exeC:\Windows\system32\Ndidna32.exe37⤵
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Nkcmjlio.exeC:\Windows\system32\Nkcmjlio.exe38⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Namegfql.exeC:\Windows\system32\Namegfql.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4032 -
C:\Windows\SysWOW64\Ndlacapp.exeC:\Windows\system32\Ndlacapp.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1080 -
C:\Windows\SysWOW64\Nlcidopb.exeC:\Windows\system32\Nlcidopb.exe41⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Ncmaai32.exeC:\Windows\system32\Ncmaai32.exe42⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Nfknmd32.exeC:\Windows\system32\Nfknmd32.exe43⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Nhjjip32.exeC:\Windows\system32\Nhjjip32.exe44⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Nkhfek32.exeC:\Windows\system32\Nkhfek32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Nconfh32.exeC:\Windows\system32\Nconfh32.exe46⤵
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Nfnjbdep.exeC:\Windows\system32\Nfnjbdep.exe47⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Nhlfoodc.exeC:\Windows\system32\Nhlfoodc.exe48⤵
- Executes dropped EXE
PID:3632 -
C:\Windows\SysWOW64\Nofoki32.exeC:\Windows\system32\Nofoki32.exe49⤵
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\Nfpghccm.exeC:\Windows\system32\Nfpghccm.exe50⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Ocdgahag.exeC:\Windows\system32\Ocdgahag.exe51⤵
- Executes dropped EXE
PID:4036 -
C:\Windows\SysWOW64\Odedipge.exeC:\Windows\system32\Odedipge.exe52⤵
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Ollljmhg.exeC:\Windows\system32\Ollljmhg.exe53⤵PID:4316
-
C:\Windows\SysWOW64\Ookhfigk.exeC:\Windows\system32\Ookhfigk.exe54⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Ofdqcc32.exeC:\Windows\system32\Ofdqcc32.exe55⤵
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\Ohcmpn32.exeC:\Windows\system32\Ohcmpn32.exe56⤵
- Executes dropped EXE
PID:820 -
C:\Windows\SysWOW64\Oomelheh.exeC:\Windows\system32\Oomelheh.exe57⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Obkahddl.exeC:\Windows\system32\Obkahddl.exe58⤵
- Executes dropped EXE
PID:3296 -
C:\Windows\SysWOW64\Odjmdocp.exeC:\Windows\system32\Odjmdocp.exe59⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Omaeem32.exeC:\Windows\system32\Omaeem32.exe60⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Oooaah32.exeC:\Windows\system32\Oooaah32.exe61⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Ofijnbkb.exeC:\Windows\system32\Ofijnbkb.exe62⤵
- Executes dropped EXE
PID:3432 -
C:\Windows\SysWOW64\Odljjo32.exeC:\Windows\system32\Odljjo32.exe63⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Omcbkl32.exeC:\Windows\system32\Omcbkl32.exe64⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Ooangh32.exeC:\Windows\system32\Ooangh32.exe65⤵
- Executes dropped EXE
PID:728 -
C:\Windows\SysWOW64\Obpkcc32.exeC:\Windows\system32\Obpkcc32.exe66⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Pdngpo32.exeC:\Windows\system32\Pdngpo32.exe67⤵PID:2460
-
C:\Windows\SysWOW64\Pmeoqlpl.exeC:\Windows\system32\Pmeoqlpl.exe68⤵PID:1300
-
C:\Windows\SysWOW64\Pcpgmf32.exeC:\Windows\system32\Pcpgmf32.exe69⤵PID:5128
-
C:\Windows\SysWOW64\Pfncia32.exeC:\Windows\system32\Pfncia32.exe70⤵PID:5168
-
C:\Windows\SysWOW64\Pilpfm32.exeC:\Windows\system32\Pilpfm32.exe71⤵PID:5200
-
C:\Windows\SysWOW64\Pkklbh32.exeC:\Windows\system32\Pkklbh32.exe72⤵PID:5248
-
C:\Windows\SysWOW64\Pcbdcf32.exeC:\Windows\system32\Pcbdcf32.exe73⤵PID:5288
-
C:\Windows\SysWOW64\Pfppoa32.exeC:\Windows\system32\Pfppoa32.exe74⤵PID:5328
-
C:\Windows\SysWOW64\Piolkm32.exeC:\Windows\system32\Piolkm32.exe75⤵PID:5368
-
C:\Windows\SysWOW64\Poidhg32.exeC:\Windows\system32\Poidhg32.exe76⤵PID:5412
-
C:\Windows\SysWOW64\Pbgqdb32.exeC:\Windows\system32\Pbgqdb32.exe77⤵PID:5456
-
C:\Windows\SysWOW64\Peempn32.exeC:\Windows\system32\Peempn32.exe78⤵PID:5504
-
C:\Windows\SysWOW64\Piaiqlak.exeC:\Windows\system32\Piaiqlak.exe79⤵PID:5544
-
C:\Windows\SysWOW64\Pokanf32.exeC:\Windows\system32\Pokanf32.exe80⤵PID:5584
-
C:\Windows\SysWOW64\Pbimjb32.exeC:\Windows\system32\Pbimjb32.exe81⤵PID:5624
-
C:\Windows\SysWOW64\Pkabbgol.exeC:\Windows\system32\Pkabbgol.exe82⤵PID:5668
-
C:\Windows\SysWOW64\Pcijce32.exeC:\Windows\system32\Pcijce32.exe83⤵PID:5712
-
C:\Windows\SysWOW64\Qejfkmem.exeC:\Windows\system32\Qejfkmem.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5756 -
C:\Windows\SysWOW64\Qmanljfo.exeC:\Windows\system32\Qmanljfo.exe85⤵PID:5800
-
C:\Windows\SysWOW64\Qbngeadf.exeC:\Windows\system32\Qbngeadf.exe86⤵PID:5844
-
C:\Windows\SysWOW64\Qfjcep32.exeC:\Windows\system32\Qfjcep32.exe87⤵PID:5888
-
C:\Windows\SysWOW64\Aeopfl32.exeC:\Windows\system32\Aeopfl32.exe88⤵
- Drops file in System32 directory
PID:5932 -
C:\Windows\SysWOW64\Amfhgj32.exeC:\Windows\system32\Amfhgj32.exe89⤵PID:5972
-
C:\Windows\SysWOW64\Acppddig.exeC:\Windows\system32\Acppddig.exe90⤵
- Drops file in System32 directory
PID:6012 -
C:\Windows\SysWOW64\Afnlpohj.exeC:\Windows\system32\Afnlpohj.exe91⤵PID:6056
-
C:\Windows\SysWOW64\Aealll32.exeC:\Windows\system32\Aealll32.exe92⤵PID:6100
-
C:\Windows\SysWOW64\Alkeifga.exeC:\Windows\system32\Alkeifga.exe93⤵PID:5124
-
C:\Windows\SysWOW64\Acbmjcgd.exeC:\Windows\system32\Acbmjcgd.exe94⤵PID:5176
-
C:\Windows\SysWOW64\Aioebj32.exeC:\Windows\system32\Aioebj32.exe95⤵PID:5256
-
C:\Windows\SysWOW64\Apimodmh.exeC:\Windows\system32\Apimodmh.exe96⤵
- Modifies registry class
PID:5268 -
C:\Windows\SysWOW64\Abgjkpll.exeC:\Windows\system32\Abgjkpll.exe97⤵PID:5400
-
C:\Windows\SysWOW64\Aeffgkkp.exeC:\Windows\system32\Aeffgkkp.exe98⤵PID:5480
-
C:\Windows\SysWOW64\Apkjddke.exeC:\Windows\system32\Apkjddke.exe99⤵PID:5520
-
C:\Windows\SysWOW64\Abjfqpji.exeC:\Windows\system32\Abjfqpji.exe100⤵PID:5600
-
C:\Windows\SysWOW64\Aehbmk32.exeC:\Windows\system32\Aehbmk32.exe101⤵PID:5696
-
C:\Windows\SysWOW64\Albkieqj.exeC:\Windows\system32\Albkieqj.exe102⤵PID:5796
-
C:\Windows\SysWOW64\Apngjd32.exeC:\Windows\system32\Apngjd32.exe103⤵PID:5824
-
C:\Windows\SysWOW64\Bfhofnpp.exeC:\Windows\system32\Bfhofnpp.exe104⤵
- Modifies registry class
PID:5924 -
C:\Windows\SysWOW64\Bppcpc32.exeC:\Windows\system32\Bppcpc32.exe105⤵PID:5944
-
C:\Windows\SysWOW64\Bclppboi.exeC:\Windows\system32\Bclppboi.exe106⤵PID:6044
-
C:\Windows\SysWOW64\Bfjllnnm.exeC:\Windows\system32\Bfjllnnm.exe107⤵
- Drops file in System32 directory
PID:6124 -
C:\Windows\SysWOW64\Blgddd32.exeC:\Windows\system32\Blgddd32.exe108⤵PID:5152
-
C:\Windows\SysWOW64\Bbalaoda.exeC:\Windows\system32\Bbalaoda.exe109⤵PID:5224
-
C:\Windows\SysWOW64\Beoimjce.exeC:\Windows\system32\Beoimjce.exe110⤵PID:5420
-
C:\Windows\SysWOW64\Bmfqngcg.exeC:\Windows\system32\Bmfqngcg.exe111⤵
- Drops file in System32 directory
PID:5536 -
C:\Windows\SysWOW64\Bcpika32.exeC:\Windows\system32\Bcpika32.exe112⤵PID:5660
-
C:\Windows\SysWOW64\Beaecjab.exeC:\Windows\system32\Beaecjab.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5724 -
C:\Windows\SysWOW64\Bmimdg32.exeC:\Windows\system32\Bmimdg32.exe114⤵PID:5820
-
C:\Windows\SysWOW64\Bpgjpb32.exeC:\Windows\system32\Bpgjpb32.exe115⤵PID:5952
-
C:\Windows\SysWOW64\Bedbhi32.exeC:\Windows\system32\Bedbhi32.exe116⤵PID:6108
-
C:\Windows\SysWOW64\Bipnihgi.exeC:\Windows\system32\Bipnihgi.exe117⤵PID:5192
-
C:\Windows\SysWOW64\Blnjecfl.exeC:\Windows\system32\Blnjecfl.exe118⤵
- Modifies registry class
PID:5464 -
C:\Windows\SysWOW64\Cdebfago.exeC:\Windows\system32\Cdebfago.exe119⤵
- Drops file in System32 directory
PID:2032 -
C:\Windows\SysWOW64\Cfcoblfb.exeC:\Windows\system32\Cfcoblfb.exe120⤵PID:2360
-
C:\Windows\SysWOW64\Cmmgof32.exeC:\Windows\system32\Cmmgof32.exe121⤵
- Modifies registry class
PID:3352
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-