Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
15/07/2024, 23:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
29fd364300612e6f5db1fde92cba7fa0N.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
29fd364300612e6f5db1fde92cba7fa0N.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
120 seconds
General
-
Target
29fd364300612e6f5db1fde92cba7fa0N.exe
-
Size
97KB
-
MD5
29fd364300612e6f5db1fde92cba7fa0
-
SHA1
cf977b90c347d649a37389e426b376b55c744308
-
SHA256
b0c491642ba0db1aff1250034c977029806e87c9e93690dc555956287fded4e5
-
SHA512
2fad4509f2bde5ef444747fc9c83200efee56896cb5a1c0d25de9a38024bd3e96d450681ef85dc330118877e55e590dc48622f497e4b62e65679dad3354b2319
-
SSDEEP
1536:BkXVHlFMsbGR6Hl3gN5Uydh8/hbzlQemelYEvJXeYZ6:BkXVndQ5Uydh85lQ2lVJXeK6
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cleegp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljaoeini.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhbkinel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lomqcjie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnblnlhl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohjlgefb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljfhqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmbphg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqlefl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bogcgj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpabni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgnqgqan.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lddgmbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pedbahod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alqjpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lqndhcdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fndpmndl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpglnhad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckjbhmad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdojjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aolblopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pldcjeia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aogiap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feenjgfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djjebh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aolblopj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecefqnel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkdpbpih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajhniccb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plmmif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afbgkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhikci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 29fd364300612e6f5db1fde92cba7fa0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipmbjgpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bojomm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hihibbjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mekgdl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Badanigc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkobmnka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lomqcjie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeapcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojbacd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Maeachag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eifhdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efblbbqd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eejeiocj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmfplibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egohdegl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpglnhad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmlpaoaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jekqmhia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmjemflb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbbhqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlmfeg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdpmbc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pocpfphe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cammjakm.exe -
Executes dropped EXE 64 IoCs
pid Process 3656 Lflgmqhd.exe 4988 Likcilhh.exe 3476 Lhncdi32.exe 3352 Loglacfo.exe 4732 Leadnm32.exe 1980 Mlklkgei.exe 1124 Mojhgbdl.exe 1268 Mfaqhp32.exe 4448 Miomdk32.exe 1404 Mpieqeko.exe 3916 Molelb32.exe 2812 Mefmimif.exe 3048 Mlpeff32.exe 4976 Moobbb32.exe 1964 Mehjol32.exe 4016 Mlbbkfoq.exe 2920 Mblkhq32.exe 1292 Mekgdl32.exe 3424 Mhicpg32.exe 928 Mfjcnold.exe 4080 Niipjj32.exe 4896 Npchgdcd.exe 3908 Neppokal.exe 3784 Nhnlkfpp.exe 2272 Nohehq32.exe 3904 Nebmekoi.exe 1880 Nlleaeff.exe 2196 Nojanpej.exe 5024 Nedjjj32.exe 1572 Nlnbgddc.exe 4256 Nchjdo32.exe 2604 Nheble32.exe 2764 Nookip32.exe 3576 Ogfcjm32.exe 1856 Oidofh32.exe 3456 Opogbbig.exe 2824 Ocmconhk.exe 3348 Ohjlgefb.exe 1892 Ocopdn32.exe 60 Oenlqi32.exe 1804 Oofaiokl.exe 3584 Ogmijllo.exe 3308 Opemca32.exe 3016 Oebflhaf.exe 2600 Ohqbhdpj.exe 2540 Ookjdn32.exe 3156 Pedbahod.exe 1452 Ppjgoaoj.exe 2664 Pgdokkfg.exe 3676 Phelcc32.exe 4344 Poodpmca.exe 3968 Pfillg32.exe 708 Phhhhc32.exe 2008 Ppopjp32.exe 620 Pjgebf32.exe 3744 Phjenbhp.exe 4532 Podmkm32.exe 4388 Pcpikkge.exe 3860 Pfnegggi.exe 3588 Phlacbfm.exe 3636 Pofjpl32.exe 2984 Qcbfakec.exe 4364 Qjlnnemp.exe 328 Qhonib32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Qmeigg32.exe Qjfmkk32.exe File created C:\Windows\SysWOW64\Libmeq32.dll Gkdpbpih.exe File created C:\Windows\SysWOW64\Jejechjg.dll Flinkojm.exe File created C:\Windows\SysWOW64\Fgijpe32.dll Bphgeo32.exe File created C:\Windows\SysWOW64\Bgpcliao.exe Bpfkpp32.exe File created C:\Windows\SysWOW64\Ipdndloi.exe Iijfhbhl.exe File opened for modification C:\Windows\SysWOW64\Fclhpo32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pmiikh32.exe Pfoann32.exe File created C:\Windows\SysWOW64\Bmhocd32.exe Bhkfkmmg.exe File opened for modification C:\Windows\SysWOW64\Jdodkebj.exe Jnelok32.exe File created C:\Windows\SysWOW64\Offnhpfo.exe Oplfkeob.exe File opened for modification C:\Windows\SysWOW64\Amcmpodi.exe Ajeadd32.exe File created C:\Windows\SysWOW64\Becnaq32.dll Hkjjlhle.exe File created C:\Windows\SysWOW64\Jnhidk32.exe Jgnqgqan.exe File opened for modification C:\Windows\SysWOW64\Mcjmel32.exe Malpia32.exe File opened for modification C:\Windows\SysWOW64\Dfiildio.exe Dnbakghm.exe File created C:\Windows\SysWOW64\Aaenbd32.exe Amjbbfgo.exe File created C:\Windows\SysWOW64\Aplpihjd.dll Dpnbog32.exe File created C:\Windows\SysWOW64\Jbaojpgb.exe Jjjghcfp.exe File created C:\Windows\SysWOW64\Ofhknodl.exe Ocjoadei.exe File created C:\Windows\SysWOW64\Kmdlffhj.exe Kggcnoic.exe File created C:\Windows\SysWOW64\Onmfimga.exe Offnhpfo.exe File created C:\Windows\SysWOW64\Dfkecidg.dll Fipkjb32.exe File created C:\Windows\SysWOW64\Dheibpje.exe Dbkqfe32.exe File opened for modification C:\Windows\SysWOW64\Lcnfohmi.exe Lmdnbn32.exe File created C:\Windows\SysWOW64\Miomdk32.exe Mfaqhp32.exe File created C:\Windows\SysWOW64\Jomdjhoo.dll Npchgdcd.exe File opened for modification C:\Windows\SysWOW64\Lnldla32.exe Ljqhkckn.exe File opened for modification C:\Windows\SysWOW64\Nbcjnilj.exe Nhmeapmd.exe File created C:\Windows\SysWOW64\Djelgied.exe Dbndfl32.exe File created C:\Windows\SysWOW64\Amdcghbo.dll Jepjhg32.exe File created C:\Windows\SysWOW64\Likcilhh.exe Lflgmqhd.exe File opened for modification C:\Windows\SysWOW64\Bgnkhg32.exe Bogcgj32.exe File opened for modification C:\Windows\SysWOW64\Ppdbgncl.exe Process not Found File created C:\Windows\SysWOW64\Gdmjaa32.dll Eleepoob.exe File created C:\Windows\SysWOW64\Llmhaold.exe Lgpoihnl.exe File created C:\Windows\SysWOW64\Hpchib32.exe Hiipmhmk.exe File created C:\Windows\SysWOW64\Naagioah.dll Process not Found File opened for modification C:\Windows\SysWOW64\Flngfn32.exe Fipkjb32.exe File created C:\Windows\SysWOW64\Madjhb32.exe Mnfnlf32.exe File created C:\Windows\SysWOW64\Ladnhcdo.dll Ginnfgop.exe File created C:\Windows\SysWOW64\Aeddnp32.exe Akoqpg32.exe File opened for modification C:\Windows\SysWOW64\Omalpc32.exe Process not Found File created C:\Windows\SysWOW64\Lhnoigkk.dll Process not Found File created C:\Windows\SysWOW64\Oebflhaf.exe Opemca32.exe File created C:\Windows\SysWOW64\Djmibn32.exe Dhomfc32.exe File opened for modification C:\Windows\SysWOW64\Gdoihpbk.exe Gijekg32.exe File created C:\Windows\SysWOW64\Cmpdihki.dll Fmkqpkla.exe File created C:\Windows\SysWOW64\Plpqil32.exe Pefhlaie.exe File created C:\Windows\SysWOW64\Ipmbjgpi.exe Innfnl32.exe File opened for modification C:\Windows\SysWOW64\Iimcma32.exe Iafkld32.exe File opened for modification C:\Windows\SysWOW64\Khbiello.exe Jahqiaeb.exe File created C:\Windows\SysWOW64\Mdafpj32.dll Kgninn32.exe File opened for modification C:\Windows\SysWOW64\Jgkmgk32.exe Jocefm32.exe File opened for modification C:\Windows\SysWOW64\Mnhdgpii.exe Mgnlkfal.exe File created C:\Windows\SysWOW64\Qjffpe32.exe Process not Found File created C:\Windows\SysWOW64\Aocfbi32.dll Amcmpodi.exe File created C:\Windows\SysWOW64\Impjjbmh.dll Amhfkopc.exe File created C:\Windows\SysWOW64\Bcoaln32.dll Egaejeej.exe File opened for modification C:\Windows\SysWOW64\Mpeiie32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ejdocm32.exe Edjgfcec.exe File created C:\Windows\SysWOW64\Ggpcfd32.dll Eehicoel.exe File created C:\Windows\SysWOW64\Gngeik32.exe Glhimp32.exe File opened for modification C:\Windows\SysWOW64\Dkbocbog.exe Diccgfpd.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8964 8572 Process not Found 1288 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gkdpbpih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhdebqbi.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmbphg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igajal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cabomkll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Meiioonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Digehphc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdaklmfn.dll" Fijkdmhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knhebpni.dll" Pojcjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knchpiom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Koaagkcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qmgelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjedffig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnkggfkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fbelcblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhlpmmgb.dll" Kfnfjehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haffcnib.dll" Bfedoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dpnbog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgnomg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekpedip.dll" Fmikeaap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdjpll32.dll" Fpggamqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdmlfj.dll" Apjkcadp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckcdlpbd.dll" Fqgedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hnfjbdmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Injcmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkjcbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qmhlgmmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ccqkigkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gkdhjknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gkiaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Achnlqjp.dll" Aodogdmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpabni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlbdab32.dll" Lqndhcdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fiaael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcanijap.dll" Ajbmdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jpenfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojncj32.dll" Ebnfbcbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knenkbio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmdfgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emmoafdl.dll" Iqipio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oemnpgle.dll" Ohiemobf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Piijno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljclki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cammjakm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlnbgddc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Biogppeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkjlic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cplbfcmi.dll" Efepbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alfgikbb.dll" Dpgeee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbflncid.dll" Hgfapd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iehmmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcominjm.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kodapf32.dll" Lgccinoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hiipmhmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Giljfddl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qfbobf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mnnkgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhmeapmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpanan32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 536 wrote to memory of 3656 536 29fd364300612e6f5db1fde92cba7fa0N.exe 83 PID 536 wrote to memory of 3656 536 29fd364300612e6f5db1fde92cba7fa0N.exe 83 PID 536 wrote to memory of 3656 536 29fd364300612e6f5db1fde92cba7fa0N.exe 83 PID 3656 wrote to memory of 4988 3656 Lflgmqhd.exe 84 PID 3656 wrote to memory of 4988 3656 Lflgmqhd.exe 84 PID 3656 wrote to memory of 4988 3656 Lflgmqhd.exe 84 PID 4988 wrote to memory of 3476 4988 Likcilhh.exe 85 PID 4988 wrote to memory of 3476 4988 Likcilhh.exe 85 PID 4988 wrote to memory of 3476 4988 Likcilhh.exe 85 PID 3476 wrote to memory of 3352 3476 Lhncdi32.exe 86 PID 3476 wrote to memory of 3352 3476 Lhncdi32.exe 86 PID 3476 wrote to memory of 3352 3476 Lhncdi32.exe 86 PID 3352 wrote to memory of 4732 3352 Loglacfo.exe 87 PID 3352 wrote to memory of 4732 3352 Loglacfo.exe 87 PID 3352 wrote to memory of 4732 3352 Loglacfo.exe 87 PID 4732 wrote to memory of 1980 4732 Leadnm32.exe 88 PID 4732 wrote to memory of 1980 4732 Leadnm32.exe 88 PID 4732 wrote to memory of 1980 4732 Leadnm32.exe 88 PID 1980 wrote to memory of 1124 1980 Mlklkgei.exe 89 PID 1980 wrote to memory of 1124 1980 Mlklkgei.exe 89 PID 1980 wrote to memory of 1124 1980 Mlklkgei.exe 89 PID 1124 wrote to memory of 1268 1124 Mojhgbdl.exe 90 PID 1124 wrote to memory of 1268 1124 Mojhgbdl.exe 90 PID 1124 wrote to memory of 1268 1124 Mojhgbdl.exe 90 PID 1268 wrote to memory of 4448 1268 Mfaqhp32.exe 91 PID 1268 wrote to memory of 4448 1268 Mfaqhp32.exe 91 PID 1268 wrote to memory of 4448 1268 Mfaqhp32.exe 91 PID 4448 wrote to memory of 1404 4448 Miomdk32.exe 92 PID 4448 wrote to memory of 1404 4448 Miomdk32.exe 92 PID 4448 wrote to memory of 1404 4448 Miomdk32.exe 92 PID 1404 wrote to memory of 3916 1404 Mpieqeko.exe 93 PID 1404 wrote to memory of 3916 1404 Mpieqeko.exe 93 PID 1404 wrote to memory of 3916 1404 Mpieqeko.exe 93 PID 3916 wrote to memory of 2812 3916 Molelb32.exe 94 PID 3916 wrote to memory of 2812 3916 Molelb32.exe 94 PID 3916 wrote to memory of 2812 3916 Molelb32.exe 94 PID 2812 wrote to memory of 3048 2812 Mefmimif.exe 96 PID 2812 wrote to memory of 3048 2812 Mefmimif.exe 96 PID 2812 wrote to memory of 3048 2812 Mefmimif.exe 96 PID 3048 wrote to memory of 4976 3048 Mlpeff32.exe 97 PID 3048 wrote to memory of 4976 3048 Mlpeff32.exe 97 PID 3048 wrote to memory of 4976 3048 Mlpeff32.exe 97 PID 4976 wrote to memory of 1964 4976 Moobbb32.exe 98 PID 4976 wrote to memory of 1964 4976 Moobbb32.exe 98 PID 4976 wrote to memory of 1964 4976 Moobbb32.exe 98 PID 1964 wrote to memory of 4016 1964 Mehjol32.exe 99 PID 1964 wrote to memory of 4016 1964 Mehjol32.exe 99 PID 1964 wrote to memory of 4016 1964 Mehjol32.exe 99 PID 4016 wrote to memory of 2920 4016 Mlbbkfoq.exe 101 PID 4016 wrote to memory of 2920 4016 Mlbbkfoq.exe 101 PID 4016 wrote to memory of 2920 4016 Mlbbkfoq.exe 101 PID 2920 wrote to memory of 1292 2920 Mblkhq32.exe 102 PID 2920 wrote to memory of 1292 2920 Mblkhq32.exe 102 PID 2920 wrote to memory of 1292 2920 Mblkhq32.exe 102 PID 1292 wrote to memory of 3424 1292 Mekgdl32.exe 103 PID 1292 wrote to memory of 3424 1292 Mekgdl32.exe 103 PID 1292 wrote to memory of 3424 1292 Mekgdl32.exe 103 PID 3424 wrote to memory of 928 3424 Mhicpg32.exe 104 PID 3424 wrote to memory of 928 3424 Mhicpg32.exe 104 PID 3424 wrote to memory of 928 3424 Mhicpg32.exe 104 PID 928 wrote to memory of 4080 928 Mfjcnold.exe 106 PID 928 wrote to memory of 4080 928 Mfjcnold.exe 106 PID 928 wrote to memory of 4080 928 Mfjcnold.exe 106 PID 4080 wrote to memory of 4896 4080 Niipjj32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\29fd364300612e6f5db1fde92cba7fa0N.exe"C:\Users\Admin\AppData\Local\Temp\29fd364300612e6f5db1fde92cba7fa0N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Lflgmqhd.exeC:\Windows\system32\Lflgmqhd.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\Lhncdi32.exeC:\Windows\system32\Lhncdi32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\SysWOW64\Loglacfo.exeC:\Windows\system32\Loglacfo.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352 -
C:\Windows\SysWOW64\Leadnm32.exeC:\Windows\system32\Leadnm32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\SysWOW64\Mlklkgei.exeC:\Windows\system32\Mlklkgei.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Windows\SysWOW64\Mpieqeko.exeC:\Windows\system32\Mpieqeko.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Molelb32.exeC:\Windows\system32\Molelb32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Windows\SysWOW64\Mefmimif.exeC:\Windows\system32\Mefmimif.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Moobbb32.exeC:\Windows\system32\Moobbb32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Windows\SysWOW64\Mehjol32.exeC:\Windows\system32\Mehjol32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Mlbbkfoq.exeC:\Windows\system32\Mlbbkfoq.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Windows\SysWOW64\Mblkhq32.exeC:\Windows\system32\Mblkhq32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\SysWOW64\Niipjj32.exeC:\Windows\system32\Niipjj32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4896 -
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe24⤵
- Executes dropped EXE
PID:3908 -
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe25⤵
- Executes dropped EXE
PID:3784 -
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe26⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Nebmekoi.exeC:\Windows\system32\Nebmekoi.exe27⤵
- Executes dropped EXE
PID:3904 -
C:\Windows\SysWOW64\Nlleaeff.exeC:\Windows\system32\Nlleaeff.exe28⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Nojanpej.exeC:\Windows\system32\Nojanpej.exe29⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe30⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Nlnbgddc.exeC:\Windows\system32\Nlnbgddc.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe32⤵
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Neffpj32.exeC:\Windows\system32\Neffpj32.exe33⤵PID:4720
-
C:\Windows\SysWOW64\Nheble32.exeC:\Windows\system32\Nheble32.exe34⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Nookip32.exeC:\Windows\system32\Nookip32.exe35⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe36⤵
- Executes dropped EXE
PID:3576 -
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe37⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Opogbbig.exeC:\Windows\system32\Opogbbig.exe38⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Ocmconhk.exeC:\Windows\system32\Ocmconhk.exe39⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Ohjlgefb.exeC:\Windows\system32\Ohjlgefb.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3348 -
C:\Windows\SysWOW64\Ocopdn32.exeC:\Windows\system32\Ocopdn32.exe41⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Oenlqi32.exeC:\Windows\system32\Oenlqi32.exe42⤵
- Executes dropped EXE
PID:60 -
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe43⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe44⤵
- Executes dropped EXE
PID:3584 -
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3308 -
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe46⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Ohqbhdpj.exeC:\Windows\system32\Ohqbhdpj.exe47⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe48⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe50⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Pgdokkfg.exeC:\Windows\system32\Pgdokkfg.exe51⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe52⤵
- Executes dropped EXE
PID:3676 -
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe53⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Pfillg32.exeC:\Windows\system32\Pfillg32.exe54⤵
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe55⤵
- Executes dropped EXE
PID:708 -
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe56⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Pjgebf32.exeC:\Windows\system32\Pjgebf32.exe57⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe58⤵
- Executes dropped EXE
PID:3744 -
C:\Windows\SysWOW64\Podmkm32.exeC:\Windows\system32\Podmkm32.exe59⤵
- Executes dropped EXE
PID:4532 -
C:\Windows\SysWOW64\Pcpikkge.exeC:\Windows\system32\Pcpikkge.exe60⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Pfnegggi.exeC:\Windows\system32\Pfnegggi.exe61⤵
- Executes dropped EXE
PID:3860 -
C:\Windows\SysWOW64\Phlacbfm.exeC:\Windows\system32\Phlacbfm.exe62⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe63⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Qcbfakec.exeC:\Windows\system32\Qcbfakec.exe64⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe65⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe66⤵
- Executes dropped EXE
PID:328 -
C:\Windows\SysWOW64\Qqffjo32.exeC:\Windows\system32\Qqffjo32.exe67⤵PID:4100
-
C:\Windows\SysWOW64\Qcdbfk32.exeC:\Windows\system32\Qcdbfk32.exe68⤵PID:220
-
C:\Windows\SysWOW64\Qfbobf32.exeC:\Windows\system32\Qfbobf32.exe69⤵
- Modifies registry class
PID:4908 -
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe70⤵PID:5000
-
C:\Windows\SysWOW64\Qlmgopjq.exeC:\Windows\system32\Qlmgopjq.exe71⤵PID:3976
-
C:\Windows\SysWOW64\Aokcklid.exeC:\Windows\system32\Aokcklid.exe72⤵PID:4336
-
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe73⤵PID:4284
-
C:\Windows\SysWOW64\Afelhf32.exeC:\Windows\system32\Afelhf32.exe74⤵PID:3340
-
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe75⤵PID:4900
-
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe76⤵PID:3288
-
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe77⤵PID:4992
-
C:\Windows\SysWOW64\Ajcdnd32.exeC:\Windows\system32\Ajcdnd32.exe78⤵PID:2516
-
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe79⤵PID:1848
-
C:\Windows\SysWOW64\Aqmlknnd.exeC:\Windows\system32\Aqmlknnd.exe80⤵PID:2292
-
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe81⤵PID:4656
-
C:\Windows\SysWOW64\Ajeadd32.exeC:\Windows\system32\Ajeadd32.exe82⤵
- Drops file in System32 directory
PID:3376 -
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe83⤵
- Drops file in System32 directory
PID:4368 -
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe84⤵PID:2504
-
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5020 -
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe86⤵PID:2232
-
C:\Windows\SysWOW64\Aqaffn32.exeC:\Windows\system32\Aqaffn32.exe87⤵PID:780
-
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe88⤵PID:4980
-
C:\Windows\SysWOW64\Afnnnd32.exeC:\Windows\system32\Afnnnd32.exe89⤵PID:4008
-
C:\Windows\SysWOW64\Amhfkopc.exeC:\Windows\system32\Amhfkopc.exe90⤵
- Drops file in System32 directory
PID:1536 -
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe92⤵PID:3580
-
C:\Windows\SysWOW64\Bfqkddfd.exeC:\Windows\system32\Bfqkddfd.exe93⤵PID:2004
-
C:\Windows\SysWOW64\Biogppeg.exeC:\Windows\system32\Biogppeg.exe94⤵
- Modifies registry class
PID:3444 -
C:\Windows\SysWOW64\Bmkcqn32.exeC:\Windows\system32\Bmkcqn32.exe95⤵PID:2012
-
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe96⤵PID:4432
-
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe97⤵PID:2532
-
C:\Windows\SysWOW64\Bfchidda.exeC:\Windows\system32\Bfchidda.exe98⤵PID:944
-
C:\Windows\SysWOW64\Bcghch32.exeC:\Windows\system32\Bcghch32.exe99⤵PID:4172
-
C:\Windows\SysWOW64\Bfedoc32.exeC:\Windows\system32\Bfedoc32.exe100⤵
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Bidqko32.exeC:\Windows\system32\Bidqko32.exe101⤵PID:4552
-
C:\Windows\SysWOW64\Bpnihiio.exeC:\Windows\system32\Bpnihiio.exe102⤵PID:5136
-
C:\Windows\SysWOW64\Bciehh32.exeC:\Windows\system32\Bciehh32.exe103⤵PID:5180
-
C:\Windows\SysWOW64\Bfhadc32.exeC:\Windows\system32\Bfhadc32.exe104⤵PID:5224
-
C:\Windows\SysWOW64\Bifmqo32.exeC:\Windows\system32\Bifmqo32.exe105⤵PID:5268
-
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe106⤵PID:5312
-
C:\Windows\SysWOW64\Bfjnjcni.exeC:\Windows\system32\Bfjnjcni.exe107⤵PID:5360
-
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe108⤵PID:5404
-
C:\Windows\SysWOW64\Cmdfgm32.exeC:\Windows\system32\Cmdfgm32.exe109⤵
- Modifies registry class
PID:5448 -
C:\Windows\SysWOW64\Cpbbch32.exeC:\Windows\system32\Cpbbch32.exe110⤵PID:5492
-
C:\Windows\SysWOW64\Cgjjdf32.exeC:\Windows\system32\Cgjjdf32.exe111⤵PID:5536
-
C:\Windows\SysWOW64\Cjhfpa32.exeC:\Windows\system32\Cjhfpa32.exe112⤵PID:5580
-
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe113⤵PID:5620
-
C:\Windows\SysWOW64\Cabomkll.exeC:\Windows\system32\Cabomkll.exe114⤵
- Modifies registry class
PID:5664 -
C:\Windows\SysWOW64\Ccqkigkp.exeC:\Windows\system32\Ccqkigkp.exe115⤵
- Modifies registry class
PID:5712 -
C:\Windows\SysWOW64\Cfogeb32.exeC:\Windows\system32\Cfogeb32.exe116⤵PID:5756
-
C:\Windows\SysWOW64\Cimcan32.exeC:\Windows\system32\Cimcan32.exe117⤵PID:5796
-
C:\Windows\SysWOW64\Cmipblaq.exeC:\Windows\system32\Cmipblaq.exe118⤵PID:5840
-
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5920 -
C:\Windows\SysWOW64\Cgndoeag.exeC:\Windows\system32\Cgndoeag.exe120⤵PID:5960
-
C:\Windows\SysWOW64\Cfadkb32.exeC:\Windows\system32\Cfadkb32.exe121⤵PID:6012
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-