Analysis
-
max time kernel
117s -
max time network
108s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
22/07/2024, 08:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
82af9f0609ff9ac0407e231c30e77e10N.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
82af9f0609ff9ac0407e231c30e77e10N.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
5 signatures
120 seconds
General
-
Target
82af9f0609ff9ac0407e231c30e77e10N.exe
-
Size
1.2MB
-
MD5
82af9f0609ff9ac0407e231c30e77e10
-
SHA1
3dcde5bf2aaeeff93a46acaaee32a0a6e409a169
-
SHA256
fd4addcaafd42ed1b103751e0d8bc3aebb53c3ade5c0f2a15102aaaf534dc43a
-
SHA512
715de7b875986ce094b8bdeb3775b67ea20f6c798d6f3e6141f3b69ecc239c2bb8c5cbaa22016f998f8dd92514039895f2aa32f9179cb20e7fe5c622fe300201
-
SSDEEP
24576:8JILl5hwq5hVW1nq5h3q5hL6X1q5h3q5h:8CYt6
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojajin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaceghcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijegcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcgpni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcnfohmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nncccnol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nafjjf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Najceeoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmdhcddh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnafno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaqhjggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jikoopij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofckhj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdmgfedl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgjijmin.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jokkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgkdbacp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcmmhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bboffejp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkpmdbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihmfco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpmdfonj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfbaalbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mecjif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejfeng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plpjoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edplhjhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcphdqmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alelqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qacameaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahofoogd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmaopfjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddjmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epmmqheb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iedjmioj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqkqhm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iakiia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqpfjnba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fllkqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paiogf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeehkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chqogq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbnmke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjcngpjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfoann32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgenbfoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgehfkop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qeodhjmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcidmkpq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knnhjcog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npepkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogcnmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kecabifp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efgemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feoodn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ommceclc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 82af9f0609ff9ac0407e231c30e77e10N.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhmmjbkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egened32.exe -
Executes dropped EXE 64 IoCs
pid Process 3912 Hhknpmma.exe 3760 Hjlkge32.exe 1848 Ijogmdqm.exe 1488 Iakiia32.exe 2980 Ihdafkdg.exe 5108 Ikcmbfcj.exe 2628 Inainbcn.exe 1808 Iqpfjnba.exe 5100 Igjngh32.exe 380 Ijhjcchb.exe 2368 Ibobdqid.exe 3924 Jdnoplhh.exe 3920 Jglklggl.exe 2728 Jjjghcfp.exe 1380 Jnfcia32.exe 2608 Jqdoem32.exe 1040 Jhlgfj32.exe 3968 Jkjcbe32.exe 4244 Jnhpoamf.exe 4516 Jqglkmlj.exe 3808 Jhndljll.exe 8 Jklphekp.exe 3272 Jnkldqkc.exe 2944 Jqiipljg.exe 1440 Jhpqaiji.exe 2580 Jkomneim.exe 2632 Jnmijq32.exe 4560 Jqlefl32.exe 1556 Jgenbfoa.exe 1352 Jjdjoane.exe 2616 Jnpfop32.exe 776 Kqnbkl32.exe 1836 Kkcfid32.exe 3108 Knbbep32.exe 4196 Kqpoakco.exe 4684 Kiggbhda.exe 1072 Kkfcndce.exe 4396 Kjhcjq32.exe 3276 Kbpkkn32.exe 3060 Kenggi32.exe 3076 Kgmcce32.exe 3988 Kjkpoq32.exe 1496 Kbbhqn32.exe 1468 Keqdmihc.exe 3636 Kgopidgf.exe 3288 Kniieo32.exe 3440 Kageaj32.exe 3840 Kecabifp.exe 944 Kgamnded.exe 1636 Kjpijpdg.exe 2420 Lbgalmej.exe 4636 Liqihglg.exe 3880 Lkofdbkj.exe 2076 Lnnbqnjn.exe 764 Lalnmiia.exe 2132 Licfngjd.exe 3496 Ljdceo32.exe 4884 Lbkkgl32.exe 5056 Lejgch32.exe 2276 Lghcocol.exe 408 Ljgpkonp.exe 1084 Lnbklm32.exe 4596 Laqhhi32.exe 3548 Ljilqnlm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bacjdbch.exe Bmhocd32.exe File created C:\Windows\SysWOW64\Bkmeha32.exe Bmidnm32.exe File created C:\Windows\SysWOW64\Jnfcia32.exe Jjjghcfp.exe File opened for modification C:\Windows\SysWOW64\Mejpje32.exe Mblcnj32.exe File created C:\Windows\SysWOW64\Qikgco32.exe Qepkbpak.exe File created C:\Windows\SysWOW64\Jcoaglhk.exe Jocefm32.exe File created C:\Windows\SysWOW64\Jepjhg32.exe Jcanll32.exe File opened for modification C:\Windows\SysWOW64\Igjngh32.exe Iqpfjnba.exe File created C:\Windows\SysWOW64\Ecgcfm32.exe Elpkep32.exe File created C:\Windows\SysWOW64\Fihgkk32.dll Lmdnbn32.exe File created C:\Windows\SysWOW64\Hlohlk32.dll Apaadpng.exe File created C:\Windows\SysWOW64\Bnoddcef.exe Bkphhgfc.exe File created C:\Windows\SysWOW64\Pbjddh32.exe Paihlpfi.exe File created C:\Windows\SysWOW64\Jnpfop32.exe Jjdjoane.exe File created C:\Windows\SysWOW64\Jdblhj32.dll Fpgpgfmh.exe File opened for modification C:\Windows\SysWOW64\Moipoh32.exe Mmkdcm32.exe File created C:\Windows\SysWOW64\Anfmbd32.dll Doojec32.exe File created C:\Windows\SysWOW64\Nlphbnoe.exe Niakfbpa.exe File created C:\Windows\SysWOW64\Lojmcdgl.exe Lcclncbh.exe File created C:\Windows\SysWOW64\Pmkofa32.exe Pbekii32.exe File created C:\Windows\SysWOW64\Daollh32.exe Dkedonpo.exe File created C:\Windows\SysWOW64\Ikcmbfcj.exe Ihdafkdg.exe File opened for modification C:\Windows\SysWOW64\Epikpo32.exe Emkndc32.exe File created C:\Windows\SysWOW64\Ipaooi32.dll Dgjoif32.exe File created C:\Windows\SysWOW64\Ipkdek32.exe Ihdldn32.exe File created C:\Windows\SysWOW64\Ncjakdno.dll Klggli32.exe File opened for modification C:\Windows\SysWOW64\Ffobhg32.exe Fpejlmcf.exe File created C:\Windows\SysWOW64\Eanmnefk.dll Lomqcjie.exe File created C:\Windows\SysWOW64\Iakiia32.exe Ijogmdqm.exe File created C:\Windows\SysWOW64\Cmcolgbj.exe Bbnkonbd.exe File opened for modification C:\Windows\SysWOW64\Iojbpo32.exe Illfdc32.exe File created C:\Windows\SysWOW64\Pdjgha32.exe Palklf32.exe File created C:\Windows\SysWOW64\Kqnbkl32.exe Jnpfop32.exe File created C:\Windows\SysWOW64\Nlfcoqpl.dll Malpia32.exe File opened for modification C:\Windows\SysWOW64\Anmfbl32.exe Aknifq32.exe File opened for modification C:\Windows\SysWOW64\Loemnnhe.exe Process not Found File created C:\Windows\SysWOW64\Phgibp32.dll Ommceclc.exe File created C:\Windows\SysWOW64\Kkcghg32.dll Ecgodpgb.exe File opened for modification C:\Windows\SysWOW64\Lljklo32.exe Kjlopc32.exe File created C:\Windows\SysWOW64\Ehfomc32.dll Khbiello.exe File created C:\Windows\SysWOW64\Lbkank32.dll Ijhjcchb.exe File opened for modification C:\Windows\SysWOW64\Edplhjhi.exe Ebaplnie.exe File created C:\Windows\SysWOW64\Inebjihf.exe Ihkjno32.exe File created C:\Windows\SysWOW64\Qppaclio.exe Pciqnk32.exe File created C:\Windows\SysWOW64\Lghcocol.exe Lejgch32.exe File created C:\Windows\SysWOW64\Gbfnhm32.dll Njmhhefi.exe File created C:\Windows\SysWOW64\Cqnnno32.dll Kkfcndce.exe File created C:\Windows\SysWOW64\Akccap32.exe Adikdfna.exe File created C:\Windows\SysWOW64\Njinmf32.exe Ncofplba.exe File opened for modification C:\Windows\SysWOW64\Ekdnei32.exe Eejeiocj.exe File created C:\Windows\SysWOW64\Jjjojj32.dll Njhgbp32.exe File created C:\Windows\SysWOW64\Ejioqkck.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ooangh32.exe Process not Found File created C:\Windows\SysWOW64\Fimhbfpl.dll Fbbpmb32.exe File opened for modification C:\Windows\SysWOW64\Kncaec32.exe Kflide32.exe File created C:\Windows\SysWOW64\Dbnefjjd.dll Process not Found File created C:\Windows\SysWOW64\Ejchhgid.exe Eciplm32.exe File opened for modification C:\Windows\SysWOW64\Fpbflg32.exe Felbnn32.exe File opened for modification C:\Windows\SysWOW64\Cmedjl32.exe Cgklmacf.exe File created C:\Windows\SysWOW64\Ebgpad32.exe Ekmhejao.exe File created C:\Windows\SysWOW64\Hccdbf32.dll Onocomdo.exe File opened for modification C:\Windows\SysWOW64\Phajna32.exe Pdenmbkk.exe File created C:\Windows\SysWOW64\Cffpglpg.dll Ljdceo32.exe File created C:\Windows\SysWOW64\Oondnini.exe Nlphbnoe.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqmmmmph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mofmobmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnnbqnjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkimho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feoodn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lejgpb32.dll" Gbalopbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kllfakij.dll" Nqmfdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenpmnno.dll" Ojajin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjmjdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgddbm32.dll" Aoofle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eklajcmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnmijq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceohefin.dll" Mfbaalbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flngfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmflbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgkdbacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oelolmnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnlmhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khiofk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qckcba32.dll" Omfekbdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhfppabl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fohfbpgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhcmcm32.dll" Ddjmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njjdho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bacjdbch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njghbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anfjipgp.dll" Cfnqklgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbpajgmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehmok32.dll" Qdoacabq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebifmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghpldkpc.dll" Niakfbpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqkondfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnmmboed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Coadnlnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hblkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijogmdqm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohkbbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oejbfmpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfokn32.dll" Geohklaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meefofek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmggcl32.dll" Kcidmkpq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lobjni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqnbqh32.dll" Bhpofl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dojqjdbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anlkecaj.dll" Padnaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiokinbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onapdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qacameaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nafjjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaghgm32.dll" Lcjcnoej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnqfcbnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfohgqlg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcfahbpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klcekpdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkibgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkndie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Malgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddklbd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4704 wrote to memory of 3912 4704 82af9f0609ff9ac0407e231c30e77e10N.exe 84 PID 4704 wrote to memory of 3912 4704 82af9f0609ff9ac0407e231c30e77e10N.exe 84 PID 4704 wrote to memory of 3912 4704 82af9f0609ff9ac0407e231c30e77e10N.exe 84 PID 3912 wrote to memory of 3760 3912 Hhknpmma.exe 85 PID 3912 wrote to memory of 3760 3912 Hhknpmma.exe 85 PID 3912 wrote to memory of 3760 3912 Hhknpmma.exe 85 PID 3760 wrote to memory of 1848 3760 Hjlkge32.exe 86 PID 3760 wrote to memory of 1848 3760 Hjlkge32.exe 86 PID 3760 wrote to memory of 1848 3760 Hjlkge32.exe 86 PID 1848 wrote to memory of 1488 1848 Ijogmdqm.exe 87 PID 1848 wrote to memory of 1488 1848 Ijogmdqm.exe 87 PID 1848 wrote to memory of 1488 1848 Ijogmdqm.exe 87 PID 1488 wrote to memory of 2980 1488 Iakiia32.exe 88 PID 1488 wrote to memory of 2980 1488 Iakiia32.exe 88 PID 1488 wrote to memory of 2980 1488 Iakiia32.exe 88 PID 2980 wrote to memory of 5108 2980 Ihdafkdg.exe 89 PID 2980 wrote to memory of 5108 2980 Ihdafkdg.exe 89 PID 2980 wrote to memory of 5108 2980 Ihdafkdg.exe 89 PID 5108 wrote to memory of 2628 5108 Ikcmbfcj.exe 90 PID 5108 wrote to memory of 2628 5108 Ikcmbfcj.exe 90 PID 5108 wrote to memory of 2628 5108 Ikcmbfcj.exe 90 PID 2628 wrote to memory of 1808 2628 Inainbcn.exe 91 PID 2628 wrote to memory of 1808 2628 Inainbcn.exe 91 PID 2628 wrote to memory of 1808 2628 Inainbcn.exe 91 PID 1808 wrote to memory of 5100 1808 Iqpfjnba.exe 92 PID 1808 wrote to memory of 5100 1808 Iqpfjnba.exe 92 PID 1808 wrote to memory of 5100 1808 Iqpfjnba.exe 92 PID 5100 wrote to memory of 380 5100 Igjngh32.exe 93 PID 5100 wrote to memory of 380 5100 Igjngh32.exe 93 PID 5100 wrote to memory of 380 5100 Igjngh32.exe 93 PID 380 wrote to memory of 2368 380 Ijhjcchb.exe 94 PID 380 wrote to memory of 2368 380 Ijhjcchb.exe 94 PID 380 wrote to memory of 2368 380 Ijhjcchb.exe 94 PID 2368 wrote to memory of 3924 2368 Ibobdqid.exe 95 PID 2368 wrote to memory of 3924 2368 Ibobdqid.exe 95 PID 2368 wrote to memory of 3924 2368 Ibobdqid.exe 95 PID 3924 wrote to memory of 3920 3924 Jdnoplhh.exe 96 PID 3924 wrote to memory of 3920 3924 Jdnoplhh.exe 96 PID 3924 wrote to memory of 3920 3924 Jdnoplhh.exe 96 PID 3920 wrote to memory of 2728 3920 Jglklggl.exe 97 PID 3920 wrote to memory of 2728 3920 Jglklggl.exe 97 PID 3920 wrote to memory of 2728 3920 Jglklggl.exe 97 PID 2728 wrote to memory of 1380 2728 Jjjghcfp.exe 98 PID 2728 wrote to memory of 1380 2728 Jjjghcfp.exe 98 PID 2728 wrote to memory of 1380 2728 Jjjghcfp.exe 98 PID 1380 wrote to memory of 2608 1380 Jnfcia32.exe 99 PID 1380 wrote to memory of 2608 1380 Jnfcia32.exe 99 PID 1380 wrote to memory of 2608 1380 Jnfcia32.exe 99 PID 2608 wrote to memory of 1040 2608 Jqdoem32.exe 100 PID 2608 wrote to memory of 1040 2608 Jqdoem32.exe 100 PID 2608 wrote to memory of 1040 2608 Jqdoem32.exe 100 PID 1040 wrote to memory of 3968 1040 Jhlgfj32.exe 101 PID 1040 wrote to memory of 3968 1040 Jhlgfj32.exe 101 PID 1040 wrote to memory of 3968 1040 Jhlgfj32.exe 101 PID 3968 wrote to memory of 4244 3968 Jkjcbe32.exe 102 PID 3968 wrote to memory of 4244 3968 Jkjcbe32.exe 102 PID 3968 wrote to memory of 4244 3968 Jkjcbe32.exe 102 PID 4244 wrote to memory of 4516 4244 Jnhpoamf.exe 103 PID 4244 wrote to memory of 4516 4244 Jnhpoamf.exe 103 PID 4244 wrote to memory of 4516 4244 Jnhpoamf.exe 103 PID 4516 wrote to memory of 3808 4516 Jqglkmlj.exe 104 PID 4516 wrote to memory of 3808 4516 Jqglkmlj.exe 104 PID 4516 wrote to memory of 3808 4516 Jqglkmlj.exe 104 PID 3808 wrote to memory of 8 3808 Jhndljll.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\82af9f0609ff9ac0407e231c30e77e10N.exe"C:\Users\Admin\AppData\Local\Temp\82af9f0609ff9ac0407e231c30e77e10N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Windows\SysWOW64\Hhknpmma.exeC:\Windows\system32\Hhknpmma.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\Windows\SysWOW64\Hjlkge32.exeC:\Windows\system32\Hjlkge32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760 -
C:\Windows\SysWOW64\Ijogmdqm.exeC:\Windows\system32\Ijogmdqm.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Iakiia32.exeC:\Windows\system32\Iakiia32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Ihdafkdg.exeC:\Windows\system32\Ihdafkdg.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Ikcmbfcj.exeC:\Windows\system32\Ikcmbfcj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Windows\SysWOW64\Inainbcn.exeC:\Windows\system32\Inainbcn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Iqpfjnba.exeC:\Windows\system32\Iqpfjnba.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\Igjngh32.exeC:\Windows\system32\Igjngh32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\SysWOW64\Ijhjcchb.exeC:\Windows\system32\Ijhjcchb.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\SysWOW64\Ibobdqid.exeC:\Windows\system32\Ibobdqid.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Jdnoplhh.exeC:\Windows\system32\Jdnoplhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
C:\Windows\SysWOW64\Jglklggl.exeC:\Windows\system32\Jglklggl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Windows\SysWOW64\Jjjghcfp.exeC:\Windows\system32\Jjjghcfp.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Jnfcia32.exeC:\Windows\system32\Jnfcia32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\Jqdoem32.exeC:\Windows\system32\Jqdoem32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Jhlgfj32.exeC:\Windows\system32\Jhlgfj32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Jkjcbe32.exeC:\Windows\system32\Jkjcbe32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Windows\SysWOW64\Jnhpoamf.exeC:\Windows\system32\Jnhpoamf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\Jhndljll.exeC:\Windows\system32\Jhndljll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808 -
C:\Windows\SysWOW64\Jklphekp.exeC:\Windows\system32\Jklphekp.exe23⤵
- Executes dropped EXE
PID:8 -
C:\Windows\SysWOW64\Jnkldqkc.exeC:\Windows\system32\Jnkldqkc.exe24⤵
- Executes dropped EXE
PID:3272 -
C:\Windows\SysWOW64\Jqiipljg.exeC:\Windows\system32\Jqiipljg.exe25⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe26⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Jkomneim.exeC:\Windows\system32\Jkomneim.exe27⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Jnmijq32.exeC:\Windows\system32\Jnmijq32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Jqlefl32.exeC:\Windows\system32\Jqlefl32.exe29⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Jgenbfoa.exeC:\Windows\system32\Jgenbfoa.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Jjdjoane.exeC:\Windows\system32\Jjdjoane.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1352 -
C:\Windows\SysWOW64\Jnpfop32.exeC:\Windows\system32\Jnpfop32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Kqnbkl32.exeC:\Windows\system32\Kqnbkl32.exe33⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Kkcfid32.exeC:\Windows\system32\Kkcfid32.exe34⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Knbbep32.exeC:\Windows\system32\Knbbep32.exe35⤵
- Executes dropped EXE
PID:3108 -
C:\Windows\SysWOW64\Kqpoakco.exeC:\Windows\system32\Kqpoakco.exe36⤵
- Executes dropped EXE
PID:4196 -
C:\Windows\SysWOW64\Kiggbhda.exeC:\Windows\system32\Kiggbhda.exe37⤵
- Executes dropped EXE
PID:4684 -
C:\Windows\SysWOW64\Kkfcndce.exeC:\Windows\system32\Kkfcndce.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1072 -
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe39⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Kbpkkn32.exeC:\Windows\system32\Kbpkkn32.exe40⤵
- Executes dropped EXE
PID:3276 -
C:\Windows\SysWOW64\Kenggi32.exeC:\Windows\system32\Kenggi32.exe41⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Kgmcce32.exeC:\Windows\system32\Kgmcce32.exe42⤵
- Executes dropped EXE
PID:3076 -
C:\Windows\SysWOW64\Kjkpoq32.exeC:\Windows\system32\Kjkpoq32.exe43⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Kbbhqn32.exeC:\Windows\system32\Kbbhqn32.exe44⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe45⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Kgopidgf.exeC:\Windows\system32\Kgopidgf.exe46⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Kniieo32.exeC:\Windows\system32\Kniieo32.exe47⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Kageaj32.exeC:\Windows\system32\Kageaj32.exe48⤵
- Executes dropped EXE
PID:3440 -
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\Kgamnded.exeC:\Windows\system32\Kgamnded.exe50⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Kjpijpdg.exeC:\Windows\system32\Kjpijpdg.exe51⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Lbgalmej.exeC:\Windows\system32\Lbgalmej.exe52⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Liqihglg.exeC:\Windows\system32\Liqihglg.exe53⤵
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\Lkofdbkj.exeC:\Windows\system32\Lkofdbkj.exe54⤵
- Executes dropped EXE
PID:3880 -
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe56⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Licfngjd.exeC:\Windows\system32\Licfngjd.exe57⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Ljdceo32.exeC:\Windows\system32\Ljdceo32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3496 -
C:\Windows\SysWOW64\Lbkkgl32.exeC:\Windows\system32\Lbkkgl32.exe59⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Lejgch32.exeC:\Windows\system32\Lejgch32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5056 -
C:\Windows\SysWOW64\Lghcocol.exeC:\Windows\system32\Lghcocol.exe61⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Ljgpkonp.exeC:\Windows\system32\Ljgpkonp.exe62⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Lnbklm32.exeC:\Windows\system32\Lnbklm32.exe63⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Laqhhi32.exeC:\Windows\system32\Laqhhi32.exe64⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Lihpif32.exeC:\Windows\system32\Lihpif32.exe65⤵PID:4364
-
C:\Windows\SysWOW64\Ljilqnlm.exeC:\Windows\system32\Ljilqnlm.exe66⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Lbpdblmo.exeC:\Windows\system32\Lbpdblmo.exe67⤵PID:3052
-
C:\Windows\SysWOW64\Leopnglc.exeC:\Windows\system32\Leopnglc.exe68⤵PID:1748
-
C:\Windows\SysWOW64\Lhmmjbkf.exeC:\Windows\system32\Lhmmjbkf.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2432 -
C:\Windows\SysWOW64\Ljkifn32.exeC:\Windows\system32\Ljkifn32.exe70⤵PID:1036
-
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe71⤵PID:3024
-
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe72⤵PID:4236
-
C:\Windows\SysWOW64\Mhoipb32.exeC:\Windows\system32\Mhoipb32.exe73⤵PID:4140
-
C:\Windows\SysWOW64\Mjneln32.exeC:\Windows\system32\Mjneln32.exe74⤵PID:4600
-
C:\Windows\SysWOW64\Mbenmk32.exeC:\Windows\system32\Mbenmk32.exe75⤵PID:4864
-
C:\Windows\SysWOW64\Mecjif32.exeC:\Windows\system32\Mecjif32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:432 -
C:\Windows\SysWOW64\Mhafeb32.exeC:\Windows\system32\Mhafeb32.exe77⤵PID:808
-
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe78⤵PID:3400
-
C:\Windows\SysWOW64\Mbgjbkfg.exeC:\Windows\system32\Mbgjbkfg.exe79⤵PID:2712
-
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe80⤵
- Modifies registry class
PID:4484 -
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe81⤵PID:4068
-
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe82⤵PID:5128
-
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe83⤵PID:5168
-
C:\Windows\SysWOW64\Malgcg32.exeC:\Windows\system32\Malgcg32.exe84⤵
- Modifies registry class
PID:5200 -
C:\Windows\SysWOW64\Mhfppabl.exeC:\Windows\system32\Mhfppabl.exe85⤵
- Modifies registry class
PID:5240 -
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe86⤵PID:5272
-
C:\Windows\SysWOW64\Mblcnj32.exeC:\Windows\system32\Mblcnj32.exe87⤵
- Drops file in System32 directory
PID:5308 -
C:\Windows\SysWOW64\Mejpje32.exeC:\Windows\system32\Mejpje32.exe88⤵PID:5344
-
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe89⤵PID:5380
-
C:\Windows\SysWOW64\Njghbl32.exeC:\Windows\system32\Njghbl32.exe90⤵
- Modifies registry class
PID:5420 -
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe91⤵PID:5456
-
C:\Windows\SysWOW64\Naaqofgj.exeC:\Windows\system32\Naaqofgj.exe92⤵PID:5488
-
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe93⤵PID:5524
-
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe94⤵PID:5560
-
C:\Windows\SysWOW64\Noeahkfc.exeC:\Windows\system32\Noeahkfc.exe95⤵PID:5596
-
C:\Windows\SysWOW64\Nacmdf32.exeC:\Windows\system32\Nacmdf32.exe96⤵PID:5632
-
C:\Windows\SysWOW64\Nijeec32.exeC:\Windows\system32\Nijeec32.exe97⤵PID:5668
-
C:\Windows\SysWOW64\Nliaao32.exeC:\Windows\system32\Nliaao32.exe98⤵PID:5704
-
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe99⤵PID:5740
-
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5776 -
C:\Windows\SysWOW64\Nimbkc32.exeC:\Windows\system32\Nimbkc32.exe101⤵PID:5812
-
C:\Windows\SysWOW64\Nlkngo32.exeC:\Windows\system32\Nlkngo32.exe102⤵PID:5848
-
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe103⤵PID:5884
-
C:\Windows\SysWOW64\Nahgoe32.exeC:\Windows\system32\Nahgoe32.exe104⤵PID:5920
-
C:\Windows\SysWOW64\Niooqcad.exeC:\Windows\system32\Niooqcad.exe105⤵PID:5956
-
C:\Windows\SysWOW64\Nlnkmnah.exeC:\Windows\system32\Nlnkmnah.exe106⤵PID:5992
-
C:\Windows\SysWOW64\Nolgijpk.exeC:\Windows\system32\Nolgijpk.exe107⤵PID:6028
-
C:\Windows\SysWOW64\Najceeoo.exeC:\Windows\system32\Najceeoo.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6064 -
C:\Windows\SysWOW64\Niakfbpa.exeC:\Windows\system32\Niakfbpa.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:6100 -
C:\Windows\SysWOW64\Nlphbnoe.exeC:\Windows\system32\Nlphbnoe.exe110⤵
- Drops file in System32 directory
PID:6136 -
C:\Windows\SysWOW64\Oondnini.exeC:\Windows\system32\Oondnini.exe111⤵PID:1100
-
C:\Windows\SysWOW64\Oampjeml.exeC:\Windows\system32\Oampjeml.exe112⤵PID:540
-
C:\Windows\SysWOW64\Oidhlb32.exeC:\Windows\system32\Oidhlb32.exe113⤵PID:1480
-
C:\Windows\SysWOW64\Okedcjcm.exeC:\Windows\system32\Okedcjcm.exe114⤵PID:4376
-
C:\Windows\SysWOW64\Oblmdhdo.exeC:\Windows\system32\Oblmdhdo.exe115⤵PID:868
-
C:\Windows\SysWOW64\Oekiqccc.exeC:\Windows\system32\Oekiqccc.exe116⤵PID:2424
-
C:\Windows\SysWOW64\Ohiemobf.exeC:\Windows\system32\Ohiemobf.exe117⤵PID:5140
-
C:\Windows\SysWOW64\Okgaijaj.exeC:\Windows\system32\Okgaijaj.exe118⤵PID:5196
-
C:\Windows\SysWOW64\Oboijgbl.exeC:\Windows\system32\Oboijgbl.exe119⤵PID:5264
-
C:\Windows\SysWOW64\Oemefcap.exeC:\Windows\system32\Oemefcap.exe120⤵PID:5332
-
C:\Windows\SysWOW64\Ohkbbn32.exeC:\Windows\system32\Ohkbbn32.exe121⤵
- Modifies registry class
PID:3000
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-