Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
23-07-2024 02:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c8b63af1069fbfea319fe8e0ac328880b07fc20c1bd46f24c2ef95eb8b793f0c.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
c8b63af1069fbfea319fe8e0ac328880b07fc20c1bd46f24c2ef95eb8b793f0c.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
c8b63af1069fbfea319fe8e0ac328880b07fc20c1bd46f24c2ef95eb8b793f0c.exe
-
Size
88KB
-
MD5
dfd8ef3ab4e603d85e9dfb15e2e96c99
-
SHA1
6c2d2ba274bee3f7718fa9816cbad606dd3d0f77
-
SHA256
c8b63af1069fbfea319fe8e0ac328880b07fc20c1bd46f24c2ef95eb8b793f0c
-
SHA512
e057dbc34190e1b59121cccff56f93d76f3c1fdcfd6d556e00c001476c21f4f397370a81cf222c88e1f5536962fd23e6654a5dac446594c550d6e9d2038044d2
-
SSDEEP
1536:RXcGV3Xo0atzWgrP3yUfSs7csQ+jNwWL7xBZDWYRpk5E5tInouy8L:Nc6ohzNYs4ijPbZqYpXgoutL
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad c8b63af1069fbfea319fe8e0ac328880b07fc20c1bd46f24c2ef95eb8b793f0c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jleijb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojgjndno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opclldhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkpbin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldgccb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdigadjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgccinoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kibeoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nclikl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgmdec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcifkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekjded32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ieojgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkeldnpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iefphb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnjnqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhjmdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmlddqem.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaqbkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmalne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glcaambb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhfpbpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbnlaldg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bedgjgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppikbm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlkfbocp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okchnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmohno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jinboekc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohkkhhmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aeaanjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nclikl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Napjdpcn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njkkbehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alelqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgbpaipl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdkifmjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjodla32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddgplado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eecphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbchdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onpjichj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhldbh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpmapodj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cogddd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekaapi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdfpkm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgpcliao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lndagg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoelkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lebijnak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkfcqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhnhajba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nobdbkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olbdhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adkqoohc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkmkkjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aednci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdpjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fooclapd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcidmkpq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klpakj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgpfbjlo.exe -
Executes dropped EXE 64 IoCs
pid Process 4428 Milidebi.exe 4592 Mniallpq.exe 5104 Mahnhhod.exe 5116 Mhafeb32.exe 3960 Mjpbam32.exe 4912 Meefofek.exe 624 Mjbogmdb.exe 732 Mbighjdd.exe 3108 Micoed32.exe 4464 Mjellmbp.exe 1724 Mblcnj32.exe 404 Mejpje32.exe 1300 Mldhfpib.exe 2052 Nobdbkhf.exe 4576 Naaqofgj.exe 5016 Nhkikq32.exe 2264 Nbqmiinl.exe 4820 Nijeec32.exe 864 Nklbmllg.exe 1480 Neafjdkn.exe 3988 Nhpbfpka.exe 3924 Nojjcj32.exe 768 Nahgoe32.exe 2236 Nlnkmnah.exe 4700 Nbgcih32.exe 4572 Nefped32.exe 4824 Nhdlao32.exe 388 Okchnk32.exe 4732 Oampjeml.exe 64 Oidhlb32.exe 4604 Ooqqdi32.exe 5040 Oaompd32.exe 4908 Oifeab32.exe 3208 Oldamm32.exe 1928 Oocmii32.exe 2760 Oemefcap.exe 3016 Ohkbbn32.exe 4080 Ooejohhq.exe 2120 Oadfkdgd.exe 2104 Ohnohn32.exe 2132 Oklkdi32.exe 3112 Oohgdhfn.exe 4748 Oafcqcea.exe 3928 Oeaoab32.exe 904 Pllgnl32.exe 4144 Pojcjh32.exe 2488 Pahpfc32.exe 4708 Phbhcmjl.exe 4280 Pkadoiip.exe 408 Pchlpfjb.exe 4212 Pakllc32.exe 2876 Phedhmhi.exe 3052 Pkcadhgm.exe 520 Pcjiff32.exe 312 Pamiaboj.exe 2520 Pidabppl.exe 4004 Plbmokop.exe 3568 Pcmeke32.exe 2268 Pekbga32.exe 4232 Pifnhpmi.exe 1752 Plejdkmm.exe 3672 Pocfpf32.exe 2936 Pabblb32.exe 3604 Piijno32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Pcjiff32.exe Pkcadhgm.exe File opened for modification C:\Windows\SysWOW64\Inlihl32.exe Icfekc32.exe File created C:\Windows\SysWOW64\Mdpmoppk.dll Ponfka32.exe File created C:\Windows\SysWOW64\Jcoiaikp.dll Jlbejloe.exe File created C:\Windows\SysWOW64\Ilnbicff.exe Iipfmggc.exe File created C:\Windows\SysWOW64\Cpfcfmlp.exe Cnhgjaml.exe File created C:\Windows\SysWOW64\Kjmqinmi.dll Mhafeb32.exe File opened for modification C:\Windows\SysWOW64\Bkkple32.exe Bjicdmmd.exe File created C:\Windows\SysWOW64\Hecjke32.exe Hbenoi32.exe File created C:\Windows\SysWOW64\Pakdbp32.exe Pidlqb32.exe File opened for modification C:\Windows\SysWOW64\Madjhb32.exe Mkhapk32.exe File created C:\Windows\SysWOW64\Eobkhf32.dll Alpbecod.exe File created C:\Windows\SysWOW64\Eblimcdf.exe Ekaapi32.exe File created C:\Windows\SysWOW64\Oclknk32.dll Fefedmil.exe File created C:\Windows\SysWOW64\Pmblagmf.exe Pfiddm32.exe File created C:\Windows\SysWOW64\Nbphglbe.exe Noblkqca.exe File created C:\Windows\SysWOW64\Aeddnp32.exe Acfhad32.exe File created C:\Windows\SysWOW64\Ldgccb32.exe Ljaoeini.exe File created C:\Windows\SysWOW64\Phlepppi.dll Akdilipp.exe File opened for modification C:\Windows\SysWOW64\Apaadpng.exe Aaoaic32.exe File opened for modification C:\Windows\SysWOW64\Dddllkbf.exe Dafppp32.exe File opened for modification C:\Windows\SysWOW64\Eqncnj32.exe Eomffaag.exe File opened for modification C:\Windows\SysWOW64\Cfigpm32.exe Bckkca32.exe File opened for modification C:\Windows\SysWOW64\Cfpffeaj.exe Cdpjlb32.exe File created C:\Windows\SysWOW64\Cgnomg32.exe Cpdgqmnb.exe File created C:\Windows\SysWOW64\Blgifbil.exe Bnfihkqm.exe File created C:\Windows\SysWOW64\Ennqfenp.exe Eeelnp32.exe File created C:\Windows\SysWOW64\Jefjbddd.dll Jiiicf32.exe File opened for modification C:\Windows\SysWOW64\Kjlopc32.exe Kgnbdh32.exe File created C:\Windows\SysWOW64\Imnbiq32.dll Mmhgmmbf.exe File created C:\Windows\SysWOW64\Debcil32.dll Noppeaed.exe File created C:\Windows\SysWOW64\Nmcpoedn.exe Nhhdnf32.exe File created C:\Windows\SysWOW64\Fppcajgd.dll Ckilmcgb.exe File created C:\Windows\SysWOW64\Gbfldf32.exe Gkkgpc32.exe File created C:\Windows\SysWOW64\Akkeajoj.dll Mokmdh32.exe File created C:\Windows\SysWOW64\Figfoijn.dll Mgbefe32.exe File opened for modification C:\Windows\SysWOW64\Gijmad32.exe Gacepg32.exe File created C:\Windows\SysWOW64\Lfinqm32.dll Akoqpg32.exe File created C:\Windows\SysWOW64\Ipaooi32.dll Dkekjdck.exe File created C:\Windows\SysWOW64\Lipgdi32.dll Gegkpf32.exe File opened for modification C:\Windows\SysWOW64\Omdieb32.exe Oihmedma.exe File created C:\Windows\SysWOW64\Cobhcgin.dll Mniallpq.exe File created C:\Windows\SysWOW64\Ejfeng32.exe Ebommi32.exe File created C:\Windows\SysWOW64\Kjjiej32.exe Kqbdldnq.exe File opened for modification C:\Windows\SysWOW64\Mnjqmpgg.exe Mjodla32.exe File created C:\Windows\SysWOW64\Oonlfo32.exe Omopjcjp.exe File created C:\Windows\SysWOW64\Fljhbbae.dll Omdieb32.exe File created C:\Windows\SysWOW64\Pencqe32.dll Paihlpfi.exe File opened for modification C:\Windows\SysWOW64\Pblajhje.exe Pciqnk32.exe File created C:\Windows\SysWOW64\Gdmjaa32.dll Eclmamod.exe File created C:\Windows\SysWOW64\Ebcneqod.dll Eppjfgcp.exe File created C:\Windows\SysWOW64\Ljeafb32.exe Lggejg32.exe File created C:\Windows\SysWOW64\Cmgilf32.dll Mbibfm32.exe File created C:\Windows\SysWOW64\Ocnabm32.exe Opbean32.exe File opened for modification C:\Windows\SysWOW64\Pifnhpmi.exe Pekbga32.exe File created C:\Windows\SysWOW64\Jilfifme.exe Jcanll32.exe File created C:\Windows\SysWOW64\Njgigo32.dll Jjpode32.exe File opened for modification C:\Windows\SysWOW64\Pccahbmn.exe Pjkmomfn.exe File created C:\Windows\SysWOW64\Eiekog32.exe Eqncnj32.exe File created C:\Windows\SysWOW64\Fqeioiam.exe Fkhpfbce.exe File opened for modification C:\Windows\SysWOW64\Pfccogfc.exe Pbhgoh32.exe File created C:\Windows\SysWOW64\Gnbcohkd.dll Emphocjj.exe File opened for modification C:\Windows\SysWOW64\Knqepc32.exe Kgflcifg.exe File created C:\Windows\SysWOW64\Mkfoeejd.dll Opclldhj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1788 15988 WerFault.exe 893 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgpnm32.dll" Ooqqdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmlddqem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahcld32.dll" Igdgglfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nofefp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmigoagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndoell32.dll" Gmfplibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpefcn32.dll" Jghpbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkjmfeo.dll" Alcfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajggomog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Niojoeel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehndnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkcocace.dll" Mblcnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlndcmq.dll" Hcblpdgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lahoec32.dll" Bkphhgfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fomnhddq.dll" Cnhgjaml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnhejgh.dll" Plmmif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abklmb32.dll" Cljobphg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fngcmcfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dnonkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Epndknin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gojiiafp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Piapkbeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phfjcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieoacg32.dll" Aednci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abdkep32.dll" Eeelnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmpcbhji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Boihcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hildmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ialjan32.dll" Ebimgcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Johnamkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjecbd32.dll" Bogkmgba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcniglmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdflmg32.dll" Phodcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmcnoekk.dll" Ilcldb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bpdnjple.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cammjakm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlkfbocp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcmodajm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahpmjejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oppceehj.dll" Npepkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omnjojpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akpoaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofgdcipq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Klndfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfiildio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kgdpni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mfhbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klambq32.dll" Figgdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Geldkfpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfmpaf32.dll" Ofjqihnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okchnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbfldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hffken32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gnpphljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jicchk32.dll" Lpjjmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdflahpe.dll" Bkoigdom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnkpnclp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmafajfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cagdge32.dll" Egened32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iomoenej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lqojclne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibmlia32.dll" Chdialdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goniok32.dll" Iefphb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfgcakon.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3232 wrote to memory of 4428 3232 c8b63af1069fbfea319fe8e0ac328880b07fc20c1bd46f24c2ef95eb8b793f0c.exe 86 PID 3232 wrote to memory of 4428 3232 c8b63af1069fbfea319fe8e0ac328880b07fc20c1bd46f24c2ef95eb8b793f0c.exe 86 PID 3232 wrote to memory of 4428 3232 c8b63af1069fbfea319fe8e0ac328880b07fc20c1bd46f24c2ef95eb8b793f0c.exe 86 PID 4428 wrote to memory of 4592 4428 Milidebi.exe 87 PID 4428 wrote to memory of 4592 4428 Milidebi.exe 87 PID 4428 wrote to memory of 4592 4428 Milidebi.exe 87 PID 4592 wrote to memory of 5104 4592 Mniallpq.exe 88 PID 4592 wrote to memory of 5104 4592 Mniallpq.exe 88 PID 4592 wrote to memory of 5104 4592 Mniallpq.exe 88 PID 5104 wrote to memory of 5116 5104 Mahnhhod.exe 89 PID 5104 wrote to memory of 5116 5104 Mahnhhod.exe 89 PID 5104 wrote to memory of 5116 5104 Mahnhhod.exe 89 PID 5116 wrote to memory of 3960 5116 Mhafeb32.exe 90 PID 5116 wrote to memory of 3960 5116 Mhafeb32.exe 90 PID 5116 wrote to memory of 3960 5116 Mhafeb32.exe 90 PID 3960 wrote to memory of 4912 3960 Mjpbam32.exe 91 PID 3960 wrote to memory of 4912 3960 Mjpbam32.exe 91 PID 3960 wrote to memory of 4912 3960 Mjpbam32.exe 91 PID 4912 wrote to memory of 624 4912 Meefofek.exe 92 PID 4912 wrote to memory of 624 4912 Meefofek.exe 92 PID 4912 wrote to memory of 624 4912 Meefofek.exe 92 PID 624 wrote to memory of 732 624 Mjbogmdb.exe 93 PID 624 wrote to memory of 732 624 Mjbogmdb.exe 93 PID 624 wrote to memory of 732 624 Mjbogmdb.exe 93 PID 732 wrote to memory of 3108 732 Mbighjdd.exe 94 PID 732 wrote to memory of 3108 732 Mbighjdd.exe 94 PID 732 wrote to memory of 3108 732 Mbighjdd.exe 94 PID 3108 wrote to memory of 4464 3108 Micoed32.exe 95 PID 3108 wrote to memory of 4464 3108 Micoed32.exe 95 PID 3108 wrote to memory of 4464 3108 Micoed32.exe 95 PID 4464 wrote to memory of 1724 4464 Mjellmbp.exe 96 PID 4464 wrote to memory of 1724 4464 Mjellmbp.exe 96 PID 4464 wrote to memory of 1724 4464 Mjellmbp.exe 96 PID 1724 wrote to memory of 404 1724 Mblcnj32.exe 97 PID 1724 wrote to memory of 404 1724 Mblcnj32.exe 97 PID 1724 wrote to memory of 404 1724 Mblcnj32.exe 97 PID 404 wrote to memory of 1300 404 Mejpje32.exe 99 PID 404 wrote to memory of 1300 404 Mejpje32.exe 99 PID 404 wrote to memory of 1300 404 Mejpje32.exe 99 PID 1300 wrote to memory of 2052 1300 Mldhfpib.exe 100 PID 1300 wrote to memory of 2052 1300 Mldhfpib.exe 100 PID 1300 wrote to memory of 2052 1300 Mldhfpib.exe 100 PID 2052 wrote to memory of 4576 2052 Nobdbkhf.exe 101 PID 2052 wrote to memory of 4576 2052 Nobdbkhf.exe 101 PID 2052 wrote to memory of 4576 2052 Nobdbkhf.exe 101 PID 4576 wrote to memory of 5016 4576 Naaqofgj.exe 102 PID 4576 wrote to memory of 5016 4576 Naaqofgj.exe 102 PID 4576 wrote to memory of 5016 4576 Naaqofgj.exe 102 PID 5016 wrote to memory of 2264 5016 Nhkikq32.exe 103 PID 5016 wrote to memory of 2264 5016 Nhkikq32.exe 103 PID 5016 wrote to memory of 2264 5016 Nhkikq32.exe 103 PID 2264 wrote to memory of 4820 2264 Nbqmiinl.exe 104 PID 2264 wrote to memory of 4820 2264 Nbqmiinl.exe 104 PID 2264 wrote to memory of 4820 2264 Nbqmiinl.exe 104 PID 4820 wrote to memory of 864 4820 Nijeec32.exe 105 PID 4820 wrote to memory of 864 4820 Nijeec32.exe 105 PID 4820 wrote to memory of 864 4820 Nijeec32.exe 105 PID 864 wrote to memory of 1480 864 Nklbmllg.exe 106 PID 864 wrote to memory of 1480 864 Nklbmllg.exe 106 PID 864 wrote to memory of 1480 864 Nklbmllg.exe 106 PID 1480 wrote to memory of 3988 1480 Neafjdkn.exe 107 PID 1480 wrote to memory of 3988 1480 Neafjdkn.exe 107 PID 1480 wrote to memory of 3988 1480 Neafjdkn.exe 107 PID 3988 wrote to memory of 3924 3988 Nhpbfpka.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\c8b63af1069fbfea319fe8e0ac328880b07fc20c1bd46f24c2ef95eb8b793f0c.exe"C:\Users\Admin\AppData\Local\Temp\c8b63af1069fbfea319fe8e0ac328880b07fc20c1bd46f24c2ef95eb8b793f0c.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\Windows\SysWOW64\Mniallpq.exeC:\Windows\system32\Mniallpq.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\Mahnhhod.exeC:\Windows\system32\Mahnhhod.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\Mhafeb32.exeC:\Windows\system32\Mhafeb32.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:732 -
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
C:\Windows\SysWOW64\Mblcnj32.exeC:\Windows\system32\Mblcnj32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Mejpje32.exeC:\Windows\system32\Mejpje32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\Mldhfpib.exeC:\Windows\system32\Mldhfpib.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Naaqofgj.exeC:\Windows\system32\Naaqofgj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\SysWOW64\Nhkikq32.exeC:\Windows\system32\Nhkikq32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Nijeec32.exeC:\Windows\system32\Nijeec32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\Neafjdkn.exeC:\Windows\system32\Neafjdkn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe23⤵
- Executes dropped EXE
PID:3924 -
C:\Windows\SysWOW64\Nahgoe32.exeC:\Windows\system32\Nahgoe32.exe24⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Nlnkmnah.exeC:\Windows\system32\Nlnkmnah.exe25⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Nbgcih32.exeC:\Windows\system32\Nbgcih32.exe26⤵
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\Nefped32.exeC:\Windows\system32\Nefped32.exe27⤵
- Executes dropped EXE
PID:4572 -
C:\Windows\SysWOW64\Nhdlao32.exeC:\Windows\system32\Nhdlao32.exe28⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:388 -
C:\Windows\SysWOW64\Oampjeml.exeC:\Windows\system32\Oampjeml.exe30⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Oidhlb32.exeC:\Windows\system32\Oidhlb32.exe31⤵
- Executes dropped EXE
PID:64 -
C:\Windows\SysWOW64\Olbdhn32.exeC:\Windows\system32\Olbdhn32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2284 -
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:4604 -
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe34⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Oifeab32.exeC:\Windows\system32\Oifeab32.exe35⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe36⤵
- Executes dropped EXE
PID:3208 -
C:\Windows\SysWOW64\Oocmii32.exeC:\Windows\system32\Oocmii32.exe37⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Oemefcap.exeC:\Windows\system32\Oemefcap.exe38⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Ohkbbn32.exeC:\Windows\system32\Ohkbbn32.exe39⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Ooejohhq.exeC:\Windows\system32\Ooejohhq.exe40⤵
- Executes dropped EXE
PID:4080 -
C:\Windows\SysWOW64\Oadfkdgd.exeC:\Windows\system32\Oadfkdgd.exe41⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Ohnohn32.exeC:\Windows\system32\Ohnohn32.exe42⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Oklkdi32.exeC:\Windows\system32\Oklkdi32.exe43⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Oohgdhfn.exeC:\Windows\system32\Oohgdhfn.exe44⤵
- Executes dropped EXE
PID:3112 -
C:\Windows\SysWOW64\Oafcqcea.exeC:\Windows\system32\Oafcqcea.exe45⤵
- Executes dropped EXE
PID:4748 -
C:\Windows\SysWOW64\Oeaoab32.exeC:\Windows\system32\Oeaoab32.exe46⤵
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\Pllgnl32.exeC:\Windows\system32\Pllgnl32.exe47⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Pojcjh32.exeC:\Windows\system32\Pojcjh32.exe48⤵
- Executes dropped EXE
PID:4144 -
C:\Windows\SysWOW64\Pahpfc32.exeC:\Windows\system32\Pahpfc32.exe49⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Phbhcmjl.exeC:\Windows\system32\Phbhcmjl.exe50⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Pkadoiip.exeC:\Windows\system32\Pkadoiip.exe51⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Pchlpfjb.exeC:\Windows\system32\Pchlpfjb.exe52⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe53⤵
- Executes dropped EXE
PID:4212 -
C:\Windows\SysWOW64\Phedhmhi.exeC:\Windows\system32\Phedhmhi.exe54⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Pkcadhgm.exeC:\Windows\system32\Pkcadhgm.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3052 -
C:\Windows\SysWOW64\Pcjiff32.exeC:\Windows\system32\Pcjiff32.exe56⤵
- Executes dropped EXE
PID:520 -
C:\Windows\SysWOW64\Pamiaboj.exeC:\Windows\system32\Pamiaboj.exe57⤵
- Executes dropped EXE
PID:312 -
C:\Windows\SysWOW64\Pidabppl.exeC:\Windows\system32\Pidabppl.exe58⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Plbmokop.exeC:\Windows\system32\Plbmokop.exe59⤵
- Executes dropped EXE
PID:4004 -
C:\Windows\SysWOW64\Pcmeke32.exeC:\Windows\system32\Pcmeke32.exe60⤵
- Executes dropped EXE
PID:3568 -
C:\Windows\SysWOW64\Pekbga32.exeC:\Windows\system32\Pekbga32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Pifnhpmi.exeC:\Windows\system32\Pifnhpmi.exe62⤵
- Executes dropped EXE
PID:4232 -
C:\Windows\SysWOW64\Plejdkmm.exeC:\Windows\system32\Plejdkmm.exe63⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Pocfpf32.exeC:\Windows\system32\Pocfpf32.exe64⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Pabblb32.exeC:\Windows\system32\Pabblb32.exe65⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Piijno32.exeC:\Windows\system32\Piijno32.exe66⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Qkjgegae.exeC:\Windows\system32\Qkjgegae.exe67⤵PID:2412
-
C:\Windows\SysWOW64\Qepkbpak.exeC:\Windows\system32\Qepkbpak.exe68⤵PID:3376
-
C:\Windows\SysWOW64\Qhngolpo.exeC:\Windows\system32\Qhngolpo.exe69⤵PID:2204
-
C:\Windows\SysWOW64\Qaflgago.exeC:\Windows\system32\Qaflgago.exe70⤵PID:2448
-
C:\Windows\SysWOW64\Ahqddk32.exeC:\Windows\system32\Ahqddk32.exe71⤵PID:920
-
C:\Windows\SysWOW64\Akoqpg32.exeC:\Windows\system32\Akoqpg32.exe72⤵
- Drops file in System32 directory
PID:1508 -
C:\Windows\SysWOW64\Acfhad32.exeC:\Windows\system32\Acfhad32.exe73⤵
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\Aeddnp32.exeC:\Windows\system32\Aeddnp32.exe74⤵PID:2588
-
C:\Windows\SysWOW64\Alnmjjdb.exeC:\Windows\system32\Alnmjjdb.exe75⤵PID:4664
-
C:\Windows\SysWOW64\Afgacokc.exeC:\Windows\system32\Afgacokc.exe76⤵PID:2832
-
C:\Windows\SysWOW64\Ajbmdn32.exeC:\Windows\system32\Ajbmdn32.exe77⤵PID:5036
-
C:\Windows\SysWOW64\Alqjpi32.exeC:\Windows\system32\Alqjpi32.exe78⤵PID:1880
-
C:\Windows\SysWOW64\Ackbmcjl.exeC:\Windows\system32\Ackbmcjl.exe79⤵PID:2976
-
C:\Windows\SysWOW64\Ajdjin32.exeC:\Windows\system32\Ajdjin32.exe80⤵PID:3904
-
C:\Windows\SysWOW64\Alcfei32.exeC:\Windows\system32\Alcfei32.exe81⤵
- Modifies registry class
PID:4692 -
C:\Windows\SysWOW64\Aoabad32.exeC:\Windows\system32\Aoabad32.exe82⤵PID:4068
-
C:\Windows\SysWOW64\Ajggomog.exeC:\Windows\system32\Ajggomog.exe83⤵
- Modifies registry class
PID:4900 -
C:\Windows\SysWOW64\Aleckinj.exeC:\Windows\system32\Aleckinj.exe84⤵PID:3668
-
C:\Windows\SysWOW64\Acokhc32.exeC:\Windows\system32\Acokhc32.exe85⤵PID:1800
-
C:\Windows\SysWOW64\Bjicdmmd.exeC:\Windows\system32\Bjicdmmd.exe86⤵
- Drops file in System32 directory
PID:3464 -
C:\Windows\SysWOW64\Bkkple32.exeC:\Windows\system32\Bkkple32.exe87⤵PID:1560
-
C:\Windows\SysWOW64\Bkmmaeap.exeC:\Windows\system32\Bkmmaeap.exe88⤵PID:4976
-
C:\Windows\SysWOW64\Bohibc32.exeC:\Windows\system32\Bohibc32.exe89⤵PID:4784
-
C:\Windows\SysWOW64\Bfbaonae.exeC:\Windows\system32\Bfbaonae.exe90⤵PID:5152
-
C:\Windows\SysWOW64\Bhamkipi.exeC:\Windows\system32\Bhamkipi.exe91⤵PID:5204
-
C:\Windows\SysWOW64\Bkoigdom.exeC:\Windows\system32\Bkoigdom.exe92⤵
- Modifies registry class
PID:5248 -
C:\Windows\SysWOW64\Bbiado32.exeC:\Windows\system32\Bbiado32.exe93⤵PID:5292
-
C:\Windows\SysWOW64\Bmofagfp.exeC:\Windows\system32\Bmofagfp.exe94⤵PID:5336
-
C:\Windows\SysWOW64\Bkafmd32.exeC:\Windows\system32\Bkafmd32.exe95⤵PID:5380
-
C:\Windows\SysWOW64\Bfgjjm32.exeC:\Windows\system32\Bfgjjm32.exe96⤵PID:5424
-
C:\Windows\SysWOW64\Bmabggdm.exeC:\Windows\system32\Bmabggdm.exe97⤵PID:5468
-
C:\Windows\SysWOW64\Bckkca32.exeC:\Windows\system32\Bckkca32.exe98⤵
- Drops file in System32 directory
PID:5512 -
C:\Windows\SysWOW64\Cfigpm32.exeC:\Windows\system32\Cfigpm32.exe99⤵PID:5552
-
C:\Windows\SysWOW64\Cobkhb32.exeC:\Windows\system32\Cobkhb32.exe100⤵PID:5600
-
C:\Windows\SysWOW64\Cfldelik.exeC:\Windows\system32\Cfldelik.exe101⤵PID:5644
-
C:\Windows\SysWOW64\Cmflbf32.exeC:\Windows\system32\Cmflbf32.exe102⤵PID:5680
-
C:\Windows\SysWOW64\Ckilmcgb.exeC:\Windows\system32\Ckilmcgb.exe103⤵
- Drops file in System32 directory
PID:5736 -
C:\Windows\SysWOW64\Cbbdjm32.exeC:\Windows\system32\Cbbdjm32.exe104⤵PID:5780
-
C:\Windows\SysWOW64\Cfnqklgh.exeC:\Windows\system32\Cfnqklgh.exe105⤵PID:5824
-
C:\Windows\SysWOW64\Cimmggfl.exeC:\Windows\system32\Cimmggfl.exe106⤵PID:5868
-
C:\Windows\SysWOW64\Cbeapmll.exeC:\Windows\system32\Cbeapmll.exe107⤵PID:5912
-
C:\Windows\SysWOW64\Cioilg32.exeC:\Windows\system32\Cioilg32.exe108⤵PID:5988
-
C:\Windows\SysWOW64\Coiaiakf.exeC:\Windows\system32\Coiaiakf.exe109⤵PID:6044
-
C:\Windows\SysWOW64\Cbgnemjj.exeC:\Windows\system32\Cbgnemjj.exe110⤵PID:6084
-
C:\Windows\SysWOW64\Cmmbbejp.exeC:\Windows\system32\Cmmbbejp.exe111⤵PID:6128
-
C:\Windows\SysWOW64\Ccgjopal.exeC:\Windows\system32\Ccgjopal.exe112⤵PID:5136
-
C:\Windows\SysWOW64\Djqblj32.exeC:\Windows\system32\Djqblj32.exe113⤵PID:5216
-
C:\Windows\SysWOW64\Dkbocbog.exeC:\Windows\system32\Dkbocbog.exe114⤵PID:5280
-
C:\Windows\SysWOW64\Dfgcakon.exeC:\Windows\system32\Dfgcakon.exe115⤵
- Modifies registry class
PID:5360 -
C:\Windows\SysWOW64\Djcoai32.exeC:\Windows\system32\Djcoai32.exe116⤵PID:5404
-
C:\Windows\SysWOW64\Dmalne32.exeC:\Windows\system32\Dmalne32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5508 -
C:\Windows\SysWOW64\Dkdliame.exeC:\Windows\system32\Dkdliame.exe118⤵PID:5564
-
C:\Windows\SysWOW64\Dckdjomg.exeC:\Windows\system32\Dckdjomg.exe119⤵PID:5620
-
C:\Windows\SysWOW64\Dfjpfj32.exeC:\Windows\system32\Dfjpfj32.exe120⤵PID:5664
-
C:\Windows\SysWOW64\Dihlbf32.exeC:\Windows\system32\Dihlbf32.exe121⤵PID:5776
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-