Analysis

max time kernel: 152s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-10-2022 07:37
Static task: static1

Behavioral task: behavioral1
  Sample: 6dbc0331d219ba4d600d668e64f4efee6e081efacf0874acb3acd3749ad99a1d.exe
  Resource: win7-20220901-en

Behavioral task: behavioral2
  Sample: 6dbc0331d219ba4d600d668e64f4efee6e081efacf0874acb3acd3749ad99a1d.exe
  Resource: win10v2004-20220812-en
General

Target: 6dbc0331d219ba4d600d668e64f4efee6e081efacf0874acb3acd3749ad99a1d.exe
Size: 92KB
MD5: a2b600e42cd00888208dfb28faa2ecf0
SHA1: 67fb74581582d18dcde4a6201dc163d540dbd945
SHA256: 6dbc0331d219ba4d600d668e64f4efee6e081efacf0874acb3acd3749ad99a1d
SHA512: 7112c57435b25f30de54669c560778c95c35a025c14715e46b03e1dad48fcd2a9b68a4c891a1b9fb162e2d8b07914819983e942e6d7a29f9d4c381b2b7cf6b78
SSDEEP: 1536:VBAIaHrKZMLzHfa2NdNlzB8i3jLV3BGnMPJKEsztuJO:0IUrKZoi2NDXjjLlBRh1sN
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ecepiiid.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qplogpih.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dpcbii32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cmblob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ikecnnpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ihkpma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lpbokjho.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djaldema.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qpobgekq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qplogpih.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmcibama.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dalofi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kokbfo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Anepfi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fanimm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bbkeacqo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jqofippg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kiajjena.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bgpjllnc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hoepcn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nbebbk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ocgkan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dajbaika.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jjhjae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mbamjgpg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dclmbjao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Faqfclaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jhimopqn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddhomdje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Icminm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Icmbja32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hoepcn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hjlaoioh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Glbafjkj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Inhiei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dpalgenf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ghcbohpp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kcehejic.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mmdlflki.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eefcmbdc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lmkblajj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qkbjooli.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kohnfide.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lnikcdop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ojnfihmo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lcqgahoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eapmlopi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Edpgli32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oiihahme.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fpeaeedg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohobebig.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mikega32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nifebp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Miklkm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nfaijand.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ofoogc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gaglck32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jlnbopoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iqaiga32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kgqdfi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Npnqjjgf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ikliomjo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hfgloiqf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pgbdcqhe.exe
Executes dropped EXE (64 IoCs)

pid | Process
2248 | Dlqphkqj.exe
3052 | Dghakc32.exe
5064 | Dleick32.exe
4264 | Dpcbii32.exe
4692 | Lfdmon32.exe
4744 | Dgomgq32.exe
4748 | Dbdaeied.exe
4548 | Dalkkegj.exe
3420 | Ebndkhmj.exe
1112 | Eacald32.exe
1732 | Ebbmfgid.exe
4488 | Ejnbjj32.exe
4836 | Eecfhb32.exe
4628 | Ejpopi32.exe
2728 | Eefcmbdc.exe
3116 | Eongfh32.exe
2840 | Flddelgj.exe
1084 | Faammbea.exe
400 | Fkjafh32.exe
208 | Feofca32.exe
4784 | Fogjlf32.exe
2504 | Fhpoelii.exe
3640 | Gbecbeho.exe
4504 | Gkqhgg32.exe
4856 | Glpdajmm.exe
2672 | Gbjlnd32.exe
1276 | Glbafjkj.exe
4268 | Gaoioq32.exe
3424 | Gembeooh.exe
2228 | Glgjai32.exe
3380 | Hepojo32.exe
4824 | Hliggieb.exe
4028 | Hccodc32.exe
4724 | Hedhenip.exe
4968 | Hkaqnegg.exe
4524 | Hiball32.exe
4592 | Hooidc32.exe
3856 | Hamepo32.exe
1460 | Hhgnmi32.exe
3636 | Icmbja32.exe
4340 | Ihjkbh32.exe
3212 | Icoopa32.exe
3080 | Ihlghhpi.exe
2664 | Jkajdb32.exe
5100 | Jkdfjbgb.exe
1096 | Jfikgkgh.exe
3740 | Jkfcpbep.exe
4056 | Jjgcni32.exe
4068 | Jbbhblkj.exe
4604 | Jofhkpic.exe
760 | Kmjiedhm.exe
764 | Kbgamk32.exe
4788 | Kiajjena.exe
4660 | Kokbfo32.exe
1136 | Kicfoelo.exe
4004 | Kcikmnld.exe
5024 | Kifced32.exe
3924 | Kjepogao.exe
4356 | Kbqdcjoj.exe
1844 | Lkiiloej.exe
4364 | Lfnmihep.exe
1592 | Lcbmclcj.exe
632 | Lmkblajj.exe
1088 | Llpomn32.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Fcaqka32.exe | Fiilblom.exe
File created | C:\Windows\SysWOW64\Nmkheljf.dll | Hgpbhmna.exe
File created | C:\Windows\SysWOW64\Kbqdcjoj.exe | Kjepogao.exe
File opened for modification | C:\Windows\SysWOW64\Eenfbmfo.exe | Ejhbedfi.exe
File opened for modification | C:\Windows\SysWOW64\Jemmhdog.exe | Jnfeggoe.exe
File created | C:\Windows\SysWOW64\Opkoflco.exe | Fmpjmh32.exe
File created | C:\Windows\SysWOW64\Ilfennic.exe | Hlppno32.exe
File created | C:\Windows\SysWOW64\Cdolgfbp.exe | Caqpkjcl.exe
File created | C:\Windows\SysWOW64\Fdkdibjp.exe | Fnalmh32.exe
File opened for modification | C:\Windows\SysWOW64\Qkqdnkge.exe | Pahpee32.exe
File created | C:\Windows\SysWOW64\Hjcbmgnb.dll | Nbebbk32.exe
File created | C:\Windows\SysWOW64\Gcfjfqah.exe | Gpgnjebd.exe
File created | C:\Windows\SysWOW64\Gbecbeho.exe | Fhpoelii.exe
File created | C:\Windows\SysWOW64\Lpqglh32.dll | Mppdhl32.exe
File created | C:\Windows\SysWOW64\Qpobgekq.exe | Qkbjooli.exe
File opened for modification | C:\Windows\SysWOW64\Agndoo32.exe | Adohccod.exe
File opened for modification | C:\Windows\SysWOW64\Dkahnhdd.exe | Dqkdao32.exe
File opened for modification | C:\Windows\SysWOW64\Ikliomjo.exe | Iliicp32.exe
File created | C:\Windows\SysWOW64\Bjcmpepm.exe | Bhbahm32.exe
File created | C:\Windows\SysWOW64\Oickbjmb.exe | Ohaokbfd.exe
File created | C:\Windows\SysWOW64\Jkfcpbep.exe | Jfikgkgh.exe
File created | C:\Windows\SysWOW64\Kokbfo32.exe | Kiajjena.exe
File created | C:\Windows\SysWOW64\Mebhom32.dll | Bldond32.exe
File created | C:\Windows\SysWOW64\Dmnkkang.exe | Dcegbk32.exe
File created | C:\Windows\SysWOW64\Cmeafpab.dll | Oiihahme.exe
File created | C:\Windows\SysWOW64\Oaejhh32.exe | Ogpfko32.exe
File created | C:\Windows\SysWOW64\Kldphm32.dll | Ajmgof32.exe
File created | C:\Windows\SysWOW64\Iobcll32.dll | Mfofpe32.exe
File created | C:\Windows\SysWOW64\Meikek32.dll | Agndoo32.exe
File created | C:\Windows\SysWOW64\Iliicp32.exe | Ieoagflg.exe
File opened for modification | C:\Windows\SysWOW64\Aalmimfd.exe | Afappe32.exe
File created | C:\Windows\SysWOW64\Ncjiib32.dll | Dalofi32.exe
File opened for modification | C:\Windows\SysWOW64\Niglfl32.exe | Ngipjp32.exe
File created | C:\Windows\SysWOW64\Goniok32.dll | Ilfennic.exe
File opened for modification | C:\Windows\SysWOW64\Kggjghkd.exe | Kppbejka.exe
File created | C:\Windows\SysWOW64\Mllnhm32.exe | Mfofpe32.exe
File created | C:\Windows\SysWOW64\Jpaddd32.dll | Pcdlmb32.exe
File created | C:\Windows\SysWOW64\Djmbif32.exe | Dqdnppjf.exe
File created | C:\Windows\SysWOW64\Dkahnhdd.exe | Dqkdao32.exe
File created | C:\Windows\SysWOW64\Fjdaqbll.exe | Fmpagnmb.exe
File created | C:\Windows\SysWOW64\Gdheefio.exe | Gajiik32.exe
File created | C:\Windows\SysWOW64\Ckdiqnel.dll | Bdiamnpc.exe
File opened for modification | C:\Windows\SysWOW64\Dpcbii32.exe | Dleick32.exe
File created | C:\Windows\SysWOW64\Diljjh32.dll | Ejnbjj32.exe
File created | C:\Windows\SysWOW64\Pinnjmie.dll | Gaglck32.exe
File created | C:\Windows\SysWOW64\Jlnbopoo.exe | Jdgjmbnl.exe
File opened for modification | C:\Windows\SysWOW64\Ckggnp32.exe | Cigkdmel.exe
File created | C:\Windows\SysWOW64\Lpghfi32.exe | Ljjpnb32.exe
File opened for modification | C:\Windows\SysWOW64\Feofca32.exe | Fkjafh32.exe
File created | C:\Windows\SysWOW64\Dkhehilo.exe | Cndeoe32.exe
File created | C:\Windows\SysWOW64\Kalmid32.dll | Fcaqka32.exe
File created | C:\Windows\SysWOW64\Bjmgcibf.dll | Ggafgo32.exe
File created | C:\Windows\SysWOW64\Cdibqp32.dll | Ogpfko32.exe
File created | C:\Windows\SysWOW64\Jgibqj32.dll | Dfcqod32.exe
File created | C:\Windows\SysWOW64\Ejkiiokj.dll | Hcdfho32.exe
File created | C:\Windows\SysWOW64\Hiball32.exe | Hkaqnegg.exe
File created | C:\Windows\SysWOW64\Mcnhcoij.dll | Apfhhddi.exe
File created | C:\Windows\SysWOW64\Galooolh.dll | Fanimm32.exe
File opened for modification | C:\Windows\SysWOW64\Gajiik32.exe | Gaglck32.exe
File created | C:\Windows\SysWOW64\Nbmlhi32.dll | Jemmhdog.exe
File created | C:\Windows\SysWOW64\Djegekil.exe | Dggkipii.exe
File created | C:\Windows\SysWOW64\Ifilcpkd.dll | Cddjeq32.exe
File created | C:\Windows\SysWOW64\Mhicpg32.exe | Lpbopfag.exe
File opened for modification | C:\Windows\SysWOW64\Kcehejic.exe | Kaflio32.exe
Modifies registry class (64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ghcbohpp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kaflio32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nibbklke.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jdkdha32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mflfak32.dll" | Edmjfifl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hfklhhcl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Biiobo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacjdgkj.dll" | Miklkm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oahgnh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oggllnkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbkogcqj.dll" | Hccodc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aijcfkoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cnindhpg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fiilblom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fghgonlp.dll" | Kifced32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Niblgqal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdommmpd.dll" | Adohccod.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fanimm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Npcaie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pahpee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elednfne.dll" | Ahngmnnd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oilgafla.dll" | Kcikmnld.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aphendbf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eapmlopi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mgfqmfde.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Flddelgj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbaeebg.dll" | Lmkblajj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keippf32.dll" | Flhgfeoi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kmmmnp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mlgemm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mikega32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mapppn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oihmedma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milmhdib.dll" | Jkfcpbep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ahpdcn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ljjpnb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lpghfi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lmkipncc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kldphm32.dll" | Ajmgof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Edpgli32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mjaabq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dalofi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kcehejic.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gajiik32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Inmbqhgp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Foqkdp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jfokff32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hamepo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jkfcpbep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obbqffhn.dll" | Lcbmclcj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqodliaa.dll" | Fjbdkc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ngipjp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aklciimh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgilho32.dll" | Edaaccbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fgiaemic.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ijjnpg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kgemahmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hliggieb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdehjilo.dll" | Mjclpe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gphikkif.dll" | Qkbjooli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cddjeq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pphckb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lpbopfag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmfqgao.dll" | Liifnp32.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 1304 wrote to memory of 2248 | 1304 | 6dbc0331d219ba4d600d668e64f4efee6e081efacf0874acb3acd3749ad99a1d.exe | 81
PID 1304 wrote to memory of 2248 | 1304 | 6dbc0331d219ba4d600d668e64f4efee6e081efacf0874acb3acd3749ad99a1d.exe | 81
PID 1304 wrote to memory of 2248 | 1304 | 6dbc0331d219ba4d600d668e64f4efee6e081efacf0874acb3acd3749ad99a1d.exe | 81
PID 2248 wrote to memory of 3052 | 2248 | Dlqphkqj.exe | 82
PID 2248 wrote to memory of 3052 | 2248 | Dlqphkqj.exe | 82
PID 2248 wrote to memory of 3052 | 2248 | Dlqphkqj.exe | 82
PID 3052 wrote to memory of 5064 | 3052 | Dghakc32.exe | 83
PID 3052 wrote to memory of 5064 | 3052 | Dghakc32.exe | 83
PID 3052 wrote to memory of 5064 | 3052 | Dghakc32.exe | 83
PID 5064 wrote to memory of 4264 | 5064 | Dleick32.exe | 84
PID 5064 wrote to memory of 4264 | 5064 | Dleick32.exe | 84
PID 5064 wrote to memory of 4264 | 5064 | Dleick32.exe | 84
PID 4264 wrote to memory of 4692 | 4264 | Dpcbii32.exe | 85
PID 4264 wrote to memory of 4692 | 4264 | Dpcbii32.exe | 85
PID 4264 wrote to memory of 4692 | 4264 | Dpcbii32.exe | 85
PID 4692 wrote to memory of 4744 | 4692 | Lfdmon32.exe | 86
PID 4692 wrote to memory of 4744 | 4692 | Lfdmon32.exe | 86
PID 4692 wrote to memory of 4744 | 4692 | Lfdmon32.exe | 86
PID 4744 wrote to memory of 4748 | 4744 | Dgomgq32.exe | 87
PID 4744 wrote to memory of 4748 | 4744 | Dgomgq32.exe | 87
PID 4744 wrote to memory of 4748 | 4744 | Dgomgq32.exe | 87
PID 4748 wrote to memory of 4548 | 4748 | Dbdaeied.exe | 88
PID 4748 wrote to memory of 4548 | 4748 | Dbdaeied.exe | 88
PID 4748 wrote to memory of 4548 | 4748 | Dbdaeied.exe | 88
PID 4548 wrote to memory of 3420 | 4548 | Dalkkegj.exe | 89
PID 4548 wrote to memory of 3420 | 4548 | Dalkkegj.exe | 89
PID 4548 wrote to memory of 3420 | 4548 | Dalkkegj.exe | 89
PID 3420 wrote to memory of 1112 | 3420 | Ebndkhmj.exe | 90
PID 3420 wrote to memory of 1112 | 3420 | Ebndkhmj.exe | 90
PID 3420 wrote to memory of 1112 | 3420 | Ebndkhmj.exe | 90
PID 1112 wrote to memory of 1732 | 1112 | Eacald32.exe | 91
PID 1112 wrote to memory of 1732 | 1112 | Eacald32.exe | 91
PID 1112 wrote to memory of 1732 | 1112 | Eacald32.exe | 91
PID 1732 wrote to memory of 4488 | 1732 | Ebbmfgid.exe | 92
PID 1732 wrote to memory of 4488 | 1732 | Ebbmfgid.exe | 92
PID 1732 wrote to memory of 4488 | 1732 | Ebbmfgid.exe | 92
PID 4488 wrote to memory of 4836 | 4488 | Ejnbjj32.exe | 93
PID 4488 wrote to memory of 4836 | 4488 | Ejnbjj32.exe | 93
PID 4488 wrote to memory of 4836 | 4488 | Ejnbjj32.exe | 93
PID 4836 wrote to memory of 4628 | 4836 | Eecfhb32.exe | 94
PID 4836 wrote to memory of 4628 | 4836 | Eecfhb32.exe | 94
PID 4836 wrote to memory of 4628 | 4836 | Eecfhb32.exe | 94
PID 4628 wrote to memory of 2728 | 4628 | Ejpopi32.exe | 95
PID 4628 wrote to memory of 2728 | 4628 | Ejpopi32.exe | 95
PID 4628 wrote to memory of 2728 | 4628 | Ejpopi32.exe | 95
PID 2728 wrote to memory of 3116 | 2728 | Eefcmbdc.exe | 96
PID 2728 wrote to memory of 3116 | 2728 | Eefcmbdc.exe | 96
PID 2728 wrote to memory of 3116 | 2728 | Eefcmbdc.exe | 96
PID 3116 wrote to memory of 2840 | 3116 | Eongfh32.exe | 97
PID 3116 wrote to memory of 2840 | 3116 | Eongfh32.exe | 97
PID 3116 wrote to memory of 2840 | 3116 | Eongfh32.exe | 97
PID 2840 wrote to memory of 1084 | 2840 | Flddelgj.exe | 98
PID 2840 wrote to memory of 1084 | 2840 | Flddelgj.exe | 98
PID 2840 wrote to memory of 1084 | 2840 | Flddelgj.exe | 98
PID 1084 wrote to memory of 400 | 1084 | Faammbea.exe | 99
PID 1084 wrote to memory of 400 | 1084 | Faammbea.exe | 99
PID 1084 wrote to memory of 400 | 1084 | Faammbea.exe | 99
PID 400 wrote to memory of 208 | 400 | Fkjafh32.exe | 100
PID 400 wrote to memory of 208 | 400 | Fkjafh32.exe | 100
PID 400 wrote to memory of 208 | 400 | Fkjafh32.exe | 100
PID 208 wrote to memory of 4784 | 208 | Feofca32.exe | 101
PID 208 wrote to memory of 4784 | 208 | Feofca32.exe | 101
PID 208 wrote to memory of 4784 | 208 | Feofca32.exe | 101
PID 4784 wrote to memory of 2504 | 4784 | Fogjlf32.exe | 102
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\6dbc0331d219ba4d600d668e64f4efee6e081efacf0874acb3acd3749ad99a1d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6dbc0331d219ba4d600d668e64f4efee6e081efacf0874acb3acd3749ad99a1d.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1304

Depth 2: C:\Windows\SysWOW64\Dlqphkqj.exe
  Command line: C:\Windows\system32\Dlqphkqj.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2248

Depth 3: C:\Windows\SysWOW64\Dghakc32.exe
  Command line: C:\Windows\system32\Dghakc32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3052

Depth 4: C:\Windows\SysWOW64\Dleick32.exe
  Command line: C:\Windows\system32\Dleick32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 5064

Depth 5: C:\Windows\SysWOW64\Dpcbii32.exe
  Command line: C:\Windows\system32\Dpcbii32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4264

Depth 6: C:\Windows\SysWOW64\Lfdmon32.exe
  Command line: C:\Windows\system32\Lfdmon32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4692

Depth 7: C:\Windows\SysWOW64\Dgomgq32.exe
  Command line: C:\Windows\system32\Dgomgq32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4744

Depth 8: C:\Windows\SysWOW64\Dbdaeied.exe
  Command line: C:\Windows\system32\Dbdaeied.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4748

Depth 9: C:\Windows\SysWOW64\Dalkkegj.exe
  Command line: C:\Windows\system32\Dalkkegj.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4548

Depth 10: C:\Windows\SysWOW64\Ebndkhmj.exe
  Command line: C:\Windows\system32\Ebndkhmj.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3420

Depth 11: C:\Windows\SysWOW64\Eacald32.exe
  Command line: C:\Windows\system32\Eacald32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1112

Depth 12: C:\Windows\SysWOW64\Ebbmfgid.exe
  Command line: C:\Windows\system32\Ebbmfgid.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1732

Depth 13: C:\Windows\SysWOW64\Ejnbjj32.exe
  Command line: C:\Windows\system32\Ejnbjj32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 4488

Depth 14: C:\Windows\SysWOW64\Eecfhb32.exe
  Command line: C:\Windows\system32\Eecfhb32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4836

Depth 15: C:\Windows\SysWOW64\Ejpopi32.exe
  Command line: C:\Windows\system32\Ejpopi32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4628

Depth 16: C:\Windows\SysWOW64\Eefcmbdc.exe
  Command line: C:\Windows\system32\Eefcmbdc.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2728

Depth 17: C:\Windows\SysWOW64\Eongfh32.exe
  Command line: C:\Windows\system32\Eongfh32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3116

Depth 18: C:\Windows\SysWOW64\Flddelgj.exe
  Command line: C:\Windows\system32\Flddelgj.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2840

Depth 19: C:\Windows\SysWOW64\Faammbea.exe
  Command line: C:\Windows\system32\Faammbea.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1084

Depth 20: C:\Windows\SysWOW64\Fkjafh32.exe
  Command line: C:\Windows\system32\Fkjafh32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 400

Depth 21: C:\Windows\SysWOW64\Feofca32.exe
  Command line: C:\Windows\system32\Feofca32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 208

Depth 22: C:\Windows\SysWOW64\Fogjlf32.exe
  Command line: C:\Windows\system32\Fogjlf32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\Fhpoelii.exeC:\Windows\system32\Fhpoelii.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Gbecbeho.exeC:\Windows\system32\Gbecbeho.exe24⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\Gkqhgg32.exeC:\Windows\system32\Gkqhgg32.exe25⤵
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\Glpdajmm.exeC:\Windows\system32\Glpdajmm.exe26⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Gbjlnd32.exeC:\Windows\system32\Gbjlnd32.exe27⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Glbafjkj.exeC:\Windows\system32\Glbafjkj.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Gaoioq32.exeC:\Windows\system32\Gaoioq32.exe29⤵
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Gembeooh.exeC:\Windows\system32\Gembeooh.exe30⤵
- Executes dropped EXE
PID:3424 -
C:\Windows\SysWOW64\Glgjai32.exeC:\Windows\system32\Glgjai32.exe31⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Hepojo32.exeC:\Windows\system32\Hepojo32.exe32⤵
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Hliggieb.exeC:\Windows\system32\Hliggieb.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:4824 -
C:\Windows\SysWOW64\Hccodc32.exeC:\Windows\system32\Hccodc32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:4028 -
C:\Windows\SysWOW64\Hedhenip.exeC:\Windows\system32\Hedhenip.exe35⤵
- Executes dropped EXE
PID:4724 -
C:\Windows\SysWOW64\Hkaqnegg.exeC:\Windows\system32\Hkaqnegg.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4968 -
C:\Windows\SysWOW64\Hiball32.exeC:\Windows\system32\Hiball32.exe37⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Hooidc32.exeC:\Windows\system32\Hooidc32.exe38⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Hamepo32.exeC:\Windows\system32\Hamepo32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:3856 -
C:\Windows\SysWOW64\Hhgnmi32.exeC:\Windows\system32\Hhgnmi32.exe40⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Icmbja32.exeC:\Windows\system32\Icmbja32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Ihjkbh32.exeC:\Windows\system32\Ihjkbh32.exe42⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Icoopa32.exeC:\Windows\system32\Icoopa32.exe43⤵
- Executes dropped EXE
PID:3212 -
C:\Windows\SysWOW64\Ihlghhpi.exeC:\Windows\system32\Ihlghhpi.exe44⤵
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\Jkajdb32.exeC:\Windows\system32\Jkajdb32.exe45⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Jkdfjbgb.exeC:\Windows\system32\Jkdfjbgb.exe46⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Jfikgkgh.exeC:\Windows\system32\Jfikgkgh.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1096 -
C:\Windows\SysWOW64\Jkfcpbep.exeC:\Windows\system32\Jkfcpbep.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:3740 -
C:\Windows\SysWOW64\Jjgcni32.exeC:\Windows\system32\Jjgcni32.exe49⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Jbbhblkj.exeC:\Windows\system32\Jbbhblkj.exe50⤵
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Jofhkpic.exeC:\Windows\system32\Jofhkpic.exe51⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Kmjiedhm.exeC:\Windows\system32\Kmjiedhm.exe52⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Kbgamk32.exeC:\Windows\system32\Kbgamk32.exe53⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Kiajjena.exeC:\Windows\system32\Kiajjena.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4788 -
C:\Windows\SysWOW64\Kokbfo32.exeC:\Windows\system32\Kokbfo32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Kicfoelo.exeC:\Windows\system32\Kicfoelo.exe56⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Kcikmnld.exeC:\Windows\system32\Kcikmnld.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:4004 -
C:\Windows\SysWOW64\Kifced32.exeC:\Windows\system32\Kifced32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:5024 -
C:\Windows\SysWOW64\Kjepogao.exeC:\Windows\system32\Kjepogao.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3924 -
C:\Windows\SysWOW64\Kbqdcjoj.exeC:\Windows\system32\Kbqdcjoj.exe60⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Lkiiloej.exeC:\Windows\system32\Lkiiloej.exe61⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Lfnmihep.exeC:\Windows\system32\Lfnmihep.exe62⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Lcbmclcj.exeC:\Windows\system32\Lcbmclcj.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Lmkblajj.exeC:\Windows\system32\Lmkblajj.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:632 -
C:\Windows\SysWOW64\Llpomn32.exeC:\Windows\system32\Llpomn32.exe65⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Lmokga32.exeC:\Windows\system32\Lmokga32.exe66⤵PID:2268
-
C:\Windows\SysWOW64\Mjclpe32.exeC:\Windows\system32\Mjclpe32.exe67⤵
- Modifies registry class
PID:644 -
C:\Windows\SysWOW64\Mppdhl32.exeC:\Windows\system32\Mppdhl32.exe68⤵
- Drops file in System32 directory
PID:1564 -
C:\Windows\SysWOW64\Mihiaajf.exeC:\Windows\system32\Mihiaajf.exe69⤵PID:3432
-
C:\Windows\SysWOW64\Mlgemm32.exeC:\Windows\system32\Mlgemm32.exe70⤵
- Modifies registry class
PID:4084 -
C:\Windows\SysWOW64\Mbamjgpg.exeC:\Windows\system32\Mbamjgpg.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4712 -
C:\Windows\SysWOW64\Mikega32.exeC:\Windows\system32\Mikega32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4668 -
C:\Windows\SysWOW64\Mfofpe32.exeC:\Windows\system32\Mfofpe32.exe73⤵
- Drops file in System32 directory
PID:4144 -
C:\Windows\SysWOW64\Mllnhm32.exeC:\Windows\system32\Mllnhm32.exe74⤵PID:2548
-
C:\Windows\SysWOW64\Mipobqco.exeC:\Windows\system32\Mipobqco.exe75⤵PID:5068
-
C:\Windows\SysWOW64\Mlnknlcb.exeC:\Windows\system32\Mlnknlcb.exe76⤵PID:3188
-
C:\Windows\SysWOW64\Niblgqal.exeC:\Windows\system32\Niblgqal.exe77⤵
- Modifies registry class
PID:1392 -
C:\Windows\SysWOW64\Nidhmp32.exeC:\Windows\system32\Nidhmp32.exe78⤵PID:4828
-
C:\Windows\SysWOW64\Npnqjjgf.exeC:\Windows\system32\Npnqjjgf.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1512 -
C:\Windows\SysWOW64\Nfhifd32.exeC:\Windows\system32\Nfhifd32.exe80⤵PID:1336
-
C:\Windows\SysWOW64\Nifebp32.exeC:\Windows\system32\Nifebp32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1396 -
C:\Windows\SysWOW64\Nmdnin32.exeC:\Windows\system32\Nmdnin32.exe82⤵PID:3756
-
C:\Windows\SysWOW64\Njhnbb32.exeC:\Windows\system32\Njhnbb32.exe83⤵PID:3892
-
C:\Windows\SysWOW64\Nljkjjhe.exeC:\Windows\system32\Nljkjjhe.exe84⤵PID:3468
-
C:\Windows\SysWOW64\Ofoogc32.exeC:\Windows\system32\Ofoogc32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2004 -
C:\Windows\SysWOW64\Obfpldno.exeC:\Windows\system32\Obfpldno.exe86⤵PID:540
-
C:\Windows\SysWOW64\Omkdimne.exeC:\Windows\system32\Omkdimne.exe87⤵PID:2848
-
C:\Windows\SysWOW64\Ppcclgen.exeC:\Windows\system32\Ppcclgen.exe88⤵PID:1156
-
C:\Windows\SysWOW64\Pkigipdd.exeC:\Windows\system32\Pkigipdd.exe89⤵PID:3504
-
C:\Windows\SysWOW64\Ppepag32.exeC:\Windows\system32\Ppepag32.exe90⤵PID:1716
-
C:\Windows\SysWOW64\Pcdlmb32.exeC:\Windows\system32\Pcdlmb32.exe91⤵
- Drops file in System32 directory
PID:1684 -
C:\Windows\SysWOW64\Pkkdop32.exeC:\Windows\system32\Pkkdop32.exe92⤵PID:3184
-
C:\Windows\SysWOW64\Pllpfhhp.exeC:\Windows\system32\Pllpfhhp.exe93⤵PID:4020
-
C:\Windows\SysWOW64\Pdchgeib.exeC:\Windows\system32\Pdchgeib.exe94⤵PID:3880
-
C:\Windows\SysWOW64\Pgbdcqhe.exeC:\Windows\system32\Pgbdcqhe.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1048 -
C:\Windows\SysWOW64\Plomlgfm.exeC:\Windows\system32\Plomlgfm.exe96⤵PID:4684
-
C:\Windows\SysWOW64\Pdfeme32.exeC:\Windows\system32\Pdfeme32.exe97⤵PID:4336
-
C:\Windows\SysWOW64\Pkpmjonl.exeC:\Windows\system32\Pkpmjonl.exe98⤵PID:2320
-
C:\Windows\SysWOW64\Plajag32.exeC:\Windows\system32\Plajag32.exe99⤵PID:1840
-
C:\Windows\SysWOW64\Qdhabd32.exeC:\Windows\system32\Qdhabd32.exe100⤵PID:228
-
C:\Windows\SysWOW64\Qkbjooli.exeC:\Windows\system32\Qkbjooli.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Qpobgekq.exeC:\Windows\system32\Qpobgekq.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2500 -
C:\Windows\SysWOW64\Qgikdpbn.exeC:\Windows\system32\Qgikdpbn.exe103⤵PID:3220
-
C:\Windows\SysWOW64\Qnccaj32.exeC:\Windows\system32\Qnccaj32.exe104⤵PID:4328
-
C:\Windows\SysWOW64\Acpkiq32.exeC:\Windows\system32\Acpkiq32.exe105⤵PID:4928
-
C:\Windows\SysWOW64\Aijcfkoo.exeC:\Windows\system32\Aijcfkoo.exe106⤵
- Modifies registry class
PID:5124 -
C:\Windows\SysWOW64\Anepfi32.exeC:\Windows\system32\Anepfi32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5140 -
C:\Windows\SysWOW64\Adohccod.exeC:\Windows\system32\Adohccod.exe108⤵
- Drops file in System32 directory
- Modifies registry class
PID:5160 -
C:\Windows\SysWOW64\Agndoo32.exeC:\Windows\system32\Agndoo32.exe109⤵
- Drops file in System32 directory
PID:5176 -
C:\Windows\SysWOW64\Apfhhddi.exeC:\Windows\system32\Apfhhddi.exe110⤵
- Drops file in System32 directory
PID:5192 -
C:\Windows\SysWOW64\Agpqeo32.exeC:\Windows\system32\Agpqeo32.exe111⤵PID:5208
-
C:\Windows\SysWOW64\Anjiaicb.exeC:\Windows\system32\Anjiaicb.exe112⤵PID:5224
-
C:\Windows\SysWOW64\Aphendbf.exeC:\Windows\system32\Aphendbf.exe113⤵
- Modifies registry class
PID:5240 -
C:\Windows\SysWOW64\Agbnjnjc.exeC:\Windows\system32\Agbnjnjc.exe114⤵PID:5256
-
C:\Windows\SysWOW64\Aknikm32.exeC:\Windows\system32\Aknikm32.exe115⤵PID:5364
-
C:\Windows\SysWOW64\Adfndbil.exeC:\Windows\system32\Adfndbil.exe116⤵PID:5388
-
C:\Windows\SysWOW64\Agdjpnhp.exeC:\Windows\system32\Agdjpnhp.exe117⤵PID:5408
-
C:\Windows\SysWOW64\Bpmoic32.exeC:\Windows\system32\Bpmoic32.exe118⤵PID:5424
-
C:\Windows\SysWOW64\Bgggenfn.exeC:\Windows\system32\Bgggenfn.exe119⤵PID:5440
-
C:\Windows\SysWOW64\Bldond32.exeC:\Windows\system32\Bldond32.exe120⤵
- Drops file in System32 directory
PID:5460 -
C:\Windows\SysWOW64\Bjlibhoi.exeC:\Windows\system32\Bjlibhoi.exe121⤵PID:5476
-
C:\Windows\SysWOW64\Bgpjllnc.exeC:\Windows\system32\Bgpjllnc.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5492
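The process tree above is one straight chain: every dropped executable in SysWOW64 writes into the memory of, and starts, exactly one further dropped executable, and a subset of them set the ShellServiceObjectDelayLoad autorun value. The Python below is an added example, not part of the sandbox report or of the sample's code. It parses a constructed excerpt of both lists (five consecutive tree entries and their "wrote to memory of" lines, copied with the PIDs and signatures shown on the page), reconstructs parent/child relations from the depth numbers, and cross-checks that every WriteProcessMemory target is the writer's direct child and that no process branches. The line format, the column reading of the WriteProcessMemory list (description, writer PID, writer image, report-internal index of the target) and the function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed excerpt in the shape of the process tree above (depths 12 to 16,
# PIDs and signatures as shown on the page). Each entry is
# "<image path><command line><depth>⤵", then "- <signature>" lines, then "PID:<n>".
TREE_TEXT = r"""
C:\Windows\SysWOW64\Ebbmfgid.exeC:\Windows\system32\Ebbmfgid.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Ejnbjj32.exeC:\Windows\system32\Ejnbjj32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\SysWOW64\Eecfhb32.exeC:\Windows\system32\Eecfhb32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\Ejpopi32.exeC:\Windows\system32\Ejpopi32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Windows\SysWOW64\Eefcmbdc.exeC:\Windows\system32\Eefcmbdc.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
"""

# Constructed excerpt of the "wrote to memory of" list for the same PIDs. The
# sandbox logs each child three times (kept for 1732 to show de-duplication).
# Column reading is an assumption: description, writer PID, writer image, target index.
WPM_TEXT = """
PID 1732 wrote to memory of 4488 1732 Ebbmfgid.exe 92
PID 1732 wrote to memory of 4488 1732 Ebbmfgid.exe 92
PID 1732 wrote to memory of 4488 1732 Ebbmfgid.exe 92
PID 4488 wrote to memory of 4836 4488 Ejnbjj32.exe 93
PID 4836 wrote to memory of 4628 4836 Eecfhb32.exe 94
PID 4628 wrote to memory of 2728 4628 Ejpopi32.exe 95
"""

AUTORUN_SIG = "Adds autorun key to be loaded by Explorer.exe on startup"

ENTRY_RE = re.compile(r'^(?P<image>[A-Z]:\\.*?\.exe)(?P<cmdline>"?[A-Z]:\\.*?)(?P<depth>\d+)⤵$')
PID_RE = re.compile(r'^PID:(?P<pid>\d+)')
WPM_RE = re.compile(r'^(?:PID (?P<src>\d+) )?wrote to memory of (?P<dst>\d+) '
                    r'(?P<pid>\d+) (?P<image>\S+) (?P<idx>\d+)$')


def parse_tree(text):
    """Tree entries in page order; parent = most recent entry one level shallower."""
    procs, last_at_depth, cur = [], {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            depth = int(m['depth'])
            cur = {'image': m['image'], 'cmdline': m['cmdline'], 'depth': depth,
                   'pid': None, 'sigs': [], 'parent': last_at_depth.get(depth - 1)}
            procs.append(cur)
            last_at_depth[depth] = cur
        elif cur is not None and line.startswith('- '):
            cur['sigs'].append(line[2:].strip())
        elif cur is not None and (p := PID_RE.match(line)):
            cur['pid'] = int(p['pid'])
    return procs


def parse_writes(text):
    """De-duplicated (writer PID, target PID) pairs from the WriteProcessMemory list."""
    edges = set()
    for line in (raw.strip() for raw in text.splitlines()):
        m = WPM_RE.match(line)
        if m:
            edges.add((int(m['src'] or m['pid']), int(m['dst'])))
    return edges


def analyze(tree_text=TREE_TEXT, wpm_text=WPM_TEXT):
    """Cross-check the two lists and summarise the chain."""
    procs = parse_tree(tree_text)
    writes = parse_writes(wpm_text)
    # (parent PID, child PID) pairs implied by the depth numbers in the tree
    spawns = {(p['parent']['pid'], p['pid']) for p in procs if p['parent']}
    children_per_parent = Counter(src for src, _ in spawns)
    return {
        'entries': len(procs),
        'depth_span': (min(p['depth'] for p in procs), max(p['depth'] for p in procs)),
        # True when no process starts more than one child: a single straight chain
        'linear_chain': all(n == 1 for n in children_per_parent.values()),
        # a write whose target is not the writer's own child would indicate
        # injection into an unrelated process rather than into a freshly started child
        'writes_outside_tree': sorted(writes - spawns),
        'spawns_without_write': sorted(spawns - writes),
        'autorun_pids': [p['pid'] for p in procs if AUTORUN_SIG in p['sigs']],
        # image under SysWOW64 while the command line says system32 is WOW64
        # file-system redirection: the dropped binaries are 32-bit
        'wow64_images': sum('\\syswow64\\' in p['image'].lower() for p in procs),
        'signatures': Counter(s for p in procs for s in p['sigs']),
    }


if __name__ == '__main__':
    for key, value in analyze().items():
        print(f'{key}: {value}')
```

Running it on the full report instead of the excerpt (paste the two lists into TREE_TEXT and WPM_TEXT) gives the same kind of answer for all 122 entries. The WOW64 observation matches the registry signatures in the report, which land under WOW6432Node because a 32-bit process writing HKLM\SOFTWARE is redirected there; a 64-bit Explorer does not read that ShellServiceObjectDelayLoad value, so the persistence the sandbox flags only takes effect for a 32-bit shell.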