Analysis
-
max time kernel
142s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
18/09/2023, 01:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7e23d92a8093e09246d1fcdefe1940f3.exe
Resource
win7-20230831-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
7e23d92a8093e09246d1fcdefe1940f3.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
7e23d92a8093e09246d1fcdefe1940f3.exe
-
Size
240KB
-
MD5
7e23d92a8093e09246d1fcdefe1940f3
-
SHA1
ebd3363fb36026769cdd4a4313792d0d558f8ebe
-
SHA256
3e0fe79c99647e1084fe0bbb3ce22a1009e2c17b94e2048a1039e70005379ee4
-
SHA512
987d84235e50751df953134e039ac2274dd61018cfa421719b7f192a6260d7f18b9914f8b7c88ac54f748cca52de8a260e7a0d286d556deb6aca14a0d61cd60b
-
SSDEEP
3072:wLe+OOHpNODkcAPgxed6BYudlNPMAvAURfE+Hxgu+tAcrbFAJc+RsUi1aVDkOvJ:wLTdwYcIyedZwlNPjLs+H8rtMs4
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfohgqlg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdhkcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmofagfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijqmhnko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgclpkac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odalmibl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehlhih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iehmmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojigdcll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cleegp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oabhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agimkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Popbpqjh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhckcgpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnohlgep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bedgjgkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmkdcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aagdnn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdpaeehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjblje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljeafb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lflbkcll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcphab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmcclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blnoga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hehdfdek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piapkbeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpbnhl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdolgfbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djhimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgkkkcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phfjcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpdennml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdagpnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpgmhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piocecgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbcmakpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nceefd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fohfbpgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiplmq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gldglf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fniihmpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khiofk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cienon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebifmm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fofilp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oobfob32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odalmibl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adfnofpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfnfjehl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gikkfqmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcmbee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfnbgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdmfllhn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgaokl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbbnpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipkdek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaiimadl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baegibae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiphjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcgdhkem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlggjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcanll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Binhnomg.exe -
Executes dropped EXE 64 IoCs
pid Process 4136 Qlggjk32.exe 4576 Qkmdkgob.exe 1768 Qebhhp32.exe 5092 Allpejfe.exe 4508 Aaiimadl.exe 232 Achegd32.exe 1100 Alqjpi32.exe 4984 Afinioip.exe 4724 Aoabad32.exe 1000 Aodogdmn.exe 3844 Bhldpj32.exe 4564 Bljlfh32.exe 2672 Bhamkipi.exe 2856 Bmofagfp.exe 1248 Bcinna32.exe 4560 Bopocbcq.exe 3840 Cjecpkcg.exe 1156 Cbbdjm32.exe 4528 Ckkiccep.exe 4176 Cmjemflb.exe 4156 Cfcjfk32.exe 4328 Dmoohe32.exe 1424 Dcigeooj.exe 3692 Djelgied.exe 4352 Djhimica.exe 1580 Dbcmakpl.exe 1656 Dmhand32.exe 404 Ebejfk32.exe 904 Ecefqnel.exe 2168 Eiaoid32.exe 1716 Eciplm32.exe 1840 Ebommi32.exe 4584 Fcniglmb.exe 3856 Fjhacf32.exe 5024 Fbcfhibj.exe 2508 Fimodc32.exe 224 Fbfcmhpg.exe 5072 Fbhpch32.exe 1244 Flqdlnde.exe 4164 Gbofcghl.exe 5020 Gjfnedho.exe 3980 Gdobnj32.exe 4476 Gikkfqmf.exe 2708 Gkkgpc32.exe 640 Gkmdecbg.exe 2136 Hbhijepa.exe 4680 Hibafp32.exe 744 Hckeoeno.exe 1284 Hlcjhkdp.exe 3656 Hcmbee32.exe 2532 Higjaoci.exe 2912 Hgkkkcbc.exe 1040 Hmechmip.exe 4240 Hcblpdgg.exe 3660 Iljpij32.exe 4572 Injmcmej.exe 2636 Ijqmhnko.exe 3060 Iciaqc32.exe 376 Ijcjmmil.exe 4620 Iggjga32.exe 2664 Idkkpf32.exe 2996 Ikdcmpnl.exe 2088 Jcphab32.exe 4948 Jnelok32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Dojqjdbl.exe Dgcihgaj.exe File opened for modification C:\Windows\SysWOW64\Geanfelc.exe Gpdennml.exe File created C:\Windows\SysWOW64\Dfmioc32.dll Eiaoid32.exe File opened for modification C:\Windows\SysWOW64\Lmdemd32.exe Ljfhqh32.exe File opened for modification C:\Windows\SysWOW64\Pmcclm32.exe Popbpqjh.exe File created C:\Windows\SysWOW64\Jlolpq32.exe Jedccfqg.exe File created C:\Windows\SysWOW64\Godcje32.dll Qmeigg32.exe File created C:\Windows\SysWOW64\Pnbddbhk.dll Amlogfel.exe File opened for modification C:\Windows\SysWOW64\Nbnlaldg.exe Njbgmjgl.exe File opened for modification C:\Windows\SysWOW64\Ofjqihnn.exe Ockdmmoj.exe File created C:\Windows\SysWOW64\Ipecicga.dll Bdapehop.exe File opened for modification C:\Windows\SysWOW64\Qmepam32.exe Pmcclm32.exe File opened for modification C:\Windows\SysWOW64\Lcgpni32.exe Llmhaold.exe File created C:\Windows\SysWOW64\Mmkdcm32.exe Mcbpjg32.exe File created C:\Windows\SysWOW64\Lpochfji.exe Lckboblp.exe File opened for modification C:\Windows\SysWOW64\Gbalopbn.exe Gldglf32.exe File created C:\Windows\SysWOW64\Kcidmkpq.exe Jlolpq32.exe File created C:\Windows\SysWOW64\Cjecpkcg.exe Bopocbcq.exe File created C:\Windows\SysWOW64\Ejljgqdp.dll Jnlbojee.exe File opened for modification C:\Windows\SysWOW64\Lqkgbcff.exe Lnmkfh32.exe File created C:\Windows\SysWOW64\Ebjkfjbc.dll Ojdnid32.exe File opened for modification C:\Windows\SysWOW64\Cbbnpg32.exe Cleegp32.exe File opened for modification C:\Windows\SysWOW64\Ebimgcfi.exe Ebgpad32.exe File created C:\Windows\SysWOW64\Mqafhl32.exe Lflbkcll.exe File opened for modification C:\Windows\SysWOW64\Cggimh32.exe Boldhf32.exe File opened for modification C:\Windows\SysWOW64\Edgbii32.exe Ebifmm32.exe File opened for modification C:\Windows\SysWOW64\Qikbaaml.exe Qfmfefni.exe File created C:\Windows\SysWOW64\Cdolgfbp.exe Cmedjl32.exe File created C:\Windows\SysWOW64\Hcmbee32.exe Hlcjhkdp.exe File created C:\Windows\SysWOW64\Okbcgopo.dll Ijcjmmil.exe File created C:\Windows\SysWOW64\Ipjijkpg.dll Dojqjdbl.exe File created C:\Windows\SysWOW64\Dgihjf32.dll Ddgibkpc.exe File created C:\Windows\SysWOW64\Dhbebj32.exe Ddgibkpc.exe File opened for modification C:\Windows\SysWOW64\Dakikoom.exe Dolmodpi.exe File created C:\Windows\SysWOW64\Aodogdmn.exe Aoabad32.exe File created C:\Windows\SysWOW64\Bcinna32.exe Bmofagfp.exe File created C:\Windows\SysWOW64\Aafemk32.exe Aogiap32.exe File opened for modification C:\Windows\SysWOW64\Ipoheakj.exe Ickglm32.exe File created C:\Windows\SysWOW64\Blqhpg32.dll Nfcabp32.exe File opened for modification C:\Windows\SysWOW64\Cpdgqmnb.exe Ckgohf32.exe File opened for modification C:\Windows\SysWOW64\Lckboblp.exe Lhcali32.exe File created C:\Windows\SysWOW64\Jbfadafe.dll Gbofcghl.exe File opened for modification C:\Windows\SysWOW64\Kjgeedch.exe Kgiiiidd.exe File created C:\Windows\SysWOW64\Qgaeof32.dll Amjbbfgo.exe File created C:\Windows\SysWOW64\Pkbcikkp.dll Mjggal32.exe File created C:\Windows\SysWOW64\Bfmolc32.exe Biiobo32.exe File opened for modification C:\Windows\SysWOW64\Binhnomg.exe Bdapehop.exe File opened for modification C:\Windows\SysWOW64\Knchpiom.exe Kgipcogp.exe File created C:\Windows\SysWOW64\Aoqqpnlk.dll Cndeii32.exe File created C:\Windows\SysWOW64\Jllokajf.exe Jebfng32.exe File created C:\Windows\SysWOW64\Efmnhl32.dll Ljeafb32.exe File created C:\Windows\SysWOW64\Dgcihgaj.exe Dpiplm32.exe File opened for modification C:\Windows\SysWOW64\Hhimhobl.exe Haodle32.exe File created C:\Windows\SysWOW64\Aagdnn32.exe Aiplmq32.exe File opened for modification C:\Windows\SysWOW64\Aolblopj.exe Alnfpcag.exe File created C:\Windows\SysWOW64\Nopfpgip.exe Nnojho32.exe File created C:\Windows\SysWOW64\Gdglhf32.dll Npgmpf32.exe File opened for modification C:\Windows\SysWOW64\Gbpedjnb.exe Glfmgp32.exe File created C:\Windows\SysWOW64\Lhcali32.exe Ledepn32.exe File created C:\Windows\SysWOW64\Aimogakj.exe Afockelf.exe File created C:\Windows\SysWOW64\Mohjdmko.dll Mnhkbfme.exe File opened for modification C:\Windows\SysWOW64\Ojdnid32.exe Odjeljhd.exe File created C:\Windows\SysWOW64\Liabph32.dll Lgbloglj.exe File created C:\Windows\SysWOW64\Kjmejc32.dll Dkekjdck.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4100 12252 WerFault.exe 603 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joekag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flnqig32.dll" Qlggjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbihneaj.dll" Kdigadjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmojkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Loighj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmpolgoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddnobj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnnccl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogmeemdg.dll" Ooibkpmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acccdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhihhecc.dll" Bohbhmfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bebjdgmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iliinc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaagdbfm.dll" Oaplqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iafphi32.dll" Pmpolgoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipgdi32.dll" Galoohke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfhmjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilpgfc32.dll" Biiobo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkjaopom.dll" Gdobnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Injmcmej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekonpckp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebifmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eomffaag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipkdek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bigbmpco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aplhmakj.dll" Dcigeooj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmjhab32.dll" Jedccfqg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmkdcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfmmplad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qodeajbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofckhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bipecnkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkekjdck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bopocbcq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hibafp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kqphfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Maggnali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Galdglpd.dll" Gldglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfonlkp.dll" Jlgepanl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kngkqbgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihmfco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljobpiql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbceobam.dll" Nccokk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akhkncql.dll" Dflfac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgjamboa.dll" Ibcaknbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhckcgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldjigql.dll" Cigkdmel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncofplba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnicid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambfbo32.dll" Fpkibf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gehbjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egened32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eecgicmp.dll" Fohfbpgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iponmakp.dll" Bipecnkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liabph32.dll" Lgbloglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iggjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnmkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmkqgckn.dll" Lfbped32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fecadghc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mapppn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqndhcdc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojdnid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcanll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelche32.dll" Kjgeedch.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2396 wrote to memory of 4136 2396 7e23d92a8093e09246d1fcdefe1940f3.exe 86 PID 2396 wrote to memory of 4136 2396 7e23d92a8093e09246d1fcdefe1940f3.exe 86 PID 2396 wrote to memory of 4136 2396 7e23d92a8093e09246d1fcdefe1940f3.exe 86 PID 4136 wrote to memory of 4576 4136 Qlggjk32.exe 87 PID 4136 wrote to memory of 4576 4136 Qlggjk32.exe 87 PID 4136 wrote to memory of 4576 4136 Qlggjk32.exe 87 PID 4576 wrote to memory of 1768 4576 Qkmdkgob.exe 88 PID 4576 wrote to memory of 1768 4576 Qkmdkgob.exe 88 PID 4576 wrote to memory of 1768 4576 Qkmdkgob.exe 88 PID 1768 wrote to memory of 5092 1768 Qebhhp32.exe 89 PID 1768 wrote to memory of 5092 1768 Qebhhp32.exe 89 PID 1768 wrote to memory of 5092 1768 Qebhhp32.exe 89 PID 5092 wrote to memory of 4508 5092 Allpejfe.exe 92 PID 5092 wrote to memory of 4508 5092 Allpejfe.exe 92 PID 5092 wrote to memory of 4508 5092 Allpejfe.exe 92 PID 4508 wrote to memory of 232 4508 Aaiimadl.exe 90 PID 4508 wrote to memory of 232 4508 Aaiimadl.exe 90 PID 4508 wrote to memory of 232 4508 Aaiimadl.exe 90 PID 232 wrote to memory of 1100 232 Achegd32.exe 91 PID 232 wrote to memory of 1100 232 Achegd32.exe 91 PID 232 wrote to memory of 1100 232 Achegd32.exe 91 PID 1100 wrote to memory of 4984 1100 Alqjpi32.exe 93 PID 1100 wrote to memory of 4984 1100 Alqjpi32.exe 93 PID 1100 wrote to memory of 4984 1100 Alqjpi32.exe 93 PID 4984 wrote to memory of 4724 4984 Afinioip.exe 94 PID 4984 wrote to memory of 4724 4984 Afinioip.exe 94 PID 4984 wrote to memory of 4724 4984 Afinioip.exe 94 PID 4724 wrote to memory of 1000 4724 Aoabad32.exe 95 PID 4724 wrote to memory of 1000 4724 Aoabad32.exe 95 PID 4724 wrote to memory of 1000 4724 Aoabad32.exe 95 PID 1000 wrote to memory of 3844 1000 Aodogdmn.exe 96 PID 1000 wrote to memory of 3844 1000 Aodogdmn.exe 96 PID 1000 wrote to memory of 3844 1000 Aodogdmn.exe 96 PID 3844 wrote to memory of 4564 3844 Bhldpj32.exe 97 PID 3844 wrote to memory of 4564 3844 Bhldpj32.exe 97 PID 3844 wrote to memory of 4564 3844 Bhldpj32.exe 97 PID 4564 wrote to memory of 2672 4564 Bljlfh32.exe 98 PID 4564 wrote to memory of 2672 4564 Bljlfh32.exe 98 PID 4564 wrote to memory of 2672 4564 Bljlfh32.exe 98 PID 2672 wrote to memory of 2856 2672 Bhamkipi.exe 99 PID 2672 wrote to memory of 2856 2672 Bhamkipi.exe 99 PID 2672 wrote to memory of 2856 2672 Bhamkipi.exe 99 PID 2856 wrote to memory of 1248 2856 Bmofagfp.exe 100 PID 2856 wrote to memory of 1248 2856 Bmofagfp.exe 100 PID 2856 wrote to memory of 1248 2856 Bmofagfp.exe 100 PID 1248 wrote to memory of 4560 1248 Bcinna32.exe 101 PID 1248 wrote to memory of 4560 1248 Bcinna32.exe 101 PID 1248 wrote to memory of 4560 1248 Bcinna32.exe 101 PID 4560 wrote to memory of 3840 4560 Bopocbcq.exe 102 PID 4560 wrote to memory of 3840 4560 Bopocbcq.exe 102 PID 4560 wrote to memory of 3840 4560 Bopocbcq.exe 102 PID 3840 wrote to memory of 1156 3840 Cjecpkcg.exe 103 PID 3840 wrote to memory of 1156 3840 Cjecpkcg.exe 103 PID 3840 wrote to memory of 1156 3840 Cjecpkcg.exe 103 PID 1156 wrote to memory of 4528 1156 Cbbdjm32.exe 104 PID 1156 wrote to memory of 4528 1156 Cbbdjm32.exe 104 PID 1156 wrote to memory of 4528 1156 Cbbdjm32.exe 104 PID 4528 wrote to memory of 4176 4528 Ckkiccep.exe 106 PID 4528 wrote to memory of 4176 4528 Ckkiccep.exe 106 PID 4528 wrote to memory of 4176 4528 Ckkiccep.exe 106 PID 4176 wrote to memory of 4156 4176 Cmjemflb.exe 107 PID 4176 wrote to memory of 4156 4176 Cmjemflb.exe 107 PID 4176 wrote to memory of 4156 4176 Cmjemflb.exe 107 PID 4156 wrote to memory of 4328 4156 Cfcjfk32.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\7e23d92a8093e09246d1fcdefe1940f3.exe"C:\Users\Admin\AppData\Local\Temp\7e23d92a8093e09246d1fcdefe1940f3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Qlggjk32.exeC:\Windows\system32\Qlggjk32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4136 -
C:\Windows\SysWOW64\Qkmdkgob.exeC:\Windows\system32\Qkmdkgob.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\SysWOW64\Qebhhp32.exeC:\Windows\system32\Qebhhp32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Allpejfe.exeC:\Windows\system32\Allpejfe.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Windows\SysWOW64\Aaiimadl.exeC:\Windows\system32\Aaiimadl.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508
-
-
-
-
-
-
C:\Windows\SysWOW64\Achegd32.exeC:\Windows\system32\Achegd32.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Windows\SysWOW64\Alqjpi32.exeC:\Windows\system32\Alqjpi32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Afinioip.exeC:\Windows\system32\Afinioip.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\SysWOW64\Aoabad32.exeC:\Windows\system32\Aoabad32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Windows\SysWOW64\Aodogdmn.exeC:\Windows\system32\Aodogdmn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000 -
C:\Windows\SysWOW64\Bhldpj32.exeC:\Windows\system32\Bhldpj32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Windows\SysWOW64\Bljlfh32.exeC:\Windows\system32\Bljlfh32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\SysWOW64\Bhamkipi.exeC:\Windows\system32\Bhamkipi.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Bmofagfp.exeC:\Windows\system32\Bmofagfp.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Bcinna32.exeC:\Windows\system32\Bcinna32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Bopocbcq.exeC:\Windows\system32\Bopocbcq.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\Cjecpkcg.exeC:\Windows\system32\Cjecpkcg.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
C:\Windows\SysWOW64\Cbbdjm32.exeC:\Windows\system32\Cbbdjm32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\Ckkiccep.exeC:\Windows\system32\Ckkiccep.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Windows\SysWOW64\Cmjemflb.exeC:\Windows\system32\Cmjemflb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
C:\Windows\SysWOW64\Cfcjfk32.exeC:\Windows\system32\Cfcjfk32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
C:\Windows\SysWOW64\Dmoohe32.exeC:\Windows\system32\Dmoohe32.exe17⤵
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Dcigeooj.exeC:\Windows\system32\Dcigeooj.exe18⤵
- Executes dropped EXE
- Modifies registry class
PID:1424 -
C:\Windows\SysWOW64\Djelgied.exeC:\Windows\system32\Djelgied.exe19⤵
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Djhimica.exeC:\Windows\system32\Djhimica.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Dbcmakpl.exeC:\Windows\system32\Dbcmakpl.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Dmhand32.exeC:\Windows\system32\Dmhand32.exe22⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Ebejfk32.exeC:\Windows\system32\Ebejfk32.exe23⤵
- Executes dropped EXE
PID:404 -
C:\Windows\SysWOW64\Ecefqnel.exeC:\Windows\system32\Ecefqnel.exe24⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Eiaoid32.exeC:\Windows\system32\Eiaoid32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2168 -
C:\Windows\SysWOW64\Eciplm32.exeC:\Windows\system32\Eciplm32.exe26⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Ebommi32.exeC:\Windows\system32\Ebommi32.exe27⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Fcniglmb.exeC:\Windows\system32\Fcniglmb.exe28⤵
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\Fjhacf32.exeC:\Windows\system32\Fjhacf32.exe29⤵
- Executes dropped EXE
PID:3856 -
C:\Windows\SysWOW64\Fbcfhibj.exeC:\Windows\system32\Fbcfhibj.exe30⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Fimodc32.exeC:\Windows\system32\Fimodc32.exe31⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Fbfcmhpg.exeC:\Windows\system32\Fbfcmhpg.exe32⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Fbhpch32.exeC:\Windows\system32\Fbhpch32.exe33⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Flqdlnde.exeC:\Windows\system32\Flqdlnde.exe34⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Gbofcghl.exeC:\Windows\system32\Gbofcghl.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4164 -
C:\Windows\SysWOW64\Gjfnedho.exeC:\Windows\system32\Gjfnedho.exe36⤵
- Executes dropped EXE
PID:5020 -
C:\Windows\SysWOW64\Gdobnj32.exeC:\Windows\system32\Gdobnj32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:3980 -
C:\Windows\SysWOW64\Gikkfqmf.exeC:\Windows\system32\Gikkfqmf.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Gkkgpc32.exeC:\Windows\system32\Gkkgpc32.exe39⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Gkmdecbg.exeC:\Windows\system32\Gkmdecbg.exe40⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Hbhijepa.exeC:\Windows\system32\Hbhijepa.exe41⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Hibafp32.exeC:\Windows\system32\Hibafp32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:4680 -
C:\Windows\SysWOW64\Hckeoeno.exeC:\Windows\system32\Hckeoeno.exe43⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Hlcjhkdp.exeC:\Windows\system32\Hlcjhkdp.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1284 -
C:\Windows\SysWOW64\Hcmbee32.exeC:\Windows\system32\Hcmbee32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3656 -
C:\Windows\SysWOW64\Higjaoci.exeC:\Windows\system32\Higjaoci.exe46⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Hgkkkcbc.exeC:\Windows\system32\Hgkkkcbc.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Hmechmip.exeC:\Windows\system32\Hmechmip.exe48⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Hcblpdgg.exeC:\Windows\system32\Hcblpdgg.exe49⤵
- Executes dropped EXE
PID:4240 -
C:\Windows\SysWOW64\Iljpij32.exeC:\Windows\system32\Iljpij32.exe50⤵
- Executes dropped EXE
PID:3660 -
C:\Windows\SysWOW64\Injmcmej.exeC:\Windows\system32\Injmcmej.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:4572 -
C:\Windows\SysWOW64\Ijqmhnko.exeC:\Windows\system32\Ijqmhnko.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Iciaqc32.exeC:\Windows\system32\Iciaqc32.exe53⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Ijcjmmil.exeC:\Windows\system32\Ijcjmmil.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:376 -
C:\Windows\SysWOW64\Iggjga32.exeC:\Windows\system32\Iggjga32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:4620 -
C:\Windows\SysWOW64\Idkkpf32.exeC:\Windows\system32\Idkkpf32.exe56⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Ikdcmpnl.exeC:\Windows\system32\Ikdcmpnl.exe57⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Jcphab32.exeC:\Windows\system32\Jcphab32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Jnelok32.exeC:\Windows\system32\Jnelok32.exe59⤵
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Jlkipgpe.exeC:\Windows\system32\Jlkipgpe.exe60⤵PID:1828
-
C:\Windows\SysWOW64\Jgpmmp32.exeC:\Windows\system32\Jgpmmp32.exe61⤵PID:1628
-
C:\Windows\SysWOW64\Jlmfeg32.exeC:\Windows\system32\Jlmfeg32.exe62⤵PID:2608
-
C:\Windows\SysWOW64\Jgbjbp32.exeC:\Windows\system32\Jgbjbp32.exe63⤵PID:4364
-
C:\Windows\SysWOW64\Jnlbojee.exeC:\Windows\system32\Jnlbojee.exe64⤵
- Drops file in System32 directory
PID:1724 -
C:\Windows\SysWOW64\Jgeghp32.exeC:\Windows\system32\Jgeghp32.exe65⤵PID:2592
-
C:\Windows\SysWOW64\Kmaopfjm.exeC:\Windows\system32\Kmaopfjm.exe66⤵PID:1480
-
C:\Windows\SysWOW64\Kdigadjo.exeC:\Windows\system32\Kdigadjo.exe67⤵
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Kkconn32.exeC:\Windows\system32\Kkconn32.exe68⤵PID:4128
-
C:\Windows\SysWOW64\Kqphfe32.exeC:\Windows\system32\Kqphfe32.exe69⤵
- Modifies registry class
PID:736 -
C:\Windows\SysWOW64\Kgipcogp.exeC:\Windows\system32\Kgipcogp.exe70⤵
- Drops file in System32 directory
PID:3708 -
C:\Windows\SysWOW64\Knchpiom.exeC:\Windows\system32\Knchpiom.exe71⤵PID:4308
-
C:\Windows\SysWOW64\Kcpahpmd.exeC:\Windows\system32\Kcpahpmd.exe72⤵PID:2612
-
C:\Windows\SysWOW64\Knfeeimj.exeC:\Windows\system32\Knfeeimj.exe73⤵PID:4824
-
C:\Windows\SysWOW64\Knhakh32.exeC:\Windows\system32\Knhakh32.exe74⤵PID:1240
-
C:\Windows\SysWOW64\Kmkbfeab.exeC:\Windows\system32\Kmkbfeab.exe75⤵PID:3296
-
C:\Windows\SysWOW64\Lgqfdnah.exeC:\Windows\system32\Lgqfdnah.exe76⤵PID:3780
-
C:\Windows\SysWOW64\Ljobpiql.exeC:\Windows\system32\Ljobpiql.exe77⤵
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Lmmolepp.exeC:\Windows\system32\Lmmolepp.exe78⤵PID:2448
-
C:\Windows\SysWOW64\Lddgmbpb.exeC:\Windows\system32\Lddgmbpb.exe79⤵PID:3420
-
C:\Windows\SysWOW64\Lknojl32.exeC:\Windows\system32\Lknojl32.exe80⤵PID:1804
-
C:\Windows\SysWOW64\Lnmkfh32.exeC:\Windows\system32\Lnmkfh32.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:3464 -
C:\Windows\SysWOW64\Lqkgbcff.exeC:\Windows\system32\Lqkgbcff.exe82⤵PID:1896
-
C:\Windows\SysWOW64\Lcjcnoej.exeC:\Windows\system32\Lcjcnoej.exe83⤵PID:5132
-
C:\Windows\SysWOW64\Lnohlgep.exeC:\Windows\system32\Lnohlgep.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5176 -
C:\Windows\SysWOW64\Lqndhcdc.exeC:\Windows\system32\Lqndhcdc.exe85⤵
- Modifies registry class
PID:5220 -
C:\Windows\SysWOW64\Lclpdncg.exeC:\Windows\system32\Lclpdncg.exe86⤵PID:5264
-
C:\Windows\SysWOW64\Ljfhqh32.exeC:\Windows\system32\Ljfhqh32.exe87⤵
- Drops file in System32 directory
PID:5300 -
C:\Windows\SysWOW64\Lmdemd32.exeC:\Windows\system32\Lmdemd32.exe88⤵PID:5344
-
C:\Windows\SysWOW64\Lcnmin32.exeC:\Windows\system32\Lcnmin32.exe89⤵PID:5396
-
C:\Windows\SysWOW64\Ljhefhha.exeC:\Windows\system32\Ljhefhha.exe90⤵PID:5440
-
C:\Windows\SysWOW64\Lmgabcge.exeC:\Windows\system32\Lmgabcge.exe91⤵PID:5480
-
C:\Windows\SysWOW64\Lenicahg.exeC:\Windows\system32\Lenicahg.exe92⤵PID:5528
-
C:\Windows\SysWOW64\Mglfplgk.exeC:\Windows\system32\Mglfplgk.exe93⤵PID:5564
-
C:\Windows\SysWOW64\Mjkblhfo.exeC:\Windows\system32\Mjkblhfo.exe94⤵PID:5616
-
C:\Windows\SysWOW64\Madjhb32.exeC:\Windows\system32\Madjhb32.exe95⤵PID:5660
-
C:\Windows\SysWOW64\Mccfdmmo.exeC:\Windows\system32\Mccfdmmo.exe96⤵PID:5704
-
C:\Windows\SysWOW64\Mnhkbfme.exeC:\Windows\system32\Mnhkbfme.exe97⤵
- Drops file in System32 directory
PID:5740 -
C:\Windows\SysWOW64\Maggnali.exeC:\Windows\system32\Maggnali.exe98⤵
- Modifies registry class
PID:5792 -
C:\Windows\SysWOW64\Mgaokl32.exeC:\Windows\system32\Mgaokl32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5832 -
C:\Windows\SysWOW64\Meepdp32.exeC:\Windows\system32\Meepdp32.exe100⤵PID:6072
-
C:\Windows\SysWOW64\Mgclpkac.exeC:\Windows\system32\Mgclpkac.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6112 -
C:\Windows\SysWOW64\Mmpdhboj.exeC:\Windows\system32\Mmpdhboj.exe102⤵PID:4892
-
C:\Windows\SysWOW64\Mcjmel32.exeC:\Windows\system32\Mcjmel32.exe103⤵PID:5200
-
C:\Windows\SysWOW64\Mkadfj32.exeC:\Windows\system32\Mkadfj32.exe104⤵PID:5272
-
C:\Windows\SysWOW64\Mmbanbmg.exeC:\Windows\system32\Mmbanbmg.exe105⤵PID:5340
-
C:\Windows\SysWOW64\Nclikl32.exeC:\Windows\system32\Nclikl32.exe106⤵PID:5404
-
C:\Windows\SysWOW64\Nlcalieg.exeC:\Windows\system32\Nlcalieg.exe107⤵PID:5468
-
C:\Windows\SysWOW64\Nmenca32.exeC:\Windows\system32\Nmenca32.exe108⤵PID:5536
-
C:\Windows\SysWOW64\Ncofplba.exeC:\Windows\system32\Ncofplba.exe109⤵
- Modifies registry class
PID:5604 -
C:\Windows\SysWOW64\Njinmf32.exeC:\Windows\system32\Njinmf32.exe110⤵PID:5680
-
C:\Windows\SysWOW64\Nabfjpak.exeC:\Windows\system32\Nabfjpak.exe111⤵PID:5736
-
C:\Windows\SysWOW64\Ncabfkqo.exeC:\Windows\system32\Ncabfkqo.exe112⤵PID:5804
-
C:\Windows\SysWOW64\Nlhkgi32.exeC:\Windows\system32\Nlhkgi32.exe113⤵PID:5884
-
C:\Windows\SysWOW64\Nnfgcd32.exeC:\Windows\system32\Nnfgcd32.exe114⤵PID:5928
-
C:\Windows\SysWOW64\Nccokk32.exeC:\Windows\system32\Nccokk32.exe115⤵
- Modifies registry class
PID:6008 -
C:\Windows\SysWOW64\Nlkgmh32.exeC:\Windows\system32\Nlkgmh32.exe116⤵PID:5964
-
C:\Windows\SysWOW64\Nnicid32.exeC:\Windows\system32\Nnicid32.exe117⤵
- Modifies registry class
PID:6048 -
C:\Windows\SysWOW64\Nagpeo32.exeC:\Windows\system32\Nagpeo32.exe118⤵PID:6104
-
C:\Windows\SysWOW64\Ndflak32.exeC:\Windows\system32\Ndflak32.exe119⤵PID:5144
-
C:\Windows\SysWOW64\Nhahaiec.exeC:\Windows\system32\Nhahaiec.exe120⤵PID:5256
-
C:\Windows\SysWOW64\Njpdnedf.exeC:\Windows\system32\Njpdnedf.exe121⤵PID:5392
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-