Analysis

max time kernel: 132s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-10-2023 19:44

Static task: static1
1 signatures

Behavioral task: behavioral1
Sample: bfa7776344ed5f548997227335dbfd40_exe32.exe
Resource: win7-20230831-en (windows7-x64)
7 signatures
150 seconds

Behavioral task: behavioral2
Sample: bfa7776344ed5f548997227335dbfd40_exe32.exe
Resource: win10v2004-20230915-en (windows10-2004-x64)
6 signatures
150 seconds
General

Target: bfa7776344ed5f548997227335dbfd40_exe32.exe
Size: 130KB
MD5: bfa7776344ed5f548997227335dbfd40
SHA1: c9630f9fee0718663ff914b59fe5905b9064a2e4
SHA256: 4687fa5cdf1923c418a4004b4741df32efecbf0bfe123ba47310957c25399476
SHA512: 0fe9398aec00c41b11d55d9fc7fb2f7f9e4a7cddd4d225ed50a30862967bf69e68504dceef34d2c49e1627c798f7d55553fdf34fd275e25ffd2441d44c944612
SSDEEP: 3072:wUPgMOA19fw3E7XGM2/BhHmiImXJ2fYdV46nfPyxWhj8NCM/4:B4R13wX4BhHmNEcYj9nhV8NCV
Score: 10/10
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ddjecalo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jnfcbg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nicalpak.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ecnbgian.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aejfjocb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bmpcpjcd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlfeeelm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bmliem32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ekqcfpmj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kppimogj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Phcogice.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Omcjne32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jelioh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Allpnplb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cacmkn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Onicbi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fclmkb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ofcale32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hbpgle32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmpmfg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhafoh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Loaafnah.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qnfkgfdp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jlkaahjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jnfcbg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dafbhkhl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cilmpmki.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ponfdf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Obnbjdfi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eqmjen32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gkofpf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bnmobopb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Phlqlgmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bcmolimg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bgkijp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gbnhhp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Capikhgh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mijlhl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Djcoko32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fifhmi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ldeonbkd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qcbmegol.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Badaholq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pdhklgnf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aeemop32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fimonh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mgkoolil.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdfjej32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cneknh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kcdmifip.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdabmcdi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eeagnc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngombd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Imnoni32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iildfd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Efpofi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hoobnf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fngcfikb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ccacjgfb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kfoapo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bminokil.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Naaqhlmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Alfkli32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Abmbaf32.exe
Executes dropped EXE (64 IoCs)

pid | Process
2192 | Qdfefkll.exe
1448 | Ajnmjp32.exe
4964 | Bnlfqngm.exe
860 | Bjcfeola.exe
5016 | Bjeckojo.exe
3536 | Bnehgmob.exe
2492 | Cgecpa32.exe
2232 | Dmfecgim.exe
3780 | Ddpjjd32.exe
3596 | Dmnkdfce.exe
2772 | Dmphjfab.exe
5052 | Eljknl32.exe
4376 | Fcjimnjl.exe
3916 | Fdobhm32.exe
2424 | Genobp32.exe
2500 | Geqlhp32.exe
3224 | Glmqjj32.exe
4436 | Glompi32.exe
1248 | Hhmdeink.exe
224 | Imofip32.exe
1216 | Iaokdn32.exe
3696 | Ihicah32.exe
3748 | Idbalhho.exe
976 | Jhpjbgne.exe
2124 | Jlnbhe32.exe
848 | Jkcpia32.exe
2692 | Kleiid32.exe
4744 | Klloichl.exe
2216 | Kfdcbiol.exe
1900 | Loaafnah.exe
4196 | Ldccid32.exe
924 | Lbgcch32.exe
4320 | Mkfnlmkl.exe
4044 | Niohap32.exe
2592 | Nicalpak.exe
1116 | Obnbjdfi.exe
456 | Oeahap32.exe
2552 | Pfenga32.exe
1356 | Pbokab32.exe
3756 | Plimpg32.exe
2696 | Qlnfkgho.exe
372 | Aooolbep.exe
4364 | Apnkfelb.exe
3656 | Aiimejap.exe
2748 | Amgekh32.exe
4728 | Amibqhed.exe
2704 | Begcjjql.exe
5060 | Bidlqhgc.exe
1724 | Cfiiggpg.exe
3260 | Dgkbfjeg.exe
1028 | Djlkhe32.exe
2000 | Dcdpakii.exe
4284 | Enlqdc32.exe
1284 | Egeemiml.exe
1904 | Eqmjen32.exe
1512 | Ecnbgian.exe
2888 | Emfgpo32.exe
4204 | Fqfmlm32.exe
4724 | Fcgemhic.exe
5044 | Fmpjfn32.exe
4412 | Fppchile.exe
1964 | Gmfpgmil.exe
460 | Gfaaebnj.exe
400 | Hhegjdag.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\Ehkhjkkf.dll | Njekfenc.exe
File created | C:\Windows\SysWOW64\Offnae32.exe | Oaifin32.exe
File created | C:\Windows\SysWOW64\Emfgpo32.exe | Ecnbgian.exe
File created | C:\Windows\SysWOW64\Oagbljcp.exe | Onifpodl.exe
File opened for modification | C:\Windows\SysWOW64\Blpemn32.exe | Biaiqb32.exe
File created | C:\Windows\SysWOW64\Fpjkhmqm.dll | Nigjifgc.exe
File opened for modification | C:\Windows\SysWOW64\Nnpalk32.exe | Neglceej.exe
File created | C:\Windows\SysWOW64\Gaikchfj.dll | Ibadoc32.exe
File opened for modification | C:\Windows\SysWOW64\Fimonh32.exe | Ffobbmpp.exe
File created | C:\Windows\SysWOW64\Fnpmej32.exe | Eicemccc.exe
File created | C:\Windows\SysWOW64\Ldpqel32.dll | Ljcejhnh.exe
File created | C:\Windows\SysWOW64\Fmnafmhi.dll | Onfbpi32.exe
File opened for modification | C:\Windows\SysWOW64\Ajfobfaj.exe | Aejfjocb.exe
File created | C:\Windows\SysWOW64\Nenjng32.exe | Nigjifgc.exe
File created | C:\Windows\SysWOW64\Cifmjd32.exe | Bmomecoi.exe
File created | C:\Windows\SysWOW64\Ncqbnhci.dll | Hpaibe32.exe
File opened for modification | C:\Windows\SysWOW64\Henajkcc.exe | Gpaiadel.exe
File created | C:\Windows\SysWOW64\Cmcniamb.dll | Ilpaei32.exe
File opened for modification | C:\Windows\SysWOW64\Iggakn32.exe | Ikndpm32.exe
File created | C:\Windows\SysWOW64\Aamkgpbi.exe | Akccje32.exe
File created | C:\Windows\SysWOW64\Dnpdom32.exe | Ddgpfgil.exe
File created | C:\Windows\SysWOW64\Pagfomja.dll | Qpahghbg.exe
File opened for modification | C:\Windows\SysWOW64\Qdfefkll.exe | bfa7776344ed5f548997227335dbfd40_exe32.exe
File opened for modification | C:\Windows\SysWOW64\Qaofphbd.exe | Phddbbnf.exe
File created | C:\Windows\SysWOW64\Jfblbm32.dll | Peahpa32.exe
File created | C:\Windows\SysWOW64\Ehndhn32.exe | Egnhnkmj.exe
File opened for modification | C:\Windows\SysWOW64\Fcgemhic.exe | Fqfmlm32.exe
File created | C:\Windows\SysWOW64\Elagjihh.exe | Ebkbmqhb.exe
File opened for modification | C:\Windows\SysWOW64\Djnfppqi.exe | Ccbanfko.exe
File created | C:\Windows\SysWOW64\Femcdp32.dll | Ffobbmpp.exe
File created | C:\Windows\SysWOW64\Gehbcb32.exe | Giaaoa32.exe
File created | C:\Windows\SysWOW64\Ckclacmi.exe | Cdicdi32.exe
File created | C:\Windows\SysWOW64\Jbjpohpp.dll | Pfanmcao.exe
File created | C:\Windows\SysWOW64\Jacnegep.exe | Ikifhm32.exe
File created | C:\Windows\SysWOW64\Aagpjm32.dll | Oagbljcp.exe
File created | C:\Windows\SysWOW64\Pnmhqh32.exe | Pgcpdn32.exe
File created | C:\Windows\SysWOW64\Eiaobjia.exe | Emknmi32.exe
File created | C:\Windows\SysWOW64\Lmpkkjcj.exe | Lknocb32.exe
File opened for modification | C:\Windows\SysWOW64\Lifqbi32.exe | Ldjhib32.exe
File created | C:\Windows\SysWOW64\Npppdb32.dll | Paennh32.exe
File created | C:\Windows\SysWOW64\Aajbfccf.dll | Pdkcnklf.exe
File created | C:\Windows\SysWOW64\Dgkqpd32.dll | Cfkenogb.exe
File opened for modification | C:\Windows\SysWOW64\Jpcajflb.exe | Jiiiml32.exe
File opened for modification | C:\Windows\SysWOW64\Cgecpa32.exe | Bnehgmob.exe
File opened for modification | C:\Windows\SysWOW64\Hmginjki.exe | Hhegjdag.exe
File created | C:\Windows\SysWOW64\Cdolbijg.exe | Chhkmh32.exe
File opened for modification | C:\Windows\SysWOW64\Daolgl32.exe | Dkedjbgg.exe
File created | C:\Windows\SysWOW64\Okjnpija.dll | Ekqcfpmj.exe
File created | C:\Windows\SysWOW64\Bmlojd32.dll | Caojigoh.exe
File created | C:\Windows\SysWOW64\Nnimia32.exe | Mbmbiqqp.exe
File created | C:\Windows\SysWOW64\Pndoagfc.exe | Pgjfdm32.exe
File created | C:\Windows\SysWOW64\Gmhkpk32.dll | Pglcjl32.exe
File opened for modification | C:\Windows\SysWOW64\Kdnincal.exe | Jmpgfjmd.exe
File created | C:\Windows\SysWOW64\Aehofbhf.dll | Hfcnicjl.exe
File created | C:\Windows\SysWOW64\Pgcpdn32.exe | Pbfglg32.exe
File created | C:\Windows\SysWOW64\Emllbe32.exe | Eknpfj32.exe
File opened for modification | C:\Windows\SysWOW64\Iojgkbib.exe | Iohjebkd.exe
File opened for modification | C:\Windows\SysWOW64\Eeqclfaa.exe | Eodjdocj.exe
File created | C:\Windows\SysWOW64\Bjcfeola.exe | Bnlfqngm.exe
File opened for modification | C:\Windows\SysWOW64\Efoiko32.exe | Epdaneff.exe
File opened for modification | C:\Windows\SysWOW64\Amibqhed.exe | Amgekh32.exe
File created | C:\Windows\SysWOW64\Oajinq32.dll | Begcjjql.exe
File created | C:\Windows\SysWOW64\Gpimflqb.exe | Fechhcal.exe
File opened for modification | C:\Windows\SysWOW64\Glompi32.exe | Glmqjj32.exe
Program crash (1 IoC)

pid | pid_target | Process | procid_target
4484 | 2196 | WerFault.exe | 861
Modifies registry class (64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fcjimnjl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Chmehhpn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcebkcic.dll" | Gbbkjgpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qjjhla32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kkcfbj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfolq32.dll" | Dmdhmj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fppjpmim.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bidlqhgc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qaofphbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iljpbp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jklkea32.dll" | Lnhadnpe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pmoijcje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gpimflqb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mkfnlmkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phefeg32.dll" | Mdckpqod.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cckkmg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eplgod32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dnbadlnj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hmmffnai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pfanmcao.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Neglceej.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmoapqgi.dll" | Lgblhmag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qalejm32.dll" | Qnfkgfdp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmglog32.dll" | Bajjeo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hgliie32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Onicbi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cgiflnoa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Caojigoh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dcdifdem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gienbe32.dll" | Fmjjqhpn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbcildbi.dll" | Nqioqf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pkcepl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ajckbp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eeagnc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nllekk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocpdpf32.dll" | Ccbanfko.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Njfaalao.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fpbfem32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Giaaoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Joahjcgb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cjejdglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bhnidi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnaiaagp.dll" | Pndoagfc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hfnpacjb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cafqkmge.dll" | Ipmbcm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mkhajq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fflngpbn.dll" | Bngnmjql.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kdophj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pgcpdn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elbffmlj.dll" | Pmfhbm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aedfdjdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Emknmi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ffobbmpp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nlfnkoia.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Paennh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Imklncch.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Agdhln32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hjjnkkjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gkofpf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ogajid32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oopnio32.dll" | Meogbcel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iocliecb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iimjan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cajblmci.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 4780 wrote to memory of 2192 | 4780 | bfa7776344ed5f548997227335dbfd40_exe32.exe | 80
PID 4780 wrote to memory of 2192 | 4780 | bfa7776344ed5f548997227335dbfd40_exe32.exe | 80
PID 4780 wrote to memory of 2192 | 4780 | bfa7776344ed5f548997227335dbfd40_exe32.exe | 80
PID 2192 wrote to memory of 1448 | 2192 | Qdfefkll.exe | 81
PID 2192 wrote to memory of 1448 | 2192 | Qdfefkll.exe | 81
PID 2192 wrote to memory of 1448 | 2192 | Qdfefkll.exe | 81
PID 1448 wrote to memory of 4964 | 1448 | Ajnmjp32.exe | 82
PID 1448 wrote to memory of 4964 | 1448 | Ajnmjp32.exe | 82
PID 1448 wrote to memory of 4964 | 1448 | Ajnmjp32.exe | 82
PID 4964 wrote to memory of 860 | 4964 | Bnlfqngm.exe | 83
PID 4964 wrote to memory of 860 | 4964 | Bnlfqngm.exe | 83
PID 4964 wrote to memory of 860 | 4964 | Bnlfqngm.exe | 83
PID 860 wrote to memory of 5016 | 860 | Bjcfeola.exe | 84
PID 860 wrote to memory of 5016 | 860 | Bjcfeola.exe | 84
PID 860 wrote to memory of 5016 | 860 | Bjcfeola.exe | 84
PID 5016 wrote to memory of 3536 | 5016 | Bjeckojo.exe | 85
PID 5016 wrote to memory of 3536 | 5016 | Bjeckojo.exe | 85
PID 5016 wrote to memory of 3536 | 5016 | Bjeckojo.exe | 85
PID 3536 wrote to memory of 2492 | 3536 | Bnehgmob.exe | 86
PID 3536 wrote to memory of 2492 | 3536 | Bnehgmob.exe | 86
PID 3536 wrote to memory of 2492 | 3536 | Bnehgmob.exe | 86
PID 2492 wrote to memory of 2232 | 2492 | Cgecpa32.exe | 87
PID 2492 wrote to memory of 2232 | 2492 | Cgecpa32.exe | 87
PID 2492 wrote to memory of 2232 | 2492 | Cgecpa32.exe | 87
PID 2232 wrote to memory of 3780 | 2232 | Dmfecgim.exe | 88
PID 2232 wrote to memory of 3780 | 2232 | Dmfecgim.exe | 88
PID 2232 wrote to memory of 3780 | 2232 | Dmfecgim.exe | 88
PID 3780 wrote to memory of 3596 | 3780 | Ddpjjd32.exe | 89
PID 3780 wrote to memory of 3596 | 3780 | Ddpjjd32.exe | 89
PID 3780 wrote to memory of 3596 | 3780 | Ddpjjd32.exe | 89
PID 3596 wrote to memory of 2772 | 3596 | Dmnkdfce.exe | 90
PID 3596 wrote to memory of 2772 | 3596 | Dmnkdfce.exe | 90
PID 3596 wrote to memory of 2772 | 3596 | Dmnkdfce.exe | 90
PID 2772 wrote to memory of 5052 | 2772 | Dmphjfab.exe | 91
PID 2772 wrote to memory of 5052 | 2772 | Dmphjfab.exe | 91
PID 2772 wrote to memory of 5052 | 2772 | Dmphjfab.exe | 91
PID 5052 wrote to memory of 4376 | 5052 | Eljknl32.exe | 92
PID 5052 wrote to memory of 4376 | 5052 | Eljknl32.exe | 92
PID 5052 wrote to memory of 4376 | 5052 | Eljknl32.exe | 92
PID 4376 wrote to memory of 3916 | 4376 | Fcjimnjl.exe | 93
PID 4376 wrote to memory of 3916 | 4376 | Fcjimnjl.exe | 93
PID 4376 wrote to memory of 3916 | 4376 | Fcjimnjl.exe | 93
PID 3916 wrote to memory of 2424 | 3916 | Fdobhm32.exe | 94
PID 3916 wrote to memory of 2424 | 3916 | Fdobhm32.exe | 94
PID 3916 wrote to memory of 2424 | 3916 | Fdobhm32.exe | 94
PID 2424 wrote to memory of 2500 | 2424 | Genobp32.exe | 95
PID 2424 wrote to memory of 2500 | 2424 | Genobp32.exe | 95
PID 2424 wrote to memory of 2500 | 2424 | Genobp32.exe | 95
PID 2500 wrote to memory of 3224 | 2500 | Geqlhp32.exe | 96
PID 2500 wrote to memory of 3224 | 2500 | Geqlhp32.exe | 96
PID 2500 wrote to memory of 3224 | 2500 | Geqlhp32.exe | 96
PID 3224 wrote to memory of 4436 | 3224 | Glmqjj32.exe | 97
PID 3224 wrote to memory of 4436 | 3224 | Glmqjj32.exe | 97
PID 3224 wrote to memory of 4436 | 3224 | Glmqjj32.exe | 97
PID 4436 wrote to memory of 1248 | 4436 | Glompi32.exe | 98
PID 4436 wrote to memory of 1248 | 4436 | Glompi32.exe | 98
PID 4436 wrote to memory of 1248 | 4436 | Glompi32.exe | 98
PID 1248 wrote to memory of 224 | 1248 | Hhmdeink.exe | 99
PID 1248 wrote to memory of 224 | 1248 | Hhmdeink.exe | 99
PID 1248 wrote to memory of 224 | 1248 | Hhmdeink.exe | 99
PID 224 wrote to memory of 1216 | 224 | Imofip32.exe | 100
PID 224 wrote to memory of 1216 | 224 | Imofip32.exe | 100
PID 224 wrote to memory of 1216 | 224 | Imofip32.exe | 100
PID 1216 wrote to memory of 3696 | 1216 | Iaokdn32.exe | 101
Processes

[1] C:\Users\Admin\AppData\Local\Temp\bfa7776344ed5f548997227335dbfd40_exe32.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bfa7776344ed5f548997227335dbfd40_exe32.exe"
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 4780

[2] C:\Windows\SysWOW64\Qdfefkll.exe
    Command line: C:\Windows\system32\Qdfefkll.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2192

[3] C:\Windows\SysWOW64\Ajnmjp32.exe
    Command line: C:\Windows\system32\Ajnmjp32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 1448

[4] C:\Windows\SysWOW64\Bnlfqngm.exe
    Command line: C:\Windows\system32\Bnlfqngm.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 4964

[5] C:\Windows\SysWOW64\Bjcfeola.exe
    Command line: C:\Windows\system32\Bjcfeola.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 860

[6] C:\Windows\SysWOW64\Bjeckojo.exe
    Command line: C:\Windows\system32\Bjeckojo.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 5016

[7] C:\Windows\SysWOW64\Bnehgmob.exe
    Command line: C:\Windows\system32\Bnehgmob.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 3536

[8] C:\Windows\SysWOW64\Cgecpa32.exe
    Command line: C:\Windows\system32\Cgecpa32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2492

[9] C:\Windows\SysWOW64\Dmfecgim.exe
    Command line: C:\Windows\system32\Dmfecgim.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2232

[10] C:\Windows\SysWOW64\Ddpjjd32.exe
    Command line: C:\Windows\system32\Ddpjjd32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3780

[11] C:\Windows\SysWOW64\Dmnkdfce.exe
    Command line: C:\Windows\system32\Dmnkdfce.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3596

[12] C:\Windows\SysWOW64\Dmphjfab.exe
    Command line: C:\Windows\system32\Dmphjfab.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2772

[13] C:\Windows\SysWOW64\Eljknl32.exe
    Command line: C:\Windows\system32\Eljknl32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 5052

[14] C:\Windows\SysWOW64\Fcjimnjl.exe
    Command line: C:\Windows\system32\Fcjimnjl.exe
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4376

[15] C:\Windows\SysWOW64\Fdobhm32.exe
    Command line: C:\Windows\system32\Fdobhm32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3916

[16] C:\Windows\SysWOW64\Genobp32.exe
    Command line: C:\Windows\system32\Genobp32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2424

[17] C:\Windows\SysWOW64\Geqlhp32.exe
    Command line: C:\Windows\system32\Geqlhp32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2500

[18] C:\Windows\SysWOW64\Glmqjj32.exe
    Command line: C:\Windows\system32\Glmqjj32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 3224

[19] C:\Windows\SysWOW64\Glompi32.exe
    Command line: C:\Windows\system32\Glompi32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4436

[20] C:\Windows\SysWOW64\Hhmdeink.exe
    Command line: C:\Windows\system32\Hhmdeink.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 1248

[21] C:\Windows\SysWOW64\Imofip32.exe
    Command line: C:\Windows\system32\Imofip32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 224

[22] C:\Windows\SysWOW64\Iaokdn32.exe
    Command line: C:\Windows\system32\Iaokdn32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 1216

[23] C:\Windows\SysWOW64\Ihicah32.exe
    Command line: C:\Windows\system32\Ihicah32.exe
    - Executes dropped EXE
    PID: 3696

[24] C:\Windows\SysWOW64\Idbalhho.exe
    Command line: C:\Windows\system32\Idbalhho.exe
    - Executes dropped EXE
    PID: 3748

[25] C:\Windows\SysWOW64\Jhpjbgne.exe
    Command line: C:\Windows\system32\Jhpjbgne.exe
    - Executes dropped EXE
    PID: 976

[26] C:\Windows\SysWOW64\Jlnbhe32.exe
    Command line: C:\Windows\system32\Jlnbhe32.exe
    - Executes dropped EXE
    PID: 2124

[27] C:\Windows\SysWOW64\Jkcpia32.exe
    Command line: C:\Windows\system32\Jkcpia32.exe
    - Executes dropped EXE
    PID: 848

[28] C:\Windows\SysWOW64\Kleiid32.exe
    Command line: C:\Windows\system32\Kleiid32.exe
    - Executes dropped EXE
    PID: 2692

[29] C:\Windows\SysWOW64\Klloichl.exe
    Command line: C:\Windows\system32\Klloichl.exe
    - Executes dropped EXE
    PID: 4744

[30] C:\Windows\SysWOW64\Kfdcbiol.exe
    Command line: C:\Windows\system32\Kfdcbiol.exe
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Loaafnah.exeC:\Windows\system32\Loaafnah.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Ldccid32.exeC:\Windows\system32\Ldccid32.exe32⤵
- Executes dropped EXE
PID:4196 -
C:\Windows\SysWOW64\Lbgcch32.exeC:\Windows\system32\Lbgcch32.exe33⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Mkfnlmkl.exeC:\Windows\system32\Mkfnlmkl.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:4320 -
C:\Windows\SysWOW64\Niohap32.exeC:\Windows\system32\Niohap32.exe35⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Nicalpak.exeC:\Windows\system32\Nicalpak.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Obnbjdfi.exeC:\Windows\system32\Obnbjdfi.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Oeahap32.exeC:\Windows\system32\Oeahap32.exe38⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Pfenga32.exeC:\Windows\system32\Pfenga32.exe39⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Pbokab32.exeC:\Windows\system32\Pbokab32.exe40⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Plimpg32.exeC:\Windows\system32\Plimpg32.exe41⤵
- Executes dropped EXE
PID:3756 -
C:\Windows\SysWOW64\Qlnfkgho.exeC:\Windows\system32\Qlnfkgho.exe42⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Aooolbep.exeC:\Windows\system32\Aooolbep.exe43⤵
- Executes dropped EXE
PID:372 -
C:\Windows\SysWOW64\Apnkfelb.exeC:\Windows\system32\Apnkfelb.exe44⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Aiimejap.exeC:\Windows\system32\Aiimejap.exe45⤵
- Executes dropped EXE
PID:3656 -
C:\Windows\SysWOW64\Amgekh32.exeC:\Windows\system32\Amgekh32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Amibqhed.exeC:\Windows\system32\Amibqhed.exe47⤵
- Executes dropped EXE
PID:4728 -
C:\Windows\SysWOW64\Begcjjql.exeC:\Windows\system32\Begcjjql.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2704 -
C:\Windows\SysWOW64\Bidlqhgc.exeC:\Windows\system32\Bidlqhgc.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:5060 -
C:\Windows\SysWOW64\Cfiiggpg.exeC:\Windows\system32\Cfiiggpg.exe50⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Dgkbfjeg.exeC:\Windows\system32\Dgkbfjeg.exe51⤵
- Executes dropped EXE
PID:3260 -
C:\Windows\SysWOW64\Djlkhe32.exeC:\Windows\system32\Djlkhe32.exe52⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Dcdpakii.exeC:\Windows\system32\Dcdpakii.exe53⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Enlqdc32.exeC:\Windows\system32\Enlqdc32.exe54⤵
- Executes dropped EXE
PID:4284 -
C:\Windows\SysWOW64\Egeemiml.exeC:\Windows\system32\Egeemiml.exe55⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Eqmjen32.exeC:\Windows\system32\Eqmjen32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Ecnbgian.exeC:\Windows\system32\Ecnbgian.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1512 -
C:\Windows\SysWOW64\Emfgpo32.exeC:\Windows\system32\Emfgpo32.exe58⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Fqfmlm32.exeC:\Windows\system32\Fqfmlm32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4204 -
C:\Windows\SysWOW64\Fcgemhic.exeC:\Windows\system32\Fcgemhic.exe60⤵
- Executes dropped EXE
PID:4724 -
C:\Windows\SysWOW64\Fmpjfn32.exeC:\Windows\system32\Fmpjfn32.exe61⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Fppchile.exeC:\Windows\system32\Fppchile.exe62⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Gmfpgmil.exeC:\Windows\system32\Gmfpgmil.exe63⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Gfaaebnj.exeC:\Windows\system32\Gfaaebnj.exe64⤵
- Executes dropped EXE
PID:460 -
C:\Windows\SysWOW64\Hhegjdag.exeC:\Windows\system32\Hhegjdag.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:400 -
C:\Windows\SysWOW64\Hmginjki.exeC:\Windows\system32\Hmginjki.exe66⤵PID:2072
-
C:\Windows\SysWOW64\Imnoni32.exeC:\Windows\system32\Imnoni32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3184 -
C:\Windows\SysWOW64\Iaqapggb.exeC:\Windows\system32\Iaqapggb.exe68⤵PID:2320
-
C:\Windows\SysWOW64\Ikifhm32.exeC:\Windows\system32\Ikifhm32.exe69⤵
- Drops file in System32 directory
PID:3944 -
C:\Windows\SysWOW64\Jacnegep.exeC:\Windows\system32\Jacnegep.exe70⤵PID:1852
-
C:\Windows\SysWOW64\Jdhpba32.exeC:\Windows\system32\Jdhpba32.exe71⤵PID:568
-
C:\Windows\SysWOW64\Khmoionj.exeC:\Windows\system32\Khmoionj.exe72⤵PID:2412
-
C:\Windows\SysWOW64\Lnanadfi.exeC:\Windows\system32\Lnanadfi.exe73⤵PID:1732
-
C:\Windows\SysWOW64\Mgceqh32.exeC:\Windows\system32\Mgceqh32.exe74⤵PID:3920
-
C:\Windows\SysWOW64\Mbmbiqqp.exeC:\Windows\system32\Mbmbiqqp.exe75⤵
- Drops file in System32 directory
PID:3940 -
C:\Windows\SysWOW64\Nnimia32.exeC:\Windows\system32\Nnimia32.exe76⤵PID:4624
-
C:\Windows\SysWOW64\Nieggill.exeC:\Windows\system32\Nieggill.exe77⤵PID:2388
-
C:\Windows\SysWOW64\Oooodcci.exeC:\Windows\system32\Oooodcci.exe78⤵PID:3232
-
C:\Windows\SysWOW64\Oijqbh32.exeC:\Windows\system32\Oijqbh32.exe79⤵PID:4656
-
C:\Windows\SysWOW64\Onifpodl.exeC:\Windows\system32\Onifpodl.exe80⤵
- Drops file in System32 directory
PID:4124 -
C:\Windows\SysWOW64\Oagbljcp.exeC:\Windows\system32\Oagbljcp.exe81⤵
- Drops file in System32 directory
PID:3908 -
C:\Windows\SysWOW64\Ogajid32.exeC:\Windows\system32\Ogajid32.exe82⤵
- Modifies registry class
PID:4424 -
C:\Windows\SysWOW64\Phfcdcfg.exeC:\Windows\system32\Phfcdcfg.exe83⤵PID:4980
-
C:\Windows\SysWOW64\Paennh32.exeC:\Windows\system32\Paennh32.exe84⤵
- Drops file in System32 directory
- Modifies registry class
PID:3608 -
C:\Windows\SysWOW64\Aiclodaj.exeC:\Windows\system32\Aiclodaj.exe85⤵PID:1088
-
C:\Windows\SysWOW64\Aeofoe32.exeC:\Windows\system32\Aeofoe32.exe86⤵PID:4308
-
C:\Windows\SysWOW64\Bpidhmoi.exeC:\Windows\system32\Bpidhmoi.exe87⤵PID:3172
-
C:\Windows\SysWOW64\Biaiqb32.exeC:\Windows\system32\Biaiqb32.exe88⤵
- Drops file in System32 directory
PID:2036 -
C:\Windows\SysWOW64\Blpemn32.exeC:\Windows\system32\Blpemn32.exe89⤵PID:1972
-
C:\Windows\SysWOW64\Ccacjgfb.exeC:\Windows\system32\Ccacjgfb.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4484 -
C:\Windows\SysWOW64\Chnlbndj.exeC:\Windows\system32\Chnlbndj.exe91⤵PID:4580
-
C:\Windows\SysWOW64\Cimhlakl.exeC:\Windows\system32\Cimhlakl.exe92⤵PID:2508
-
C:\Windows\SysWOW64\Caimachg.exeC:\Windows\system32\Caimachg.exe93⤵PID:1280
-
C:\Windows\SysWOW64\Chbenm32.exeC:\Windows\system32\Chbenm32.exe94⤵PID:2056
-
C:\Windows\SysWOW64\Commjgga.exeC:\Windows\system32\Commjgga.exe95⤵PID:4632
-
C:\Windows\SysWOW64\Dhndil32.exeC:\Windows\system32\Dhndil32.exe96⤵PID:1256
-
C:\Windows\SysWOW64\Dcdifdem.exeC:\Windows\system32\Dcdifdem.exe97⤵
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Dhqaokcd.exeC:\Windows\system32\Dhqaokcd.exe98⤵PID:5068
-
C:\Windows\SysWOW64\Ebkbmqhb.exeC:\Windows\system32\Ebkbmqhb.exe99⤵
- Drops file in System32 directory
PID:3364 -
C:\Windows\SysWOW64\Elagjihh.exeC:\Windows\system32\Elagjihh.exe100⤵PID:3360
-
C:\Windows\SysWOW64\Ebnocpfp.exeC:\Windows\system32\Ebnocpfp.exe101⤵PID:4476
-
C:\Windows\SysWOW64\Elccpife.exeC:\Windows\system32\Elccpife.exe102⤵PID:2168
-
C:\Windows\SysWOW64\Ecmlmcmb.exeC:\Windows\system32\Ecmlmcmb.exe103⤵PID:2208
-
C:\Windows\SysWOW64\Ehjdejkj.exeC:\Windows\system32\Ehjdejkj.exe104⤵PID:1616
-
C:\Windows\SysWOW64\Fmjjqhpn.exeC:\Windows\system32\Fmjjqhpn.exe105⤵
- Modifies registry class
PID:1840 -
C:\Windows\SysWOW64\Gbqeonfj.exeC:\Windows\system32\Gbqeonfj.exe106⤵PID:4108
-
C:\Windows\SysWOW64\Gijmlh32.exeC:\Windows\system32\Gijmlh32.exe107⤵PID:4184
-
C:\Windows\SysWOW64\Gcpaiq32.exeC:\Windows\system32\Gcpaiq32.exe108⤵PID:3504
-
C:\Windows\SysWOW64\Gjjjfkdj.exeC:\Windows\system32\Gjjjfkdj.exe109⤵PID:4512
-
C:\Windows\SysWOW64\Gmmome32.exeC:\Windows\system32\Gmmome32.exe110⤵PID:2060
-
C:\Windows\SysWOW64\Hfjmajbc.exeC:\Windows\system32\Hfjmajbc.exe111⤵PID:656
-
C:\Windows\SysWOW64\Hfoflj32.exeC:\Windows\system32\Hfoflj32.exe112⤵PID:4768
-
C:\Windows\SysWOW64\Hmioicek.exeC:\Windows\system32\Hmioicek.exe113⤵PID:2096
-
C:\Windows\SysWOW64\Imklncch.exeC:\Windows\system32\Imklncch.exe114⤵
- Modifies registry class
PID:1000 -
C:\Windows\SysWOW64\Jjmhie32.exeC:\Windows\system32\Jjmhie32.exe115⤵PID:4448
-
C:\Windows\SysWOW64\Jagqfp32.exeC:\Windows\system32\Jagqfp32.exe116⤵PID:1092
-
C:\Windows\SysWOW64\Jbhmnhcm.exeC:\Windows\system32\Jbhmnhcm.exe117⤵PID:2636
-
C:\Windows\SysWOW64\Jmnakqcc.exeC:\Windows\system32\Jmnakqcc.exe118⤵PID:5092
-
C:\Windows\SysWOW64\Jbmfig32.exeC:\Windows\system32\Jbmfig32.exe119⤵PID:3864
-
C:\Windows\SysWOW64\Kdophj32.exeC:\Windows\system32\Kdophj32.exe120⤵
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Kilhqq32.exeC:\Windows\system32\Kilhqq32.exe121⤵PID:5140
-
C:\Windows\SysWOW64\Kcdmifip.exeC:\Windows\system32\Kcdmifip.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5180
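The tree above is the same pattern repeated 122 times: a process writes a new randomly named executable into C:\Windows\SysWOW64, starts it, and the child does the same. Two details matter when correlating this in endpoint telemetry rather than in a sandbox. First, the command line names C:\Windows\system32\ while the image actually runs from C:\Windows\SysWOW64\ (the 32-bit redirected view of that directory), so match on the image path, never on the command line. Second, the report stops tagging "Executes dropped EXE" after depth 65, so the chain length should be derived from the events themselves rather than from the tags. The following is an added example, not part of the sandbox report or the sample: it correlates constructed FileCreate and ProcessCreate records (field names modelled on Sysmon Event ID 11 and Event ID 1; the records are hand-written to mirror depths 1 to 4 above, and which link wrote which file is assumed) into drop-and-execute links, keys the writer by PID and image together so a reused PID is not credited with an older write, and rebuilds the chain.

```python
"""Reconstruct a drop-and-execute chain from process telemetry (added example)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    seq: int             # position in the log, assumed to increase with time
    kind: str            # "FileCreate" or "ProcessCreate"
    pid: int             # writing process (FileCreate) / new process (ProcessCreate)
    image: str           # the Image field of that process, never CommandLine
    target: str = ""     # FileCreate only: path written
    parent_pid: int = 0  # ProcessCreate only
    parent_image: str = ""


@dataclass(frozen=True)
class Link:
    parent_pid: int
    parent_image: str
    child_pid: int
    child_image: str


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\bfa7776344ed5f548997227335dbfd40_exe32.exe"
WOW = r"C:\Windows\SysWOW64"

# Constructed records mirroring depths 1-4 of the report (names and PIDs from it).
SAMPLE_EVENTS = [
    Event(1, "FileCreate", 4780, DROPPER, target=WOW + r"\Qdfefkll.exe"),
    Event(2, "ProcessCreate", 2192, WOW + r"\Qdfefkll.exe", parent_pid=4780, parent_image=DROPPER),
    # which link wrote which file is assumed; the report tags only some links as dropping
    Event(3, "FileCreate", 2192, WOW + r"\Qdfefkll.exe", target=WOW + r"\Ajnmjp32.exe"),
    Event(4, "ProcessCreate", 1448, WOW + r"\Ajnmjp32.exe", parent_pid=2192, parent_image=WOW + r"\Qdfefkll.exe"),
    Event(5, "FileCreate", 1448, WOW + r"\Ajnmjp32.exe", target=WOW + r"\Bnlfqngm.exe"),
    Event(6, "ProcessCreate", 4964, WOW + r"\Bnlfqngm.exe", parent_pid=1448, parent_image=WOW + r"\Ajnmjp32.exe"),
    # benign noise: a write that is never executed, and an execution with no prior write
    Event(7, "FileCreate", 900, r"C:\Program Files (x86)\Vendor\setup.exe", target=WOW + r"\vendor.dll"),
    Event(8, "ProcessCreate", 3001, WOW + r"\notepad.exe", parent_pid=1200, parent_image=r"C:\Windows\explorer.exe"),
    # PID reuse: a later parent with PID 4780 but another image must not inherit the old write
    Event(9, "ProcessCreate", 5555, WOW + r"\Qdfefkll.exe", parent_pid=4780, parent_image=r"C:\Windows\explorer.exe"),
]


def _norm(path: str) -> str:
    """Case-fold and strip quotes so Image paths compare reliably."""
    return path.strip().strip('"').lower()


def drop_and_execute_links(events: list[Event]) -> list[Link]:
    """Every ProcessCreate whose image was written earlier by its own parent."""
    writes: dict[tuple[int, str, str], int] = {}   # (writer pid, writer image, file) -> seq
    links: list[Link] = []
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.kind == "FileCreate":
            writes[(ev.pid, _norm(ev.image), _norm(ev.target))] = ev.seq
        elif ev.kind == "ProcessCreate":
            key = (ev.parent_pid, _norm(ev.parent_image), _norm(ev.image))
            if key in writes and writes[key] < ev.seq:
                links.append(Link(ev.parent_pid, ev.parent_image, ev.pid, ev.image))
    return links


def chains(links: list[Link]) -> list[list[Link]]:
    """Join links parent->child into root-to-leaf paths, longest first."""
    kids: dict[int, list[Link]] = {}
    for link in links:
        kids.setdefault(link.parent_pid, []).append(link)
    child_pids = {link.child_pid for link in links}
    paths: list[list[Link]] = []

    def walk(link: Link, acc: list[Link]) -> None:
        acc = acc + [link]
        nxt = [n for n in kids.get(link.child_pid, []) if n not in acc]  # guard against loops
        if not nxt:
            paths.append(acc)
        for n in nxt:
            walk(n, acc)

    for root in links:
        if root.parent_pid not in child_pids:
            walk(root, [])
    return sorted(paths, key=len, reverse=True)


def longest_chain_images(events: list[Event]) -> list[str]:
    """Image paths from the chain root down to its deepest link, or [] if none."""
    found = chains(drop_and_execute_links(events))
    if not found:
        return []
    best = found[0]
    return [best[0].parent_image] + [link.child_image for link in best]


if __name__ == "__main__":
    for depth, image in enumerate(longest_chain_images(SAMPLE_EVENTS), start=1):
        print(f"depth {depth}: {image}")
```

On the constructed records this yields a four-deep chain ending in Bnlfqngm.exe, the same shape as depths 1 to 4 of the report, while the unexecuted vendor.dll write, the explorer.exe-launched notepad.exe and the recycled PID 4780 all stay out of it. The same correlation, fed real Event ID 11 and Event ID 1 records, is what turns a 122-process tree like this one into a single alert instead of 122 unrelated ones.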