Analysis
-
max time kernel
137s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
15/10/2023, 19:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e312311006399d3e695a479d832bec10_exe32.exe
Resource
win7-20230831-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
e312311006399d3e695a479d832bec10_exe32.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
e312311006399d3e695a479d832bec10_exe32.exe
-
Size
59KB
-
MD5
e312311006399d3e695a479d832bec10
-
SHA1
405cd819391aef65546bbccf2ff6466d8b0e3cc7
-
SHA256
08f4ff05ea6b6121e4d08aa0d4c07fb7103b358e2010a959a2776c0ce286d9ee
-
SHA512
bdf73d76a8257c120bb42b0410ca9033cbfd9fab8c1802cd9b3308305e3c61b08569aa7f05c0d449f05ee2db5bb605a662768c16fcff720a478b806355f927f9
-
SSDEEP
768:ImHazfgLtOqrtUxmn+dC/eQ5pygt4ceViM48FXlgz22225KHwqZDDIsgZ/1H5+5p:Im6rghNU8Soyq9SBXZnIsiYNCyVso
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhoahh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbkfbcpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coohhlpe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjkmomfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjfmkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifmmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbnaeh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mofmobmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cacmpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdbpgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlkfbocp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpnjah32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Legben32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llqjbhdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afhfaddk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajaelc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqmlccdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imiehfao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npgmpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqbcbkab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gacepg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jihbip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piocecgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjhbfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odjeljhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdpjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbohpn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqfpckhm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fganqbgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hemmac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cibain32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnfpinmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ondljl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnoddcef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckebcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpkknmgd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcclncbh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coohhlpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imgicgca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chdialdl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epffbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebdcld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfpell32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oodcdb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pocpfphe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoideh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amnlme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhifomdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ommceclc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmdkcnie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlepcdoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Offnhpfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bklomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fndpmndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jllhpkfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhckcgpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pefabkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfbcke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gncchb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glipgf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjlopc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcbpjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfchlbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nagiji32.exe -
Executes dropped EXE 64 IoCs
pid Process 3008 Ncabfkqo.exe 4176 Nnfgcd32.exe 3864 Nccokk32.exe 1740 Nnicid32.exe 4412 Nlmdbh32.exe 4988 Oeehkn32.exe 3656 Ojbacd32.exe 3672 Odjeljhd.exe 3336 Onpjichj.exe 1916 Oejbfmpg.exe 1536 Ojgjndno.exe 112 Odoogi32.exe 4456 Oodcdb32.exe 3936 Oeokal32.exe 2096 Okkdic32.exe 1084 Pddhbipj.exe 4828 Pknqoc32.exe 1400 Phaahggp.exe 4136 Pefabkej.exe 800 Pmaffnce.exe 2036 Pkegpb32.exe 4704 Pdmkhgho.exe 1684 Pocpfphe.exe 3888 Qdphngfl.exe 3424 Qeodhjmo.exe 4328 Qklmpalf.exe 3320 Alkijdci.exe 5004 Aahbbkaq.exe 792 Anobgl32.exe 2320 Alpbecod.exe 2948 Anaomkdb.exe 1064 Ahgcjddh.exe 332 Anclbkbp.exe 3516 Ahippdbe.exe 4204 Bochmn32.exe 4276 Bdpaeehj.exe 3396 Bnhenj32.exe 412 Bdbnjdfg.exe 3088 Bklfgo32.exe 2344 Bebjdgmj.exe 2956 Bllbaa32.exe 212 Bnmoijje.exe 5064 Bhbcfbjk.exe 4884 Bakgoh32.exe 4612 Coohhlpe.exe 4436 Chglab32.exe 3768 Cfkmkf32.exe 2592 Cdpjlb32.exe 1548 Ckjbhmad.exe 3800 Cdbfab32.exe 4128 Ckmonl32.exe 2448 Cfbcke32.exe 4816 Dmlkhofd.exe 964 Dnmhpg32.exe 3436 Dhclmp32.exe 3036 Dkhnjk32.exe 224 Eiloco32.exe 728 Ebdcld32.exe 4112 Eoideh32.exe 2412 Ebgpad32.exe 4972 Eiahnnph.exe 4820 Ebimgcfi.exe 4312 Emoadlfo.exe 3832 Eblimcdf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kpjgaoqm.exe Jedccfqg.exe File created C:\Windows\SysWOW64\Mfjnfknb.dll Mcbpjg32.exe File created C:\Windows\SysWOW64\Mfkkqmiq.exe Loacdc32.exe File created C:\Windows\SysWOW64\Ohgohiia.dll Gjaphgpl.exe File created C:\Windows\SysWOW64\Ghoqak32.dll Oodcdb32.exe File created C:\Windows\SysWOW64\Qeodhjmo.exe Qdphngfl.exe File created C:\Windows\SysWOW64\Cpabibmg.dll Hidgai32.exe File created C:\Windows\SysWOW64\Fallih32.dll Hbgkei32.exe File created C:\Windows\SysWOW64\Gnohnffc.exe Gjaphgpl.exe File opened for modification C:\Windows\SysWOW64\Nccokk32.exe Nnfgcd32.exe File created C:\Windows\SysWOW64\Mnjqmpgg.exe Mfchlbfd.exe File created C:\Windows\SysWOW64\Ieppioao.dll Egohdegl.exe File created C:\Windows\SysWOW64\Mlbmonhi.dll Fndpmndl.exe File created C:\Windows\SysWOW64\Loofnccf.exe Llqjbhdc.exe File created C:\Windows\SysWOW64\Bmladm32.exe Bbfmgd32.exe File created C:\Windows\SysWOW64\Jnifpf32.dll Mqfpckhm.exe File created C:\Windows\SysWOW64\Nphihiif.dll Oanokhdb.exe File created C:\Windows\SysWOW64\Kfcfimfi.dll Phajna32.exe File created C:\Windows\SysWOW64\Hifmmb32.exe Hbldphde.exe File opened for modification C:\Windows\SysWOW64\Fjhmbihg.exe Fdkdibjp.exe File created C:\Windows\SysWOW64\Aqmiic32.dll Ibaeen32.exe File opened for modification C:\Windows\SysWOW64\Jgkmgk32.exe Jleijb32.exe File created C:\Windows\SysWOW64\Jjjojj32.dll Npbceggm.exe File created C:\Windows\SysWOW64\Kcbfcigf.exe Kpcjgnhb.exe File created C:\Windows\SysWOW64\Oeehkn32.exe Nlmdbh32.exe File opened for modification C:\Windows\SysWOW64\Apjkcadp.exe Aknbkjfh.exe File opened for modification C:\Windows\SysWOW64\Bbaclegm.exe Bmdkcnie.exe File opened for modification C:\Windows\SysWOW64\Fneggdhg.exe Felbnn32.exe File created C:\Windows\SysWOW64\Pmnbfhal.exe Phajna32.exe File created C:\Windows\SysWOW64\Aonhghjl.exe Adhdjpjf.exe File created C:\Windows\SysWOW64\Fbbicl32.exe Fndpmndl.exe File created C:\Windows\SysWOW64\Ohfkgknc.dll Mhjhmhhd.exe File opened for modification C:\Windows\SysWOW64\Oejbfmpg.exe Onpjichj.exe File opened for modification C:\Windows\SysWOW64\Phaahggp.exe Pknqoc32.exe File created C:\Windows\SysWOW64\Hhjamhbn.dll Dhclmp32.exe File opened for modification C:\Windows\SysWOW64\Fcekfnkb.exe Fnhbmgmk.exe File opened for modification C:\Windows\SysWOW64\Lindkm32.exe Lcclncbh.exe File created C:\Windows\SysWOW64\Hkajlm32.dll Qklmpalf.exe File created C:\Windows\SysWOW64\Bochmn32.exe Ahippdbe.exe File created C:\Windows\SysWOW64\Kibeoo32.exe Jllhpkfk.exe File created C:\Windows\SysWOW64\Jjjfeo32.dll Djgdkk32.exe File created C:\Windows\SysWOW64\Fqikob32.exe Fjocbhbo.exe File created C:\Windows\SysWOW64\Cdbfab32.exe Ckjbhmad.exe File created C:\Windows\SysWOW64\Ccegac32.dll Hlkfbocp.exe File created C:\Windows\SysWOW64\Amoppdld.dll Bbfmgd32.exe File created C:\Windows\SysWOW64\Figgdg32.exe Ekajec32.exe File created C:\Windows\SysWOW64\Jhnojl32.exe Jbagbebm.exe File opened for modification C:\Windows\SysWOW64\Bmladm32.exe Bbfmgd32.exe File created C:\Windows\SysWOW64\Oklfllgp.dll Pddhbipj.exe File opened for modification C:\Windows\SysWOW64\Knenkbio.exe Kgkfnh32.exe File opened for modification C:\Windows\SysWOW64\Bacjdbch.exe Bgnffj32.exe File created C:\Windows\SysWOW64\Ndoell32.dll Glipgf32.exe File created C:\Windows\SysWOW64\Likage32.dll Ojemig32.exe File opened for modification C:\Windows\SysWOW64\Pmhbqbae.exe Pbcncibp.exe File created C:\Windows\SysWOW64\Kplqhmfl.dll Ecikjoep.exe File opened for modification C:\Windows\SysWOW64\Hlepcdoa.exe Hoaojp32.exe File created C:\Windows\SysWOW64\Egohdegl.exe Ebaplnie.exe File created C:\Windows\SysWOW64\Ipdndloi.exe Iijfhbhl.exe File opened for modification C:\Windows\SysWOW64\Ncqlkemc.exe Nncccnol.exe File created C:\Windows\SysWOW64\Fkdjqkoj.dll Gkaclqkk.exe File created C:\Windows\SysWOW64\Dinael32.exe Cacmpj32.exe File created C:\Windows\SysWOW64\Eibmbgdm.dll Ggkqgaol.exe File created C:\Windows\SysWOW64\Ehkaqc32.dll Ibcaknbi.exe File created C:\Windows\SysWOW64\Iojbpo32.exe Imiehfao.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10052 9904 WerFault.exe 472 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkajlm32.dll" Qklmpalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjafgpmo.dll" Felbnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdfqocb.dll" Hoobdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgnffj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjijkmod.dll" Oeehkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fneggdhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnoddcef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inmdohhp.dll" Kpnjah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fniihmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdeeipfp.dll" Fjhmbihg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igdgglfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgkmgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Koodbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akkffkhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oppceehj.dll" Ncqlkemc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iolgql32.dll" Fdpnda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keldkigj.dll" Oejbfmpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oklfllgp.dll" Pddhbipj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coohhlpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgdpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkegpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdpjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmeede32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpkknmgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hoobdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baannc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpepbgbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oblhcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahgcjddh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cedckdaj.dll" Pjkmomfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghgmioe.dll" Cklhcfle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hahokfag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djkpla32.dll" Pjcikejg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bklfgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ficlfj32.dll" Gmimai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Locfbi32.dll" Jokkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqbcbkab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agdcpkll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idknpoad.dll" Iimcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmidnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agdcpkll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbblob32.dll" Fbbicl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhaggp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajaelc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmladm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anaomkdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmdml32.dll" Qdoacabq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhnojl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpjjmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fklenm32.dll" Pefabkej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kekbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmkcc32.dll" Aimogakj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjocbhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phaahggp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdbfab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gihgfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jihbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iijfhbhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipdndloi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aknhkd32.dll" Fnnjmbpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocaebc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcoaln32.dll" Eklajcmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckcdlpbd.dll" Fniihmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedhfp32.dll" Gnnccl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5076 wrote to memory of 3008 5076 e312311006399d3e695a479d832bec10_exe32.exe 82 PID 5076 wrote to memory of 3008 5076 e312311006399d3e695a479d832bec10_exe32.exe 82 PID 5076 wrote to memory of 3008 5076 e312311006399d3e695a479d832bec10_exe32.exe 82 PID 3008 wrote to memory of 4176 3008 Ncabfkqo.exe 83 PID 3008 wrote to memory of 4176 3008 Ncabfkqo.exe 83 PID 3008 wrote to memory of 4176 3008 Ncabfkqo.exe 83 PID 4176 wrote to memory of 3864 4176 Nnfgcd32.exe 84 PID 4176 wrote to memory of 3864 4176 Nnfgcd32.exe 84 PID 4176 wrote to memory of 3864 4176 Nnfgcd32.exe 84 PID 3864 wrote to memory of 1740 3864 Nccokk32.exe 85 PID 3864 wrote to memory of 1740 3864 Nccokk32.exe 85 PID 3864 wrote to memory of 1740 3864 Nccokk32.exe 85 PID 1740 wrote to memory of 4412 1740 Nnicid32.exe 86 PID 1740 wrote to memory of 4412 1740 Nnicid32.exe 86 PID 1740 wrote to memory of 4412 1740 Nnicid32.exe 86 PID 4412 wrote to memory of 4988 4412 Nlmdbh32.exe 87 PID 4412 wrote to memory of 4988 4412 Nlmdbh32.exe 87 PID 4412 wrote to memory of 4988 4412 Nlmdbh32.exe 87 PID 4988 wrote to memory of 3656 4988 Oeehkn32.exe 88 PID 4988 wrote to memory of 3656 4988 Oeehkn32.exe 88 PID 4988 wrote to memory of 3656 4988 Oeehkn32.exe 88 PID 3656 wrote to memory of 3672 3656 Ojbacd32.exe 89 PID 3656 wrote to memory of 3672 3656 Ojbacd32.exe 89 PID 3656 wrote to memory of 3672 3656 Ojbacd32.exe 89 PID 3672 wrote to memory of 3336 3672 Odjeljhd.exe 90 PID 3672 wrote to memory of 3336 3672 Odjeljhd.exe 90 PID 3672 wrote to memory of 3336 3672 Odjeljhd.exe 90 PID 3336 wrote to memory of 1916 3336 Onpjichj.exe 91 PID 3336 wrote to memory of 1916 3336 Onpjichj.exe 91 PID 3336 wrote to memory of 1916 3336 Onpjichj.exe 91 PID 1916 wrote to memory of 1536 1916 Oejbfmpg.exe 92 PID 1916 wrote to memory of 1536 1916 Oejbfmpg.exe 92 PID 1916 wrote to memory of 1536 1916 Oejbfmpg.exe 92 PID 1536 wrote to memory of 112 1536 Ojgjndno.exe 93 PID 1536 wrote to memory of 112 1536 Ojgjndno.exe 93 PID 1536 wrote to memory of 112 1536 Ojgjndno.exe 93 PID 112 wrote to memory of 4456 112 Odoogi32.exe 94 PID 112 wrote to memory of 4456 112 Odoogi32.exe 94 PID 112 wrote to memory of 4456 112 Odoogi32.exe 94 PID 4456 wrote to memory of 3936 4456 Oodcdb32.exe 95 PID 4456 wrote to memory of 3936 4456 Oodcdb32.exe 95 PID 4456 wrote to memory of 3936 4456 Oodcdb32.exe 95 PID 3936 wrote to memory of 2096 3936 Oeokal32.exe 96 PID 3936 wrote to memory of 2096 3936 Oeokal32.exe 96 PID 3936 wrote to memory of 2096 3936 Oeokal32.exe 96 PID 2096 wrote to memory of 1084 2096 Okkdic32.exe 97 PID 2096 wrote to memory of 1084 2096 Okkdic32.exe 97 PID 2096 wrote to memory of 1084 2096 Okkdic32.exe 97 PID 1084 wrote to memory of 4828 1084 Pddhbipj.exe 98 PID 1084 wrote to memory of 4828 1084 Pddhbipj.exe 98 PID 1084 wrote to memory of 4828 1084 Pddhbipj.exe 98 PID 4828 wrote to memory of 1400 4828 Pknqoc32.exe 99 PID 4828 wrote to memory of 1400 4828 Pknqoc32.exe 99 PID 4828 wrote to memory of 1400 4828 Pknqoc32.exe 99 PID 1400 wrote to memory of 4136 1400 Phaahggp.exe 100 PID 1400 wrote to memory of 4136 1400 Phaahggp.exe 100 PID 1400 wrote to memory of 4136 1400 Phaahggp.exe 100 PID 4136 wrote to memory of 800 4136 Pefabkej.exe 102 PID 4136 wrote to memory of 800 4136 Pefabkej.exe 102 PID 4136 wrote to memory of 800 4136 Pefabkej.exe 102 PID 800 wrote to memory of 2036 800 Pmaffnce.exe 103 PID 800 wrote to memory of 2036 800 Pmaffnce.exe 103 PID 800 wrote to memory of 2036 800 Pmaffnce.exe 103 PID 2036 wrote to memory of 4704 2036 Pkegpb32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\e312311006399d3e695a479d832bec10_exe32.exe"C:\Users\Admin\AppData\Local\Temp\e312311006399d3e695a479d832bec10_exe32.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\SysWOW64\Ncabfkqo.exeC:\Windows\system32\Ncabfkqo.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Nnfgcd32.exeC:\Windows\system32\Nnfgcd32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4176 -
C:\Windows\SysWOW64\Nccokk32.exeC:\Windows\system32\Nccokk32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Windows\SysWOW64\Nnicid32.exeC:\Windows\system32\Nnicid32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Nlmdbh32.exeC:\Windows\system32\Nlmdbh32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\Oeehkn32.exeC:\Windows\system32\Oeehkn32.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\Ojbacd32.exeC:\Windows\system32\Ojbacd32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\Odjeljhd.exeC:\Windows\system32\Odjeljhd.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\SysWOW64\Onpjichj.exeC:\Windows\system32\Onpjichj.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3336 -
C:\Windows\SysWOW64\Oejbfmpg.exeC:\Windows\system32\Oejbfmpg.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Ojgjndno.exeC:\Windows\system32\Ojgjndno.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Odoogi32.exeC:\Windows\system32\Odoogi32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Windows\SysWOW64\Oodcdb32.exeC:\Windows\system32\Oodcdb32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Windows\SysWOW64\Oeokal32.exeC:\Windows\system32\Oeokal32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Windows\SysWOW64\Okkdic32.exeC:\Windows\system32\Okkdic32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Pddhbipj.exeC:\Windows\system32\Pddhbipj.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Pknqoc32.exeC:\Windows\system32\Pknqoc32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\Phaahggp.exeC:\Windows\system32\Phaahggp.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\Pefabkej.exeC:\Windows\system32\Pefabkej.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4136 -
C:\Windows\SysWOW64\Pmaffnce.exeC:\Windows\system32\Pmaffnce.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\SysWOW64\Pkegpb32.exeC:\Windows\system32\Pkegpb32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Pdmkhgho.exeC:\Windows\system32\Pdmkhgho.exe23⤵
- Executes dropped EXE
PID:4704 -
C:\Windows\SysWOW64\Pocpfphe.exeC:\Windows\system32\Pocpfphe.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Qdphngfl.exeC:\Windows\system32\Qdphngfl.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3888 -
C:\Windows\SysWOW64\Qeodhjmo.exeC:\Windows\system32\Qeodhjmo.exe26⤵
- Executes dropped EXE
PID:3424 -
C:\Windows\SysWOW64\Qklmpalf.exeC:\Windows\system32\Qklmpalf.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4328 -
C:\Windows\SysWOW64\Alkijdci.exeC:\Windows\system32\Alkijdci.exe28⤵
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Aahbbkaq.exeC:\Windows\system32\Aahbbkaq.exe29⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Anobgl32.exeC:\Windows\system32\Anobgl32.exe30⤵
- Executes dropped EXE
PID:792 -
C:\Windows\SysWOW64\Alpbecod.exeC:\Windows\system32\Alpbecod.exe31⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Anaomkdb.exeC:\Windows\system32\Anaomkdb.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Ahgcjddh.exeC:\Windows\system32\Ahgcjddh.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:1064 -
C:\Windows\SysWOW64\Anclbkbp.exeC:\Windows\system32\Anclbkbp.exe34⤵
- Executes dropped EXE
PID:332 -
C:\Windows\SysWOW64\Ahippdbe.exeC:\Windows\system32\Ahippdbe.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3516 -
C:\Windows\SysWOW64\Bochmn32.exeC:\Windows\system32\Bochmn32.exe36⤵
- Executes dropped EXE
PID:4204 -
C:\Windows\SysWOW64\Bdpaeehj.exeC:\Windows\system32\Bdpaeehj.exe37⤵
- Executes dropped EXE
PID:4276 -
C:\Windows\SysWOW64\Bnhenj32.exeC:\Windows\system32\Bnhenj32.exe38⤵
- Executes dropped EXE
PID:3396 -
C:\Windows\SysWOW64\Bdbnjdfg.exeC:\Windows\system32\Bdbnjdfg.exe39⤵
- Executes dropped EXE
PID:412 -
C:\Windows\SysWOW64\Bklfgo32.exeC:\Windows\system32\Bklfgo32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:3088 -
C:\Windows\SysWOW64\Bebjdgmj.exeC:\Windows\system32\Bebjdgmj.exe41⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Bllbaa32.exeC:\Windows\system32\Bllbaa32.exe42⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Bnmoijje.exeC:\Windows\system32\Bnmoijje.exe43⤵
- Executes dropped EXE
PID:212 -
C:\Windows\SysWOW64\Bhbcfbjk.exeC:\Windows\system32\Bhbcfbjk.exe44⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Bakgoh32.exeC:\Windows\system32\Bakgoh32.exe45⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Coohhlpe.exeC:\Windows\system32\Coohhlpe.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4612 -
C:\Windows\SysWOW64\Chglab32.exeC:\Windows\system32\Chglab32.exe47⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Cfkmkf32.exeC:\Windows\system32\Cfkmkf32.exe48⤵
- Executes dropped EXE
PID:3768 -
C:\Windows\SysWOW64\Cdpjlb32.exeC:\Windows\system32\Cdpjlb32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Ckjbhmad.exeC:\Windows\system32\Ckjbhmad.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1548 -
C:\Windows\SysWOW64\Cdbfab32.exeC:\Windows\system32\Cdbfab32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:3800 -
C:\Windows\SysWOW64\Ckmonl32.exeC:\Windows\system32\Ckmonl32.exe52⤵
- Executes dropped EXE
PID:4128 -
C:\Windows\SysWOW64\Cfbcke32.exeC:\Windows\system32\Cfbcke32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Dmlkhofd.exeC:\Windows\system32\Dmlkhofd.exe54⤵
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Dnmhpg32.exeC:\Windows\system32\Dnmhpg32.exe55⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Dhclmp32.exeC:\Windows\system32\Dhclmp32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3436 -
C:\Windows\SysWOW64\Dkhnjk32.exeC:\Windows\system32\Dkhnjk32.exe57⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Eiloco32.exeC:\Windows\system32\Eiloco32.exe58⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Ebdcld32.exeC:\Windows\system32\Ebdcld32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:728 -
C:\Windows\SysWOW64\Eoideh32.exeC:\Windows\system32\Eoideh32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Ebgpad32.exeC:\Windows\system32\Ebgpad32.exe61⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Eiahnnph.exeC:\Windows\system32\Eiahnnph.exe62⤵
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\Ebimgcfi.exeC:\Windows\system32\Ebimgcfi.exe63⤵
- Executes dropped EXE
PID:4820 -
C:\Windows\SysWOW64\Emoadlfo.exeC:\Windows\system32\Emoadlfo.exe64⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Eblimcdf.exeC:\Windows\system32\Eblimcdf.exe65⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Eifaim32.exeC:\Windows\system32\Eifaim32.exe66⤵PID:220
-
C:\Windows\SysWOW64\Enbjad32.exeC:\Windows\system32\Enbjad32.exe67⤵PID:436
-
C:\Windows\SysWOW64\Felbnn32.exeC:\Windows\system32\Felbnn32.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:852 -
C:\Windows\SysWOW64\Fneggdhg.exeC:\Windows\system32\Fneggdhg.exe69⤵
- Modifies registry class
PID:1160 -
C:\Windows\SysWOW64\Fijkdmhn.exeC:\Windows\system32\Fijkdmhn.exe70⤵PID:4452
-
C:\Windows\SysWOW64\Fngcmcfe.exeC:\Windows\system32\Fngcmcfe.exe71⤵PID:3780
-
C:\Windows\SysWOW64\Fealin32.exeC:\Windows\system32\Fealin32.exe72⤵PID:1956
-
C:\Windows\SysWOW64\Fpgpgfmh.exeC:\Windows\system32\Fpgpgfmh.exe73⤵PID:1436
-
C:\Windows\SysWOW64\Fiodpl32.exeC:\Windows\system32\Fiodpl32.exe74⤵PID:3156
-
C:\Windows\SysWOW64\Fbgihaji.exeC:\Windows\system32\Fbgihaji.exe75⤵PID:3432
-
C:\Windows\SysWOW64\Fmmmfj32.exeC:\Windows\system32\Fmmmfj32.exe76⤵PID:3988
-
C:\Windows\SysWOW64\Fnnjmbpm.exeC:\Windows\system32\Fnnjmbpm.exe77⤵
- Modifies registry class
PID:1392 -
C:\Windows\SysWOW64\Gidnkkpc.exeC:\Windows\system32\Gidnkkpc.exe78⤵PID:1532
-
C:\Windows\SysWOW64\Gblbca32.exeC:\Windows\system32\Gblbca32.exe79⤵PID:4252
-
C:\Windows\SysWOW64\Gncchb32.exeC:\Windows\system32\Gncchb32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5104 -
C:\Windows\SysWOW64\Gihgfk32.exeC:\Windows\system32\Gihgfk32.exe81⤵
- Modifies registry class
PID:1368 -
C:\Windows\SysWOW64\Glipgf32.exeC:\Windows\system32\Glipgf32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4584 -
C:\Windows\SysWOW64\Gbchdp32.exeC:\Windows\system32\Gbchdp32.exe83⤵PID:1892
-
C:\Windows\SysWOW64\Gmimai32.exeC:\Windows\system32\Gmimai32.exe84⤵
- Modifies registry class
PID:2936 -
C:\Windows\SysWOW64\Hfaajnfb.exeC:\Windows\system32\Hfaajnfb.exe85⤵PID:2212
-
C:\Windows\SysWOW64\Hmkigh32.exeC:\Windows\system32\Hmkigh32.exe86⤵PID:5032
-
C:\Windows\SysWOW64\Hpiecd32.exeC:\Windows\system32\Hpiecd32.exe87⤵PID:4552
-
C:\Windows\SysWOW64\Hmmfmhll.exeC:\Windows\system32\Hmmfmhll.exe88⤵PID:1544
-
C:\Windows\SysWOW64\Hoobdp32.exeC:\Windows\system32\Hoobdp32.exe89⤵
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Hidgai32.exeC:\Windows\system32\Hidgai32.exe90⤵
- Drops file in System32 directory
PID:4320 -
C:\Windows\SysWOW64\Hoaojp32.exeC:\Windows\system32\Hoaojp32.exe91⤵
- Drops file in System32 directory
PID:3796 -
C:\Windows\SysWOW64\Hlepcdoa.exeC:\Windows\system32\Hlepcdoa.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3548 -
C:\Windows\SysWOW64\Hbohpn32.exeC:\Windows\system32\Hbohpn32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3344 -
C:\Windows\SysWOW64\Hiipmhmk.exeC:\Windows\system32\Hiipmhmk.exe94⤵PID:4920
-
C:\Windows\SysWOW64\Ibaeen32.exeC:\Windows\system32\Ibaeen32.exe95⤵
- Drops file in System32 directory
PID:5012 -
C:\Windows\SysWOW64\Imgicgca.exeC:\Windows\system32\Imgicgca.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2868 -
C:\Windows\SysWOW64\Ipeeobbe.exeC:\Windows\system32\Ipeeobbe.exe97⤵PID:4592
-
C:\Windows\SysWOW64\Ibcaknbi.exeC:\Windows\system32\Ibcaknbi.exe98⤵
- Drops file in System32 directory
PID:1972 -
C:\Windows\SysWOW64\Imiehfao.exeC:\Windows\system32\Imiehfao.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5128 -
C:\Windows\SysWOW64\Iojbpo32.exeC:\Windows\system32\Iojbpo32.exe100⤵PID:5184
-
C:\Windows\SysWOW64\Iedjmioj.exeC:\Windows\system32\Iedjmioj.exe101⤵PID:5224
-
C:\Windows\SysWOW64\Ipjoja32.exeC:\Windows\system32\Ipjoja32.exe102⤵PID:5264
-
C:\Windows\SysWOW64\Igdgglfl.exeC:\Windows\system32\Igdgglfl.exe103⤵
- Modifies registry class
PID:5312 -
C:\Windows\SysWOW64\Ickglm32.exeC:\Windows\system32\Ickglm32.exe104⤵PID:5356
-
C:\Windows\SysWOW64\Joahqn32.exeC:\Windows\system32\Joahqn32.exe105⤵PID:5396
-
C:\Windows\SysWOW64\Jekqmhia.exeC:\Windows\system32\Jekqmhia.exe106⤵PID:5440
-
C:\Windows\SysWOW64\Jleijb32.exeC:\Windows\system32\Jleijb32.exe107⤵
- Drops file in System32 directory
PID:5484 -
C:\Windows\SysWOW64\Jgkmgk32.exeC:\Windows\system32\Jgkmgk32.exe108⤵
- Modifies registry class
PID:5528 -
C:\Windows\SysWOW64\Jmeede32.exeC:\Windows\system32\Jmeede32.exe109⤵
- Modifies registry class
PID:5568 -
C:\Windows\SysWOW64\Jngbjd32.exeC:\Windows\system32\Jngbjd32.exe110⤵PID:5612
-
C:\Windows\SysWOW64\Jgpfbjlo.exeC:\Windows\system32\Jgpfbjlo.exe111⤵PID:5656
-
C:\Windows\SysWOW64\Jniood32.exeC:\Windows\system32\Jniood32.exe112⤵PID:5700
-
C:\Windows\SysWOW64\Jokkgl32.exeC:\Windows\system32\Jokkgl32.exe113⤵
- Modifies registry class
PID:5736 -
C:\Windows\SysWOW64\Jedccfqg.exeC:\Windows\system32\Jedccfqg.exe114⤵
- Drops file in System32 directory
PID:5784 -
C:\Windows\SysWOW64\Kpjgaoqm.exeC:\Windows\system32\Kpjgaoqm.exe115⤵PID:5828
-
C:\Windows\SysWOW64\Kgdpni32.exeC:\Windows\system32\Kgdpni32.exe116⤵
- Modifies registry class
PID:5868 -
C:\Windows\SysWOW64\Knnhjcog.exeC:\Windows\system32\Knnhjcog.exe117⤵PID:5916
-
C:\Windows\SysWOW64\Koodbl32.exeC:\Windows\system32\Koodbl32.exe118⤵
- Modifies registry class
PID:5960 -
C:\Windows\SysWOW64\Kjeiodek.exeC:\Windows\system32\Kjeiodek.exe119⤵PID:6004
-
C:\Windows\SysWOW64\Kpoalo32.exeC:\Windows\system32\Kpoalo32.exe120⤵PID:6052
-
C:\Windows\SysWOW64\Kcmmhj32.exeC:\Windows\system32\Kcmmhj32.exe121⤵PID:6128
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-