Analysis
-
max time kernel
142s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20231025-en -
resource tags
arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system -
submitted
26-11-2023 08:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9940b76acb532cbf3931cc3ad915d97c.exe
Resource
win7-20231020-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
9940b76acb532cbf3931cc3ad915d97c.exe
Resource
win10v2004-20231025-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
9940b76acb532cbf3931cc3ad915d97c.exe
-
Size
479KB
-
MD5
9940b76acb532cbf3931cc3ad915d97c
-
SHA1
0c0e58b51211dcbf4122c512aa125fdc6d31d73c
-
SHA256
c1d14d1b3ab510c0b91049f8b3ef3e95ad4c447fb560b727a7c6e5e636f511ac
-
SHA512
95d33a258d019c11324fbc5a00a95809a39b3161fc098d157d798550b56da42475e4bc4eb3adf7a68d682ba292095db51d553edcd552cbcfae455119c9911eb1
-
SSDEEP
6144:+e1nqF+DqhstcPOwXYrMdlvkGr0f+uPOwXYrMdl2MPnhd8+ZDI:F1nqF+DqhQwIaJwISfPI
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jghpbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjgeedch.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bklomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eciplm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiieicml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhmmjbkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pifnhpmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgcjdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjkblhfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnoknihb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibfnqmpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mifcejnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olgemcli.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anmfbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmnbfhal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coknoaic.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gingkqkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inmpcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aafemk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iggaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnfcia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qofcff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlieda32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aphnnafb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bphgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olanmgig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gncchb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijogmdqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjgpfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oabhfg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnlbojee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okedcjcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoofle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odhifjkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olanmgig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkbjjbda.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpelhd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epjajeqo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnnkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbqmiinl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbcmakpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pknqoc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onmfimga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdjgha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnodaecc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdedak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmjemflb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giinpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fknbil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nefped32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnmaea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iljpij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jepjhg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lflbkcll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgjgne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaiimadl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjffdalb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnmaea32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlkbjqgm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjmkoeqi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njhgbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oghppm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkjcbe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dihlbf32.exe -
Executes dropped EXE 64 IoCs
pid Process 2564 Mifcejnj.exe 4628 Mbognp32.exe 1100 Npchgdcd.exe 3772 Niklpj32.exe 3748 Npjnhc32.exe 2228 Ncjginjn.exe 4644 Oghppm32.exe 4112 Olgemcli.exe 1408 Oileggkb.exe 1012 Ppjgoaoj.exe 3456 Pgdokkfg.exe 2052 Ppmcdq32.exe 2224 Plcdiabk.exe 1480 Pcpikkge.exe 792 Pqcjepfo.exe 2080 Qfpbmfdf.exe 1136 Qgpogili.exe 2836 Qqhcpo32.exe 5064 Afelhf32.exe 856 Agiamhdo.exe 2676 Aqaffn32.exe 2468 Bfqkddfd.exe 4664 Bcelmhen.exe 4512 Biadeoce.exe 4396 Bfhadc32.exe 4844 Bclang32.exe 3196 Bihjfnmm.exe 3708 Dfoplpla.exe 2828 Epjajeqo.exe 4540 Ehcfaboo.exe 1040 Ealkjh32.exe 4308 Edmclccp.exe 4196 Edopabqn.exe 4796 Fkihnmhj.exe 2092 Fdamgb32.exe 3168 Fkkeclfh.exe 3736 Fphnlcdo.exe 3932 Fknbil32.exe 2596 Fagjfflb.exe 3016 Fkpool32.exe 2528 Fajgkfio.exe 1636 Fggocmhf.exe 4056 Fmqgpgoc.exe 4636 Fdkpma32.exe 1332 Gigheh32.exe 1268 Gpaqbbld.exe 4860 Ggkiol32.exe 3496 Gpcmga32.exe 548 Gkiaej32.exe 3712 Gdafnpqh.exe 8 Ginnfgop.exe 1760 Gphgbafl.exe 4052 Gnlgleef.exe 532 Gpkchqdj.exe 3440 Hnodaecc.exe 2384 Hhdhon32.exe 1928 Hdkidohn.exe 3756 Hkeaqi32.exe 1264 Hpbiip32.exe 1992 Hhiajmod.exe 404 Hnfjbdmk.exe 452 Hhknpmma.exe 2588 Hnhghcki.exe 4320 Idbodn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Qofcff32.exe Qlggjk32.exe File created C:\Windows\SysWOW64\Gnqfcbnj.exe Gmojkj32.exe File created C:\Windows\SysWOW64\Gingkqkd.exe Gfokoelp.exe File created C:\Windows\SysWOW64\Pkhnpc32.dll Nbgcih32.exe File created C:\Windows\SysWOW64\Agadmk32.dll Pifnhpmi.exe File created C:\Windows\SysWOW64\Gemdebha.dll Kfpcoefj.exe File created C:\Windows\SysWOW64\Pialao32.dll Mifcejnj.exe File created C:\Windows\SysWOW64\Gikkfqmf.exe Gbabigfj.exe File created C:\Windows\SysWOW64\Cbbnpg32.exe Ckhecmcf.exe File created C:\Windows\SysWOW64\Fmkqpkla.exe Ffqhcq32.exe File created C:\Windows\SysWOW64\Nchkcb32.dll Dnmaea32.exe File created C:\Windows\SysWOW64\Oldamm32.exe Oblmdhdo.exe File created C:\Windows\SysWOW64\Gfkbde32.exe Gdlfhj32.exe File opened for modification C:\Windows\SysWOW64\Mnpabe32.exe Mjdebfnd.exe File created C:\Windows\SysWOW64\Pmlmkn32.exe Pknqoc32.exe File opened for modification C:\Windows\SysWOW64\Bihjfnmm.exe Bclang32.exe File opened for modification C:\Windows\SysWOW64\Lndham32.exe Lnnbqnjn.exe File opened for modification C:\Windows\SysWOW64\Nbqmiinl.exe Njiegl32.exe File opened for modification C:\Windows\SysWOW64\Bkafmd32.exe Bjpjel32.exe File opened for modification C:\Windows\SysWOW64\Kjeiodek.exe Kgflcifg.exe File created C:\Windows\SysWOW64\Phlepppi.dll Ahfmpnql.exe File created C:\Windows\SysWOW64\Aqaffn32.exe Agiamhdo.exe File opened for modification C:\Windows\SysWOW64\Malgcg32.exe Mnnkgl32.exe File created C:\Windows\SysWOW64\Hiikaj32.dll Nognnj32.exe File opened for modification C:\Windows\SysWOW64\Pllgnl32.exe Oeaoab32.exe File created C:\Windows\SysWOW64\Gpnmbl32.exe Fideeaco.exe File created C:\Windows\SysWOW64\Bafehe32.dll Mjdebfnd.exe File opened for modification C:\Windows\SysWOW64\Efpomccg.exe Enigke32.exe File created C:\Windows\SysWOW64\Ifaciolc.dll Efpomccg.exe File opened for modification C:\Windows\SysWOW64\Ojomcopk.exe Nceefd32.exe File opened for modification C:\Windows\SysWOW64\Jbiejoaj.exe Jdedak32.exe File created C:\Windows\SysWOW64\Jepjhg32.exe Jcanll32.exe File opened for modification C:\Windows\SysWOW64\Aaiimadl.exe Aojlaeei.exe File created C:\Windows\SysWOW64\Kkjaopom.dll Gbabigfj.exe File created C:\Windows\SysWOW64\Gkiaej32.exe Gpcmga32.exe File opened for modification C:\Windows\SysWOW64\Gpkchqdj.exe Gnlgleef.exe File created C:\Windows\SysWOW64\Pchlpfjb.exe Plndcl32.exe File created C:\Windows\SysWOW64\Aojlaeei.exe Ahqddk32.exe File created C:\Windows\SysWOW64\Cmjemflb.exe Cfqmpl32.exe File created C:\Windows\SysWOW64\Agnjelkm.dll Kghjhemo.exe File created C:\Windows\SysWOW64\Eciplm32.exe Emphocjj.exe File opened for modification C:\Windows\SysWOW64\Pccahbmn.exe Pjkmomfn.exe File opened for modification C:\Windows\SysWOW64\Nbefdijg.exe Nknobkje.exe File opened for modification C:\Windows\SysWOW64\Bhoqeibl.exe Bcahmb32.exe File created C:\Windows\SysWOW64\Cfapoa32.dll Bbgeno32.exe File created C:\Windows\SysWOW64\Fphppfgi.dll Kjhcjq32.exe File opened for modification C:\Windows\SysWOW64\Mlmbfqoj.exe Mecjif32.exe File created C:\Windows\SysWOW64\Dhblne32.dll Blhpqhlh.exe File created C:\Windows\SysWOW64\Fmikeaap.exe Fbcfhibj.exe File opened for modification C:\Windows\SysWOW64\Pmlmkn32.exe Pknqoc32.exe File created C:\Windows\SysWOW64\Iohejo32.exe Imgicgca.exe File created C:\Windows\SysWOW64\Jnpfop32.exe Jgenbfoa.exe File created C:\Windows\SysWOW64\Oiknlagg.exe Obafpg32.exe File created C:\Windows\SysWOW64\Ahofoogd.exe Aphnnafb.exe File created C:\Windows\SysWOW64\Oileggkb.exe Olgemcli.exe File opened for modification C:\Windows\SysWOW64\Fimhjl32.exe Fngcmcfe.exe File created C:\Windows\SysWOW64\Qodeajbg.exe Qfmmplad.exe File opened for modification C:\Windows\SysWOW64\Aphnnafb.exe Amjbbfgo.exe File opened for modification C:\Windows\SysWOW64\Adhdjpjf.exe Aajhndkb.exe File created C:\Windows\SysWOW64\Fbcfhibj.exe Fikbocki.exe File opened for modification C:\Windows\SysWOW64\Ppjbmc32.exe Pjmjdm32.exe File created C:\Windows\SysWOW64\Pnclimck.dll Qkmdkgob.exe File created C:\Windows\SysWOW64\Eifhdd32.exe Efhlhh32.exe File created C:\Windows\SysWOW64\Kmephjke.dll Pplobcpp.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12328 2468 WerFault.exe 652 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhffdban.dll" Dlkbjqgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmeoam32.dll" Kcbnnpka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajpqnneo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaedkn32.dll" Lndham32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpenegb.dll" Ppjbmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npchgdcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahoemi32.dll" Feoodn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Achhaode.dll" Fagjfflb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Majjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gemdebha.dll" Kfpcoefj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kollmhpg.dll" Dfoplpla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cimmggfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdjbiheb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjgbadl.dll" Lqbncb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjblje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlbkap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hejkiial.dll" Plndcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feoodn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Offnhpfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nknobkje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhpicj32.dll" Ojomcopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikpjbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Malpia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfiedd32.dll" Klhnfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhoqeibl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdmgfedl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pldcjeia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apodoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgncclck.dll" Cocjiehd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kqbkfkal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edopabqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbbdjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qqhcpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnpabe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plopnh32.dll" Omgcpokp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjkpoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gncchb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnlgleef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqipio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glaecb32.dll" Gdcliikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlnjbedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiipmhmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bklomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Biadeoce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbognp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onmfimga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onocomdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpipfd32.dll" Dimenegi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pplobcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdlqqcnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kniieo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chiigadc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjjdgc32.dll" Ijogmdqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bacjdbch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neccpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qofcff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfqmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hidkle32.dll" Fjohde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgflcifg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klkkgm32.dll" Iggaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abakhdbk.dll" Inlihl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjdhhc32.dll" Pajeam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phedhmhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fggocmhf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4148 wrote to memory of 2564 4148 9940b76acb532cbf3931cc3ad915d97c.exe 83 PID 4148 wrote to memory of 2564 4148 9940b76acb532cbf3931cc3ad915d97c.exe 83 PID 4148 wrote to memory of 2564 4148 9940b76acb532cbf3931cc3ad915d97c.exe 83 PID 2564 wrote to memory of 4628 2564 Mifcejnj.exe 84 PID 2564 wrote to memory of 4628 2564 Mifcejnj.exe 84 PID 2564 wrote to memory of 4628 2564 Mifcejnj.exe 84 PID 4628 wrote to memory of 1100 4628 Mbognp32.exe 85 PID 4628 wrote to memory of 1100 4628 Mbognp32.exe 85 PID 4628 wrote to memory of 1100 4628 Mbognp32.exe 85 PID 1100 wrote to memory of 3772 1100 Npchgdcd.exe 87 PID 1100 wrote to memory of 3772 1100 Npchgdcd.exe 87 PID 1100 wrote to memory of 3772 1100 Npchgdcd.exe 87 PID 3772 wrote to memory of 3748 3772 Niklpj32.exe 88 PID 3772 wrote to memory of 3748 3772 Niklpj32.exe 88 PID 3772 wrote to memory of 3748 3772 Niklpj32.exe 88 PID 3748 wrote to memory of 2228 3748 Npjnhc32.exe 90 PID 3748 wrote to memory of 2228 3748 Npjnhc32.exe 90 PID 3748 wrote to memory of 2228 3748 Npjnhc32.exe 90 PID 2228 wrote to memory of 4644 2228 Ncjginjn.exe 91 PID 2228 wrote to memory of 4644 2228 Ncjginjn.exe 91 PID 2228 wrote to memory of 4644 2228 Ncjginjn.exe 91 PID 4644 wrote to memory of 4112 4644 Oghppm32.exe 92 PID 4644 wrote to memory of 4112 4644 Oghppm32.exe 92 PID 4644 wrote to memory of 4112 4644 Oghppm32.exe 92 PID 4112 wrote to memory of 1408 4112 Olgemcli.exe 93 PID 4112 wrote to memory of 1408 4112 Olgemcli.exe 93 PID 4112 wrote to memory of 1408 4112 Olgemcli.exe 93 PID 1408 wrote to memory of 1012 1408 Oileggkb.exe 95 PID 1408 wrote to memory of 1012 1408 Oileggkb.exe 95 PID 1408 wrote to memory of 1012 1408 Oileggkb.exe 95 PID 1012 wrote to memory of 3456 1012 Ppjgoaoj.exe 96 PID 1012 wrote to memory of 3456 1012 Ppjgoaoj.exe 96 PID 1012 wrote to memory of 3456 1012 Ppjgoaoj.exe 96 PID 3456 wrote to memory of 2052 3456 Pgdokkfg.exe 97 PID 3456 wrote to memory of 2052 3456 Pgdokkfg.exe 97 PID 3456 wrote to memory of 2052 3456 Pgdokkfg.exe 97 PID 2052 wrote to memory of 2224 2052 Ppmcdq32.exe 98 PID 2052 wrote to memory of 2224 2052 Ppmcdq32.exe 98 PID 2052 wrote to memory of 2224 2052 Ppmcdq32.exe 98 PID 2224 wrote to memory of 1480 2224 Plcdiabk.exe 99 PID 2224 wrote to memory of 1480 2224 Plcdiabk.exe 99 PID 2224 wrote to memory of 1480 2224 Plcdiabk.exe 99 PID 1480 wrote to memory of 792 1480 Pcpikkge.exe 100 PID 1480 wrote to memory of 792 1480 Pcpikkge.exe 100 PID 1480 wrote to memory of 792 1480 Pcpikkge.exe 100 PID 792 wrote to memory of 2080 792 Pqcjepfo.exe 101 PID 792 wrote to memory of 2080 792 Pqcjepfo.exe 101 PID 792 wrote to memory of 2080 792 Pqcjepfo.exe 101 PID 2080 wrote to memory of 1136 2080 Qfpbmfdf.exe 102 PID 2080 wrote to memory of 1136 2080 Qfpbmfdf.exe 102 PID 2080 wrote to memory of 1136 2080 Qfpbmfdf.exe 102 PID 1136 wrote to memory of 2836 1136 Qgpogili.exe 103 PID 1136 wrote to memory of 2836 1136 Qgpogili.exe 103 PID 1136 wrote to memory of 2836 1136 Qgpogili.exe 103 PID 2836 wrote to memory of 5064 2836 Qqhcpo32.exe 104 PID 2836 wrote to memory of 5064 2836 Qqhcpo32.exe 104 PID 2836 wrote to memory of 5064 2836 Qqhcpo32.exe 104 PID 5064 wrote to memory of 856 5064 Afelhf32.exe 105 PID 5064 wrote to memory of 856 5064 Afelhf32.exe 105 PID 5064 wrote to memory of 856 5064 Afelhf32.exe 105 PID 856 wrote to memory of 2676 856 Agiamhdo.exe 106 PID 856 wrote to memory of 2676 856 Agiamhdo.exe 106 PID 856 wrote to memory of 2676 856 Agiamhdo.exe 106 PID 2676 wrote to memory of 2468 2676 Aqaffn32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\9940b76acb532cbf3931cc3ad915d97c.exe"C:\Users\Admin\AppData\Local\Temp\9940b76acb532cbf3931cc3ad915d97c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Windows\SysWOW64\Mifcejnj.exeC:\Windows\system32\Mifcejnj.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Niklpj32.exeC:\Windows\system32\Niklpj32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Oghppm32.exeC:\Windows\system32\Oghppm32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Pgdokkfg.exeC:\Windows\system32\Pgdokkfg.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\Windows\SysWOW64\Ppmcdq32.exeC:\Windows\system32\Ppmcdq32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Pcpikkge.exeC:\Windows\system32\Pcpikkge.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\Pqcjepfo.exeC:\Windows\system32\Pqcjepfo.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Windows\SysWOW64\Qfpbmfdf.exeC:\Windows\system32\Qfpbmfdf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Qgpogili.exeC:\Windows\system32\Qgpogili.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Qqhcpo32.exeC:\Windows\system32\Qqhcpo32.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Afelhf32.exeC:\Windows\system32\Afelhf32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Windows\SysWOW64\Agiamhdo.exeC:\Windows\system32\Agiamhdo.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\Aqaffn32.exeC:\Windows\system32\Aqaffn32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Bfqkddfd.exeC:\Windows\system32\Bfqkddfd.exe23⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe24⤵
- Executes dropped EXE
PID:4664 -
C:\Windows\SysWOW64\Biadeoce.exeC:\Windows\system32\Biadeoce.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:4512 -
C:\Windows\SysWOW64\Bfhadc32.exeC:\Windows\system32\Bfhadc32.exe26⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4844 -
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe28⤵
- Executes dropped EXE
PID:3196 -
C:\Windows\SysWOW64\Dfoplpla.exeC:\Windows\system32\Dfoplpla.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:3708 -
C:\Windows\SysWOW64\Epjajeqo.exeC:\Windows\system32\Epjajeqo.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Ehcfaboo.exeC:\Windows\system32\Ehcfaboo.exe31⤵
- Executes dropped EXE
PID:4540 -
C:\Windows\SysWOW64\Ealkjh32.exeC:\Windows\system32\Ealkjh32.exe32⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Edmclccp.exeC:\Windows\system32\Edmclccp.exe33⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Edopabqn.exeC:\Windows\system32\Edopabqn.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:4196 -
C:\Windows\SysWOW64\Fkihnmhj.exeC:\Windows\system32\Fkihnmhj.exe35⤵
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Fdamgb32.exeC:\Windows\system32\Fdamgb32.exe36⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Fkkeclfh.exeC:\Windows\system32\Fkkeclfh.exe37⤵
- Executes dropped EXE
PID:3168 -
C:\Windows\SysWOW64\Fphnlcdo.exeC:\Windows\system32\Fphnlcdo.exe38⤵
- Executes dropped EXE
PID:3736 -
C:\Windows\SysWOW64\Fknbil32.exeC:\Windows\system32\Fknbil32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Fagjfflb.exeC:\Windows\system32\Fagjfflb.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Fkpool32.exeC:\Windows\system32\Fkpool32.exe41⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Fajgkfio.exeC:\Windows\system32\Fajgkfio.exe42⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Fggocmhf.exeC:\Windows\system32\Fggocmhf.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Fmqgpgoc.exeC:\Windows\system32\Fmqgpgoc.exe44⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Fdkpma32.exeC:\Windows\system32\Fdkpma32.exe45⤵
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe46⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Gpaqbbld.exeC:\Windows\system32\Gpaqbbld.exe47⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Ggkiol32.exeC:\Windows\system32\Ggkiol32.exe48⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Gpcmga32.exeC:\Windows\system32\Gpcmga32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3496 -
C:\Windows\SysWOW64\Gkiaej32.exeC:\Windows\system32\Gkiaej32.exe50⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Gdafnpqh.exeC:\Windows\system32\Gdafnpqh.exe51⤵
- Executes dropped EXE
PID:3712 -
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe52⤵
- Executes dropped EXE
PID:8 -
C:\Windows\SysWOW64\Gphgbafl.exeC:\Windows\system32\Gphgbafl.exe53⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Gnlgleef.exeC:\Windows\system32\Gnlgleef.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4052 -
C:\Windows\SysWOW64\Gpkchqdj.exeC:\Windows\system32\Gpkchqdj.exe55⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Hnodaecc.exeC:\Windows\system32\Hnodaecc.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3440 -
C:\Windows\SysWOW64\Hhdhon32.exeC:\Windows\system32\Hhdhon32.exe57⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Hdkidohn.exeC:\Windows\system32\Hdkidohn.exe58⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Hkeaqi32.exeC:\Windows\system32\Hkeaqi32.exe59⤵
- Executes dropped EXE
PID:3756 -
C:\Windows\SysWOW64\Hpbiip32.exeC:\Windows\system32\Hpbiip32.exe60⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Hhiajmod.exeC:\Windows\system32\Hhiajmod.exe61⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Hnfjbdmk.exeC:\Windows\system32\Hnfjbdmk.exe62⤵
- Executes dropped EXE
PID:404 -
C:\Windows\SysWOW64\Hhknpmma.exeC:\Windows\system32\Hhknpmma.exe63⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Hnhghcki.exeC:\Windows\system32\Hnhghcki.exe64⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Idbodn32.exeC:\Windows\system32\Idbodn32.exe65⤵
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Ijogmdqm.exeC:\Windows\system32\Ijogmdqm.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5048 -
C:\Windows\SysWOW64\Iqipio32.exeC:\Windows\system32\Iqipio32.exe67⤵
- Modifies registry class
PID:4964 -
C:\Windows\SysWOW64\Ihphkl32.exeC:\Windows\system32\Ihphkl32.exe68⤵PID:2884
-
C:\Windows\SysWOW64\Inmpcc32.exeC:\Windows\system32\Inmpcc32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4356 -
C:\Windows\SysWOW64\Iqklon32.exeC:\Windows\system32\Iqklon32.exe70⤵PID:5056
-
C:\Windows\SysWOW64\Igedlh32.exeC:\Windows\system32\Igedlh32.exe71⤵PID:2356
-
C:\Windows\SysWOW64\Ijcahd32.exeC:\Windows\system32\Ijcahd32.exe72⤵PID:760
-
C:\Windows\SysWOW64\Iqmidndd.exeC:\Windows\system32\Iqmidndd.exe73⤵PID:4872
-
C:\Windows\SysWOW64\Iggaah32.exeC:\Windows\system32\Iggaah32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Ibmeoq32.exeC:\Windows\system32\Ibmeoq32.exe75⤵PID:4296
-
C:\Windows\SysWOW64\Idkbkl32.exeC:\Windows\system32\Idkbkl32.exe76⤵PID:4392
-
C:\Windows\SysWOW64\Ikejgf32.exeC:\Windows\system32\Ikejgf32.exe77⤵PID:4700
-
C:\Windows\SysWOW64\Ibobdqid.exeC:\Windows\system32\Ibobdqid.exe78⤵PID:684
-
C:\Windows\SysWOW64\Jhijqj32.exeC:\Windows\system32\Jhijqj32.exe79⤵PID:1488
-
C:\Windows\SysWOW64\Jkhgmf32.exeC:\Windows\system32\Jkhgmf32.exe80⤵PID:1448
-
C:\Windows\SysWOW64\Jnfcia32.exeC:\Windows\system32\Jnfcia32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1920 -
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe82⤵PID:1956
-
C:\Windows\SysWOW64\Jkjcbe32.exeC:\Windows\system32\Jkjcbe32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4552 -
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe84⤵PID:2720
-
C:\Windows\SysWOW64\Jnkldqkc.exeC:\Windows\system32\Jnkldqkc.exe85⤵PID:208
-
C:\Windows\SysWOW64\Jdedak32.exeC:\Windows\system32\Jdedak32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5072 -
C:\Windows\SysWOW64\Jbiejoaj.exeC:\Windows\system32\Jbiejoaj.exe87⤵PID:2860
-
C:\Windows\SysWOW64\Jgenbfoa.exeC:\Windows\system32\Jgenbfoa.exe88⤵
- Drops file in System32 directory
PID:3312 -
C:\Windows\SysWOW64\Jnpfop32.exeC:\Windows\system32\Jnpfop32.exe89⤵PID:3968
-
C:\Windows\SysWOW64\Kdinljnk.exeC:\Windows\system32\Kdinljnk.exe90⤵PID:5156
-
C:\Windows\SysWOW64\Kghjhemo.exeC:\Windows\system32\Kghjhemo.exe91⤵
- Drops file in System32 directory
PID:5208 -
C:\Windows\SysWOW64\Kjffdalb.exeC:\Windows\system32\Kjffdalb.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5252 -
C:\Windows\SysWOW64\Kbmoen32.exeC:\Windows\system32\Kbmoen32.exe93⤵PID:5296
-
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5340 -
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe95⤵
- Drops file in System32 directory
PID:5380 -
C:\Windows\SysWOW64\Kqbkfkal.exeC:\Windows\system32\Kqbkfkal.exe96⤵
- Modifies registry class
PID:5424 -
C:\Windows\SysWOW64\Kgmcce32.exeC:\Windows\system32\Kgmcce32.exe97⤵PID:5468
-
C:\Windows\SysWOW64\Kjkpoq32.exeC:\Windows\system32\Kjkpoq32.exe98⤵
- Modifies registry class
PID:5512 -
C:\Windows\SysWOW64\Kbbhqn32.exeC:\Windows\system32\Kbbhqn32.exe99⤵PID:5556
-
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe100⤵PID:5604
-
C:\Windows\SysWOW64\Kgopidgf.exeC:\Windows\system32\Kgopidgf.exe101⤵PID:5648
-
C:\Windows\SysWOW64\Kniieo32.exeC:\Windows\system32\Kniieo32.exe102⤵
- Modifies registry class
PID:5688 -
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe103⤵PID:5728
-
C:\Windows\SysWOW64\Kkmioc32.exeC:\Windows\system32\Kkmioc32.exe104⤵PID:5772
-
C:\Windows\SysWOW64\Lbgalmej.exeC:\Windows\system32\Lbgalmej.exe105⤵PID:5812
-
C:\Windows\SysWOW64\Leenhhdn.exeC:\Windows\system32\Leenhhdn.exe106⤵PID:5856
-
C:\Windows\SysWOW64\Lgcjdd32.exeC:\Windows\system32\Lgcjdd32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5900 -
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe108⤵
- Drops file in System32 directory
PID:5956 -
C:\Windows\SysWOW64\Lndham32.exeC:\Windows\system32\Lndham32.exe109⤵
- Modifies registry class
PID:5992 -
C:\Windows\SysWOW64\Lacdmh32.exeC:\Windows\system32\Lacdmh32.exe110⤵PID:6044
-
C:\Windows\SysWOW64\Lhmmjbkf.exeC:\Windows\system32\Lhmmjbkf.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6088 -
C:\Windows\SysWOW64\Mngegmbc.exeC:\Windows\system32\Mngegmbc.exe112⤵PID:6132
-
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe113⤵PID:5140
-
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe114⤵PID:5196
-
C:\Windows\SysWOW64\Mniallpq.exeC:\Windows\system32\Mniallpq.exe115⤵PID:5284
-
C:\Windows\SysWOW64\Mecjif32.exeC:\Windows\system32\Mecjif32.exe116⤵
- Drops file in System32 directory
PID:5352 -
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe117⤵PID:5432
-
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe118⤵
- Modifies registry class
PID:5500 -
C:\Windows\SysWOW64\Mlpokp32.exeC:\Windows\system32\Mlpokp32.exe119⤵PID:5544
-
C:\Windows\SysWOW64\Mnnkgl32.exeC:\Windows\system32\Mnnkgl32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5640 -
C:\Windows\SysWOW64\Malgcg32.exeC:\Windows\system32\Malgcg32.exe121⤵PID:5676
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-