Analysis
-
max time kernel
138s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
28-11-2023 02:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bafd7d2c08e0f8d302c760373477d9e0.exe
Resource
win7-20231020-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
bafd7d2c08e0f8d302c760373477d9e0.exe
Resource
win10v2004-20231127-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
bafd7d2c08e0f8d302c760373477d9e0.exe
-
Size
109KB
-
MD5
bafd7d2c08e0f8d302c760373477d9e0
-
SHA1
de3b8acfbbbc2e9b8a80a89fc9c9d23715a7a0d2
-
SHA256
4e511998ccd705bc6089b52bbc24af7f5ccaae02516e12789c0efcf02dfd642f
-
SHA512
b9c322e644fb6d18f740bf7eb7eae89a61179f65224cb85a5434d1d6e96dd4270b1a35e6ababa2800c85e4cdf6a0a73a2d04519f43c7cc7c297fe1abc2b038ea
-
SSDEEP
3072:RixjcRBq3q3tCxYzYnKUsfMrkzC8fo3PXl9Z7S/yCsKh2EzZA/z:RixvqQ0YKIsCgo35e/yCthvUz
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eldbbjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aofemaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Laeoec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oiqomj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lanpml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdeqaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Laglkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omkmhlpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jacnegep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npfkqpjk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkgoke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gqhknd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdjfmjhm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffpjihee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmfdpkeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdfnmhnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpgihh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bldgoeog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlgegcng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhjqec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmdkmnkd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ildpbfmf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qipjokik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhocgqjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhfogiff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aimhmkgn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dghadidj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjflblll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmgfmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhkgnkoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfikaqme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Faqflb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plbfohbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmgfmg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbkeacqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Maohdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Homadjin.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmefiakh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnbdlkje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgiiclkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lplpcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikechced.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibijbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npabeq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odgqopeb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odcojm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnpami32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifipmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Paqebike.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mccokj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogefqeaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flodilma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piceflpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eihlahjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmodfqhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgdklb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knkokl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eippgckc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpbajp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpgoolbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkiclepa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhdeinhb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmoclg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dehkbkip.exe -
Executes dropped EXE 64 IoCs
pid Process 5036 Fjocbhbo.exe 2340 Gqkhda32.exe 2328 Gnohnffc.exe 3620 Gkcigjel.exe 3576 Gndbie32.exe 3904 Gbbkocid.exe 3376 Hjmodffo.exe 4608 Heepfn32.exe 3920 Ibgmaqfl.exe 3220 Jejbhk32.exe 212 Jdopjh32.exe 5016 Kopcbo32.exe 2724 Kkgdhp32.exe 4616 Klgqabib.exe 964 Lhmafcnf.exe 772 Llkjmb32.exe 1648 Llngbabj.exe 1048 Lcjldk32.exe 3932 Moalil32.exe 3540 Mlemcq32.exe 4384 Mlgjhp32.exe 3872 Mhnjna32.exe 4916 Mccokj32.exe 4308 Mcfkpjng.exe 5060 Nlnpio32.exe 4364 Nheqnpjk.exe 1920 Ndlacapp.exe 3200 Nfknmd32.exe 4984 Nbbnbemf.exe 1688 Ohncdobq.exe 3912 Odgqopeb.exe 4476 Odjmdocp.exe 1128 Ohhfknjf.exe 1020 Pdngpo32.exe 1604 Pfncia32.exe 4908 Pofhbgmn.exe 4904 Piolkm32.exe 992 Pfbmdabh.exe 2524 Pfeijqqe.exe 3476 Piceflpi.exe 1452 Qejfkmem.exe 1472 Qfjcep32.exe 4208 Amfhgj32.exe 2292 Aimhmkgn.exe 1040 Abjfqpji.exe 3012 Aidomjaf.exe 4604 Bfhofnpp.exe 3816 Bldgoeog.exe 4368 Bboplo32.exe 4064 Bemlhj32.exe 2652 Bcnleb32.exe 2820 Bliajd32.exe 1320 Bfoegm32.exe 3468 Bpgjpb32.exe 4712 Cmmgof32.exe 1972 Cdjlap32.exe 2912 Cmbpjfij.exe 4024 Cmdmpe32.exe 4156 Cfmahknh.exe 3832 Clijablo.exe 2840 Dmifkecb.exe 2980 Dipgpf32.exe 4692 Dbhlikpf.exe 4372 Dlqpaafg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ehedic32.dll Efnennjc.exe File created C:\Windows\SysWOW64\Agcdhclm.dll Ajbegg32.exe File opened for modification C:\Windows\SysWOW64\Cpipkl32.exe Bfpkbfdi.exe File created C:\Windows\SysWOW64\Lokceimi.dll Bggnijof.exe File created C:\Windows\SysWOW64\Neahna32.dll Hmlicp32.exe File created C:\Windows\SysWOW64\Bfpgnpee.dll Plfipakk.exe File created C:\Windows\SysWOW64\Nocphd32.exe Mndcnafd.exe File created C:\Windows\SysWOW64\Bbgiibja.exe Blmamh32.exe File created C:\Windows\SysWOW64\Edcfml32.dll Eldbbjof.exe File created C:\Windows\SysWOW64\Lfloio32.dll Oggllnkl.exe File opened for modification C:\Windows\SysWOW64\Midoph32.exe Mpkkgbmi.exe File opened for modification C:\Windows\SysWOW64\Nbjpjl32.exe Nlphmafm.exe File created C:\Windows\SysWOW64\Dkjmea32.exe Dememj32.exe File created C:\Windows\SysWOW64\Fbelak32.dll Cfmahknh.exe File created C:\Windows\SysWOW64\Anlkidnm.dll Eggbbhkj.exe File created C:\Windows\SysWOW64\Mnlcpp32.dll Djgkbp32.exe File opened for modification C:\Windows\SysWOW64\Dkedjbgg.exe Dehkbkip.exe File created C:\Windows\SysWOW64\Blploo32.dll Dhidcffq.exe File created C:\Windows\SysWOW64\Einenbgg.dll Laeoec32.exe File opened for modification C:\Windows\SysWOW64\Pfmlok32.exe Pkhhbbck.exe File opened for modification C:\Windows\SysWOW64\Kilphk32.exe Kcphpdil.exe File created C:\Windows\SysWOW64\Alhpkldp.exe Akgcdc32.exe File created C:\Windows\SysWOW64\Ifqikhho.dll Pcijoh32.exe File created C:\Windows\SysWOW64\Iebfmfdg.exe Ijmapm32.exe File created C:\Windows\SysWOW64\Knipeblj.dll Jndmlj32.exe File opened for modification C:\Windows\SysWOW64\Hhehkepj.exe Hcipcnac.exe File opened for modification C:\Windows\SysWOW64\Bdfnmhnj.exe Bnlfqngm.exe File created C:\Windows\SysWOW64\Bdjnmobg.dll Cofndo32.exe File created C:\Windows\SysWOW64\Ahiiqafa.exe Ablahjhj.exe File created C:\Windows\SysWOW64\Nddfmc32.dll Qnfkgfdp.exe File created C:\Windows\SysWOW64\Dnmdil32.dll Hjjldpdf.exe File created C:\Windows\SysWOW64\Jndmlj32.exe Jgjeppkp.exe File created C:\Windows\SysWOW64\Glchjedc.exe Gckcap32.exe File opened for modification C:\Windows\SysWOW64\Qlomemlj.exe Qkmqne32.exe File created C:\Windows\SysWOW64\Ohgohiia.dll Gqkhda32.exe File opened for modification C:\Windows\SysWOW64\Hhleefhe.exe Hgkimn32.exe File created C:\Windows\SysWOW64\Ianfdf32.dll Ljhchc32.exe File created C:\Windows\SysWOW64\Dcqmpa32.exe Dmfecgim.exe File created C:\Windows\SysWOW64\Mgfqgkib.exe Mmnlnfcb.exe File created C:\Windows\SysWOW64\Jppphk32.dll Dlkplk32.exe File opened for modification C:\Windows\SysWOW64\Pidamcgd.exe Oplmdnpc.exe File created C:\Windows\SysWOW64\Jileoc32.dll Epjfehbd.exe File opened for modification C:\Windows\SysWOW64\Fdiafc32.exe Flnlaahl.exe File created C:\Windows\SysWOW64\Gfghkgkc.dll Jdfcla32.exe File created C:\Windows\SysWOW64\Dghadidj.exe Dlcmgqdd.exe File created C:\Windows\SysWOW64\Higpgk32.dll Kdjhkp32.exe File created C:\Windows\SysWOW64\Abdfkj32.exe Agobna32.exe File created C:\Windows\SysWOW64\Qajlje32.exe Qdflaa32.exe File created C:\Windows\SysWOW64\Eapmedef.exe Ejfeij32.exe File created C:\Windows\SysWOW64\Mcfqjihp.dll Gmpcmkaa.exe File opened for modification C:\Windows\SysWOW64\Dphipidf.exe Dagiba32.exe File created C:\Windows\SysWOW64\Bhfoen32.dll Ojfmdk32.exe File created C:\Windows\SysWOW64\Jejbhk32.exe Ibgmaqfl.exe File created C:\Windows\SysWOW64\Nejgbn32.exe Noqofdlj.exe File created C:\Windows\SysWOW64\Kenognbk.dll Dfqdid32.exe File opened for modification C:\Windows\SysWOW64\Jjgcgo32.exe Jfikaqme.exe File created C:\Windows\SysWOW64\Ekngqqol.exe Dccbln32.exe File created C:\Windows\SysWOW64\Eagchmne.dll Jgjeppkp.exe File created C:\Windows\SysWOW64\Fmoclg32.exe Fcfocb32.exe File created C:\Windows\SysWOW64\Gdlnkc32.exe Fckacknf.exe File created C:\Windows\SysWOW64\Ibncmchl.exe Iifodmak.exe File created C:\Windows\SysWOW64\Fnlnac32.dll Icgqqmib.exe File opened for modification C:\Windows\SysWOW64\Ndokko32.exe Nlhbja32.exe File created C:\Windows\SysWOW64\Gmoikj32.dll Mlgjhp32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6072 4108 WerFault.exe 990 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdqfa32.dll" Daeddlco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkoikcjk.dll" Eahomk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Accqgi32.dll" Pmdkmnkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Elkbhbeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Admnof32.dll" Dnmgni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blmamh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbdgpfni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qejfkmem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eebgqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdjhkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjaiac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdgfpe32.dll" Gknkkmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbjlgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nfcoekhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gjkgkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lglopjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Efdbhpbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcdbmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjkhme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jioajliq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eagchmne.dll" Jgjeppkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ganjgf32.dll" Ijedehgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fiaogfai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfikaqme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Apnkfelb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hfcinq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bggnijof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gkqhpmkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Boaeioej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghjdclhp.dll" Hhjqec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olmficce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmoclg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jdembk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkiqla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbbpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loancd32.dll" Infqklol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppamjcpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Diafqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbnckjif.dll" Pboblika.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnjednnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lnfgmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndlacapp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afhgoj32.dll" Abdfkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmcldhfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pidamcgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeomnh32.dll" Mndcnafd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ninafj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poohcg32.dll" Fiajfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fifdqhal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gcggjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjfgeh32.dll" Npabeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kadnfkji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghifmbc.dll" Ejegdngb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qebpipij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hndakp32.dll" Cbgbpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efjgpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hphfac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcipcnac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aacjofkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nkpijfgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcakk32.dll" Fbhnec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lnhdbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oagbljcp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pqmjhm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1080 wrote to memory of 5036 1080 bafd7d2c08e0f8d302c760373477d9e0.exe 86 PID 1080 wrote to memory of 5036 1080 bafd7d2c08e0f8d302c760373477d9e0.exe 86 PID 1080 wrote to memory of 5036 1080 bafd7d2c08e0f8d302c760373477d9e0.exe 86 PID 5036 wrote to memory of 2340 5036 Fjocbhbo.exe 88 PID 5036 wrote to memory of 2340 5036 Fjocbhbo.exe 88 PID 5036 wrote to memory of 2340 5036 Fjocbhbo.exe 88 PID 2340 wrote to memory of 2328 2340 Gqkhda32.exe 89 PID 2340 wrote to memory of 2328 2340 Gqkhda32.exe 89 PID 2340 wrote to memory of 2328 2340 Gqkhda32.exe 89 PID 2328 wrote to memory of 3620 2328 Gnohnffc.exe 90 PID 2328 wrote to memory of 3620 2328 Gnohnffc.exe 90 PID 2328 wrote to memory of 3620 2328 Gnohnffc.exe 90 PID 3620 wrote to memory of 3576 3620 Gkcigjel.exe 91 PID 3620 wrote to memory of 3576 3620 Gkcigjel.exe 91 PID 3620 wrote to memory of 3576 3620 Gkcigjel.exe 91 PID 3576 wrote to memory of 3904 3576 Gndbie32.exe 92 PID 3576 wrote to memory of 3904 3576 Gndbie32.exe 92 PID 3576 wrote to memory of 3904 3576 Gndbie32.exe 92 PID 3904 wrote to memory of 3376 3904 Gbbkocid.exe 93 PID 3904 wrote to memory of 3376 3904 Gbbkocid.exe 93 PID 3904 wrote to memory of 3376 3904 Gbbkocid.exe 93 PID 3376 wrote to memory of 4608 3376 Hjmodffo.exe 95 PID 3376 wrote to memory of 4608 3376 Hjmodffo.exe 95 PID 3376 wrote to memory of 4608 3376 Hjmodffo.exe 95 PID 4608 wrote to memory of 3920 4608 Heepfn32.exe 96 PID 4608 wrote to memory of 3920 4608 Heepfn32.exe 96 PID 4608 wrote to memory of 3920 4608 Heepfn32.exe 96 PID 3920 wrote to memory of 3220 3920 Ibgmaqfl.exe 97 PID 3920 wrote to memory of 3220 3920 Ibgmaqfl.exe 97 PID 3920 wrote to memory of 3220 3920 Ibgmaqfl.exe 97 PID 3220 wrote to memory of 212 3220 Jejbhk32.exe 98 PID 3220 wrote to memory of 212 3220 Jejbhk32.exe 98 PID 3220 wrote to memory of 212 3220 Jejbhk32.exe 98 PID 212 wrote to memory of 5016 212 Jdopjh32.exe 99 PID 212 wrote to memory of 5016 212 Jdopjh32.exe 99 PID 212 wrote to memory of 5016 212 Jdopjh32.exe 99 PID 5016 wrote to memory of 2724 5016 Kopcbo32.exe 100 PID 5016 wrote to memory of 2724 5016 Kopcbo32.exe 100 PID 5016 wrote to memory of 2724 5016 Kopcbo32.exe 100 PID 2724 wrote to memory of 4616 2724 Kkgdhp32.exe 101 PID 2724 wrote to memory of 4616 2724 Kkgdhp32.exe 101 PID 2724 wrote to memory of 4616 2724 Kkgdhp32.exe 101 PID 4616 wrote to memory of 964 4616 Klgqabib.exe 102 PID 4616 wrote to memory of 964 4616 Klgqabib.exe 102 PID 4616 wrote to memory of 964 4616 Klgqabib.exe 102 PID 964 wrote to memory of 772 964 Lhmafcnf.exe 103 PID 964 wrote to memory of 772 964 Lhmafcnf.exe 103 PID 964 wrote to memory of 772 964 Lhmafcnf.exe 103 PID 772 wrote to memory of 1648 772 Llkjmb32.exe 104 PID 772 wrote to memory of 1648 772 Llkjmb32.exe 104 PID 772 wrote to memory of 1648 772 Llkjmb32.exe 104 PID 1648 wrote to memory of 1048 1648 Llngbabj.exe 105 PID 1648 wrote to memory of 1048 1648 Llngbabj.exe 105 PID 1648 wrote to memory of 1048 1648 Llngbabj.exe 105 PID 1048 wrote to memory of 3932 1048 Lcjldk32.exe 106 PID 1048 wrote to memory of 3932 1048 Lcjldk32.exe 106 PID 1048 wrote to memory of 3932 1048 Lcjldk32.exe 106 PID 3932 wrote to memory of 3540 3932 Moalil32.exe 107 PID 3932 wrote to memory of 3540 3932 Moalil32.exe 107 PID 3932 wrote to memory of 3540 3932 Moalil32.exe 107 PID 3540 wrote to memory of 4384 3540 Mlemcq32.exe 108 PID 3540 wrote to memory of 4384 3540 Mlemcq32.exe 108 PID 3540 wrote to memory of 4384 3540 Mlemcq32.exe 108 PID 4384 wrote to memory of 3872 4384 Mlgjhp32.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\bafd7d2c08e0f8d302c760373477d9e0.exe"C:\Users\Admin\AppData\Local\Temp\bafd7d2c08e0f8d302c760373477d9e0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\Fjocbhbo.exeC:\Windows\system32\Fjocbhbo.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\Gqkhda32.exeC:\Windows\system32\Gqkhda32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Gnohnffc.exeC:\Windows\system32\Gnohnffc.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Gkcigjel.exeC:\Windows\system32\Gkcigjel.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\SysWOW64\Gndbie32.exeC:\Windows\system32\Gndbie32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
C:\Windows\SysWOW64\Gbbkocid.exeC:\Windows\system32\Gbbkocid.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\Hjmodffo.exeC:\Windows\system32\Hjmodffo.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Windows\SysWOW64\Heepfn32.exeC:\Windows\system32\Heepfn32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\Ibgmaqfl.exeC:\Windows\system32\Ibgmaqfl.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Windows\SysWOW64\Jejbhk32.exeC:\Windows\system32\Jejbhk32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Windows\SysWOW64\Jdopjh32.exeC:\Windows\system32\Jdopjh32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\SysWOW64\Kopcbo32.exeC:\Windows\system32\Kopcbo32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\Kkgdhp32.exeC:\Windows\system32\Kkgdhp32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Klgqabib.exeC:\Windows\system32\Klgqabib.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\SysWOW64\Lhmafcnf.exeC:\Windows\system32\Lhmafcnf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\Llkjmb32.exeC:\Windows\system32\Llkjmb32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\Llngbabj.exeC:\Windows\system32\Llngbabj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Lcjldk32.exeC:\Windows\system32\Lcjldk32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Moalil32.exeC:\Windows\system32\Moalil32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Windows\SysWOW64\Mlemcq32.exeC:\Windows\system32\Mlemcq32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\SysWOW64\Mlgjhp32.exeC:\Windows\system32\Mlgjhp32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\SysWOW64\Mhnjna32.exeC:\Windows\system32\Mhnjna32.exe23⤵
- Executes dropped EXE
PID:3872 -
C:\Windows\SysWOW64\Mccokj32.exeC:\Windows\system32\Mccokj32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4916 -
C:\Windows\SysWOW64\Mcfkpjng.exeC:\Windows\system32\Mcfkpjng.exe25⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Nlnpio32.exeC:\Windows\system32\Nlnpio32.exe26⤵
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\Nheqnpjk.exeC:\Windows\system32\Nheqnpjk.exe27⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Ndlacapp.exeC:\Windows\system32\Ndlacapp.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:1920 -
C:\Windows\SysWOW64\Nfknmd32.exeC:\Windows\system32\Nfknmd32.exe29⤵
- Executes dropped EXE
PID:3200 -
C:\Windows\SysWOW64\Nbbnbemf.exeC:\Windows\system32\Nbbnbemf.exe30⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Ohncdobq.exeC:\Windows\system32\Ohncdobq.exe31⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Odgqopeb.exeC:\Windows\system32\Odgqopeb.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3912 -
C:\Windows\SysWOW64\Odjmdocp.exeC:\Windows\system32\Odjmdocp.exe33⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Ohhfknjf.exeC:\Windows\system32\Ohhfknjf.exe34⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Pdngpo32.exeC:\Windows\system32\Pdngpo32.exe35⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Pfncia32.exeC:\Windows\system32\Pfncia32.exe36⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Pofhbgmn.exeC:\Windows\system32\Pofhbgmn.exe37⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Piolkm32.exeC:\Windows\system32\Piolkm32.exe38⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Pfbmdabh.exeC:\Windows\system32\Pfbmdabh.exe39⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Pfeijqqe.exeC:\Windows\system32\Pfeijqqe.exe40⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Piceflpi.exeC:\Windows\system32\Piceflpi.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3476 -
C:\Windows\SysWOW64\Qejfkmem.exeC:\Windows\system32\Qejfkmem.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1452 -
C:\Windows\SysWOW64\Qfjcep32.exeC:\Windows\system32\Qfjcep32.exe43⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Amfhgj32.exeC:\Windows\system32\Amfhgj32.exe44⤵
- Executes dropped EXE
PID:4208 -
C:\Windows\SysWOW64\Aimhmkgn.exeC:\Windows\system32\Aimhmkgn.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Abjfqpji.exeC:\Windows\system32\Abjfqpji.exe46⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Aidomjaf.exeC:\Windows\system32\Aidomjaf.exe47⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Bfhofnpp.exeC:\Windows\system32\Bfhofnpp.exe48⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Bldgoeog.exeC:\Windows\system32\Bldgoeog.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3816 -
C:\Windows\SysWOW64\Bboplo32.exeC:\Windows\system32\Bboplo32.exe50⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Bemlhj32.exeC:\Windows\system32\Bemlhj32.exe51⤵
- Executes dropped EXE
PID:4064 -
C:\Windows\SysWOW64\Bcnleb32.exeC:\Windows\system32\Bcnleb32.exe52⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Bliajd32.exeC:\Windows\system32\Bliajd32.exe53⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Bfoegm32.exeC:\Windows\system32\Bfoegm32.exe54⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Bpgjpb32.exeC:\Windows\system32\Bpgjpb32.exe55⤵
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Cmmgof32.exeC:\Windows\system32\Cmmgof32.exe56⤵
- Executes dropped EXE
PID:4712 -
C:\Windows\SysWOW64\Cdjlap32.exeC:\Windows\system32\Cdjlap32.exe57⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Cmbpjfij.exeC:\Windows\system32\Cmbpjfij.exe58⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Cmdmpe32.exeC:\Windows\system32\Cmdmpe32.exe59⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Cfmahknh.exeC:\Windows\system32\Cfmahknh.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4156 -
C:\Windows\SysWOW64\Clijablo.exeC:\Windows\system32\Clijablo.exe61⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Dmifkecb.exeC:\Windows\system32\Dmifkecb.exe62⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Dipgpf32.exeC:\Windows\system32\Dipgpf32.exe63⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Dbhlikpf.exeC:\Windows\system32\Dbhlikpf.exe64⤵
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\Dlqpaafg.exeC:\Windows\system32\Dlqpaafg.exe65⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Dgfdojfm.exeC:\Windows\system32\Dgfdojfm.exe66⤵PID:3800
-
C:\Windows\SysWOW64\Dlcmgqdd.exeC:\Windows\system32\Dlcmgqdd.exe67⤵
- Drops file in System32 directory
PID:4728 -
C:\Windows\SysWOW64\Dghadidj.exeC:\Windows\system32\Dghadidj.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4456 -
C:\Windows\SysWOW64\Eleimp32.exeC:\Windows\system32\Eleimp32.exe69⤵PID:2996
-
C:\Windows\SysWOW64\Eennefib.exeC:\Windows\system32\Eennefib.exe70⤵PID:1592
-
C:\Windows\SysWOW64\Edoncm32.exeC:\Windows\system32\Edoncm32.exe71⤵PID:376
-
C:\Windows\SysWOW64\Eilfldoi.exeC:\Windows\system32\Eilfldoi.exe72⤵PID:804
-
C:\Windows\SysWOW64\Edakimoo.exeC:\Windows\system32\Edakimoo.exe73⤵PID:452
-
C:\Windows\SysWOW64\Eebgqe32.exeC:\Windows\system32\Eebgqe32.exe74⤵
- Modifies registry class
PID:1148 -
C:\Windows\SysWOW64\Edcgnmml.exeC:\Windows\system32\Edcgnmml.exe75⤵PID:3784
-
C:\Windows\SysWOW64\Eippgckc.exeC:\Windows\system32\Eippgckc.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2988 -
C:\Windows\SysWOW64\Egdqph32.exeC:\Windows\system32\Egdqph32.exe77⤵PID:4660
-
C:\Windows\SysWOW64\Fpmeimpn.exeC:\Windows\system32\Fpmeimpn.exe78⤵PID:2320
-
C:\Windows\SysWOW64\Fnqebaog.exeC:\Windows\system32\Fnqebaog.exe79⤵PID:4596
-
C:\Windows\SysWOW64\Fdjnolfd.exeC:\Windows\system32\Fdjnolfd.exe80⤵PID:556
-
C:\Windows\SysWOW64\Flfbcndo.exeC:\Windows\system32\Flfbcndo.exe81⤵PID:4108
-
C:\Windows\SysWOW64\Fcpkph32.exeC:\Windows\system32\Fcpkph32.exe82⤵PID:4344
-
C:\Windows\SysWOW64\Flhoinbl.exeC:\Windows\system32\Flhoinbl.exe83⤵PID:688
-
C:\Windows\SysWOW64\Fgncff32.exeC:\Windows\system32\Fgncff32.exe84⤵PID:4528
-
C:\Windows\SysWOW64\Fljlom32.exeC:\Windows\system32\Fljlom32.exe85⤵PID:4332
-
C:\Windows\SysWOW64\Ffcpgcfj.exeC:\Windows\system32\Ffcpgcfj.exe86⤵PID:3156
-
C:\Windows\SysWOW64\Gphddlfp.exeC:\Windows\system32\Gphddlfp.exe87⤵PID:2360
-
C:\Windows\SysWOW64\Gfemmb32.exeC:\Windows\system32\Gfemmb32.exe88⤵PID:3388
-
C:\Windows\SysWOW64\Gloejmld.exeC:\Windows\system32\Gloejmld.exe89⤵PID:8
-
C:\Windows\SysWOW64\Gfgjbb32.exeC:\Windows\system32\Gfgjbb32.exe90⤵PID:5124
-
C:\Windows\SysWOW64\Gqmnpk32.exeC:\Windows\system32\Gqmnpk32.exe91⤵PID:5164
-
C:\Windows\SysWOW64\Gggfme32.exeC:\Windows\system32\Gggfme32.exe92⤵PID:5204
-
C:\Windows\SysWOW64\Gmdoel32.exeC:\Windows\system32\Gmdoel32.exe93⤵PID:5256
-
C:\Windows\SysWOW64\Gcngafol.exeC:\Windows\system32\Gcngafol.exe94⤵PID:5296
-
C:\Windows\SysWOW64\Gmfkjl32.exeC:\Windows\system32\Gmfkjl32.exe95⤵PID:5340
-
C:\Windows\SysWOW64\Gglpgd32.exeC:\Windows\system32\Gglpgd32.exe96⤵PID:5380
-
C:\Windows\SysWOW64\Hjjldpdf.exeC:\Windows\system32\Hjjldpdf.exe97⤵
- Drops file in System32 directory
PID:5420 -
C:\Windows\SysWOW64\Hfamia32.exeC:\Windows\system32\Hfamia32.exe98⤵PID:5460
-
C:\Windows\SysWOW64\Hfcinq32.exeC:\Windows\system32\Hfcinq32.exe99⤵
- Modifies registry class
PID:5500 -
C:\Windows\SysWOW64\Hnmnengg.exeC:\Windows\system32\Hnmnengg.exe100⤵PID:5544
-
C:\Windows\SysWOW64\Hgebnc32.exeC:\Windows\system32\Hgebnc32.exe101⤵PID:5588
-
C:\Windows\SysWOW64\Iggocbke.exeC:\Windows\system32\Iggocbke.exe102⤵PID:5640
-
C:\Windows\SysWOW64\Ijhhenhf.exeC:\Windows\system32\Ijhhenhf.exe103⤵PID:5684
-
C:\Windows\SysWOW64\Infqklol.exeC:\Windows\system32\Infqklol.exe104⤵
- Modifies registry class
PID:5720 -
C:\Windows\SysWOW64\Iepihf32.exeC:\Windows\system32\Iepihf32.exe105⤵PID:5772
-
C:\Windows\SysWOW64\Ijmapm32.exeC:\Windows\system32\Ijmapm32.exe106⤵
- Drops file in System32 directory
PID:5812 -
C:\Windows\SysWOW64\Iebfmfdg.exeC:\Windows\system32\Iebfmfdg.exe107⤵PID:5848
-
C:\Windows\SysWOW64\Ijonfmbn.exeC:\Windows\system32\Ijonfmbn.exe108⤵PID:5892
-
C:\Windows\SysWOW64\Icgbob32.exeC:\Windows\system32\Icgbob32.exe109⤵PID:5948
-
C:\Windows\SysWOW64\Jmpgghoo.exeC:\Windows\system32\Jmpgghoo.exe110⤵PID:5988
-
C:\Windows\SysWOW64\Jfhlpnfp.exeC:\Windows\system32\Jfhlpnfp.exe111⤵PID:6036
-
C:\Windows\SysWOW64\Jghhjq32.exeC:\Windows\system32\Jghhjq32.exe112⤵PID:6080
-
C:\Windows\SysWOW64\Jgjeppkp.exeC:\Windows\system32\Jgjeppkp.exe113⤵
- Drops file in System32 directory
- Modifies registry class
PID:6120 -
C:\Windows\SysWOW64\Jndmlj32.exeC:\Windows\system32\Jndmlj32.exe114⤵
- Drops file in System32 directory
PID:5132 -
C:\Windows\SysWOW64\Kjbdbjbi.exeC:\Windows\system32\Kjbdbjbi.exe115⤵PID:5188
-
C:\Windows\SysWOW64\Kdjhkp32.exeC:\Windows\system32\Kdjhkp32.exe116⤵
- Drops file in System32 directory
- Modifies registry class
PID:5252 -
C:\Windows\SysWOW64\Kanidd32.exeC:\Windows\system32\Kanidd32.exe117⤵PID:5320
-
C:\Windows\SysWOW64\Kmeiie32.exeC:\Windows\system32\Kmeiie32.exe118⤵PID:5376
-
C:\Windows\SysWOW64\Ljijci32.exeC:\Windows\system32\Ljijci32.exe119⤵PID:5452
-
C:\Windows\SysWOW64\Lhmjlm32.exeC:\Windows\system32\Lhmjlm32.exe120⤵PID:5524
-
C:\Windows\SysWOW64\Laeoec32.exeC:\Windows\system32\Laeoec32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5572
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-