Analysis
-
max time kernel
167s -
max time network
184s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
30-12-2023 18:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c7b802d7bf78fb5cb8c70ffc673b70e2.exe
Resource
win7-20231215-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
c7b802d7bf78fb5cb8c70ffc673b70e2.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
c7b802d7bf78fb5cb8c70ffc673b70e2.exe
-
Size
276KB
-
MD5
c7b802d7bf78fb5cb8c70ffc673b70e2
-
SHA1
78a2be638efb57ce0539a824e99dbe1b993a101b
-
SHA256
334bc8cc2c292abbedda93781a30a5a08f10a26f48af0adc0d6a49609689c8c8
-
SHA512
c574116db1a2aaa7b2a5fab920249151bb1f7ffacdf6fc7d11c34621e589a9f2d43a05a0d6ec373b104cc474994ac4aee2c0d175eb1750e39c44422fd2e961a8
-
SSDEEP
3072:n2j/4Cffni4p2/XReVJPeS5pAgYIqGvJ6887lbyMGjXF1kqaholmtbCQVDrM8d7w:2j/nX26PdZMGXF5ahdt3rM8d7TtLa
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enomic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cipebqij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojcpdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bapgdm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fikihlmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omkmhlpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgcang32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngcngfgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Impeib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkoldl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nehekq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nehekq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omdghmfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efjbne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fikihlmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gckcap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Miklkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plejoode.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbggmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fofdkcmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efjbne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkihedld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqbbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alcfpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qiocde32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahdpea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odaiodbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glajeiml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjlbag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgbnfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idfkednq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jelhcd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcqgahoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Komoed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggoaje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eglkmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmkqknci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gceaofmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcnnjoam.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Facjlhil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqgjoenq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glkdejcd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omhpcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idljll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcklac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnjbdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gomkkagl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qpjifl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jekpljgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiibdc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kimgba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnlcdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alcfpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejfeij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbekii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgmnooom.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbglgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghgljg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jamhflqq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apbngn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcaeea32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibjqlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imgbdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdkmgali.exe -
Executes dropped EXE 64 IoCs
pid Process 3952 Jlgoek32.exe 1816 Kamjda32.exe 3664 Likhem32.exe 1244 Llqjbhdc.exe 3176 Mfpell32.exe 4328 Mljmhflh.exe 4864 Nbnlaldg.exe 564 Nqfbpb32.exe 1976 Ojcpdg32.exe 2936 Ockdmmoj.exe 468 Pbekii32.exe 2124 Amnebo32.exe 988 Bapgdm32.exe 3192 Bmladm32.exe 1692 Cancekeo.exe 4852 Dmjmekgn.exe 3748 Epdime32.exe 3356 Fkemfl32.exe 3180 Fbfkceca.exe 3208 Gggmgk32.exe 3464 Halaloif.exe 4364 Hgeihiac.exe 1480 Hghfnioq.exe 2616 Igmoih32.exe 3540 Jnnnfalp.exe 2880 Jhmhpfmi.exe 5052 Mhknhabf.exe 3432 Mllccpfj.exe 3244 Mcfkpjng.exe 3204 Namegfql.exe 4984 Oloipmfd.exe 3064 Pdngpo32.exe 4872 Poidhg32.exe 440 Bclppboi.exe 1628 Blgddd32.exe 1384 Cpifeb32.exe 2536 Cmmgof32.exe 4200 Cfhhml32.exe 3736 Cdlhgpag.exe 1324 Ddcogo32.exe 3284 Enllgbcl.exe 4444 Fpandm32.exe 3504 Ffpcbchm.exe 4600 Ifmldo32.exe 2660 Janpnfee.exe 3864 Jelhcd32.exe 1668 Jcaeea32.exe 3312 Logbigbg.exe 3056 Lechkaga.exe 1100 Mopeofjl.exe 3436 Mhhjhlqm.exe 4260 Pkjegb32.exe 4280 Qdllffpo.exe 2996 Akhaipei.exe 1616 Ailabddb.exe 4912 Aofjoo32.exe 3320 Bkdqdokk.exe 4968 Bgmnooom.exe 2592 Blkgen32.exe 1676 Cgagjo32.exe 3780 Cbglgg32.exe 4452 Cnpibh32.exe 3920 Dimcppgm.exe 2688 Dlnlak32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bhnako32.dll Lgqhki32.exe File opened for modification C:\Windows\SysWOW64\Ccigpbga.exe Cnmoglij.exe File opened for modification C:\Windows\SysWOW64\Bpgnmcdh.exe Ainfpi32.exe File created C:\Windows\SysWOW64\Eoeoqoni.dll Komoed32.exe File opened for modification C:\Windows\SysWOW64\Boanniao.exe Bidefbcg.exe File opened for modification C:\Windows\SysWOW64\Cchikf32.exe Cipebqij.exe File opened for modification C:\Windows\SysWOW64\Mhhjhlqm.exe Mopeofjl.exe File created C:\Windows\SysWOW64\Ockhfbgl.dll Apaofk32.exe File created C:\Windows\SysWOW64\Idfkednq.exe Hoibmmpi.exe File created C:\Windows\SysWOW64\Jbhmnhcm.exe Jpgdlm32.exe File opened for modification C:\Windows\SysWOW64\Jqbbno32.exe Jmopmalc.exe File created C:\Windows\SysWOW64\Dmmbbodp.dll Qhbhapha.exe File created C:\Windows\SysWOW64\Omdghmfo.exe Ofjokc32.exe File created C:\Windows\SysWOW64\Pdngpo32.exe Oloipmfd.exe File created C:\Windows\SysWOW64\Dncmld32.dll Djoohk32.exe File created C:\Windows\SysWOW64\Cnlhme32.exe Ccfcpm32.exe File created C:\Windows\SysWOW64\Djjobedk.exe Dncnnd32.exe File created C:\Windows\SysWOW64\Hnblmnfa.exe Gaibhj32.exe File opened for modification C:\Windows\SysWOW64\Lmdbooik.exe Kclnfi32.exe File opened for modification C:\Windows\SysWOW64\Nldjnk32.exe Nehekq32.exe File opened for modification C:\Windows\SysWOW64\Adadbi32.exe Ajlpepbi.exe File opened for modification C:\Windows\SysWOW64\Aohbbqme.exe Aepmjk32.exe File opened for modification C:\Windows\SysWOW64\Cipebqij.exe Clldhljp.exe File created C:\Windows\SysWOW64\Fpflmkci.dll Jmnakqcc.exe File opened for modification C:\Windows\SysWOW64\Nqklfe32.exe Ngbgmpcq.exe File created C:\Windows\SysWOW64\Fchjfl32.dll Dlnlak32.exe File opened for modification C:\Windows\SysWOW64\Odaiodbp.exe Omgabj32.exe File created C:\Windows\SysWOW64\Akopoi32.exe Aqilaplo.exe File created C:\Windows\SysWOW64\Nfhoiabf.dll Pghaghfn.exe File created C:\Windows\SysWOW64\Eqblfm32.dll Ofjokc32.exe File created C:\Windows\SysWOW64\Fdpnbald.dll Omgabj32.exe File opened for modification C:\Windows\SysWOW64\Aqilaplo.exe Ahkkhnpg.exe File created C:\Windows\SysWOW64\Mebncnbm.dll Qfanbpjg.exe File created C:\Windows\SysWOW64\Kjinplje.dll Jhmfba32.exe File created C:\Windows\SysWOW64\Aldeap32.exe Ablahjhj.exe File created C:\Windows\SysWOW64\Gebkco32.dll Hbldkllm.exe File opened for modification C:\Windows\SysWOW64\Miipencp.exe Mmbopm32.exe File created C:\Windows\SysWOW64\Ajqmddce.dll Oahgnh32.exe File created C:\Windows\SysWOW64\Ppccemjk.exe Pgknlg32.exe File created C:\Windows\SysWOW64\Debbff32.dll Kamjda32.exe File opened for modification C:\Windows\SysWOW64\Mhknhabf.exe Jhmhpfmi.exe File opened for modification C:\Windows\SysWOW64\Ofadlbhj.exe Omhpcm32.exe File created C:\Windows\SysWOW64\Aiclodaj.exe Aonhblad.exe File created C:\Windows\SysWOW64\Ahnljade.dll Kmbfiokn.exe File created C:\Windows\SysWOW64\Pqpiiqce.dll Jlblcdpf.exe File opened for modification C:\Windows\SysWOW64\Hnblmnfa.exe Gaibhj32.exe File created C:\Windows\SysWOW64\Bbgalejf.dll Apbngn32.exe File opened for modification C:\Windows\SysWOW64\Boldcj32.exe Bhblfpng.exe File opened for modification C:\Windows\SysWOW64\Maefnk32.exe Lcbikd32.exe File created C:\Windows\SysWOW64\Logbigbg.exe Jcaeea32.exe File created C:\Windows\SysWOW64\Eikpan32.exe Dehnpp32.exe File opened for modification C:\Windows\SysWOW64\Ooalibaf.exe Obnlpnbm.exe File created C:\Windows\SysWOW64\Pacahhib.exe Pblhalfm.exe File created C:\Windows\SysWOW64\Nhfcjc32.dll Peajngoi.exe File created C:\Windows\SysWOW64\Boijog32.dll Cbfema32.exe File opened for modification C:\Windows\SysWOW64\Ccfcpm32.exe Cjlbag32.exe File opened for modification C:\Windows\SysWOW64\Cnpibh32.exe Cbglgg32.exe File opened for modification C:\Windows\SysWOW64\Bgggockk.exe Bnobfn32.exe File opened for modification C:\Windows\SysWOW64\Oqmhlego.exe Nkqpcnig.exe File opened for modification C:\Windows\SysWOW64\Ojjfpjjj.exe Onaieifh.exe File created C:\Windows\SysWOW64\Mcolikbl.dll Ldlmieaa.exe File opened for modification C:\Windows\SysWOW64\Jhmfba32.exe Imgbdh32.exe File created C:\Windows\SysWOW64\Gdfhil32.exe Gmlplbib.exe File created C:\Windows\SysWOW64\Bchgnoai.exe Bmlofhca.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5404 4460 WerFault.exe 473 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emdplb32.dll" Lcnkli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eglkmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jpgdlm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bapgdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdpakhk.dll" Bkdqdokk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfomiaim.dll" Akopoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dncehk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lggfcd32.dll" Jhmhpfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bihice32.dll" Ojcpdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pbahgbfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladlqj32.dll" Cfhhml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbngnddf.dll" Mopeofjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lfcmhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgeadjai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqboal32.dll" Clldhljp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpifeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcnkli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgidhllf.dll" Cjflblll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbcldbpf.dll" Omhpcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fddogn32.dll" Pdngpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pafcofcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Facjlhil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pgknlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pllppnnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Addahh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npfchkop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ngipjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacgfeed.dll" Ngcngfgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idljll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igmoih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blobgill.dll" Lcqgahoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmmbbodp.dll" Qhbhapha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cklffq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Moacbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjefecei.dll" Qbggmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlifcjm.dll" Bojhnjgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phajblpj.dll" Fghcqq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgphggpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnepbphj.dll" Glajeiml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boahmbic.dll" Idmhqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Amnebo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmladm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lnkgbibj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmlofhca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmklnk32.dll" Hoibmmpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obnlpnbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dqgjoenq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gceaofmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhkecb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akkmocjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djjemlhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmgckid.dll" Falmabki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jolodqcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohakkkfn.dll" Micheb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjpnmb32.dll" Idfkednq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcbikd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hghfnioq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debaqh32.dll" Oloipmfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geamaapg.dll" Fhjoilop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ainfpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Apbngn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mfhgcbfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhblfpng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Copekbjm.dll" Icedkn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1104 wrote to memory of 3952 1104 c7b802d7bf78fb5cb8c70ffc673b70e2.exe 91 PID 1104 wrote to memory of 3952 1104 c7b802d7bf78fb5cb8c70ffc673b70e2.exe 91 PID 1104 wrote to memory of 3952 1104 c7b802d7bf78fb5cb8c70ffc673b70e2.exe 91 PID 3952 wrote to memory of 1816 3952 Jlgoek32.exe 92 PID 3952 wrote to memory of 1816 3952 Jlgoek32.exe 92 PID 3952 wrote to memory of 1816 3952 Jlgoek32.exe 92 PID 1816 wrote to memory of 3664 1816 Kamjda32.exe 93 PID 1816 wrote to memory of 3664 1816 Kamjda32.exe 93 PID 1816 wrote to memory of 3664 1816 Kamjda32.exe 93 PID 3664 wrote to memory of 1244 3664 Likhem32.exe 94 PID 3664 wrote to memory of 1244 3664 Likhem32.exe 94 PID 3664 wrote to memory of 1244 3664 Likhem32.exe 94 PID 1244 wrote to memory of 3176 1244 Llqjbhdc.exe 95 PID 1244 wrote to memory of 3176 1244 Llqjbhdc.exe 95 PID 1244 wrote to memory of 3176 1244 Llqjbhdc.exe 95 PID 3176 wrote to memory of 4328 3176 Mfpell32.exe 96 PID 3176 wrote to memory of 4328 3176 Mfpell32.exe 96 PID 3176 wrote to memory of 4328 3176 Mfpell32.exe 96 PID 4328 wrote to memory of 4864 4328 Mljmhflh.exe 97 PID 4328 wrote to memory of 4864 4328 Mljmhflh.exe 97 PID 4328 wrote to memory of 4864 4328 Mljmhflh.exe 97 PID 4864 wrote to memory of 564 4864 Nbnlaldg.exe 98 PID 4864 wrote to memory of 564 4864 Nbnlaldg.exe 98 PID 4864 wrote to memory of 564 4864 Nbnlaldg.exe 98 PID 564 wrote to memory of 1976 564 Nqfbpb32.exe 99 PID 564 wrote to memory of 1976 564 Nqfbpb32.exe 99 PID 564 wrote to memory of 1976 564 Nqfbpb32.exe 99 PID 1976 wrote to memory of 2936 1976 Ojcpdg32.exe 100 PID 1976 wrote to memory of 2936 1976 Ojcpdg32.exe 100 PID 1976 wrote to memory of 2936 1976 Ojcpdg32.exe 100 PID 2936 wrote to memory of 468 2936 Ockdmmoj.exe 102 PID 2936 wrote to memory of 468 2936 Ockdmmoj.exe 102 PID 2936 wrote to memory of 468 2936 Ockdmmoj.exe 102 PID 468 wrote to memory of 2124 468 Pbekii32.exe 103 PID 468 wrote to memory of 2124 468 Pbekii32.exe 103 PID 468 wrote to memory of 2124 468 Pbekii32.exe 103 PID 2124 wrote to memory of 988 2124 Amnebo32.exe 104 PID 2124 wrote to memory of 988 2124 Amnebo32.exe 104 PID 2124 wrote to memory of 988 2124 Amnebo32.exe 104 PID 988 wrote to memory of 3192 988 Bapgdm32.exe 105 PID 988 wrote to memory of 3192 988 Bapgdm32.exe 105 PID 988 wrote to memory of 3192 988 Bapgdm32.exe 105 PID 3192 wrote to memory of 1692 3192 Bmladm32.exe 106 PID 3192 wrote to memory of 1692 3192 Bmladm32.exe 106 PID 3192 wrote to memory of 1692 3192 Bmladm32.exe 106 PID 1692 wrote to memory of 4852 1692 Cancekeo.exe 107 PID 1692 wrote to memory of 4852 1692 Cancekeo.exe 107 PID 1692 wrote to memory of 4852 1692 Cancekeo.exe 107 PID 4852 wrote to memory of 3748 4852 Dmjmekgn.exe 108 PID 4852 wrote to memory of 3748 4852 Dmjmekgn.exe 108 PID 4852 wrote to memory of 3748 4852 Dmjmekgn.exe 108 PID 3748 wrote to memory of 3356 3748 Epdime32.exe 109 PID 3748 wrote to memory of 3356 3748 Epdime32.exe 109 PID 3748 wrote to memory of 3356 3748 Epdime32.exe 109 PID 3356 wrote to memory of 3180 3356 Fkemfl32.exe 110 PID 3356 wrote to memory of 3180 3356 Fkemfl32.exe 110 PID 3356 wrote to memory of 3180 3356 Fkemfl32.exe 110 PID 3180 wrote to memory of 3208 3180 Fbfkceca.exe 112 PID 3180 wrote to memory of 3208 3180 Fbfkceca.exe 112 PID 3180 wrote to memory of 3208 3180 Fbfkceca.exe 112 PID 3208 wrote to memory of 3464 3208 Gggmgk32.exe 113 PID 3208 wrote to memory of 3464 3208 Gggmgk32.exe 113 PID 3208 wrote to memory of 3464 3208 Gggmgk32.exe 113 PID 3464 wrote to memory of 4364 3464 Halaloif.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\c7b802d7bf78fb5cb8c70ffc673b70e2.exe"C:\Users\Admin\AppData\Local\Temp\c7b802d7bf78fb5cb8c70ffc673b70e2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Jlgoek32.exeC:\Windows\system32\Jlgoek32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Windows\SysWOW64\Kamjda32.exeC:\Windows\system32\Kamjda32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Likhem32.exeC:\Windows\system32\Likhem32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Windows\SysWOW64\Llqjbhdc.exeC:\Windows\system32\Llqjbhdc.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Mfpell32.exeC:\Windows\system32\Mfpell32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
C:\Windows\SysWOW64\Mljmhflh.exeC:\Windows\system32\Mljmhflh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Windows\SysWOW64\Nbnlaldg.exeC:\Windows\system32\Nbnlaldg.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SysWOW64\Nqfbpb32.exeC:\Windows\system32\Nqfbpb32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\SysWOW64\Ojcpdg32.exeC:\Windows\system32\Ojcpdg32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Ockdmmoj.exeC:\Windows\system32\Ockdmmoj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Pbekii32.exeC:\Windows\system32\Pbekii32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Windows\SysWOW64\Amnebo32.exeC:\Windows\system32\Amnebo32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Bapgdm32.exeC:\Windows\system32\Bapgdm32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:988 -
C:\Windows\SysWOW64\Bmladm32.exeC:\Windows\system32\Bmladm32.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3192 -
C:\Windows\SysWOW64\Cancekeo.exeC:\Windows\system32\Cancekeo.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Dmjmekgn.exeC:\Windows\system32\Dmjmekgn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\Epdime32.exeC:\Windows\system32\Epdime32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Windows\SysWOW64\Fkemfl32.exeC:\Windows\system32\Fkemfl32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\Fbfkceca.exeC:\Windows\system32\Fbfkceca.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
C:\Windows\SysWOW64\Gggmgk32.exeC:\Windows\system32\Gggmgk32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\Halaloif.exeC:\Windows\system32\Halaloif.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
C:\Windows\SysWOW64\Hgeihiac.exeC:\Windows\system32\Hgeihiac.exe23⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Hghfnioq.exeC:\Windows\system32\Hghfnioq.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:1480 -
C:\Windows\SysWOW64\Igmoih32.exeC:\Windows\system32\Igmoih32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Jnnnfalp.exeC:\Windows\system32\Jnnnfalp.exe26⤵
- Executes dropped EXE
PID:3540 -
C:\Windows\SysWOW64\Jhmhpfmi.exeC:\Windows\system32\Jhmhpfmi.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Mhknhabf.exeC:\Windows\system32\Mhknhabf.exe28⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Mllccpfj.exeC:\Windows\system32\Mllccpfj.exe29⤵
- Executes dropped EXE
PID:3432 -
C:\Windows\SysWOW64\Mcfkpjng.exeC:\Windows\system32\Mcfkpjng.exe30⤵
- Executes dropped EXE
PID:3244 -
C:\Windows\SysWOW64\Namegfql.exeC:\Windows\system32\Namegfql.exe31⤵
- Executes dropped EXE
PID:3204 -
C:\Windows\SysWOW64\Oloipmfd.exeC:\Windows\system32\Oloipmfd.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4984 -
C:\Windows\SysWOW64\Pdngpo32.exeC:\Windows\system32\Pdngpo32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Poidhg32.exeC:\Windows\system32\Poidhg32.exe34⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Bclppboi.exeC:\Windows\system32\Bclppboi.exe35⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Blgddd32.exeC:\Windows\system32\Blgddd32.exe36⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Cpifeb32.exeC:\Windows\system32\Cpifeb32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1384 -
C:\Windows\SysWOW64\Cmmgof32.exeC:\Windows\system32\Cmmgof32.exe38⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Cfhhml32.exeC:\Windows\system32\Cfhhml32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:4200 -
C:\Windows\SysWOW64\Cdlhgpag.exeC:\Windows\system32\Cdlhgpag.exe40⤵
- Executes dropped EXE
PID:3736 -
C:\Windows\SysWOW64\Ddcogo32.exeC:\Windows\system32\Ddcogo32.exe41⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Enllgbcl.exeC:\Windows\system32\Enllgbcl.exe42⤵
- Executes dropped EXE
PID:3284 -
C:\Windows\SysWOW64\Fpandm32.exeC:\Windows\system32\Fpandm32.exe43⤵
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Ffpcbchm.exeC:\Windows\system32\Ffpcbchm.exe44⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Ifmldo32.exeC:\Windows\system32\Ifmldo32.exe45⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Janpnfee.exeC:\Windows\system32\Janpnfee.exe46⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Jelhcd32.exeC:\Windows\system32\Jelhcd32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Jcaeea32.exeC:\Windows\system32\Jcaeea32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1668 -
C:\Windows\SysWOW64\Logbigbg.exeC:\Windows\system32\Logbigbg.exe49⤵
- Executes dropped EXE
PID:3312 -
C:\Windows\SysWOW64\Lechkaga.exeC:\Windows\system32\Lechkaga.exe50⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Mopeofjl.exeC:\Windows\system32\Mopeofjl.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1100 -
C:\Windows\SysWOW64\Mhhjhlqm.exeC:\Windows\system32\Mhhjhlqm.exe52⤵
- Executes dropped EXE
PID:3436 -
C:\Windows\SysWOW64\Pkjegb32.exeC:\Windows\system32\Pkjegb32.exe53⤵
- Executes dropped EXE
PID:4260 -
C:\Windows\SysWOW64\Qdllffpo.exeC:\Windows\system32\Qdllffpo.exe54⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Akhaipei.exeC:\Windows\system32\Akhaipei.exe55⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Ailabddb.exeC:\Windows\system32\Ailabddb.exe56⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Aofjoo32.exeC:\Windows\system32\Aofjoo32.exe57⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Bkdqdokk.exeC:\Windows\system32\Bkdqdokk.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:3320 -
C:\Windows\SysWOW64\Bgmnooom.exeC:\Windows\system32\Bgmnooom.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Blkgen32.exeC:\Windows\system32\Blkgen32.exe60⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Cgagjo32.exeC:\Windows\system32\Cgagjo32.exe61⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Cbglgg32.exeC:\Windows\system32\Cbglgg32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3780 -
C:\Windows\SysWOW64\Cnpibh32.exeC:\Windows\system32\Cnpibh32.exe63⤵
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\Dimcppgm.exeC:\Windows\system32\Dimcppgm.exe64⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\Dlnlak32.exeC:\Windows\system32\Dlnlak32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\Defajqko.exeC:\Windows\system32\Defajqko.exe66⤵PID:2192
-
C:\Windows\SysWOW64\Dehnpp32.exeC:\Windows\system32\Dehnpp32.exe67⤵
- Drops file in System32 directory
PID:3024 -
C:\Windows\SysWOW64\Eikpan32.exeC:\Windows\system32\Eikpan32.exe68⤵PID:4076
-
C:\Windows\SysWOW64\Ehpmbj32.exeC:\Windows\system32\Ehpmbj32.exe69⤵PID:1292
-
C:\Windows\SysWOW64\Ebeapc32.exeC:\Windows\system32\Ebeapc32.exe70⤵PID:1600
-
C:\Windows\SysWOW64\Ehbihj32.exeC:\Windows\system32\Ehbihj32.exe71⤵PID:4228
-
C:\Windows\SysWOW64\Eoladdeo.exeC:\Windows\system32\Eoladdeo.exe72⤵PID:2984
-
C:\Windows\SysWOW64\Fibfbm32.exeC:\Windows\system32\Fibfbm32.exe73⤵PID:1484
-
C:\Windows\SysWOW64\Fbjjkble.exeC:\Windows\system32\Fbjjkble.exe74⤵PID:4544
-
C:\Windows\SysWOW64\Fghcqq32.exeC:\Windows\system32\Fghcqq32.exe75⤵
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Fcodfa32.exeC:\Windows\system32\Fcodfa32.exe76⤵PID:2428
-
C:\Windows\SysWOW64\Fhllni32.exeC:\Windows\system32\Fhllni32.exe77⤵PID:1364
-
C:\Windows\SysWOW64\Fofdkcmd.exeC:\Windows\system32\Fofdkcmd.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:524 -
C:\Windows\SysWOW64\Fikihlmj.exeC:\Windows\system32\Fikihlmj.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5164 -
C:\Windows\SysWOW64\Gipbck32.exeC:\Windows\system32\Gipbck32.exe80⤵PID:5200
-
C:\Windows\SysWOW64\Gomkkagl.exeC:\Windows\system32\Gomkkagl.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5252 -
C:\Windows\SysWOW64\Gckcap32.exeC:\Windows\system32\Gckcap32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5292 -
C:\Windows\SysWOW64\Ghgljg32.exeC:\Windows\system32\Ghgljg32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5332 -
C:\Windows\SysWOW64\Gledpe32.exeC:\Windows\system32\Gledpe32.exe84⤵PID:5372
-
C:\Windows\SysWOW64\Iqaiga32.exeC:\Windows\system32\Iqaiga32.exe85⤵PID:5432
-
C:\Windows\SysWOW64\Jmopmalc.exeC:\Windows\system32\Jmopmalc.exe86⤵
- Drops file in System32 directory
PID:5484 -
C:\Windows\SysWOW64\Jqbbno32.exeC:\Windows\system32\Jqbbno32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5524 -
C:\Windows\SysWOW64\Kimgba32.exeC:\Windows\system32\Kimgba32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5568 -
C:\Windows\SysWOW64\Kmmmnp32.exeC:\Windows\system32\Kmmmnp32.exe89⤵PID:5608
-
C:\Windows\SysWOW64\Kjamhd32.exeC:\Windows\system32\Kjamhd32.exe90⤵PID:5656
-
C:\Windows\SysWOW64\Kmbfiokn.exeC:\Windows\system32\Kmbfiokn.exe91⤵
- Drops file in System32 directory
PID:5700 -
C:\Windows\SysWOW64\Kclnfi32.exeC:\Windows\system32\Kclnfi32.exe92⤵
- Drops file in System32 directory
PID:5740 -
C:\Windows\SysWOW64\Lmdbooik.exeC:\Windows\system32\Lmdbooik.exe93⤵PID:5776
-
C:\Windows\SysWOW64\Lcnkli32.exeC:\Windows\system32\Lcnkli32.exe94⤵
- Modifies registry class
PID:5816 -
C:\Windows\SysWOW64\Ljhchc32.exeC:\Windows\system32\Ljhchc32.exe95⤵PID:5856
-
C:\Windows\SysWOW64\Lcqgahoe.exeC:\Windows\system32\Lcqgahoe.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5904 -
C:\Windows\SysWOW64\Ljjpnb32.exeC:\Windows\system32\Ljjpnb32.exe97⤵PID:5952
-
C:\Windows\SysWOW64\Lfcmhc32.exeC:\Windows\system32\Lfcmhc32.exe98⤵
- Modifies registry class
PID:6000 -
C:\Windows\SysWOW64\Lplaaiqd.exeC:\Windows\system32\Lplaaiqd.exe99⤵PID:6040
-
C:\Windows\SysWOW64\Midfjnge.exeC:\Windows\system32\Midfjnge.exe100⤵PID:6080
-
C:\Windows\SysWOW64\Mfhgcbfo.exeC:\Windows\system32\Mfhgcbfo.exe101⤵
- Modifies registry class
PID:6124 -
C:\Windows\SysWOW64\Mmbopm32.exeC:\Windows\system32\Mmbopm32.exe102⤵
- Drops file in System32 directory
PID:5132 -
C:\Windows\SysWOW64\Miipencp.exeC:\Windows\system32\Miipencp.exe103⤵PID:5196
-
C:\Windows\SysWOW64\Mdodbf32.exeC:\Windows\system32\Mdodbf32.exe104⤵PID:5284
-
C:\Windows\SysWOW64\Miklkm32.exeC:\Windows\system32\Miklkm32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:628 -
C:\Windows\SysWOW64\Mpedgghj.exeC:\Windows\system32\Mpedgghj.exe106⤵PID:5416
-
C:\Windows\SysWOW64\Mfomda32.exeC:\Windows\system32\Mfomda32.exe107⤵PID:2276
-
C:\Windows\SysWOW64\Nkboeobh.exeC:\Windows\system32\Nkboeobh.exe108⤵PID:1112
-
C:\Windows\SysWOW64\Npognfpo.exeC:\Windows\system32\Npognfpo.exe109⤵PID:5512
-
C:\Windows\SysWOW64\Ngipjp32.exeC:\Windows\system32\Ngipjp32.exe110⤵
- Modifies registry class
PID:5580 -
C:\Windows\SysWOW64\Omgabj32.exeC:\Windows\system32\Omgabj32.exe111⤵
- Drops file in System32 directory
PID:5668 -
C:\Windows\SysWOW64\Odaiodbp.exeC:\Windows\system32\Odaiodbp.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5728 -
C:\Windows\SysWOW64\Oknnanhj.exeC:\Windows\system32\Oknnanhj.exe113⤵PID:4924
-
C:\Windows\SysWOW64\Oahgnh32.exeC:\Windows\system32\Oahgnh32.exe114⤵
- Drops file in System32 directory
PID:5832 -
C:\Windows\SysWOW64\Paaidf32.exeC:\Windows\system32\Paaidf32.exe115⤵PID:5940
-
C:\Windows\SysWOW64\Pafcofcg.exeC:\Windows\system32\Pafcofcg.exe116⤵
- Modifies registry class
PID:5964 -
C:\Windows\SysWOW64\Pnlcdg32.exeC:\Windows\system32\Pnlcdg32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6036 -
C:\Windows\SysWOW64\Qhbhapha.exeC:\Windows\system32\Qhbhapha.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:6116 -
C:\Windows\SysWOW64\Anffje32.exeC:\Windows\system32\Anffje32.exe119⤵PID:4656
-
C:\Windows\SysWOW64\Ahkkhnpg.exeC:\Windows\system32\Ahkkhnpg.exe120⤵
- Drops file in System32 directory
PID:5184 -
C:\Windows\SysWOW64\Aqilaplo.exeC:\Windows\system32\Aqilaplo.exe121⤵
- Drops file in System32 directory
PID:5300
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-