Analysis

max time kernel: 181s
max time network: 193s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-01-2024 20:18

Static task
static1: 1 signature

Behavioral task
behavioral1
Sample: a80eec4be3d1d82570f8afbd1b923378.exe
Resource: win7-20231215-en (windows7-x64)
Signatures: 0, runtime: 150 seconds

Behavioral task
behavioral2
Sample: a80eec4be3d1d82570f8afbd1b923378.exe
Resource: win10v2004-20231215-en (windows10-2004-x64)
Signatures: 6, runtime: 150 seconds

General

Target: a80eec4be3d1d82570f8afbd1b923378.exe
Size: 2.8MB
MD5: a80eec4be3d1d82570f8afbd1b923378
SHA1: d72e9397f6fc3fb918ce72e05e9561fb7abdf0ff
SHA256: fa347159e382522abbf94b2c0ae93559ba0b0bd23031ef742e9df9d994c3dc19
SHA512: b6e192b0fcedc948b745885b9716b0833b9b236a73074e91d7b92d1033d19a88a2147a6b4ec4badcfb2e70cfa585e9b9c826031433a189124c0e63cd5a256870
SSDEEP: 24576:Caq5h3q5hOq5h3q5hMdY9q5h3q5hVarq5hMdY9q5h3q5hOq5h3q5hMdY9q5h3q5h:
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

All 64 entries target the same ShellServiceObjectDelayLoad (SSODL) key and the same CLSID; they are grouped here by action, with the writing process listed for each.

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Process (32 entries): Knbaoh32.exe, Lfgiii32.exe, Dlnceg32.exe, Jngjmm32.exe, Ljaooodf.exe, Bikdgn32.exe, Qojjmfkj.exe, Likcme32.exe, Mmhggbgd.exe, Jcjonh32.exe, Eekail32.exe, Kbgapfao.exe, Mjehip32.exe, Glmhnb32.exe, Lgpocm32.exe, Hdppjnji.exe, Bkadhd32.exe, Fldeie32.exe, Hoaocf32.exe, Modgnn32.exe, Hfbbmp32.exe, Iphihnjk.exe, Gdoiaf32.exe, Aichng32.exe, Illfmi32.exe, Pfjgbapo.exe, Maealn32.exe, Fgiqocoq.exe, Hingefqa.exe, Jpdhdl32.exe, Enkmpe32.exe, Hmbflc32.exe

description: Key created
ioc: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Process (32 entries): Ginega32.exe, Komhfa32.exe, Cneknh32.exe, Hiljpi32.exe, Dagfeo32.exe, Kcehop32.exe, Ibcadcgf.exe, Dgpllm32.exe, Aocmbdco.exe, Lhiodm32.exe, Cbfmpj32.exe, Jldbiabp.exe, Efhcld32.exe, Mmmodmcb.exe, Hillnoif.exe, Ilnpeclh.exe, Foclpf32.exe, Jfmeebgg.exe, Fcmgjhop.exe, Ddkbfp32.exe, Glmhnb32.exe, Aiplff32.exe, Anijdahg.exe, Lbnnphhk.exe, Jcphkhad.exe, Egihhe32.exe, Hppedpkf.exe, Ijqmacpl.exe, Kcfnji32.exe, Lblkke32.exe, Jnklnfpq.exe, Ifjoma32.exe
Executes dropped EXE (64 IoCs)

pid   Process
1408  Pfjgbapo.exe
1992  Eqkmpo32.exe
532   Ijpcbn32.exe
112   Lhiodm32.exe
4832  Oilmhhfd.exe
1288  Aldeap32.exe
3408  Bpidhmoi.exe
2172  Hppedpkf.exe
5100  Mallojmd.exe
3428  Nqdeefpi.exe
2060  Onhoehpp.exe
2632  Pjhbah32.exe
4364  Ceoillaj.exe
1000  Deanhj32.exe
1800  Gkhbnm32.exe
1292  Hillnoif.exe
548   Ifjoma32.exe
5016  Jpkfmfok.exe
1420  Kpeibdfp.exe
2168  Lbjlpo32.exe
4516  Olcbfp32.exe
3288  Pgefogop.exe
2004  Aqijdk32.exe
1772  Aclpkffa.exe
776   Bmngjj32.exe
1816  Cnffjl32.exe
1512  Dhkjooqb.exe
1636  Eoilfidj.exe
4468  Fnmeic32.exe
3400  Gfomfo32.exe
2232  Jngjmm32.exe
2200  Jkkjfa32.exe
2500  Kpbfbo32.exe
4020  Lbnnphhk.exe
436   Moglkikl.exe
640   Mefmbbod.exe
2444  Mlbbel32.exe
4120  Nockfgao.exe
3156  Noehlgol.exe
5020  Nhnlelfm.exe
3744  Nebmnqdf.exe
2692  Afboll32.exe
1536  Aokceaoa.exe
784   Aichng32.exe
2460  Ackiqpce.exe
4780  Acnefoac.exe
3352  Bogcqpdd.exe
2828  Bgpggm32.exe
684   Ejabgcdp.exe
4376  Efhcld32.exe
3928  Fmehnn32.exe
1992  Filicodb.exe
4732  Fineho32.exe
1980  Gdoiaf32.exe
1708  Gacjkjgb.exe
4472  Hdfobe32.exe
2248  Halmaiog.exe
4880  Hpaibe32.exe
232   Ignndo32.exe
3620  Ihdaoajd.exe
2184  Jbmehf32.exe
228   Jbobnf32.exe
4412  Jdpkoalc.exe
560   Jdbheajp.exe

PIDs 1992 and 2460 each appear twice in this list (and 2460 is also the initial sample's PID): the run lasts long enough for Windows to reuse process IDs, so PID alone does not identify a process here.
Loads dropped DLL (1 IoC)

pid   Process
1648  Kqnbea32.exe
Drops file in System32 directory (64 IoCs)

description                   ioc                                 Process
File created                  C:\Windows\SysWOW64\Lhpklo32.dll    Dgdnmfai.exe
File created                  C:\Windows\SysWOW64\Jclaea32.dll    Gnmlbl32.exe
File created                  C:\Windows\SysWOW64\Fojehjmo.exe    Ebcdcigk.exe
File opened for modification  C:\Windows\SysWOW64\Fjjnblhi.exe    Fjhaml32.exe
File created                  C:\Windows\SysWOW64\Qgecbebc.dll    Iemdep32.exe
File created                  C:\Windows\SysWOW64\Jmamlgon.exe    Jonlbcpd.exe
File created                  C:\Windows\SysWOW64\Ninijb32.exe    Nabdep32.exe
File created                  C:\Windows\SysWOW64\Kqnbea32.exe    Kqkeoama.exe
File created                  C:\Windows\SysWOW64\Cnnlfneo.exe    Cpipea32.exe
File opened for modification  C:\Windows\SysWOW64\Bpqjcp32.exe    Bpnnnp32.exe
File created                  C:\Windows\SysWOW64\Hcgjajmo.exe    Hcdmlk32.exe
File opened for modification  C:\Windows\SysWOW64\Bbpepn32.exe    Bihaghob.exe
File created                  C:\Windows\SysWOW64\Hppedpkf.exe    Bpidhmoi.exe
File created                  C:\Windows\SysWOW64\Hnphio32.exe    Hehdpjki.exe
File opened for modification  C:\Windows\SysWOW64\Cbllfboa.exe    Cidgnm32.exe
File created                  C:\Windows\SysWOW64\Ooedlgdi.dll    Iggomhab.exe
File created                  C:\Windows\SysWOW64\Lhlmop32.dll    Cpipea32.exe
File created                  C:\Windows\SysWOW64\Kpbfbo32.exe    Jkkjfa32.exe
File created                  C:\Windows\SysWOW64\Mepfbflb.exe    Mkhajq32.exe
File opened for modification  C:\Windows\SysWOW64\Jlphnbfe.exe    Iolhdn32.exe
File opened for modification  C:\Windows\SysWOW64\Ieijkcej.exe    Hegmec32.exe
File opened for modification  C:\Windows\SysWOW64\Defhnldg.exe    Dlnceg32.exe
File opened for modification  C:\Windows\SysWOW64\Jonlbcpd.exe    Jfehjm32.exe
File created                  C:\Windows\SysWOW64\Edllfqcq.dll    Hoqmeqei.exe
File opened for modification  C:\Windows\SysWOW64\Ljfodd32.exe    Lankloml.exe
File created                  C:\Windows\SysWOW64\Jlphnbfe.exe    Iolhdn32.exe
File created                  C:\Windows\SysWOW64\Afkijo32.exe    Aighqk32.exe
File opened for modification  C:\Windows\SysWOW64\Kbgapfao.exe    Kiomgq32.exe
File created                  C:\Windows\SysWOW64\Hbdinhip.dll    Mcicff32.exe
File created                  C:\Windows\SysWOW64\Kalepg32.dll    Pamikh32.exe
File opened for modification  C:\Windows\SysWOW64\Fplebcfk.exe    Fchdio32.exe
File opened for modification  C:\Windows\SysWOW64\Hmbflc32.exe    Hdehho32.exe
File created                  C:\Windows\SysWOW64\Hchhaj32.dll    Fggdic32.exe
File opened for modification  C:\Windows\SysWOW64\Kagbmkch.exe    Khondelh.exe
File created                  C:\Windows\SysWOW64\Fplnhmbo.exe    Fbhnoh32.exe
File created                  C:\Windows\SysWOW64\Ghiagc32.dll    Jmamlgon.exe
File opened for modification  C:\Windows\SysWOW64\Dhaipl32.exe    Dniegfhf.exe
File created                  C:\Windows\SysWOW64\Ggcphj32.dll    Aldeap32.exe
File opened for modification  C:\Windows\SysWOW64\Olphlcdb.exe    Nbcjhobg.exe
File created                  C:\Windows\SysWOW64\Iecdmeig.dll    Oboinqoa.exe
File created                  C:\Windows\SysWOW64\Ifnbin32.exe    Igiehbkd.exe
File created                  C:\Windows\SysWOW64\Kdmile32.dll    Olphlcdb.exe
File created                  C:\Windows\SysWOW64\Gndima32.exe    Gelddk32.exe
File opened for modification  C:\Windows\SysWOW64\Mceccbpj.exe    Mepfbflb.exe
File created                  C:\Windows\SysWOW64\Qpnegbpo.exe    Piapehkd.exe
File created                  C:\Windows\SysWOW64\Iggomhab.exe    Hcgjajmo.exe
File created                  C:\Windows\SysWOW64\Lfbonm32.dll    Cnnlfneo.exe
File opened for modification  C:\Windows\SysWOW64\Ackiqpce.exe    Aichng32.exe
File created                  C:\Windows\SysWOW64\Qicnip32.dll    Ljfodd32.exe
File created                  C:\Windows\SysWOW64\Bdqoql32.dll    Glpmkm32.exe
File created                  C:\Windows\SysWOW64\Bijdddfp.dll    Qpnegbpo.exe
File created                  C:\Windows\SysWOW64\Nbdcnp32.dll    Infhohhe.exe
File created                  C:\Windows\SysWOW64\Eidqdkkn.exe    Dpllle32.exe
File opened for modification  C:\Windows\SysWOW64\Icmbmmoo.exe    Ikcmfpqp.exe
File created                  C:\Windows\SysWOW64\Pqhejl32.dll    Kgjggkqi.exe
File created                  C:\Windows\SysWOW64\Ofkkpagl.dll    Kgefae32.exe
File opened for modification  C:\Windows\SysWOW64\Bbgbjo32.exe    Anijdahg.exe
File created                  C:\Windows\SysWOW64\Diamde32.exe    Dlnlkq32.exe
File opened for modification  C:\Windows\SysWOW64\Kmmlhe32.exe    Kcehop32.exe
File created                  C:\Windows\SysWOW64\Qfilifah.dll    Ljglgbjf.exe
File created                  C:\Windows\SysWOW64\Noehlgol.exe    Nockfgao.exe
File opened for modification  C:\Windows\SysWOW64\Jjdoeh32.exe    Jajmfc32.exe
File opened for modification  C:\Windows\SysWOW64\Nmajmaoi.exe    Npnjcm32.exe
File opened for modification  C:\Windows\SysWOW64\Gndima32.exe    Gelddk32.exe
Modifies registry class (64 IoCs)

All 64 entries are under the same COM class registration, \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32, the CLSID that the SSODL value above points at; they are grouped here by action, with the writing process listed for each.

description: Key created
ioc: ...\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Process (22 entries): Mcicff32.exe, Hkllgnco.exe, Ekngob32.exe, Aghlfh32.exe, Gfomfo32.exe, Fldeie32.exe, Dgdnmfai.exe, Pfpinq32.exe, Ebcdcigk.exe, Fjnbmeaj.exe, Pgefogop.exe, Licfgmpa.exe, Deanhj32.exe, Gicgjk32.exe, Glmhnb32.exe, Hdfobe32.exe, Lclpmdhd.exe, Fniiabfd.exe, Hehdpjki.exe, Fdfkhh32.exe, Linmlm32.exe, Limpcebj.exe

description: Set value (str)
ioc: ...\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
Process (17 entries): Fqpomo32.exe, Icbimiba.exe, Nbqmbo32.exe, Gpqjaanf.exe, Lelcbmcc.exe, Kmdlolmg.exe, Lmkiic32.exe, Ehikmohb.exe, Ljmmnf32.exe, Enkmpe32.exe, Ildibc32.exe, Fjhaml32.exe, Eelpjo32.exe, Aabkldcl.exe, Fenhcnaf.exe, Mlbbel32.exe, Egknco32.exe

description: Set value (str)
ioc: ...\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ (default value) = DLL path below (25 entries; each process re-points the server at a different dropped DLL, so only the last write survives in the registry)
"C:\\Windows\\SysWow64\\Ejdhokji.dll"  Iphihnjk.exe
"C:\\Windows\\SysWow64\\Jmeapa32.dll"  Amdbffme.exe
"C:\\Windows\\SysWow64\\Jahklied.dll"  Hkjoao32.exe
"C:\\Windows\\SysWow64\\Ofqbhn32.dll"  Lbgaecjg.exe
"C:\\Windows\\SysWow64\\Igchnabi.dll"  Dlnceg32.exe
"C:\\Windows\\SysWow64\\Piifga32.dll"  Lblkke32.exe
"C:\\Windows\\SysWow64\\Fnfidhmg.dll"  Bnmcop32.exe
"C:\\Windows\\SysWow64\\Opclqp32.dll"  Hocjkpcf.exe
"C:\\Windows\\SysWow64\\Omjppeng.dll"  Dmifdjio.exe
"C:\\Windows\\SysWow64\\Cglpdkpa.dll"  Jfjaemfo.exe
"C:\\Windows\\SysWow64\\Bhapac32.dll"  Jfphdg32.exe
"C:\\Windows\\SysWow64\\Lgfkbglj.dll"  Ifjoma32.exe
"C:\\Windows\\SysWow64\\Iocmoebd.dll"  Dlnlkq32.exe
"C:\\Windows\\SysWow64\\Ihbmknqn.dll"  Nbhcna32.exe
"C:\\Windows\\SysWow64\\Fpnaie32.dll"  Nqdeefpi.exe
"C:\\Windows\\SysWow64\\Inmkqqcf.dll"  Cbllfboa.exe
"C:\\Windows\\SysWow64\\Ocpiaocd.dll"  Enkmpe32.exe
"C:\\Windows\\SysWow64\\Pekkgo32.dll"  Ppiklc32.exe
"C:\\Windows\\SysWow64\\Lhdphl32.dll"  Aqijdk32.exe
"C:\\Windows\\SysWow64\\Pgpjde32.dll"  Hmbflc32.exe
"C:\\Windows\\SysWow64\\Idabhnpm.dll"  Pnchbdjo.exe
"C:\\Windows\\SysWow64\\Iqqpmc32.dll"  Hhmmffbg.exe
"C:\\Windows\\SysWow64\\Kmekic32.dll"  Bpnnnp32.exe
"C:\\Windows\\SysWow64\\Caciik32.dll"  Icdhojka.exe
"C:\\Windows\\SysWow64\\Ijdlfdfj.dll"  Fplnhmbo.exe
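The two registry signatures above only become a persistence finding when read together: the SSODL value names a CLSID, and the InProcServer32 registration for that CLSID names the DLL that Explorer will load. The following is an added detection example, written for this page and not part of the sandbox's own logic: it correlates the two over records shaped like Sysmon Event ID 13 (value set) events. The sample records are constructed from the keys, CLSID, DLL paths and process names in this report, plus one benign Run-key write and one CreateKey record for contrast; the hive prefixes accepted by `normalize_key` and the `(Default)` value-name spelling are assumptions about how the event source renders registry paths. Because the sample re-points the server from many processes, the detector keeps every DLL ever registered for the CLSID rather than only the last one.

```python
import re
from collections import defaultdict

# Constructed records in the shape of Sysmon Event ID 13 fields (EventType, Image,
# TargetObject, Details). Keys, CLSID, DLLs and process names are from the report;
# the Run-key write and the CreateKey record are benign noise added for contrast.
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "Image": r"C:\Windows\SysWOW64\Knbaoh32.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger",
     "Details": "{79FEACFF-FFCE-815E-A900-316290B5B738}"},
    {"EventType": "SetValue", "Image": r"C:\Windows\SysWOW64\Lfgiii32.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger",
     "Details": "{79FEACFF-FFCE-815E-A900-316290B5B738}"},
    {"EventType": "SetValue", "Image": r"C:\Windows\SysWOW64\Iphihnjk.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\(Default)",
     "Details": r"C:\Windows\SysWow64\Ejdhokji.dll"},
    {"EventType": "SetValue", "Image": r"C:\Windows\SysWOW64\Amdbffme.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\(Default)",
     "Details": r"C:\Windows\SysWow64\Jmeapa32.dll"},
    {"EventType": "SetValue", "Image": r"C:\Windows\SysWOW64\Fqpomo32.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel",
     "Details": "Apartment"},
    {"EventType": "SetValue", "Image": r"C:\Program Files\Example\setup.exe",  # constructed, benign
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example",
     "Details": r"C:\Program Files\Example\example.exe"},
    {"EventType": "CreateKey", "Image": r"C:\Windows\SysWOW64\Ginega32.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
     "Details": ""},
]

# Hive spellings seen in sandbox reports and in Sysmon output (assumed set; extend as needed).
_HIVE_PREFIXES = ("\\registry\\machine\\", "hklm\\", "hkey_local_machine\\")

GUID = r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"
SSODL_RE = re.compile(r"^software\\microsoft\\windows\\currentversion\\shellserviceobjectdelayload\\([^\\]+)$")
INPROC_RE = re.compile(r"^software\\classes\\clsid\\(" + GUID + r")\\inprocserver32\\([^\\]*)$")


def normalize_key(path):
    # Lower-case, drop the hive prefix and the WOW6432Node redirection so that the
    # 32-bit view and the native view of the same key compare equal.
    p = path.strip().lower()
    for prefix in _HIVE_PREFIXES:
        if p.startswith(prefix):
            p = p[len(prefix):]
            break
    return p.replace("wow6432node\\", "")


def find_ssodl_persistence(events):
    # Returns one finding per SSODL value name: its CLSID, every DLL registered as the
    # in-process server for that CLSID, the threading model, and every writing process.
    ssodl = {}                          # value name -> clsid
    ssodl_writers = defaultdict(set)    # value name -> processes that wrote it
    servers = defaultdict(set)          # clsid -> DLL paths registered as InProcServer32
    threading = {}                      # clsid -> ThreadingModel
    clsid_writers = defaultdict(set)    # clsid -> processes that wrote the registration
    for ev in events:
        if ev.get("EventType") != "SetValue":
            continue                    # the CreateKey event carries no payload; the SetValue does
        key = normalize_key(ev["TargetObject"])
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        m = SSODL_RE.match(key)
        if m:
            guid = ev["Details"].strip().lower()
            if re.fullmatch(GUID, guid):
                ssodl[m.group(1)] = guid
                ssodl_writers[m.group(1)].add(image)
            continue
        m = INPROC_RE.match(key)
        if m:
            clsid, value_name = m.group(1), m.group(2)
            clsid_writers[clsid].add(image)
            if value_name in ("", "(default)"):
                servers[clsid].add(ev["Details"].strip())
            elif value_name == "threadingmodel":
                threading[clsid] = ev["Details"].strip()
    findings = []
    for name, clsid in ssodl.items():
        # An SSODL entry whose CLSID saw no InProcServer32 write in this window is still
        # reported (dlls == []); resolve it against the live registry of the host.
        findings.append({
            "value_name": name,
            "clsid": clsid.upper(),
            "dlls": sorted(servers.get(clsid, ())),
            "threading_model": threading.get(clsid),
            "writers": sorted(ssodl_writers[name] | clsid_writers.get(clsid, set())),
        })
    return findings


if __name__ == "__main__":
    for finding in find_ssodl_persistence(SAMPLE_EVENTS):
        print(f"SSODL '{finding['value_name']}' -> {finding['clsid']} -> {finding['dlls']} "
              f"(written by {', '.join(finding['writers'])})")
```

On a real host the same correlation is done against the live registry: enumerate the SSODL value names, resolve each CLSID's InProcServer32 default value, and treat any DLL outside a known baseline, or any SSODL value written by a process that is not an installer, as a finding.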
Suspicious use of WriteProcessMemory (64 IoCs)

pid   Process                               wrote to memory of   procid_target
2460  a80eec4be3d1d82570f8afbd1b923378.exe  1408                 93
1408  Pfjgbapo.exe                          1992                 94
1992  Eqkmpo32.exe                          532                  95
532   Ijpcbn32.exe                          112                  96
112   Lhiodm32.exe                          4832                 97
4832  Oilmhhfd.exe                          1288                 98
1288  Aldeap32.exe                          3408                 99
3408  Bpidhmoi.exe                          2172                 101
2172  Hppedpkf.exe                          5100                 102
5100  Mallojmd.exe                          3428                 103
3428  Nqdeefpi.exe                          2060                 104
2060  Onhoehpp.exe                          2632                 105
2632  Pjhbah32.exe                          4364                 106
4364  Ceoillaj.exe                          1000                 107
1000  Deanhj32.exe                          1800                 108
1800  Gkhbnm32.exe                          1292                 109
1292  Hillnoif.exe                          548                  110
548   Ifjoma32.exe                          5016                 111
5016  Jpkfmfok.exe                          1420                 112
1420  Kpeibdfp.exe                          2168                 113
2168  Lbjlpo32.exe                          4516                 114
4516  Olcbfp32.exe                          3288                 115

Each parent/child pair is recorded three times in the raw list (three writes into the new child before it runs); the raw list stops at 64 entries, so the last pair appears only once. Every target is the next dropped executable in the chain, so each process writes only into the child it has just created, not into an existing process.
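The WriteProcessMemory rows, the "Executes dropped EXE" list and the process tree describe one thing: a linear chain in which every dropped executable in SysWOW64 starts the next one. A chain like that has no benign counterpart, so its depth is a usable detection feature on its own. The following is an added example, written for this page rather than taken from the sandbox, that walks process-creation records shaped like Sysmon Event ID 1 and reports every run of consecutive SysWOW64 processes at least `min_depth` long, together with the process that started the run. PIDs and image paths are taken from the tree above; the parent PID 900 of the initial sample and the notepad/cmd records are constructed for contrast.

```python
from collections import defaultdict

SYSWOW64 = "c:\\windows\\syswow64\\"

# Constructed records in the shape of Sysmon Event ID 1 fields (ProcessId, ParentProcessId,
# Image). The chain PIDs and paths are from the report's process tree; PID 900 (standing in
# for explorer.exe) and the notepad/cmd pair are assumptions added for contrast.
SAMPLE_PROCESS_EVENTS = [
    {"ProcessId": 2460, "ParentProcessId": 900,  "Image": r"C:\Users\Admin\AppData\Local\Temp\a80eec4be3d1d82570f8afbd1b923378.exe"},
    {"ProcessId": 1408, "ParentProcessId": 2460, "Image": r"C:\Windows\SysWOW64\Pfjgbapo.exe"},
    {"ProcessId": 1992, "ParentProcessId": 1408, "Image": r"C:\Windows\SysWOW64\Eqkmpo32.exe"},
    {"ProcessId": 532,  "ParentProcessId": 1992, "Image": r"C:\Windows\SysWOW64\Ijpcbn32.exe"},
    {"ProcessId": 112,  "ParentProcessId": 532,  "Image": r"C:\Windows\SysWOW64\Lhiodm32.exe"},
    {"ProcessId": 4832, "ParentProcessId": 112,  "Image": r"C:\Windows\SysWOW64\Oilmhhfd.exe"},
    {"ProcessId": 1288, "ParentProcessId": 4832, "Image": r"C:\Windows\SysWOW64\Aldeap32.exe"},
    {"ProcessId": 3408, "ParentProcessId": 1288, "Image": r"C:\Windows\SysWOW64\Bpidhmoi.exe"},
    {"ProcessId": 2172, "ParentProcessId": 3408, "Image": r"C:\Windows\SysWOW64\Hppedpkf.exe"},
    {"ProcessId": 7000, "ParentProcessId": 900,  "Image": r"C:\Windows\System32\notepad.exe"},
    {"ProcessId": 7001, "ParentProcessId": 7000, "Image": r"C:\Windows\SysWOW64\cmd.exe"},
]


def _in_dir(image, directory):
    return image.lower().startswith(directory)


def find_syswow64_chains(events, min_depth=5, directory=SYSWOW64):
    # Returns every ancestry run of >= min_depth consecutive processes whose image lives
    # under `directory`, plus the process that spawned the head of the run.
    # A production pipeline should key on ProcessGuid instead of ProcessId: PIDs are reused
    # (this report shows 1992 and 2460 each used twice).
    image = {e["ProcessId"]: e["Image"] for e in events}
    parent = {e["ProcessId"]: e["ParentProcessId"] for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ParentProcessId"]].append(e["ProcessId"])

    def longest_run(pid):
        # Longest path of matching descendants starting at pid (pid itself already matches).
        best = []
        for child in children.get(pid, ()):
            if _in_dir(image[child], directory):
                path = longest_run(child)
                if len(path) > len(best):
                    best = path
        return [(pid, image[pid])] + best

    chains = []
    for pid, img in image.items():
        if not _in_dir(img, directory):
            continue
        ppid = parent[pid]
        if ppid in image and _in_dir(image[ppid], directory):
            continue                    # not the head of a run; its parent's walk covers it
        run = longest_run(pid)
        if len(run) >= min_depth:
            chains.append({"origin": (ppid, image.get(ppid)), "chain": run})
    return chains


if __name__ == "__main__":
    for chain in find_syswow64_chains(SAMPLE_PROCESS_EVENTS):
        origin_pid, origin_image = chain["origin"]
        print(f"{len(chain['chain'])} consecutive SysWOW64 processes, started by PID {origin_pid} ({origin_image}):")
        for pid, img in chain["chain"]:
            print(f"  {pid:>5}  {img}")
```

The threshold is deliberately low: the sandbox tree is 22 deep after 150 seconds, and a single 32-bit helper launched from SysWOW64 (the cmd.exe record) is never flagged because it is a run of one. The origin of the flagged run is the process to pull first, since it is the file the chain was seeded from.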
Processes
-
Each process below spawned the one that follows it; the list number is the depth in the process tree.

1. C:\Users\Admin\AppData\Local\Temp\a80eec4be3d1d82570f8afbd1b923378.exe (PID 2460), command line: "C:\Users\Admin\AppData\Local\Temp\a80eec4be3d1d82570f8afbd1b923378.exe"
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Pfjgbapo.exe (PID 1408), command line: C:\Windows\system32\Pfjgbapo.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Eqkmpo32.exe (PID 1992), command line: C:\Windows\system32\Eqkmpo32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Ijpcbn32.exe (PID 532), command line: C:\Windows\system32\Ijpcbn32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Lhiodm32.exe (PID 112), command line: C:\Windows\system32\Lhiodm32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Oilmhhfd.exe (PID 4832), command line: C:\Windows\system32\Oilmhhfd.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Aldeap32.exe (PID 1288), command line: C:\Windows\system32\Aldeap32.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Bpidhmoi.exe (PID 3408), command line: C:\Windows\system32\Bpidhmoi.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Hppedpkf.exe (PID 2172), command line: C:\Windows\system32\Hppedpkf.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Mallojmd.exe (PID 5100), command line: C:\Windows\system32\Mallojmd.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Nqdeefpi.exe (PID 3428), command line: C:\Windows\system32\Nqdeefpi.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Onhoehpp.exe (PID 2060), command line: C:\Windows\system32\Onhoehpp.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Pjhbah32.exe (PID 2632), command line: C:\Windows\system32\Pjhbah32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Ceoillaj.exe (PID 4364), command line: C:\Windows\system32\Ceoillaj.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Deanhj32.exe (PID 1000), command line: C:\Windows\system32\Deanhj32.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Gkhbnm32.exe (PID 1800), command line: C:\Windows\system32\Gkhbnm32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Hillnoif.exe (PID 1292), command line: C:\Windows\system32\Hillnoif.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Ifjoma32.exe (PID 548), command line: C:\Windows\system32\Ifjoma32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Jpkfmfok.exe (PID 5016), command line: C:\Windows\system32\Jpkfmfok.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Kpeibdfp.exe (PID 1420), command line: C:\Windows\system32\Kpeibdfp.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Lbjlpo32.exe (PID 2168), command line: C:\Windows\system32\Lbjlpo32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Olcbfp32.exe (PID 4516), command line: C:\Windows\system32\Olcbfp32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Pgefogop.exe (PID 3288), command line: C:\Windows\system32\Pgefogop.exe
- Executes dropped EXE
- Modifies registry class
24. C:\Windows\SysWOW64\Aqijdk32.exe (PID 2004), command line: C:\Windows\system32\Aqijdk32.exe
- Executes dropped EXE
- Modifies registry class
25. C:\Windows\SysWOW64\Aclpkffa.exe (PID 1772), command line: C:\Windows\system32\Aclpkffa.exe
- Executes dropped EXE
26. C:\Windows\SysWOW64\Bmngjj32.exe (PID 776), command line: C:\Windows\system32\Bmngjj32.exe
- Executes dropped EXE
27. C:\Windows\SysWOW64\Cnffjl32.exe (PID 1816), command line: C:\Windows\system32\Cnffjl32.exe
- Executes dropped EXE
28. C:\Windows\SysWOW64\Dhkjooqb.exe (PID 1512), command line: C:\Windows\system32\Dhkjooqb.exe
- Executes dropped EXE
29. C:\Windows\SysWOW64\Eoilfidj.exe (PID 1636), command line: C:\Windows\system32\Eoilfidj.exe
- Executes dropped EXE
30. C:\Windows\SysWOW64\Fnmeic32.exe (PID 4468), command line: C:\Windows\system32\Fnmeic32.exe
- Executes dropped EXE
31. C:\Windows\SysWOW64\Gfomfo32.exe (PID 3400), command line: C:\Windows\system32\Gfomfo32.exe
- Executes dropped EXE
- Modifies registry class
32. C:\Windows\SysWOW64\Jngjmm32.exe (PID 2232), command line: C:\Windows\system32\Jngjmm32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
33. C:\Windows\SysWOW64\Jkkjfa32.exe (PID 2200), command line: C:\Windows\system32\Jkkjfa32.exe
- Executes dropped EXE
- Drops file in System32 directory
34. C:\Windows\SysWOW64\Kpbfbo32.exe (PID 2500), command line: C:\Windows\system32\Kpbfbo32.exe
- Executes dropped EXE
35. C:\Windows\SysWOW64\Lbnnphhk.exe (PID 4020), command line: C:\Windows\system32\Lbnnphhk.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
36. C:\Windows\SysWOW64\Moglkikl.exe (PID 436), command line: C:\Windows\system32\Moglkikl.exe
- Executes dropped EXE
37. C:\Windows\SysWOW64\Mefmbbod.exe (PID 640), command line: C:\Windows\system32\Mefmbbod.exe
- Executes dropped EXE
38. C:\Windows\SysWOW64\Mlbbel32.exe (PID 2444), command line: C:\Windows\system32\Mlbbel32.exe
- Executes dropped EXE
- Modifies registry class
39. C:\Windows\SysWOW64\Nockfgao.exe (PID 4120), command line: C:\Windows\system32\Nockfgao.exe
- Executes dropped EXE
- Drops file in System32 directory
40. C:\Windows\SysWOW64\Noehlgol.exe (PID 3156), command line: C:\Windows\system32\Noehlgol.exe
- Executes dropped EXE
41. C:\Windows\SysWOW64\Nhnlelfm.exe (PID 5020), command line: C:\Windows\system32\Nhnlelfm.exe
- Executes dropped EXE
42. C:\Windows\SysWOW64\Nebmnqdf.exe (PID 3744), command line: C:\Windows\system32\Nebmnqdf.exe
- Executes dropped EXE
43. C:\Windows\SysWOW64\Afboll32.exe (PID 2692), command line: C:\Windows\system32\Afboll32.exe
- Executes dropped EXE
44. C:\Windows\SysWOW64\Aokceaoa.exe (PID 1536), command line: C:\Windows\system32\Aokceaoa.exe
- Executes dropped EXE
45. C:\Windows\SysWOW64\Aichng32.exe (PID 784), command line: C:\Windows\system32\Aichng32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
46. C:\Windows\SysWOW64\Ackiqpce.exe (PID 2460), command line: C:\Windows\system32\Ackiqpce.exe
- Executes dropped EXE
47. C:\Windows\SysWOW64\Acnefoac.exe (PID 4780), command line: C:\Windows\system32\Acnefoac.exe
- Executes dropped EXE
48. C:\Windows\SysWOW64\Bogcqpdd.exe (PID 3352), command line: C:\Windows\system32\Bogcqpdd.exe
- Executes dropped EXE
49. C:\Windows\SysWOW64\Bgpggm32.exe (PID 2828), command line: C:\Windows\system32\Bgpggm32.exe
- Executes dropped EXE
50. C:\Windows\SysWOW64\Ejabgcdp.exe (PID 684), command line: C:\Windows\system32\Ejabgcdp.exe
- Executes dropped EXE
51. C:\Windows\SysWOW64\Efhcld32.exe (PID 4376), command line: C:\Windows\system32\Efhcld32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
52. C:\Windows\SysWOW64\Fmehnn32.exe (PID 3928), command line: C:\Windows\system32\Fmehnn32.exe
- Executes dropped EXE
53. C:\Windows\SysWOW64\Filicodb.exe (PID 1992), command line: C:\Windows\system32\Filicodb.exe
- Executes dropped EXE
54. C:\Windows\SysWOW64\Fineho32.exe (PID 4732), command line: C:\Windows\system32\Fineho32.exe
- Executes dropped EXE
55. C:\Windows\SysWOW64\Gdoiaf32.exe (PID 1980), command line: C:\Windows\system32\Gdoiaf32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
56. C:\Windows\SysWOW64\Gacjkjgb.exe (PID 1708), command line: C:\Windows\system32\Gacjkjgb.exe
- Executes dropped EXE
57. C:\Windows\SysWOW64\Hdfobe32.exe (PID 4472), command line: C:\Windows\system32\Hdfobe32.exe
- Executes dropped EXE
- Modifies registry class
58. C:\Windows\SysWOW64\Halmaiog.exe (PID 2248), command line: C:\Windows\system32\Halmaiog.exe
- Executes dropped EXE
59. C:\Windows\SysWOW64\Hpaibe32.exe (PID 4880), command line: C:\Windows\system32\Hpaibe32.exe
- Executes dropped EXE
60. C:\Windows\SysWOW64\Ignndo32.exe (PID 232), command line: C:\Windows\system32\Ignndo32.exe
- Executes dropped EXE
61. C:\Windows\SysWOW64\Ihdaoajd.exe (PID 3620), command line: C:\Windows\system32\Ihdaoajd.exe
- Executes dropped EXE
62. C:\Windows\SysWOW64\Jbmehf32.exe (PID 2184), command line: C:\Windows\system32\Jbmehf32.exe
- Executes dropped EXE
63. C:\Windows\SysWOW64\Jbobnf32.exe (PID 228), command line: C:\Windows\system32\Jbobnf32.exe
- Executes dropped EXE
64. C:\Windows\SysWOW64\Jdpkoalc.exe (PID 4412), command line: C:\Windows\system32\Jdpkoalc.exe
- Executes dropped EXE
65. C:\Windows\SysWOW64\Jdbheajp.exe (PID 560), command line: C:\Windows\system32\Jdbheajp.exe
- Executes dropped EXE
66. C:\Windows\SysWOW64\Jnklnfpq.exe (PID 4892), command line: C:\Windows\system32\Jnklnfpq.exe
- Adds autorun key to be loaded by Explorer.exe on startup
67. C:\Windows\SysWOW64\Jgcafl32.exe (PID 3168), command line: C:\Windows\system32\Jgcafl32.exe
68. C:\Windows\SysWOW64\Kqkeoama.exe (PID 1036), command line: C:\Windows\system32\Kqkeoama.exe
- Drops file in System32 directory
69. C:\Windows\SysWOW64\Kqnbea32.exe (PID 1648), command line: C:\Windows\system32\Kqnbea32.exe
- Loads dropped DLL
70. C:\Windows\SysWOW64\Kjffngap.exe (PID 264), command line: C:\Windows\system32\Kjffngap.exe
71. C:\Windows\SysWOW64\Kgjggkqi.exe (PID 1856), command line: C:\Windows\system32\Kgjggkqi.exe
- Drops file in System32 directory
72. C:\Windows\SysWOW64\Kijcanhl.exe (PID 1584), command line: C:\Windows\system32\Kijcanhl.exe
73. C:\Windows\SysWOW64\Kaehepeg.exe (PID 1844), command line: C:\Windows\system32\Kaehepeg.exe
74. C:\Windows\SysWOW64\Ljmmnf32.exe (PID 4308), command line: C:\Windows\system32\Ljmmnf32.exe
- Modifies registry class
75. C:\Windows\SysWOW64\Linmlm32.exe (PID 2556), command line: C:\Windows\system32\Linmlm32.exe
- Modifies registry class
76. C:\Windows\SysWOW64\Lbgaecjg.exe (PID 2292), command line: C:\Windows\system32\Lbgaecjg.exe
- Modifies registry class
77. C:\Windows\SysWOW64\Ljbfiegb.exe (PID 2680), command line: C:\Windows\system32\Ljbfiegb.exe
78. C:\Windows\SysWOW64\Licfgmpa.exe (PID 4344), command line: C:\Windows\system32\Licfgmpa.exe
- Modifies registry class
79. C:\Windows\SysWOW64\Lankloml.exe (PID 4928), command line: C:\Windows\system32\Lankloml.exe
- Drops file in System32 directory
80. C:\Windows\SysWOW64\Ljfodd32.exe (PID 4592), command line: C:\Windows\system32\Ljfodd32.exe
- Drops file in System32 directory
81. C:\Windows\SysWOW64\Lelcbmcc.exe (PID 412), command line: C:\Windows\system32\Lelcbmcc.exe
- Modifies registry class
82. C:\Windows\SysWOW64\Mbpdkabl.exe (PID 2696), command line: C:\Windows\system32\Mbpdkabl.exe
83. C:\Windows\SysWOW64\Maealn32.exe (PID 4196), command line: C:\Windows\system32\Maealn32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
84. C:\Windows\SysWOW64\Mbenfq32.exe (PID 5008), command line: C:\Windows\system32\Mbenfq32.exe
85. C:\Windows\SysWOW64\Mlmbofdh.exe (PID 1600), command line: C:\Windows\system32\Mlmbofdh.exe
86. C:\Windows\SysWOW64\Meefhl32.exe (PID 1272), command line: C:\Windows\system32\Meefhl32.exe
87. C:\Windows\SysWOW64\Mnnkaa32.exe (PID 3176), command line: C:\Windows\system32\Mnnkaa32.exe
88. C:\Windows\SysWOW64\Nlbkjf32.exe (PID 572), command line: C:\Windows\system32\Nlbkjf32.exe
89. C:\Windows\SysWOW64\Njghkb32.exe (PID 3244), command line: C:\Windows\system32\Njghkb32.exe
90. C:\Windows\SysWOW64\Nbqmbo32.exe (PID 2320), command line: C:\Windows\system32\Nbqmbo32.exe
- Modifies registry class
91. C:\Windows\SysWOW64\Nbcjhobg.exe (PID 4596), command line: C:\Windows\system32\Nbcjhobg.exe
- Drops file in System32 directory
92. C:\Windows\SysWOW64\Olphlcdb.exe (PID 3272), command line: C:\Windows\system32\Olphlcdb.exe
- Drops file in System32 directory
93. C:\Windows\SysWOW64\Okedmp32.exe (PID 3336), command line: C:\Windows\system32\Okedmp32.exe
94. C:\Windows\SysWOW64\Ohiefdhd.exe (PID 4720), command line: C:\Windows\system32\Ohiefdhd.exe
95. C:\Windows\SysWOW64\Oaajoj32.exe (PID 3144), command line: C:\Windows\system32\Oaajoj32.exe
96. C:\Windows\SysWOW64\Ooejhn32.exe (PID 876), command line: C:\Windows\system32\Ooejhn32.exe
97. C:\Windows\SysWOW64\Poggnnkk.exe (PID 3476), command line: C:\Windows\system32\Poggnnkk.exe
98. C:\Windows\SysWOW64\Phpkgc32.exe (PID 3188), command line: C:\Windows\system32\Phpkgc32.exe
99. C:\Windows\SysWOW64\Pcepdl32.exe (PID 4544), command line: C:\Windows\system32\Pcepdl32.exe
100. C:\Windows\SysWOW64\Pkqdhnom.exe (PID 1056), command line: C:\Windows\system32\Pkqdhnom.exe
101. C:\Windows\SysWOW64\Pibdff32.exe (PID 4724), command line: C:\Windows\system32\Pibdff32.exe
102. C:\Windows\SysWOW64\Pamikh32.exe (PID 5100), command line: C:\Windows\system32\Pamikh32.exe
- Drops file in System32 directory
103. C:\Windows\SysWOW64\Pcmeek32.exe (PID 2968), command line: C:\Windows\system32\Pcmeek32.exe
104. C:\Windows\SysWOW64\Efepln32.exe (PID 2868), command line: C:\Windows\system32\Efepln32.exe
105. C:\Windows\SysWOW64\Ecipeb32.exe (PID 4968), command line: C:\Windows\system32\Ecipeb32.exe
106. C:\Windows\SysWOW64\Fldeie32.exe (PID 4212), command line: C:\Windows\system32\Fldeie32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
107. C:\Windows\SysWOW64\Flgaodbm.exe (PID 4768), command line: C:\Windows\system32\Flgaodbm.exe
108. C:\Windows\SysWOW64\Fjhaml32.exe (PID 3184), command line: C:\Windows\system32\Fjhaml32.exe
- Drops file in System32 directory
- Modifies registry class
109. C:\Windows\SysWOW64\Fjjnblhi.exe (PID 1128), command line: C:\Windows\system32\Fjjnblhi.exe
110. C:\Windows\SysWOW64\Fbecgned.exe (PID 5128), command line: C:\Windows\system32\Fbecgned.exe
111. C:\Windows\SysWOW64\Glpdecjb.exe (PID 5168), command line: C:\Windows\system32\Glpdecjb.exe
112. C:\Windows\SysWOW64\Gfhehlhe.exe (PID 5212), command line: C:\Windows\system32\Gfhehlhe.exe
113. C:\Windows\SysWOW64\Gpqjaanf.exe (PID 5252), command line: C:\Windows\system32\Gpqjaanf.exe
- Modifies registry class
114. C:\Windows\SysWOW64\Gpcffalc.exe (PID 5304), command line: C:\Windows\system32\Gpcffalc.exe
115. C:\Windows\SysWOW64\Hingefqa.exe (PID 5348), command line: C:\Windows\system32\Hingefqa.exe
- Adds autorun key to be loaded by Explorer.exe on startup
116. C:\Windows\SysWOW64\Hdehho32.exe (PID 5388), command line: C:\Windows\system32\Hdehho32.exe
- Drops file in System32 directory
117. C:\Windows\SysWOW64\Hmbflc32.exe (PID 5432), command line: C:\Windows\system32\Hmbflc32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
118. C:\Windows\SysWOW64\Iildfd32.exe (PID 5472), command line: C:\Windows\system32\Iildfd32.exe
119. C:\Windows\SysWOW64\Icdhojka.exe (PID 5516), command line: C:\Windows\system32\Icdhojka.exe
- Modifies registry class
120. C:\Windows\SysWOW64\Iphihnjk.exe (PID 5564), command line: C:\Windows\system32\Iphihnjk.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
121. C:\Windows\SysWOW64\Ijqmacpl.exe (PID 5604), command line: C:\Windows\system32\Ijqmacpl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
122. C:\Windows\SysWOW64\Igdnkhoe.exe (PID 5652), command line: C:\Windows\system32\Igdnkhoe.exe