Analysis
-
max time kernel
166s -
max time network
175s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
02-01-2024 15:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c15787f5eaacab13759555dad047ac95.exe
Resource
win7-20231215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
c15787f5eaacab13759555dad047ac95.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
c15787f5eaacab13759555dad047ac95.exe
-
Size
93KB
-
MD5
c15787f5eaacab13759555dad047ac95
-
SHA1
f58e3110ebe72481ffd9cb08506967dc269d1a63
-
SHA256
13dd22ce8defefb2869aa30168d125967eba8aef7dfaad1e34026751a7f45d7e
-
SHA512
cdea78383e24efea5e4232e3bcff9cb98fc62eb98973fe70258da26ad6f73497770f6e560cac371bca85a6004955b91d28df9f726a6d2d31e122d98952413c1e
-
SSDEEP
1536:6+uE/ZlhPkxAEBtL0mggP+QaHjGd7BxRv8CIUCMzPmJysA3TPjiwg58:6+uEPhP4AEBGmFaHadtxRv7Pr3Y58
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhapmphg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibhlmgdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dooaip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aadgadai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddhofjpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqfeag32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghkebd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hddbmedc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dflmep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibnlbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnmdfknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecmebm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgjekc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjfoqhpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjodff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agfpoqog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpgdjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lplaaiqd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foekbg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dldlbgbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Komhfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcocmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgalelin.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkjfloeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mndapl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhjbjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgokdomj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojcidelf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oampdkbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Boeelcmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Inpclnnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmfhelke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcqjhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gaqhdmmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmqhlk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gplged32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddbbngjb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hheoci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pamikh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bijncb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gclimi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gajibq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kefiheqf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njploeoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfqgjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hddbmedc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnlhhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmjcgb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdcnpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iophnl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilfhfh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loedajao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhdgqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geohdago.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kckqlpck.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckgnbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nchhooaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okkalnjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onekeb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbhjqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpodfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbakiina.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkllgnco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbpboj32.exe -
Executes dropped EXE 64 IoCs
pid Process 3288 Jfmekm32.exe 4340 Mklpof32.exe 4420 Namnmp32.exe 3476 Oafacn32.exe 2684 Ofhcdlgg.exe 3420 Pklamb32.exe 3504 Abdfkj32.exe 3672 Bgfhnpde.exe 2404 Bbklli32.exe 3584 Bijncb32.exe 4744 Bgokdomj.exe 2484 Clpppmqn.exe 3272 Cpbbak32.exe 3424 Dbckcf32.exe 1356 Dlbfmjqi.exe 696 Eldbbjof.exe 2496 Epiaig32.exe 2832 Fgjpfqpi.exe 2652 Gplged32.exe 736 Gjdknjep.exe 2320 Geklckkd.exe 3484 Hcipcnac.exe 4112 Hladlc32.exe 1084 Ifnbph32.exe 1828 Jqklnp32.exe 3496 Kgngqico.exe 3228 Lhammfci.exe 3768 Lplaaiqd.exe 1956 Npjnbg32.exe 1116 Nhcbidcd.exe 2568 Okkalnjm.exe 3580 Phiekaql.exe 3368 Pknghk32.exe 2836 Adkelplc.exe 4144 Ajmgof32.exe 4780 Biigildg.exe 3364 Bbbkbbkg.exe 2632 Cicjokll.exe 816 Dlhlleeh.exe 3324 Ebejem32.exe 4288 Fhbbmc32.exe 4180 Glinjqhb.exe 2760 Gclimi32.exe 2700 Hhiaepfl.exe 1032 Hojpbigq.exe 1756 Iofpnhmc.exe 4544 Ijkdkq32.exe 2200 Jkcfch32.exe 1392 Limioiia.exe 5080 Nbmmoklg.exe 1600 Nfjeej32.exe 3104 Ofdhlh32.exe 4636 Anjikoip.exe 1552 Bjhpqn32.exe 1332 Bqahmhpi.exe 4312 Cddjofbj.exe 408 Faiplcmk.exe 3356 Genobp32.exe 4392 Gmjcgb32.exe 440 Gajibq32.exe 436 Hdokok32.exe 1672 Hmhphqoe.exe 4540 Hhmdeink.exe 3816 Ionbcb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kgdpgo32.exe Komhfa32.exe File created C:\Windows\SysWOW64\Kolakkii.exe Khbioa32.exe File created C:\Windows\SysWOW64\Pjhihm32.exe Pqoepgca.exe File created C:\Windows\SysWOW64\Bminokil.exe Babmjj32.exe File created C:\Windows\SysWOW64\Bhnqoo32.exe Ahpdnaci.exe File opened for modification C:\Windows\SysWOW64\Dbckcf32.exe Cpbbak32.exe File created C:\Windows\SysWOW64\Gfomfo32.exe Gkjhif32.exe File created C:\Windows\SysWOW64\Mhbaaa32.dll Phfjmlhh.exe File opened for modification C:\Windows\SysWOW64\Ednajepe.exe Ecmebm32.exe File created C:\Windows\SysWOW64\Mkekhacb.dll Lfqgjh32.exe File created C:\Windows\SysWOW64\Qgmnmagm.dll Pllggbje.exe File created C:\Windows\SysWOW64\Dhdgih32.dll Lohqgj32.exe File created C:\Windows\SysWOW64\Cpbbak32.exe Clpppmqn.exe File created C:\Windows\SysWOW64\Kffkpkqi.dll Gpgihh32.exe File created C:\Windows\SysWOW64\Jlcnnhjo.dll Njploeoi.exe File opened for modification C:\Windows\SysWOW64\Ghiogkfp.exe Goqkne32.exe File created C:\Windows\SysWOW64\Ghmbhd32.exe Gacjkjgb.exe File created C:\Windows\SysWOW64\Ljibdifc.exe Kcpjgo32.exe File created C:\Windows\SysWOW64\Kmijliej.exe Kikafjoc.exe File opened for modification C:\Windows\SysWOW64\Mfkkjbnn.exe Laiiie32.exe File opened for modification C:\Windows\SysWOW64\Hhmdeink.exe Hmhphqoe.exe File opened for modification C:\Windows\SysWOW64\Ikndpm32.exe Iddlccfp.exe File created C:\Windows\SysWOW64\Kllibo32.dll Jqhaolli.exe File opened for modification C:\Windows\SysWOW64\Dlbfmjqi.exe Dbckcf32.exe File created C:\Windows\SysWOW64\Gnfhob32.exe Ghiogkfp.exe File created C:\Windows\SysWOW64\Idfaolpb.exe Ijqmacpl.exe File created C:\Windows\SysWOW64\Mdhanfoi.dll Jjeflc32.exe File created C:\Windows\SysWOW64\Blagpcop.dll Edknjonl.exe File created C:\Windows\SysWOW64\Nnpncc32.dll Fipkch32.exe File created C:\Windows\SysWOW64\Njhglelp.exe Nqkihpie.exe File opened for modification C:\Windows\SysWOW64\Hladlc32.exe Hcipcnac.exe File created C:\Windows\SysWOW64\Dlnjek32.dll Hbkgfode.exe File created C:\Windows\SysWOW64\Jpbjophf.exe Jemfbgiq.exe File created C:\Windows\SysWOW64\Negbbgbj.dll Oqkkdh32.exe File opened for modification C:\Windows\SysWOW64\Abpcdfha.exe Aihoka32.exe File created C:\Windows\SysWOW64\Odejmglm.dll Ipaeedpp.exe File opened for modification C:\Windows\SysWOW64\Ckaffjbg.exe Bhnqoo32.exe File created C:\Windows\SysWOW64\Ofiima32.dll Jidpblik.exe File created C:\Windows\SysWOW64\Bmeagjbo.exe Bgkijp32.exe File created C:\Windows\SysWOW64\Pgcpdn32.exe Pbfglg32.exe File opened for modification C:\Windows\SysWOW64\Iophnl32.exe Hdcnpd32.exe File created C:\Windows\SysWOW64\Fakhaa32.dll Hdlphjaf.exe File opened for modification C:\Windows\SysWOW64\Kbgfad32.exe Kkpnqf32.exe File opened for modification C:\Windows\SysWOW64\Bhohfj32.exe Anbkbe32.exe File created C:\Windows\SysWOW64\Pfpbkj32.dll Ocgbej32.exe File created C:\Windows\SysWOW64\Onaokmmm.dll Jpbjophf.exe File created C:\Windows\SysWOW64\Befkma32.dll Nkmmbe32.exe File created C:\Windows\SysWOW64\Pnjbbemd.dll Oefpoi32.exe File created C:\Windows\SysWOW64\Mlajbe32.dll Jnelha32.exe File created C:\Windows\SysWOW64\Mgeekolf.dll Lcocmi32.exe File created C:\Windows\SysWOW64\Eehdii32.exe Elpppcdl.exe File created C:\Windows\SysWOW64\Ojigbcoh.dll Boeelcmm.exe File created C:\Windows\SysWOW64\Fhgkhi32.dll Gjmmfq32.exe File created C:\Windows\SysWOW64\Dnhdkgcp.dll Fbeeco32.exe File opened for modification C:\Windows\SysWOW64\Fbiooolb.exe Fqfeag32.exe File created C:\Windows\SysWOW64\Nkodld32.dll Pbgghn32.exe File opened for modification C:\Windows\SysWOW64\Aadgadai.exe Afocdkac.exe File created C:\Windows\SysWOW64\Hijohoki.exe Hoakpi32.exe File created C:\Windows\SysWOW64\Bakobdbb.dll Agfpoqog.exe File created C:\Windows\SysWOW64\Liikiccg.exe Lcocmi32.exe File opened for modification C:\Windows\SysWOW64\Omalii32.exe Oblhlpne.exe File created C:\Windows\SysWOW64\Dkgqpaed.exe Ddmhcg32.exe File created C:\Windows\SysWOW64\Kbebdpca.exe Kmijliej.exe File created C:\Windows\SysWOW64\Fcpadd32.exe Edaamihh.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bogapc32.dll" Mfkkjbnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhljpcfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnffai32.dll" Gonnhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibhlmgdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbcngk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kikafjoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaedbq32.dll" Fbecgned.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eecpaeoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdoidcjk.dll" Pbfglg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qjfmda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoebkabl.dll" Cdfbbhdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajckbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offoebpp.dll" Dnmhim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iemkjd32.dll" Jfnbnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gggmqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fakhaa32.dll" Hdlphjaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qdmkbmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jgkmap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccnheqff.dll" Aijlqq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhbbmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hboaql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcbibeki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nljgfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mqojlbcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npimoech.dll" Joqapmcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Omhicj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pklamb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jncapf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cohdoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pknghk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmgjbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njploeoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gehfepio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgiflnoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dahmoefm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclaea32.dll" Gnmlbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iglhfkab.dll" Chagiqhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lfqgjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emphhhoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jqklnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgfceo32.dll" Kinefp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Onekeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eimegk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbjk32.dll" Alioloje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bemqcngl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okmpjpfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Opqopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkcnplhg.dll" Afocdkac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkpnqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjljlijg.dll" Aiifeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aofemaog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aojepe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phcgmffo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kepdfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Beomhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjodgmlo.dll" Bllbkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kcpjgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkmapc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddbbngjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gehfepio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchihe32.dll" Cfbcfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekfcj32.dll" Qgalelin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phfjmlhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hoadecal.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2664 wrote to memory of 3288 2664 c15787f5eaacab13759555dad047ac95.exe 94 PID 2664 wrote to memory of 3288 2664 c15787f5eaacab13759555dad047ac95.exe 94 PID 2664 wrote to memory of 3288 2664 c15787f5eaacab13759555dad047ac95.exe 94 PID 3288 wrote to memory of 4340 3288 Jfmekm32.exe 95 PID 3288 wrote to memory of 4340 3288 Jfmekm32.exe 95 PID 3288 wrote to memory of 4340 3288 Jfmekm32.exe 95 PID 4340 wrote to memory of 4420 4340 Mklpof32.exe 96 PID 4340 wrote to memory of 4420 4340 Mklpof32.exe 96 PID 4340 wrote to memory of 4420 4340 Mklpof32.exe 96 PID 4420 wrote to memory of 3476 4420 Namnmp32.exe 97 PID 4420 wrote to memory of 3476 4420 Namnmp32.exe 97 PID 4420 wrote to memory of 3476 4420 Namnmp32.exe 97 PID 3476 wrote to memory of 2684 3476 Oafacn32.exe 98 PID 3476 wrote to memory of 2684 3476 Oafacn32.exe 98 PID 3476 wrote to memory of 2684 3476 Oafacn32.exe 98 PID 2684 wrote to memory of 3420 2684 Ofhcdlgg.exe 99 PID 2684 wrote to memory of 3420 2684 Ofhcdlgg.exe 99 PID 2684 wrote to memory of 3420 2684 Ofhcdlgg.exe 99 PID 3420 wrote to memory of 3504 3420 Pklamb32.exe 100 PID 3420 wrote to memory of 3504 3420 Pklamb32.exe 100 PID 3420 wrote to memory of 3504 3420 Pklamb32.exe 100 PID 3504 wrote to memory of 3672 3504 Abdfkj32.exe 101 PID 3504 wrote to memory of 3672 3504 Abdfkj32.exe 101 PID 3504 wrote to memory of 3672 3504 Abdfkj32.exe 101 PID 3672 wrote to memory of 2404 3672 Bgfhnpde.exe 102 PID 3672 wrote to memory of 2404 3672 Bgfhnpde.exe 102 PID 3672 wrote to memory of 2404 3672 Bgfhnpde.exe 102 PID 2404 wrote to memory of 3584 2404 Bbklli32.exe 103 PID 2404 wrote to memory of 3584 2404 Bbklli32.exe 103 PID 2404 wrote to memory of 3584 2404 Bbklli32.exe 103 PID 3584 wrote to memory of 4744 3584 Bijncb32.exe 104 PID 3584 wrote to memory of 4744 3584 Bijncb32.exe 104 PID 3584 wrote to memory of 4744 3584 Bijncb32.exe 104 PID 4744 wrote to memory of 2484 4744 Bgokdomj.exe 105 PID 4744 wrote to memory of 2484 4744 Bgokdomj.exe 105 PID 4744 wrote to memory of 2484 4744 Bgokdomj.exe 105 PID 2484 wrote to memory of 3272 2484 Clpppmqn.exe 106 PID 2484 wrote to memory of 3272 2484 Clpppmqn.exe 106 PID 2484 wrote to memory of 3272 2484 Clpppmqn.exe 106 PID 3272 wrote to memory of 3424 3272 Cpbbak32.exe 107 PID 3272 wrote to memory of 3424 3272 Cpbbak32.exe 107 PID 3272 wrote to memory of 3424 3272 Cpbbak32.exe 107 PID 3424 wrote to memory of 1356 3424 Dbckcf32.exe 108 PID 3424 wrote to memory of 1356 3424 Dbckcf32.exe 108 PID 3424 wrote to memory of 1356 3424 Dbckcf32.exe 108 PID 1356 wrote to memory of 696 1356 Dlbfmjqi.exe 109 PID 1356 wrote to memory of 696 1356 Dlbfmjqi.exe 109 PID 1356 wrote to memory of 696 1356 Dlbfmjqi.exe 109 PID 696 wrote to memory of 2496 696 Eldbbjof.exe 110 PID 696 wrote to memory of 2496 696 Eldbbjof.exe 110 PID 696 wrote to memory of 2496 696 Eldbbjof.exe 110 PID 2496 wrote to memory of 2832 2496 Epiaig32.exe 111 PID 2496 wrote to memory of 2832 2496 Epiaig32.exe 111 PID 2496 wrote to memory of 2832 2496 Epiaig32.exe 111 PID 2832 wrote to memory of 2652 2832 Fgjpfqpi.exe 112 PID 2832 wrote to memory of 2652 2832 Fgjpfqpi.exe 112 PID 2832 wrote to memory of 2652 2832 Fgjpfqpi.exe 112 PID 2652 wrote to memory of 736 2652 Gplged32.exe 113 PID 2652 wrote to memory of 736 2652 Gplged32.exe 113 PID 2652 wrote to memory of 736 2652 Gplged32.exe 113 PID 736 wrote to memory of 2320 736 Gjdknjep.exe 114 PID 736 wrote to memory of 2320 736 Gjdknjep.exe 114 PID 736 wrote to memory of 2320 736 Gjdknjep.exe 114 PID 2320 wrote to memory of 3484 2320 Geklckkd.exe 115
Processes
-
C:\Users\Admin\AppData\Local\Temp\c15787f5eaacab13759555dad047ac95.exe"C:\Users\Admin\AppData\Local\Temp\c15787f5eaacab13759555dad047ac95.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Jfmekm32.exeC:\Windows\system32\Jfmekm32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288 -
C:\Windows\SysWOW64\Mklpof32.exeC:\Windows\system32\Mklpof32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\Windows\SysWOW64\Namnmp32.exeC:\Windows\system32\Namnmp32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
C:\Windows\SysWOW64\Oafacn32.exeC:\Windows\system32\Oafacn32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\SysWOW64\Ofhcdlgg.exeC:\Windows\system32\Ofhcdlgg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Pklamb32.exeC:\Windows\system32\Pklamb32.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3420 -
C:\Windows\SysWOW64\Abdfkj32.exeC:\Windows\system32\Abdfkj32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\SysWOW64\Bgfhnpde.exeC:\Windows\system32\Bgfhnpde.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\SysWOW64\Bbklli32.exeC:\Windows\system32\Bbklli32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Bijncb32.exeC:\Windows\system32\Bijncb32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
C:\Windows\SysWOW64\Bgokdomj.exeC:\Windows\system32\Bgokdomj.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\SysWOW64\Clpppmqn.exeC:\Windows\system32\Clpppmqn.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Cpbbak32.exeC:\Windows\system32\Cpbbak32.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Windows\SysWOW64\Dbckcf32.exeC:\Windows\system32\Dbckcf32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3424 -
C:\Windows\SysWOW64\Dlbfmjqi.exeC:\Windows\system32\Dlbfmjqi.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\SysWOW64\Eldbbjof.exeC:\Windows\system32\Eldbbjof.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Windows\SysWOW64\Epiaig32.exeC:\Windows\system32\Epiaig32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Fgjpfqpi.exeC:\Windows\system32\Fgjpfqpi.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Gplged32.exeC:\Windows\system32\Gplged32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Gjdknjep.exeC:\Windows\system32\Gjdknjep.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Windows\SysWOW64\Geklckkd.exeC:\Windows\system32\Geklckkd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Hcipcnac.exeC:\Windows\system32\Hcipcnac.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3484 -
C:\Windows\SysWOW64\Hladlc32.exeC:\Windows\system32\Hladlc32.exe24⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Ifnbph32.exeC:\Windows\system32\Ifnbph32.exe25⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Jqklnp32.exeC:\Windows\system32\Jqklnp32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:1828 -
C:\Windows\SysWOW64\Kgngqico.exeC:\Windows\system32\Kgngqico.exe27⤵
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Lhammfci.exeC:\Windows\system32\Lhammfci.exe28⤵
- Executes dropped EXE
PID:3228 -
C:\Windows\SysWOW64\Lplaaiqd.exeC:\Windows\system32\Lplaaiqd.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3768 -
C:\Windows\SysWOW64\Npjnbg32.exeC:\Windows\system32\Npjnbg32.exe30⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Nhcbidcd.exeC:\Windows\system32\Nhcbidcd.exe31⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Okkalnjm.exeC:\Windows\system32\Okkalnjm.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Phiekaql.exeC:\Windows\system32\Phiekaql.exe33⤵
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Pknghk32.exeC:\Windows\system32\Pknghk32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:3368 -
C:\Windows\SysWOW64\Adkelplc.exeC:\Windows\system32\Adkelplc.exe35⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Ajmgof32.exeC:\Windows\system32\Ajmgof32.exe36⤵
- Executes dropped EXE
PID:4144 -
C:\Windows\SysWOW64\Biigildg.exeC:\Windows\system32\Biigildg.exe37⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Bbbkbbkg.exeC:\Windows\system32\Bbbkbbkg.exe38⤵
- Executes dropped EXE
PID:3364 -
C:\Windows\SysWOW64\Cicjokll.exeC:\Windows\system32\Cicjokll.exe39⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Dlhlleeh.exeC:\Windows\system32\Dlhlleeh.exe40⤵
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Ebejem32.exeC:\Windows\system32\Ebejem32.exe41⤵
- Executes dropped EXE
PID:3324 -
C:\Windows\SysWOW64\Fhbbmc32.exeC:\Windows\system32\Fhbbmc32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:4288 -
C:\Windows\SysWOW64\Glinjqhb.exeC:\Windows\system32\Glinjqhb.exe43⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Gclimi32.exeC:\Windows\system32\Gclimi32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Hhiaepfl.exeC:\Windows\system32\Hhiaepfl.exe45⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Hojpbigq.exeC:\Windows\system32\Hojpbigq.exe46⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Iofpnhmc.exeC:\Windows\system32\Iofpnhmc.exe47⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Ijkdkq32.exeC:\Windows\system32\Ijkdkq32.exe48⤵
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\Jkcfch32.exeC:\Windows\system32\Jkcfch32.exe49⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Limioiia.exeC:\Windows\system32\Limioiia.exe50⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Nbmmoklg.exeC:\Windows\system32\Nbmmoklg.exe51⤵
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Nfjeej32.exeC:\Windows\system32\Nfjeej32.exe52⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Ofdhlh32.exeC:\Windows\system32\Ofdhlh32.exe53⤵
- Executes dropped EXE
PID:3104 -
C:\Windows\SysWOW64\Anjikoip.exeC:\Windows\system32\Anjikoip.exe54⤵
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\Bjhpqn32.exeC:\Windows\system32\Bjhpqn32.exe55⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Bqahmhpi.exeC:\Windows\system32\Bqahmhpi.exe56⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Cddjofbj.exeC:\Windows\system32\Cddjofbj.exe57⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Egelgoah.exeC:\Windows\system32\Egelgoah.exe58⤵PID:4904
-
C:\Windows\SysWOW64\Faiplcmk.exeC:\Windows\system32\Faiplcmk.exe59⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Genobp32.exeC:\Windows\system32\Genobp32.exe60⤵
- Executes dropped EXE
PID:3356 -
C:\Windows\SysWOW64\Gmjcgb32.exeC:\Windows\system32\Gmjcgb32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Gajibq32.exeC:\Windows\system32\Gajibq32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Hdokok32.exeC:\Windows\system32\Hdokok32.exe63⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Hmhphqoe.exeC:\Windows\system32\Hmhphqoe.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1672 -
C:\Windows\SysWOW64\Hhmdeink.exeC:\Windows\system32\Hhmdeink.exe65⤵
- Executes dropped EXE
PID:4540 -
C:\Windows\SysWOW64\Ionbcb32.exeC:\Windows\system32\Ionbcb32.exe66⤵
- Executes dropped EXE
PID:3816 -
C:\Windows\SysWOW64\Iehkpmgl.exeC:\Windows\system32\Iehkpmgl.exe67⤵PID:4924
-
C:\Windows\SysWOW64\Jddnah32.exeC:\Windows\system32\Jddnah32.exe68⤵PID:3836
-
C:\Windows\SysWOW64\Koceep32.exeC:\Windows\system32\Koceep32.exe69⤵PID:3740
-
C:\Windows\SysWOW64\Kfmmajed.exeC:\Windows\system32\Kfmmajed.exe70⤵PID:1656
-
C:\Windows\SysWOW64\Knhbflbp.exeC:\Windows\system32\Knhbflbp.exe71⤵PID:400
-
C:\Windows\SysWOW64\Kdipce32.exeC:\Windows\system32\Kdipce32.exe72⤵PID:1244
-
C:\Windows\SysWOW64\Lnfngj32.exeC:\Windows\system32\Lnfngj32.exe73⤵PID:768
-
C:\Windows\SysWOW64\Aofemaog.exeC:\Windows\system32\Aofemaog.exe74⤵
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Cfbcfh32.exeC:\Windows\system32\Cfbcfh32.exe75⤵
- Modifies registry class
PID:3780 -
C:\Windows\SysWOW64\Dfeibf32.exeC:\Windows\system32\Dfeibf32.exe76⤵PID:3304
-
C:\Windows\SysWOW64\Eqbcqnph.exeC:\Windows\system32\Eqbcqnph.exe77⤵PID:2472
-
C:\Windows\SysWOW64\Fnjmea32.exeC:\Windows\system32\Fnjmea32.exe78⤵PID:4688
-
C:\Windows\SysWOW64\Gpgihh32.exeC:\Windows\system32\Gpgihh32.exe79⤵
- Drops file in System32 directory
PID:4916 -
C:\Windows\SysWOW64\Gjmmfq32.exeC:\Windows\system32\Gjmmfq32.exe80⤵
- Drops file in System32 directory
PID:5036 -
C:\Windows\SysWOW64\Hnpognhd.exeC:\Windows\system32\Hnpognhd.exe81⤵PID:748
-
C:\Windows\SysWOW64\Hdcnpd32.exeC:\Windows\system32\Hdcnpd32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4348 -
C:\Windows\SysWOW64\Iophnl32.exeC:\Windows\system32\Iophnl32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4736 -
C:\Windows\SysWOW64\Ipaeedpp.exeC:\Windows\system32\Ipaeedpp.exe84⤵
- Drops file in System32 directory
PID:3140 -
C:\Windows\SysWOW64\Jhapmphg.exeC:\Windows\system32\Jhapmphg.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1748 -
C:\Windows\SysWOW64\Jolhjj32.exeC:\Windows\system32\Jolhjj32.exe86⤵PID:2872
-
C:\Windows\SysWOW64\Jncapf32.exeC:\Windows\system32\Jncapf32.exe87⤵
- Modifies registry class
PID:2208 -
C:\Windows\SysWOW64\Kahpgcch.exeC:\Windows\system32\Kahpgcch.exe88⤵PID:692
-
C:\Windows\SysWOW64\Mqimdomb.exeC:\Windows\system32\Mqimdomb.exe89⤵PID:4508
-
C:\Windows\SysWOW64\Mggolhaj.exeC:\Windows\system32\Mggolhaj.exe90⤵PID:5024
-
C:\Windows\SysWOW64\Mqpcdn32.exeC:\Windows\system32\Mqpcdn32.exe91⤵PID:3284
-
C:\Windows\SysWOW64\Nkmmbe32.exeC:\Windows\system32\Nkmmbe32.exe92⤵
- Drops file in System32 directory
PID:4732 -
C:\Windows\SysWOW64\Qpikao32.exeC:\Windows\system32\Qpikao32.exe93⤵PID:1020
-
C:\Windows\SysWOW64\Alioloje.exeC:\Windows\system32\Alioloje.exe94⤵
- Modifies registry class
PID:4692 -
C:\Windows\SysWOW64\Cohdoh32.exeC:\Windows\system32\Cohdoh32.exe95⤵
- Modifies registry class
PID:220 -
C:\Windows\SysWOW64\Djkdnool.exeC:\Windows\system32\Djkdnool.exe96⤵PID:5032
-
C:\Windows\SysWOW64\Dpemjifi.exeC:\Windows\system32\Dpemjifi.exe97⤵PID:4912
-
C:\Windows\SysWOW64\Dcdifdem.exeC:\Windows\system32\Dcdifdem.exe98⤵PID:2204
-
C:\Windows\SysWOW64\Djnaco32.exeC:\Windows\system32\Djnaco32.exe99⤵PID:2696
-
C:\Windows\SysWOW64\Fbeeco32.exeC:\Windows\system32\Fbeeco32.exe100⤵
- Drops file in System32 directory
PID:4468 -
C:\Windows\SysWOW64\Fqfeag32.exeC:\Windows\system32\Fqfeag32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3188 -
C:\Windows\SysWOW64\Fbiooolb.exeC:\Windows\system32\Fbiooolb.exe102⤵PID:3108
-
C:\Windows\SysWOW64\Gbqeonfj.exeC:\Windows\system32\Gbqeonfj.exe103⤵PID:1836
-
C:\Windows\SysWOW64\Gcdkdpih.exeC:\Windows\system32\Gcdkdpih.exe104⤵PID:4896
-
C:\Windows\SysWOW64\Hboaql32.exeC:\Windows\system32\Hboaql32.exe105⤵
- Modifies registry class
PID:4172 -
C:\Windows\SysWOW64\Iffmmihf.exeC:\Windows\system32\Iffmmihf.exe106⤵PID:3272
-
C:\Windows\SysWOW64\Jbccbi32.exeC:\Windows\system32\Jbccbi32.exe107⤵PID:1132
-
C:\Windows\SysWOW64\Jbkjcgaj.exeC:\Windows\system32\Jbkjcgaj.exe108⤵PID:1084
-
C:\Windows\SysWOW64\Kkihedld.exeC:\Windows\system32\Kkihedld.exe109⤵PID:2092
-
C:\Windows\SysWOW64\Kinefp32.exeC:\Windows\system32\Kinefp32.exe110⤵
- Modifies registry class
PID:3096 -
C:\Windows\SysWOW64\Kkmapc32.exeC:\Windows\system32\Kkmapc32.exe111⤵
- Modifies registry class
PID:4900 -
C:\Windows\SysWOW64\Kpjjhj32.exeC:\Windows\system32\Kpjjhj32.exe112⤵PID:620
-
C:\Windows\SysWOW64\Lanpml32.exeC:\Windows\system32\Lanpml32.exe113⤵PID:3644
-
C:\Windows\SysWOW64\Lgkhec32.exeC:\Windows\system32\Lgkhec32.exe114⤵PID:4608
-
C:\Windows\SysWOW64\Mjqjbn32.exeC:\Windows\system32\Mjqjbn32.exe115⤵PID:3584
-
C:\Windows\SysWOW64\Nkgmmpab.exeC:\Windows\system32\Nkgmmpab.exe116⤵PID:5040
-
C:\Windows\SysWOW64\Nbfoeiei.exeC:\Windows\system32\Nbfoeiei.exe117⤵PID:1800
-
C:\Windows\SysWOW64\Ocqncp32.exeC:\Windows\system32\Ocqncp32.exe118⤵PID:1032
-
C:\Windows\SysWOW64\Occkhp32.exeC:\Windows\system32\Occkhp32.exe119⤵PID:1756
-
C:\Windows\SysWOW64\Oqgkadod.exeC:\Windows\system32\Oqgkadod.exe120⤵PID:4352
-
C:\Windows\SysWOW64\Okloomoj.exeC:\Windows\system32\Okloomoj.exe121⤵PID:4480
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-