Analysis
-
max time kernel
173s -
max time network
181s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
10-01-2024 18:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d8465905709676415449aee24d078987.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
d8465905709676415449aee24d078987.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
d8465905709676415449aee24d078987.exe
-
Size
95KB
-
MD5
d8465905709676415449aee24d078987
-
SHA1
25d5e03e3b35df7c22d8d696fd5ac1a5d936d1be
-
SHA256
8cf779364afb4dc8849ba8fd3ba2370b6d263192b746b140e0a9007049fa8dea
-
SHA512
5100f0a6ae6ca204cbbaf9372c1f12f6617e6ace530c32d190d7d19f43f9632a132c1d55b02b47992a94d6673492dc00603b6c14e04ad9f4143e3388d08becd6
-
SSDEEP
1536:7yuZChpp9L4w14q6E151BooB5lu8vaxF96s4UoMPOM6bOLXi8PmCofGV:7yUCh9L4zEj1yoQ8CxF96s4UoMPDrLXz
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcglfjgf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bagfeioc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhbifl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkbfafel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Indkih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oilmckml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alelkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgcpdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cldgmgml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igkkdigp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phombg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnafgd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nglhei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fqpomo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhckeeam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blqlgdhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgikpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eaklcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpcajflb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bphqdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhnqoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmmqbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbjmdlcb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oimdbnip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aikbpckb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaklcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jncfmgfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akcjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hadkib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdbheajp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmbmefob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jidpblik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kaemba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nconal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afpjoaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dggbmlba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fibncmpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkjmea32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdqffaql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emenhcdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlljglpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcdqbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aimhfqmk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ondleo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngombd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfedhihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkligd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njdeklca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flfjjkgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncifdlii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfojmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Infhohhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhkdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qifiph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niglfl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpgnmcdh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emfebjgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljbnpbkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mbdiecbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mldmlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phmjdbpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmpmfg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnfafpfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eeelge32.exe -
Executes dropped EXE 64 IoCs
pid Process 3496 Fhefmjlp.exe 2560 Hhckeeam.exe 2200 Ioffhn32.exe 1788 Jpdbjleo.exe 1840 Lpbokjho.exe 1136 Mjafoapj.exe 392 Mfmpob32.exe 4724 Nagngjmj.exe 1420 Nhafcd32.exe 1600 Niglfl32.exe 2040 Nhhldc32.exe 4596 Ophjdehd.exe 2400 Oajccgmd.exe 3772 Oggllnkl.exe 448 Pnjgog32.exe 5028 Phpklp32.exe 4548 Adkelplc.exe 4048 Bqkigp32.exe 4904 Biigildg.exe 3808 Cjaiac32.exe 4476 Eiobbgcl.exe 3256 Ghpooanf.exe 2884 Gaoihfoo.exe 312 Hhpheo32.exe 4804 Jmepcj32.exe 3648 Kcfnqccd.exe 3768 Mimbfg32.exe 1984 Ndjldo32.exe 3672 Qciebg32.exe 2404 Anccjp32.exe 3948 Akgcdc32.exe 3140 Bgggockk.exe 1852 Cqinng32.exe 1056 Flfjjkgi.exe 2760 Hlkmlhea.exe 1748 Jlkfbe32.exe 2880 Komhkn32.exe 3872 Nmhglopl.exe 1792 Nmmqgo32.exe 1404 Nldjnk32.exe 4076 Oimdbnip.exe 4852 Pfenga32.exe 964 Ppeipfdm.exe 4032 Peaahmcd.exe 1992 Qbeaba32.exe 2272 Qefkcl32.exe 4132 Aooolbep.exe 836 Alelkf32.exe 4896 Bpgnmcdh.exe 776 Blqlgdhi.exe 2340 Ccdgjm32.exe 3400 Cckmklac.exe 2364 Dnekcd32.exe 5024 Dcglfjgf.exe 4416 Eqpfknbj.exe 4748 Fgencf32.exe 2856 Ggldde32.exe 4644 Gadimkpb.exe 3636 Hpqlof32.exe 5036 Jopaejlo.exe 3272 Kolaqh32.exe 2460 Lhkkjl32.exe 4224 Mnjqhcno.exe 2268 Mkangg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Oicccj32.exe Oqfbihll.exe File opened for modification C:\Windows\SysWOW64\Fpoahbdh.exe Fegqejfe.exe File created C:\Windows\SysWOW64\Ghkebd32.exe Fapdomgg.exe File created C:\Windows\SysWOW64\Iildfd32.exe Icalij32.exe File created C:\Windows\SysWOW64\Qacnjegb.dll Blieeglf.exe File created C:\Windows\SysWOW64\Piaihn32.dll Nqaini32.exe File created C:\Windows\SysWOW64\Kcobje32.dll Ohncnegn.exe File created C:\Windows\SysWOW64\Cckmklac.exe Ccdgjm32.exe File created C:\Windows\SysWOW64\Ipilln32.dll Eqpfknbj.exe File opened for modification C:\Windows\SysWOW64\Ooaghe32.exe Ohgokknb.exe File opened for modification C:\Windows\SysWOW64\Mccfnc32.exe Mnfnfl32.exe File created C:\Windows\SysWOW64\Akdameeh.dll Kkfkod32.exe File created C:\Windows\SysWOW64\Aeodapcl.exe Pdkolm32.exe File created C:\Windows\SysWOW64\Lecoomqj.exe Llkjfh32.exe File opened for modification C:\Windows\SysWOW64\Blkdgheg.exe Aaqgop32.exe File created C:\Windows\SysWOW64\Pjbkal32.exe Pchcdbck.exe File opened for modification C:\Windows\SysWOW64\Phhhbi32.exe Pckpja32.exe File created C:\Windows\SysWOW64\Polbgh32.dll Chepehne.exe File created C:\Windows\SysWOW64\Heckgj32.dll Qejfeb32.exe File created C:\Windows\SysWOW64\Akicfe32.dll Fjqgpl32.exe File opened for modification C:\Windows\SysWOW64\Bhaeli32.exe Blkdgheg.exe File created C:\Windows\SysWOW64\Cmbobi32.dll Afboll32.exe File created C:\Windows\SysWOW64\Pjkbidaj.dll Poomom32.exe File created C:\Windows\SysWOW64\Ccdgjm32.exe Blqlgdhi.exe File opened for modification C:\Windows\SysWOW64\Kllodfpd.exe Johnkbaj.exe File created C:\Windows\SysWOW64\Biigildg.exe Bqkigp32.exe File created C:\Windows\SysWOW64\Hfncib32.dll Qciebg32.exe File opened for modification C:\Windows\SysWOW64\Hkfookmo.exe Hbnjfefo.exe File created C:\Windows\SysWOW64\Lcggbd32.exe Lmmoekem.exe File created C:\Windows\SysWOW64\Gacjkjgb.exe Ghkebd32.exe File opened for modification C:\Windows\SysWOW64\Jqbbicel.exe Jncfmgfi.exe File created C:\Windows\SysWOW64\Nijqml32.exe Nlljglpc.exe File opened for modification C:\Windows\SysWOW64\Cqinng32.exe Bgggockk.exe File opened for modification C:\Windows\SysWOW64\Qnfkgfdp.exe Peljha32.exe File opened for modification C:\Windows\SysWOW64\Fkcibnmd.exe Fhbpqb32.exe File opened for modification C:\Windows\SysWOW64\Fjpppipq.exe Fcfhco32.exe File opened for modification C:\Windows\SysWOW64\Bnkbmp32.exe Blieeglf.exe File created C:\Windows\SysWOW64\Hjaihk32.exe Hchqlqpj.exe File opened for modification C:\Windows\SysWOW64\Lcjchd32.exe Lqkgli32.exe File created C:\Windows\SysWOW64\Injgen32.dll Fkhppgic.exe File created C:\Windows\SysWOW64\Kahihagd.exe Kaemba32.exe File created C:\Windows\SysWOW64\Amfhao32.exe Aflpde32.exe File created C:\Windows\SysWOW64\Dmnpojej.exe Dgcgbp32.exe File opened for modification C:\Windows\SysWOW64\Peaahmcd.exe Ppeipfdm.exe File created C:\Windows\SysWOW64\Eofgioah.exe Eilomd32.exe File created C:\Windows\SysWOW64\Cbhifj32.exe Cagmnaad.exe File created C:\Windows\SysWOW64\Llkjfh32.exe Leabincm.exe File opened for modification C:\Windows\SysWOW64\Fkhppgic.exe Fenhcnaf.exe File created C:\Windows\SysWOW64\Olkkbe32.dll Piocoi32.exe File created C:\Windows\SysWOW64\Iakipo32.dll Pjopil32.exe File opened for modification C:\Windows\SysWOW64\Pcdqbk32.exe Pbddhhbo.exe File created C:\Windows\SysWOW64\Appaangd.exe Qajhigcj.exe File created C:\Windows\SysWOW64\Eopjbfig.dll Alcfoo32.exe File opened for modification C:\Windows\SysWOW64\Bhkmoifp.exe Baadbo32.exe File created C:\Windows\SysWOW64\Dhlfim32.dll Beajnm32.exe File created C:\Windows\SysWOW64\Ebggep32.exe Epgndedc.exe File opened for modification C:\Windows\SysWOW64\Fnipliip.exe Fimhcbkh.exe File created C:\Windows\SysWOW64\Ljnloi32.exe Lcdcbokq.exe File created C:\Windows\SysWOW64\Mbclgiio.dll Qjdpoacp.exe File opened for modification C:\Windows\SysWOW64\Kkkdjcjb.exe Kkfkod32.exe File created C:\Windows\SysWOW64\Deokhc32.exe Dkifkkpf.exe File created C:\Windows\SysWOW64\Dccldb32.dll Hdnlmj32.exe File opened for modification C:\Windows\SysWOW64\Hddbmedc.exe Ggpbcaei.exe File created C:\Windows\SysWOW64\Ehcllpla.dll Fqpomo32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aelcjbig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Amodnenk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hipdjfoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bnkbmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Niifnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgioah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qpmnml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnbecgdc.dll" Biigildg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfdkec32.dll" Pjbkal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffclml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjafoapj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plkoeeae.dll" Lpqioclc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ennqpkcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibdpefnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gaibcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkkbp32.dll" Cgijnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckghp32.dll" Cakghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhcpe32.dll" Aoioeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmfchq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcmdjgqg.dll" Kblpnall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmejknqp.dll" Opqdbhlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflkmqpj.dll" Mccfnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fnipliip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phombg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ekggijge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgfblh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mholmlmp.dll" Podkfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcijke32.dll" Nifldj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljmgmd32.dll" Efhlan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mambaa32.dll" Jlikdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Appjblkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhdilold.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pojhjc32.dll" Nnmojj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmfhigmk.dll" Npfkqpjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjdbk32.dll" Afnljenh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebfmecpm.dll" Clknii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcfhco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbjg32.dll" Ohgokknb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocopncke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dahmoefm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkhlpe32.dll" Qpmnml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nghkcamn.dll" Mdanjaqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glgjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Opqopj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qkhjim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nqaini32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgpjde32.dll" Icalij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mkjjncgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbjkabdh.dll" Ecdkno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imbaobmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afelal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djcoko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jpkfmfok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nedjdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppclej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlikdq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Idfmmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Koljaeen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbandfpf.dll" Nldjnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmapl32.dll" Nkojheoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohgokknb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnfmcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdgji32.dll" Ilhcmpeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kniggnim.dll" Jgigfg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4584 wrote to memory of 3496 4584 d8465905709676415449aee24d078987.exe 94 PID 4584 wrote to memory of 3496 4584 d8465905709676415449aee24d078987.exe 94 PID 4584 wrote to memory of 3496 4584 d8465905709676415449aee24d078987.exe 94 PID 3496 wrote to memory of 2560 3496 Fhefmjlp.exe 95 PID 3496 wrote to memory of 2560 3496 Fhefmjlp.exe 95 PID 3496 wrote to memory of 2560 3496 Fhefmjlp.exe 95 PID 2560 wrote to memory of 2200 2560 Hhckeeam.exe 96 PID 2560 wrote to memory of 2200 2560 Hhckeeam.exe 96 PID 2560 wrote to memory of 2200 2560 Hhckeeam.exe 96 PID 2200 wrote to memory of 1788 2200 Ioffhn32.exe 97 PID 2200 wrote to memory of 1788 2200 Ioffhn32.exe 97 PID 2200 wrote to memory of 1788 2200 Ioffhn32.exe 97 PID 1788 wrote to memory of 1840 1788 Jpdbjleo.exe 98 PID 1788 wrote to memory of 1840 1788 Jpdbjleo.exe 98 PID 1788 wrote to memory of 1840 1788 Jpdbjleo.exe 98 PID 1840 wrote to memory of 1136 1840 Lpbokjho.exe 99 PID 1840 wrote to memory of 1136 1840 Lpbokjho.exe 99 PID 1840 wrote to memory of 1136 1840 Lpbokjho.exe 99 PID 1136 wrote to memory of 392 1136 Mjafoapj.exe 100 PID 1136 wrote to memory of 392 1136 Mjafoapj.exe 100 PID 1136 wrote to memory of 392 1136 Mjafoapj.exe 100 PID 392 wrote to memory of 4724 392 Mfmpob32.exe 101 PID 392 wrote to memory of 4724 392 Mfmpob32.exe 101 PID 392 wrote to memory of 4724 392 Mfmpob32.exe 101 PID 4724 wrote to memory of 1420 4724 Nagngjmj.exe 102 PID 4724 wrote to memory of 1420 4724 Nagngjmj.exe 102 PID 4724 wrote to memory of 1420 4724 Nagngjmj.exe 102 PID 1420 wrote to memory of 1600 1420 Nhafcd32.exe 103 PID 1420 wrote to memory of 1600 1420 Nhafcd32.exe 103 PID 1420 wrote to memory of 1600 1420 Nhafcd32.exe 103 PID 1600 wrote to memory of 2040 1600 Niglfl32.exe 104 PID 1600 wrote to memory of 2040 1600 Niglfl32.exe 104 PID 1600 wrote to memory of 2040 1600 Niglfl32.exe 104 PID 2040 wrote to memory of 4596 2040 Nhhldc32.exe 105 PID 2040 wrote to memory of 4596 2040 Nhhldc32.exe 105 PID 2040 wrote to memory of 4596 2040 Nhhldc32.exe 105 PID 4596 wrote to memory of 2400 4596 Ophjdehd.exe 106 PID 4596 wrote to memory of 2400 4596 Ophjdehd.exe 106 PID 4596 wrote to memory of 2400 4596 Ophjdehd.exe 106 PID 2400 wrote to memory of 3772 2400 Oajccgmd.exe 107 PID 2400 wrote to memory of 3772 2400 Oajccgmd.exe 107 PID 2400 wrote to memory of 3772 2400 Oajccgmd.exe 107 PID 3772 wrote to memory of 448 3772 Oggllnkl.exe 108 PID 3772 wrote to memory of 448 3772 Oggllnkl.exe 108 PID 3772 wrote to memory of 448 3772 Oggllnkl.exe 108 PID 448 wrote to memory of 5028 448 Pnjgog32.exe 109 PID 448 wrote to memory of 5028 448 Pnjgog32.exe 109 PID 448 wrote to memory of 5028 448 Pnjgog32.exe 109 PID 5028 wrote to memory of 4548 5028 Phpklp32.exe 110 PID 5028 wrote to memory of 4548 5028 Phpklp32.exe 110 PID 5028 wrote to memory of 4548 5028 Phpklp32.exe 110 PID 4548 wrote to memory of 4048 4548 Adkelplc.exe 111 PID 4548 wrote to memory of 4048 4548 Adkelplc.exe 111 PID 4548 wrote to memory of 4048 4548 Adkelplc.exe 111 PID 4048 wrote to memory of 4904 4048 Bqkigp32.exe 112 PID 4048 wrote to memory of 4904 4048 Bqkigp32.exe 112 PID 4048 wrote to memory of 4904 4048 Bqkigp32.exe 112 PID 4904 wrote to memory of 3808 4904 Biigildg.exe 114 PID 4904 wrote to memory of 3808 4904 Biigildg.exe 114 PID 4904 wrote to memory of 3808 4904 Biigildg.exe 114 PID 3808 wrote to memory of 4476 3808 Cjaiac32.exe 115 PID 3808 wrote to memory of 4476 3808 Cjaiac32.exe 115 PID 3808 wrote to memory of 4476 3808 Cjaiac32.exe 115 PID 4476 wrote to memory of 3256 4476 Eiobbgcl.exe 116
Processes
-
C:\Users\Admin\AppData\Local\Temp\d8465905709676415449aee24d078987.exe"C:\Users\Admin\AppData\Local\Temp\d8465905709676415449aee24d078987.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Windows\SysWOW64\Fhefmjlp.exeC:\Windows\system32\Fhefmjlp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\Hhckeeam.exeC:\Windows\system32\Hhckeeam.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Ioffhn32.exeC:\Windows\system32\Ioffhn32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Jpdbjleo.exeC:\Windows\system32\Jpdbjleo.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Lpbokjho.exeC:\Windows\system32\Lpbokjho.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\Mjafoapj.exeC:\Windows\system32\Mjafoapj.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Mfmpob32.exeC:\Windows\system32\Mfmpob32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\SysWOW64\Nagngjmj.exeC:\Windows\system32\Nagngjmj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Windows\SysWOW64\Nhafcd32.exeC:\Windows\system32\Nhafcd32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\Niglfl32.exeC:\Windows\system32\Niglfl32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\Nhhldc32.exeC:\Windows\system32\Nhhldc32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Ophjdehd.exeC:\Windows\system32\Ophjdehd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Oajccgmd.exeC:\Windows\system32\Oajccgmd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Oggllnkl.exeC:\Windows\system32\Oggllnkl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
C:\Windows\SysWOW64\Pnjgog32.exeC:\Windows\system32\Pnjgog32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\Phpklp32.exeC:\Windows\system32\Phpklp32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\SysWOW64\Adkelplc.exeC:\Windows\system32\Adkelplc.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Windows\SysWOW64\Bqkigp32.exeC:\Windows\system32\Bqkigp32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Windows\SysWOW64\Biigildg.exeC:\Windows\system32\Biigildg.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\SysWOW64\Cjaiac32.exeC:\Windows\system32\Cjaiac32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808 -
C:\Windows\SysWOW64\Eiobbgcl.exeC:\Windows\system32\Eiobbgcl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\SysWOW64\Ghpooanf.exeC:\Windows\system32\Ghpooanf.exe23⤵
- Executes dropped EXE
PID:3256 -
C:\Windows\SysWOW64\Gaoihfoo.exeC:\Windows\system32\Gaoihfoo.exe24⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Hhpheo32.exeC:\Windows\system32\Hhpheo32.exe25⤵
- Executes dropped EXE
PID:312 -
C:\Windows\SysWOW64\Jmepcj32.exeC:\Windows\system32\Jmepcj32.exe26⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Kcfnqccd.exeC:\Windows\system32\Kcfnqccd.exe27⤵
- Executes dropped EXE
PID:3648 -
C:\Windows\SysWOW64\Mimbfg32.exeC:\Windows\system32\Mimbfg32.exe28⤵
- Executes dropped EXE
PID:3768 -
C:\Windows\SysWOW64\Ndjldo32.exeC:\Windows\system32\Ndjldo32.exe29⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Qciebg32.exeC:\Windows\system32\Qciebg32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3672 -
C:\Windows\SysWOW64\Anccjp32.exeC:\Windows\system32\Anccjp32.exe31⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Akgcdc32.exeC:\Windows\system32\Akgcdc32.exe32⤵
- Executes dropped EXE
PID:3948 -
C:\Windows\SysWOW64\Bgggockk.exeC:\Windows\system32\Bgggockk.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3140 -
C:\Windows\SysWOW64\Cqinng32.exeC:\Windows\system32\Cqinng32.exe34⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Flfjjkgi.exeC:\Windows\system32\Flfjjkgi.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Hlkmlhea.exeC:\Windows\system32\Hlkmlhea.exe36⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Jlkfbe32.exeC:\Windows\system32\Jlkfbe32.exe37⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Komhkn32.exeC:\Windows\system32\Komhkn32.exe38⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Nmhglopl.exeC:\Windows\system32\Nmhglopl.exe39⤵
- Executes dropped EXE
PID:3872 -
C:\Windows\SysWOW64\Nmmqgo32.exeC:\Windows\system32\Nmmqgo32.exe40⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Nldjnk32.exeC:\Windows\system32\Nldjnk32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1404 -
C:\Windows\SysWOW64\Oimdbnip.exeC:\Windows\system32\Oimdbnip.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Pfenga32.exeC:\Windows\system32\Pfenga32.exe43⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Ppeipfdm.exeC:\Windows\system32\Ppeipfdm.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:964 -
C:\Windows\SysWOW64\Peaahmcd.exeC:\Windows\system32\Peaahmcd.exe45⤵
- Executes dropped EXE
PID:4032 -
C:\Windows\SysWOW64\Qbeaba32.exeC:\Windows\system32\Qbeaba32.exe46⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Qefkcl32.exeC:\Windows\system32\Qefkcl32.exe47⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Aooolbep.exeC:\Windows\system32\Aooolbep.exe48⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Alelkf32.exeC:\Windows\system32\Alelkf32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Bpgnmcdh.exeC:\Windows\system32\Bpgnmcdh.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Blqlgdhi.exeC:\Windows\system32\Blqlgdhi.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:776 -
C:\Windows\SysWOW64\Ccdgjm32.exeC:\Windows\system32\Ccdgjm32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Cckmklac.exeC:\Windows\system32\Cckmklac.exe53⤵
- Executes dropped EXE
PID:3400 -
C:\Windows\SysWOW64\Dnekcd32.exeC:\Windows\system32\Dnekcd32.exe54⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Dcglfjgf.exeC:\Windows\system32\Dcglfjgf.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Eqpfknbj.exeC:\Windows\system32\Eqpfknbj.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4416 -
C:\Windows\SysWOW64\Fgencf32.exeC:\Windows\system32\Fgencf32.exe57⤵
- Executes dropped EXE
PID:4748 -
C:\Windows\SysWOW64\Ggldde32.exeC:\Windows\system32\Ggldde32.exe58⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Gadimkpb.exeC:\Windows\system32\Gadimkpb.exe59⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Hpqlof32.exeC:\Windows\system32\Hpqlof32.exe60⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Jopaejlo.exeC:\Windows\system32\Jopaejlo.exe61⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Kolaqh32.exeC:\Windows\system32\Kolaqh32.exe62⤵
- Executes dropped EXE
PID:3272 -
C:\Windows\SysWOW64\Lhkkjl32.exeC:\Windows\system32\Lhkkjl32.exe63⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Mnjqhcno.exeC:\Windows\system32\Mnjqhcno.exe64⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Mkangg32.exeC:\Windows\system32\Mkangg32.exe65⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Mggolhaj.exeC:\Windows\system32\Mggolhaj.exe66⤵PID:4588
-
C:\Windows\SysWOW64\Mbmbiqqp.exeC:\Windows\system32\Mbmbiqqp.exe67⤵PID:3868
-
C:\Windows\SysWOW64\Ngodlgka.exeC:\Windows\system32\Ngodlgka.exe68⤵PID:1884
-
C:\Windows\SysWOW64\Nkojheoe.exeC:\Windows\system32\Nkojheoe.exe69⤵
- Modifies registry class
PID:4980 -
C:\Windows\SysWOW64\Ondleo32.exeC:\Windows\system32\Ondleo32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:216 -
C:\Windows\SysWOW64\Oendaipn.exeC:\Windows\system32\Oendaipn.exe71⤵PID:4728
-
C:\Windows\SysWOW64\Olmficce.exeC:\Windows\system32\Olmficce.exe72⤵PID:1312
-
C:\Windows\SysWOW64\Pldljbmn.exeC:\Windows\system32\Pldljbmn.exe73⤵PID:3420
-
C:\Windows\SysWOW64\Phmjdbpo.exeC:\Windows\system32\Phmjdbpo.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3852 -
C:\Windows\SysWOW64\Qajhigcj.exeC:\Windows\system32\Qajhigcj.exe75⤵
- Drops file in System32 directory
PID:4124 -
C:\Windows\SysWOW64\Appaangd.exeC:\Windows\system32\Appaangd.exe76⤵PID:2232
-
C:\Windows\SysWOW64\Aihfjd32.exeC:\Windows\system32\Aihfjd32.exe77⤵PID:2836
-
C:\Windows\SysWOW64\Aikbpckb.exeC:\Windows\system32\Aikbpckb.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5004 -
C:\Windows\SysWOW64\Bpidhmoi.exeC:\Windows\system32\Bpidhmoi.exe79⤵PID:2936
-
C:\Windows\SysWOW64\Bhdilold.exeC:\Windows\system32\Bhdilold.exe80⤵
- Modifies registry class
PID:4988 -
C:\Windows\SysWOW64\Baojkdqb.exeC:\Windows\system32\Baojkdqb.exe81⤵PID:1160
-
C:\Windows\SysWOW64\Cemcqcgi.exeC:\Windows\system32\Cemcqcgi.exe82⤵PID:936
-
C:\Windows\SysWOW64\Cimhlakl.exeC:\Windows\system32\Cimhlakl.exe83⤵PID:1280
-
C:\Windows\SysWOW64\Cediab32.exeC:\Windows\system32\Cediab32.exe84⤵PID:3804
-
C:\Windows\SysWOW64\Dcmcfeke.exeC:\Windows\system32\Dcmcfeke.exe85⤵PID:4464
-
C:\Windows\SysWOW64\Djgkbp32.exeC:\Windows\system32\Djgkbp32.exe86⤵PID:4744
-
C:\Windows\SysWOW64\Dagiba32.exeC:\Windows\system32\Dagiba32.exe87⤵PID:636
-
C:\Windows\SysWOW64\Elagjihh.exeC:\Windows\system32\Elagjihh.exe88⤵PID:1332
-
C:\Windows\SysWOW64\Ehjdejkj.exeC:\Windows\system32\Ehjdejkj.exe89⤵PID:2160
-
C:\Windows\SysWOW64\Fqhbgf32.exeC:\Windows\system32\Fqhbgf32.exe90⤵PID:2740
-
C:\Windows\SysWOW64\Fjqgpl32.exeC:\Windows\system32\Fjqgpl32.exe91⤵
- Drops file in System32 directory
PID:2356 -
C:\Windows\SysWOW64\Gimjag32.exeC:\Windows\system32\Gimjag32.exe92⤵PID:1256
-
C:\Windows\SysWOW64\Gjlfkj32.exeC:\Windows\system32\Gjlfkj32.exe93⤵PID:3324
-
C:\Windows\SysWOW64\Gqfohdjd.exeC:\Windows\system32\Gqfohdjd.exe94⤵PID:2400
-
C:\Windows\SysWOW64\Gbgkpm32.exeC:\Windows\system32\Gbgkpm32.exe95⤵PID:2496
-
C:\Windows\SysWOW64\Hadkib32.exeC:\Windows\system32\Hadkib32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2120 -
C:\Windows\SysWOW64\Iippne32.exeC:\Windows\system32\Iippne32.exe97⤵PID:3424
-
C:\Windows\SysWOW64\Imbaobmp.exeC:\Windows\system32\Imbaobmp.exe98⤵
- Modifies registry class
PID:4844 -
C:\Windows\SysWOW64\Jjmhie32.exeC:\Windows\system32\Jjmhie32.exe99⤵PID:3556
-
C:\Windows\SysWOW64\Jfffcf32.exeC:\Windows\system32\Jfffcf32.exe100⤵PID:212
-
C:\Windows\SysWOW64\Kdlcbjfj.exeC:\Windows\system32\Kdlcbjfj.exe101⤵PID:4020
-
C:\Windows\SysWOW64\Kkfkod32.exeC:\Windows\system32\Kkfkod32.exe102⤵
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Kkkdjcjb.exeC:\Windows\system32\Kkkdjcjb.exe103⤵PID:692
-
C:\Windows\SysWOW64\Lgikpc32.exeC:\Windows\system32\Lgikpc32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:760 -
C:\Windows\SysWOW64\Lngmhm32.exeC:\Windows\system32\Lngmhm32.exe105⤵PID:672
-
C:\Windows\SysWOW64\Mnochl32.exeC:\Windows\system32\Mnochl32.exe106⤵PID:2612
-
C:\Windows\SysWOW64\Ndmepe32.exeC:\Windows\system32\Ndmepe32.exe107⤵PID:3584
-
C:\Windows\SysWOW64\Nnmojj32.exeC:\Windows\system32\Nnmojj32.exe108⤵
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Odkaac32.exeC:\Windows\system32\Odkaac32.exe109⤵PID:2328
-
C:\Windows\SysWOW64\Ojjfpjjj.exeC:\Windows\system32\Ojjfpjjj.exe110⤵PID:4804
-
C:\Windows\SysWOW64\Obdkfg32.exeC:\Windows\system32\Obdkfg32.exe111⤵PID:3036
-
C:\Windows\SysWOW64\Ogqcon32.exeC:\Windows\system32\Ogqcon32.exe112⤵PID:4964
-
C:\Windows\SysWOW64\Pqihgcma.exeC:\Windows\system32\Pqihgcma.exe113⤵PID:312
-
C:\Windows\SysWOW64\Pgcpdn32.exeC:\Windows\system32\Pgcpdn32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2804 -
C:\Windows\SysWOW64\Pgemimck.exeC:\Windows\system32\Pgemimck.exe115⤵PID:1788
-
C:\Windows\SysWOW64\Pkcepl32.exeC:\Windows\system32\Pkcepl32.exe116⤵PID:5128
-
C:\Windows\SysWOW64\Peljha32.exeC:\Windows\system32\Peljha32.exe117⤵
- Drops file in System32 directory
PID:5176 -
C:\Windows\SysWOW64\Qnfkgfdp.exeC:\Windows\system32\Qnfkgfdp.exe118⤵PID:5224
-
C:\Windows\SysWOW64\Aejfjocb.exeC:\Windows\system32\Aejfjocb.exe119⤵PID:5264
-
C:\Windows\SysWOW64\Ajfobfaj.exeC:\Windows\system32\Ajfobfaj.exe120⤵PID:5304
-
C:\Windows\SysWOW64\Aaqgop32.exeC:\Windows\system32\Aaqgop32.exe121⤵
- Drops file in System32 directory
PID:5356
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-