Analysis
-
max time kernel
150s -
max time network
134s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
06/03/2024, 00:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b6d96b5bf25a081bfbb398131d80082a876ca363ec3516056b3b4de540e5e842.exe
Resource
win7-20240221-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
b6d96b5bf25a081bfbb398131d80082a876ca363ec3516056b3b4de540e5e842.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
b6d96b5bf25a081bfbb398131d80082a876ca363ec3516056b3b4de540e5e842.exe
-
Size
80KB
-
MD5
5d4464e36eaf7623ae4682eac3780552
-
SHA1
80778bf4b7e3d32c3436a7f06b6ed157fd2ff410
-
SHA256
b6d96b5bf25a081bfbb398131d80082a876ca363ec3516056b3b4de540e5e842
-
SHA512
76a0b5c15af5cd98f036e43ff83dc451aa5b83089baedae0ba053eaf6713ccdcab7a618c335895d875ca0375c98529102eaa99e2ca3f0e92189758fd5cafe2ee
-
SSDEEP
1536:IfBB99ykd7i572LeS5DUHRbPa9b6i+sIk:IfBBqk05YeS5DSCopsIk
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mioabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ookpodkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phhjblpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgkbeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bidlgdlk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhikme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdecha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmmhaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckcepj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpelnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgaiobjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldllgiek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aflfjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkbfdfbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noljjglk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abhkfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cepfgdnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcjeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elhnof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbdlkj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogiaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmfkfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhnjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfnneb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcjnfdbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmbalfem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijklknbn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imiigiab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgnjde32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pphkbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkcpei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aknlofim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjcoqdoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anolkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obdojcef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ookpodkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfbbjpgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgblmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilkpogmm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elldgehk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdnolfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkjdopeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcmoda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdcmbgkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbiiog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knekla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdgkco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clgbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gicdnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngneph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okojkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flqmbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pafbadcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkjdopeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imiigiab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjbeofpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olgmcmgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjbafi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnkmqkbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgfcja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcheib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmcnqama.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnpmfqap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdbpnk32.exe -
Executes dropped EXE 64 IoCs
pid Process 1420 Dlahng32.exe 2520 Epoqde32.exe 2544 Ejgemkbm.exe 2960 Ebcjamoh.exe 2428 Elhnof32.exe 3008 Enlglnci.exe 520 Ehakigbo.exe 2788 Fnndan32.exe 480 Fnqqgm32.exe 2164 Fncmmmma.exe 1644 Fgkbeb32.exe 668 Fnejbmko.exe 2668 Fpffje32.exe 1392 Fmjgcipg.exe 1052 Ffcllo32.exe 2864 Gcglec32.exe 2596 Gicdnj32.exe 1780 Gnpmfqap.exe 760 Gifaciae.exe 1196 Gppipc32.exe 1560 Gnefapmj.exe 1812 Gjlgfaco.exe 884 Hafock32.exe 2968 Hahlhkhi.exe 2172 Hicqmmfc.exe 568 Hdiejfej.exe 2088 Hjcmgp32.exe 2264 Hlffdh32.exe 2560 Hflkaq32.exe 3036 Ipdojfgh.exe 2540 Iaelanmg.exe 928 Ilkpogmm.exe 2448 Ikpmpc32.exe 2916 Imoilo32.exe 2736 Iggned32.exe 464 Ionefb32.exe 2808 Ippbnjni.exe 2140 Idknoi32.exe 1640 Igijkd32.exe 1652 Idmkdh32.exe 1416 Jkgcab32.exe 328 Jcbhee32.exe 940 Jcedkd32.exe 612 Jpiedieo.exe 1892 Jajala32.exe 2024 Jkbfdfbm.exe 2300 Jcjnfdbp.exe 1792 Jlbboiip.exe 620 Kdmgclfk.exe 2820 Knekla32.exe 672 Kdbpnk32.exe 1680 Kqiaclhj.exe 1228 Lihobnap.exe 1112 Lnhdqdnd.exe 880 Liminmmk.exe 2268 Lahmbo32.exe 240 Lipecm32.exe 2888 Mjcoqdoc.exe 1940 Mnojacgm.exe 2988 Meicnm32.exe 2508 Mfjoeeeh.exe 3028 Mnaggcej.exe 2452 Mapccndn.exe 2792 Mfllkece.exe -
Loads dropped DLL 64 IoCs
pid Process 1904 b6d96b5bf25a081bfbb398131d80082a876ca363ec3516056b3b4de540e5e842.exe 1904 b6d96b5bf25a081bfbb398131d80082a876ca363ec3516056b3b4de540e5e842.exe 1420 Dlahng32.exe 1420 Dlahng32.exe 2520 Epoqde32.exe 2520 Epoqde32.exe 2544 Ejgemkbm.exe 2544 Ejgemkbm.exe 2960 Ebcjamoh.exe 2960 Ebcjamoh.exe 2428 Elhnof32.exe 2428 Elhnof32.exe 3008 Enlglnci.exe 3008 Enlglnci.exe 520 Ehakigbo.exe 520 Ehakigbo.exe 2788 Fnndan32.exe 2788 Fnndan32.exe 480 Fnqqgm32.exe 480 Fnqqgm32.exe 2164 Fncmmmma.exe 2164 Fncmmmma.exe 1644 Fgkbeb32.exe 1644 Fgkbeb32.exe 668 Fnejbmko.exe 668 Fnejbmko.exe 2668 Fpffje32.exe 2668 Fpffje32.exe 1392 Fmjgcipg.exe 1392 Fmjgcipg.exe 1052 Ffcllo32.exe 1052 Ffcllo32.exe 2864 Gcglec32.exe 2864 Gcglec32.exe 2596 Gicdnj32.exe 2596 Gicdnj32.exe 1780 Gnpmfqap.exe 1780 Gnpmfqap.exe 760 Gifaciae.exe 760 Gifaciae.exe 1196 Gppipc32.exe 1196 Gppipc32.exe 1560 Gnefapmj.exe 1560 Gnefapmj.exe 1812 Gjlgfaco.exe 1812 Gjlgfaco.exe 884 Hafock32.exe 884 Hafock32.exe 2968 Hahlhkhi.exe 2968 Hahlhkhi.exe 2172 Hicqmmfc.exe 2172 Hicqmmfc.exe 568 Hdiejfej.exe 568 Hdiejfej.exe 2088 Hjcmgp32.exe 2088 Hjcmgp32.exe 2264 Hlffdh32.exe 2264 Hlffdh32.exe 2560 Hflkaq32.exe 2560 Hflkaq32.exe 3036 Ipdojfgh.exe 3036 Ipdojfgh.exe 2540 Iaelanmg.exe 2540 Iaelanmg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ajfiadlm.dll Ooqpdj32.exe File created C:\Windows\SysWOW64\Bgepiehf.dll Qogbdl32.exe File created C:\Windows\SysWOW64\Afdgfelo.exe Abhkfg32.exe File created C:\Windows\SysWOW64\Oaccbmie.dll Koddccaa.exe File created C:\Windows\SysWOW64\Ahanckfm.dll Caaggpdh.exe File opened for modification C:\Windows\SysWOW64\Elhnof32.exe Ebcjamoh.exe File created C:\Windows\SysWOW64\Oqjnfnij.dll Lahmbo32.exe File created C:\Windows\SysWOW64\Cmgkfh32.dll Ohidmoaa.exe File opened for modification C:\Windows\SysWOW64\Akcldl32.exe Aeidgbaf.exe File created C:\Windows\SysWOW64\Bmcopp32.dll Bpjkiogm.exe File opened for modification C:\Windows\SysWOW64\Kfnmpn32.exe Koddccaa.exe File created C:\Windows\SysWOW64\Ljghjpfe.exe Lghlndfa.exe File created C:\Windows\SysWOW64\Ppegoheg.dll Fnndan32.exe File created C:\Windows\SysWOW64\Ofinocal.dll Iggned32.exe File opened for modification C:\Windows\SysWOW64\Mioabp32.exe Mfaefd32.exe File opened for modification C:\Windows\SysWOW64\Hmglajcd.exe Hjipenda.exe File created C:\Windows\SysWOW64\Fqahnjpk.dll Jdaqmg32.exe File created C:\Windows\SysWOW64\Dclchm32.dll Gnefapmj.exe File created C:\Windows\SysWOW64\Meecopha.dll Gcmoda32.exe File created C:\Windows\SysWOW64\Clgbno32.exe Cemjae32.exe File opened for modification C:\Windows\SysWOW64\Lipecm32.exe Lahmbo32.exe File created C:\Windows\SysWOW64\Kcamjb32.exe Kpcqnf32.exe File created C:\Windows\SysWOW64\Ionefb32.exe Iggned32.exe File created C:\Windows\SysWOW64\Gnhhch32.dll Idmkdh32.exe File created C:\Windows\SysWOW64\Ieljfpdl.dll Cdecha32.exe File opened for modification C:\Windows\SysWOW64\Helgmg32.exe Hnbopmnm.exe File opened for modification C:\Windows\SysWOW64\Amaelomh.exe Anneqafn.exe File created C:\Windows\SysWOW64\Mlncpkde.dll Gnpmfqap.exe File created C:\Windows\SysWOW64\Hicqmmfc.exe Hahlhkhi.exe File created C:\Windows\SysWOW64\Cbaocobg.dll Pgegok32.exe File opened for modification C:\Windows\SysWOW64\Bibpad32.exe Bfccei32.exe File created C:\Windows\SysWOW64\Bdoocd32.dll Ehakigbo.exe File created C:\Windows\SysWOW64\Phnnho32.exe Padeldeo.exe File created C:\Windows\SysWOW64\Fffefjmi.exe Eolmip32.exe File created C:\Windows\SysWOW64\Hdlkcdog.exe Hanogipc.exe File created C:\Windows\SysWOW64\Akkoig32.exe Qdaglmcb.exe File created C:\Windows\SysWOW64\Bhdbmf32.dll Qfonkfqd.exe File created C:\Windows\SysWOW64\Abmdafpp.exe Akcldl32.exe File created C:\Windows\SysWOW64\Lngnfnji.exe Lfpeeqig.exe File created C:\Windows\SysWOW64\Onffhdlh.dll Pcdkif32.exe File created C:\Windows\SysWOW64\Abegfa32.exe Akkoig32.exe File created C:\Windows\SysWOW64\Odebolpe.exe Omkjbb32.exe File opened for modification C:\Windows\SysWOW64\Cohkpj32.exe Cljodo32.exe File opened for modification C:\Windows\SysWOW64\Lqcmmjko.exe Lmgalkcf.exe File created C:\Windows\SysWOW64\Obdojcef.exe Olkfmi32.exe File created C:\Windows\SysWOW64\Nbhgbm32.dll Pgckjk32.exe File created C:\Windows\SysWOW64\Hpjeialg.exe Hloiib32.exe File created C:\Windows\SysWOW64\Lokgcf32.exe Lmljgj32.exe File created C:\Windows\SysWOW64\Kfhpaf32.dll Bnldjekl.exe File created C:\Windows\SysWOW64\Cbepdhgc.exe Cpfdhl32.exe File created C:\Windows\SysWOW64\Lbfkfemo.dll Fpffje32.exe File opened for modification C:\Windows\SysWOW64\Gpelnb32.exe Gmgpbf32.exe File created C:\Windows\SysWOW64\Fjjeanhe.dll Ceeieced.exe File created C:\Windows\SysWOW64\Jpcmjq32.dll Cepfgdnj.exe File created C:\Windows\SysWOW64\Nfnneb32.exe Nmejllia.exe File created C:\Windows\SysWOW64\Noacef32.exe Nkegeg32.exe File created C:\Windows\SysWOW64\Ebfbbc32.dll Aababceh.exe File created C:\Windows\SysWOW64\Poeofkoh.dll Jgaiobjn.exe File created C:\Windows\SysWOW64\Pciddedl.exe Ppkhhjei.exe File opened for modification C:\Windows\SysWOW64\Fnejbmko.exe Fgkbeb32.exe File opened for modification C:\Windows\SysWOW64\Imoilo32.exe Ikpmpc32.exe File created C:\Windows\SysWOW64\Oklnff32.exe Npgihn32.exe File created C:\Windows\SysWOW64\Comdkipe.exe Cdgpnqpo.exe File opened for modification C:\Windows\SysWOW64\Cbgmigeq.exe Ccdmnj32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agjmim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lohjnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdmgclfk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Liminmmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meicnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oekhacbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jepmgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Endjaief.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmgpbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jniefm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbpipp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnqqgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlnnnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pakllc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpnddn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibkkjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqgkdo32.dll" Jkhldafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcmopjf.dll" Ebcjamoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdbiji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afajafoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aababceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnoldn32.dll" Lbnpkmfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nllcmj32.dll" Ohojmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbqmnm32.dll" Ecfldoph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iplnnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjcbljh.dll" Mkddnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffcllo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hahlhkhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mapccndn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mioabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obgneo32.dll" Imnbbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aopjkjhh.dll" Jepmgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nihqegkl.dll" Aknlofim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epoqde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpffje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eadphb32.dll" Lipecm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngneph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iadacpgf.dll" Cdgpnqpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfnneb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amohfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdaemiaj.dll" Cbepdhgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpnidcen.dll" Cbgmigeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmhmlbkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qfonkfqd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bekmle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqcmmjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfnoogbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikpmpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okojkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbdhjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijmipn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kqiaclhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afajafoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgmbkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hibjbgbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqejbiim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Noljjglk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phnnho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giiglhjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbpiog32.dll" Hdoghdmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqfcn32.dll" Nhdocl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnkmqkbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmjgcipg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Holphali.dll" Odebolpe.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1904 wrote to memory of 1420 1904 b6d96b5bf25a081bfbb398131d80082a876ca363ec3516056b3b4de540e5e842.exe 28 PID 1904 wrote to memory of 1420 1904 b6d96b5bf25a081bfbb398131d80082a876ca363ec3516056b3b4de540e5e842.exe 28 PID 1904 wrote to memory of 1420 1904 b6d96b5bf25a081bfbb398131d80082a876ca363ec3516056b3b4de540e5e842.exe 28 PID 1904 wrote to memory of 1420 1904 b6d96b5bf25a081bfbb398131d80082a876ca363ec3516056b3b4de540e5e842.exe 28 PID 1420 wrote to memory of 2520 1420 Dlahng32.exe 29 PID 1420 wrote to memory of 2520 1420 Dlahng32.exe 29 PID 1420 wrote to memory of 2520 1420 Dlahng32.exe 29 PID 1420 wrote to memory of 2520 1420 Dlahng32.exe 29 PID 2520 wrote to memory of 2544 2520 Epoqde32.exe 30 PID 2520 wrote to memory of 2544 2520 Epoqde32.exe 30 PID 2520 wrote to memory of 2544 2520 Epoqde32.exe 30 PID 2520 wrote to memory of 2544 2520 Epoqde32.exe 30 PID 2544 wrote to memory of 2960 2544 Ejgemkbm.exe 31 PID 2544 wrote to memory of 2960 2544 Ejgemkbm.exe 31 PID 2544 wrote to memory of 2960 2544 Ejgemkbm.exe 31 PID 2544 wrote to memory of 2960 2544 Ejgemkbm.exe 31 PID 2960 wrote to memory of 2428 2960 Ebcjamoh.exe 32 PID 2960 wrote to memory of 2428 2960 Ebcjamoh.exe 32 PID 2960 wrote to memory of 2428 2960 Ebcjamoh.exe 32 PID 2960 wrote to memory of 2428 2960 Ebcjamoh.exe 32 PID 2428 wrote to memory of 3008 2428 Elhnof32.exe 33 PID 2428 wrote to memory of 3008 2428 Elhnof32.exe 33 PID 2428 wrote to memory of 3008 2428 Elhnof32.exe 33 PID 2428 wrote to memory of 3008 2428 Elhnof32.exe 33 PID 3008 wrote to memory of 520 3008 Enlglnci.exe 34 PID 3008 wrote to memory of 520 3008 Enlglnci.exe 34 PID 3008 wrote to memory of 520 3008 Enlglnci.exe 34 PID 3008 wrote to memory of 520 3008 Enlglnci.exe 34 PID 520 wrote to memory of 2788 520 Ehakigbo.exe 35 PID 520 wrote to memory of 2788 520 Ehakigbo.exe 35 PID 520 wrote to memory of 2788 520 Ehakigbo.exe 35 PID 520 wrote to memory of 2788 520 Ehakigbo.exe 35 PID 2788 wrote to memory of 480 2788 Fnndan32.exe 36 PID 2788 wrote to memory of 480 2788 Fnndan32.exe 36 PID 2788 wrote to memory of 480 2788 Fnndan32.exe 36 PID 2788 wrote to memory of 480 2788 Fnndan32.exe 36 PID 480 wrote to memory of 2164 480 Fnqqgm32.exe 37 PID 480 wrote to memory of 2164 480 Fnqqgm32.exe 37 PID 480 wrote to memory of 2164 480 Fnqqgm32.exe 37 PID 480 wrote to memory of 2164 480 Fnqqgm32.exe 37 PID 2164 wrote to memory of 1644 2164 Fncmmmma.exe 38 PID 2164 wrote to memory of 1644 2164 Fncmmmma.exe 38 PID 2164 wrote to memory of 1644 2164 Fncmmmma.exe 38 PID 2164 wrote to memory of 1644 2164 Fncmmmma.exe 38 PID 1644 wrote to memory of 668 1644 Fgkbeb32.exe 39 PID 1644 wrote to memory of 668 1644 Fgkbeb32.exe 39 PID 1644 wrote to memory of 668 1644 Fgkbeb32.exe 39 PID 1644 wrote to memory of 668 1644 Fgkbeb32.exe 39 PID 668 wrote to memory of 2668 668 Fnejbmko.exe 40 PID 668 wrote to memory of 2668 668 Fnejbmko.exe 40 PID 668 wrote to memory of 2668 668 Fnejbmko.exe 40 PID 668 wrote to memory of 2668 668 Fnejbmko.exe 40 PID 2668 wrote to memory of 1392 2668 Fpffje32.exe 41 PID 2668 wrote to memory of 1392 2668 Fpffje32.exe 41 PID 2668 wrote to memory of 1392 2668 Fpffje32.exe 41 PID 2668 wrote to memory of 1392 2668 Fpffje32.exe 41 PID 1392 wrote to memory of 1052 1392 Fmjgcipg.exe 42 PID 1392 wrote to memory of 1052 1392 Fmjgcipg.exe 42 PID 1392 wrote to memory of 1052 1392 Fmjgcipg.exe 42 PID 1392 wrote to memory of 1052 1392 Fmjgcipg.exe 42 PID 1052 wrote to memory of 2864 1052 Ffcllo32.exe 43 PID 1052 wrote to memory of 2864 1052 Ffcllo32.exe 43 PID 1052 wrote to memory of 2864 1052 Ffcllo32.exe 43 PID 1052 wrote to memory of 2864 1052 Ffcllo32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\b6d96b5bf25a081bfbb398131d80082a876ca363ec3516056b3b4de540e5e842.exe"C:\Users\Admin\AppData\Local\Temp\b6d96b5bf25a081bfbb398131d80082a876ca363ec3516056b3b4de540e5e842.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Dlahng32.exeC:\Windows\system32\Dlahng32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\Epoqde32.exeC:\Windows\system32\Epoqde32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Ejgemkbm.exeC:\Windows\system32\Ejgemkbm.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Ebcjamoh.exeC:\Windows\system32\Ebcjamoh.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Elhnof32.exeC:\Windows\system32\Elhnof32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Enlglnci.exeC:\Windows\system32\Enlglnci.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Ehakigbo.exeC:\Windows\system32\Ehakigbo.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:520 -
C:\Windows\SysWOW64\Fnndan32.exeC:\Windows\system32\Fnndan32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Fnqqgm32.exeC:\Windows\system32\Fnqqgm32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:480 -
C:\Windows\SysWOW64\Fncmmmma.exeC:\Windows\system32\Fncmmmma.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Fgkbeb32.exeC:\Windows\system32\Fgkbeb32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Fnejbmko.exeC:\Windows\system32\Fnejbmko.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Windows\SysWOW64\Fpffje32.exeC:\Windows\system32\Fpffje32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Fmjgcipg.exeC:\Windows\system32\Fmjgcipg.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\Ffcllo32.exeC:\Windows\system32\Ffcllo32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Gcglec32.exeC:\Windows\system32\Gcglec32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Gicdnj32.exeC:\Windows\system32\Gicdnj32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Gnpmfqap.exeC:\Windows\system32\Gnpmfqap.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1780 -
C:\Windows\SysWOW64\Gifaciae.exeC:\Windows\system32\Gifaciae.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:760 -
C:\Windows\SysWOW64\Gppipc32.exeC:\Windows\system32\Gppipc32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1196 -
C:\Windows\SysWOW64\Gnefapmj.exeC:\Windows\system32\Gnefapmj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1560 -
C:\Windows\SysWOW64\Gjlgfaco.exeC:\Windows\system32\Gjlgfaco.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1812 -
C:\Windows\SysWOW64\Hafock32.exeC:\Windows\system32\Hafock32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:884 -
C:\Windows\SysWOW64\Hahlhkhi.exeC:\Windows\system32\Hahlhkhi.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Hicqmmfc.exeC:\Windows\system32\Hicqmmfc.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2172 -
C:\Windows\SysWOW64\Hdiejfej.exeC:\Windows\system32\Hdiejfej.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:568 -
C:\Windows\SysWOW64\Hjcmgp32.exeC:\Windows\system32\Hjcmgp32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Windows\SysWOW64\Hlffdh32.exeC:\Windows\system32\Hlffdh32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2264 -
C:\Windows\SysWOW64\Hflkaq32.exeC:\Windows\system32\Hflkaq32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\Ipdojfgh.exeC:\Windows\system32\Ipdojfgh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Iaelanmg.exeC:\Windows\system32\Iaelanmg.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2540 -
C:\Windows\SysWOW64\Ilkpogmm.exeC:\Windows\system32\Ilkpogmm.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Ikpmpc32.exeC:\Windows\system32\Ikpmpc32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Imoilo32.exeC:\Windows\system32\Imoilo32.exe35⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Iggned32.exeC:\Windows\system32\Iggned32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Ionefb32.exeC:\Windows\system32\Ionefb32.exe37⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Ippbnjni.exeC:\Windows\system32\Ippbnjni.exe38⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Idknoi32.exeC:\Windows\system32\Idknoi32.exe39⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Igijkd32.exeC:\Windows\system32\Igijkd32.exe40⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Idmkdh32.exeC:\Windows\system32\Idmkdh32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1652 -
C:\Windows\SysWOW64\Jkgcab32.exeC:\Windows\system32\Jkgcab32.exe42⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Jcbhee32.exeC:\Windows\system32\Jcbhee32.exe43⤵
- Executes dropped EXE
PID:328 -
C:\Windows\SysWOW64\Jcedkd32.exeC:\Windows\system32\Jcedkd32.exe44⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Jpiedieo.exeC:\Windows\system32\Jpiedieo.exe45⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Jajala32.exeC:\Windows\system32\Jajala32.exe46⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Jkbfdfbm.exeC:\Windows\system32\Jkbfdfbm.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Jcjnfdbp.exeC:\Windows\system32\Jcjnfdbp.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Jlbboiip.exeC:\Windows\system32\Jlbboiip.exe49⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Kdmgclfk.exeC:\Windows\system32\Kdmgclfk.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:620 -
C:\Windows\SysWOW64\Knekla32.exeC:\Windows\system32\Knekla32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Kdbpnk32.exeC:\Windows\system32\Kdbpnk32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\Kqiaclhj.exeC:\Windows\system32\Kqiaclhj.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Lihobnap.exeC:\Windows\system32\Lihobnap.exe54⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Lnhdqdnd.exeC:\Windows\system32\Lnhdqdnd.exe55⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Liminmmk.exeC:\Windows\system32\Liminmmk.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\Lahmbo32.exeC:\Windows\system32\Lahmbo32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Lipecm32.exeC:\Windows\system32\Lipecm32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:240 -
C:\Windows\SysWOW64\Mjcoqdoc.exeC:\Windows\system32\Mjcoqdoc.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Mnojacgm.exeC:\Windows\system32\Mnojacgm.exe60⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Meicnm32.exeC:\Windows\system32\Meicnm32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Mfjoeeeh.exeC:\Windows\system32\Mfjoeeeh.exe62⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Mnaggcej.exeC:\Windows\system32\Mnaggcej.exe63⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Mapccndn.exeC:\Windows\system32\Mapccndn.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Mfllkece.exeC:\Windows\system32\Mfllkece.exe65⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Mmfdhojb.exeC:\Windows\system32\Mmfdhojb.exe66⤵PID:2588
-
C:\Windows\SysWOW64\Mdpldi32.exeC:\Windows\system32\Mdpldi32.exe67⤵PID:2488
-
C:\Windows\SysWOW64\Mfoiqe32.exeC:\Windows\system32\Mfoiqe32.exe68⤵PID:2928
-
C:\Windows\SysWOW64\Mlkail32.exeC:\Windows\system32\Mlkail32.exe69⤵PID:2756
-
C:\Windows\SysWOW64\Mdbiji32.exeC:\Windows\system32\Mdbiji32.exe70⤵
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Mfaefd32.exeC:\Windows\system32\Mfaefd32.exe71⤵
- Drops file in System32 directory
PID:1568 -
C:\Windows\SysWOW64\Mioabp32.exeC:\Windows\system32\Mioabp32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1120 -
C:\Windows\SysWOW64\Nlnnnk32.exeC:\Windows\system32\Nlnnnk32.exe73⤵
- Modifies registry class
PID:912 -
C:\Windows\SysWOW64\Noljjglk.exeC:\Windows\system32\Noljjglk.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Nefbga32.exeC:\Windows\system32\Nefbga32.exe75⤵PID:920
-
C:\Windows\SysWOW64\Nhdocl32.exeC:\Windows\system32\Nhdocl32.exe76⤵
- Modifies registry class
PID:1400 -
C:\Windows\SysWOW64\Noogpfjh.exeC:\Windows\system32\Noogpfjh.exe77⤵PID:1884
-
C:\Windows\SysWOW64\Nehomq32.exeC:\Windows\system32\Nehomq32.exe78⤵PID:2980
-
C:\Windows\SysWOW64\Nkegeg32.exeC:\Windows\system32\Nkegeg32.exe79⤵
- Drops file in System32 directory
PID:2020 -
C:\Windows\SysWOW64\Noacef32.exeC:\Windows\system32\Noacef32.exe80⤵PID:556
-
C:\Windows\SysWOW64\Nhiholof.exeC:\Windows\system32\Nhiholof.exe81⤵PID:2320
-
C:\Windows\SysWOW64\Nocpkf32.exeC:\Windows\system32\Nocpkf32.exe82⤵PID:1424
-
C:\Windows\SysWOW64\Ndpicm32.exeC:\Windows\system32\Ndpicm32.exe83⤵PID:1948
-
C:\Windows\SysWOW64\Ngneph32.exeC:\Windows\system32\Ngneph32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1088 -
C:\Windows\SysWOW64\Nmhmlbkk.exeC:\Windows\system32\Nmhmlbkk.exe85⤵
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Npgihn32.exeC:\Windows\system32\Npgihn32.exe86⤵
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Oklnff32.exeC:\Windows\system32\Oklnff32.exe87⤵PID:2280
-
C:\Windows\SysWOW64\Omkjbb32.exeC:\Windows\system32\Omkjbb32.exe88⤵
- Drops file in System32 directory
PID:3044 -
C:\Windows\SysWOW64\Odebolpe.exeC:\Windows\system32\Odebolpe.exe89⤵
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Okojkf32.exeC:\Windows\system32\Okojkf32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Olpgconp.exeC:\Windows\system32\Olpgconp.exe91⤵PID:2708
-
C:\Windows\SysWOW64\Odgodl32.exeC:\Windows\system32\Odgodl32.exe92⤵PID:2600
-
C:\Windows\SysWOW64\Ocjophem.exeC:\Windows\system32\Ocjophem.exe93⤵PID:2412
-
C:\Windows\SysWOW64\Oehklddp.exeC:\Windows\system32\Oehklddp.exe94⤵PID:1684
-
C:\Windows\SysWOW64\Onocmadb.exeC:\Windows\system32\Onocmadb.exe95⤵PID:2592
-
C:\Windows\SysWOW64\Ooqpdj32.exeC:\Windows\system32\Ooqpdj32.exe96⤵
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Oekhacbn.exeC:\Windows\system32\Oekhacbn.exe97⤵
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Ohidmoaa.exeC:\Windows\system32\Ohidmoaa.exe98⤵
- Drops file in System32 directory
PID:1896 -
C:\Windows\SysWOW64\Ooclji32.exeC:\Windows\system32\Ooclji32.exe99⤵PID:1468
-
C:\Windows\SysWOW64\Oemegc32.exeC:\Windows\system32\Oemegc32.exe100⤵PID:820
-
C:\Windows\SysWOW64\Ohkaco32.exeC:\Windows\system32\Ohkaco32.exe101⤵PID:2684
-
C:\Windows\SysWOW64\Olgmcmgh.exeC:\Windows\system32\Olgmcmgh.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2044 -
C:\Windows\SysWOW64\Padeldeo.exeC:\Windows\system32\Padeldeo.exe103⤵
- Drops file in System32 directory
PID:1140 -
C:\Windows\SysWOW64\Phnnho32.exeC:\Windows\system32\Phnnho32.exe104⤵
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\Pafbadcm.exeC:\Windows\system32\Pafbadcm.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2152 -
C:\Windows\SysWOW64\Peanbblf.exeC:\Windows\system32\Peanbblf.exe106⤵PID:1672
-
C:\Windows\SysWOW64\Pgckjk32.exeC:\Windows\system32\Pgckjk32.exe107⤵
- Drops file in System32 directory
PID:952 -
C:\Windows\SysWOW64\Pojbkh32.exeC:\Windows\system32\Pojbkh32.exe108⤵PID:1408
-
C:\Windows\SysWOW64\Pdgkco32.exeC:\Windows\system32\Pdgkco32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2372 -
C:\Windows\SysWOW64\Pgegok32.exeC:\Windows\system32\Pgegok32.exe110⤵
- Drops file in System32 directory
PID:1992 -
C:\Windows\SysWOW64\Pnopldgn.exeC:\Windows\system32\Pnopldgn.exe111⤵PID:2952
-
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe112⤵
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Pkcpei32.exeC:\Windows\system32\Pkcpei32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2860 -
C:\Windows\SysWOW64\Pnalad32.exeC:\Windows\system32\Pnalad32.exe114⤵PID:2472
-
C:\Windows\SysWOW64\Pqphnp32.exeC:\Windows\system32\Pqphnp32.exe115⤵PID:2396
-
C:\Windows\SysWOW64\Pcnejk32.exeC:\Windows\system32\Pcnejk32.exe116⤵PID:2400
-
C:\Windows\SysWOW64\Qfmafg32.exeC:\Windows\system32\Qfmafg32.exe117⤵PID:828
-
C:\Windows\SysWOW64\Qndigd32.exeC:\Windows\system32\Qndigd32.exe118⤵PID:1928
-
C:\Windows\SysWOW64\Qfonkfqd.exeC:\Windows\system32\Qfonkfqd.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:1264 -
C:\Windows\SysWOW64\Qmifhq32.exeC:\Windows\system32\Qmifhq32.exe120⤵PID:684
-
C:\Windows\SysWOW64\Qogbdl32.exeC:\Windows\system32\Qogbdl32.exe121⤵
- Drops file in System32 directory
PID:436
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-