Analysis
-
max time kernel
92s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
09-03-2024 20:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
092f7134ed1b22ad62b9201bed001b1e475a1567281676b40839559ddbfe05cc.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
092f7134ed1b22ad62b9201bed001b1e475a1567281676b40839559ddbfe05cc.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
092f7134ed1b22ad62b9201bed001b1e475a1567281676b40839559ddbfe05cc.exe
-
Size
669KB
-
MD5
1def50f9936fa7be3fa1c3361d6b44d4
-
SHA1
aea808d334bef91c5030217b474115560ad22d0c
-
SHA256
092f7134ed1b22ad62b9201bed001b1e475a1567281676b40839559ddbfe05cc
-
SHA512
70db4ee21366445f71a6c8c1a2d23293c2cceddfd9d1c6f1569ffce1edfe2fb453e4a922b3763b418e92fe224dacc165a670afd34c454bcad750501a5a8fcd07
-
SSDEEP
12288:VqEAWnIeVKhMpQnqr+cI3a72LXrY6x46UbR/qYglMi:0EAWnzchMpQnqrdX72LbY6x46uR/qYgL
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlfcqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmmmqnaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbefolao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhgbomfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imdndbkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nejbaqgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gckcap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcbehbim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmmome32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pblolb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpmdabfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkoaagmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cejjdlap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paqebike.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Joobdfei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehcndkaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elepei32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enfckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mapgfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ablahjhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppdbfpaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhdeinhb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfmpob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npmjij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifcpgiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfhbga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfpled32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ainfpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgbppknb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdaajd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjkdlall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpdefc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Foqdem32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clhbhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjakkmpk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kebodc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epgpajdp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfchjddj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nehekq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iplkje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jblflp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkhdgfen.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmlafk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghcjedcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Khnfce32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfjmajbc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaplqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chiblk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnkgbibj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlmdml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfchjddj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hqdkkp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjoeoedo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dqdgop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fifdqhal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abnnnjfh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjehok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogajid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iefnjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Megldcgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elepei32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkhidaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blbabnbk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Copajm32.exe -
Executes dropped EXE 64 IoCs
pid Process 1000 Joahqn32.exe 3336 Mfhbga32.exe 1728 Onmfimga.exe 3632 Oaplqh32.exe 3620 Aagkhd32.exe 3436 Bgnffj32.exe 3564 Chiblk32.exe 1624 Cpfcfmlp.exe 3428 Enfckp32.exe 2956 Ekcgkb32.exe 4604 Gkaclqkk.exe 3768 Giljfddl.exe 4860 Haaaaeim.exe 3528 Jldbpl32.exe 2928 Mqhfoebo.exe 1444 Nmcpoedn.exe 3476 Njjmni32.exe 4280 Ofgdcipq.exe 1604 Qfmfefni.exe 4092 Amkhmoap.exe 2692 Bfmolc32.exe 2644 Ckggnp32.exe 5040 Dickplko.exe 3204 Eaaiahei.exe 1808 Ejagaj32.exe 1960 Fcneeo32.exe 3104 Fkjfakng.exe 1860 Gggmgk32.exe 3144 Hqdkkp32.exe 4996 Hjmodffo.exe 1984 Hkaeih32.exe 3420 Ieeimlep.exe 4680 Jblflp32.exe 448 Jjgkab32.exe 1348 Jjkdlall.exe 4400 Kocphojh.exe 1048 Odbgdp32.exe 2728 Afeban32.exe 4896 Bppcpc32.exe 3552 Beaecjab.exe 4312 Bbefln32.exe 5140 Bipnihgi.exe 5200 Dpjompqc.exe 5280 Egmjpi32.exe 5340 Gnjhhpgl.exe 5384 Gjcfcakn.exe 5432 Hqddqj32.exe 5484 Hqfqfj32.exe 5528 Igjlibib.exe 5572 Imfdaigj.exe 5612 Iqdmghnp.exe 5664 Icefib32.exe 5716 Inkjfk32.exe 5756 Jjakkmpk.exe 5800 Jnocakfb.exe 5840 Jjfdfl32.exe 5888 Jcoioabf.exe 5940 Kebodc32.exe 5996 Mkdiog32.exe 6048 Nhdicjfp.exe 6100 Ogefqeaj.exe 5188 Dfqdid32.exe 5196 Eoladdeo.exe 5304 Fofdkcmd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cikkga32.exe Coegih32.exe File created C:\Windows\SysWOW64\Ipimhnjc.dll Ofgdcipq.exe File created C:\Windows\SysWOW64\Hjjmaneh.dll Afeban32.exe File opened for modification C:\Windows\SysWOW64\Mfofjk32.exe Mlialb32.exe File created C:\Windows\SysWOW64\Mgjkkopi.dll Neaokboj.exe File created C:\Windows\SysWOW64\Ncpmjj32.dll Mqkijnkp.exe File opened for modification C:\Windows\SysWOW64\Nieggill.exe Nnpcjplf.exe File opened for modification C:\Windows\SysWOW64\Obgofmjb.exe Ogajid32.exe File created C:\Windows\SysWOW64\Neaokboj.exe Mpdgbkab.exe File created C:\Windows\SysWOW64\Mbkfcabb.exe Mgebfhcl.exe File opened for modification C:\Windows\SysWOW64\Gcpaiq32.exe Gjgmpkfl.exe File opened for modification C:\Windows\SysWOW64\Hfhqkk32.exe Gbjhelnp.exe File created C:\Windows\SysWOW64\Ankpgonc.dll Fjfnphpf.exe File opened for modification C:\Windows\SysWOW64\Lnanadfi.exe Lhdeinhb.exe File opened for modification C:\Windows\SysWOW64\Nildajdg.exe Nkhdgfen.exe File opened for modification C:\Windows\SysWOW64\Qkcackeb.exe Pjjaci32.exe File created C:\Windows\SysWOW64\Aifklc32.dll Bmhibi32.exe File created C:\Windows\SysWOW64\Oioahn32.exe Onjmjegg.exe File created C:\Windows\SysWOW64\Cncnbean.dll Pblolb32.exe File created C:\Windows\SysWOW64\Cpmcffca.dll Dodjemee.exe File opened for modification C:\Windows\SysWOW64\Jaekkfcm.exe Jgpfmncg.exe File created C:\Windows\SysWOW64\Agobcjka.dll Pijiif32.exe File opened for modification C:\Windows\SysWOW64\Dadlmanj.exe Djihhoao.exe File created C:\Windows\SysWOW64\Ehlakjig.exe Ebbinp32.exe File created C:\Windows\SysWOW64\Icefib32.exe Iqdmghnp.exe File created C:\Windows\SysWOW64\Edeanh32.dll Mlialb32.exe File created C:\Windows\SysWOW64\Okbglp32.dll Apbngn32.exe File created C:\Windows\SysWOW64\Oheofn32.dll Jagqfp32.exe File created C:\Windows\SysWOW64\Mbpoop32.exe Mkegbfgp.exe File opened for modification C:\Windows\SysWOW64\Olndnp32.exe Niiaae32.exe File created C:\Windows\SysWOW64\Jhpjbgne.exe Idpdfija.exe File created C:\Windows\SysWOW64\Homcjh32.dll Mkadam32.exe File opened for modification C:\Windows\SysWOW64\Ggldde32.exe Fakfglhm.exe File created C:\Windows\SysWOW64\Ifdgaond.exe Hoibmmpi.exe File opened for modification C:\Windows\SysWOW64\Ifdgaond.exe Hoibmmpi.exe File created C:\Windows\SysWOW64\Ihgqiiph.dll Impldi32.exe File opened for modification C:\Windows\SysWOW64\Coegih32.exe Bhibgo32.exe File opened for modification C:\Windows\SysWOW64\Gjgmpkfl.exe Gobicbgf.exe File opened for modification C:\Windows\SysWOW64\Egmjpi32.exe Dpjompqc.exe File opened for modification C:\Windows\SysWOW64\Nmbhgjoi.exe Ndhgie32.exe File created C:\Windows\SysWOW64\Kblfejda.dll Onngci32.exe File created C:\Windows\SysWOW64\Olndnp32.exe Niiaae32.exe File created C:\Windows\SysWOW64\Geklckkd.exe Gckcap32.exe File created C:\Windows\SysWOW64\Khnfce32.exe Kkhidaeo.exe File created C:\Windows\SysWOW64\Ibillh32.dll Megldcgd.exe File created C:\Windows\SysWOW64\Bcmqin32.exe Blchmdff.exe File created C:\Windows\SysWOW64\Mqkijnkp.exe Mkoaagmh.exe File opened for modification C:\Windows\SysWOW64\Opkfjgmh.exe Oianmm32.exe File created C:\Windows\SysWOW64\Pnigcj32.dll Gjmmfq32.exe File created C:\Windows\SysWOW64\Elkfijgo.dll Nohicdia.exe File created C:\Windows\SysWOW64\Bqpppi32.dll Ehcndkaa.exe File created C:\Windows\SysWOW64\Jkaadebl.exe Jplmglbf.exe File created C:\Windows\SysWOW64\Qgnmff32.dll Khnfce32.exe File created C:\Windows\SysWOW64\Baojkdqb.exe Blbabnbk.exe File opened for modification C:\Windows\SysWOW64\Bhibgo32.exe Baojkdqb.exe File created C:\Windows\SysWOW64\Jpegfm32.exe Jikojcaa.exe File opened for modification C:\Windows\SysWOW64\Jdjfmjhm.exe Jkaadebl.exe File created C:\Windows\SysWOW64\Fhonpi32.exe Fcbehbim.exe File opened for modification C:\Windows\SysWOW64\Gkaclqkk.exe Ekcgkb32.exe File created C:\Windows\SysWOW64\Gjcfcakn.exe Gnjhhpgl.exe File opened for modification C:\Windows\SysWOW64\Dkehlo32.exe Cmdhnhkp.exe File created C:\Windows\SysWOW64\Bedmha32.dll Plgpjhnf.exe File created C:\Windows\SysWOW64\Fdhpoegg.dll Dcmjpl32.exe File created C:\Windows\SysWOW64\Jpmdabfb.exe Jolhjj32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjgple32.dll" Lgqhki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fomnhddq.dll" Chiblk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfmolc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Onngci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mpdgbkab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmpfcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mappie32.dll" Jolhjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohecgli.dll" Helkdnaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aafghjbq.dll" Npfchkop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Elepei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ehlakjig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfkcec32.dll" Jikojcaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honohb32.dll" Kigoeagd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgpilmfi.dll" Gkaclqkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipimhnjc.dll" Ofgdcipq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlialb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfmdgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eoapldei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjgkab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dqdgop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjfplo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhdeinhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hameic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnkah32.dll" Nmcpoedn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iqdmghnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgpkkf32.dll" Lhiodm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blkkaohc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehcndkaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hilpobpd.dll" Joahqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljkoli32.dll" Phhpic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najlhn32.dll" Ablahjhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cikkga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkaeih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpjdiadb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jpmdabfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennofanf.dll" Mbkfcabb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bijnlgcd.dll" Obgofmjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbhndb32.dll" Djnaco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcneeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmbhgjoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qkcackeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fccigg32.dll" Peaahmcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mbkfcabb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbkhmakf.dll" Jplmglbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkclkqdm.dll" Mmbopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaocfebe.dll" Eenflbll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hoglbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffjdjmpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Apeagd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfllgl32.dll" Cnndbecl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Apbngn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blpemn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cebllbcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmlafk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fejegaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chnnfa32.dll" Begcjjql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oegicjdd.dll" Imfdaigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlfcqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bpjkbcbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjebg32.dll" Oijqbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mijofaje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nehekq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jpegfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Joahqn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3160 wrote to memory of 1000 3160 092f7134ed1b22ad62b9201bed001b1e475a1567281676b40839559ddbfe05cc.exe 96 PID 3160 wrote to memory of 1000 3160 092f7134ed1b22ad62b9201bed001b1e475a1567281676b40839559ddbfe05cc.exe 96 PID 3160 wrote to memory of 1000 3160 092f7134ed1b22ad62b9201bed001b1e475a1567281676b40839559ddbfe05cc.exe 96 PID 1000 wrote to memory of 3336 1000 Joahqn32.exe 97 PID 1000 wrote to memory of 3336 1000 Joahqn32.exe 97 PID 1000 wrote to memory of 3336 1000 Joahqn32.exe 97 PID 3336 wrote to memory of 1728 3336 Mfhbga32.exe 99 PID 3336 wrote to memory of 1728 3336 Mfhbga32.exe 99 PID 3336 wrote to memory of 1728 3336 Mfhbga32.exe 99 PID 1728 wrote to memory of 3632 1728 Onmfimga.exe 100 PID 1728 wrote to memory of 3632 1728 Onmfimga.exe 100 PID 1728 wrote to memory of 3632 1728 Onmfimga.exe 100 PID 3632 wrote to memory of 3620 3632 Oaplqh32.exe 101 PID 3632 wrote to memory of 3620 3632 Oaplqh32.exe 101 PID 3632 wrote to memory of 3620 3632 Oaplqh32.exe 101 PID 3620 wrote to memory of 3436 3620 Aagkhd32.exe 102 PID 3620 wrote to memory of 3436 3620 Aagkhd32.exe 102 PID 3620 wrote to memory of 3436 3620 Aagkhd32.exe 102 PID 3436 wrote to memory of 3564 3436 Bgnffj32.exe 103 PID 3436 wrote to memory of 3564 3436 Bgnffj32.exe 103 PID 3436 wrote to memory of 3564 3436 Bgnffj32.exe 103 PID 3564 wrote to memory of 1624 3564 Chiblk32.exe 104 PID 3564 wrote to memory of 1624 3564 Chiblk32.exe 104 PID 3564 wrote to memory of 1624 3564 Chiblk32.exe 104 PID 1624 wrote to memory of 3428 1624 Cpfcfmlp.exe 105 PID 1624 wrote to memory of 3428 1624 Cpfcfmlp.exe 105 PID 1624 wrote to memory of 3428 1624 Cpfcfmlp.exe 105 PID 3428 wrote to memory of 2956 3428 Enfckp32.exe 106 PID 3428 wrote to memory of 2956 3428 Enfckp32.exe 106 PID 3428 wrote to memory of 2956 3428 Enfckp32.exe 106 PID 2956 wrote to memory of 4604 2956 Ekcgkb32.exe 107 PID 2956 wrote to memory of 4604 2956 Ekcgkb32.exe 107 PID 2956 wrote to memory of 4604 2956 Ekcgkb32.exe 107 PID 4604 wrote to memory of 3768 4604 Gkaclqkk.exe 108 PID 4604 wrote to memory of 3768 4604 Gkaclqkk.exe 108 PID 4604 wrote to memory of 3768 4604 Gkaclqkk.exe 108 PID 3768 wrote to memory of 4860 3768 Giljfddl.exe 109 PID 3768 wrote to memory of 4860 3768 Giljfddl.exe 109 PID 3768 wrote to memory of 4860 3768 Giljfddl.exe 109 PID 4860 wrote to memory of 3528 4860 Haaaaeim.exe 110 PID 4860 wrote to memory of 3528 4860 Haaaaeim.exe 110 PID 4860 wrote to memory of 3528 4860 Haaaaeim.exe 110 PID 3528 wrote to memory of 2928 3528 Jldbpl32.exe 111 PID 3528 wrote to memory of 2928 3528 Jldbpl32.exe 111 PID 3528 wrote to memory of 2928 3528 Jldbpl32.exe 111 PID 2928 wrote to memory of 1444 2928 Mqhfoebo.exe 112 PID 2928 wrote to memory of 1444 2928 Mqhfoebo.exe 112 PID 2928 wrote to memory of 1444 2928 Mqhfoebo.exe 112 PID 1444 wrote to memory of 3476 1444 Nmcpoedn.exe 113 PID 1444 wrote to memory of 3476 1444 Nmcpoedn.exe 113 PID 1444 wrote to memory of 3476 1444 Nmcpoedn.exe 113 PID 3476 wrote to memory of 4280 3476 Njjmni32.exe 114 PID 3476 wrote to memory of 4280 3476 Njjmni32.exe 114 PID 3476 wrote to memory of 4280 3476 Njjmni32.exe 114 PID 4280 wrote to memory of 1604 4280 Ofgdcipq.exe 115 PID 4280 wrote to memory of 1604 4280 Ofgdcipq.exe 115 PID 4280 wrote to memory of 1604 4280 Ofgdcipq.exe 115 PID 1604 wrote to memory of 4092 1604 Qfmfefni.exe 116 PID 1604 wrote to memory of 4092 1604 Qfmfefni.exe 116 PID 1604 wrote to memory of 4092 1604 Qfmfefni.exe 116 PID 4092 wrote to memory of 2692 4092 Amkhmoap.exe 118 PID 4092 wrote to memory of 2692 4092 Amkhmoap.exe 118 PID 4092 wrote to memory of 2692 4092 Amkhmoap.exe 118 PID 2692 wrote to memory of 2644 2692 Bfmolc32.exe 119
Processes
-
C:\Users\Admin\AppData\Local\Temp\092f7134ed1b22ad62b9201bed001b1e475a1567281676b40839559ddbfe05cc.exe"C:\Users\Admin\AppData\Local\Temp\092f7134ed1b22ad62b9201bed001b1e475a1567281676b40839559ddbfe05cc.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Windows\SysWOW64\Joahqn32.exeC:\Windows\system32\Joahqn32.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1000 -
C:\Windows\SysWOW64\Mfhbga32.exeC:\Windows\system32\Mfhbga32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3336 -
C:\Windows\SysWOW64\Onmfimga.exeC:\Windows\system32\Onmfimga.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Oaplqh32.exeC:\Windows\system32\Oaplqh32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3632 -
C:\Windows\SysWOW64\Aagkhd32.exeC:\Windows\system32\Aagkhd32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\SysWOW64\Bgnffj32.exeC:\Windows\system32\Bgnffj32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
C:\Windows\SysWOW64\Chiblk32.exeC:\Windows\system32\Chiblk32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3564 -
C:\Windows\SysWOW64\Cpfcfmlp.exeC:\Windows\system32\Cpfcfmlp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Enfckp32.exeC:\Windows\system32\Enfckp32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
C:\Windows\SysWOW64\Ekcgkb32.exeC:\Windows\system32\Ekcgkb32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Gkaclqkk.exeC:\Windows\system32\Gkaclqkk.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Windows\SysWOW64\Giljfddl.exeC:\Windows\system32\Giljfddl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768 -
C:\Windows\SysWOW64\Haaaaeim.exeC:\Windows\system32\Haaaaeim.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\Windows\SysWOW64\Jldbpl32.exeC:\Windows\system32\Jldbpl32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\SysWOW64\Mqhfoebo.exeC:\Windows\system32\Mqhfoebo.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Nmcpoedn.exeC:\Windows\system32\Nmcpoedn.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Njjmni32.exeC:\Windows\system32\Njjmni32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\SysWOW64\Ofgdcipq.exeC:\Windows\system32\Ofgdcipq.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Windows\SysWOW64\Qfmfefni.exeC:\Windows\system32\Qfmfefni.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Amkhmoap.exeC:\Windows\system32\Amkhmoap.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Windows\SysWOW64\Bfmolc32.exeC:\Windows\system32\Bfmolc32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Ckggnp32.exeC:\Windows\system32\Ckggnp32.exe23⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Dickplko.exeC:\Windows\system32\Dickplko.exe24⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Eaaiahei.exeC:\Windows\system32\Eaaiahei.exe25⤵
- Executes dropped EXE
PID:3204 -
C:\Windows\SysWOW64\Ejagaj32.exeC:\Windows\system32\Ejagaj32.exe26⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Fcneeo32.exeC:\Windows\system32\Fcneeo32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Fkjfakng.exeC:\Windows\system32\Fkjfakng.exe28⤵
- Executes dropped EXE
PID:3104 -
C:\Windows\SysWOW64\Gggmgk32.exeC:\Windows\system32\Gggmgk32.exe29⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Hqdkkp32.exeC:\Windows\system32\Hqdkkp32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3144 -
C:\Windows\SysWOW64\Hjmodffo.exeC:\Windows\system32\Hjmodffo.exe31⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Hkaeih32.exeC:\Windows\system32\Hkaeih32.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Ieeimlep.exeC:\Windows\system32\Ieeimlep.exe33⤵
- Executes dropped EXE
PID:3420 -
C:\Windows\SysWOW64\Jblflp32.exeC:\Windows\system32\Jblflp32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\Jjgkab32.exeC:\Windows\system32\Jjgkab32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:448 -
C:\Windows\SysWOW64\Jjkdlall.exeC:\Windows\system32\Jjkdlall.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Kocphojh.exeC:\Windows\system32\Kocphojh.exe37⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Odbgdp32.exeC:\Windows\system32\Odbgdp32.exe38⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Afeban32.exeC:\Windows\system32\Afeban32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Bppcpc32.exeC:\Windows\system32\Bppcpc32.exe40⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Beaecjab.exeC:\Windows\system32\Beaecjab.exe41⤵
- Executes dropped EXE
PID:3552 -
C:\Windows\SysWOW64\Bbefln32.exeC:\Windows\system32\Bbefln32.exe42⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Bipnihgi.exeC:\Windows\system32\Bipnihgi.exe43⤵
- Executes dropped EXE
PID:5140 -
C:\Windows\SysWOW64\Dpjompqc.exeC:\Windows\system32\Dpjompqc.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5200 -
C:\Windows\SysWOW64\Egmjpi32.exeC:\Windows\system32\Egmjpi32.exe45⤵
- Executes dropped EXE
PID:5280 -
C:\Windows\SysWOW64\Gnjhhpgl.exeC:\Windows\system32\Gnjhhpgl.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5340 -
C:\Windows\SysWOW64\Gjcfcakn.exeC:\Windows\system32\Gjcfcakn.exe47⤵
- Executes dropped EXE
PID:5384 -
C:\Windows\SysWOW64\Hqddqj32.exeC:\Windows\system32\Hqddqj32.exe48⤵
- Executes dropped EXE
PID:5432 -
C:\Windows\SysWOW64\Hqfqfj32.exeC:\Windows\system32\Hqfqfj32.exe49⤵
- Executes dropped EXE
PID:5484 -
C:\Windows\SysWOW64\Igjlibib.exeC:\Windows\system32\Igjlibib.exe50⤵
- Executes dropped EXE
PID:5528 -
C:\Windows\SysWOW64\Imfdaigj.exeC:\Windows\system32\Imfdaigj.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:5572 -
C:\Windows\SysWOW64\Iqdmghnp.exeC:\Windows\system32\Iqdmghnp.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5612 -
C:\Windows\SysWOW64\Icefib32.exeC:\Windows\system32\Icefib32.exe53⤵
- Executes dropped EXE
PID:5664 -
C:\Windows\SysWOW64\Inkjfk32.exeC:\Windows\system32\Inkjfk32.exe54⤵
- Executes dropped EXE
PID:5716 -
C:\Windows\SysWOW64\Jjakkmpk.exeC:\Windows\system32\Jjakkmpk.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5756 -
C:\Windows\SysWOW64\Jnocakfb.exeC:\Windows\system32\Jnocakfb.exe56⤵
- Executes dropped EXE
PID:5800 -
C:\Windows\SysWOW64\Jjfdfl32.exeC:\Windows\system32\Jjfdfl32.exe57⤵
- Executes dropped EXE
PID:5840 -
C:\Windows\SysWOW64\Jcoioabf.exeC:\Windows\system32\Jcoioabf.exe58⤵
- Executes dropped EXE
PID:5888 -
C:\Windows\SysWOW64\Kebodc32.exeC:\Windows\system32\Kebodc32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5940 -
C:\Windows\SysWOW64\Mkdiog32.exeC:\Windows\system32\Mkdiog32.exe60⤵
- Executes dropped EXE
PID:5996 -
C:\Windows\SysWOW64\Nhdicjfp.exeC:\Windows\system32\Nhdicjfp.exe61⤵
- Executes dropped EXE
PID:6048 -
C:\Windows\SysWOW64\Ogefqeaj.exeC:\Windows\system32\Ogefqeaj.exe62⤵
- Executes dropped EXE
PID:6100 -
C:\Windows\SysWOW64\Dfqdid32.exeC:\Windows\system32\Dfqdid32.exe63⤵
- Executes dropped EXE
PID:5188 -
C:\Windows\SysWOW64\Eoladdeo.exeC:\Windows\system32\Eoladdeo.exe64⤵
- Executes dropped EXE
PID:5196 -
C:\Windows\SysWOW64\Fofdkcmd.exeC:\Windows\system32\Fofdkcmd.exe65⤵
- Executes dropped EXE
PID:5304 -
C:\Windows\SysWOW64\Gojnfb32.exeC:\Windows\system32\Gojnfb32.exe66⤵PID:636
-
C:\Windows\SysWOW64\Gckcap32.exeC:\Windows\system32\Gckcap32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5524 -
C:\Windows\SysWOW64\Geklckkd.exeC:\Windows\system32\Geklckkd.exe68⤵PID:5984
-
C:\Windows\SysWOW64\Lagepl32.exeC:\Windows\system32\Lagepl32.exe69⤵PID:6044
-
C:\Windows\SysWOW64\Mmbopm32.exeC:\Windows\system32\Mmbopm32.exe70⤵
- Modifies registry class
PID:6076 -
C:\Windows\SysWOW64\Mapgfk32.exeC:\Windows\system32\Mapgfk32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4632 -
C:\Windows\SysWOW64\Mfmpob32.exeC:\Windows\system32\Mfmpob32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2088 -
C:\Windows\SysWOW64\Mhoind32.exeC:\Windows\system32\Mhoind32.exe73⤵PID:5020
-
C:\Windows\SysWOW64\Nmlafk32.exeC:\Windows\system32\Nmlafk32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5172 -
C:\Windows\SysWOW64\Nibbklke.exeC:\Windows\system32\Nibbklke.exe75⤵PID:5128
-
C:\Windows\SysWOW64\Ndhgie32.exeC:\Windows\system32\Ndhgie32.exe76⤵
- Drops file in System32 directory
PID:5396 -
C:\Windows\SysWOW64\Nmbhgjoi.exeC:\Windows\system32\Nmbhgjoi.exe77⤵
- Modifies registry class
PID:5416 -
C:\Windows\SysWOW64\Nmedmj32.exeC:\Windows\system32\Nmedmj32.exe78⤵PID:1824
-
C:\Windows\SysWOW64\Okiefn32.exeC:\Windows\system32\Okiefn32.exe79⤵PID:824
-
C:\Windows\SysWOW64\Ohmepbki.exeC:\Windows\system32\Ohmepbki.exe80⤵PID:5508
-
C:\Windows\SysWOW64\Oknnanhj.exeC:\Windows\system32\Oknnanhj.exe81⤵PID:3372
-
C:\Windows\SysWOW64\Onngci32.exeC:\Windows\system32\Onngci32.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:5592 -
C:\Windows\SysWOW64\Odhppclh.exeC:\Windows\system32\Odhppclh.exe83⤵PID:5692
-
C:\Windows\SysWOW64\Pjjaci32.exeC:\Windows\system32\Pjjaci32.exe84⤵
- Drops file in System32 directory
PID:5792 -
C:\Windows\SysWOW64\Qkcackeb.exeC:\Windows\system32\Qkcackeb.exe85⤵
- Modifies registry class
PID:4300 -
C:\Windows\SysWOW64\Agqhik32.exeC:\Windows\system32\Agqhik32.exe86⤵PID:2932
-
C:\Windows\SysWOW64\Bggnijof.exeC:\Windows\system32\Bggnijof.exe87⤵PID:5832
-
C:\Windows\SysWOW64\Cejjdlap.exeC:\Windows\system32\Cejjdlap.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1368 -
C:\Windows\SysWOW64\Cnboma32.exeC:\Windows\system32\Cnboma32.exe89⤵PID:6056
-
C:\Windows\SysWOW64\Celgjlpn.exeC:\Windows\system32\Celgjlpn.exe90⤵PID:3548
-
C:\Windows\SysWOW64\Dbphcpog.exeC:\Windows\system32\Dbphcpog.exe91⤵PID:2984
-
C:\Windows\SysWOW64\Djmima32.exeC:\Windows\system32\Djmima32.exe92⤵PID:5312
-
C:\Windows\SysWOW64\Foqdem32.exeC:\Windows\system32\Foqdem32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2472 -
C:\Windows\SysWOW64\Foenplji.exeC:\Windows\system32\Foenplji.exe94⤵PID:2384
-
C:\Windows\SysWOW64\Gedohfmp.exeC:\Windows\system32\Gedohfmp.exe95⤵PID:2488
-
C:\Windows\SysWOW64\Glbapoqh.exeC:\Windows\system32\Glbapoqh.exe96⤵PID:4488
-
C:\Windows\SysWOW64\Hccomh32.exeC:\Windows\system32\Hccomh32.exe97⤵PID:1864
-
C:\Windows\SysWOW64\Joobdfei.exeC:\Windows\system32\Joobdfei.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3092 -
C:\Windows\SysWOW64\Lpdefc32.exeC:\Windows\system32\Lpdefc32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5784 -
C:\Windows\SysWOW64\Lmmokgne.exeC:\Windows\system32\Lmmokgne.exe100⤵PID:744
-
C:\Windows\SysWOW64\Mfeccm32.exeC:\Windows\system32\Mfeccm32.exe101⤵PID:3188
-
C:\Windows\SysWOW64\Miflehaf.exeC:\Windows\system32\Miflehaf.exe102⤵PID:1388
-
C:\Windows\SysWOW64\Mjehok32.exeC:\Windows\system32\Mjehok32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2340 -
C:\Windows\SysWOW64\Mflidl32.exeC:\Windows\system32\Mflidl32.exe104⤵PID:5184
-
C:\Windows\SysWOW64\Mlialb32.exeC:\Windows\system32\Mlialb32.exe105⤵
- Drops file in System32 directory
- Modifies registry class
PID:4584 -
C:\Windows\SysWOW64\Mfofjk32.exeC:\Windows\system32\Mfofjk32.exe106⤵PID:5152
-
C:\Windows\SysWOW64\Mminfech.exeC:\Windows\system32\Mminfech.exe107⤵PID:1948
-
C:\Windows\SysWOW64\Nbefolao.exeC:\Windows\system32\Nbefolao.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3916 -
C:\Windows\SysWOW64\Nmkkle32.exeC:\Windows\system32\Nmkkle32.exe109⤵PID:1836
-
C:\Windows\SysWOW64\Njokei32.exeC:\Windows\system32\Njokei32.exe110⤵PID:4164
-
C:\Windows\SysWOW64\Nmpdgdmp.exeC:\Windows\system32\Nmpdgdmp.exe111⤵PID:1960
-
C:\Windows\SysWOW64\Niiaae32.exeC:\Windows\system32\Niiaae32.exe112⤵
- Drops file in System32 directory
PID:3108 -
C:\Windows\SysWOW64\Olndnp32.exeC:\Windows\system32\Olndnp32.exe113⤵PID:5652
-
C:\Windows\SysWOW64\Pghaghfn.exeC:\Windows\system32\Pghaghfn.exe114⤵PID:3912
-
C:\Windows\SysWOW64\Qdhalj32.exeC:\Windows\system32\Qdhalj32.exe115⤵PID:1460
-
C:\Windows\SysWOW64\Bgdjicmn.exeC:\Windows\system32\Bgdjicmn.exe116⤵PID:3476
-
C:\Windows\SysWOW64\Bjhpqn32.exeC:\Windows\system32\Bjhpqn32.exe117⤵PID:4336
-
C:\Windows\SysWOW64\Bmhibi32.exeC:\Windows\system32\Bmhibi32.exe118⤵
- Drops file in System32 directory
PID:3768 -
C:\Windows\SysWOW64\Cnmoglij.exeC:\Windows\system32\Cnmoglij.exe119⤵PID:5064
-
C:\Windows\SysWOW64\Cmdhnhkp.exeC:\Windows\system32\Cmdhnhkp.exe120⤵
- Drops file in System32 directory
PID:6088 -
C:\Windows\SysWOW64\Dkehlo32.exeC:\Windows\system32\Dkehlo32.exe121⤵PID:4940
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-