Analysis
-
max time kernel: 161s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/03/2024, 21:57
Static task: static1
Behavioral task: behavioral1
  Sample: 76c217baa183594dead8206aa36f30d8cc19a3da9f3f97f3ff9e94032e199f13.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 76c217baa183594dead8206aa36f30d8cc19a3da9f3f97f3ff9e94032e199f13.exe
  Resource: win10v2004-20240226-en
General
-
Target: 76c217baa183594dead8206aa36f30d8cc19a3da9f3f97f3ff9e94032e199f13.exe
Size: 128KB
MD5: c0de1540787d0e8e75ff2b5af3e2c875
SHA1: 9007ec0fe3ab882051362d83b0ea8ba577a351c5
SHA256: 76c217baa183594dead8206aa36f30d8cc19a3da9f3f97f3ff9e94032e199f13
SHA512: b264ff657c4a0a08712287639379cfcd38a31d161f505d07c526ee4c9996221406d9c2c828d282574749f8e9d680ae59297a4329396f35d52f4c37204b8c5d65
SSDEEP: 3072:pX6TgAC2toWWLOCIGp2/BhHmiImXJ2fYdV46nfPyxWhj8NCM/r:pqTgACnFfIO4BhHmNEcYj9nhV8NCU
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Abimhd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gpnfak32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kpankd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cbglgg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jognokdi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bajqpe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Libnapmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ekbiaigk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifihckmi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmfjodgc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nifldj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ipmbcm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Enkmpe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Offeahhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jehoemmb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kblpnall.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emcbcd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ohnelj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ajjcoqdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nglala32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Edhado32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Einmaaqb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nndjgjhe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bopefnnf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Doeghk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | 76c217baa183594dead8206aa36f30d8cc19a3da9f3f97f3ff9e94032e199f13.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dhcdnq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pnoefg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Onneeceo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ageofe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gdafgefe.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qdmkbmnl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhnbkfek.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cgpcklpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lkenkhec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lmmoekem.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fobomglo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fdpgen32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lmmoekem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ibohid32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jfalhgni.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fphneijl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Apeabg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Foghhg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jmbhhkoa.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hdhemn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cdpckbli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jplmglbf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajdbmf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bonjnc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oekpdoll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gneaelqk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ckaffjbg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ipmbcm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fbplgbbb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pldcdhpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jibejb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qbbggeli.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bhldio32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ckaolcol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cbmdnmdf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cpifeb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gpjfng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gfomfo32.exe
-
Executes dropped EXE (64 IoCs)
pid | Process
3592 | Nconfh32.exe
1144 | Okceaikl.exe
4664 | Pdngpo32.exe
3980 | Pcdqhecd.exe
4540 | Pomncfge.exe
3148 | Qbngeadf.exe
1800 | Ammnhilb.exe
1652 | Cpifeb32.exe
3092 | Ciiaogon.exe
3180 | Dllffa32.exe
4280 | Dlncla32.exe
2004 | Dpllbp32.exe
2304 | Emioab32.exe
3188 | Ecidpiad.exe
4692 | Fdjnolfd.exe
3740 | Gqmnpk32.exe
2748 | Gmdoel32.exe
2156 | Gnckooob.exe
1752 | Hfamia32.exe
5016 | Hqimlihn.exe
4712 | Hfhbipdb.exe
2280 | Igjlibib.exe
4500 | Infqklol.exe
2668 | Icgbob32.exe
3968 | Jcjodbgl.exe
5028 | Jcaeea32.exe
3296 | Kjpgmj32.exe
1184 | Kfidgk32.exe
2052 | Loiong32.exe
4560 | Mkdiog32.exe
1112 | Mobbdf32.exe
4168 | Nnfkgp32.exe
4520 | Noehac32.exe
4460 | Poagma32.exe
636 | Pfkpiled.exe
1092 | Pfmlok32.exe
1360 | Phpbffnp.exe
1260 | Qbmpjkqk.exe
2536 | Akhaipei.exe
4564 | Aeglbeea.exe
4756 | Bkfmjnii.exe
5136 | Cbglgg32.exe
5184 | Cemndbci.exe
5236 | Eimlgnij.exe
5276 | Fhiphi32.exe
5328 | Flghognq.exe
5388 | Gpodkdll.exe
5492 | Kgemahmg.exe
5536 | Labkempb.exe
5576 | Mpnngh32.exe
5616 | Mmdlflki.exe
5660 | Mhjpceko.exe
5720 | Npadcfnl.exe
5768 | Odaiodbp.exe
5800 | Opmcod32.exe
5848 | Pdklebje.exe
5888 | Pncanhaf.exe
5928 | Pgkegn32.exe
6028 | Paaidf32.exe
6076 | Ckfofe32.exe
6112 | Fhbbmc32.exe
5156 | Fbggkl32.exe
5200 | Ghbkdald.exe
5308 | Glbapoqh.exe
-
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Odelpm32.exe | Omkdcccb.exe
File created | C:\Windows\SysWOW64\Cndeoqhk.dll | Einmaaqb.exe
File created | C:\Windows\SysWOW64\Cpkgmegi.dll | Eblpqono.exe
File opened for modification | C:\Windows\SysWOW64\Djqbeonf.exe | Dpknhfoq.exe
File created | C:\Windows\SysWOW64\Jgoflpal.exe | Jpenoe32.exe
File created | C:\Windows\SysWOW64\Cihckfoa.dll | Odaiodbp.exe
File opened for modification | C:\Windows\SysWOW64\Jfalhgni.exe | Jmihpa32.exe
File opened for modification | C:\Windows\SysWOW64\Amdddkma.exe | Agglld32.exe
File created | C:\Windows\SysWOW64\Ppjghgdg.exe | Pgaboa32.exe
File created | C:\Windows\SysWOW64\Lamjbc32.exe | Khbhdn32.exe
File created | C:\Windows\SysWOW64\Majoikof.exe | Ldohogfe.exe
File created | C:\Windows\SysWOW64\Nddfmc32.dll | Qbbggeli.exe
File created | C:\Windows\SysWOW64\Ljaooodf.exe | Lmmoekem.exe
File opened for modification | C:\Windows\SysWOW64\Npadcfnl.exe | Mhjpceko.exe
File created | C:\Windows\SysWOW64\Eidbbp32.exe | Eibfmp32.exe
File created | C:\Windows\SysWOW64\Nifldj32.exe | Nophfa32.exe
File opened for modification | C:\Windows\SysWOW64\Dcigneeg.exe | Djqbeonf.exe
File opened for modification | C:\Windows\SysWOW64\Lfeldj32.exe | Llmhkd32.exe
File created | C:\Windows\SysWOW64\Aojmda32.dll | Dpllbp32.exe
File created | C:\Windows\SysWOW64\Bhfogiff.exe | Bonjnc32.exe
File created | C:\Windows\SysWOW64\Oleabh32.dll | Onneeceo.exe
File created | C:\Windows\SysWOW64\Kacpncqg.dll | Goediekj.exe
File created | C:\Windows\SysWOW64\Ecbmle32.dll | Lmmoekem.exe
File opened for modification | C:\Windows\SysWOW64\Kjeiij32.exe | Kckqlpck.exe
File opened for modification | C:\Windows\SysWOW64\Cjlbag32.exe | Bnnklg32.exe
File created | C:\Windows\SysWOW64\Dbllkohi.exe | Dbjofp32.exe
File created | C:\Windows\SysWOW64\Iaobiplh.dll | Foebmn32.exe
File created | C:\Windows\SysWOW64\Hbpgle32.exe | Giqlbqcc.exe
File opened for modification | C:\Windows\SysWOW64\Hdhemn32.exe | Gikkof32.exe
File opened for modification | C:\Windows\SysWOW64\Apeabg32.exe | Qhhphebj.exe
File opened for modification | C:\Windows\SysWOW64\Fimhcbkh.exe | Dmcabd32.exe
File created | C:\Windows\SysWOW64\Lqbgcp32.exe | Lkenkhec.exe
File created | C:\Windows\SysWOW64\Ncmdcq32.dll | Emllbe32.exe
File opened for modification | C:\Windows\SysWOW64\Nbadmege.exe | Niipdpae.exe
File opened for modification | C:\Windows\SysWOW64\Pecefa32.exe | Poimigfm.exe
File created | C:\Windows\SysWOW64\Obombeqb.dll | Njnpie32.exe
File opened for modification | C:\Windows\SysWOW64\Jkimae32.exe | Jdodekhg.exe
File created | C:\Windows\SysWOW64\Mjdghj32.dll | Omdpio32.exe
File opened for modification | C:\Windows\SysWOW64\Caapfnkd.exe | Bopgdcnc.exe
File created | C:\Windows\SysWOW64\Hagqiofj.dll | Ggilbb32.exe
File created | C:\Windows\SysWOW64\Lmmoekem.exe | Lcejmeol.exe
File created | C:\Windows\SysWOW64\Elidlmdb.dll | Ebdlkdlp.exe
File opened for modification | C:\Windows\SysWOW64\Iefnjm32.exe | Fjbddh32.exe
File opened for modification | C:\Windows\SysWOW64\Iffmmihf.exe | Fbiooolb.exe
File created | C:\Windows\SysWOW64\Npckcb32.dll | Malgmm32.exe
File created | C:\Windows\SysWOW64\Lhjadp32.dll | Nclida32.exe
File opened for modification | C:\Windows\SysWOW64\Jggjpgmc.exe | Ipmbcm32.exe
File created | C:\Windows\SysWOW64\Djqbeonf.exe | Dpknhfoq.exe
File created | C:\Windows\SysWOW64\Llppob32.dll | Qemhlp32.exe
File opened for modification | C:\Windows\SysWOW64\Kckqlpck.exe | Klahof32.exe
File created | C:\Windows\SysWOW64\Jnpanb32.dll | Kflink32.exe
File created | C:\Windows\SysWOW64\Mmdlflki.exe | Mpnngh32.exe
File opened for modification | C:\Windows\SysWOW64\Aekdolkj.exe | Aploae32.exe
File opened for modification | C:\Windows\SysWOW64\Gdafgefe.exe | Ggnenagl.exe
File created | C:\Windows\SysWOW64\Ckaffjbg.exe | Bfenncdp.exe
File created | C:\Windows\SysWOW64\Bjokpg32.dll | Dhbelp32.exe
File opened for modification | C:\Windows\SysWOW64\Medqmb32.exe | Mpghel32.exe
File created | C:\Windows\SysWOW64\Ogqaqigd.exe | Oafido32.exe
File opened for modification | C:\Windows\SysWOW64\Mpnngh32.exe | Labkempb.exe
File created | C:\Windows\SysWOW64\Oaajoj32.exe | Okgabpgg.exe
File created | C:\Windows\SysWOW64\Aonokdce.exe | Aajoapdk.exe
File opened for modification | C:\Windows\SysWOW64\Caojigoh.exe | Ckealm32.exe
File created | C:\Windows\SysWOW64\Offeahhp.exe | Olqqdo32.exe
File created | C:\Windows\SysWOW64\Glgjfb32.exe | Fikbhiaf.exe
-
Program crash (1 IoC)
pid | pid_target | Process | procid_target
2052 | 6892 | WerFault.exe | 704
-
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Noehac32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ajjcoqdl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jocepc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dnjdigpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elomej32.dll" | Jcaeea32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifdhj32.dll" | Fpjjkh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jpenoe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hfhbipdb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dqhpjohb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcbdhkme.dll" | Nqioqf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Domabi32.dll" | Clplff32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nclbjk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bhfogiff.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fobomglo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Phgagb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bbgehd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgdmgi32.dll" | Jncobabm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkaqdc32.dll" | Ckealm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfemoei.dll" | Cemndbci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Klbgag32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bhgcdjje.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cofnba32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gdafgefe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ajkgmd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Paelpcgc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qdmkbmnl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dpllbp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gpodkdll.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Egijfjmp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Foghhg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hhihnihm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mjpbkc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnkcchff.dll" | Phbhlcpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qkjgomgb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Paaidf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oenfbj32.dll" | Jomeoggk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pfeiedhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Einmaaqb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cbkncd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpflql32.dll" | Pnfiia32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jpmdabfb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichcim32.dll" | Ageofe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obkapcei.dll" | Oplkgi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nmenmgab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Libnapmg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kblpnall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cgijnk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpoknjfd.dll" | Qaofphbd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ikpjkf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlfbgp32.dll" | Ipjocgdm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hokeebcd.dll" | Jmihpa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaoikim.dll" | Lhfmmp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnfamk32.dll" | Fpagdj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoheefad.dll" | Jmbhhkoa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoaoflcl.dll" | Mpghel32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Djcoko32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkjnib32.dll" | Aajoapdk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ldhbnhlm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Blieeglf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oafido32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | 76c217baa183594dead8206aa36f30d8cc19a3da9f3f97f3ff9e94032e199f13.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hfnpacjb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hagqiofj.dll" | Ggilbb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jqpfccgo.exe
-
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4704 wrote to memory of 3592 | 4704 | 76c217baa183594dead8206aa36f30d8cc19a3da9f3f97f3ff9e94032e199f13.exe | 99
PID 4704 wrote to memory of 3592 | 4704 | 76c217baa183594dead8206aa36f30d8cc19a3da9f3f97f3ff9e94032e199f13.exe | 99
PID 4704 wrote to memory of 3592 | 4704 | 76c217baa183594dead8206aa36f30d8cc19a3da9f3f97f3ff9e94032e199f13.exe | 99
PID 3592 wrote to memory of 1144 | 3592 | Nconfh32.exe | 100
PID 3592 wrote to memory of 1144 | 3592 | Nconfh32.exe | 100
PID 3592 wrote to memory of 1144 | 3592 | Nconfh32.exe | 100
PID 1144 wrote to memory of 4664 | 1144 | Okceaikl.exe | 101
PID 1144 wrote to memory of 4664 | 1144 | Okceaikl.exe | 101
PID 1144 wrote to memory of 4664 | 1144 | Okceaikl.exe | 101
PID 4664 wrote to memory of 3980 | 4664 | Pdngpo32.exe | 102
PID 4664 wrote to memory of 3980 | 4664 | Pdngpo32.exe | 102
PID 4664 wrote to memory of 3980 | 4664 | Pdngpo32.exe | 102
PID 3980 wrote to memory of 4540 | 3980 | Pcdqhecd.exe | 104
PID 3980 wrote to memory of 4540 | 3980 | Pcdqhecd.exe | 104
PID 3980 wrote to memory of 4540 | 3980 | Pcdqhecd.exe | 104
PID 4540 wrote to memory of 3148 | 4540 | Pomncfge.exe | 105
PID 4540 wrote to memory of 3148 | 4540 | Pomncfge.exe | 105
PID 4540 wrote to memory of 3148 | 4540 | Pomncfge.exe | 105
PID 3148 wrote to memory of 1800 | 3148 | Qbngeadf.exe | 106
PID 3148 wrote to memory of 1800 | 3148 | Qbngeadf.exe | 106
PID 3148 wrote to memory of 1800 | 3148 | Qbngeadf.exe | 106
PID 1800 wrote to memory of 1652 | 1800 | Ammnhilb.exe | 107
PID 1800 wrote to memory of 1652 | 1800 | Ammnhilb.exe | 107
PID 1800 wrote to memory of 1652 | 1800 | Ammnhilb.exe | 107
PID 1652 wrote to memory of 3092 | 1652 | Cpifeb32.exe | 108
PID 1652 wrote to memory of 3092 | 1652 | Cpifeb32.exe | 108
PID 1652 wrote to memory of 3092 | 1652 | Cpifeb32.exe | 108
PID 3092 wrote to memory of 3180 | 3092 | Ciiaogon.exe | 109
PID 3092 wrote to memory of 3180 | 3092 | Ciiaogon.exe | 109
PID 3092 wrote to memory of 3180 | 3092 | Ciiaogon.exe | 109
PID 3180 wrote to memory of 4280 | 3180 | Dllffa32.exe | 110
PID 3180 wrote to memory of 4280 | 3180 | Dllffa32.exe | 110
PID 3180 wrote to memory of 4280 | 3180 | Dllffa32.exe | 110
PID 4280 wrote to memory of 2004 | 4280 | Dlncla32.exe | 111
PID 4280 wrote to memory of 2004 | 4280 | Dlncla32.exe | 111
PID 4280 wrote to memory of 2004 | 4280 | Dlncla32.exe | 111
PID 2004 wrote to memory of 2304 | 2004 | Dpllbp32.exe | 112
PID 2004 wrote to memory of 2304 | 2004 | Dpllbp32.exe | 112
PID 2004 wrote to memory of 2304 | 2004 | Dpllbp32.exe | 112
PID 2304 wrote to memory of 3188 | 2304 | Emioab32.exe | 113
PID 2304 wrote to memory of 3188 | 2304 | Emioab32.exe | 113
PID 2304 wrote to memory of 3188 | 2304 | Emioab32.exe | 113
PID 3188 wrote to memory of 4692 | 3188 | Ecidpiad.exe | 114
PID 3188 wrote to memory of 4692 | 3188 | Ecidpiad.exe | 114
PID 3188 wrote to memory of 4692 | 3188 | Ecidpiad.exe | 114
PID 4692 wrote to memory of 3740 | 4692 | Fdjnolfd.exe | 115
PID 4692 wrote to memory of 3740 | 4692 | Fdjnolfd.exe | 115
PID 4692 wrote to memory of 3740 | 4692 | Fdjnolfd.exe | 115
PID 3740 wrote to memory of 2748 | 3740 | Gqmnpk32.exe | 116
PID 3740 wrote to memory of 2748 | 3740 | Gqmnpk32.exe | 116
PID 3740 wrote to memory of 2748 | 3740 | Gqmnpk32.exe | 116
PID 2748 wrote to memory of 2156 | 2748 | Gmdoel32.exe | 117
PID 2748 wrote to memory of 2156 | 2748 | Gmdoel32.exe | 117
PID 2748 wrote to memory of 2156 | 2748 | Gmdoel32.exe | 117
PID 2156 wrote to memory of 1752 | 2156 | Gnckooob.exe | 118
PID 2156 wrote to memory of 1752 | 2156 | Gnckooob.exe | 118
PID 2156 wrote to memory of 1752 | 2156 | Gnckooob.exe | 118
PID 1752 wrote to memory of 5016 | 1752 | Hfamia32.exe | 119
PID 1752 wrote to memory of 5016 | 1752 | Hfamia32.exe | 119
PID 1752 wrote to memory of 5016 | 1752 | Hfamia32.exe | 119
PID 5016 wrote to memory of 4712 | 5016 | Hqimlihn.exe | 120
PID 5016 wrote to memory of 4712 | 5016 | Hqimlihn.exe | 120
PID 5016 wrote to memory of 4712 | 5016 | Hqimlihn.exe | 120
PID 4712 wrote to memory of 2280 | 4712 | Hfhbipdb.exe | 121
Processes
-
C:\Users\Admin\AppData\Local\Temp\76c217baa183594dead8206aa36f30d8cc19a3da9f3f97f3ff9e94032e199f13.exe (level 1, PID 4704), command line: "C:\Users\Admin\AppData\Local\Temp\76c217baa183594dead8206aa36f30d8cc19a3da9f3f97f3ff9e94032e199f13.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Nconfh32.exe (level 2, PID 3592), command line: C:\Windows\system32\Nconfh32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Okceaikl.exe (level 3, PID 1144), command line: C:\Windows\system32\Okceaikl.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Pdngpo32.exe (level 4, PID 4664), command line: C:\Windows\system32\Pdngpo32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Pcdqhecd.exe (level 5, PID 3980), command line: C:\Windows\system32\Pcdqhecd.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Pomncfge.exe (level 6, PID 4540), command line: C:\Windows\system32\Pomncfge.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Qbngeadf.exe (level 7, PID 3148), command line: C:\Windows\system32\Qbngeadf.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ammnhilb.exe (level 8, PID 1800), command line: C:\Windows\system32\Ammnhilb.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Cpifeb32.exe (level 9, PID 1652), command line: C:\Windows\system32\Cpifeb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ciiaogon.exe (level 10, PID 3092), command line: C:\Windows\system32\Ciiaogon.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Dllffa32.exe (level 11, PID 3180), command line: C:\Windows\system32\Dllffa32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Dlncla32.exe (level 12, PID 4280), command line: C:\Windows\system32\Dlncla32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Dpllbp32.exe (level 13, PID 2004), command line: C:\Windows\system32\Dpllbp32.exe
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Emioab32.exe (level 14, PID 2304), command line: C:\Windows\system32\Emioab32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ecidpiad.exe (level 15, PID 3188), command line: C:\Windows\system32\Ecidpiad.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Fdjnolfd.exe (level 16, PID 4692), command line: C:\Windows\system32\Fdjnolfd.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Gqmnpk32.exe (level 17, PID 3740), command line: C:\Windows\system32\Gqmnpk32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Gmdoel32.exe (level 18, PID 2748), command line: C:\Windows\system32\Gmdoel32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Gnckooob.exe (level 19, PID 2156), command line: C:\Windows\system32\Gnckooob.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Hfamia32.exe (level 20, PID 1752), command line: C:\Windows\system32\Hfamia32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Hqimlihn.exe (level 21, PID 5016), command line: C:\Windows\system32\Hqimlihn.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Hfhbipdb.exe (level 22, PID 4712), command line: C:\Windows\system32\Hfhbipdb.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Igjlibib.exe (level 23, PID 2280), command line: C:\Windows\system32\Igjlibib.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Infqklol.exe (level 24, PID 4500), command line: C:\Windows\system32\Infqklol.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Icgbob32.exe (level 25, PID 2668), command line: C:\Windows\system32\Icgbob32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Jcjodbgl.exe (level 26, PID 3968), command line: C:\Windows\system32\Jcjodbgl.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Jcaeea32.exe (level 27, PID 5028), command line: C:\Windows\system32\Jcaeea32.exe
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Kjpgmj32.exe (level 28, PID 3296), command line: C:\Windows\system32\Kjpgmj32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Kfidgk32.exe (level 29, PID 1184), command line: C:\Windows\system32\Kfidgk32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Loiong32.exe (level 30, PID 2052), command line: C:\Windows\system32\Loiong32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Mkdiog32.exe (level 31, PID 4560), command line: C:\Windows\system32\Mkdiog32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Mobbdf32.exe (level 32, PID 1112), command line: C:\Windows\system32\Mobbdf32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Nnfkgp32.exe (level 33, PID 4168), command line: C:\Windows\system32\Nnfkgp32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Noehac32.exe (level 34, PID 4520), command line: C:\Windows\system32\Noehac32.exe
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Poagma32.exe (level 35, PID 4460), command line: C:\Windows\system32\Poagma32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Pfkpiled.exe (level 36, PID 636), command line: C:\Windows\system32\Pfkpiled.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Pfmlok32.exe (level 37, PID 1092), command line: C:\Windows\system32\Pfmlok32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Phpbffnp.exe (level 38, PID 1360), command line: C:\Windows\system32\Phpbffnp.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Qbmpjkqk.exe (level 39, PID 1260), command line: C:\Windows\system32\Qbmpjkqk.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Akhaipei.exe (level 40, PID 2536), command line: C:\Windows\system32\Akhaipei.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Aeglbeea.exe (level 41, PID 4564), command line: C:\Windows\system32\Aeglbeea.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Bkfmjnii.exe (level 42, PID 4756), command line: C:\Windows\system32\Bkfmjnii.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Cbglgg32.exe (level 43, PID 5136), command line: C:\Windows\system32\Cbglgg32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Cemndbci.exe (level 44, PID 5184), command line: C:\Windows\system32\Cemndbci.exe
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Eimlgnij.exe (level 45, PID 5236), command line: C:\Windows\system32\Eimlgnij.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Fhiphi32.exe (level 46, PID 5276), command line: C:\Windows\system32\Fhiphi32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Flghognq.exe (level 47, PID 5328), command line: C:\Windows\system32\Flghognq.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Gpodkdll.exe (level 48, PID 5388), command line: C:\Windows\system32\Gpodkdll.exe
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Kgemahmg.exe (level 49, PID 5492), command line: C:\Windows\system32\Kgemahmg.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Labkempb.exe (level 50, PID 5536), command line: C:\Windows\system32\Labkempb.exe
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Mpnngh32.exe (level 51, PID 5576), command line: C:\Windows\system32\Mpnngh32.exe
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Mmdlflki.exe (level 52, PID 5616), command line: C:\Windows\system32\Mmdlflki.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Mhjpceko.exe (level 53, PID 5660), command line: C:\Windows\system32\Mhjpceko.exe
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Npadcfnl.exe (level 54, PID 5720), command line: C:\Windows\system32\Npadcfnl.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Odaiodbp.exe (level 55, PID 5768), command line: C:\Windows\system32\Odaiodbp.exe
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Opmcod32.exe (level 56, PID 5800), command line: C:\Windows\system32\Opmcod32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Pdklebje.exe (level 57, PID 5848), command line: C:\Windows\system32\Pdklebje.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Pncanhaf.exe (level 58, PID 5888), command line: C:\Windows\system32\Pncanhaf.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Pgkegn32.exe (level 59, PID 5928), command line: C:\Windows\system32\Pgkegn32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Paaidf32.exe (level 60, PID 6028), command line: C:\Windows\system32\Paaidf32.exe
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Ckfofe32.exe (level 61, PID 6076), command line: C:\Windows\system32\Ckfofe32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Fhbbmc32.exe (level 62, PID 6112), command line: C:\Windows\system32\Fhbbmc32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Fbggkl32.exe (level 63, PID 5156), command line: C:\Windows\system32\Fbggkl32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Ghbkdald.exe (level 64, PID 5200), command line: C:\Windows\system32\Ghbkdald.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Glbapoqh.exe (level 65, PID 5308), command line: C:\Windows\system32\Glbapoqh.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Ijkdkq32.exe (level 66, PID 4092), command line: C:\Windows\system32\Ijkdkq32.exe

C:\Windows\SysWOW64\Jomeoggk.exe (level 67, PID 5368), command line: C:\Windows\system32\Jomeoggk.exe
- Modifies registry class

C:\Windows\SysWOW64\Mcpjnp32.exe (level 68, PID 5396), command line: C:\Windows\system32\Mcpjnp32.exe

C:\Windows\SysWOW64\Nipokfil.exe (level 69, PID 5500), command line: C:\Windows\system32\Nipokfil.exe

C:\Windows\SysWOW64\Npighq32.exe (level 70, PID 5556), command line: C:\Windows\system32\Npighq32.exe

C:\Windows\SysWOW64\Obfpejcl.exe (level 71, PID 5636), command line: C:\Windows\system32\Obfpejcl.exe

C:\Windows\SysWOW64\Omkdcccb.exe (level 72, PID 5696), command line: C:\Windows\system32\Omkdcccb.exe
- Drops file in System32 directory

C:\Windows\SysWOW64\Odelpm32.exe (level 73, PID 5744), command line: C:\Windows\system32\Odelpm32.exe

C:\Windows\SysWOW64\Okodlgbl.exe (level 74, PID 5820), command line: C:\Windows\system32\Okodlgbl.exe

C:\Windows\SysWOW64\Olqqdo32.exe (level 75, PID 5904), command line: C:\Windows\system32\Olqqdo32.exe
- Drops file in System32 directory

C:\Windows\SysWOW64\Offeahhp.exe (level 76, PID 2940), command line: C:\Windows\system32\Offeahhp.exe
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Ajjcoqdl.exe (level 77, PID 3352), command line: C:\Windows\system32\Ajjcoqdl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

C:\Windows\SysWOW64\Fjbddh32.exe (level 78, PID 5984), command line: C:\Windows\system32\Fjbddh32.exe
- Drops file in System32 directory

C:\Windows\SysWOW64\Iefnjm32.exe (level 79, PID 4984), command line: C:\Windows\system32\Iefnjm32.exe

C:\Windows\SysWOW64\Ilglgfjd.exe (level 80, PID 5312), command line: C:\Windows\system32\Ilglgfjd.exe

C:\Windows\SysWOW64\Jehcfj32.exe (level 81, PID 5360), command line: C:\Windows\system32\Jehcfj32.exe

C:\Windows\SysWOW64\Jaodkk32.exe (level 82, PID 1868), command line: C:\Windows\system32\Jaodkk32.exe

C:\Windows\SysWOW64\Khimhefk.exe (level 83, PID 5572), command line: C:\Windows\system32\Khimhefk.exe

C:\Windows\SysWOW64\Koceep32.exe (level 84, PID 624), command line: C:\Windows\system32\Koceep32.exe

C:\Windows\SysWOW64\Klgend32.exe (level 85, PID 5776), command line: C:\Windows\system32\Klgend32.exe

C:\Windows\SysWOW64\Kdipce32.exe (level 86, PID 5912), command line: C:\Windows\system32\Kdipce32.exe

C:\Windows\SysWOW64\Lilbdcfe.exe (level 87, PID 3548), command line: C:\Windows\system32\Lilbdcfe.exe

C:\Windows\SysWOW64\Lbdgmh32.exe (level 88, PID 2148), command line: C:\Windows\system32\Lbdgmh32.exe

C:\Windows\SysWOW64\Mfgiof32.exe (level 89, PID 3308), command line: C:\Windows\system32\Mfgiof32.exe

C:\Windows\SysWOW64\Mfiedfmd.exe (level 90, PID 3556), command line: C:\Windows\system32\Mfiedfmd.exe

C:\Windows\SysWOW64\Mkfnlmkl.exe (level 91, PID 6128), command line: C:\Windows\system32\Mkfnlmkl.exe

C:\Windows\SysWOW64\Niohap32.exe (level 92, PID 5076), command line: C:\Windows\system32\Niohap32.exe

C:\Windows\SysWOW64\Neeifa32.exe (level 93, PID 1948), command line: C:\Windows\system32\Neeifa32.exe

C:\Windows\SysWOW64\Nblfee32.exe (level 94, PID 2900), command line: C:\Windows\system32\Nblfee32.exe

C:\Windows\SysWOW64\Pldcdhpi.exe (level 95, PID 2628), command line: C:\Windows\system32\Pldcdhpi.exe
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Pemhmn32.exe (level 96, PID 3144), command line: C:\Windows\system32\Pemhmn32.exe

C:\Windows\SysWOW64\Ppgeff32.exe (level 97, PID 2304), command line: C:\Windows\system32\Ppgeff32.exe

C:\Windows\SysWOW64\Aploae32.exe (level 98, PID 2156), command line: C:\Windows\system32\Aploae32.exe
- Drops file in System32 directory

C:\Windows\SysWOW64\Aekdolkj.exe (level 99, PID 3740), command line: C:\Windows\system32\Aekdolkj.exe

C:\Windows\SysWOW64\Bnnklg32.exe (level 100, PID 5300), command line: C:\Windows\system32\Bnnklg32.exe
- Drops file in System32 directory

C:\Windows\SysWOW64\Cjlbag32.exe (level 101, PID 3016), command line: C:\Windows\system32\Cjlbag32.exe

C:\Windows\SysWOW64\Cgpcklpd.exe (level 102, PID 5380), command line: C:\Windows\system32\Cgpcklpd.exe
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Dgkbfjeg.exe (level 103, PID 5428), command line: C:\Windows\system32\Dgkbfjeg.exe

C:\Windows\SysWOW64\Dqhpjohb.exe (level 104, PID 4972), command line: C:\Windows\system32\Dqhpjohb.exe
- Modifies registry class

C:\Windows\SysWOW64\Gpjfng32.exe (level 105, PID 5604), command line: C:\Windows\system32\Gpjfng32.exe
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Hmdlhk32.exe (level 106, PID 2668), command line: C:\Windows\system32\Hmdlhk32.exe

C:\Windows\SysWOW64\Hnfehm32.exe (level 107, PID 5872), command line: C:\Windows\system32\Hnfehm32.exe

C:\Windows\SysWOW64\Hjmfmnhp.exe (level 108, PID 5956), command line: C:\Windows\system32\Hjmfmnhp.exe

C:\Windows\SysWOW64\Jognokdi.exe (level 109, PID 3296), command line: C:\Windows\system32\Jognokdi.exe
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Jknocljn.exe (level 110, PID 2848), command line: C:\Windows\system32\Jknocljn.exe

C:\Windows\SysWOW64\Jpjhlche.exe (level 111, PID 4516), command line: C:\Windows\system32\Jpjhlche.exe

C:\Windows\SysWOW64\Jkplilgk.exe (level 112, PID 6096), command line: C:\Windows\system32\Jkplilgk.exe

C:\Windows\SysWOW64\Jpmdabfb.exe (level 113, PID 2004), command line: C:\Windows\system32\Jpmdabfb.exe
- Modifies registry class

C:\Windows\SysWOW64\Kgnbol32.exe (level 114, PID 4560), command line: C:\Windows\system32\Kgnbol32.exe

C:\Windows\SysWOW64\Knhkkfod.exe (level 115, PID 532), command line: C:\Windows\system32\Knhkkfod.exe

C:\Windows\SysWOW64\Khbhdn32.exe (level 116, PID 1328), command line: C:\Windows\system32\Khbhdn32.exe
- Drops file in System32 directory

C:\Windows\SysWOW64\Lamjbc32.exe (level 117, PID 4520), command line: C:\Windows\system32\Lamjbc32.exe

C:\Windows\SysWOW64\Lkenkhec.exe (level 118, PID 4612), command line: C:\Windows\system32\Lkenkhec.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory

C:\Windows\SysWOW64\Lqbgcp32.exe (level 119, PID 3864), command line: C:\Windows\system32\Lqbgcp32.exe

C:\Windows\SysWOW64\Mnaghb32.exe (level 120, PID 3112), command line: C:\Windows\system32\Mnaghb32.exe

C:\Windows\SysWOW64\Plfipakk.exe (level 121, PID 6060), command line: C:\Windows\system32\Plfipakk.exe

C:\Windows\SysWOW64\Qimfoe32.exe (level 122, PID 4712), command line: C:\Windows\system32\Qimfoe32.exe