Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
13/03/2024, 22:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b1d50bd0b21c1482c8cda9f9c8b5a9163e8588e9a3cefc91972c71fef82c9c9d.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
b1d50bd0b21c1482c8cda9f9c8b5a9163e8588e9a3cefc91972c71fef82c9c9d.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
b1d50bd0b21c1482c8cda9f9c8b5a9163e8588e9a3cefc91972c71fef82c9c9d.exe
-
Size
192KB
-
MD5
3be0d49a64b8f918f02f950d887c1592
-
SHA1
4138e29161930a7e767483b379f284a6bdcc8029
-
SHA256
b1d50bd0b21c1482c8cda9f9c8b5a9163e8588e9a3cefc91972c71fef82c9c9d
-
SHA512
0a8666f86f908d68d9462bba03d60fa1d19009ed46f3d2e21c3e07b9ef0cfe20bf89c86599884876ac4046e0761b7c9c8294e29e30f0dfe472e751c025f3a929
-
SSDEEP
3072:eyMXgZawueGuigyYq4YJH681+jq2832dp5Xp+7+10K0k7SS6S+psBB6sS:e7v5FuBTsa81+jq4peBK02SjSM0zS
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjapmdid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hihicplj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dboigi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aodfajaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjcmebie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhdohp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fknicb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mngegmbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqdoboli.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgdokkfg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnnbqnjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npcoakfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnckpmql.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kplpjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohnohn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjolnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Andgoobc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpdelajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heapdjlp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofnckp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bppfmigl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaqdegaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnkdhpjn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfaedkdp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfnjafap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neffpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goiojk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Immapg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epmcab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Demecd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldaeka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eocenh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aadifclh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfjhkjle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmkcqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found -
Executes dropped EXE 64 IoCs
pid Process 444 Dllmfd32.exe 1996 Daifnk32.exe 2932 Dhcnke32.exe 748 Dpjflb32.exe 832 Dakbckbe.exe 2940 Ehekqe32.exe 4100 Epmcab32.exe 1268 Ebnoikqb.exe 4248 Ehhgfdho.exe 2656 Ecmlcmhe.exe 2628 Ebploj32.exe 1940 Ehjdldfl.exe 4092 Ebbidj32.exe 656 Ejjqeg32.exe 2140 Eqciba32.exe 2496 Ecbenm32.exe 4472 Ejlmkgkl.exe 2288 Eqfeha32.exe 2360 Ecdbdl32.exe 3616 Fjnjqfij.exe 616 Fqhbmqqg.exe 3988 Fcgoilpj.exe 4012 Fjqgff32.exe 4644 Fomonm32.exe 448 Fcikolnh.exe 1164 Ffggkgmk.exe 4388 Fopldmcl.exe 2792 Ffjdqg32.exe 3940 Fobiilai.exe 1776 Fflaff32.exe 4600 Fijmbb32.exe 2260 Gbcakg32.exe 3032 Gjjjle32.exe 1036 Gogbdl32.exe 4300 Gcbnejem.exe 2528 Gfqjafdq.exe 5076 Giofnacd.exe 4608 Gqfooodg.exe 4968 Goiojk32.exe 4596 Gbgkfg32.exe 4756 Giacca32.exe 1596 Gqikdn32.exe 5036 Gcggpj32.exe 1920 Gfedle32.exe 5064 Gjapmdid.exe 2616 Gmoliohh.exe 3904 Gpnhekgl.exe 4480 Gbldaffp.exe 4792 Gfhqbe32.exe 4888 Gifmnpnl.exe 3068 Gameonno.exe 1952 Hclakimb.exe 1184 Hfjmgdlf.exe 3216 Hihicplj.exe 4364 Hapaemll.exe 3700 Hpbaqj32.exe 1904 Hfljmdjc.exe 1292 Hikfip32.exe 4112 Habnjm32.exe 1828 Hcqjfh32.exe 4524 Hfofbd32.exe 2172 Hadkpm32.exe 2336 Hccglh32.exe 4204 Hfachc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ijcahd32.exe Ihbdplfi.exe File created C:\Windows\SysWOW64\Iggaah32.exe Idieem32.exe File opened for modification C:\Windows\SysWOW64\Naaqofgj.exe Nbnpcj32.exe File opened for modification C:\Windows\SysWOW64\Geaepk32.exe Process not Found File created C:\Windows\SysWOW64\Bhmbqm32.exe Process not Found File created C:\Windows\SysWOW64\Lkfbjdpq.dll Njcpee32.exe File created C:\Windows\SysWOW64\Dbaemi32.exe Dlgmpogj.exe File opened for modification C:\Windows\SysWOW64\Pfjcgn32.exe Pdifoehl.exe File opened for modification C:\Windows\SysWOW64\Beeoaapl.exe Bnkgeg32.exe File created C:\Windows\SysWOW64\Ijhkffjm.dll Ckcgkldl.exe File created C:\Windows\SysWOW64\Gebgohck.dll Leihbeib.exe File created C:\Windows\SysWOW64\Iadenp32.dll Nolgijpk.exe File created C:\Windows\SysWOW64\Lbekag32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bkgeainn.exe Process not Found File created C:\Windows\SysWOW64\Ifhiib32.exe Icjmmg32.exe File created C:\Windows\SysWOW64\Hninbj32.exe Hhlejcpm.exe File created C:\Windows\SysWOW64\Nagpeo32.exe Process not Found File created C:\Windows\SysWOW64\Ddjmba32.exe Process not Found File created C:\Windows\SysWOW64\Cdimqm32.exe Process not Found File created C:\Windows\SysWOW64\Ldohebqh.exe Lnepih32.exe File created C:\Windows\SysWOW64\Mamjbp32.dll Process not Found File created C:\Windows\SysWOW64\Lglfodah.dll Mimpolee.exe File created C:\Windows\SysWOW64\Fimgpahk.dll Process not Found File created C:\Windows\SysWOW64\Bdmpcdfm.exe Bejogg32.exe File created C:\Windows\SysWOW64\Acpcoaap.dll Ojoign32.exe File opened for modification C:\Windows\SysWOW64\Acmobchj.exe Process not Found File created C:\Windows\SysWOW64\Kihgqfld.dll Process not Found File created C:\Windows\SysWOW64\Omopjcjp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ocnabm32.exe Process not Found File created C:\Windows\SysWOW64\Defbnajo.dll Fhjfhl32.exe File created C:\Windows\SysWOW64\Mpnaemnl.dll Hcdmga32.exe File created C:\Windows\SysWOW64\Calhnpgn.exe Cjbpaf32.exe File created C:\Windows\SysWOW64\Foclgq32.exe Process not Found File created C:\Windows\SysWOW64\Pjhbgb32.exe Pgjfkg32.exe File opened for modification C:\Windows\SysWOW64\Amddjegd.exe Anadoi32.exe File opened for modification C:\Windows\SysWOW64\Aaiimadl.exe Process not Found File created C:\Windows\SysWOW64\Mgdkaadn.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mgclpkac.exe Process not Found File created C:\Windows\SysWOW64\Paedlhhc.dll Process not Found File created C:\Windows\SysWOW64\Qlimed32.exe Process not Found File created C:\Windows\SysWOW64\Anlkecaj.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mjeddggd.exe Mkbchk32.exe File created C:\Windows\SysWOW64\Ifleoe32.exe Ikfabm32.exe File opened for modification C:\Windows\SysWOW64\Pdfehh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kflide32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jfffjqdf.exe Jdhine32.exe File created C:\Windows\SysWOW64\Oqgkhnjf.exe Onholckc.exe File created C:\Windows\SysWOW64\Hopnfa32.dll Process not Found File created C:\Windows\SysWOW64\Pghaae32.dll Process not Found File created C:\Windows\SysWOW64\Mdkgabfn.dll Process not Found File created C:\Windows\SysWOW64\Jlobem32.dll Process not Found File created C:\Windows\SysWOW64\Ghnllm32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ndghmo32.exe Nqklmpdd.exe File created C:\Windows\SysWOW64\Pbpjhp32.exe Pndohaqe.exe File created C:\Windows\SysWOW64\Gpmenm32.dll Process not Found File created C:\Windows\SysWOW64\Bmbiamhi.exe Bjcmebie.exe File created C:\Windows\SysWOW64\Olaqbelh.dll Process not Found File created C:\Windows\SysWOW64\Jcebldil.dll Nimbkc32.exe File created C:\Windows\SysWOW64\Lddgmbpb.exe Process not Found File created C:\Windows\SysWOW64\Jbnffffp.dll Process not Found File created C:\Windows\SysWOW64\Hgnilk32.dll Cippgm32.exe File created C:\Windows\SysWOW64\Pikcfnkf.dll Ghhhcomg.exe File created C:\Windows\SysWOW64\Nhpbfpka.exe Nimbkc32.exe File created C:\Windows\SysWOW64\Pcepkfld.exe Pojcjh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6044 4848 Process not Found 2001 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndhmhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eaonjngh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlleaeff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbecoe32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iofeei32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eolpmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgmlbfod.dll" Fchddejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfembo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjegoh32.dll" Nlaegk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehhpla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kideagnd.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqibbo32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmbklj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imoneg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdgjllic.dll" Poaqemao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbgjbkfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdmfqg32.dll" Najceeoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjehnm32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onklabip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll" Qgcbgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihnkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anbpqqmm.dll" Nbnpcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pojcjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Migmpjdh.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlijfneg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iefioj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahchda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gigmlgok.dll" Inmpcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkcfid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhdnigno.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cojjqlpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dboigi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmgladp.dll" Nebdoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajhddjfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccqkigkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghnllm32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjalckog.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmljl32.dll" Adapgfqj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ceaehfjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmnoof32.dll" Gkaejf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecaobgnf.dll" Mmlpoqpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opcqnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnmijq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oadfkdgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfofbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmfmmcbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpdkcl32.dll" Kpjcdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmbiamhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnnbqnjn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 524 wrote to memory of 444 524 b1d50bd0b21c1482c8cda9f9c8b5a9163e8588e9a3cefc91972c71fef82c9c9d.exe 89 PID 524 wrote to memory of 444 524 b1d50bd0b21c1482c8cda9f9c8b5a9163e8588e9a3cefc91972c71fef82c9c9d.exe 89 PID 524 wrote to memory of 444 524 b1d50bd0b21c1482c8cda9f9c8b5a9163e8588e9a3cefc91972c71fef82c9c9d.exe 89 PID 444 wrote to memory of 1996 444 Dllmfd32.exe 90 PID 444 wrote to memory of 1996 444 Dllmfd32.exe 90 PID 444 wrote to memory of 1996 444 Dllmfd32.exe 90 PID 1996 wrote to memory of 2932 1996 Daifnk32.exe 91 PID 1996 wrote to memory of 2932 1996 Daifnk32.exe 91 PID 1996 wrote to memory of 2932 1996 Daifnk32.exe 91 PID 2932 wrote to memory of 748 2932 Dhcnke32.exe 92 PID 2932 wrote to memory of 748 2932 Dhcnke32.exe 92 PID 2932 wrote to memory of 748 2932 Dhcnke32.exe 92 PID 748 wrote to memory of 832 748 Dpjflb32.exe 93 PID 748 wrote to memory of 832 748 Dpjflb32.exe 93 PID 748 wrote to memory of 832 748 Dpjflb32.exe 93 PID 832 wrote to memory of 2940 832 Dakbckbe.exe 94 PID 832 wrote to memory of 2940 832 Dakbckbe.exe 94 PID 832 wrote to memory of 2940 832 Dakbckbe.exe 94 PID 2940 wrote to memory of 4100 2940 Ehekqe32.exe 95 PID 2940 wrote to memory of 4100 2940 Ehekqe32.exe 95 PID 2940 wrote to memory of 4100 2940 Ehekqe32.exe 95 PID 4100 wrote to memory of 1268 4100 Epmcab32.exe 96 PID 4100 wrote to memory of 1268 4100 Epmcab32.exe 96 PID 4100 wrote to memory of 1268 4100 Epmcab32.exe 96 PID 1268 wrote to memory of 4248 1268 Ebnoikqb.exe 97 PID 1268 wrote to memory of 4248 1268 Ebnoikqb.exe 97 PID 1268 wrote to memory of 4248 1268 Ebnoikqb.exe 97 PID 4248 wrote to memory of 2656 4248 Ehhgfdho.exe 98 PID 4248 wrote to memory of 2656 4248 Ehhgfdho.exe 98 PID 4248 wrote to memory of 2656 4248 Ehhgfdho.exe 98 PID 2656 wrote to memory of 2628 2656 Ecmlcmhe.exe 99 PID 2656 wrote to memory of 2628 2656 Ecmlcmhe.exe 99 PID 2656 wrote to memory of 2628 2656 Ecmlcmhe.exe 99 PID 2628 wrote to memory of 1940 2628 Ebploj32.exe 100 PID 2628 wrote to memory of 1940 2628 Ebploj32.exe 100 PID 2628 wrote to memory of 1940 2628 Ebploj32.exe 100 PID 1940 wrote to memory of 4092 1940 Ehjdldfl.exe 101 PID 1940 wrote to memory of 4092 1940 Ehjdldfl.exe 101 PID 1940 wrote to memory of 4092 1940 Ehjdldfl.exe 101 PID 4092 wrote to memory of 656 4092 Ebbidj32.exe 102 PID 4092 wrote to memory of 656 4092 Ebbidj32.exe 102 PID 4092 wrote to memory of 656 4092 Ebbidj32.exe 102 PID 656 wrote to memory of 2140 656 Ejjqeg32.exe 103 PID 656 wrote to memory of 2140 656 Ejjqeg32.exe 103 PID 656 wrote to memory of 2140 656 Ejjqeg32.exe 103 PID 2140 wrote to memory of 2496 2140 Eqciba32.exe 104 PID 2140 wrote to memory of 2496 2140 Eqciba32.exe 104 PID 2140 wrote to memory of 2496 2140 Eqciba32.exe 104 PID 2496 wrote to memory of 4472 2496 Ecbenm32.exe 105 PID 2496 wrote to memory of 4472 2496 Ecbenm32.exe 105 PID 2496 wrote to memory of 4472 2496 Ecbenm32.exe 105 PID 4472 wrote to memory of 2288 4472 Ejlmkgkl.exe 106 PID 4472 wrote to memory of 2288 4472 Ejlmkgkl.exe 106 PID 4472 wrote to memory of 2288 4472 Ejlmkgkl.exe 106 PID 2288 wrote to memory of 2360 2288 Eqfeha32.exe 107 PID 2288 wrote to memory of 2360 2288 Eqfeha32.exe 107 PID 2288 wrote to memory of 2360 2288 Eqfeha32.exe 107 PID 2360 wrote to memory of 3616 2360 Ecdbdl32.exe 108 PID 2360 wrote to memory of 3616 2360 Ecdbdl32.exe 108 PID 2360 wrote to memory of 3616 2360 Ecdbdl32.exe 108 PID 3616 wrote to memory of 616 3616 Fjnjqfij.exe 109 PID 3616 wrote to memory of 616 3616 Fjnjqfij.exe 109 PID 3616 wrote to memory of 616 3616 Fjnjqfij.exe 109 PID 616 wrote to memory of 3988 616 Fqhbmqqg.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\b1d50bd0b21c1482c8cda9f9c8b5a9163e8588e9a3cefc91972c71fef82c9c9d.exe"C:\Users\Admin\AppData\Local\Temp\b1d50bd0b21c1482c8cda9f9c8b5a9163e8588e9a3cefc91972c71fef82c9c9d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:524 -
C:\Windows\SysWOW64\Dllmfd32.exeC:\Windows\system32\Dllmfd32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444 -
C:\Windows\SysWOW64\Daifnk32.exeC:\Windows\system32\Daifnk32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Dhcnke32.exeC:\Windows\system32\Dhcnke32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Dpjflb32.exeC:\Windows\system32\Dpjflb32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\Dakbckbe.exeC:\Windows\system32\Dakbckbe.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Ehekqe32.exeC:\Windows\system32\Ehekqe32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Epmcab32.exeC:\Windows\system32\Epmcab32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\SysWOW64\Ebnoikqb.exeC:\Windows\system32\Ebnoikqb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Ehhgfdho.exeC:\Windows\system32\Ehhgfdho.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Windows\SysWOW64\Ecmlcmhe.exeC:\Windows\system32\Ecmlcmhe.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Ebploj32.exeC:\Windows\system32\Ebploj32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Ehjdldfl.exeC:\Windows\system32\Ehjdldfl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Ebbidj32.exeC:\Windows\system32\Ebbidj32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Windows\SysWOW64\Ejjqeg32.exeC:\Windows\system32\Ejjqeg32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:656 -
C:\Windows\SysWOW64\Eqciba32.exeC:\Windows\system32\Eqciba32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Ecbenm32.exeC:\Windows\system32\Ecbenm32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Ejlmkgkl.exeC:\Windows\system32\Ejlmkgkl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\Eqfeha32.exeC:\Windows\system32\Eqfeha32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Ecdbdl32.exeC:\Windows\system32\Ecdbdl32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Fjnjqfij.exeC:\Windows\system32\Fjnjqfij.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\SysWOW64\Fqhbmqqg.exeC:\Windows\system32\Fqhbmqqg.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:616 -
C:\Windows\SysWOW64\Fcgoilpj.exeC:\Windows\system32\Fcgoilpj.exe23⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Fjqgff32.exeC:\Windows\system32\Fjqgff32.exe24⤵
- Executes dropped EXE
PID:4012 -
C:\Windows\SysWOW64\Fomonm32.exeC:\Windows\system32\Fomonm32.exe25⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Fcikolnh.exeC:\Windows\system32\Fcikolnh.exe26⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Ffggkgmk.exeC:\Windows\system32\Ffggkgmk.exe27⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Fopldmcl.exeC:\Windows\system32\Fopldmcl.exe28⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Ffjdqg32.exeC:\Windows\system32\Ffjdqg32.exe29⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Fmclmabe.exeC:\Windows\system32\Fmclmabe.exe30⤵PID:4284
-
C:\Windows\SysWOW64\Fobiilai.exeC:\Windows\system32\Fobiilai.exe31⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Fflaff32.exeC:\Windows\system32\Fflaff32.exe32⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Fijmbb32.exeC:\Windows\system32\Fijmbb32.exe33⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Gbcakg32.exeC:\Windows\system32\Gbcakg32.exe34⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Gjjjle32.exeC:\Windows\system32\Gjjjle32.exe35⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Gogbdl32.exeC:\Windows\system32\Gogbdl32.exe36⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Gcbnejem.exeC:\Windows\system32\Gcbnejem.exe37⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Gfqjafdq.exeC:\Windows\system32\Gfqjafdq.exe38⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Giofnacd.exeC:\Windows\system32\Giofnacd.exe39⤵
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\Gqfooodg.exeC:\Windows\system32\Gqfooodg.exe40⤵
- Executes dropped EXE
PID:4608 -
C:\Windows\SysWOW64\Goiojk32.exeC:\Windows\system32\Goiojk32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Gbgkfg32.exeC:\Windows\system32\Gbgkfg32.exe42⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Giacca32.exeC:\Windows\system32\Giacca32.exe43⤵
- Executes dropped EXE
PID:4756 -
C:\Windows\SysWOW64\Gqikdn32.exeC:\Windows\system32\Gqikdn32.exe44⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Gcggpj32.exeC:\Windows\system32\Gcggpj32.exe45⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Gfedle32.exeC:\Windows\system32\Gfedle32.exe46⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Gjapmdid.exeC:\Windows\system32\Gjapmdid.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Gmoliohh.exeC:\Windows\system32\Gmoliohh.exe48⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Gpnhekgl.exeC:\Windows\system32\Gpnhekgl.exe49⤵
- Executes dropped EXE
PID:3904 -
C:\Windows\SysWOW64\Gbldaffp.exeC:\Windows\system32\Gbldaffp.exe50⤵
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Gfhqbe32.exeC:\Windows\system32\Gfhqbe32.exe51⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Gifmnpnl.exeC:\Windows\system32\Gifmnpnl.exe52⤵
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Gameonno.exeC:\Windows\system32\Gameonno.exe53⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Hclakimb.exeC:\Windows\system32\Hclakimb.exe54⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Hfjmgdlf.exeC:\Windows\system32\Hfjmgdlf.exe55⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Hihicplj.exeC:\Windows\system32\Hihicplj.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3216 -
C:\Windows\SysWOW64\Hapaemll.exeC:\Windows\system32\Hapaemll.exe57⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Hpbaqj32.exeC:\Windows\system32\Hpbaqj32.exe58⤵
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\Hfljmdjc.exeC:\Windows\system32\Hfljmdjc.exe59⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Hikfip32.exeC:\Windows\system32\Hikfip32.exe60⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Habnjm32.exeC:\Windows\system32\Habnjm32.exe61⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Hcqjfh32.exeC:\Windows\system32\Hcqjfh32.exe62⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Hfofbd32.exeC:\Windows\system32\Hfofbd32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:4524 -
C:\Windows\SysWOW64\Hadkpm32.exeC:\Windows\system32\Hadkpm32.exe64⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe65⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Hfachc32.exeC:\Windows\system32\Hfachc32.exe66⤵
- Executes dropped EXE
PID:4204 -
C:\Windows\SysWOW64\Hippdo32.exeC:\Windows\system32\Hippdo32.exe67⤵PID:3504
-
C:\Windows\SysWOW64\Haggelfd.exeC:\Windows\system32\Haggelfd.exe68⤵PID:4636
-
C:\Windows\SysWOW64\Hcedaheh.exeC:\Windows\system32\Hcedaheh.exe69⤵PID:3900
-
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5048 -
C:\Windows\SysWOW64\Hmmhjm32.exeC:\Windows\system32\Hmmhjm32.exe71⤵PID:3604
-
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe72⤵PID:5052
-
C:\Windows\SysWOW64\Iffmccbi.exeC:\Windows\system32\Iffmccbi.exe73⤵PID:1448
-
C:\Windows\SysWOW64\Iidipnal.exeC:\Windows\system32\Iidipnal.exe74⤵PID:2976
-
C:\Windows\SysWOW64\Impepm32.exeC:\Windows\system32\Impepm32.exe75⤵PID:2712
-
C:\Windows\SysWOW64\Icjmmg32.exeC:\Windows\system32\Icjmmg32.exe76⤵
- Drops file in System32 directory
PID:2944 -
C:\Windows\SysWOW64\Ifhiib32.exeC:\Windows\system32\Ifhiib32.exe77⤵PID:3392
-
C:\Windows\SysWOW64\Imbaemhc.exeC:\Windows\system32\Imbaemhc.exe78⤵PID:1352
-
C:\Windows\SysWOW64\Icljbg32.exeC:\Windows\system32\Icljbg32.exe79⤵PID:4816
-
C:\Windows\SysWOW64\Ifjfnb32.exeC:\Windows\system32\Ifjfnb32.exe80⤵PID:4844
-
C:\Windows\SysWOW64\Iiibkn32.exeC:\Windows\system32\Iiibkn32.exe81⤵PID:3052
-
C:\Windows\SysWOW64\Iapjlk32.exeC:\Windows\system32\Iapjlk32.exe82⤵PID:3948
-
C:\Windows\SysWOW64\Ipckgh32.exeC:\Windows\system32\Ipckgh32.exe83⤵PID:5128
-
C:\Windows\SysWOW64\Ifmcdblq.exeC:\Windows\system32\Ifmcdblq.exe84⤵PID:5168
-
C:\Windows\SysWOW64\Iikopmkd.exeC:\Windows\system32\Iikopmkd.exe85⤵PID:5216
-
C:\Windows\SysWOW64\Ipegmg32.exeC:\Windows\system32\Ipegmg32.exe86⤵PID:5252
-
C:\Windows\SysWOW64\Ibccic32.exeC:\Windows\system32\Ibccic32.exe87⤵PID:5308
-
C:\Windows\SysWOW64\Ifopiajn.exeC:\Windows\system32\Ifopiajn.exe88⤵PID:5352
-
C:\Windows\SysWOW64\Iinlemia.exeC:\Windows\system32\Iinlemia.exe89⤵PID:5388
-
C:\Windows\SysWOW64\Jaedgjjd.exeC:\Windows\system32\Jaedgjjd.exe90⤵PID:5436
-
C:\Windows\SysWOW64\Jdcpcf32.exeC:\Windows\system32\Jdcpcf32.exe91⤵PID:5480
-
C:\Windows\SysWOW64\Jjmhppqd.exeC:\Windows\system32\Jjmhppqd.exe92⤵PID:5528
-
C:\Windows\SysWOW64\Jpjqhgol.exeC:\Windows\system32\Jpjqhgol.exe93⤵PID:5568
-
C:\Windows\SysWOW64\Jbhmdbnp.exeC:\Windows\system32\Jbhmdbnp.exe94⤵PID:5604
-
C:\Windows\SysWOW64\Jfdida32.exeC:\Windows\system32\Jfdida32.exe95⤵PID:5644
-
C:\Windows\SysWOW64\Jibeql32.exeC:\Windows\system32\Jibeql32.exe96⤵PID:5684
-
C:\Windows\SysWOW64\Jmnaakne.exeC:\Windows\system32\Jmnaakne.exe97⤵PID:5732
-
C:\Windows\SysWOW64\Jplmmfmi.exeC:\Windows\system32\Jplmmfmi.exe98⤵PID:5780
-
C:\Windows\SysWOW64\Jdhine32.exeC:\Windows\system32\Jdhine32.exe99⤵
- Drops file in System32 directory
PID:5820 -
C:\Windows\SysWOW64\Jfffjqdf.exeC:\Windows\system32\Jfffjqdf.exe100⤵PID:5860
-
C:\Windows\SysWOW64\Jidbflcj.exeC:\Windows\system32\Jidbflcj.exe101⤵PID:5904
-
C:\Windows\SysWOW64\Jaljgidl.exeC:\Windows\system32\Jaljgidl.exe102⤵PID:5948
-
C:\Windows\SysWOW64\Jdjfcecp.exeC:\Windows\system32\Jdjfcecp.exe103⤵PID:5996
-
C:\Windows\SysWOW64\Jmbklj32.exeC:\Windows\system32\Jmbklj32.exe104⤵
- Modifies registry class
PID:6048 -
C:\Windows\SysWOW64\Jdmcidam.exeC:\Windows\system32\Jdmcidam.exe105⤵PID:6088
-
C:\Windows\SysWOW64\Jfkoeppq.exeC:\Windows\system32\Jfkoeppq.exe106⤵PID:6124
-
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe107⤵PID:2304
-
C:\Windows\SysWOW64\Kmegbjgn.exeC:\Windows\system32\Kmegbjgn.exe108⤵PID:5192
-
C:\Windows\SysWOW64\Kdopod32.exeC:\Windows\system32\Kdopod32.exe109⤵PID:5296
-
C:\Windows\SysWOW64\Kgmlkp32.exeC:\Windows\system32\Kgmlkp32.exe110⤵PID:5324
-
C:\Windows\SysWOW64\Kmgdgjek.exeC:\Windows\system32\Kmgdgjek.exe111⤵PID:5420
-
C:\Windows\SysWOW64\Kdaldd32.exeC:\Windows\system32\Kdaldd32.exe112⤵PID:5492
-
C:\Windows\SysWOW64\Kbdmpqcb.exeC:\Windows\system32\Kbdmpqcb.exe113⤵PID:5552
-
C:\Windows\SysWOW64\Kgphpo32.exeC:\Windows\system32\Kgphpo32.exe114⤵PID:5628
-
C:\Windows\SysWOW64\Kinemkko.exeC:\Windows\system32\Kinemkko.exe115⤵PID:5672
-
C:\Windows\SysWOW64\Kmjqmi32.exeC:\Windows\system32\Kmjqmi32.exe116⤵PID:5764
-
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe117⤵PID:5844
-
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe118⤵PID:5884
-
C:\Windows\SysWOW64\Kknafn32.exeC:\Windows\system32\Kknafn32.exe119⤵PID:5976
-
C:\Windows\SysWOW64\Kipabjil.exeC:\Windows\system32\Kipabjil.exe120⤵PID:6040
-
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe121⤵PID:6108
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-