Analysis
-
max time kernel
138s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
13/03/2024, 18:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3859eabd30acad93764e295d278472aed57070fecf234f16fe04e306df8e08e8.exe
Resource
win7-20240221-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
3859eabd30acad93764e295d278472aed57070fecf234f16fe04e306df8e08e8.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
3859eabd30acad93764e295d278472aed57070fecf234f16fe04e306df8e08e8.exe
-
Size
208KB
-
MD5
d0ed677bf696630766cf5a45ba866148
-
SHA1
0155cba981db326cf3cf99e7d9651a034043e04c
-
SHA256
3859eabd30acad93764e295d278472aed57070fecf234f16fe04e306df8e08e8
-
SHA512
44fd4d76e474bae898b0a0493bd707dd30d1c22fe14b7d350f79a7d7738444c7a423407120bbf32d3d6e1817a9ca60a58665107a6d7b998a220bd63c388da0cd
-
SSDEEP
3072:nZNeku+wUMnAUAKaj6+JB8M6m9jqLsFmsdYXmLlcJVIZen+Vcv2JBwwRBkBnRePS:beXblnNAKaj6MB8MhjwszeXmr8SeNpgg
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liekmj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkkhqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibnccmbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibqpimpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcpnhfhf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aihfanhg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehekqe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgcknmop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njogjfoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqdoboli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgekbljc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbpgbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncfdie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baojaoke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiibkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngedij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldanqkki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmemac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cakjmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibojncfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogljjiei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fomhdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldleel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnnlaehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmmfmbhn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiffen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbgdlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddmaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmficqpc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmlnbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nceonl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odnnnnfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojopad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heocnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmfkoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lffhfh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npmagine.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anmjcieo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdfkolkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmjqmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncnadk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coojfa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dofpgqji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhidjpqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdhmnlcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiefcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnjnnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iapjlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojjffddl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edihepnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkfoeega.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibccic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkljak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fakdpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gokdeeec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkfkfohj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpccnefa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmhfhp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjeddggd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dafbne32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aldegj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpklpkio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imfdff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfaedkdp.exe -
Executes dropped EXE 64 IoCs
pid Process 2392 Obikbgbb.exe 3140 Oiccoa32.exe 1984 Piepdahl.exe 4464 Pnbimhfd.exe 1552 Pelaib32.exe 3164 Plfiflen.exe 4804 Peonoaln.exe 1956 Phmjkmka.exe 4192 Pbbnhfjh.exe 4896 Phpfqmio.exe 4348 Pniomgpl.exe 4900 Phbcfl32.exe 1548 Qpikgj32.exe 2400 Qefdpq32.exe 2952 Qlpllkmc.exe 2488 Qnnhhflf.exe 1724 Qehqepcc.exe 4424 Ablaodbm.exe 1572 Aldegj32.exe 4456 Aocace32.exe 4088 Aihfanhg.exe 696 Aackeqeb.exe 3244 Ahncbk32.exe 8 Abcgoc32.exe 1236 Aimoln32.exe 1568 Apggihko.exe 4956 Ahblmjhj.exe 1004 Bpidngil.exe 1176 Befmfngc.exe 4364 Bbjmpb32.exe 1124 Bhgehi32.exe 3236 Bpnnig32.exe 3796 Baojaoke.exe 4576 Bhibni32.exe 1052 Bockjc32.exe 816 Bemcgmak.exe 4672 Bhlocipo.exe 1892 Boegpc32.exe 3784 Badcln32.exe 2972 Bikkml32.exe 844 Cohdebfi.exe 4480 Cafpanem.exe 2332 Cimhckeo.exe 5112 Cojqkbdf.exe 3536 Cedihl32.exe 64 Chbedh32.exe 4372 Commqb32.exe 5052 Cakjmm32.exe 3120 Cibank32.exe 2968 Cpljkdig.exe 4868 Coojfa32.exe 1032 Camfbm32.exe 2840 Cidncj32.exe 2012 Coagla32.exe 4024 Cekohk32.exe 1648 Dlegeemh.exe 3552 Doccaall.exe 3672 Dabpnlkp.exe 3252 Dofpgqji.exe 1508 Dadlclim.exe 4172 Dpemacql.exe 932 Dcdimopp.exe 432 Djnaji32.exe 2436 Dllmfd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pbddcoei.exe Pkjlge32.exe File created C:\Windows\SysWOW64\Cehkhecb.exe Cbjoljdo.exe File created C:\Windows\SysWOW64\Ifhiib32.exe Icjmmg32.exe File created C:\Windows\SysWOW64\Kjmidh32.dll Oqdoboli.exe File created C:\Windows\SysWOW64\Jcbdhp32.dll Dhmgki32.exe File created C:\Windows\SysWOW64\Higchddh.dll Dahode32.exe File opened for modification C:\Windows\SysWOW64\Ehgqln32.exe Eeidoc32.exe File created C:\Windows\SysWOW64\Doqpak32.exe Clbceo32.exe File created C:\Windows\SysWOW64\Nnbnoffm.dll Jblpek32.exe File created C:\Windows\SysWOW64\Bnkgeg32.exe Bfdodjhm.exe File opened for modification C:\Windows\SysWOW64\Jeaikh32.exe Ibcmom32.exe File created C:\Windows\SysWOW64\Gleeed32.dll Ncnadk32.exe File opened for modification C:\Windows\SysWOW64\Aacckjaf.exe Alfkbc32.exe File created C:\Windows\SysWOW64\Lifoip32.dll Cafpanem.exe File created C:\Windows\SysWOW64\Cefoce32.exe Cbgbgj32.exe File created C:\Windows\SysWOW64\Bbgkjl32.dll Lcdegnep.exe File created C:\Windows\SysWOW64\Deblhkch.dll Nbmelbid.exe File created C:\Windows\SysWOW64\Aegikj32.exe Qnnanphk.exe File created C:\Windows\SysWOW64\Adcmmeog.exe Abbpem32.exe File created C:\Windows\SysWOW64\Oneklm32.exe Ojjolnaq.exe File created C:\Windows\SysWOW64\Mohcka32.dll Ahncbk32.exe File created C:\Windows\SysWOW64\Gbcakg32.exe Fqaeco32.exe File created C:\Windows\SysWOW64\Eeopdi32.dll Ijfboafl.exe File created C:\Windows\SysWOW64\Mmnldp32.exe Megdccmb.exe File opened for modification C:\Windows\SysWOW64\Iiffen32.exe Ifhiib32.exe File created C:\Windows\SysWOW64\Kmgdgjek.exe Kilhgk32.exe File opened for modification C:\Windows\SysWOW64\Dlgmpogj.exe Dhkapp32.exe File opened for modification C:\Windows\SysWOW64\Lmiciaaj.exe Lingibiq.exe File created C:\Windows\SysWOW64\Dmllipeg.exe Dknpmdfc.exe File created C:\Windows\SysWOW64\Ekbpea32.dll Qnnhhflf.exe File opened for modification C:\Windows\SysWOW64\Gameonno.exe Gifmnpnl.exe File created C:\Windows\SysWOW64\Gjdlbifk.dll Jcgbco32.exe File opened for modification C:\Windows\SysWOW64\Gbcakg32.exe Fqaeco32.exe File created C:\Windows\SysWOW64\Clpgpp32.exe Chdkoa32.exe File created C:\Windows\SysWOW64\Ohbkfake.dll Oncofm32.exe File created C:\Windows\SysWOW64\Ojigmkeg.dll Djpnohej.exe File opened for modification C:\Windows\SysWOW64\Hbbdholl.exe Hodgkc32.exe File opened for modification C:\Windows\SysWOW64\Ficgacna.exe Fbioei32.exe File opened for modification C:\Windows\SysWOW64\Flnlhk32.exe Fhcpgmjf.exe File opened for modification C:\Windows\SysWOW64\Ahblmjhj.exe Apggihko.exe File created C:\Windows\SysWOW64\Bppheeep.dll Eqfeha32.exe File created C:\Windows\SysWOW64\Ngmgne32.exe Ndokbi32.exe File opened for modification C:\Windows\SysWOW64\Aabmqd32.exe Afmhck32.exe File created C:\Windows\SysWOW64\Cahfmgoo.exe Cojjqlpk.exe File created C:\Windows\SysWOW64\Kjiccacq.dll Mmbfpp32.exe File opened for modification C:\Windows\SysWOW64\Bjdkjo32.exe Bdkcmdhp.exe File created C:\Windows\SysWOW64\Jfenmm32.dll Mmpijp32.exe File opened for modification C:\Windows\SysWOW64\Jplmmfmi.exe Jjpeepnb.exe File created C:\Windows\SysWOW64\Hmfkoh32.exe Heocnk32.exe File opened for modification C:\Windows\SysWOW64\Kplpjn32.exe Kibgmdcn.exe File opened for modification C:\Windows\SysWOW64\Iannfk32.exe Iiffen32.exe File created C:\Windows\SysWOW64\Kbmebabl.dll Iiffen32.exe File opened for modification C:\Windows\SysWOW64\Cimhckeo.exe Cafpanem.exe File created C:\Windows\SysWOW64\Ipqnahgf.exe Iannfk32.exe File created C:\Windows\SysWOW64\Eohipl32.dll Nloiakho.exe File created C:\Windows\SysWOW64\Pelaib32.exe Pnbimhfd.exe File created C:\Windows\SysWOW64\Camjdd32.dll Obidhaog.exe File created C:\Windows\SysWOW64\Nbdgmn32.dll Bemcgmak.exe File created C:\Windows\SysWOW64\Dlgmpogj.exe Dhkapp32.exe File created C:\Windows\SysWOW64\Oncofm32.exe Ogifjcdp.exe File created C:\Windows\SysWOW64\Pfjcgn32.exe Pclgkb32.exe File opened for modification C:\Windows\SysWOW64\Oiccoa32.exe Obikbgbb.exe File created C:\Windows\SysWOW64\Kohgjl32.dll Phpfqmio.exe File created C:\Windows\SysWOW64\Qcldhk32.dll Mcnhmm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 14524 1300 WerFault.exe 760 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkkhqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfhdlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmqcaaj.dll" Bikkml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibadbaha.dll" Haggelfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqklmpdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qceiaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnbimhfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imdhga32.dll" Cafigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncianepl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbocea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oneklm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eeidoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgagbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejjqeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iiffen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adapgfqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll" Olhlhjpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnnlaehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkgqfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdqgmmjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqhacgdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpfco32.dll" Doqpak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbeedbdm.dll" Lmppcbjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfaigm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onklabip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aacckjaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocgdji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dccbbhld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll" Ddmaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkkcge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qehqepcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfjdddho.dll" Dfdbojmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdmai32.dll" Odapnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nepgjaeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnkgeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Commqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjapmdid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oekgfqeg.dll" Hodgkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icgjmapi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddeok32.dll" Npjebj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Camfbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cafigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlijfneg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfhdlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll" Lcdegnep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecandfpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoohalad.dll" Kpbmco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nilcjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll" Pmoahijl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkefnli.dll" Hjjbcbqj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kibgmdcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldjhpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfcgge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkdggmlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfdodjhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcjdcc32.dll" Boegpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aldomc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjpaooda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bapolp32.dll" Dddojq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nekfmb32.dll" Heocnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mipcob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcppfaka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aihfanhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbdmpqcb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3804 wrote to memory of 2392 3804 3859eabd30acad93764e295d278472aed57070fecf234f16fe04e306df8e08e8.exe 91 PID 3804 wrote to memory of 2392 3804 3859eabd30acad93764e295d278472aed57070fecf234f16fe04e306df8e08e8.exe 91 PID 3804 wrote to memory of 2392 3804 3859eabd30acad93764e295d278472aed57070fecf234f16fe04e306df8e08e8.exe 91 PID 2392 wrote to memory of 3140 2392 Obikbgbb.exe 92 PID 2392 wrote to memory of 3140 2392 Obikbgbb.exe 92 PID 2392 wrote to memory of 3140 2392 Obikbgbb.exe 92 PID 3140 wrote to memory of 1984 3140 Oiccoa32.exe 93 PID 3140 wrote to memory of 1984 3140 Oiccoa32.exe 93 PID 3140 wrote to memory of 1984 3140 Oiccoa32.exe 93 PID 1984 wrote to memory of 4464 1984 Piepdahl.exe 94 PID 1984 wrote to memory of 4464 1984 Piepdahl.exe 94 PID 1984 wrote to memory of 4464 1984 Piepdahl.exe 94 PID 4464 wrote to memory of 1552 4464 Pnbimhfd.exe 95 PID 4464 wrote to memory of 1552 4464 Pnbimhfd.exe 95 PID 4464 wrote to memory of 1552 4464 Pnbimhfd.exe 95 PID 1552 wrote to memory of 3164 1552 Pelaib32.exe 96 PID 1552 wrote to memory of 3164 1552 Pelaib32.exe 96 PID 1552 wrote to memory of 3164 1552 Pelaib32.exe 96 PID 3164 wrote to memory of 4804 3164 Plfiflen.exe 97 PID 3164 wrote to memory of 4804 3164 Plfiflen.exe 97 PID 3164 wrote to memory of 4804 3164 Plfiflen.exe 97 PID 4804 wrote to memory of 1956 4804 Peonoaln.exe 98 PID 4804 wrote to memory of 1956 4804 Peonoaln.exe 98 PID 4804 wrote to memory of 1956 4804 Peonoaln.exe 98 PID 1956 wrote to memory of 4192 1956 Phmjkmka.exe 99 PID 1956 wrote to memory of 4192 1956 Phmjkmka.exe 99 PID 1956 wrote to memory of 4192 1956 Phmjkmka.exe 99 PID 4192 wrote to memory of 4896 4192 Pbbnhfjh.exe 100 PID 4192 wrote to memory of 4896 4192 Pbbnhfjh.exe 100 PID 4192 wrote to memory of 4896 4192 Pbbnhfjh.exe 100 PID 4896 wrote to memory of 4348 4896 Phpfqmio.exe 101 PID 4896 wrote to memory of 4348 4896 Phpfqmio.exe 101 PID 4896 wrote to memory of 4348 4896 Phpfqmio.exe 101 PID 4348 wrote to memory of 4900 4348 Pniomgpl.exe 102 PID 4348 wrote to memory of 4900 4348 Pniomgpl.exe 102 PID 4348 wrote to memory of 4900 4348 Pniomgpl.exe 102 PID 4900 wrote to memory of 1548 4900 Phbcfl32.exe 103 PID 4900 wrote to memory of 1548 4900 Phbcfl32.exe 103 PID 4900 wrote to memory of 1548 4900 Phbcfl32.exe 103 PID 1548 wrote to memory of 2400 1548 Qpikgj32.exe 104 PID 1548 wrote to memory of 2400 1548 Qpikgj32.exe 104 PID 1548 wrote to memory of 2400 1548 Qpikgj32.exe 104 PID 2400 wrote to memory of 2952 2400 Qefdpq32.exe 105 PID 2400 wrote to memory of 2952 2400 Qefdpq32.exe 105 PID 2400 wrote to memory of 2952 2400 Qefdpq32.exe 105 PID 2952 wrote to memory of 2488 2952 Qlpllkmc.exe 106 PID 2952 wrote to memory of 2488 2952 Qlpllkmc.exe 106 PID 2952 wrote to memory of 2488 2952 Qlpllkmc.exe 106 PID 2488 wrote to memory of 1724 2488 Qnnhhflf.exe 107 PID 2488 wrote to memory of 1724 2488 Qnnhhflf.exe 107 PID 2488 wrote to memory of 1724 2488 Qnnhhflf.exe 107 PID 1724 wrote to memory of 4424 1724 Qehqepcc.exe 109 PID 1724 wrote to memory of 4424 1724 Qehqepcc.exe 109 PID 1724 wrote to memory of 4424 1724 Qehqepcc.exe 109 PID 4424 wrote to memory of 1572 4424 Ablaodbm.exe 110 PID 4424 wrote to memory of 1572 4424 Ablaodbm.exe 110 PID 4424 wrote to memory of 1572 4424 Ablaodbm.exe 110 PID 1572 wrote to memory of 4456 1572 Aldegj32.exe 111 PID 1572 wrote to memory of 4456 1572 Aldegj32.exe 111 PID 1572 wrote to memory of 4456 1572 Aldegj32.exe 111 PID 4456 wrote to memory of 4088 4456 Aocace32.exe 112 PID 4456 wrote to memory of 4088 4456 Aocace32.exe 112 PID 4456 wrote to memory of 4088 4456 Aocace32.exe 112 PID 4088 wrote to memory of 696 4088 Aihfanhg.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\3859eabd30acad93764e295d278472aed57070fecf234f16fe04e306df8e08e8.exe"C:\Users\Admin\AppData\Local\Temp\3859eabd30acad93764e295d278472aed57070fecf234f16fe04e306df8e08e8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3804 -
C:\Windows\SysWOW64\Obikbgbb.exeC:\Windows\system32\Obikbgbb.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Oiccoa32.exeC:\Windows\system32\Oiccoa32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
C:\Windows\SysWOW64\Piepdahl.exeC:\Windows\system32\Piepdahl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Pnbimhfd.exeC:\Windows\system32\Pnbimhfd.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4464 -
C:\Windows\SysWOW64\Pelaib32.exeC:\Windows\system32\Pelaib32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\Plfiflen.exeC:\Windows\system32\Plfiflen.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
C:\Windows\SysWOW64\Peonoaln.exeC:\Windows\system32\Peonoaln.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\SysWOW64\Phmjkmka.exeC:\Windows\system32\Phmjkmka.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Pbbnhfjh.exeC:\Windows\system32\Pbbnhfjh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Windows\SysWOW64\Phpfqmio.exeC:\Windows\system32\Phpfqmio.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Windows\SysWOW64\Pniomgpl.exeC:\Windows\system32\Pniomgpl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\Windows\SysWOW64\Phbcfl32.exeC:\Windows\system32\Phbcfl32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\Qpikgj32.exeC:\Windows\system32\Qpikgj32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Qefdpq32.exeC:\Windows\system32\Qefdpq32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Qlpllkmc.exeC:\Windows\system32\Qlpllkmc.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Qnnhhflf.exeC:\Windows\system32\Qnnhhflf.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Qehqepcc.exeC:\Windows\system32\Qehqepcc.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Ablaodbm.exeC:\Windows\system32\Ablaodbm.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\SysWOW64\Aldegj32.exeC:\Windows\system32\Aldegj32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Aocace32.exeC:\Windows\system32\Aocace32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Windows\SysWOW64\Aihfanhg.exeC:\Windows\system32\Aihfanhg.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Windows\SysWOW64\Aackeqeb.exeC:\Windows\system32\Aackeqeb.exe23⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Ahncbk32.exeC:\Windows\system32\Ahncbk32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3244 -
C:\Windows\SysWOW64\Abcgoc32.exeC:\Windows\system32\Abcgoc32.exe25⤵
- Executes dropped EXE
PID:8 -
C:\Windows\SysWOW64\Aimoln32.exeC:\Windows\system32\Aimoln32.exe26⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Apggihko.exeC:\Windows\system32\Apggihko.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1568 -
C:\Windows\SysWOW64\Ahblmjhj.exeC:\Windows\system32\Ahblmjhj.exe28⤵
- Executes dropped EXE
PID:4956 -
C:\Windows\SysWOW64\Bpidngil.exeC:\Windows\system32\Bpidngil.exe29⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Befmfngc.exeC:\Windows\system32\Befmfngc.exe30⤵
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Bbjmpb32.exeC:\Windows\system32\Bbjmpb32.exe31⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Bhgehi32.exeC:\Windows\system32\Bhgehi32.exe32⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Bpnnig32.exeC:\Windows\system32\Bpnnig32.exe33⤵
- Executes dropped EXE
PID:3236 -
C:\Windows\SysWOW64\Baojaoke.exeC:\Windows\system32\Baojaoke.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3796 -
C:\Windows\SysWOW64\Bhibni32.exeC:\Windows\system32\Bhibni32.exe35⤵
- Executes dropped EXE
PID:4576 -
C:\Windows\SysWOW64\Bockjc32.exeC:\Windows\system32\Bockjc32.exe36⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Bemcgmak.exeC:\Windows\system32\Bemcgmak.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:816 -
C:\Windows\SysWOW64\Bhlocipo.exeC:\Windows\system32\Bhlocipo.exe38⤵
- Executes dropped EXE
PID:4672 -
C:\Windows\SysWOW64\Boegpc32.exeC:\Windows\system32\Boegpc32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1892 -
C:\Windows\SysWOW64\Badcln32.exeC:\Windows\system32\Badcln32.exe40⤵
- Executes dropped EXE
PID:3784 -
C:\Windows\SysWOW64\Bikkml32.exeC:\Windows\system32\Bikkml32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Cohdebfi.exeC:\Windows\system32\Cohdebfi.exe42⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Cafpanem.exeC:\Windows\system32\Cafpanem.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4480 -
C:\Windows\SysWOW64\Cimhckeo.exeC:\Windows\system32\Cimhckeo.exe44⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Cojqkbdf.exeC:\Windows\system32\Cojqkbdf.exe45⤵
- Executes dropped EXE
PID:5112 -
C:\Windows\SysWOW64\Cedihl32.exeC:\Windows\system32\Cedihl32.exe46⤵
- Executes dropped EXE
PID:3536 -
C:\Windows\SysWOW64\Chbedh32.exeC:\Windows\system32\Chbedh32.exe47⤵
- Executes dropped EXE
PID:64 -
C:\Windows\SysWOW64\Commqb32.exeC:\Windows\system32\Commqb32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:4372 -
C:\Windows\SysWOW64\Cakjmm32.exeC:\Windows\system32\Cakjmm32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Cibank32.exeC:\Windows\system32\Cibank32.exe50⤵
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Cpljkdig.exeC:\Windows\system32\Cpljkdig.exe51⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Coojfa32.exeC:\Windows\system32\Coojfa32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Camfbm32.exeC:\Windows\system32\Camfbm32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:1032 -
C:\Windows\SysWOW64\Cidncj32.exeC:\Windows\system32\Cidncj32.exe54⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Coagla32.exeC:\Windows\system32\Coagla32.exe55⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Cekohk32.exeC:\Windows\system32\Cekohk32.exe56⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Dlegeemh.exeC:\Windows\system32\Dlegeemh.exe57⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Doccaall.exeC:\Windows\system32\Doccaall.exe58⤵
- Executes dropped EXE
PID:3552 -
C:\Windows\SysWOW64\Dabpnlkp.exeC:\Windows\system32\Dabpnlkp.exe59⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Dofpgqji.exeC:\Windows\system32\Dofpgqji.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Dadlclim.exeC:\Windows\system32\Dadlclim.exe61⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Dpemacql.exeC:\Windows\system32\Dpemacql.exe62⤵
- Executes dropped EXE
PID:4172 -
C:\Windows\SysWOW64\Dcdimopp.exeC:\Windows\system32\Dcdimopp.exe63⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Djnaji32.exeC:\Windows\system32\Djnaji32.exe64⤵
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Dllmfd32.exeC:\Windows\system32\Dllmfd32.exe65⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Dcfebonm.exeC:\Windows\system32\Dcfebonm.exe66⤵PID:2504
-
C:\Windows\SysWOW64\Dfdbojmq.exeC:\Windows\system32\Dfdbojmq.exe67⤵
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Djpnohej.exeC:\Windows\system32\Djpnohej.exe68⤵
- Drops file in System32 directory
PID:4852 -
C:\Windows\SysWOW64\Dlojkddn.exeC:\Windows\system32\Dlojkddn.exe69⤵PID:2508
-
C:\Windows\SysWOW64\Dchbhn32.exeC:\Windows\system32\Dchbhn32.exe70⤵PID:332
-
C:\Windows\SysWOW64\Efgodj32.exeC:\Windows\system32\Efgodj32.exe71⤵PID:1604
-
C:\Windows\SysWOW64\Ehekqe32.exeC:\Windows\system32\Ehekqe32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5128 -
C:\Windows\SysWOW64\Eoocmoao.exeC:\Windows\system32\Eoocmoao.exe73⤵PID:5176
-
C:\Windows\SysWOW64\Ebnoikqb.exeC:\Windows\system32\Ebnoikqb.exe74⤵PID:5216
-
C:\Windows\SysWOW64\Ejegjh32.exeC:\Windows\system32\Ejegjh32.exe75⤵PID:5256
-
C:\Windows\SysWOW64\Elccfc32.exeC:\Windows\system32\Elccfc32.exe76⤵PID:5292
-
C:\Windows\SysWOW64\Eoapbo32.exeC:\Windows\system32\Eoapbo32.exe77⤵PID:5336
-
C:\Windows\SysWOW64\Ecmlcmhe.exeC:\Windows\system32\Ecmlcmhe.exe78⤵PID:5372
-
C:\Windows\SysWOW64\Ejgdpg32.exeC:\Windows\system32\Ejgdpg32.exe79⤵PID:5412
-
C:\Windows\SysWOW64\Eqalmafo.exeC:\Windows\system32\Eqalmafo.exe80⤵PID:5456
-
C:\Windows\SysWOW64\Ecphimfb.exeC:\Windows\system32\Ecphimfb.exe81⤵PID:5500
-
C:\Windows\SysWOW64\Efneehef.exeC:\Windows\system32\Efneehef.exe82⤵PID:5540
-
C:\Windows\SysWOW64\Ejjqeg32.exeC:\Windows\system32\Ejjqeg32.exe83⤵
- Modifies registry class
PID:5584 -
C:\Windows\SysWOW64\Eqciba32.exeC:\Windows\system32\Eqciba32.exe84⤵PID:5628
-
C:\Windows\SysWOW64\Efpajh32.exeC:\Windows\system32\Efpajh32.exe85⤵PID:5676
-
C:\Windows\SysWOW64\Emjjgbjp.exeC:\Windows\system32\Emjjgbjp.exe86⤵PID:5716
-
C:\Windows\SysWOW64\Eqfeha32.exeC:\Windows\system32\Eqfeha32.exe87⤵
- Drops file in System32 directory
PID:5752 -
C:\Windows\SysWOW64\Fbgbpihg.exeC:\Windows\system32\Fbgbpihg.exe88⤵PID:5804
-
C:\Windows\SysWOW64\Fmmfmbhn.exeC:\Windows\system32\Fmmfmbhn.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5844 -
C:\Windows\SysWOW64\Fokbim32.exeC:\Windows\system32\Fokbim32.exe90⤵PID:5888
-
C:\Windows\SysWOW64\Fbioei32.exeC:\Windows\system32\Fbioei32.exe91⤵
- Drops file in System32 directory
PID:5928 -
C:\Windows\SysWOW64\Ficgacna.exeC:\Windows\system32\Ficgacna.exe92⤵PID:5976
-
C:\Windows\SysWOW64\Fqkocpod.exeC:\Windows\system32\Fqkocpod.exe93⤵PID:6020
-
C:\Windows\SysWOW64\Fbllkh32.exeC:\Windows\system32\Fbllkh32.exe94⤵PID:6068
-
C:\Windows\SysWOW64\Ffggkgmk.exeC:\Windows\system32\Ffggkgmk.exe95⤵PID:6108
-
C:\Windows\SysWOW64\Fifdgblo.exeC:\Windows\system32\Fifdgblo.exe96⤵PID:944
-
C:\Windows\SysWOW64\Fopldmcl.exeC:\Windows\system32\Fopldmcl.exe97⤵PID:5192
-
C:\Windows\SysWOW64\Fbnhphbp.exeC:\Windows\system32\Fbnhphbp.exe98⤵PID:5264
-
C:\Windows\SysWOW64\Fjepaecb.exeC:\Windows\system32\Fjepaecb.exe99⤵PID:5332
-
C:\Windows\SysWOW64\Fmclmabe.exeC:\Windows\system32\Fmclmabe.exe100⤵PID:5424
-
C:\Windows\SysWOW64\Fobiilai.exeC:\Windows\system32\Fobiilai.exe101⤵PID:5492
-
C:\Windows\SysWOW64\Fbqefhpm.exeC:\Windows\system32\Fbqefhpm.exe102⤵PID:5572
-
C:\Windows\SysWOW64\Fjhmgeao.exeC:\Windows\system32\Fjhmgeao.exe103⤵PID:5644
-
C:\Windows\SysWOW64\Fmficqpc.exeC:\Windows\system32\Fmficqpc.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5696 -
C:\Windows\SysWOW64\Fqaeco32.exeC:\Windows\system32\Fqaeco32.exe105⤵
- Drops file in System32 directory
PID:5792 -
C:\Windows\SysWOW64\Gbcakg32.exeC:\Windows\system32\Gbcakg32.exe106⤵PID:5876
-
C:\Windows\SysWOW64\Gmhfhp32.exeC:\Windows\system32\Gmhfhp32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5964 -
C:\Windows\SysWOW64\Gbenqg32.exeC:\Windows\system32\Gbenqg32.exe108⤵PID:6028
-
C:\Windows\SysWOW64\Gjlfbd32.exeC:\Windows\system32\Gjlfbd32.exe109⤵PID:6100
-
C:\Windows\SysWOW64\Goiojk32.exeC:\Windows\system32\Goiojk32.exe110⤵PID:6124
-
C:\Windows\SysWOW64\Gfcgge32.exeC:\Windows\system32\Gfcgge32.exe111⤵
- Modifies registry class
PID:5244 -
C:\Windows\SysWOW64\Giacca32.exeC:\Windows\system32\Giacca32.exe112⤵PID:5368
-
C:\Windows\SysWOW64\Gmmocpjk.exeC:\Windows\system32\Gmmocpjk.exe113⤵PID:5440
-
C:\Windows\SysWOW64\Gpklpkio.exeC:\Windows\system32\Gpklpkio.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5568 -
C:\Windows\SysWOW64\Gbjhlfhb.exeC:\Windows\system32\Gbjhlfhb.exe115⤵PID:5736
-
C:\Windows\SysWOW64\Gjapmdid.exeC:\Windows\system32\Gjapmdid.exe116⤵
- Modifies registry class
PID:5856 -
C:\Windows\SysWOW64\Gmoliohh.exeC:\Windows\system32\Gmoliohh.exe117⤵PID:5952
-
C:\Windows\SysWOW64\Gqkhjn32.exeC:\Windows\system32\Gqkhjn32.exe118⤵PID:6080
-
C:\Windows\SysWOW64\Gcidfi32.exeC:\Windows\system32\Gcidfi32.exe119⤵PID:5184
-
C:\Windows\SysWOW64\Gjclbc32.exeC:\Windows\system32\Gjclbc32.exe120⤵PID:5320
-
C:\Windows\SysWOW64\Gifmnpnl.exeC:\Windows\system32\Gifmnpnl.exe121⤵
- Drops file in System32 directory
PID:5532
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-