Analysis
-
max time kernel
90s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
15/03/2024, 23:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c4af60a36cde08f68fdff0fda778405de663db3d3e23097163d90df7aa637b88.exe
Resource
win7-20240221-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
c4af60a36cde08f68fdff0fda778405de663db3d3e23097163d90df7aa637b88.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
c4af60a36cde08f68fdff0fda778405de663db3d3e23097163d90df7aa637b88.exe
-
Size
45KB
-
MD5
3a4c4aeab3e2dbb1d954dde2c64a35ac
-
SHA1
c4216454a7cb0da0c73e264ce3ac37ab6056daf8
-
SHA256
c4af60a36cde08f68fdff0fda778405de663db3d3e23097163d90df7aa637b88
-
SHA512
a5559335ac96d71649852fd2ff26920ed084a36ee1c96c37d285658b7a4dea3a13c032611454f821ea708b07ba636e00bacee6db7cdb52d82b9f89be5e7b7629
-
SSDEEP
768:Y2/Eyy49cOdaivbapWuJBvDWBz0GaqbZlIlwIaRtVVSu6O/i+KmyOa2CeqGSu6Wq:YMy4Xdaijap76BzPZb8lwPHSu6Wi+Km6
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mipcob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqknig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pagdol32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fllpbldb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icplcpgo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jefbfgig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbabgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnapdf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pagdol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icifbang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofnckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbhkac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fafkecel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdegandp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcddpdpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iikhfg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eamhodmf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odkjng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agglboim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jplfcpin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbjlfi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojopad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Likjcbkc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncfdie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olkhmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aanjpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chdkoa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghopckpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Accfbokl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chmeobkq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkmchi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbgmcnhf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbfkbhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Andgoobc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcdmga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmemac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghlcnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpjlklok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgfqmfde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmpcfdmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjfaeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mncmjfmk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Echknh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfembo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npcoakfp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nljofl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpnchp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lenamdem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcmabg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onjegled.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beglgani.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcagphom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlopkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojllan32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnakhkol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmngqdpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbefaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kboljk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klgqcqkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kepelfam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odednmpm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehgqln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibqpimpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mncmjfmk.exe -
Executes dropped EXE 64 IoCs
pid Process 4492 Lphfpbdi.exe 4960 Lgbnmm32.exe 676 Mjqjih32.exe 2752 Mahbje32.exe 4796 Mciobn32.exe 2412 Mkpgck32.exe 3928 Mnocof32.exe 856 Mcklgm32.exe 3856 Mkbchk32.exe 4732 Mnapdf32.exe 3092 Mpolqa32.exe 2504 Mcnhmm32.exe 3116 Mkepnjng.exe 452 Mncmjfmk.exe 4596 Mpaifalo.exe 1324 Mcpebmkb.exe 1428 Mkgmcjld.exe 2828 Mnfipekh.exe 4548 Mdpalp32.exe 4592 Mcbahlip.exe 3348 Nkjjij32.exe 1836 Nqfbaq32.exe 2500 Nnjbke32.exe 2308 Ncgkcl32.exe 4264 Nbhkac32.exe 4744 Ndghmo32.exe 1212 Ngedij32.exe 328 Nbkhfc32.exe 3756 Ndidbn32.exe 4376 Nbmelbid.exe 3888 Ncnadk32.exe 920 Ojhiqefo.exe 4676 Oboaabga.exe 2296 Ogljjiei.exe 3432 Onfbfc32.exe 4276 Oqdoboli.exe 3412 Occkojkm.exe 3328 Ojmcld32.exe 4828 Obdkma32.exe 2884 Ocegdjij.exe 4748 Ojopad32.exe 4488 Obfhba32.exe 4940 Odednmpm.exe 2740 Okolkg32.exe 4332 Oqkdcn32.exe 2032 Pgemphmn.exe 4088 Pnpemb32.exe 3984 Pqnaim32.exe 2448 Pghieg32.exe 4772 Pjffbc32.exe 1376 Pbmncp32.exe 4908 Peljol32.exe 4524 Pgjfkg32.exe 3380 Pabkdmpi.exe 1932 Pcagphom.exe 3820 Pkhoae32.exe 3640 Pnfkma32.exe 2096 Peqcjkfp.exe 1676 Pkjlge32.exe 4380 Pjmlbbdg.exe 4204 Pagdol32.exe 1904 Qcepkg32.exe 3320 Qjpiha32.exe 3472 Qjbena32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hipegc32.dll Pjffbc32.exe File created C:\Windows\SysWOW64\Cnnobj32.dll Acocaf32.exe File created C:\Windows\SysWOW64\Chghdqbf.exe Cehkhecb.exe File opened for modification C:\Windows\SysWOW64\Jeklag32.exe Jblpek32.exe File created C:\Windows\SysWOW64\Daconoae.exe Dodbbdbb.exe File created C:\Windows\SysWOW64\Gfniiokn.dll Pcagphom.exe File opened for modification C:\Windows\SysWOW64\Hodgkc32.exe Hmfkoh32.exe File created C:\Windows\SysWOW64\Hhmkaf32.dll Mpjlklok.exe File created C:\Windows\SysWOW64\Mgimcebb.exe Mcmabg32.exe File created C:\Windows\SysWOW64\Pdmpje32.exe Pqbdjfln.exe File created C:\Windows\SysWOW64\Odegmceb.dll Mnapdf32.exe File opened for modification C:\Windows\SysWOW64\Foabofnn.exe Fhgjblfq.exe File created C:\Windows\SysWOW64\Olfdahne.dll Cmiflbel.exe File opened for modification C:\Windows\SysWOW64\Mkbchk32.exe Mcklgm32.exe File created C:\Windows\SysWOW64\Camphf32.exe Conclk32.exe File created C:\Windows\SysWOW64\Mplhql32.exe Mlampmdo.exe File created C:\Windows\SysWOW64\Gmdlbjng.dll Ajhddjfn.exe File created C:\Windows\SysWOW64\Mdmnlj32.exe Mpablkhc.exe File opened for modification C:\Windows\SysWOW64\Cjinkg32.exe Chjaol32.exe File opened for modification C:\Windows\SysWOW64\Occkojkm.exe Oqdoboli.exe File created C:\Windows\SysWOW64\Pagdol32.exe Pjmlbbdg.exe File created C:\Windows\SysWOW64\Bjbndobo.exe Blpnib32.exe File created C:\Windows\SysWOW64\Mcgdgamg.dll Cajcbgml.exe File created C:\Windows\SysWOW64\Mpjlklok.exe Mlopkm32.exe File created C:\Windows\SysWOW64\Jfaklh32.dll Kemhff32.exe File created C:\Windows\SysWOW64\Bkjlibkf.dll Mlhbal32.exe File created C:\Windows\SysWOW64\Agjhgngj.exe Aqppkd32.exe File created C:\Windows\SysWOW64\Bdknoa32.dll Nbhkac32.exe File created C:\Windows\SysWOW64\Qjpiha32.exe Qcepkg32.exe File opened for modification C:\Windows\SysWOW64\Anbkio32.exe Acmflf32.exe File created C:\Windows\SysWOW64\Hkkhqd32.exe Himldi32.exe File opened for modification C:\Windows\SysWOW64\Jpijnqkp.exe Jioaqfcc.exe File opened for modification C:\Windows\SysWOW64\Bcoenmao.exe Belebq32.exe File created C:\Windows\SysWOW64\Cjpckf32.exe Cfdhkhjj.exe File created C:\Windows\SysWOW64\Fnmnbf32.dll Dfnjafap.exe File created C:\Windows\SysWOW64\Codhke32.dll Mkgmcjld.exe File created C:\Windows\SysWOW64\Opbnic32.dll Nbkhfc32.exe File opened for modification C:\Windows\SysWOW64\Eofbch32.exe Ekjfcipa.exe File opened for modification C:\Windows\SysWOW64\Ligqhc32.exe Lekehdgp.exe File opened for modification C:\Windows\SysWOW64\Cnicfe32.exe Cfbkeh32.exe File created C:\Windows\SysWOW64\Echknh32.exe Ekacmjgl.exe File created C:\Windows\SysWOW64\Lllcen32.exe Lingibiq.exe File created C:\Windows\SysWOW64\Mmbfpp32.exe Mgimcebb.exe File created C:\Windows\SysWOW64\Lgbnmm32.exe Lphfpbdi.exe File opened for modification C:\Windows\SysWOW64\Pgemphmn.exe Oqkdcn32.exe File opened for modification C:\Windows\SysWOW64\Abemjmgg.exe Ajneip32.exe File created C:\Windows\SysWOW64\Bahmfj32.exe Abemjmgg.exe File created C:\Windows\SysWOW64\Mpbbmhgf.dll Behbag32.exe File created C:\Windows\SysWOW64\Mlcadgkl.dll Docmgjhp.exe File opened for modification C:\Windows\SysWOW64\Kpjcdn32.exe Kipkhdeq.exe File created C:\Windows\SysWOW64\Qihfjd32.dll Bmbplc32.exe File opened for modification C:\Windows\SysWOW64\Pkjlge32.exe Peqcjkfp.exe File created C:\Windows\SysWOW64\Llgjjnlj.exe Lmdina32.exe File opened for modification C:\Windows\SysWOW64\Acjclpcf.exe Adgbpc32.exe File created C:\Windows\SysWOW64\Mecaoggc.dll Lphfpbdi.exe File created C:\Windows\SysWOW64\Knfoif32.dll Ojgbfocc.exe File opened for modification C:\Windows\SysWOW64\Bjfaeh32.exe Bclhhnca.exe File created C:\Windows\SysWOW64\Ajneip32.exe Adcmmeog.exe File created C:\Windows\SysWOW64\Lhclbphg.dll Fbnafb32.exe File created C:\Windows\SysWOW64\Fqqlehck.dll Helfik32.exe File opened for modification C:\Windows\SysWOW64\Iiaephpc.exe Hfcicmqp.exe File opened for modification C:\Windows\SysWOW64\Ajfhnjhq.exe Agglboim.exe File opened for modification C:\Windows\SysWOW64\Chmndlge.exe Cmgjgcgo.exe File created C:\Windows\SysWOW64\Bejogg32.exe Bblckl32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10792 10628 WerFault.exe 522 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfgkj32.dll" Nilcjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dddhpjof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Faihkbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dejpjp32.dll" Foabofnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhondp32.dll" Gkmlofol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bemlmgnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dahode32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmipecpd.dll" Fllpbldb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpebpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll" Olcbmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peqcjkfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acjjfggb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hffdjk32.dll" Blmacb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qqfmde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aqncedbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifmafkkf.dll" Gfembo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Filmeaek.dll" Qbimoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjghpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edihepnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfoiokfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baicac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmiflbel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdfibe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhfonc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iihkpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icifbang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madnnmem.dll" Lmppcbjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adgbpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebooppnl.dll" Ojmcld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaepqjpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbgbgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjpiha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boepel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll" Bjfaeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladjgikj.dll" Ofnckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll" Pnakhkol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qcgffqei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmgjgcgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll" Mpaifalo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Behbag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpijnqkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkoqfnpl.dll" Jeklag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agglboim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bchomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll" Cdfkolkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddakjkqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klohppck.dll" Chmeobkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohfjnoma.dll" Ickchq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipbdmaah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnjlpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmpcfdmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjdlbifk.dll" Jcgbco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjjplc32.dll" Kboljk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Leihbeib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcfhgi32.dll" Pabkdmpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gohibf32.dll" Cklaknjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibnccmbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mahbje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jglkll32.dll" Odednmpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Daconoae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll" Bjagjhnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acocaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iicbehnq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llemdo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4980 wrote to memory of 4492 4980 c4af60a36cde08f68fdff0fda778405de663db3d3e23097163d90df7aa637b88.exe 85 PID 4980 wrote to memory of 4492 4980 c4af60a36cde08f68fdff0fda778405de663db3d3e23097163d90df7aa637b88.exe 85 PID 4980 wrote to memory of 4492 4980 c4af60a36cde08f68fdff0fda778405de663db3d3e23097163d90df7aa637b88.exe 85 PID 4492 wrote to memory of 4960 4492 Lphfpbdi.exe 86 PID 4492 wrote to memory of 4960 4492 Lphfpbdi.exe 86 PID 4492 wrote to memory of 4960 4492 Lphfpbdi.exe 86 PID 4960 wrote to memory of 676 4960 Lgbnmm32.exe 87 PID 4960 wrote to memory of 676 4960 Lgbnmm32.exe 87 PID 4960 wrote to memory of 676 4960 Lgbnmm32.exe 87 PID 676 wrote to memory of 2752 676 Mjqjih32.exe 88 PID 676 wrote to memory of 2752 676 Mjqjih32.exe 88 PID 676 wrote to memory of 2752 676 Mjqjih32.exe 88 PID 2752 wrote to memory of 4796 2752 Mahbje32.exe 89 PID 2752 wrote to memory of 4796 2752 Mahbje32.exe 89 PID 2752 wrote to memory of 4796 2752 Mahbje32.exe 89 PID 4796 wrote to memory of 2412 4796 Mciobn32.exe 90 PID 4796 wrote to memory of 2412 4796 Mciobn32.exe 90 PID 4796 wrote to memory of 2412 4796 Mciobn32.exe 90 PID 2412 wrote to memory of 3928 2412 Mkpgck32.exe 91 PID 2412 wrote to memory of 3928 2412 Mkpgck32.exe 91 PID 2412 wrote to memory of 3928 2412 Mkpgck32.exe 91 PID 3928 wrote to memory of 856 3928 Mnocof32.exe 92 PID 3928 wrote to memory of 856 3928 Mnocof32.exe 92 PID 3928 wrote to memory of 856 3928 Mnocof32.exe 92 PID 856 wrote to memory of 3856 856 Mcklgm32.exe 93 PID 856 wrote to memory of 3856 856 Mcklgm32.exe 93 PID 856 wrote to memory of 3856 856 Mcklgm32.exe 93 PID 3856 wrote to memory of 4732 3856 Mkbchk32.exe 94 PID 3856 wrote to memory of 4732 3856 Mkbchk32.exe 94 PID 3856 wrote to memory of 4732 3856 Mkbchk32.exe 94 PID 4732 wrote to memory of 3092 4732 Mnapdf32.exe 95 PID 4732 wrote to memory of 3092 4732 Mnapdf32.exe 95 PID 4732 wrote to memory of 3092 4732 Mnapdf32.exe 95 PID 3092 wrote to memory of 2504 3092 Mpolqa32.exe 96 PID 3092 wrote to memory of 2504 3092 Mpolqa32.exe 96 PID 3092 wrote to memory of 2504 3092 Mpolqa32.exe 96 PID 2504 wrote to memory of 3116 2504 Mcnhmm32.exe 97 PID 2504 wrote to memory of 3116 2504 Mcnhmm32.exe 97 PID 2504 wrote to memory of 3116 2504 Mcnhmm32.exe 97 PID 3116 wrote to memory of 452 3116 Mkepnjng.exe 98 PID 3116 wrote to memory of 452 3116 Mkepnjng.exe 98 PID 3116 wrote to memory of 452 3116 Mkepnjng.exe 98 PID 452 wrote to memory of 4596 452 Mncmjfmk.exe 99 PID 452 wrote to memory of 4596 452 Mncmjfmk.exe 99 PID 452 wrote to memory of 4596 452 Mncmjfmk.exe 99 PID 4596 wrote to memory of 1324 4596 Mpaifalo.exe 100 PID 4596 wrote to memory of 1324 4596 Mpaifalo.exe 100 PID 4596 wrote to memory of 1324 4596 Mpaifalo.exe 100 PID 1324 wrote to memory of 1428 1324 Mcpebmkb.exe 101 PID 1324 wrote to memory of 1428 1324 Mcpebmkb.exe 101 PID 1324 wrote to memory of 1428 1324 Mcpebmkb.exe 101 PID 1428 wrote to memory of 2828 1428 Mkgmcjld.exe 102 PID 1428 wrote to memory of 2828 1428 Mkgmcjld.exe 102 PID 1428 wrote to memory of 2828 1428 Mkgmcjld.exe 102 PID 2828 wrote to memory of 4548 2828 Mnfipekh.exe 103 PID 2828 wrote to memory of 4548 2828 Mnfipekh.exe 103 PID 2828 wrote to memory of 4548 2828 Mnfipekh.exe 103 PID 4548 wrote to memory of 4592 4548 Mdpalp32.exe 104 PID 4548 wrote to memory of 4592 4548 Mdpalp32.exe 104 PID 4548 wrote to memory of 4592 4548 Mdpalp32.exe 104 PID 4592 wrote to memory of 3348 4592 Mcbahlip.exe 105 PID 4592 wrote to memory of 3348 4592 Mcbahlip.exe 105 PID 4592 wrote to memory of 3348 4592 Mcbahlip.exe 105 PID 3348 wrote to memory of 1836 3348 Nkjjij32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\c4af60a36cde08f68fdff0fda778405de663db3d3e23097163d90df7aa637b88.exe"C:\Users\Admin\AppData\Local\Temp\c4af60a36cde08f68fdff0fda778405de663db3d3e23097163d90df7aa637b88.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\Lphfpbdi.exeC:\Windows\system32\Lphfpbdi.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4492 -
C:\Windows\SysWOW64\Lgbnmm32.exeC:\Windows\system32\Lgbnmm32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Windows\SysWOW64\Mjqjih32.exeC:\Windows\system32\Mjqjih32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:676 -
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Mciobn32.exeC:\Windows\system32\Mciobn32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Mnocof32.exeC:\Windows\system32\Mnocof32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Windows\SysWOW64\Mcklgm32.exeC:\Windows\system32\Mcklgm32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\Mkbchk32.exeC:\Windows\system32\Mkbchk32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856 -
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\SysWOW64\Mpolqa32.exeC:\Windows\system32\Mpolqa32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Mkepnjng.exeC:\Windows\system32\Mkepnjng.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116 -
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Mnfipekh.exeC:\Windows\system32\Mnfipekh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
C:\Windows\SysWOW64\Nqfbaq32.exeC:\Windows\system32\Nqfbaq32.exe23⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe24⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Ncgkcl32.exeC:\Windows\system32\Ncgkcl32.exe25⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4264 -
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe27⤵
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe28⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Nbkhfc32.exeC:\Windows\system32\Nbkhfc32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:328 -
C:\Windows\SysWOW64\Ndidbn32.exeC:\Windows\system32\Ndidbn32.exe30⤵
- Executes dropped EXE
PID:3756 -
C:\Windows\SysWOW64\Nbmelbid.exeC:\Windows\system32\Nbmelbid.exe31⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Ncnadk32.exeC:\Windows\system32\Ncnadk32.exe32⤵
- Executes dropped EXE
PID:3888 -
C:\Windows\SysWOW64\Ojhiqefo.exeC:\Windows\system32\Ojhiqefo.exe33⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Oboaabga.exeC:\Windows\system32\Oboaabga.exe34⤵
- Executes dropped EXE
PID:4676 -
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe35⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Onfbfc32.exeC:\Windows\system32\Onfbfc32.exe36⤵
- Executes dropped EXE
PID:3432 -
C:\Windows\SysWOW64\Oqdoboli.exeC:\Windows\system32\Oqdoboli.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4276 -
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe38⤵
- Executes dropped EXE
PID:3412 -
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:3328 -
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe40⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Ocegdjij.exeC:\Windows\system32\Ocegdjij.exe41⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4748 -
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe43⤵
- Executes dropped EXE
PID:4488 -
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4940 -
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe45⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4332 -
C:\Windows\SysWOW64\Pgemphmn.exeC:\Windows\system32\Pgemphmn.exe47⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Pnpemb32.exeC:\Windows\system32\Pnpemb32.exe48⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe49⤵
- Executes dropped EXE
PID:3984 -
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe50⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Pjffbc32.exeC:\Windows\system32\Pjffbc32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4772 -
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe52⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe53⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Pgjfkg32.exeC:\Windows\system32\Pgjfkg32.exe54⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:3380 -
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1932 -
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe57⤵
- Executes dropped EXE
PID:3820 -
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe58⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe60⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Pjmlbbdg.exeC:\Windows\system32\Pjmlbbdg.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4380 -
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4204 -
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1904 -
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:3320 -
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe65⤵
- Executes dropped EXE
PID:3472 -
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe66⤵
- Modifies registry class
PID:3356 -
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe67⤵
- Modifies registry class
PID:4284 -
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe68⤵PID:1508
-
C:\Windows\SysWOW64\Anpncp32.exeC:\Windows\system32\Anpncp32.exe69⤵PID:208
-
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2304 -
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe71⤵
- Drops file in System32 directory
PID:2168 -
C:\Windows\SysWOW64\Anbkio32.exeC:\Windows\system32\Anbkio32.exe72⤵PID:4700
-
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe73⤵PID:4364
-
C:\Windows\SysWOW64\Acocaf32.exeC:\Windows\system32\Acocaf32.exe74⤵
- Drops file in System32 directory
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1244 -
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe76⤵PID:3560
-
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe77⤵PID:4148
-
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe78⤵PID:4144
-
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe79⤵
- Modifies registry class
PID:5092 -
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe80⤵
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe81⤵
- Drops file in System32 directory
PID:436 -
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe82⤵
- Drops file in System32 directory
PID:3304 -
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe83⤵PID:464
-
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe84⤵
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe85⤵
- Modifies registry class
PID:4520 -
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe86⤵PID:544
-
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe87⤵PID:4448
-
C:\Windows\SysWOW64\Blpnib32.exeC:\Windows\system32\Blpnib32.exe88⤵
- Drops file in System32 directory
PID:3660 -
C:\Windows\SysWOW64\Bjbndobo.exeC:\Windows\system32\Bjbndobo.exe89⤵PID:4584
-
C:\Windows\SysWOW64\Bbifelba.exeC:\Windows\system32\Bbifelba.exe90⤵PID:4340
-
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe91⤵
- Drops file in System32 directory
- Modifies registry class
PID:3144 -
C:\Windows\SysWOW64\Bhfonc32.exeC:\Windows\system32\Bhfonc32.exe92⤵
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Bjdkjo32.exeC:\Windows\system32\Bjdkjo32.exe93⤵PID:3152
-
C:\Windows\SysWOW64\Bblckl32.exeC:\Windows\system32\Bblckl32.exe94⤵
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Bejogg32.exeC:\Windows\system32\Bejogg32.exe95⤵PID:3180
-
C:\Windows\SysWOW64\Bdmpcdfm.exeC:\Windows\system32\Bdmpcdfm.exe96⤵PID:1136
-
C:\Windows\SysWOW64\Bldgdago.exeC:\Windows\system32\Bldgdago.exe97⤵PID:3664
-
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe98⤵
- Modifies registry class
PID:744 -
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe99⤵PID:4600
-
C:\Windows\SysWOW64\Bemlmgnp.exeC:\Windows\system32\Bemlmgnp.exe100⤵
- Modifies registry class
PID:3972 -
C:\Windows\SysWOW64\Bhkhibmc.exeC:\Windows\system32\Bhkhibmc.exe101⤵PID:2572
-
C:\Windows\SysWOW64\Boepel32.exeC:\Windows\system32\Boepel32.exe102⤵
- Modifies registry class
PID:3960 -
C:\Windows\SysWOW64\Cacmah32.exeC:\Windows\system32\Cacmah32.exe103⤵PID:1984
-
C:\Windows\SysWOW64\Cdainc32.exeC:\Windows\system32\Cdainc32.exe104⤵PID:1524
-
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:552 -
C:\Windows\SysWOW64\Cklaknjd.exeC:\Windows\system32\Cklaknjd.exe106⤵
- Modifies registry class
PID:4560 -
C:\Windows\SysWOW64\Cbcilkjg.exeC:\Windows\system32\Cbcilkjg.exe107⤵PID:2136
-
C:\Windows\SysWOW64\Ceaehfjj.exeC:\Windows\system32\Ceaehfjj.exe108⤵PID:608
-
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe109⤵PID:1760
-
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe110⤵PID:5164
-
C:\Windows\SysWOW64\Cbefaj32.exeC:\Windows\system32\Cbefaj32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5212 -
C:\Windows\SysWOW64\Cecbmf32.exeC:\Windows\system32\Cecbmf32.exe112⤵PID:5252
-
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe113⤵PID:5300
-
C:\Windows\SysWOW64\Ckpjfm32.exeC:\Windows\system32\Ckpjfm32.exe114⤵PID:5348
-
C:\Windows\SysWOW64\Cbgbgj32.exeC:\Windows\system32\Cbgbgj32.exe115⤵
- Modifies registry class
PID:5396 -
C:\Windows\SysWOW64\Cajcbgml.exeC:\Windows\system32\Cajcbgml.exe116⤵
- Drops file in System32 directory
PID:5440 -
C:\Windows\SysWOW64\Chdkoa32.exeC:\Windows\system32\Chdkoa32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5484 -
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe118⤵PID:5524
-
C:\Windows\SysWOW64\Conclk32.exeC:\Windows\system32\Conclk32.exe119⤵
- Drops file in System32 directory
PID:5572 -
C:\Windows\SysWOW64\Camphf32.exeC:\Windows\system32\Camphf32.exe120⤵PID:5608
-
C:\Windows\SysWOW64\Cehkhecb.exeC:\Windows\system32\Cehkhecb.exe121⤵
- Drops file in System32 directory
PID:5652
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-