Analysis
-
max time kernel
124s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
19-03-2024 20:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
572ae8eb906e60654d9480cdc1fefb5bbfe5322dce1f8d3e13f8eb7217e9305e.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
572ae8eb906e60654d9480cdc1fefb5bbfe5322dce1f8d3e13f8eb7217e9305e.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
572ae8eb906e60654d9480cdc1fefb5bbfe5322dce1f8d3e13f8eb7217e9305e.exe
-
Size
400KB
-
MD5
c8cabf429b46b8aed74f418fe44c4e10
-
SHA1
734479a439618d233fe22ba85b6a0a523796e98a
-
SHA256
572ae8eb906e60654d9480cdc1fefb5bbfe5322dce1f8d3e13f8eb7217e9305e
-
SHA512
5de498288168869bdf0df87e7242014608b973de1cf4d14d9b142cca1a1039582fa51ba27722dd5b8fd068d938d0d0115e545cd89641bb0e5251916a3c1d12e2
-
SSDEEP
6144:9rBvldZV4U/vlf0DrBqvl8ZV4U/vlfl+9DvlEZV4U/vlf0DrBqvl8ZV1:9rBvF6IveDVqvQ6IvYvc6IveDVqvQ/
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogjmnomi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klgqmfpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olaeqp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nimioo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflmep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqopqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edihof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iifodmak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhkcfmbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hggonfbm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inhgaipf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjhalkjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoepmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfoapo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niifnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehfjkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhglhi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnjqhcno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkdgqbag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkeonggf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhgfoioi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgjglg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmncgh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olcbfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehfjkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npgalidl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebagdddp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbiamd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edakimoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mobbdf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eihcln32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opgloh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnacfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cchikf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efgono32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdkgam32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nonbqd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaccdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jijaef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeqbjgoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhkpdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfdlif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obbekn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcfqoici.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfjjqg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acdbpq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gijedm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqkigp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plgpjhnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnaalghe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eibfmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccmgbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dngobghg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beippj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idfkednq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iffcgoka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glebbpbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjnmib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngbgmpcq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkdhcqcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgjggkqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebcmjqej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hplimpdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Belemd32.exe -
Executes dropped EXE 64 IoCs
pid Process 404 Bblcfo32.exe 1548 Bpgjpb32.exe 1860 Cbhbbn32.exe 1228 Cleqfb32.exe 736 Dinjjf32.exe 3068 Eennefib.exe 1096 Egmjpi32.exe 1528 Edakimoo.exe 3756 Ffnglc32.exe 1156 Fcddkggf.exe 1376 Gloejmld.exe 3464 Hfnpca32.exe 1048 Hjcojo32.exe 4512 Idkpmgjo.exe 4120 Infqklol.exe 3412 Iebfmfdg.exe 2436 Jjdgal32.exe 2516 Jjhalkjc.exe 2984 Jmijnfgd.exe 4464 Kdjhkp32.exe 2440 Kmbmdeoj.exe 4964 Ljkghi32.exe 3348 Mobbdf32.exe 1160 Nolekd32.exe 1760 Nonbqd32.exe 1128 Nhkpdi32.exe 3196 Ogcike32.exe 3568 Ohdbkh32.exe 4164 Pgllad32.exe 4992 Pdeffgff.exe 4812 Qffoejkg.exe 3256 Qhghge32.exe 4584 Akjnnpcf.exe 2044 Belemd32.exe 3404 Bgmnooom.exe 3292 Cehdib32.exe 4304 Dngobghg.exe 3140 Dolinf32.exe 4784 Eihcln32.exe 2276 Ebagdddp.exe 3540 Ebcdjc32.exe 3564 Ehpmbj32.exe 2776 Fhgccijm.exe 3392 Fpqgjf32.exe 3956 Ghqeihbb.exe 4864 Gcfjfqah.exe 2108 Hgkimn32.exe 4524 Hladlc32.exe 3020 Ijedehgm.exe 2648 Iqdfmajd.exe 5148 Jflnafno.exe 5188 Kjopbd32.exe 5232 Kgcqlh32.exe 5280 Kpnepk32.exe 5324 Ljffccjh.exe 5368 Lgjglg32.exe 5416 Lmiljn32.exe 5464 Mjiloqjb.exe 5512 Nffceq32.exe 5556 Nhfoocaa.exe 5600 Oknnanhj.exe 5640 Odfcjc32.exe 5688 Oickbjmb.exe 5728 Okbhlm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kbfgmnia.dll Haaocp32.exe File created C:\Windows\SysWOW64\Daneme32.exe Dmpmfg32.exe File created C:\Windows\SysWOW64\Nlglpkpi.exe Ngjcgdba.exe File created C:\Windows\SysWOW64\Jdahga32.dll Ciefpn32.exe File created C:\Windows\SysWOW64\Gcfjfqah.exe Ghqeihbb.exe File created C:\Windows\SysWOW64\Giagjn32.dll Hdfapjbl.exe File created C:\Windows\SysWOW64\Jfedkmem.dll Eflocepa.exe File created C:\Windows\SysWOW64\Mdfopf32.exe Mnlfclip.exe File created C:\Windows\SysWOW64\Cabfagee.exe Celelf32.exe File opened for modification C:\Windows\SysWOW64\Phodlm32.exe Pmgcidqm.exe File created C:\Windows\SysWOW64\Eenflbll.exe Endnohdp.exe File opened for modification C:\Windows\SysWOW64\Idmafc32.exe Iffcgoka.exe File opened for modification C:\Windows\SysWOW64\Phkmoc32.exe Pnbifmla.exe File created C:\Windows\SysWOW64\Jkhmgp32.dll Nljopa32.exe File opened for modification C:\Windows\SysWOW64\Dhkjooqb.exe Daqbbe32.exe File opened for modification C:\Windows\SysWOW64\Fnjhccnd.exe Fnhlndqg.exe File created C:\Windows\SysWOW64\Hjcojo32.exe Hfnpca32.exe File created C:\Windows\SysWOW64\Hbkgfa32.dll Okcmingd.exe File opened for modification C:\Windows\SysWOW64\Heohinog.exe Hoepmd32.exe File created C:\Windows\SysWOW64\Pooicd32.dll Jmkdeaee.exe File created C:\Windows\SysWOW64\Hbnjfefo.exe Hoonjjgk.exe File created C:\Windows\SysWOW64\Gicagcpi.dll Ngjcgdba.exe File created C:\Windows\SysWOW64\Hdfapjbl.exe Hoiihcde.exe File opened for modification C:\Windows\SysWOW64\Jmqekg32.exe Jggmnmmo.exe File opened for modification C:\Windows\SysWOW64\Kpeibdfp.exe Kikafjoc.exe File created C:\Windows\SysWOW64\Pohfblha.dll Jkfakb32.exe File created C:\Windows\SysWOW64\Mehcnlie.exe Mhdbdgjl.exe File created C:\Windows\SysWOW64\Colbef32.dll Ffnglc32.exe File created C:\Windows\SysWOW64\Oknnanhj.exe Nhfoocaa.exe File created C:\Windows\SysWOW64\Oikallbg.dll Qgopplkq.exe File created C:\Windows\SysWOW64\Memhpe32.dll Elbmebbj.exe File opened for modification C:\Windows\SysWOW64\Femndhgh.exe Eleikb32.exe File created C:\Windows\SysWOW64\Fjaendej.dll Jijhom32.exe File created C:\Windows\SysWOW64\Kkooep32.exe Kdeghfhj.exe File created C:\Windows\SysWOW64\Mqnfon32.exe Mddidm32.exe File opened for modification C:\Windows\SysWOW64\Jijhom32.exe Jbqpbbfi.exe File created C:\Windows\SysWOW64\Lhdqhp32.exe Lbghpinc.exe File created C:\Windows\SysWOW64\Eodclj32.exe Eflocepa.exe File opened for modification C:\Windows\SysWOW64\Jfalhgni.exe Jaddpppa.exe File created C:\Windows\SysWOW64\Eajehd32.exe Egdqkk32.exe File created C:\Windows\SysWOW64\Eekcho32.dll Jhocgqjj.exe File created C:\Windows\SysWOW64\Oibocbah.dll Pncggqbg.exe File opened for modification C:\Windows\SysWOW64\Cclhbcho.exe Bfhhho32.exe File created C:\Windows\SysWOW64\Nbljaf32.exe Mhgfdmle.exe File created C:\Windows\SysWOW64\Ooaghe32.exe Ogfccchd.exe File created C:\Windows\SysWOW64\Cioafomd.dll Ogcike32.exe File opened for modification C:\Windows\SysWOW64\Fnacfp32.exe Emhdeoel.exe File created C:\Windows\SysWOW64\Jbqpbbfi.exe Iihkjm32.exe File opened for modification C:\Windows\SysWOW64\Kfjhdobb.exe Kppphe32.exe File created C:\Windows\SysWOW64\Meknhh32.exe Mnpice32.exe File opened for modification C:\Windows\SysWOW64\Ekdolcbm.exe Ealkcm32.exe File created C:\Windows\SysWOW64\Gkckcj32.dll Odooqo32.exe File created C:\Windows\SysWOW64\Hoengj32.dll Fajgfiag.exe File opened for modification C:\Windows\SysWOW64\Hoiihcde.exe Hhpaki32.exe File opened for modification C:\Windows\SysWOW64\Ilpfgg32.exe Iajbinaf.exe File created C:\Windows\SysWOW64\Ccjfjk32.dll Jpmdabfb.exe File opened for modification C:\Windows\SysWOW64\Hggonfbm.exe Hffbfn32.exe File created C:\Windows\SysWOW64\Kjadjm32.dll Jeqbjgoo.exe File created C:\Windows\SysWOW64\Hpqkcc32.dll Pgllad32.exe File created C:\Windows\SysWOW64\Maihacfm.dll Aochga32.exe File opened for modification C:\Windows\SysWOW64\Qnlkllcf.exe Qhbcpb32.exe File created C:\Windows\SysWOW64\Iceecb32.dll Lkdgqbag.exe File created C:\Windows\SysWOW64\Blamdnfl.dll Aalndaml.exe File opened for modification C:\Windows\SysWOW64\Dmphjfab.exe Fongpm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6176 9980 WerFault.exe 887 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijcclkf.dll" Endnohdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamofk32.dll" Lmncgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cimckcoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onceji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmpmfg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdeffgff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpnlicne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgohi32.dll" Hgcfcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pifodifq.dll" Ikqqfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghlpioak.dll" Mphoob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohnelj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fphneijl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifbbbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eldapflj.dll" Bfpdcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hplimpdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdcicipb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdiobd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fahajbek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Colhnc32.dll" Gafmkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbjg32.dll" Ogfccchd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kopmaddf.dll" Icdhojka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdmcch32.dll" Mjiloqjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifjgobkn.dll" Mdfopf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Andqnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhablf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkjlmn32.dll" Jqbbicel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjffngap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoengj32.dll" Fajgfiag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckggbk32.dll" Ikpjmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkmipnlq.dll" Bpodmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dflmep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmqgd32.dll" Edakimoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkhbko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbkncd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chgagfdd.dll" Kpfonnab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejaklmpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nekgna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apgnin32.dll" Dflmep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldblon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akchlk32.dll" Okloomoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agcdhclm.dll" Aloekjod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkooep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fapdomgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjdegg32.dll" Lnmkpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmijnfgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nekgna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maojmg32.dll" Ofgmdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgaboa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmpbdj32.dll" Qcbfjqkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikqqfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfnpca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdbhncfq.dll" Dnghhqdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdfopf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdnlmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jijaef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eakcie32.dll" Ebejem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbpocegg.dll" Hpgkeodo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imbaobmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahnopdg.dll" Bjmnho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjokno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkjmdeij.dll" Naejcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meepne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhpaki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcmcfeke.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1084 wrote to memory of 404 1084 572ae8eb906e60654d9480cdc1fefb5bbfe5322dce1f8d3e13f8eb7217e9305e.exe 101 PID 1084 wrote to memory of 404 1084 572ae8eb906e60654d9480cdc1fefb5bbfe5322dce1f8d3e13f8eb7217e9305e.exe 101 PID 1084 wrote to memory of 404 1084 572ae8eb906e60654d9480cdc1fefb5bbfe5322dce1f8d3e13f8eb7217e9305e.exe 101 PID 404 wrote to memory of 1548 404 Bblcfo32.exe 102 PID 404 wrote to memory of 1548 404 Bblcfo32.exe 102 PID 404 wrote to memory of 1548 404 Bblcfo32.exe 102 PID 1548 wrote to memory of 1860 1548 Bpgjpb32.exe 103 PID 1548 wrote to memory of 1860 1548 Bpgjpb32.exe 103 PID 1548 wrote to memory of 1860 1548 Bpgjpb32.exe 103 PID 1860 wrote to memory of 1228 1860 Cbhbbn32.exe 104 PID 1860 wrote to memory of 1228 1860 Cbhbbn32.exe 104 PID 1860 wrote to memory of 1228 1860 Cbhbbn32.exe 104 PID 1228 wrote to memory of 736 1228 Cleqfb32.exe 105 PID 1228 wrote to memory of 736 1228 Cleqfb32.exe 105 PID 1228 wrote to memory of 736 1228 Cleqfb32.exe 105 PID 736 wrote to memory of 3068 736 Dinjjf32.exe 106 PID 736 wrote to memory of 3068 736 Dinjjf32.exe 106 PID 736 wrote to memory of 3068 736 Dinjjf32.exe 106 PID 3068 wrote to memory of 1096 3068 Eennefib.exe 107 PID 3068 wrote to memory of 1096 3068 Eennefib.exe 107 PID 3068 wrote to memory of 1096 3068 Eennefib.exe 107 PID 1096 wrote to memory of 1528 1096 Egmjpi32.exe 108 PID 1096 wrote to memory of 1528 1096 Egmjpi32.exe 108 PID 1096 wrote to memory of 1528 1096 Egmjpi32.exe 108 PID 1528 wrote to memory of 3756 1528 Edakimoo.exe 109 PID 1528 wrote to memory of 3756 1528 Edakimoo.exe 109 PID 1528 wrote to memory of 3756 1528 Edakimoo.exe 109 PID 3756 wrote to memory of 1156 3756 Ffnglc32.exe 110 PID 3756 wrote to memory of 1156 3756 Ffnglc32.exe 110 PID 3756 wrote to memory of 1156 3756 Ffnglc32.exe 110 PID 1156 wrote to memory of 1376 1156 Fcddkggf.exe 111 PID 1156 wrote to memory of 1376 1156 Fcddkggf.exe 111 PID 1156 wrote to memory of 1376 1156 Fcddkggf.exe 111 PID 1376 wrote to memory of 3464 1376 Gloejmld.exe 112 PID 1376 wrote to memory of 3464 1376 Gloejmld.exe 112 PID 1376 wrote to memory of 3464 1376 Gloejmld.exe 112 PID 3464 wrote to memory of 1048 3464 Hfnpca32.exe 113 PID 3464 wrote to memory of 1048 3464 Hfnpca32.exe 113 PID 3464 wrote to memory of 1048 3464 Hfnpca32.exe 113 PID 1048 wrote to memory of 4512 1048 Hjcojo32.exe 114 PID 1048 wrote to memory of 4512 1048 Hjcojo32.exe 114 PID 1048 wrote to memory of 4512 1048 Hjcojo32.exe 114 PID 4512 wrote to memory of 4120 4512 Idkpmgjo.exe 115 PID 4512 wrote to memory of 4120 4512 Idkpmgjo.exe 115 PID 4512 wrote to memory of 4120 4512 Idkpmgjo.exe 115 PID 4120 wrote to memory of 3412 4120 Infqklol.exe 116 PID 4120 wrote to memory of 3412 4120 Infqklol.exe 116 PID 4120 wrote to memory of 3412 4120 Infqklol.exe 116 PID 3412 wrote to memory of 2436 3412 Iebfmfdg.exe 117 PID 3412 wrote to memory of 2436 3412 Iebfmfdg.exe 117 PID 3412 wrote to memory of 2436 3412 Iebfmfdg.exe 117 PID 2436 wrote to memory of 2516 2436 Jjdgal32.exe 118 PID 2436 wrote to memory of 2516 2436 Jjdgal32.exe 118 PID 2436 wrote to memory of 2516 2436 Jjdgal32.exe 118 PID 2516 wrote to memory of 2984 2516 Jjhalkjc.exe 119 PID 2516 wrote to memory of 2984 2516 Jjhalkjc.exe 119 PID 2516 wrote to memory of 2984 2516 Jjhalkjc.exe 119 PID 2984 wrote to memory of 4464 2984 Jmijnfgd.exe 120 PID 2984 wrote to memory of 4464 2984 Jmijnfgd.exe 120 PID 2984 wrote to memory of 4464 2984 Jmijnfgd.exe 120 PID 4464 wrote to memory of 2440 4464 Kdjhkp32.exe 121 PID 4464 wrote to memory of 2440 4464 Kdjhkp32.exe 121 PID 4464 wrote to memory of 2440 4464 Kdjhkp32.exe 121 PID 2440 wrote to memory of 4964 2440 Kmbmdeoj.exe 122
Processes
-
C:\Users\Admin\AppData\Local\Temp\572ae8eb906e60654d9480cdc1fefb5bbfe5322dce1f8d3e13f8eb7217e9305e.exe"C:\Users\Admin\AppData\Local\Temp\572ae8eb906e60654d9480cdc1fefb5bbfe5322dce1f8d3e13f8eb7217e9305e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Bblcfo32.exeC:\Windows\system32\Bblcfo32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\Bpgjpb32.exeC:\Windows\system32\Bpgjpb32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Cbhbbn32.exeC:\Windows\system32\Cbhbbn32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Cleqfb32.exeC:\Windows\system32\Cleqfb32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\SysWOW64\Dinjjf32.exeC:\Windows\system32\Dinjjf32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Windows\SysWOW64\Eennefib.exeC:\Windows\system32\Eennefib.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Egmjpi32.exeC:\Windows\system32\Egmjpi32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Edakimoo.exeC:\Windows\system32\Edakimoo.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Ffnglc32.exeC:\Windows\system32\Ffnglc32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3756 -
C:\Windows\SysWOW64\Fcddkggf.exeC:\Windows\system32\Fcddkggf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\Gloejmld.exeC:\Windows\system32\Gloejmld.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\Hfnpca32.exeC:\Windows\system32\Hfnpca32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3464 -
C:\Windows\SysWOW64\Hjcojo32.exeC:\Windows\system32\Hjcojo32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Idkpmgjo.exeC:\Windows\system32\Idkpmgjo.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Infqklol.exeC:\Windows\system32\Infqklol.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
C:\Windows\SysWOW64\Iebfmfdg.exeC:\Windows\system32\Iebfmfdg.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
C:\Windows\SysWOW64\Jjdgal32.exeC:\Windows\system32\Jjdgal32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Jjhalkjc.exeC:\Windows\system32\Jjhalkjc.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Jmijnfgd.exeC:\Windows\system32\Jmijnfgd.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Kdjhkp32.exeC:\Windows\system32\Kdjhkp32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
C:\Windows\SysWOW64\Kmbmdeoj.exeC:\Windows\system32\Kmbmdeoj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Ljkghi32.exeC:\Windows\system32\Ljkghi32.exe23⤵
- Executes dropped EXE
PID:4964 -
C:\Windows\SysWOW64\Mobbdf32.exeC:\Windows\system32\Mobbdf32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3348 -
C:\Windows\SysWOW64\Nolekd32.exeC:\Windows\system32\Nolekd32.exe25⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Nonbqd32.exeC:\Windows\system32\Nonbqd32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Nhkpdi32.exeC:\Windows\system32\Nhkpdi32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Ogcike32.exeC:\Windows\system32\Ogcike32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3196 -
C:\Windows\SysWOW64\Ohdbkh32.exeC:\Windows\system32\Ohdbkh32.exe29⤵
- Executes dropped EXE
PID:3568 -
C:\Windows\SysWOW64\Pgllad32.exeC:\Windows\system32\Pgllad32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4164 -
C:\Windows\SysWOW64\Pdeffgff.exeC:\Windows\system32\Pdeffgff.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:4992 -
C:\Windows\SysWOW64\Qffoejkg.exeC:\Windows\system32\Qffoejkg.exe32⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Qhghge32.exeC:\Windows\system32\Qhghge32.exe33⤵
- Executes dropped EXE
PID:3256 -
C:\Windows\SysWOW64\Akjnnpcf.exeC:\Windows\system32\Akjnnpcf.exe34⤵
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\Belemd32.exeC:\Windows\system32\Belemd32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Bgmnooom.exeC:\Windows\system32\Bgmnooom.exe36⤵
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Cehdib32.exeC:\Windows\system32\Cehdib32.exe37⤵
- Executes dropped EXE
PID:3292 -
C:\Windows\SysWOW64\Dngobghg.exeC:\Windows\system32\Dngobghg.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Dolinf32.exeC:\Windows\system32\Dolinf32.exe39⤵
- Executes dropped EXE
PID:3140 -
C:\Windows\SysWOW64\Eihcln32.exeC:\Windows\system32\Eihcln32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4784 -
C:\Windows\SysWOW64\Ebagdddp.exeC:\Windows\system32\Ebagdddp.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Ebcdjc32.exeC:\Windows\system32\Ebcdjc32.exe42⤵
- Executes dropped EXE
PID:3540 -
C:\Windows\SysWOW64\Ehpmbj32.exeC:\Windows\system32\Ehpmbj32.exe43⤵
- Executes dropped EXE
PID:3564 -
C:\Windows\SysWOW64\Fhgccijm.exeC:\Windows\system32\Fhgccijm.exe44⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Fpqgjf32.exeC:\Windows\system32\Fpqgjf32.exe45⤵
- Executes dropped EXE
PID:3392 -
C:\Windows\SysWOW64\Ghqeihbb.exeC:\Windows\system32\Ghqeihbb.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3956 -
C:\Windows\SysWOW64\Gcfjfqah.exeC:\Windows\system32\Gcfjfqah.exe47⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Hgkimn32.exeC:\Windows\system32\Hgkimn32.exe48⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Hladlc32.exeC:\Windows\system32\Hladlc32.exe49⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Ijedehgm.exeC:\Windows\system32\Ijedehgm.exe50⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Iqdfmajd.exeC:\Windows\system32\Iqdfmajd.exe51⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Jflnafno.exeC:\Windows\system32\Jflnafno.exe52⤵
- Executes dropped EXE
PID:5148 -
C:\Windows\SysWOW64\Kjopbd32.exeC:\Windows\system32\Kjopbd32.exe53⤵
- Executes dropped EXE
PID:5188 -
C:\Windows\SysWOW64\Kgcqlh32.exeC:\Windows\system32\Kgcqlh32.exe54⤵
- Executes dropped EXE
PID:5232 -
C:\Windows\SysWOW64\Kpnepk32.exeC:\Windows\system32\Kpnepk32.exe55⤵
- Executes dropped EXE
PID:5280 -
C:\Windows\SysWOW64\Ljffccjh.exeC:\Windows\system32\Ljffccjh.exe56⤵
- Executes dropped EXE
PID:5324 -
C:\Windows\SysWOW64\Lgjglg32.exeC:\Windows\system32\Lgjglg32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5368 -
C:\Windows\SysWOW64\Lmiljn32.exeC:\Windows\system32\Lmiljn32.exe58⤵
- Executes dropped EXE
PID:5416 -
C:\Windows\SysWOW64\Mjiloqjb.exeC:\Windows\system32\Mjiloqjb.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:5464 -
C:\Windows\SysWOW64\Nffceq32.exeC:\Windows\system32\Nffceq32.exe60⤵
- Executes dropped EXE
PID:5512 -
C:\Windows\SysWOW64\Nhfoocaa.exeC:\Windows\system32\Nhfoocaa.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5556 -
C:\Windows\SysWOW64\Oknnanhj.exeC:\Windows\system32\Oknnanhj.exe62⤵
- Executes dropped EXE
PID:5600 -
C:\Windows\SysWOW64\Odfcjc32.exeC:\Windows\system32\Odfcjc32.exe63⤵
- Executes dropped EXE
PID:5640 -
C:\Windows\SysWOW64\Oickbjmb.exeC:\Windows\system32\Oickbjmb.exe64⤵
- Executes dropped EXE
PID:5688 -
C:\Windows\SysWOW64\Okbhlm32.exeC:\Windows\system32\Okbhlm32.exe65⤵
- Executes dropped EXE
PID:5728 -
C:\Windows\SysWOW64\Pncanhaf.exeC:\Windows\system32\Pncanhaf.exe66⤵PID:5772
-
C:\Windows\SysWOW64\Pahpee32.exeC:\Windows\system32\Pahpee32.exe67⤵PID:5808
-
C:\Windows\SysWOW64\Qjcdih32.exeC:\Windows\system32\Qjcdih32.exe68⤵PID:5864
-
C:\Windows\SysWOW64\Adnbapjp.exeC:\Windows\system32\Adnbapjp.exe69⤵PID:5904
-
C:\Windows\SysWOW64\Anffje32.exeC:\Windows\system32\Anffje32.exe70⤵PID:5948
-
C:\Windows\SysWOW64\Ajaqjfbp.exeC:\Windows\system32\Ajaqjfbp.exe71⤵PID:5988
-
C:\Windows\SysWOW64\Bqkigp32.exeC:\Windows\system32\Bqkigp32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6032 -
C:\Windows\SysWOW64\Bjmpfdhb.exeC:\Windows\system32\Bjmpfdhb.exe73⤵PID:6080
-
C:\Windows\SysWOW64\Ceeaim32.exeC:\Windows\system32\Ceeaim32.exe74⤵PID:6120
-
C:\Windows\SysWOW64\Dnghhqdk.exeC:\Windows\system32\Dnghhqdk.exe75⤵
- Modifies registry class
PID:5140 -
C:\Windows\SysWOW64\Deqqek32.exeC:\Windows\system32\Deqqek32.exe76⤵PID:4672
-
C:\Windows\SysWOW64\Enbhdojn.exeC:\Windows\system32\Enbhdojn.exe77⤵PID:5276
-
C:\Windows\SysWOW64\Eacaej32.exeC:\Windows\system32\Eacaej32.exe78⤵PID:5364
-
C:\Windows\SysWOW64\Engaon32.exeC:\Windows\system32\Engaon32.exe79⤵PID:3500
-
C:\Windows\SysWOW64\Elkbhbeb.exeC:\Windows\system32\Elkbhbeb.exe80⤵PID:5452
-
C:\Windows\SysWOW64\Ebejem32.exeC:\Windows\system32\Ebejem32.exe81⤵
- Modifies registry class
PID:4480 -
C:\Windows\SysWOW64\Flmonbbp.exeC:\Windows\system32\Flmonbbp.exe82⤵PID:5580
-
C:\Windows\SysWOW64\Fajgfiag.exeC:\Windows\system32\Fajgfiag.exe83⤵
- Drops file in System32 directory
- Modifies registry class
PID:5636 -
C:\Windows\SysWOW64\Fhdocc32.exeC:\Windows\system32\Fhdocc32.exe84⤵PID:5668
-
C:\Windows\SysWOW64\Fongpm32.exeC:\Windows\system32\Fongpm32.exe85⤵
- Drops file in System32 directory
PID:4752 -
C:\Windows\SysWOW64\Dmphjfab.exeC:\Windows\system32\Dmphjfab.exe86⤵PID:6140
-
C:\Windows\SysWOW64\Eclmlpfl.exeC:\Windows\system32\Eclmlpfl.exe87⤵PID:5216
-
C:\Windows\SysWOW64\Eapmedef.exeC:\Windows\system32\Eapmedef.exe88⤵PID:5392
-
C:\Windows\SysWOW64\Endnohdp.exeC:\Windows\system32\Endnohdp.exe89⤵
- Drops file in System32 directory
- Modifies registry class
PID:4388 -
C:\Windows\SysWOW64\Eenflbll.exeC:\Windows\system32\Eenflbll.exe90⤵PID:5504
-
C:\Windows\SysWOW64\Enfjdh32.exeC:\Windows\system32\Enfjdh32.exe91⤵PID:5616
-
C:\Windows\SysWOW64\Fagcfc32.exeC:\Windows\system32\Fagcfc32.exe92⤵PID:852
-
C:\Windows\SysWOW64\Fnmqegle.exeC:\Windows\system32\Fnmqegle.exe93⤵PID:892
-
C:\Windows\SysWOW64\Ghdaokfe.exeC:\Windows\system32\Ghdaokfe.exe94⤵PID:5956
-
C:\Windows\SysWOW64\Galfhpmf.exeC:\Windows\system32\Galfhpmf.exe95⤵PID:5088
-
C:\Windows\SysWOW64\Glajeiml.exeC:\Windows\system32\Glajeiml.exe96⤵PID:1764
-
C:\Windows\SysWOW64\Haaocp32.exeC:\Windows\system32\Haaocp32.exe97⤵
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Hoepmd32.exeC:\Windows\system32\Hoepmd32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1776 -
C:\Windows\SysWOW64\Heohinog.exeC:\Windows\system32\Heohinog.exe99⤵PID:5380
-
C:\Windows\SysWOW64\Hklpaeno.exeC:\Windows\system32\Hklpaeno.exe100⤵PID:5500
-
C:\Windows\SysWOW64\Hhpaki32.exeC:\Windows\system32\Hhpaki32.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Hoiihcde.exeC:\Windows\system32\Hoiihcde.exe102⤵
- Drops file in System32 directory
PID:5740 -
C:\Windows\SysWOW64\Hdfapjbl.exeC:\Windows\system32\Hdfapjbl.exe103⤵
- Drops file in System32 directory
PID:5800 -
C:\Windows\SysWOW64\Ikpjmd32.exeC:\Windows\system32\Ikpjmd32.exe104⤵
- Modifies registry class
PID:4228 -
C:\Windows\SysWOW64\Iajbinaf.exeC:\Windows\system32\Iajbinaf.exe105⤵
- Drops file in System32 directory
PID:4296 -
C:\Windows\SysWOW64\Ilpfgg32.exeC:\Windows\system32\Ilpfgg32.exe106⤵PID:5244
-
C:\Windows\SysWOW64\Ioqohb32.exeC:\Windows\system32\Ioqohb32.exe107⤵PID:6040
-
C:\Windows\SysWOW64\Iaokdn32.exeC:\Windows\system32\Iaokdn32.exe108⤵PID:2748
-
C:\Windows\SysWOW64\Ihkpgg32.exeC:\Windows\system32\Ihkpgg32.exe109⤵PID:5196
-
C:\Windows\SysWOW64\Ioeicajh.exeC:\Windows\system32\Ioeicajh.exe110⤵PID:5472
-
C:\Windows\SysWOW64\Jdiglgbg.exeC:\Windows\system32\Jdiglgbg.exe111⤵PID:5536
-
C:\Windows\SysWOW64\Jkcpia32.exeC:\Windows\system32\Jkcpia32.exe112⤵PID:1880
-
C:\Windows\SysWOW64\Kdeghfhj.exeC:\Windows\system32\Kdeghfhj.exe113⤵
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Kkooep32.exeC:\Windows\system32\Kkooep32.exe114⤵
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Lbpmbipk.exeC:\Windows\system32\Lbpmbipk.exe115⤵PID:5156
-
C:\Windows\SysWOW64\Lkhbko32.exeC:\Windows\system32\Lkhbko32.exe116⤵
- Modifies registry class
PID:4336 -
C:\Windows\SysWOW64\Lfnfhg32.exeC:\Windows\system32\Lfnfhg32.exe117⤵PID:2336
-
C:\Windows\SysWOW64\Lnikmjdm.exeC:\Windows\system32\Lnikmjdm.exe118⤵PID:5760
-
C:\Windows\SysWOW64\Ldccid32.exeC:\Windows\system32\Ldccid32.exe119⤵PID:5816
-
C:\Windows\SysWOW64\Mkohln32.exeC:\Windows\system32\Mkohln32.exe120⤵PID:5676
-
C:\Windows\SysWOW64\Mfdlif32.exeC:\Windows\system32\Mfdlif32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1288
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-