Analysis
-
max time kernel
151s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
27/03/2024, 01:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e2814c3c540d5a742e31e91e0dcbc31ec43ec4e56514461a6def9acde13250e8.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
e2814c3c540d5a742e31e91e0dcbc31ec43ec4e56514461a6def9acde13250e8.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
e2814c3c540d5a742e31e91e0dcbc31ec43ec4e56514461a6def9acde13250e8.exe
-
Size
229KB
-
MD5
2454fc4ba923a82a0f80eed8c1c44dff
-
SHA1
7643b499a81a876c4ae6b5d6bf45bf1eefe6222b
-
SHA256
e2814c3c540d5a742e31e91e0dcbc31ec43ec4e56514461a6def9acde13250e8
-
SHA512
a167cccd84ae04ded7c8311259adca84c21d0624e91bbceb97690a11a4363d37dd614edb8f274d9511349cef37b0f25aae04feaa7a3552b9b97810545f229204
-
SSDEEP
6144:DcrcHRJ215ZDZPffZx271+HZ/pvkym/89bYEwPhCKvav:DrH+15jPfy7AIfFfvav
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lffhfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dknpmdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Foghnabl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jejefqaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pahpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" e2814c3c540d5a742e31e91e0dcbc31ec43ec4e56514461a6def9acde13250e8.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfnkkb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikpjbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbpgbo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mchppmij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npfkgjdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfoplpla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpfjma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmlkhofd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojllan32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddcqedkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Keqdmihc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kniieo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gimqajgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hemdlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfodbqfa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejoomhmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpjlklok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nloiakho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncianepl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ageolo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnhdkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gadqlkep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdhcgaic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkdcbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocnjidkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbjelc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmbbhkjf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnpfop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgjijmin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qachgk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjjnifbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgbjbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljclki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eoideh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iidphgcn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jehokgge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlkngo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idahjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alpbecod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alelqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdlpneli.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkmnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Caienjfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhmeapmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fnnjmbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Immapg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lihpif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkafmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odmbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gihgfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlglidlo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Executes dropped EXE 64 IoCs
pid Process 1776 Hihbijhn.exe 4208 Hobkfd32.exe 3496 Hbpgbo32.exe 2732 Heocnk32.exe 4072 Hmfkoh32.exe 1592 Hcpclbfa.exe 1212 Hmhhehlb.exe 4480 Hofdacke.exe 2216 Hbeqmoji.exe 1360 Hecmijim.exe 1932 Hmjdjgjo.exe 3140 Hoiafcic.exe 2652 Hbgmcnhf.exe 1096 Iefioj32.exe 4784 Immapg32.exe 1220 Icgjmapi.exe 3840 Ikbnacmd.exe 3948 Ibnccmbo.exe 3444 Iemppiab.exe 5068 Ipbdmaah.exe 1472 Jimekgff.exe 5096 Jedeph32.exe 4760 Jlnnmb32.exe 4068 Jbhfjljd.exe 1724 Jefbfgig.exe 4392 Jmmjgejj.exe 4360 Jplfcpin.exe 1528 Jbjcolha.exe 3240 Jfeopj32.exe 4232 Jehokgge.exe 3372 Jidklf32.exe 3664 Jblpek32.exe 1012 Jfhlejnh.exe 3908 Jifhaenk.exe 2136 Jlednamo.exe 4372 Jcllonma.exe 2852 Kboljk32.exe 1916 Kfjhkjle.exe 5080 Kiidgeki.exe 3056 Kmdqgd32.exe 4104 Kdnidn32.exe 4004 Kbaipkbi.exe 1980 Kepelfam.exe 1464 Kmfmmcbo.exe 1960 Klimip32.exe 4308 Kbceejpf.exe 2432 Kfoafi32.exe 2332 Kimnbd32.exe 440 Kmijbcpl.exe 3332 Klljnp32.exe 2464 Kpgfooop.exe 228 Kbfbkj32.exe 4840 Kfankifm.exe 4632 Kmkfhc32.exe 2112 Klngdpdd.exe 3080 Kbhoqj32.exe 2404 Kfckahdj.exe 3020 Kmncnb32.exe 3916 Klqcioba.exe 4872 Kplpjn32.exe 2684 Lffhfh32.exe 1180 Leihbeib.exe 816 Liddbc32.exe 3684 Llcpoo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cfigpm32.exe Bkdcbd32.exe File created C:\Windows\SysWOW64\Egljbmnm.dll Dbnmke32.exe File opened for modification C:\Windows\SysWOW64\Mjbogmdb.exe Miaboe32.exe File created C:\Windows\SysWOW64\Hkeaqi32.exe Hgiepjga.exe File created C:\Windows\SysWOW64\Kkmioc32.exe Kinmcg32.exe File created C:\Windows\SysWOW64\Copdgb32.dll Plpjoe32.exe File created C:\Windows\SysWOW64\Lgibpf32.exe Process not Found File created C:\Windows\SysWOW64\Nncccnol.exe Process not Found File created C:\Windows\SysWOW64\Ejfenk32.dll Pdfjifjo.exe File created C:\Windows\SysWOW64\Bdffhl32.dll Cjhfpa32.exe File created C:\Windows\SysWOW64\Hemqgjog.dll Kcpahpmd.exe File created C:\Windows\SysWOW64\Algpao32.dll Jnnpdg32.exe File created C:\Windows\SysWOW64\Djfjpgfm.dll Eiildjag.exe File created C:\Windows\SysWOW64\Mdgmickl.dll Pajeam32.exe File opened for modification C:\Windows\SysWOW64\Efjbcakl.exe Emanjldl.exe File opened for modification C:\Windows\SysWOW64\Imnocf32.exe Iibccgep.exe File opened for modification C:\Windows\SysWOW64\Pqbdjfln.exe Pncgmkmj.exe File created C:\Windows\SysWOW64\Hnjjdmoc.dll Iakiia32.exe File created C:\Windows\SysWOW64\Dfdjmlhn.dll Odocigqg.exe File created C:\Windows\SysWOW64\Qfglbe32.dll Ldipha32.exe File created C:\Windows\SysWOW64\Hlglidlo.exe Hiipmhmk.exe File created C:\Windows\SysWOW64\Lejomj32.dll Gjdaodja.exe File created C:\Windows\SysWOW64\Ekojppef.dll Hacbhb32.exe File opened for modification C:\Windows\SysWOW64\Ohcegi32.exe Oeehkn32.exe File opened for modification C:\Windows\SysWOW64\Bhnikc32.exe Badanigc.exe File created C:\Windows\SysWOW64\Leihbeib.exe Lffhfh32.exe File created C:\Windows\SysWOW64\Mjaabq32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lopmii32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Aqncedbp.exe Ageolo32.exe File opened for modification C:\Windows\SysWOW64\Gnepna32.exe Glgcbf32.exe File created C:\Windows\SysWOW64\Knqepc32.exe Process not Found File created C:\Windows\SysWOW64\Pmannhhj.exe Pjcbbmif.exe File created C:\Windows\SysWOW64\Fealin32.exe Fbbpmb32.exe File created C:\Windows\SysWOW64\Bhpofl32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cfqmpl32.exe Cmhigf32.exe File created C:\Windows\SysWOW64\Ekfcklij.dll Cdlqqcnl.exe File created C:\Windows\SysWOW64\Nmfcok32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kfjhkjle.exe Kboljk32.exe File created C:\Windows\SysWOW64\Kjkpoq32.exe Kijchhbo.exe File created C:\Windows\SysWOW64\Nlkngo32.exe Neafjdkn.exe File created C:\Windows\SysWOW64\Lopmii32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ncqlkemc.exe Process not Found File created C:\Windows\SysWOW64\Eipinkib.exe Dhomfc32.exe File created C:\Windows\SysWOW64\Lafnnj32.dll Knhakh32.exe File created C:\Windows\SysWOW64\Gpihol32.dll Fipbdikp.exe File created C:\Windows\SysWOW64\Deimfpda.dll Ldanqkki.exe File created C:\Windows\SysWOW64\Lhdqnj32.exe Kfcdfbqo.exe File created C:\Windows\SysWOW64\Moqkim32.dll Hhknpmma.exe File opened for modification C:\Windows\SysWOW64\Iakiia32.exe Ijcahd32.exe File created C:\Windows\SysWOW64\Fcehifmk.dll Jqlefl32.exe File created C:\Windows\SysWOW64\Iblhpckf.dll Process not Found File created C:\Windows\SysWOW64\Choehhlk.dll Hecmijim.exe File created C:\Windows\SysWOW64\Kiidgeki.exe Kfjhkjle.exe File opened for modification C:\Windows\SysWOW64\Pnakhkol.exe Pfjcgn32.exe File opened for modification C:\Windows\SysWOW64\Mehjol32.exe Moobbb32.exe File created C:\Windows\SysWOW64\Hiacfqch.dll Jlkipgpe.exe File created C:\Windows\SysWOW64\Danihi32.dll Aogiap32.exe File created C:\Windows\SysWOW64\Cfpffeaj.exe Ckjbhmad.exe File created C:\Windows\SysWOW64\Hddeok32.dll Ndfqbhia.exe File created C:\Windows\SysWOW64\Kollmhpg.dll Emlenj32.exe File created C:\Windows\SysWOW64\Qeocld32.dll Bqmeal32.exe File created C:\Windows\SysWOW64\Mapmipen.dll Jnmijq32.exe File created C:\Windows\SysWOW64\Mqimikfj.exe Process not Found File created C:\Windows\SysWOW64\Jongga32.dll Gmojkj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 18260 9484 Process not Found 1310 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcobmi32.dll" Fkcboack.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igcoqocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epaobqhf.dll" Gkiaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qcclld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkbndlfi.dll" Cfigpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecnpbjmi.dll" Hbgmcnhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkopekaa.dll" Ennqfenp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hijeeipc.dll" Kkmioc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iqpfjnba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpecpgjp.dll" Nklbmllg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Innfnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ampkof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gepgfb32.dll" Fmhdkknd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccdnjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Omegjomb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmpmfmao.dll" Aefjii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjojj32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll" Nloiakho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qikgco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmpcbhji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aomifecf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enhodk32.dll" Ahbjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladjgikj.dll" Ofnckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffqhcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhdqnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndhmhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnahdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emanjldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdblhj32.dll" Fpgpgfmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelche32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbbhnma.dll" Jlfpdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hhnbpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhmeapmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejoaandc.dll" Aaohcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blielbfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemfincl.dll" Nnjlpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncofplba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdqegoi.dll" Omegjomb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Coohhlpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Goglcahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhpicj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gkiaej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njefqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljclki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipbdmaah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbehfom.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmoahijl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oaompd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Biadeoce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhijoaa.dll" Likjcbkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmmjgejj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohnefj32.dll" Mehjol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Empoiimf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Haoimcgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djelgied.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hipmfjee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ickglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlllhigk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll" Ageolo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igfclkdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kqmkae32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 264 wrote to memory of 1776 264 e2814c3c540d5a742e31e91e0dcbc31ec43ec4e56514461a6def9acde13250e8.exe 89 PID 264 wrote to memory of 1776 264 e2814c3c540d5a742e31e91e0dcbc31ec43ec4e56514461a6def9acde13250e8.exe 89 PID 264 wrote to memory of 1776 264 e2814c3c540d5a742e31e91e0dcbc31ec43ec4e56514461a6def9acde13250e8.exe 89 PID 1776 wrote to memory of 4208 1776 Hihbijhn.exe 90 PID 1776 wrote to memory of 4208 1776 Hihbijhn.exe 90 PID 1776 wrote to memory of 4208 1776 Hihbijhn.exe 90 PID 4208 wrote to memory of 3496 4208 Hobkfd32.exe 91 PID 4208 wrote to memory of 3496 4208 Hobkfd32.exe 91 PID 4208 wrote to memory of 3496 4208 Hobkfd32.exe 91 PID 3496 wrote to memory of 2732 3496 Hbpgbo32.exe 92 PID 3496 wrote to memory of 2732 3496 Hbpgbo32.exe 92 PID 3496 wrote to memory of 2732 3496 Hbpgbo32.exe 92 PID 2732 wrote to memory of 4072 2732 Heocnk32.exe 93 PID 2732 wrote to memory of 4072 2732 Heocnk32.exe 93 PID 2732 wrote to memory of 4072 2732 Heocnk32.exe 93 PID 4072 wrote to memory of 1592 4072 Hmfkoh32.exe 94 PID 4072 wrote to memory of 1592 4072 Hmfkoh32.exe 94 PID 4072 wrote to memory of 1592 4072 Hmfkoh32.exe 94 PID 1592 wrote to memory of 1212 1592 Hcpclbfa.exe 95 PID 1592 wrote to memory of 1212 1592 Hcpclbfa.exe 95 PID 1592 wrote to memory of 1212 1592 Hcpclbfa.exe 95 PID 1212 wrote to memory of 4480 1212 Hmhhehlb.exe 96 PID 1212 wrote to memory of 4480 1212 Hmhhehlb.exe 96 PID 1212 wrote to memory of 4480 1212 Hmhhehlb.exe 96 PID 4480 wrote to memory of 2216 4480 Hofdacke.exe 97 PID 4480 wrote to memory of 2216 4480 Hofdacke.exe 97 PID 4480 wrote to memory of 2216 4480 Hofdacke.exe 97 PID 2216 wrote to memory of 1360 2216 Hbeqmoji.exe 98 PID 2216 wrote to memory of 1360 2216 Hbeqmoji.exe 98 PID 2216 wrote to memory of 1360 2216 Hbeqmoji.exe 98 PID 1360 wrote to memory of 1932 1360 Hecmijim.exe 99 PID 1360 wrote to memory of 1932 1360 Hecmijim.exe 99 PID 1360 wrote to memory of 1932 1360 Hecmijim.exe 99 PID 1932 wrote to memory of 3140 1932 Hmjdjgjo.exe 100 PID 1932 wrote to memory of 3140 1932 Hmjdjgjo.exe 100 PID 1932 wrote to memory of 3140 1932 Hmjdjgjo.exe 100 PID 3140 wrote to memory of 2652 3140 Hoiafcic.exe 101 PID 3140 wrote to memory of 2652 3140 Hoiafcic.exe 101 PID 3140 wrote to memory of 2652 3140 Hoiafcic.exe 101 PID 2652 wrote to memory of 1096 2652 Hbgmcnhf.exe 102 PID 2652 wrote to memory of 1096 2652 Hbgmcnhf.exe 102 PID 2652 wrote to memory of 1096 2652 Hbgmcnhf.exe 102 PID 1096 wrote to memory of 4784 1096 Iefioj32.exe 103 PID 1096 wrote to memory of 4784 1096 Iefioj32.exe 103 PID 1096 wrote to memory of 4784 1096 Iefioj32.exe 103 PID 4784 wrote to memory of 1220 4784 Immapg32.exe 104 PID 4784 wrote to memory of 1220 4784 Immapg32.exe 104 PID 4784 wrote to memory of 1220 4784 Immapg32.exe 104 PID 1220 wrote to memory of 3840 1220 Icgjmapi.exe 105 PID 1220 wrote to memory of 3840 1220 Icgjmapi.exe 105 PID 1220 wrote to memory of 3840 1220 Icgjmapi.exe 105 PID 3840 wrote to memory of 3948 3840 Ikbnacmd.exe 106 PID 3840 wrote to memory of 3948 3840 Ikbnacmd.exe 106 PID 3840 wrote to memory of 3948 3840 Ikbnacmd.exe 106 PID 3948 wrote to memory of 3444 3948 Ibnccmbo.exe 107 PID 3948 wrote to memory of 3444 3948 Ibnccmbo.exe 107 PID 3948 wrote to memory of 3444 3948 Ibnccmbo.exe 107 PID 3444 wrote to memory of 5068 3444 Iemppiab.exe 108 PID 3444 wrote to memory of 5068 3444 Iemppiab.exe 108 PID 3444 wrote to memory of 5068 3444 Iemppiab.exe 108 PID 5068 wrote to memory of 1472 5068 Ipbdmaah.exe 109 PID 5068 wrote to memory of 1472 5068 Ipbdmaah.exe 109 PID 5068 wrote to memory of 1472 5068 Ipbdmaah.exe 109 PID 1472 wrote to memory of 5096 1472 Jimekgff.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\e2814c3c540d5a742e31e91e0dcbc31ec43ec4e56514461a6def9acde13250e8.exe"C:\Users\Admin\AppData\Local\Temp\e2814c3c540d5a742e31e91e0dcbc31ec43ec4e56514461a6def9acde13250e8.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\Hihbijhn.exeC:\Windows\system32\Hihbijhn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Hobkfd32.exeC:\Windows\system32\Hobkfd32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
C:\Windows\SysWOW64\Hbpgbo32.exeC:\Windows\system32\Hbpgbo32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\Heocnk32.exeC:\Windows\system32\Heocnk32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Hmfkoh32.exeC:\Windows\system32\Hmfkoh32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Windows\SysWOW64\Hcpclbfa.exeC:\Windows\system32\Hcpclbfa.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\Hmhhehlb.exeC:\Windows\system32\Hmhhehlb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Hofdacke.exeC:\Windows\system32\Hofdacke.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\Hbeqmoji.exeC:\Windows\system32\Hbeqmoji.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Hecmijim.exeC:\Windows\system32\Hecmijim.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\SysWOW64\Hmjdjgjo.exeC:\Windows\system32\Hmjdjgjo.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Hoiafcic.exeC:\Windows\system32\Hoiafcic.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
C:\Windows\SysWOW64\Hbgmcnhf.exeC:\Windows\system32\Hbgmcnhf.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Iefioj32.exeC:\Windows\system32\Iefioj32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Immapg32.exeC:\Windows\system32\Immapg32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\Icgjmapi.exeC:\Windows\system32\Icgjmapi.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\SysWOW64\Ikbnacmd.exeC:\Windows\system32\Ikbnacmd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
C:\Windows\SysWOW64\Ibnccmbo.exeC:\Windows\system32\Ibnccmbo.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\Iemppiab.exeC:\Windows\system32\Iemppiab.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Windows\SysWOW64\Ipbdmaah.exeC:\Windows\system32\Ipbdmaah.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\SysWOW64\Jimekgff.exeC:\Windows\system32\Jimekgff.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Jedeph32.exeC:\Windows\system32\Jedeph32.exe23⤵
- Executes dropped EXE
PID:5096 -
C:\Windows\SysWOW64\Jlnnmb32.exeC:\Windows\system32\Jlnnmb32.exe24⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Jbhfjljd.exeC:\Windows\system32\Jbhfjljd.exe25⤵
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Jefbfgig.exeC:\Windows\system32\Jefbfgig.exe26⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Jmmjgejj.exeC:\Windows\system32\Jmmjgejj.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:4392 -
C:\Windows\SysWOW64\Jplfcpin.exeC:\Windows\system32\Jplfcpin.exe28⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Jbjcolha.exeC:\Windows\system32\Jbjcolha.exe29⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Jfeopj32.exeC:\Windows\system32\Jfeopj32.exe30⤵
- Executes dropped EXE
PID:3240 -
C:\Windows\SysWOW64\Jehokgge.exeC:\Windows\system32\Jehokgge.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4232 -
C:\Windows\SysWOW64\Jidklf32.exeC:\Windows\system32\Jidklf32.exe32⤵
- Executes dropped EXE
PID:3372 -
C:\Windows\SysWOW64\Jblpek32.exeC:\Windows\system32\Jblpek32.exe33⤵
- Executes dropped EXE
PID:3664 -
C:\Windows\SysWOW64\Jfhlejnh.exeC:\Windows\system32\Jfhlejnh.exe34⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Jifhaenk.exeC:\Windows\system32\Jifhaenk.exe35⤵
- Executes dropped EXE
PID:3908 -
C:\Windows\SysWOW64\Jlednamo.exeC:\Windows\system32\Jlednamo.exe36⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Jcllonma.exeC:\Windows\system32\Jcllonma.exe37⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Kboljk32.exeC:\Windows\system32\Kboljk32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Kfjhkjle.exeC:\Windows\system32\Kfjhkjle.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1916 -
C:\Windows\SysWOW64\Kiidgeki.exeC:\Windows\system32\Kiidgeki.exe40⤵
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Kmdqgd32.exeC:\Windows\system32\Kmdqgd32.exe41⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Kdnidn32.exeC:\Windows\system32\Kdnidn32.exe42⤵
- Executes dropped EXE
PID:4104 -
C:\Windows\SysWOW64\Kbaipkbi.exeC:\Windows\system32\Kbaipkbi.exe43⤵
- Executes dropped EXE
PID:4004 -
C:\Windows\SysWOW64\Kepelfam.exeC:\Windows\system32\Kepelfam.exe44⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Kmfmmcbo.exeC:\Windows\system32\Kmfmmcbo.exe45⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Klimip32.exeC:\Windows\system32\Klimip32.exe46⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Kbceejpf.exeC:\Windows\system32\Kbceejpf.exe47⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Kfoafi32.exeC:\Windows\system32\Kfoafi32.exe48⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Kimnbd32.exeC:\Windows\system32\Kimnbd32.exe49⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Kmijbcpl.exeC:\Windows\system32\Kmijbcpl.exe50⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Klljnp32.exeC:\Windows\system32\Klljnp32.exe51⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Kpgfooop.exeC:\Windows\system32\Kpgfooop.exe52⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Kbfbkj32.exeC:\Windows\system32\Kbfbkj32.exe53⤵
- Executes dropped EXE
PID:228 -
C:\Windows\SysWOW64\Kfankifm.exeC:\Windows\system32\Kfankifm.exe54⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Kmkfhc32.exeC:\Windows\system32\Kmkfhc32.exe55⤵
- Executes dropped EXE
PID:4632 -
C:\Windows\SysWOW64\Klngdpdd.exeC:\Windows\system32\Klngdpdd.exe56⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Kbhoqj32.exeC:\Windows\system32\Kbhoqj32.exe57⤵
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\Kfckahdj.exeC:\Windows\system32\Kfckahdj.exe58⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Kmncnb32.exeC:\Windows\system32\Kmncnb32.exe59⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Klqcioba.exeC:\Windows\system32\Klqcioba.exe60⤵
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\Kplpjn32.exeC:\Windows\system32\Kplpjn32.exe61⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Lffhfh32.exeC:\Windows\system32\Lffhfh32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2684 -
C:\Windows\SysWOW64\Leihbeib.exeC:\Windows\system32\Leihbeib.exe63⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Liddbc32.exeC:\Windows\system32\Liddbc32.exe64⤵
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Llcpoo32.exeC:\Windows\system32\Llcpoo32.exe65⤵
- Executes dropped EXE
PID:3684 -
C:\Windows\SysWOW64\Ldjhpl32.exeC:\Windows\system32\Ldjhpl32.exe66⤵PID:2984
-
C:\Windows\SysWOW64\Lbmhlihl.exeC:\Windows\system32\Lbmhlihl.exe67⤵PID:912
-
C:\Windows\SysWOW64\Lekehdgp.exeC:\Windows\system32\Lekehdgp.exe68⤵PID:2260
-
C:\Windows\SysWOW64\Lmbmibhb.exeC:\Windows\system32\Lmbmibhb.exe69⤵PID:1048
-
C:\Windows\SysWOW64\Llemdo32.exeC:\Windows\system32\Llemdo32.exe70⤵PID:4612
-
C:\Windows\SysWOW64\Ldleel32.exeC:\Windows\system32\Ldleel32.exe71⤵PID:1772
-
C:\Windows\SysWOW64\Lboeaifi.exeC:\Windows\system32\Lboeaifi.exe72⤵PID:5132
-
C:\Windows\SysWOW64\Lfkaag32.exeC:\Windows\system32\Lfkaag32.exe73⤵PID:5168
-
C:\Windows\SysWOW64\Liimncmf.exeC:\Windows\system32\Liimncmf.exe74⤵PID:5208
-
C:\Windows\SysWOW64\Llgjjnlj.exeC:\Windows\system32\Llgjjnlj.exe75⤵PID:5252
-
C:\Windows\SysWOW64\Lpcfkm32.exeC:\Windows\system32\Lpcfkm32.exe76⤵PID:5292
-
C:\Windows\SysWOW64\Lbabgh32.exeC:\Windows\system32\Lbabgh32.exe77⤵PID:5332
-
C:\Windows\SysWOW64\Likjcbkc.exeC:\Windows\system32\Likjcbkc.exe78⤵
- Modifies registry class
PID:5376 -
C:\Windows\SysWOW64\Lmgfda32.exeC:\Windows\system32\Lmgfda32.exe79⤵PID:5424
-
C:\Windows\SysWOW64\Lpebpm32.exeC:\Windows\system32\Lpebpm32.exe80⤵PID:5460
-
C:\Windows\SysWOW64\Ldanqkki.exeC:\Windows\system32\Ldanqkki.exe81⤵
- Drops file in System32 directory
PID:5504 -
C:\Windows\SysWOW64\Lbdolh32.exeC:\Windows\system32\Lbdolh32.exe82⤵PID:5544
-
C:\Windows\SysWOW64\Lebkhc32.exeC:\Windows\system32\Lebkhc32.exe83⤵PID:5588
-
C:\Windows\SysWOW64\Lingibiq.exeC:\Windows\system32\Lingibiq.exe84⤵PID:5624
-
C:\Windows\SysWOW64\Lllcen32.exeC:\Windows\system32\Lllcen32.exe85⤵PID:5668
-
C:\Windows\SysWOW64\Mdckfk32.exeC:\Windows\system32\Mdckfk32.exe86⤵PID:5704
-
C:\Windows\SysWOW64\Mgagbf32.exeC:\Windows\system32\Mgagbf32.exe87⤵PID:5748
-
C:\Windows\SysWOW64\Mipcob32.exeC:\Windows\system32\Mipcob32.exe88⤵PID:5784
-
C:\Windows\SysWOW64\Mmlpoqpg.exeC:\Windows\system32\Mmlpoqpg.exe89⤵PID:5828
-
C:\Windows\SysWOW64\Mlopkm32.exeC:\Windows\system32\Mlopkm32.exe90⤵PID:5864
-
C:\Windows\SysWOW64\Mpjlklok.exeC:\Windows\system32\Mpjlklok.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5908 -
C:\Windows\SysWOW64\Mchhggno.exeC:\Windows\system32\Mchhggno.exe92⤵PID:5948
-
C:\Windows\SysWOW64\Megdccmb.exeC:\Windows\system32\Megdccmb.exe93⤵PID:5992
-
C:\Windows\SysWOW64\Mmnldp32.exeC:\Windows\system32\Mmnldp32.exe94⤵PID:6040
-
C:\Windows\SysWOW64\Mdhdajea.exeC:\Windows\system32\Mdhdajea.exe95⤵PID:6080
-
C:\Windows\SysWOW64\Mgfqmfde.exeC:\Windows\system32\Mgfqmfde.exe96⤵PID:6124
-
C:\Windows\SysWOW64\Meiaib32.exeC:\Windows\system32\Meiaib32.exe97⤵PID:2188
-
C:\Windows\SysWOW64\Mmpijp32.exeC:\Windows\system32\Mmpijp32.exe98⤵PID:5216
-
C:\Windows\SysWOW64\Mpoefk32.exeC:\Windows\system32\Mpoefk32.exe99⤵PID:5284
-
C:\Windows\SysWOW64\Mgimcebb.exeC:\Windows\system32\Mgimcebb.exe100⤵PID:5348
-
C:\Windows\SysWOW64\Migjoaaf.exeC:\Windows\system32\Migjoaaf.exe101⤵PID:5404
-
C:\Windows\SysWOW64\Mmbfpp32.exeC:\Windows\system32\Mmbfpp32.exe102⤵PID:5492
-
C:\Windows\SysWOW64\Mlefklpj.exeC:\Windows\system32\Mlefklpj.exe103⤵PID:5556
-
C:\Windows\SysWOW64\Mnebeogl.exeC:\Windows\system32\Mnebeogl.exe104⤵PID:5636
-
C:\Windows\SysWOW64\Mlhbal32.exeC:\Windows\system32\Mlhbal32.exe105⤵PID:5660
-
C:\Windows\SysWOW64\Ncbknfed.exeC:\Windows\system32\Ncbknfed.exe106⤵PID:5728
-
C:\Windows\SysWOW64\Nepgjaeg.exeC:\Windows\system32\Nepgjaeg.exe107⤵PID:5796
-
C:\Windows\SysWOW64\Nngokoej.exeC:\Windows\system32\Nngokoej.exe108⤵PID:5860
-
C:\Windows\SysWOW64\Npfkgjdn.exeC:\Windows\system32\Npfkgjdn.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5936 -
C:\Windows\SysWOW64\Ndaggimg.exeC:\Windows\system32\Ndaggimg.exe110⤵PID:5976
-
C:\Windows\SysWOW64\Nnjlpo32.exeC:\Windows\system32\Nnjlpo32.exe111⤵
- Modifies registry class
PID:6072 -
C:\Windows\SysWOW64\Nphhmj32.exeC:\Windows\system32\Nphhmj32.exe112⤵PID:5128
-
C:\Windows\SysWOW64\Ncfdie32.exeC:\Windows\system32\Ncfdie32.exe113⤵PID:1904
-
C:\Windows\SysWOW64\Neeqea32.exeC:\Windows\system32\Neeqea32.exe114⤵PID:5328
-
C:\Windows\SysWOW64\Nloiakho.exeC:\Windows\system32\Nloiakho.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5384 -
C:\Windows\SysWOW64\Ndfqbhia.exeC:\Windows\system32\Ndfqbhia.exe116⤵
- Drops file in System32 directory
PID:5528 -
C:\Windows\SysWOW64\Ncianepl.exeC:\Windows\system32\Ncianepl.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5652 -
C:\Windows\SysWOW64\Njciko32.exeC:\Windows\system32\Njciko32.exe118⤵PID:5744
-
C:\Windows\SysWOW64\Nlaegk32.exeC:\Windows\system32\Nlaegk32.exe119⤵PID:5856
-
C:\Windows\SysWOW64\Ndhmhh32.exeC:\Windows\system32\Ndhmhh32.exe120⤵
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Nggjdc32.exeC:\Windows\system32\Nggjdc32.exe121⤵PID:6032
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-