Analysis
-
max time kernel
146s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
04-04-2024 18:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1a275f81d429555fe3c0329a7dd5bedab66f86f8b627a25f5109e70d61cb7176.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
1a275f81d429555fe3c0329a7dd5bedab66f86f8b627a25f5109e70d61cb7176.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
1a275f81d429555fe3c0329a7dd5bedab66f86f8b627a25f5109e70d61cb7176.exe
-
Size
80KB
-
MD5
009c799cd63111cb3126a88cfecaad01
-
SHA1
88bd62fcd96698bfa70ff83772abc2ccdf7dea58
-
SHA256
1a275f81d429555fe3c0329a7dd5bedab66f86f8b627a25f5109e70d61cb7176
-
SHA512
76bdf6b88be6c97c9042f831f2eba900bcdd1d589e49756ea334a402bb743f214240cae477fe2b703597492dab0ae6651332c31113098a5d69ed124a16eaf74f
-
SSDEEP
1536:vCnSRstxS7O33ew09iy/t2L2J9VqDlzVxyh+CbxMa:au8xS75wm7+2J9IDlRxyhTb7
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okkalnjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeolckne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kefbdjgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gohapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gebimmco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlogfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gggmgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eegqldqg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfgahikm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lplaaiqd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Migcpneb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilphdlqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhgkgijg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbijgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Liifnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klpakj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ielfgmnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kanbjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lojfin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acppddig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niihlkdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhmhpfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpomem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndejcemn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhcbidcd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjmjdm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iloajfml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeolckne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfodmdni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agqhik32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aidehpea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdcmkgmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hejjanpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agcdnjcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fajbjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Haodle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igpkok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbhbbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbhlikpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akenij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejdonq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojnfihmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqkondfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhgdmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmlafk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqikob32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqdkkp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbklli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npognfpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckbncapd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kejloi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpbbak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nooikj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bliajd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lechkaga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnabladg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Padnaq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpjfgf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jejbhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agqhik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Diamko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnopjfgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqilaplo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haaaaeim.exe -
Executes dropped EXE 64 IoCs
pid Process 2628 Pjmjdm32.exe 3572 Ppahmb32.exe 4148 Afpjel32.exe 220 Apmhiq32.exe 3276 Bpdnjple.exe 876 Boihcf32.exe 2968 Cponen32.exe 2384 Caageq32.exe 4244 Dojqjdbl.exe 1244 Damfao32.exe 4440 Doccpcja.exe 3140 Edeeci32.exe 4752 Enpfan32.exe 832 Ekcgkb32.exe 4704 Fdnhih32.exe 4356 Fkjmlaac.exe 4068 Fajbjh32.exe 4904 Gicgpelg.exe 3776 Ggkqgaol.exe 3812 Gijmad32.exe 4432 Gpdennml.exe 4320 Giljfddl.exe 3596 Hnlodjpa.exe 2564 Hpkknmgd.exe 3724 Hlblcn32.exe 1748 Haodle32.exe 2140 Haaaaeim.exe 2688 Iogopi32.exe 1092 Ibegfglj.exe 1084 Ilnlom32.exe 3104 Ilphdlqh.exe 5008 Jidinqpb.exe 3148 Jblmgf32.exe 5068 Jldbpl32.exe 4056 Jemfhacc.exe 3136 Joekag32.exe 4292 Jlikkkhn.exe 916 Jafdcbge.exe 1892 Jpgdai32.exe 964 Klndfj32.exe 2332 Klpakj32.exe 404 Kcjjhdjb.exe 2348 Kabcopmg.exe 3580 Lepleocn.exe 1884 Lafmjp32.exe 4692 Lpgmhg32.exe 3696 Lhcali32.exe 2180 Loofnccf.exe 3548 Lhgkgijg.exe 1476 Mapppn32.exe 212 Modpib32.exe 2196 Mpeiie32.exe 3940 Mbgeqmjp.exe 4120 Mjpjgj32.exe 3800 Njbgmjgl.exe 3872 Nckkfp32.exe 996 Noblkqca.exe 4824 Njgqhicg.exe 4888 Ncpeaoih.exe 4628 Nimmifgo.exe 1712 Nbebbk32.exe 4424 Ojnfihmo.exe 4548 Ocgkan32.exe 3988 Oiccje32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Iqfcbahb.exe Ijlkfg32.exe File created C:\Windows\SysWOW64\Odaiodbp.exe Omgabj32.exe File created C:\Windows\SysWOW64\Ajmgof32.exe Adpogp32.exe File created C:\Windows\SysWOW64\Dijppjfd.exe Dabhomea.exe File opened for modification C:\Windows\SysWOW64\Cbnbhfde.exe Cldjkl32.exe File created C:\Windows\SysWOW64\Oklifdmi.exe Onhhmpoo.exe File created C:\Windows\SysWOW64\Alcolgqi.dll Ehkcgkdj.exe File created C:\Windows\SysWOW64\Kcjael32.dll Qgehml32.exe File created C:\Windows\SysWOW64\Foolmeif.dll Dpjfgf32.exe File created C:\Windows\SysWOW64\Midbjmkg.dll Cbhbbn32.exe File created C:\Windows\SysWOW64\Icminm32.exe Hlogfd32.exe File created C:\Windows\SysWOW64\Bmbnnn32.exe Abmjqe32.exe File created C:\Windows\SysWOW64\Nejgbn32.exe Ngifef32.exe File created C:\Windows\SysWOW64\Fgmeobin.dll Iqfcbahb.exe File created C:\Windows\SysWOW64\Nmbhgjoi.exe Npognfpo.exe File created C:\Windows\SysWOW64\Nlgbon32.exe Nfnjbdep.exe File created C:\Windows\SysWOW64\Holhmcgf.dll Gkhbbi32.exe File opened for modification C:\Windows\SysWOW64\Bboplo32.exe Bmagch32.exe File created C:\Windows\SysWOW64\Jmlbab32.dll Lechkaga.exe File created C:\Windows\SysWOW64\Affgmbdd.dll Phfhfa32.exe File created C:\Windows\SysWOW64\Kconbh32.dll Kiodha32.exe File created C:\Windows\SysWOW64\Eneilj32.dll Okkalnjm.exe File created C:\Windows\SysWOW64\Lhgkgijg.exe Loofnccf.exe File opened for modification C:\Windows\SysWOW64\Fdbkja32.exe Fbdnne32.exe File opened for modification C:\Windows\SysWOW64\Apgqie32.exe Aimhmkgn.exe File created C:\Windows\SysWOW64\Mnjellfo.dll Bbalaoda.exe File created C:\Windows\SysWOW64\Eegqldqg.exe Ecidpiad.exe File created C:\Windows\SysWOW64\Popdldep.dll Qfilkj32.exe File opened for modification C:\Windows\SysWOW64\Fcneeo32.exe Fggdpnkf.exe File created C:\Windows\SysWOW64\Ggiipk32.dll Cmdmpe32.exe File created C:\Windows\SysWOW64\Nffopp32.dll Dbhlikpf.exe File created C:\Windows\SysWOW64\Efopjbjg.exe Elilmi32.exe File created C:\Windows\SysWOW64\Cancekeo.exe Ccmcgcmp.exe File created C:\Windows\SysWOW64\Abohmm32.dll Nocbfjmc.exe File opened for modification C:\Windows\SysWOW64\Hjnndime.exe Gipbck32.exe File opened for modification C:\Windows\SysWOW64\Ijlkfg32.exe Icbbimih.exe File created C:\Windows\SysWOW64\Ieicjl32.dll Jldbpl32.exe File created C:\Windows\SysWOW64\Kcpcgc32.dll Dickplko.exe File opened for modification C:\Windows\SysWOW64\Iloajfml.exe Iajmmm32.exe File created C:\Windows\SysWOW64\Ammnhilb.exe Abgjkpll.exe File opened for modification C:\Windows\SysWOW64\Jhhodg32.exe Jejbhk32.exe File opened for modification C:\Windows\SysWOW64\Lfmnbjcg.exe Kaqejcep.exe File opened for modification C:\Windows\SysWOW64\Nkgoke32.exe Nejgbn32.exe File created C:\Windows\SysWOW64\Ankgpk32.exe Ainnhdbp.exe File created C:\Windows\SysWOW64\Hlogfd32.exe Hfeoijbi.exe File created C:\Windows\SysWOW64\Ipimhnjc.dll Qpbnhl32.exe File created C:\Windows\SysWOW64\Klpjad32.exe Kefbdjgm.exe File created C:\Windows\SysWOW64\Mmdlflki.exe Mfkcibdl.exe File created C:\Windows\SysWOW64\Ioaegj32.dll Mdodbf32.exe File opened for modification C:\Windows\SysWOW64\Dijppjfd.exe Dabhomea.exe File created C:\Windows\SysWOW64\Iloajfml.exe Iajmmm32.exe File created C:\Windows\SysWOW64\Balfdi32.dll Jejbhk32.exe File created C:\Windows\SysWOW64\Mgeengon.dll Ijhhenhf.exe File created C:\Windows\SysWOW64\Bihancje.exe Bbniai32.exe File opened for modification C:\Windows\SysWOW64\Didjqoae.exe Dbjade32.exe File opened for modification C:\Windows\SysWOW64\Efampahd.exe Epgdch32.exe File created C:\Windows\SysWOW64\Fncnpk32.dll Keceoj32.exe File opened for modification C:\Windows\SysWOW64\Fplnogmb.exe Fibfbm32.exe File created C:\Windows\SysWOW64\Ghlbcolh.dll Ppamjcpj.exe File created C:\Windows\SysWOW64\Bipohh32.dll Hddilh32.exe File created C:\Windows\SysWOW64\Ploloqjj.dll Ngnppfgb.exe File created C:\Windows\SysWOW64\Ainnhdbp.exe Abdfkj32.exe File opened for modification C:\Windows\SysWOW64\Fempbm32.exe Fpqgjf32.exe File opened for modification C:\Windows\SysWOW64\Pkinmlnm.exe Pjjaci32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12396 5720 WerFault.exe 719 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkadoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjoknhbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dabhomea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Liifnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfodmdni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbfnjgdn.dll" 1a275f81d429555fe3c0329a7dd5bedab66f86f8b627a25f5109e70d61cb7176.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dblnid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcffnbee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eddnic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojimfh32.dll" Ekqckmfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmlafk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fajbjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngcglo32.dll" Jemfhacc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkohchko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgeengon.dll" Ijhhenhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgcbbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajjicg32.dll" Dpkehi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoladdeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nibbklke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aafjpc32.dll" Aidehpea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aimhmkgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mphamg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecoaijio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpaikm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgkkij32.dll" Nolekd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphnbpql.dll" Kcjjhdjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dncpkjoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hokgmpkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbhgkfkg.dll" Koimbpbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkgoke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jicdlc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bggnijof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djipbbne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggkqgaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Modpib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efampahd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jihngboe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bggnijof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfkklk32.dll" Gbhhieao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfdbpjmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mociol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eegqldqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfljnejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pggnnqmk.dll" Fidbgm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pacfjfej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjnbdofa.dll" Dabhomea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjhkmbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgqaip32.dll" Ckidcpjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gllajf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndejcemn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkeoha32.dll" Bimach32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flhoinbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmmbbodp.dll" Aglnnkid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqhqndlf.dll" Cibkohef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iehkefih.dll" Kcehejic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fplnogmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kabcopmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aflpkpjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbjade32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcbgfhii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqbpahpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjcjmclj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbcll32.dll" Djipbbne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Haodle32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2076 wrote to memory of 2628 2076 1a275f81d429555fe3c0329a7dd5bedab66f86f8b627a25f5109e70d61cb7176.exe 92 PID 2076 wrote to memory of 2628 2076 1a275f81d429555fe3c0329a7dd5bedab66f86f8b627a25f5109e70d61cb7176.exe 92 PID 2076 wrote to memory of 2628 2076 1a275f81d429555fe3c0329a7dd5bedab66f86f8b627a25f5109e70d61cb7176.exe 92 PID 2628 wrote to memory of 3572 2628 Pjmjdm32.exe 93 PID 2628 wrote to memory of 3572 2628 Pjmjdm32.exe 93 PID 2628 wrote to memory of 3572 2628 Pjmjdm32.exe 93 PID 3572 wrote to memory of 4148 3572 Ppahmb32.exe 94 PID 3572 wrote to memory of 4148 3572 Ppahmb32.exe 94 PID 3572 wrote to memory of 4148 3572 Ppahmb32.exe 94 PID 4148 wrote to memory of 220 4148 Afpjel32.exe 96 PID 4148 wrote to memory of 220 4148 Afpjel32.exe 96 PID 4148 wrote to memory of 220 4148 Afpjel32.exe 96 PID 220 wrote to memory of 3276 220 Apmhiq32.exe 97 PID 220 wrote to memory of 3276 220 Apmhiq32.exe 97 PID 220 wrote to memory of 3276 220 Apmhiq32.exe 97 PID 3276 wrote to memory of 876 3276 Bpdnjple.exe 98 PID 3276 wrote to memory of 876 3276 Bpdnjple.exe 98 PID 3276 wrote to memory of 876 3276 Bpdnjple.exe 98 PID 876 wrote to memory of 2968 876 Boihcf32.exe 99 PID 876 wrote to memory of 2968 876 Boihcf32.exe 99 PID 876 wrote to memory of 2968 876 Boihcf32.exe 99 PID 2968 wrote to memory of 2384 2968 Cponen32.exe 100 PID 2968 wrote to memory of 2384 2968 Cponen32.exe 100 PID 2968 wrote to memory of 2384 2968 Cponen32.exe 100 PID 2384 wrote to memory of 4244 2384 Caageq32.exe 101 PID 2384 wrote to memory of 4244 2384 Caageq32.exe 101 PID 2384 wrote to memory of 4244 2384 Caageq32.exe 101 PID 4244 wrote to memory of 1244 4244 Dojqjdbl.exe 102 PID 4244 wrote to memory of 1244 4244 Dojqjdbl.exe 102 PID 4244 wrote to memory of 1244 4244 Dojqjdbl.exe 102 PID 1244 wrote to memory of 4440 1244 Damfao32.exe 103 PID 1244 wrote to memory of 4440 1244 Damfao32.exe 103 PID 1244 wrote to memory of 4440 1244 Damfao32.exe 103 PID 4440 wrote to memory of 3140 4440 Doccpcja.exe 104 PID 4440 wrote to memory of 3140 4440 Doccpcja.exe 104 PID 4440 wrote to memory of 3140 4440 Doccpcja.exe 104 PID 3140 wrote to memory of 4752 3140 Edeeci32.exe 105 PID 3140 wrote to memory of 4752 3140 Edeeci32.exe 105 PID 3140 wrote to memory of 4752 3140 Edeeci32.exe 105 PID 4752 wrote to memory of 832 4752 Enpfan32.exe 106 PID 4752 wrote to memory of 832 4752 Enpfan32.exe 106 PID 4752 wrote to memory of 832 4752 Enpfan32.exe 106 PID 832 wrote to memory of 4704 832 Ekcgkb32.exe 107 PID 832 wrote to memory of 4704 832 Ekcgkb32.exe 107 PID 832 wrote to memory of 4704 832 Ekcgkb32.exe 107 PID 4704 wrote to memory of 4356 4704 Fdnhih32.exe 108 PID 4704 wrote to memory of 4356 4704 Fdnhih32.exe 108 PID 4704 wrote to memory of 4356 4704 Fdnhih32.exe 108 PID 4356 wrote to memory of 4068 4356 Fkjmlaac.exe 109 PID 4356 wrote to memory of 4068 4356 Fkjmlaac.exe 109 PID 4356 wrote to memory of 4068 4356 Fkjmlaac.exe 109 PID 4068 wrote to memory of 4904 4068 Fajbjh32.exe 110 PID 4068 wrote to memory of 4904 4068 Fajbjh32.exe 110 PID 4068 wrote to memory of 4904 4068 Fajbjh32.exe 110 PID 4904 wrote to memory of 3776 4904 Gicgpelg.exe 112 PID 4904 wrote to memory of 3776 4904 Gicgpelg.exe 112 PID 4904 wrote to memory of 3776 4904 Gicgpelg.exe 112 PID 3776 wrote to memory of 3812 3776 Ggkqgaol.exe 113 PID 3776 wrote to memory of 3812 3776 Ggkqgaol.exe 113 PID 3776 wrote to memory of 3812 3776 Ggkqgaol.exe 113 PID 3812 wrote to memory of 4432 3812 Gijmad32.exe 114 PID 3812 wrote to memory of 4432 3812 Gijmad32.exe 114 PID 3812 wrote to memory of 4432 3812 Gijmad32.exe 114 PID 4432 wrote to memory of 4320 4432 Gpdennml.exe 115
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a275f81d429555fe3c0329a7dd5bedab66f86f8b627a25f5109e70d61cb7176.exe"C:\Users\Admin\AppData\Local\Temp\1a275f81d429555fe3c0329a7dd5bedab66f86f8b627a25f5109e70d61cb7176.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Pjmjdm32.exeC:\Windows\system32\Pjmjdm32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Ppahmb32.exeC:\Windows\system32\Ppahmb32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Windows\SysWOW64\Afpjel32.exeC:\Windows\system32\Afpjel32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Windows\SysWOW64\Apmhiq32.exeC:\Windows\system32\Apmhiq32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\SysWOW64\Bpdnjple.exeC:\Windows\system32\Bpdnjple.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Windows\SysWOW64\Boihcf32.exeC:\Windows\system32\Boihcf32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\Cponen32.exeC:\Windows\system32\Cponen32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Caageq32.exeC:\Windows\system32\Caageq32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Dojqjdbl.exeC:\Windows\system32\Dojqjdbl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Windows\SysWOW64\Damfao32.exeC:\Windows\system32\Damfao32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Doccpcja.exeC:\Windows\system32\Doccpcja.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\SysWOW64\Edeeci32.exeC:\Windows\system32\Edeeci32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
C:\Windows\SysWOW64\Enpfan32.exeC:\Windows\system32\Enpfan32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\Ekcgkb32.exeC:\Windows\system32\Ekcgkb32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Fdnhih32.exeC:\Windows\system32\Fdnhih32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Windows\SysWOW64\Fkjmlaac.exeC:\Windows\system32\Fkjmlaac.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\SysWOW64\Fajbjh32.exeC:\Windows\system32\Fajbjh32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\Gicgpelg.exeC:\Windows\system32\Gicgpelg.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\SysWOW64\Ggkqgaol.exeC:\Windows\system32\Ggkqgaol.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3776 -
C:\Windows\SysWOW64\Gijmad32.exeC:\Windows\system32\Gijmad32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
C:\Windows\SysWOW64\Gpdennml.exeC:\Windows\system32\Gpdennml.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\SysWOW64\Giljfddl.exeC:\Windows\system32\Giljfddl.exe23⤵
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Hnlodjpa.exeC:\Windows\system32\Hnlodjpa.exe24⤵
- Executes dropped EXE
PID:3596 -
C:\Windows\SysWOW64\Hpkknmgd.exeC:\Windows\system32\Hpkknmgd.exe25⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Hlblcn32.exeC:\Windows\system32\Hlblcn32.exe26⤵
- Executes dropped EXE
PID:3724 -
C:\Windows\SysWOW64\Haodle32.exeC:\Windows\system32\Haodle32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Haaaaeim.exeC:\Windows\system32\Haaaaeim.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Iogopi32.exeC:\Windows\system32\Iogopi32.exe29⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Ibegfglj.exeC:\Windows\system32\Ibegfglj.exe30⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Ilnlom32.exeC:\Windows\system32\Ilnlom32.exe31⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Ilphdlqh.exeC:\Windows\system32\Ilphdlqh.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3104 -
C:\Windows\SysWOW64\Jidinqpb.exeC:\Windows\system32\Jidinqpb.exe33⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Jblmgf32.exeC:\Windows\system32\Jblmgf32.exe34⤵
- Executes dropped EXE
PID:3148 -
C:\Windows\SysWOW64\Jldbpl32.exeC:\Windows\system32\Jldbpl32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5068 -
C:\Windows\SysWOW64\Jemfhacc.exeC:\Windows\system32\Jemfhacc.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:4056 -
C:\Windows\SysWOW64\Joekag32.exeC:\Windows\system32\Joekag32.exe37⤵
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Jlikkkhn.exeC:\Windows\system32\Jlikkkhn.exe38⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Jafdcbge.exeC:\Windows\system32\Jafdcbge.exe39⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Jpgdai32.exeC:\Windows\system32\Jpgdai32.exe40⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Klndfj32.exeC:\Windows\system32\Klndfj32.exe41⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Klpakj32.exeC:\Windows\system32\Klpakj32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Kcjjhdjb.exeC:\Windows\system32\Kcjjhdjb.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:404 -
C:\Windows\SysWOW64\Kabcopmg.exeC:\Windows\system32\Kabcopmg.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Lepleocn.exeC:\Windows\system32\Lepleocn.exe45⤵
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Lafmjp32.exeC:\Windows\system32\Lafmjp32.exe46⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Lpgmhg32.exeC:\Windows\system32\Lpgmhg32.exe47⤵
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\Lhcali32.exeC:\Windows\system32\Lhcali32.exe48⤵
- Executes dropped EXE
PID:3696 -
C:\Windows\SysWOW64\Loofnccf.exeC:\Windows\system32\Loofnccf.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Lhgkgijg.exeC:\Windows\system32\Lhgkgijg.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Mapppn32.exeC:\Windows\system32\Mapppn32.exe51⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Modpib32.exeC:\Windows\system32\Modpib32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:212 -
C:\Windows\SysWOW64\Mpeiie32.exeC:\Windows\system32\Mpeiie32.exe53⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Mbgeqmjp.exeC:\Windows\system32\Mbgeqmjp.exe54⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Mjpjgj32.exeC:\Windows\system32\Mjpjgj32.exe55⤵
- Executes dropped EXE
PID:4120 -
C:\Windows\SysWOW64\Njbgmjgl.exeC:\Windows\system32\Njbgmjgl.exe56⤵
- Executes dropped EXE
PID:3800 -
C:\Windows\SysWOW64\Nckkfp32.exeC:\Windows\system32\Nckkfp32.exe57⤵
- Executes dropped EXE
PID:3872 -
C:\Windows\SysWOW64\Njedbjej.exeC:\Windows\system32\Njedbjej.exe58⤵PID:4552
-
C:\Windows\SysWOW64\Noblkqca.exeC:\Windows\system32\Noblkqca.exe59⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Njgqhicg.exeC:\Windows\system32\Njgqhicg.exe60⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Ncpeaoih.exeC:\Windows\system32\Ncpeaoih.exe61⤵
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Nimmifgo.exeC:\Windows\system32\Nimmifgo.exe62⤵
- Executes dropped EXE
PID:4628 -
C:\Windows\SysWOW64\Nbebbk32.exeC:\Windows\system32\Nbebbk32.exe63⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Ojnfihmo.exeC:\Windows\system32\Ojnfihmo.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Ocgkan32.exeC:\Windows\system32\Ocgkan32.exe65⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Oiccje32.exeC:\Windows\system32\Oiccje32.exe66⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Ofgdcipq.exeC:\Windows\system32\Ofgdcipq.exe67⤵PID:4800
-
C:\Windows\SysWOW64\Obnehj32.exeC:\Windows\system32\Obnehj32.exe68⤵PID:4344
-
C:\Windows\SysWOW64\Omdieb32.exeC:\Windows\system32\Omdieb32.exe69⤵PID:5160
-
C:\Windows\SysWOW64\Ocnabm32.exeC:\Windows\system32\Ocnabm32.exe70⤵PID:5200
-
C:\Windows\SysWOW64\Oikjkc32.exeC:\Windows\system32\Oikjkc32.exe71⤵PID:5240
-
C:\Windows\SysWOW64\Pbcncibp.exeC:\Windows\system32\Pbcncibp.exe72⤵PID:5280
-
C:\Windows\SysWOW64\Padnaq32.exeC:\Windows\system32\Padnaq32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5320 -
C:\Windows\SysWOW64\Pfagighf.exeC:\Windows\system32\Pfagighf.exe74⤵PID:5360
-
C:\Windows\SysWOW64\Ppikbm32.exeC:\Windows\system32\Ppikbm32.exe75⤵PID:5400
-
C:\Windows\SysWOW64\Pmmlla32.exeC:\Windows\system32\Pmmlla32.exe76⤵PID:5440
-
C:\Windows\SysWOW64\Pfepdg32.exeC:\Windows\system32\Pfepdg32.exe77⤵PID:5480
-
C:\Windows\SysWOW64\Pjcikejg.exeC:\Windows\system32\Pjcikejg.exe78⤵PID:5520
-
C:\Windows\SysWOW64\Qjffpe32.exeC:\Windows\system32\Qjffpe32.exe79⤵PID:5564
-
C:\Windows\SysWOW64\Qpbnhl32.exeC:\Windows\system32\Qpbnhl32.exe80⤵
- Drops file in System32 directory
PID:5604 -
C:\Windows\SysWOW64\Qfmfefni.exeC:\Windows\system32\Qfmfefni.exe81⤵PID:5644
-
C:\Windows\SysWOW64\Aabkbono.exeC:\Windows\system32\Aabkbono.exe82⤵PID:5680
-
C:\Windows\SysWOW64\Abcgjg32.exeC:\Windows\system32\Abcgjg32.exe83⤵PID:5728
-
C:\Windows\SysWOW64\Aadghn32.exeC:\Windows\system32\Aadghn32.exe84⤵PID:5776
-
C:\Windows\SysWOW64\Afappe32.exeC:\Windows\system32\Afappe32.exe85⤵PID:5820
-
C:\Windows\SysWOW64\Aagdnn32.exeC:\Windows\system32\Aagdnn32.exe86⤵PID:5864
-
C:\Windows\SysWOW64\Ajohfcpj.exeC:\Windows\system32\Ajohfcpj.exe87⤵PID:5908
-
C:\Windows\SysWOW64\Aplaoj32.exeC:\Windows\system32\Aplaoj32.exe88⤵PID:5952
-
C:\Windows\SysWOW64\Aidehpea.exeC:\Windows\system32\Aidehpea.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6048 -
C:\Windows\SysWOW64\Abmjqe32.exeC:\Windows\system32\Abmjqe32.exe90⤵
- Drops file in System32 directory
PID:6092 -
C:\Windows\SysWOW64\Bmbnnn32.exeC:\Windows\system32\Bmbnnn32.exe91⤵PID:6136
-
C:\Windows\SysWOW64\Bfkbfd32.exeC:\Windows\system32\Bfkbfd32.exe92⤵PID:5168
-
C:\Windows\SysWOW64\Bpcgpihi.exeC:\Windows\system32\Bpcgpihi.exe93⤵PID:5248
-
C:\Windows\SysWOW64\Bjhkmbho.exeC:\Windows\system32\Bjhkmbho.exe94⤵
- Modifies registry class
PID:5308 -
C:\Windows\SysWOW64\Bdcmkgmm.exeC:\Windows\system32\Bdcmkgmm.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5392 -
C:\Windows\SysWOW64\Bpjmph32.exeC:\Windows\system32\Bpjmph32.exe96⤵PID:3044
-
C:\Windows\SysWOW64\Cmnnimak.exeC:\Windows\system32\Cmnnimak.exe97⤵PID:5544
-
C:\Windows\SysWOW64\Ckbncapd.exeC:\Windows\system32\Ckbncapd.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5600 -
C:\Windows\SysWOW64\Calfpk32.exeC:\Windows\system32\Calfpk32.exe99⤵PID:5652
-
C:\Windows\SysWOW64\Ccmcgcmp.exeC:\Windows\system32\Ccmcgcmp.exe100⤵
- Drops file in System32 directory
PID:5752 -
C:\Windows\SysWOW64\Cancekeo.exeC:\Windows\system32\Cancekeo.exe101⤵PID:5836
-
C:\Windows\SysWOW64\Ciihjmcj.exeC:\Windows\system32\Ciihjmcj.exe102⤵PID:5900
-
C:\Windows\SysWOW64\Caqpkjcl.exeC:\Windows\system32\Caqpkjcl.exe103⤵PID:5892
-
C:\Windows\SysWOW64\Ckidcpjl.exeC:\Windows\system32\Ckidcpjl.exe104⤵
- Modifies registry class
PID:6100 -
C:\Windows\SysWOW64\Dmjmekgn.exeC:\Windows\system32\Dmjmekgn.exe105⤵PID:5156
-
C:\Windows\SysWOW64\Dcffnbee.exeC:\Windows\system32\Dcffnbee.exe106⤵
- Modifies registry class
PID:736 -
C:\Windows\SysWOW64\Dpjfgf32.exeC:\Windows\system32\Dpjfgf32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5316 -
C:\Windows\SysWOW64\Dickplko.exeC:\Windows\system32\Dickplko.exe108⤵
- Drops file in System32 directory
PID:5348 -
C:\Windows\SysWOW64\Dcnlnaom.exeC:\Windows\system32\Dcnlnaom.exe109⤵PID:5512
-
C:\Windows\SysWOW64\Dncpkjoc.exeC:\Windows\system32\Dncpkjoc.exe110⤵
- Modifies registry class
PID:5668 -
C:\Windows\SysWOW64\Enhifi32.exeC:\Windows\system32\Enhifi32.exe111⤵PID:5816
-
C:\Windows\SysWOW64\Ejojljqa.exeC:\Windows\system32\Ejojljqa.exe112⤵PID:5940
-
C:\Windows\SysWOW64\Eddnic32.exeC:\Windows\system32\Eddnic32.exe113⤵
- Modifies registry class
PID:6112 -
C:\Windows\SysWOW64\Eqkondfl.exeC:\Windows\system32\Eqkondfl.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3088 -
C:\Windows\SysWOW64\Ekqckmfb.exeC:\Windows\system32\Ekqckmfb.exe115⤵
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Eqmlccdi.exeC:\Windows\system32\Eqmlccdi.exe116⤵PID:5672
-
C:\Windows\SysWOW64\Fggdpnkf.exeC:\Windows\system32\Fggdpnkf.exe117⤵
- Drops file in System32 directory
PID:5896 -
C:\Windows\SysWOW64\Fcneeo32.exeC:\Windows\system32\Fcneeo32.exe118⤵PID:4860
-
C:\Windows\SysWOW64\Fncibg32.exeC:\Windows\system32\Fncibg32.exe119⤵PID:752
-
C:\Windows\SysWOW64\Fkgillpj.exeC:\Windows\system32\Fkgillpj.exe120⤵PID:5916
-
C:\Windows\SysWOW64\Fdpnda32.exeC:\Windows\system32\Fdpnda32.exe121⤵PID:5352
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-