Analysis
max time kernel: 160s
max time network: 172s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/04/2024, 21:26

Static task: static1 (1 signature)

Behavioral task: behavioral1
Sample: 10e66f6576db0a24673d321324f339c7.exe
Resource: win7-20240221-en
7 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 10e66f6576db0a24673d321324f339c7.exe
Resource: win10v2004-20240226-en
6 signatures, 150 seconds

General
Target: 10e66f6576db0a24673d321324f339c7.exe
Size: 128KB
MD5: 10e66f6576db0a24673d321324f339c7
SHA1: 9bd2da99fa52b632165d7e5465ebcb51d3a65c1c
SHA256: d46f03432740f41ede58a56b8c5b2e562248d82791c57c6c580642c7257c91de
SHA512: b96e5b8c56044be6412df5d7e97a6d8f76ec32575448eafa958808ceadc349d097503b76dfe2ba7a42d19394d52c302e30d6935cdba90902db96a049ec717256
SSDEEP: 1536:U9AxnDnhBkvKTCywEPqDi1KjOEQjILQ9FKGXllUDtM60TD4ruhiZlrQIFiglF9xu:Uy1DnAyZ39qObKG7UDd0pCrQIFdFtLQ
Score: 10/10

Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid 7816, pid_target 5488, Process WerFault.exe, procid_target 588
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
(one process per line, in tree order; the number is the depth in the process tree, so each entry is a child of the entry above it)
- Depth 1: C:\Users\Admin\AppData\Local\Temp\10e66f6576db0a24673d321324f339c7.exe (command line "C:\Users\Admin\AppData\Local\Temp\10e66f6576db0a24673d321324f339c7.exe"), PID 3996. Signatures: Suspicious use of WriteProcessMemory
- Depth 2: C:\Windows\SysWOW64\Epeohn32.exe (command line C:\Windows\system32\Epeohn32.exe), PID 5116. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- Depth 3: C:\Windows\SysWOW64\Glmhdm32.exe (command line C:\Windows\system32\Glmhdm32.exe), PID 2888. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- Depth 4: C:\Windows\SysWOW64\Gfgjbb32.exe (command line C:\Windows\system32\Gfgjbb32.exe), PID 2880. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- Depth 5: C:\Windows\SysWOW64\Hdicggla.exe (command line C:\Windows\system32\Hdicggla.exe), PID 3544. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- Depth 6: C:\Windows\SysWOW64\Inagpm32.exe (command line C:\Windows\system32\Inagpm32.exe), PID 1564. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- Depth 7: C:\Windows\SysWOW64\Ijjekn32.exe (command line C:\Windows\system32\Ijjekn32.exe), PID 1372. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- Depth 8: C:\Windows\SysWOW64\Kagbdenk.exe (command line C:\Windows\system32\Kagbdenk.exe), PID 3520. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- Depth 9: C:\Windows\SysWOW64\Lmqiec32.exe (command line C:\Windows\system32\Lmqiec32.exe), PID 3276. Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
- Depth 10: C:\Windows\SysWOW64\Ndfanlpi.exe (command line C:\Windows\system32\Ndfanlpi.exe), PID 3208. Signatures: Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
- Depth 11: C:\Windows\SysWOW64\Ogjpld32.exe (command line C:\Windows\system32\Ogjpld32.exe), PID 3096. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- Depth 12: C:\Windows\SysWOW64\Pfkpiled.exe (command line C:\Windows\system32\Pfkpiled.exe), PID 408. Signatures: Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
- Depth 13: C:\Windows\SysWOW64\Pgcbbc32.exe (command line C:\Windows\system32\Pgcbbc32.exe), PID 1480. Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- Depth 14: C:\Windows\SysWOW64\Qdllffpo.exe (command line C:\Windows\system32\Qdllffpo.exe), PID 3392. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- Depth 15: C:\Windows\SysWOW64\Aohfdnil.exe (command line C:\Windows\system32\Aohfdnil.exe), PID 4352. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- Depth 16: C:\Windows\SysWOW64\Bghddp32.exe (command line C:\Windows\system32\Bghddp32.exe), PID 4152. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- Depth 17: C:\Windows\SysWOW64\Becknc32.exe (command line C:\Windows\system32\Becknc32.exe), PID 4052. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- Depth 18: C:\Windows\SysWOW64\Ciaddaaj.exe (command line C:\Windows\system32\Ciaddaaj.exe), PID 3312. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- Depth 19: C:\Windows\SysWOW64\Cejaobel.exe (command line C:\Windows\system32\Cejaobel.exe), PID 832. Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- Depth 20: C:\Windows\SysWOW64\Dlicflic.exe (command line C:\Windows\system32\Dlicflic.exe), PID 1292. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- Depth 21: C:\Windows\SysWOW64\Dojlhg32.exe (command line C:\Windows\system32\Dojlhg32.exe), PID 1900. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- Depth 22: C:\Windows\SysWOW64\Doqbifpl.exe (command line C:\Windows\system32\Doqbifpl.exe), PID 468. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- Depth 23: C:\Windows\SysWOW64\Fhefmjlp.exe (command line C:\Windows\system32\Fhefmjlp.exe), PID 1924. Signatures: Executes dropped EXE
- Depth 24: C:\Windows\SysWOW64\Foakpc32.exe (command line C:\Windows\system32\Foakpc32.exe), PID 4620. Signatures: Executes dropped EXE
- Depth 25: C:\Windows\SysWOW64\Ginenk32.exe (command line C:\Windows\system32\Ginenk32.exe), PID 2432. Signatures: Executes dropped EXE
- Depth 26: C:\Windows\SysWOW64\Ghgljg32.exe (command line C:\Windows\system32\Ghgljg32.exe), PID 4716. Signatures: Executes dropped EXE
- Depth 27: C:\Windows\SysWOW64\Hfgloiqf.exe (command line C:\Windows\system32\Hfgloiqf.exe), PID 3984. Signatures: Executes dropped EXE
- Depth 28: C:\Windows\SysWOW64\Imfmgcdn.exe (command line C:\Windows\system32\Imfmgcdn.exe), PID 5104. Signatures: Executes dropped EXE
- Depth 29: C:\Windows\SysWOW64\Ifqoehhl.exe (command line C:\Windows\system32\Ifqoehhl.exe), PID 3292. Signatures: Executes dropped EXE
- Depth 30: C:\Windows\SysWOW64\Jjcqffkm.exe (command line C:\Windows\system32\Jjcqffkm.exe), PID 3300. Signatures: Executes dropped EXE
- Depth 31: C:\Windows\SysWOW64\Jfokff32.exe (command line C:\Windows\system32\Jfokff32.exe), PID 2044. Signatures: none
- Depth 32: C:\Windows\SysWOW64\Qgehml32.exe (command line C:\Windows\system32\Qgehml32.exe), PID 4000. Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- Depth 33: C:\Windows\SysWOW64\Qpmmfbfl.exe (command line C:\Windows\system32\Qpmmfbfl.exe), PID 820. Signatures: Executes dropped EXE; Drops file in System32 directory
- Depth 34: C:\Windows\SysWOW64\Agiahlkf.exe (command line C:\Windows\system32\Agiahlkf.exe), PID 1636. Signatures: Executes dropped EXE
- Depth 35: C:\Windows\SysWOW64\Ahpdcn32.exe (command line C:\Windows\system32\Ahpdcn32.exe), PID 1596. Signatures: Executes dropped EXE; Drops file in System32 directory
- Depth 36: C:\Windows\SysWOW64\Bndblcdq.exe (command line C:\Windows\system32\Bndblcdq.exe), PID 3092. Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- Depth 37: C:\Windows\SysWOW64\Cnhlgc32.exe (command line C:\Windows\system32\Cnhlgc32.exe), PID 4756. Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- Depth 38: C:\Windows\SysWOW64\Cnmebblf.exe (command line C:\Windows\system32\Cnmebblf.exe), PID 4408. Signatures: Executes dropped EXE
- Depth 39: C:\Windows\SysWOW64\Cbknhqbl.exe (command line C:\Windows\system32\Cbknhqbl.exe), PID 4160. Signatures: Executes dropped EXE
- Depth 40: C:\Windows\SysWOW64\Ckfofe32.exe (command line C:\Windows\system32\Ckfofe32.exe), PID 1744. Signatures: Executes dropped EXE
- Depth 41: C:\Windows\SysWOW64\Eieplhlf.exe (command line C:\Windows\system32\Eieplhlf.exe), PID 4372. Signatures: Executes dropped EXE
- Depth 42: C:\Windows\SysWOW64\Eelpqi32.exe (command line C:\Windows\system32\Eelpqi32.exe), PID 856. Signatures: Executes dropped EXE
- Depth 43: C:\Windows\SysWOW64\Fhdocc32.exe (command line C:\Windows\system32\Fhdocc32.exe), PID 1916. Signatures: Executes dropped EXE
- Depth 44: C:\Windows\SysWOW64\Fbjcplhj.exe (command line C:\Windows\system32\Fbjcplhj.exe), PID 1500. Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
- Depth 45: C:\Windows\SysWOW64\Fkgejncb.exe (command line C:\Windows\system32\Fkgejncb.exe), PID 1416. Signatures: Executes dropped EXE
- Depth 46: C:\Windows\SysWOW64\Gbecljnl.exe (command line C:\Windows\system32\Gbecljnl.exe), PID 2208. Signatures: Executes dropped EXE
- Depth 47: C:\Windows\SysWOW64\Hikkdc32.exe (command line C:\Windows\system32\Hikkdc32.exe), PID 4684. Signatures: Executes dropped EXE
- Depth 48: C:\Windows\SysWOW64\Iibaeb32.exe (command line C:\Windows\system32\Iibaeb32.exe), PID 5032. Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- Depth 49: C:\Windows\SysWOW64\Icjengld.exe (command line C:\Windows\system32\Icjengld.exe), PID 2084. Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- Depth 50: C:\Windows\SysWOW64\Iofpnhmc.exe (command line C:\Windows\system32\Iofpnhmc.exe), PID 2944. Signatures: Executes dropped EXE
- Depth 51: C:\Windows\SysWOW64\Jfdafa32.exe (command line C:\Windows\system32\Jfdafa32.exe), PID 4336. Signatures: Executes dropped EXE
- Depth 52: C:\Windows\SysWOW64\Jchaoe32.exe (command line C:\Windows\system32\Jchaoe32.exe), PID 1892. Signatures: Executes dropped EXE
- Depth 53: C:\Windows\SysWOW64\Jkhpogij.exe (command line C:\Windows\system32\Jkhpogij.exe), PID 2548. Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- Depth 54: C:\Windows\SysWOW64\Kofheeoq.exe (command line C:\Windows\system32\Kofheeoq.exe), PID 1980. Signatures: Executes dropped EXE
- Depth 55: C:\Windows\SysWOW64\Kkofofbb.exe (command line C:\Windows\system32\Kkofofbb.exe), PID 1128. Signatures: Executes dropped EXE
- Depth 56: C:\Windows\SysWOW64\Kjqfmn32.exe (command line C:\Windows\system32\Kjqfmn32.exe), PID 3100. Signatures: Executes dropped EXE
- Depth 57: C:\Windows\SysWOW64\Ljglnmdi.exe (command line C:\Windows\system32\Ljglnmdi.exe), PID 3992. Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- Depth 58: C:\Windows\SysWOW64\Mjcljk32.exe (command line C:\Windows\system32\Mjcljk32.exe), PID 4460. Signatures: Executes dropped EXE
- Depth 59: C:\Windows\SysWOW64\Mlgegcng.exe (command line C:\Windows\system32\Mlgegcng.exe), PID 1432. Signatures: Executes dropped EXE; Modifies registry class
- Depth 60: C:\Windows\SysWOW64\Nifele32.exe (command line C:\Windows\system32\Nifele32.exe), PID 4364. Signatures: Executes dropped EXE
- Depth 61: C:\Windows\SysWOW64\Omigmc32.exe (command line C:\Windows\system32\Omigmc32.exe), PID 436. Signatures: Executes dropped EXE
- Depth 62: C:\Windows\SysWOW64\Omkdcccb.exe (command line C:\Windows\system32\Omkdcccb.exe), PID 2168. Signatures: Executes dropped EXE
- Depth 63: C:\Windows\SysWOW64\Oibdhd32.exe (command line C:\Windows\system32\Oibdhd32.exe), PID 2892. Signatures: Executes dropped EXE
- Depth 64: C:\Windows\SysWOW64\Pdalkk32.exe (command line C:\Windows\system32\Pdalkk32.exe), PID 1068. Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies registry class
- Depth 65: C:\Windows\SysWOW64\Akipic32.exe (command line C:\Windows\system32\Akipic32.exe), PID 4432. Signatures: Executes dropped EXE
- Depth 66: C:\Windows\SysWOW64\Bqdechnf.exe (command line C:\Windows\system32\Bqdechnf.exe), PID 4964. Signatures: Executes dropped EXE
- Depth 67: C:\Windows\SysWOW64\Cgecpa32.exe (command line C:\Windows\system32\Cgecpa32.exe), PID 488. Signatures: none
- Depth 68: C:\Windows\SysWOW64\Cnokmkfh.exe (command line C:\Windows\system32\Cnokmkfh.exe), PID 1172. Signatures: none
- Depth 69: C:\Windows\SysWOW64\Cmdhnhkp.exe (command line C:\Windows\system32\Cmdhnhkp.exe), PID 3980. Signatures: none
- Depth 70: C:\Windows\SysWOW64\Djmbbk32.exe (command line C:\Windows\system32\Djmbbk32.exe), PID 2712. Signatures: Modifies registry class
- Depth 71: C:\Windows\SysWOW64\Dqgjoenq.exe (command line C:\Windows\system32\Dqgjoenq.exe), PID 2276. Signatures: Modifies registry class
- Depth 72: C:\Windows\SysWOW64\Eegpkcbd.exe (command line C:\Windows\system32\Eegpkcbd.exe), PID 4568. Signatures: none
- Depth 73: C:\Windows\SysWOW64\Enoddi32.exe (command line C:\Windows\system32\Enoddi32.exe), PID 4640. Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
- Depth 74: C:\Windows\SysWOW64\Emgnje32.exe (command line C:\Windows\system32\Emgnje32.exe), PID 4932. Signatures: none
- Depth 75: C:\Windows\SysWOW64\Fchlhnlo.exe (command line C:\Windows\system32\Fchlhnlo.exe), PID 4760. Signatures: none
- Depth 76: C:\Windows\SysWOW64\Fnmqegle.exe (command line C:\Windows\system32\Fnmqegle.exe), PID 712. Signatures: Drops file in System32 directory
- Depth 77: C:\Windows\SysWOW64\Gmggac32.exe (command line C:\Windows\system32\Gmggac32.exe), PID 4148. Signatures: none
- Depth 78: C:\Windows\SysWOW64\Ghmkol32.exe (command line C:\Windows\system32\Ghmkol32.exe), PID 5156. Signatures: none
- Depth 79: C:\Windows\SysWOW64\Glkdejcd.exe (command line C:\Windows\system32\Glkdejcd.exe), PID 5196. Signatures: none
- Depth 80: C:\Windows\SysWOW64\Glompi32.exe (command line C:\Windows\system32\Glompi32.exe), PID 5232. Signatures: none
- Depth 81: C:\Windows\SysWOW64\Hoepmd32.exe (command line C:\Windows\system32\Hoepmd32.exe), PID 5280. Signatures: none
- Depth 82: C:\Windows\SysWOW64\Hmlicp32.exe (command line C:\Windows\system32\Hmlicp32.exe), PID 5324. Signatures: Adds autorun key to be loaded by Explorer.exe on startup
- Depth 83: C:\Windows\SysWOW64\Incpdodg.exe (command line C:\Windows\system32\Incpdodg.exe), PID 5372. Signatures: Modifies registry class
- Depth 84: C:\Windows\SysWOW64\Ioclnblj.exe (command line C:\Windows\system32\Ioclnblj.exe), PID 5412. Signatures: none
- Depth 85: C:\Windows\SysWOW64\Idpdfija.exe (command line C:\Windows\system32\Idpdfija.exe), PID 5456. Signatures: none
- Depth 86: C:\Windows\SysWOW64\Ikjmcc32.exe (command line C:\Windows\system32\Ikjmcc32.exe), PID 5504. Signatures: none
- Depth 87: C:\Windows\SysWOW64\Jnoopm32.exe (command line C:\Windows\system32\Jnoopm32.exe), PID 5552. Signatures: Drops file in System32 directory
- Depth 88: C:\Windows\SysWOW64\Lmcejbbd.exe (command line C:\Windows\system32\Lmcejbbd.exe), PID 5600. Signatures: none
- Depth 89: C:\Windows\SysWOW64\Ldccid32.exe (command line C:\Windows\system32\Ldccid32.exe), PID 5644. Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
- Depth 90: C:\Windows\SysWOW64\Mbkmngfn.exe (command line C:\Windows\system32\Mbkmngfn.exe), PID 5688. Signatures: Adds autorun key to be loaded by Explorer.exe on startup
- Depth 91: C:\Windows\SysWOW64\Mbnjcg32.exe (command line C:\Windows\system32\Mbnjcg32.exe), PID 5732. Signatures: Modifies registry class
- Depth 92: C:\Windows\SysWOW64\Mnggnh32.exe (command line C:\Windows\system32\Mnggnh32.exe), PID 5768. Signatures: Adds autorun key to be loaded by Explorer.exe on startup
- Depth 93: C:\Windows\SysWOW64\Npfchkop.exe (command line C:\Windows\system32\Npfchkop.exe), PID 5812. Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
- Depth 94: C:\Windows\SysWOW64\Nfpled32.exe (command line C:\Windows\system32\Nfpled32.exe), PID 5868. Signatures: none
- Depth 95: C:\Windows\SysWOW64\Olpjii32.exe (command line C:\Windows\system32\Olpjii32.exe), PID 5912. Signatures: none
- Depth 96: C:\Windows\SysWOW64\Ppblkffp.exe (command line C:\Windows\system32\Ppblkffp.exe), PID 5948. Signatures: none
- Depth 97: C:\Windows\SysWOW64\Pfmdgq32.exe (command line C:\Windows\system32\Pfmdgq32.exe), PID 6004. Signatures: Modifies registry class
- Depth 98: C:\Windows\SysWOW64\Qednnm32.exe (command line C:\Windows\system32\Qednnm32.exe), PID 6044. Signatures: none
- Depth 99: C:\Windows\SysWOW64\Agmmnnpj.exe (command line C:\Windows\system32\Agmmnnpj.exe), PID 6088. Signatures: Adds autorun key to be loaded by Explorer.exe on startup
- Depth 100: C:\Windows\SysWOW64\Bmlofhca.exe (command line C:\Windows\system32\Bmlofhca.exe), PID 1356. Signatures: none
- Depth 101: C:\Windows\SysWOW64\Bgkipl32.exe (command line C:\Windows\system32\Bgkipl32.exe), PID 5216. Signatures: Modifies registry class
- Depth 102: C:\Windows\SysWOW64\Ccfcpm32.exe (command line C:\Windows\system32\Ccfcpm32.exe), PID 2924. Signatures: Drops file in System32 directory
- Depth 103: C:\Windows\SysWOW64\Epgpajdp.exe (command line C:\Windows\system32\Epgpajdp.exe), PID 5396. Signatures: Adds autorun key to be loaded by Explorer.exe on startup
- Depth 104: C:\Windows\SysWOW64\Fppchile.exe (command line C:\Windows\system32\Fppchile.exe), PID 4112. Signatures: none
- Depth 105: C:\Windows\SysWOW64\Imbhiial.exe (command line C:\Windows\system32\Imbhiial.exe), PID 5468. Signatures: Adds autorun key to be loaded by Explorer.exe on startup
- Depth 106: C:\Windows\SysWOW64\Ihhmgaqb.exe (command line C:\Windows\system32\Ihhmgaqb.exe), PID 5540. Signatures: none
- Depth 107: C:\Windows\SysWOW64\Jhfihp32.exe (command line C:\Windows\system32\Jhfihp32.exe), PID 5532. Signatures: none
- Depth 108: C:\Windows\SysWOW64\Jncapf32.exe (command line C:\Windows\system32\Jncapf32.exe), PID 2072. Signatures: none
- Depth 109: C:\Windows\SysWOW64\Kkioojpp.exe (command line C:\Windows\system32\Kkioojpp.exe), PID 5572. Signatures: Drops file in System32 directory
- Depth 110: C:\Windows\SysWOW64\Lppjnpem.exe (command line C:\Windows\system32\Lppjnpem.exe), PID 5676. Signatures: none
- Depth 111: C:\Windows\SysWOW64\Lgibjj32.exe (command line C:\Windows\system32\Lgibjj32.exe), PID 5716. Signatures: none
- Depth 112: C:\Windows\SysWOW64\Lkldlgok.exe (command line C:\Windows\system32\Lkldlgok.exe), PID 5796. Signatures: none
- Depth 113: C:\Windows\SysWOW64\Mhpeelnd.exe (command line C:\Windows\system32\Mhpeelnd.exe), PID 4628. Signatures: Drops file in System32 directory; Modifies registry class
- Depth 114: C:\Windows\SysWOW64\Mnmmmbll.exe (command line C:\Windows\system32\Mnmmmbll.exe), PID 5848. Signatures: none
- Depth 115: C:\Windows\SysWOW64\Mhenpk32.exe (command line C:\Windows\system32\Mhenpk32.exe), PID 5940. Signatures: Drops file in System32 directory
- Depth 116: C:\Windows\SysWOW64\Mnaghb32.exe (command line C:\Windows\system32\Mnaghb32.exe), PID 3208. Signatures: none
- Depth 117: C:\Windows\SysWOW64\Mgjkag32.exe (command line C:\Windows\system32\Mgjkag32.exe), PID 408. Signatures: Adds autorun key to be loaded by Explorer.exe on startup
- Depth 118: C:\Windows\SysWOW64\Mndcnafd.exe (command line C:\Windows\system32\Mndcnafd.exe), PID 6076. Signatures: Modifies registry class
- Depth 119: C:\Windows\SysWOW64\Mhihkjfj.exe (command line C:\Windows\system32\Mhihkjfj.exe), PID 5024. Signatures: none
- Depth 120: C:\Windows\SysWOW64\Nocphd32.exe (command line C:\Windows\system32\Nocphd32.exe), PID 5152. Signatures: none
- Depth 121: C:\Windows\SysWOW64\Nqdlpmce.exe (command line C:\Windows\system32\Nqdlpmce.exe), PID 1192. Signatures: none
- Depth 122: C:\Windows\SysWOW64\Ngodlgka.exe (command line C:\Windows\system32\Ngodlgka.exe), PID 1988. Signatures: none