Analysis
-
max time kernel
159s -
max time network
176s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
09-04-2024 23:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a2f2d4c0b2021c06bfd3f65939fb384f.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
a2f2d4c0b2021c06bfd3f65939fb384f.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
a2f2d4c0b2021c06bfd3f65939fb384f.exe
-
Size
128KB
-
MD5
a2f2d4c0b2021c06bfd3f65939fb384f
-
SHA1
b262dbc65c41dc626276cabb3508a41f73ff8e00
-
SHA256
60bc4700a9a2099f14cef180e8908b7b9e317341fbc8347a86d7c99af8d723da
-
SHA512
eb936d1b5c529f0fe55c2756f5e79814f31e1e368478a579bee7ee99226fa399ccc903dbc0456f03a369ffb6b4e5b0a0e7a8b4dde601218da5991829c66d9be7
-
SSDEEP
3072:li3Qk9PZoNbF8CCL+D3juGG2/BhHmiImXJ2fYdV46nfPyxWhj8NCM/r:li3xrHR4BhHmNEcYj9nhV8NCU
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjfjee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcnhfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fboellof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiikpnmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbddobla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnkchmdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcahgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njaakf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddifaqcn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfcoblfb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijolhg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmcocn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdphgmlj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqhdlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojqchnpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Linojbdc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljlagndl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phnoac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcbehbim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hocqkc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ininloda.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjhfjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccipelcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djgbmffn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaomij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjjinp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njaakf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qanhkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kihdqkaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Libggiik.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjblcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdqcglqh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ochjmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phnoac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mklkepal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppbekd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djgdkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkfkng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmoclg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmabnnhg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ognpoheh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljfhjn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qanhkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecbecfqe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dphiaffa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qpikao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffmmgceo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eepkkefp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Himche32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heochp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhofffjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdibplaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnolojhk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mikjmhaq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emkeho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbgnobpg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbfddh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfieagka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djgbmffn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgfcfajg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijjekn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efhcld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmbgnabc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poaqocgl.exe -
Executes dropped EXE 64 IoCs
pid Process 2036 Hnnljj32.exe 3832 Iojkeh32.exe 4952 Iiopca32.exe 2272 Ihdldn32.exe 628 Jpnakk32.exe 4756 Jlgoek32.exe 2344 Kedlip32.exe 2124 Kakmna32.exe 4364 Kiikpnmj.exe 1528 Lcclncbh.exe 3512 Lhenai32.exe 1956 Mokfja32.exe 3092 Nckkfp32.exe 4456 Nbbeml32.exe 4336 Ofegni32.exe 1932 Ojhiogdd.exe 4476 Pmphaaln.exe 3928 Ajjokd32.exe 732 Bigbmpco.exe 2928 Bfmolc32.exe 1920 Bbhildae.exe 2848 Ccppmc32.exe 4084 Cmedjl32.exe 1844 Dphiaffa.exe 4988 Dgdncplk.exe 3152 Djgdkk32.exe 2488 Eqmlccdi.exe 2108 Fqphic32.exe 5028 Fnffhgon.exe 3960 Fnhbmgmk.exe 1036 Fnjocf32.exe 3356 Gnfooe32.exe 4068 Hnmeodjc.exe 744 Icachjbb.exe 4252 Ibbcfa32.exe 4032 Ieeimlep.exe 4488 Jjdokb32.exe 4944 Jhhodg32.exe 3288 Jaqcnl32.exe 4896 Kkpnga32.exe 1856 Kbjbnnfg.exe 3528 Khfkfedn.exe 3548 Klddlckd.exe 4720 Ldbefe32.exe 3796 Lknjhokg.exe 1480 Lhgdmb32.exe 4764 Mcabej32.exe 3828 Nfpghccm.exe 4280 Oohkai32.exe 1388 Ookhfigk.exe 4776 Pbddobla.exe 4344 Pmmeak32.exe 4308 Pkabbgol.exe 4872 Qifbll32.exe 1832 Qkfkng32.exe 4440 Aijlgkjq.exe 1908 Abcppq32.exe 4784 Apgqie32.exe 1564 Aioebj32.exe 820 Abgjkpll.exe 4104 Abjfqpji.exe 2204 Bblcfo32.exe 3948 Bmagch32.exe 64 Bcpika32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Emnbmoef.exe Emkeho32.exe File created C:\Windows\SysWOW64\Jdahga32.dll Cfgjcb32.exe File created C:\Windows\SysWOW64\Hkbldhic.dll Kedcml32.exe File created C:\Windows\SysWOW64\Mqeibk32.exe Mcolcgmh.exe File created C:\Windows\SysWOW64\Nppakcok.dll Hjqkel32.exe File created C:\Windows\SysWOW64\Jglkkiea.exe Jqbbno32.exe File created C:\Windows\SysWOW64\Bepeph32.exe Bnfmcn32.exe File created C:\Windows\SysWOW64\Oeqckmec.dll Qocfjlan.exe File opened for modification C:\Windows\SysWOW64\Knlbipjb.exe Jkligd32.exe File opened for modification C:\Windows\SysWOW64\Cbdhgaid.exe Bgodjiio.exe File created C:\Windows\SysWOW64\Ibbcfa32.exe Icachjbb.exe File opened for modification C:\Windows\SysWOW64\Nlmdml32.exe Neclpamg.exe File opened for modification C:\Windows\SysWOW64\Cdabmcdi.exe Bjagcndq.exe File created C:\Windows\SysWOW64\Pbhghdkf.dll Ibffbnjh.exe File opened for modification C:\Windows\SysWOW64\Nifcnpch.exe Noaoagca.exe File created C:\Windows\SysWOW64\Cgndikgd.exe Cmipkb32.exe File opened for modification C:\Windows\SysWOW64\Neqoidmo.exe Nnfgmjfb.exe File opened for modification C:\Windows\SysWOW64\Gcggec32.exe Gbfkmk32.exe File opened for modification C:\Windows\SysWOW64\Bblcfo32.exe Abjfqpji.exe File created C:\Windows\SysWOW64\Hihimfag.exe Gcbnopkj.exe File opened for modification C:\Windows\SysWOW64\Bjpjoa32.exe Bmliem32.exe File opened for modification C:\Windows\SysWOW64\Pddhlnfg.exe Pkkdci32.exe File created C:\Windows\SysWOW64\Ehfljn32.dll Jdajabdc.exe File created C:\Windows\SysWOW64\Lalnfooo.exe Llofnh32.exe File created C:\Windows\SysWOW64\Gknkkmmj.exe Gaffbg32.exe File opened for modification C:\Windows\SysWOW64\Anbkbe32.exe Ahhbfkbf.exe File created C:\Windows\SysWOW64\Eqmlccdi.exe Djgdkk32.exe File created C:\Windows\SysWOW64\Naoplkpo.dll Mdibplaf.exe File opened for modification C:\Windows\SysWOW64\Mjdkeaij.exe Mckbhg32.exe File created C:\Windows\SysWOW64\Ikfbpdlg.dll Dphiaffa.exe File created C:\Windows\SysWOW64\Aegghi32.dll Gjmffn32.exe File created C:\Windows\SysWOW64\Mgidgakk.exe Mcklac32.exe File created C:\Windows\SysWOW64\Hcofbifb.exe Gooqfkan.exe File opened for modification C:\Windows\SysWOW64\Glompi32.exe Gmnmbbgp.exe File opened for modification C:\Windows\SysWOW64\Kfcdaehf.exe Kpilekqj.exe File opened for modification C:\Windows\SysWOW64\Dpjompqc.exe Cfcoblfb.exe File created C:\Windows\SysWOW64\Hpkmajcn.dll Imgbdh32.exe File created C:\Windows\SysWOW64\Pjbofkpn.dll Ebcdjc32.exe File created C:\Windows\SysWOW64\Hcgmmogb.dll Eblpqono.exe File opened for modification C:\Windows\SysWOW64\Pfnccg32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Aecbge32.exe Aofjoo32.exe File opened for modification C:\Windows\SysWOW64\Ccipelcf.exe Bodano32.exe File opened for modification C:\Windows\SysWOW64\Mmfjfp32.exe Mflbjejb.exe File created C:\Windows\SysWOW64\Mikjmhaq.exe Ldoadabi.exe File opened for modification C:\Windows\SysWOW64\Cmiffhkj.exe Cdabmcdi.exe File created C:\Windows\SysWOW64\Olcklj32.exe Ocjgcd32.exe File created C:\Windows\SysWOW64\Anplji32.dll Dfcqjg32.exe File created C:\Windows\SysWOW64\Nljgfn32.exe Neqoidmo.exe File created C:\Windows\SysWOW64\Hlipfh32.exe Hdokok32.exe File created C:\Windows\SysWOW64\Bgjkdehg.dll Ofqnlplf.exe File opened for modification C:\Windows\SysWOW64\Klddlckd.exe Khfkfedn.exe File created C:\Windows\SysWOW64\Bbbkbbkg.exe Bglgdi32.exe File created C:\Windows\SysWOW64\Nqfbkf32.exe Nkijbooo.exe File created C:\Windows\SysWOW64\Ckpghq32.dll Jfpocjfa.exe File created C:\Windows\SysWOW64\Qmbepfoh.exe Qblacnob.exe File created C:\Windows\SysWOW64\Pbapom32.exe Philfgdh.exe File opened for modification C:\Windows\SysWOW64\Lkflpe32.exe Lbnggpfj.exe File opened for modification C:\Windows\SysWOW64\Oediim32.exe Moiheebb.exe File created C:\Windows\SysWOW64\Beniogkl.dll Mnhkklbb.exe File opened for modification C:\Windows\SysWOW64\Cmbgnabc.exe Cgioah32.exe File opened for modification C:\Windows\SysWOW64\Mcklac32.exe Majoikof.exe File opened for modification C:\Windows\SysWOW64\Glenpb32.exe Ffmelmbc.exe File created C:\Windows\SysWOW64\Kagnlmbq.dll Kpiqpo32.exe File created C:\Windows\SysWOW64\Epfflj32.exe Ekimdc32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bicjjkaq.dll" Alelkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqklhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgoocfkf.dll" Pcbkgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mebkbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbfjin32.dll" Qqamieno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klbqimad.dll" Abonimmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcimnfna.dll" Hlipfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcmohcqm.dll" Bmbngd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eihobg32.dll" Gcggec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lknjhokg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjqjpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfaqafjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mndapl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlgooa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iagpbgig.dll" Lhgdmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifaepolg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnfmkhcj.dll" Pnlcdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnaalghe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naqhjb32.dll" Mdckpqod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkligd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opqopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Andghd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioopfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kimgad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dphiaffa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jooeqo32.dll" Hnmeodjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghadjkhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcikmdne.dll" Amfqikko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fceihh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flqigq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmmelo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqeecp32.dll" Nojagf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhhchi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggiffjfe.dll" Hdbmfhbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Henajkcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqmlccdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlgooa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofqnlplf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghgljg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oofepe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfkbpjgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Majoikof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eblpqono.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npbhqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gginjc32.dll" Hjbhph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mimbfg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phcogice.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqhlpbjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoeleelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aegghi32.dll" Gjmffn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnjocf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmfgkihn.dll" Fkgejncb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knbeoidd.dll" Ildpbfmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojgjhicl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfkbpjgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqfbkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioakpf32.dll" Nhmejf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmedbiid.dll" Imdgljil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khonkogj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daajam32.dll" Glnnofhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnaalghe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkpbpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bikoli32.dll" Hihimfag.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2064 wrote to memory of 2036 2064 a2f2d4c0b2021c06bfd3f65939fb384f.exe 94 PID 2064 wrote to memory of 2036 2064 a2f2d4c0b2021c06bfd3f65939fb384f.exe 94 PID 2064 wrote to memory of 2036 2064 a2f2d4c0b2021c06bfd3f65939fb384f.exe 94 PID 2036 wrote to memory of 3832 2036 Hnnljj32.exe 95 PID 2036 wrote to memory of 3832 2036 Hnnljj32.exe 95 PID 2036 wrote to memory of 3832 2036 Hnnljj32.exe 95 PID 3832 wrote to memory of 4952 3832 Iojkeh32.exe 96 PID 3832 wrote to memory of 4952 3832 Iojkeh32.exe 96 PID 3832 wrote to memory of 4952 3832 Iojkeh32.exe 96 PID 4952 wrote to memory of 2272 4952 Iiopca32.exe 97 PID 4952 wrote to memory of 2272 4952 Iiopca32.exe 97 PID 4952 wrote to memory of 2272 4952 Iiopca32.exe 97 PID 2272 wrote to memory of 628 2272 Ihdldn32.exe 98 PID 2272 wrote to memory of 628 2272 Ihdldn32.exe 98 PID 2272 wrote to memory of 628 2272 Ihdldn32.exe 98 PID 628 wrote to memory of 4756 628 Jpnakk32.exe 100 PID 628 wrote to memory of 4756 628 Jpnakk32.exe 100 PID 628 wrote to memory of 4756 628 Jpnakk32.exe 100 PID 4756 wrote to memory of 2344 4756 Jlgoek32.exe 101 PID 4756 wrote to memory of 2344 4756 Jlgoek32.exe 101 PID 4756 wrote to memory of 2344 4756 Jlgoek32.exe 101 PID 2344 wrote to memory of 2124 2344 Kedlip32.exe 102 PID 2344 wrote to memory of 2124 2344 Kedlip32.exe 102 PID 2344 wrote to memory of 2124 2344 Kedlip32.exe 102 PID 2124 wrote to memory of 4364 2124 Kakmna32.exe 103 PID 2124 wrote to memory of 4364 2124 Kakmna32.exe 103 PID 2124 wrote to memory of 4364 2124 Kakmna32.exe 103 PID 4364 wrote to memory of 1528 4364 Kiikpnmj.exe 104 PID 4364 wrote to memory of 1528 4364 Kiikpnmj.exe 104 PID 4364 wrote to memory of 1528 4364 Kiikpnmj.exe 104 PID 1528 wrote to memory of 3512 1528 Lcclncbh.exe 105 PID 1528 wrote to memory of 3512 1528 Lcclncbh.exe 105 PID 1528 wrote to memory of 3512 1528 Lcclncbh.exe 105 PID 3512 wrote to memory of 1956 3512 Lhenai32.exe 106 PID 3512 wrote to memory of 1956 3512 Lhenai32.exe 106 PID 3512 wrote to memory of 1956 3512 Lhenai32.exe 106 PID 1956 wrote to memory of 3092 1956 Mokfja32.exe 107 PID 1956 wrote to memory of 3092 1956 Mokfja32.exe 107 PID 1956 wrote to memory of 3092 1956 Mokfja32.exe 107 PID 3092 wrote to memory of 4456 3092 Nckkfp32.exe 108 PID 3092 wrote to memory of 4456 3092 Nckkfp32.exe 108 PID 3092 wrote to memory of 4456 3092 Nckkfp32.exe 108 PID 4456 wrote to memory of 4336 4456 Nbbeml32.exe 109 PID 4456 wrote to memory of 4336 4456 Nbbeml32.exe 109 PID 4456 wrote to memory of 4336 4456 Nbbeml32.exe 109 PID 4336 wrote to memory of 1932 4336 Ofegni32.exe 110 PID 4336 wrote to memory of 1932 4336 Ofegni32.exe 110 PID 4336 wrote to memory of 1932 4336 Ofegni32.exe 110 PID 1932 wrote to memory of 4476 1932 Ojhiogdd.exe 111 PID 1932 wrote to memory of 4476 1932 Ojhiogdd.exe 111 PID 1932 wrote to memory of 4476 1932 Ojhiogdd.exe 111 PID 4476 wrote to memory of 3928 4476 Pmphaaln.exe 112 PID 4476 wrote to memory of 3928 4476 Pmphaaln.exe 112 PID 4476 wrote to memory of 3928 4476 Pmphaaln.exe 112 PID 3928 wrote to memory of 732 3928 Ajjokd32.exe 113 PID 3928 wrote to memory of 732 3928 Ajjokd32.exe 113 PID 3928 wrote to memory of 732 3928 Ajjokd32.exe 113 PID 732 wrote to memory of 2928 732 Bigbmpco.exe 114 PID 732 wrote to memory of 2928 732 Bigbmpco.exe 114 PID 732 wrote to memory of 2928 732 Bigbmpco.exe 114 PID 2928 wrote to memory of 1920 2928 Bfmolc32.exe 115 PID 2928 wrote to memory of 1920 2928 Bfmolc32.exe 115 PID 2928 wrote to memory of 1920 2928 Bfmolc32.exe 115 PID 1920 wrote to memory of 2848 1920 Bbhildae.exe 116
Processes
-
C:\Users\Admin\AppData\Local\Temp\a2f2d4c0b2021c06bfd3f65939fb384f.exe"C:\Users\Admin\AppData\Local\Temp\a2f2d4c0b2021c06bfd3f65939fb384f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Hnnljj32.exeC:\Windows\system32\Hnnljj32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Iojkeh32.exeC:\Windows\system32\Iojkeh32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832 -
C:\Windows\SysWOW64\Iiopca32.exeC:\Windows\system32\Iiopca32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\SysWOW64\Ihdldn32.exeC:\Windows\system32\Ihdldn32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Jpnakk32.exeC:\Windows\system32\Jpnakk32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\SysWOW64\Jlgoek32.exeC:\Windows\system32\Jlgoek32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Windows\SysWOW64\Kedlip32.exeC:\Windows\system32\Kedlip32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Kakmna32.exeC:\Windows\system32\Kakmna32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Kiikpnmj.exeC:\Windows\system32\Kiikpnmj.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
C:\Windows\SysWOW64\Lcclncbh.exeC:\Windows\system32\Lcclncbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Lhenai32.exeC:\Windows\system32\Lhenai32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Windows\SysWOW64\Mokfja32.exeC:\Windows\system32\Mokfja32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Nckkfp32.exeC:\Windows\system32\Nckkfp32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Windows\SysWOW64\Nbbeml32.exeC:\Windows\system32\Nbbeml32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Windows\SysWOW64\Ofegni32.exeC:\Windows\system32\Ofegni32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\SysWOW64\Ojhiogdd.exeC:\Windows\system32\Ojhiogdd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Pmphaaln.exeC:\Windows\system32\Pmphaaln.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\SysWOW64\Ajjokd32.exeC:\Windows\system32\Ajjokd32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Windows\SysWOW64\Bigbmpco.exeC:\Windows\system32\Bigbmpco.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:732 -
C:\Windows\SysWOW64\Bfmolc32.exeC:\Windows\system32\Bfmolc32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Bbhildae.exeC:\Windows\system32\Bbhildae.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Ccppmc32.exeC:\Windows\system32\Ccppmc32.exe23⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Cmedjl32.exeC:\Windows\system32\Cmedjl32.exe24⤵
- Executes dropped EXE
PID:4084 -
C:\Windows\SysWOW64\Dphiaffa.exeC:\Windows\system32\Dphiaffa.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1844 -
C:\Windows\SysWOW64\Dgdncplk.exeC:\Windows\system32\Dgdncplk.exe26⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Djgdkk32.exeC:\Windows\system32\Djgdkk32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3152 -
C:\Windows\SysWOW64\Eqmlccdi.exeC:\Windows\system32\Eqmlccdi.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:2488 -
C:\Windows\SysWOW64\Fqphic32.exeC:\Windows\system32\Fqphic32.exe29⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Fnffhgon.exeC:\Windows\system32\Fnffhgon.exe30⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Fnhbmgmk.exeC:\Windows\system32\Fnhbmgmk.exe31⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Fnjocf32.exeC:\Windows\system32\Fnjocf32.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Gnfooe32.exeC:\Windows\system32\Gnfooe32.exe33⤵
- Executes dropped EXE
PID:3356 -
C:\Windows\SysWOW64\Hnmeodjc.exeC:\Windows\system32\Hnmeodjc.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:4068 -
C:\Windows\SysWOW64\Icachjbb.exeC:\Windows\system32\Icachjbb.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:744 -
C:\Windows\SysWOW64\Ibbcfa32.exeC:\Windows\system32\Ibbcfa32.exe36⤵
- Executes dropped EXE
PID:4252 -
C:\Windows\SysWOW64\Ieeimlep.exeC:\Windows\system32\Ieeimlep.exe37⤵
- Executes dropped EXE
PID:4032 -
C:\Windows\SysWOW64\Jjdokb32.exeC:\Windows\system32\Jjdokb32.exe38⤵
- Executes dropped EXE
PID:4488 -
C:\Windows\SysWOW64\Jhhodg32.exeC:\Windows\system32\Jhhodg32.exe39⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Jaqcnl32.exeC:\Windows\system32\Jaqcnl32.exe40⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Kkpnga32.exeC:\Windows\system32\Kkpnga32.exe41⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Kbjbnnfg.exeC:\Windows\system32\Kbjbnnfg.exe42⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Khfkfedn.exeC:\Windows\system32\Khfkfedn.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3528 -
C:\Windows\SysWOW64\Klddlckd.exeC:\Windows\system32\Klddlckd.exe44⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Ldbefe32.exeC:\Windows\system32\Ldbefe32.exe45⤵
- Executes dropped EXE
PID:4720 -
C:\Windows\SysWOW64\Lknjhokg.exeC:\Windows\system32\Lknjhokg.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:3796 -
C:\Windows\SysWOW64\Lhgdmb32.exeC:\Windows\system32\Lhgdmb32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1480 -
C:\Windows\SysWOW64\Mcabej32.exeC:\Windows\system32\Mcabej32.exe48⤵
- Executes dropped EXE
PID:4764 -
C:\Windows\SysWOW64\Nfpghccm.exeC:\Windows\system32\Nfpghccm.exe49⤵
- Executes dropped EXE
PID:3828 -
C:\Windows\SysWOW64\Oohkai32.exeC:\Windows\system32\Oohkai32.exe50⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Ookhfigk.exeC:\Windows\system32\Ookhfigk.exe51⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Pbddobla.exeC:\Windows\system32\Pbddobla.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Pmmeak32.exeC:\Windows\system32\Pmmeak32.exe53⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Pkabbgol.exeC:\Windows\system32\Pkabbgol.exe54⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Qifbll32.exeC:\Windows\system32\Qifbll32.exe55⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Qkfkng32.exeC:\Windows\system32\Qkfkng32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Aijlgkjq.exeC:\Windows\system32\Aijlgkjq.exe57⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Abcppq32.exeC:\Windows\system32\Abcppq32.exe58⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Apgqie32.exeC:\Windows\system32\Apgqie32.exe59⤵
- Executes dropped EXE
PID:4784 -
C:\Windows\SysWOW64\Aioebj32.exeC:\Windows\system32\Aioebj32.exe60⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Abgjkpll.exeC:\Windows\system32\Abgjkpll.exe61⤵
- Executes dropped EXE
PID:820 -
C:\Windows\SysWOW64\Abjfqpji.exeC:\Windows\system32\Abjfqpji.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4104 -
C:\Windows\SysWOW64\Bblcfo32.exeC:\Windows\system32\Bblcfo32.exe63⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Bmagch32.exeC:\Windows\system32\Bmagch32.exe64⤵
- Executes dropped EXE
PID:3948 -
C:\Windows\SysWOW64\Bcpika32.exeC:\Windows\system32\Bcpika32.exe65⤵
- Executes dropped EXE
PID:64 -
C:\Windows\SysWOW64\Cfcoblfb.exeC:\Windows\system32\Cfcoblfb.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1824 -
C:\Windows\SysWOW64\Dpjompqc.exeC:\Windows\system32\Dpjompqc.exe67⤵PID:3584
-
C:\Windows\SysWOW64\Defheg32.exeC:\Windows\system32\Defheg32.exe68⤵PID:5184
-
C:\Windows\SysWOW64\Eepkkefp.exeC:\Windows\system32\Eepkkefp.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5240 -
C:\Windows\SysWOW64\Egdqph32.exeC:\Windows\system32\Egdqph32.exe70⤵PID:5292
-
C:\Windows\SysWOW64\Gloejmld.exeC:\Windows\system32\Gloejmld.exe71⤵PID:5332
-
C:\Windows\SysWOW64\Gfgjbb32.exeC:\Windows\system32\Gfgjbb32.exe72⤵PID:5368
-
C:\Windows\SysWOW64\Glabolja.exeC:\Windows\system32\Glabolja.exe73⤵PID:5412
-
C:\Windows\SysWOW64\Gggfme32.exeC:\Windows\system32\Gggfme32.exe74⤵PID:5448
-
C:\Windows\SysWOW64\Gdkffi32.exeC:\Windows\system32\Gdkffi32.exe75⤵PID:5500
-
C:\Windows\SysWOW64\Gmfkjl32.exeC:\Windows\system32\Gmfkjl32.exe76⤵PID:5544
-
C:\Windows\SysWOW64\Hnhdjn32.exeC:\Windows\system32\Hnhdjn32.exe77⤵PID:5580
-
C:\Windows\SysWOW64\Hdbmfhbi.exeC:\Windows\system32\Hdbmfhbi.exe78⤵
- Modifies registry class
PID:5624 -
C:\Windows\SysWOW64\Hnmnengg.exeC:\Windows\system32\Hnmnengg.exe79⤵PID:5664
-
C:\Windows\SysWOW64\Hdicggla.exeC:\Windows\system32\Hdicggla.exe80⤵PID:5704
-
C:\Windows\SysWOW64\Imdgljil.exeC:\Windows\system32\Imdgljil.exe81⤵
- Modifies registry class
PID:5752 -
C:\Windows\SysWOW64\Ijjekn32.exeC:\Windows\system32\Ijjekn32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5792 -
C:\Windows\SysWOW64\Ifaepolg.exeC:\Windows\system32\Ifaepolg.exe83⤵
- Modifies registry class
PID:5844 -
C:\Windows\SysWOW64\Khonkogj.exeC:\Windows\system32\Khonkogj.exe84⤵
- Modifies registry class
PID:5888 -
C:\Windows\SysWOW64\Knpmhh32.exeC:\Windows\system32\Knpmhh32.exe85⤵PID:5924
-
C:\Windows\SysWOW64\Kjfmminc.exeC:\Windows\system32\Kjfmminc.exe86⤵PID:5980
-
C:\Windows\SysWOW64\Ldfhgn32.exeC:\Windows\system32\Ldfhgn32.exe87⤵PID:6020
-
C:\Windows\SysWOW64\Lokldg32.exeC:\Windows\system32\Lokldg32.exe88⤵PID:6068
-
C:\Windows\SysWOW64\Mmebpbod.exeC:\Windows\system32\Mmebpbod.exe89⤵PID:6108
-
C:\Windows\SysWOW64\Mhkgnkoj.exeC:\Windows\system32\Mhkgnkoj.exe90⤵PID:2404
-
C:\Windows\SysWOW64\Mgpcohcb.exeC:\Windows\system32\Mgpcohcb.exe91⤵PID:5272
-
C:\Windows\SysWOW64\Moiheebb.exeC:\Windows\system32\Moiheebb.exe92⤵
- Drops file in System32 directory
PID:5236 -
C:\Windows\SysWOW64\Oediim32.exeC:\Windows\system32\Oediim32.exe93⤵PID:5420
-
C:\Windows\SysWOW64\Paocim32.exeC:\Windows\system32\Paocim32.exe94⤵PID:5488
-
C:\Windows\SysWOW64\Philfgdh.exeC:\Windows\system32\Philfgdh.exe95⤵
- Drops file in System32 directory
PID:5568 -
C:\Windows\SysWOW64\Pbapom32.exeC:\Windows\system32\Pbapom32.exe96⤵PID:4036
-
C:\Windows\SysWOW64\Qkakhakq.exeC:\Windows\system32\Qkakhakq.exe97⤵PID:5700
-
C:\Windows\SysWOW64\Adqeaf32.exeC:\Windows\system32\Adqeaf32.exe98⤵PID:5764
-
C:\Windows\SysWOW64\Aofjoo32.exeC:\Windows\system32\Aofjoo32.exe99⤵
- Drops file in System32 directory
PID:3844 -
C:\Windows\SysWOW64\Aecbge32.exeC:\Windows\system32\Aecbge32.exe100⤵PID:5812
-
C:\Windows\SysWOW64\Akmjdpac.exeC:\Windows\system32\Akmjdpac.exe101⤵PID:5912
-
C:\Windows\SysWOW64\Abgcqjhp.exeC:\Windows\system32\Abgcqjhp.exe102⤵PID:6004
-
C:\Windows\SysWOW64\Agckiqgg.exeC:\Windows\system32\Agckiqgg.exe103⤵PID:6052
-
C:\Windows\SysWOW64\Anncek32.exeC:\Windows\system32\Anncek32.exe104⤵PID:3452
-
C:\Windows\SysWOW64\Bgfhnpde.exeC:\Windows\system32\Bgfhnpde.exe105⤵PID:5220
-
C:\Windows\SysWOW64\Bbklli32.exeC:\Windows\system32\Bbklli32.exe106⤵PID:3776
-
C:\Windows\SysWOW64\Bghddp32.exeC:\Windows\system32\Bghddp32.exe107⤵PID:5392
-
C:\Windows\SysWOW64\Bfieagka.exeC:\Windows\system32\Bfieagka.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5560 -
C:\Windows\SysWOW64\Blkgen32.exeC:\Windows\system32\Blkgen32.exe109⤵PID:5672
-
C:\Windows\SysWOW64\Clmckmcq.exeC:\Windows\system32\Clmckmcq.exe110⤵PID:5740
-
C:\Windows\SysWOW64\Ceehcc32.exeC:\Windows\system32\Ceehcc32.exe111⤵PID:4048
-
C:\Windows\SysWOW64\Cnpibh32.exeC:\Windows\system32\Cnpibh32.exe112⤵PID:5868
-
C:\Windows\SysWOW64\Cejaobel.exeC:\Windows\system32\Cejaobel.exe113⤵PID:6012
-
C:\Windows\SysWOW64\Cppelkeb.exeC:\Windows\system32\Cppelkeb.exe114⤵PID:6120
-
C:\Windows\SysWOW64\Cfjnhe32.exeC:\Windows\system32\Cfjnhe32.exe115⤵PID:3640
-
C:\Windows\SysWOW64\Diopep32.exeC:\Windows\system32\Diopep32.exe116⤵PID:5484
-
C:\Windows\SysWOW64\Ebcdjc32.exeC:\Windows\system32\Ebcdjc32.exe117⤵
- Drops file in System32 directory
PID:5576 -
C:\Windows\SysWOW64\Eojeodga.exeC:\Windows\system32\Eojeodga.exe118⤵PID:5788
-
C:\Windows\SysWOW64\Eipilmgh.exeC:\Windows\system32\Eipilmgh.exe119⤵PID:5864
-
C:\Windows\SysWOW64\Fhefmjlp.exeC:\Windows\system32\Fhefmjlp.exe120⤵PID:6036
-
C:\Windows\SysWOW64\Gllajf32.exeC:\Windows\system32\Gllajf32.exe121⤵PID:1936
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-