Analysis
max time kernel: 163s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/04/2024, 19:10

Static task: static1 (1 signatures)

Behavioral task: behavioral1
Sample: 1246d37e10384d6e1a38fb101fb9996a.exe
Resource: win7-20240215-en
7 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 1246d37e10384d6e1a38fb101fb9996a.exe
Resource: win10v2004-20240226-en
5 signatures, 150 seconds

General
Target: 1246d37e10384d6e1a38fb101fb9996a.exe
Size: 63KB
MD5: 1246d37e10384d6e1a38fb101fb9996a
SHA1: 574757079f9474a802026ae64458ae54dde9978f
SHA256: 1b3afef768b8c38abe3e4d1b318b588f05351f3cb0828fb81d5e28da4e950b92
SHA512: c9eff16c3e4c9130856595cadd552517671eab3597e951e76815ee97f947e4f9faf5db8e70a0f93a8e1f94ce6c9eeedd15376b3f95174bad94a37c0ddca7ffcc
SSDEEP: 1536:M8XSPS3YKTsmrNL1kGgwmOT+xOH1juIZo:MJS3YKom7kGK3OH1juIZo
Score: 10/10
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lagekp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mcaiif32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gobicbgf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lqmmgb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hiofeigg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mhnaam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jeolmpcb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pmeoja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pnnokn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fcbehbim.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qaalkamf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | 1246d37e10384d6e1a38fb101fb9996a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aaianaoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ccbhhl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eagahnob.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ocamcc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cimckcoe.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nqjbnjfi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ofqnlplf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fifdqhal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Johnkbaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dafpjf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eigohp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nmipnp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ejpnin32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hnagkp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gkianp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lagekp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pcccol32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Obnebp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jfikaqme.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nkhdgfen.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fcbehbim.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fqpomo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hedaoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Agdcja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ejhkdc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gamjea32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Knofif32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdhmjc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhialhjf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ailabddb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Baepjpea.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dpqonl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pafkpfni.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qlkbka32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pbfglg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qocfjlan.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bcfabgel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cofemg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Heochp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qhjegh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mqpcdn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Canocm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iehkpmgl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbocng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aljcip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hlbcgj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpocblpf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ojnfbnbl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Galfhpmf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mndcnafd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gicndaep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lljked32.exe
Executes dropped EXE (64 IoCs)

pid | Process
3572 | Ailabddb.exe
1496 | Bnbmqjjo.exe
4284 | Bkhjpn32.exe
2956 | Cgagjo32.exe
5028 | Deagoa32.exe
3796 | Donecfao.exe
4292 | Eifffoob.exe
1368 | Fhefmjlp.exe
3768 | Fpnkdfko.exe
3972 | Fpcdof32.exe
4600 | Gchflq32.exe
5048 | Cnhlgc32.exe
3584 | Cgaqphgl.exe
4068 | Canocm32.exe
1824 | Cgjcfgoa.exe
652 | Diafqi32.exe
4336 | Ehhpge32.exe
2244 | Elfhmc32.exe
3372 | Fbggkl32.exe
4092 | Fhiinbdo.exe
4048 | Gehice32.exe
2576 | Hhbdko32.exe
1668 | Ilgcblnp.exe
3828 | Ihndgmdd.exe
4976 | Jfikaqme.exe
4412 | Kfejmobh.exe
1776 | Lijlii32.exe
5084 | Lcbmlbig.exe
396 | Mjcljk32.exe
820 | Mlgegcng.exe
3920 | Mimbfg32.exe
3880 | Nbmmoklg.exe
3804 | Omigmc32.exe
4036 | Offeahhp.exe
4716 | Pdalkk32.exe
1856 | Qkmqne32.exe
4020 | Anqfepaj.exe
4080 | Acbhhf32.exe
4636 | Bknidbhi.exe
1392 | Bkbcpb32.exe
4988 | Cnjbbl32.exe
4448 | Fejegaao.exe
3304 | Galfhpmf.exe
4176 | Hmcfma32.exe
2204 | Hmlicp32.exe
2932 | Iehkpmgl.exe
3336 | Ilbclg32.exe
3924 | Ilglgfjd.exe
3104 | Jkqccbkf.exe
5032 | Jakkplbc.exe
2880 | Kleiid32.exe
988 | Knhbflbp.exe
2716 | Knkokl32.exe
4196 | Kdipce32.exe
3524 | Ldlmieaa.exe
2976 | Loaafnah.exe
624 | Ldqfddml.exe
4564 | Lofjam32.exe
4272 | Meepoc32.exe
5064 | Mfdlif32.exe
1968 | Mbkmngfn.exe
1780 | Mijofaje.exe
4592 | Npfchkop.exe
4044 | Oimdbnip.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\Nhfjgq32.dll | Lijlii32.exe
File opened for modification | C:\Windows\SysWOW64\Nieggill.exe | Nombnc32.exe
File created | C:\Windows\SysWOW64\Mkfela32.dll | Cahffmel.exe
File created | C:\Windows\SysWOW64\Pknhff32.dll | Hfiffd32.exe
File created | C:\Windows\SysWOW64\Iqhfgqob.dll | Dmpmfg32.exe
File created | C:\Windows\SysWOW64\Ledeicdf.exe | Lojmmi32.exe
File created | C:\Windows\SysWOW64\Kajkamff.dll | Khoeok32.exe
File created | C:\Windows\SysWOW64\Offeahhp.exe | Omigmc32.exe
File created | C:\Windows\SysWOW64\Hbknqeha.exe | Gbgdef32.exe
File created | C:\Windows\SysWOW64\Hcgmmogb.dll | Ecipeb32.exe
File created | C:\Windows\SysWOW64\Jieoac32.dll | Nhmopp32.exe
File created | C:\Windows\SysWOW64\Edgfcd32.dll | Ccmcaicm.exe
File created | C:\Windows\SysWOW64\Dinanb32.exe | Ddaifk32.exe
File created | C:\Windows\SysWOW64\Nceonmdp.dll | Kcdmifip.exe
File created | C:\Windows\SysWOW64\Lepnli32.exe | Leihlj32.exe
File created | C:\Windows\SysWOW64\Lobogqeq.dll | Jklpakam.exe
File opened for modification | C:\Windows\SysWOW64\Djhifnho.exe | Dcnqid32.exe
File opened for modification | C:\Windows\SysWOW64\Lbnlbc32.exe | Khoeok32.exe
File created | C:\Windows\SysWOW64\Iehkpmgl.exe | Hmlicp32.exe
File created | C:\Windows\SysWOW64\Ejhkdc32.exe | Bplhhc32.exe
File created | C:\Windows\SysWOW64\Ampkil32.exe | Qjmeaafi.exe
File created | C:\Windows\SysWOW64\Inombh32.exe | Hhiacb32.exe
File created | C:\Windows\SysWOW64\Mojffn32.dll | Bhfmic32.exe
File created | C:\Windows\SysWOW64\Gebanm32.exe | Fniiabfd.exe
File created | C:\Windows\SysWOW64\Bicjjncd.exe | Bcfabgel.exe
File created | C:\Windows\SysWOW64\Mahheodp.dll | Lebiddfi.exe
File created | C:\Windows\SysWOW64\Dphikllo.exe | Dinanb32.exe
File created | C:\Windows\SysWOW64\Jnkajg32.exe | Hgocapmi.exe
File opened for modification | C:\Windows\SysWOW64\Gbjhelnp.exe | Gmfilfep.exe
File created | C:\Windows\SysWOW64\Llofnh32.exe | Lagekp32.exe
File created | C:\Windows\SysWOW64\Apocll32.dll | Lofklp32.exe
File opened for modification | C:\Windows\SysWOW64\Lqmmgb32.exe | Lljked32.exe
File created | C:\Windows\SysWOW64\Ncgiolkk.exe | Mjodff32.exe
File created | C:\Windows\SysWOW64\Nojbielj.dll | Iijfagmj.exe
File created | C:\Windows\SysWOW64\Ggcceagf.exe | Fcikcekm.exe
File opened for modification | C:\Windows\SysWOW64\Mjcljk32.exe | Lcbmlbig.exe
File created | C:\Windows\SysWOW64\Oildaf32.dll | Oimdbnip.exe
File created | C:\Windows\SysWOW64\Bqafpc32.exe | Qhjegh32.exe
File created | C:\Windows\SysWOW64\Dafpjf32.exe | Cglbanmo.exe
File opened for modification | C:\Windows\SysWOW64\Mlqjlmjp.exe | Ledeicdf.exe
File created | C:\Windows\SysWOW64\Pigfdcoc.exe | Okolppdo.exe
File created | C:\Windows\SysWOW64\Nekinfin.dll | Abngngjd.exe
File created | C:\Windows\SysWOW64\Cbdebpif.dll | Qlkbka32.exe
File created | C:\Windows\SysWOW64\Fcbehbim.exe | Ejegdngb.exe
File created | C:\Windows\SysWOW64\Fjlmdmqj.exe | Fcbehbim.exe
File created | C:\Windows\SysWOW64\Immaimnj.exe | Heochp32.exe
File opened for modification | C:\Windows\SysWOW64\Cofemg32.exe | Bicjjncd.exe
File opened for modification | C:\Windows\SysWOW64\Qaalkamf.exe | Odhipp32.exe
File opened for modification | C:\Windows\SysWOW64\Ljibdifc.exe | Kgacaopj.exe
File created | C:\Windows\SysWOW64\Oahkdqbd.dll | Mgbnfb32.exe
File opened for modification | C:\Windows\SysWOW64\Niifnf32.exe | Mgfqgkib.exe
File opened for modification | C:\Windows\SysWOW64\Opjnai32.exe | Nllekk32.exe
File created | C:\Windows\SysWOW64\Hhiacb32.exe | Hdkimdnk.exe
File created | C:\Windows\SysWOW64\Cjcdbb32.dll | Bcfabgel.exe
File created | C:\Windows\SysWOW64\Hpafpn32.dll | Mpocblpf.exe
File opened for modification | C:\Windows\SysWOW64\Dpmcfk32.exe | Dknnhekd.exe
File opened for modification | C:\Windows\SysWOW64\Ofgdmo32.exe | Oqkkdh32.exe
File created | C:\Windows\SysWOW64\Iqbjnc32.dll | Kfejmobh.exe
File created | C:\Windows\SysWOW64\Nkcjajig.dll | Pdalkk32.exe
File created | C:\Windows\SysWOW64\Eddodfhp.exe | Dacebkko.exe
File created | C:\Windows\SysWOW64\Hldnegjg.dll | Mpnnek32.exe
File created | C:\Windows\SysWOW64\Bcokah32.exe | Akffjkme.exe
File created | C:\Windows\SysWOW64\Cinghhip.dll | Jocepc32.exe
File opened for modification | C:\Windows\SysWOW64\Lhpepoel.exe | Lebiddfi.exe
Modifies registry class (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aegphhqg.dll" | Jpcajflb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mojffn32.dll" | Bhfmic32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pafkpfni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pigfdcoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjhifg32.dll" | Fbggkl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gmkibl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bjnece32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olhgka32.dll" | Pedlpgqe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnendjam.dll" | Hkdbik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pbbgbi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mocihb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pbpjmi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eggkfmfh.dll" | Cgjcfgoa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eogfcc32.dll" | Bpggbm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nqolii32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmmhfaab.dll" | Ooibee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Amfokf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ailabddb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Baepjpea.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lojmmi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjnlfk32.dll" | Nbkoeb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcgone32.dll" | Gmdcpoid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqhioabk.dll" | Hefneq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcfqfpd.dll" | Babccb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flbfhigk.dll" | Cofemg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mpocblpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ofeggo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diaacn32.dll" | Dpcppm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fbggkl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bkbcpb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcgjjgkh.dll" | Hmcfma32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pidjcm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jpbjophf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mhnaam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pmdioh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Akdoam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ndmepe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Doqpkq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Efhcld32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agebpojb.dll" | Fpbfem32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mlkldmjf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bgnkamef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkpbaojc.dll" | Jhlgpp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ecipeb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fpnkdfko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Knkokl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qlmopqdc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndkgp32.dll" | Dcopke32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Chlffghn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicfhp32.dll" | Bqafpc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aljcip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ecpmod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mcpcnm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fpcdof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Calcbp32.dll" | Pqknbmhc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nccqbeec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edflfp32.dll" | Nccqbeec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ahjmne32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqhdoh32.dll" | Pmdioh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecnednbm.dll" | Pbbgbi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oeqagi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jeqbjgoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keeiahmm.dll" | Padeem32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Leabincm.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 4452 wrote to memory of 3572 | 4452 | 1246d37e10384d6e1a38fb101fb9996a.exe | 97
PID 4452 wrote to memory of 3572 | 4452 | 1246d37e10384d6e1a38fb101fb9996a.exe | 97
PID 4452 wrote to memory of 3572 | 4452 | 1246d37e10384d6e1a38fb101fb9996a.exe | 97
PID 3572 wrote to memory of 1496 | 3572 | Ailabddb.exe | 98
PID 3572 wrote to memory of 1496 | 3572 | Ailabddb.exe | 98
PID 3572 wrote to memory of 1496 | 3572 | Ailabddb.exe | 98
PID 1496 wrote to memory of 4284 | 1496 | Bnbmqjjo.exe | 99
PID 1496 wrote to memory of 4284 | 1496 | Bnbmqjjo.exe | 99
PID 1496 wrote to memory of 4284 | 1496 | Bnbmqjjo.exe | 99
PID 4284 wrote to memory of 2956 | 4284 | Bkhjpn32.exe | 100
PID 4284 wrote to memory of 2956 | 4284 | Bkhjpn32.exe | 100
PID 4284 wrote to memory of 2956 | 4284 | Bkhjpn32.exe | 100
PID 2956 wrote to memory of 5028 | 2956 | Cgagjo32.exe | 101
PID 2956 wrote to memory of 5028 | 2956 | Cgagjo32.exe | 101
PID 2956 wrote to memory of 5028 | 2956 | Cgagjo32.exe | 101
PID 5028 wrote to memory of 3796 | 5028 | Deagoa32.exe | 102
PID 5028 wrote to memory of 3796 | 5028 | Deagoa32.exe | 102
PID 5028 wrote to memory of 3796 | 5028 | Deagoa32.exe | 102
PID 3796 wrote to memory of 4292 | 3796 | Donecfao.exe | 103
PID 3796 wrote to memory of 4292 | 3796 | Donecfao.exe | 103
PID 3796 wrote to memory of 4292 | 3796 | Donecfao.exe | 103
PID 4292 wrote to memory of 1368 | 4292 | Eifffoob.exe | 104
PID 4292 wrote to memory of 1368 | 4292 | Eifffoob.exe | 104
PID 4292 wrote to memory of 1368 | 4292 | Eifffoob.exe | 104
PID 1368 wrote to memory of 3768 | 1368 | Fhefmjlp.exe | 105
PID 1368 wrote to memory of 3768 | 1368 | Fhefmjlp.exe | 105
PID 1368 wrote to memory of 3768 | 1368 | Fhefmjlp.exe | 105
PID 3768 wrote to memory of 3972 | 3768 | Fpnkdfko.exe | 107
PID 3768 wrote to memory of 3972 | 3768 | Fpnkdfko.exe | 107
PID 3768 wrote to memory of 3972 | 3768 | Fpnkdfko.exe | 107
PID 3972 wrote to memory of 4600 | 3972 | Fpcdof32.exe | 108
PID 3972 wrote to memory of 4600 | 3972 | Fpcdof32.exe | 108
PID 3972 wrote to memory of 4600 | 3972 | Fpcdof32.exe | 108
PID 4600 wrote to memory of 5048 | 4600 | Gchflq32.exe | 109
PID 4600 wrote to memory of 5048 | 4600 | Gchflq32.exe | 109
PID 4600 wrote to memory of 5048 | 4600 | Gchflq32.exe | 109
PID 5048 wrote to memory of 3584 | 5048 | Cnhlgc32.exe | 110
PID 5048 wrote to memory of 3584 | 5048 | Cnhlgc32.exe | 110
PID 5048 wrote to memory of 3584 | 5048 | Cnhlgc32.exe | 110
PID 3584 wrote to memory of 4068 | 3584 | Cgaqphgl.exe | 111
PID 3584 wrote to memory of 4068 | 3584 | Cgaqphgl.exe | 111
PID 3584 wrote to memory of 4068 | 3584 | Cgaqphgl.exe | 111
PID 4068 wrote to memory of 1824 | 4068 | Canocm32.exe | 112
PID 4068 wrote to memory of 1824 | 4068 | Canocm32.exe | 112
PID 4068 wrote to memory of 1824 | 4068 | Canocm32.exe | 112
PID 1824 wrote to memory of 652 | 1824 | Cgjcfgoa.exe | 113
PID 1824 wrote to memory of 652 | 1824 | Cgjcfgoa.exe | 113
PID 1824 wrote to memory of 652 | 1824 | Cgjcfgoa.exe | 113
PID 652 wrote to memory of 4336 | 652 | Diafqi32.exe | 114
PID 652 wrote to memory of 4336 | 652 | Diafqi32.exe | 114
PID 652 wrote to memory of 4336 | 652 | Diafqi32.exe | 114
PID 4336 wrote to memory of 2244 | 4336 | Ehhpge32.exe | 115
PID 4336 wrote to memory of 2244 | 4336 | Ehhpge32.exe | 115
PID 4336 wrote to memory of 2244 | 4336 | Ehhpge32.exe | 115
PID 2244 wrote to memory of 3372 | 2244 | Elfhmc32.exe | 116
PID 2244 wrote to memory of 3372 | 2244 | Elfhmc32.exe | 116
PID 2244 wrote to memory of 3372 | 2244 | Elfhmc32.exe | 116
PID 3372 wrote to memory of 4092 | 3372 | Fbggkl32.exe | 117
PID 3372 wrote to memory of 4092 | 3372 | Fbggkl32.exe | 117
PID 3372 wrote to memory of 4092 | 3372 | Fbggkl32.exe | 117
PID 4092 wrote to memory of 4048 | 4092 | Fhiinbdo.exe | 118
PID 4092 wrote to memory of 4048 | 4092 | Fhiinbdo.exe | 118
PID 4092 wrote to memory of 4048 | 4092 | Fhiinbdo.exe | 118
PID 4048 wrote to memory of 2576 | 4048 | Gehice32.exe | 119
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\1246d37e10384d6e1a38fb101fb9996a.exe (command line: "C:\Users\Admin\AppData\Local\Temp\1246d37e10384d6e1a38fb101fb9996a.exe", PID:4452)
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory

Level 2: C:\Windows\SysWOW64\Ailabddb.exe (command line: C:\Windows\system32\Ailabddb.exe, PID:3572)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory

Level 3: C:\Windows\SysWOW64\Bnbmqjjo.exe (command line: C:\Windows\system32\Bnbmqjjo.exe, PID:1496)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

Level 4: C:\Windows\SysWOW64\Bkhjpn32.exe (command line: C:\Windows\system32\Bkhjpn32.exe, PID:4284)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

Level 5: C:\Windows\SysWOW64\Cgagjo32.exe (command line: C:\Windows\system32\Cgagjo32.exe, PID:2956)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

Level 6: C:\Windows\SysWOW64\Deagoa32.exe (command line: C:\Windows\system32\Deagoa32.exe, PID:5028)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

Level 7: C:\Windows\SysWOW64\Donecfao.exe (command line: C:\Windows\system32\Donecfao.exe, PID:3796)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

Level 8: C:\Windows\SysWOW64\Eifffoob.exe (command line: C:\Windows\system32\Eifffoob.exe, PID:4292)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

Level 9: C:\Windows\SysWOW64\Fhefmjlp.exe (command line: C:\Windows\system32\Fhefmjlp.exe, PID:1368)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

Level 10: C:\Windows\SysWOW64\Fpnkdfko.exe (command line: C:\Windows\system32\Fpnkdfko.exe, PID:3768)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory

Level 11: C:\Windows\SysWOW64\Fpcdof32.exe (command line: C:\Windows\system32\Fpcdof32.exe, PID:3972)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory

Level 12: C:\Windows\SysWOW64\Gchflq32.exe (command line: C:\Windows\system32\Gchflq32.exe, PID:4600)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

Level 13: C:\Windows\SysWOW64\Cnhlgc32.exe (command line: C:\Windows\system32\Cnhlgc32.exe, PID:5048)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

Level 14: C:\Windows\SysWOW64\Cgaqphgl.exe (command line: C:\Windows\system32\Cgaqphgl.exe, PID:3584)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

Level 15: C:\Windows\SysWOW64\Canocm32.exe (command line: C:\Windows\system32\Canocm32.exe, PID:4068)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

Level 16: C:\Windows\SysWOW64\Cgjcfgoa.exe (command line: C:\Windows\system32\Cgjcfgoa.exe, PID:1824)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory

Level 17: C:\Windows\SysWOW64\Diafqi32.exe (command line: C:\Windows\system32\Diafqi32.exe, PID:652)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

Level 18: C:\Windows\SysWOW64\Ehhpge32.exe (command line: C:\Windows\system32\Ehhpge32.exe, PID:4336)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

Level 19: C:\Windows\SysWOW64\Elfhmc32.exe (command line: C:\Windows\system32\Elfhmc32.exe, PID:2244)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

Level 20: C:\Windows\SysWOW64\Fbggkl32.exe (command line: C:\Windows\system32\Fbggkl32.exe, PID:3372)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory

Level 21: C:\Windows\SysWOW64\Fhiinbdo.exe (command line: C:\Windows\system32\Fhiinbdo.exe, PID:4092)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

Level 22: C:\Windows\SysWOW64\Gehice32.exe (command line: C:\Windows\system32\Gehice32.exe, PID:4048)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

Level 23: C:\Windows\SysWOW64\Hhbdko32.exe (command line: C:\Windows\system32\Hhbdko32.exe, PID:2576)
- Executes dropped EXE

Level 24: C:\Windows\SysWOW64\Ilgcblnp.exe (command line: C:\Windows\system32\Ilgcblnp.exe, PID:1668)
- Executes dropped EXE

Level 25: C:\Windows\SysWOW64\Ihndgmdd.exe (command line: C:\Windows\system32\Ihndgmdd.exe, PID:3828)
- Executes dropped EXE

Level 26: C:\Windows\SysWOW64\Jfikaqme.exe (command line: C:\Windows\system32\Jfikaqme.exe, PID:4976)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

Level 27: C:\Windows\SysWOW64\Kfejmobh.exe (command line: C:\Windows\system32\Kfejmobh.exe, PID:4412)
- Executes dropped EXE
- Drops file in System32 directory

Level 28: C:\Windows\SysWOW64\Lijlii32.exe (command line: C:\Windows\system32\Lijlii32.exe, PID:1776)
- Executes dropped EXE
- Drops file in System32 directory

Level 29: C:\Windows\SysWOW64\Lcbmlbig.exe (command line: C:\Windows\system32\Lcbmlbig.exe, PID:5084)
- Executes dropped EXE
- Drops file in System32 directory

Level 30: C:\Windows\SysWOW64\Mjcljk32.exe (command line: C:\Windows\system32\Mjcljk32.exe, PID:396)
- Executes dropped EXE

Level 31: C:\Windows\SysWOW64\Mlgegcng.exe (command line: C:\Windows\system32\Mlgegcng.exe, PID:820)
- Executes dropped EXE

Level 32: C:\Windows\SysWOW64\Mimbfg32.exe (command line: C:\Windows\system32\Mimbfg32.exe, PID:3920)
- Executes dropped EXE

Level 33: C:\Windows\SysWOW64\Nbmmoklg.exe (command line: C:\Windows\system32\Nbmmoklg.exe, PID:3880)
- Executes dropped EXE

Level 34: C:\Windows\SysWOW64\Omigmc32.exe (command line: C:\Windows\system32\Omigmc32.exe, PID:3804)
- Executes dropped EXE
- Drops file in System32 directory

Level 35: C:\Windows\SysWOW64\Offeahhp.exe (command line: C:\Windows\system32\Offeahhp.exe, PID:4036)
- Executes dropped EXE

Level 36: C:\Windows\SysWOW64\Pdalkk32.exe (command line: C:\Windows\system32\Pdalkk32.exe, PID:4716)
- Executes dropped EXE
- Drops file in System32 directory

Level 37: C:\Windows\SysWOW64\Qkmqne32.exe (command line: C:\Windows\system32\Qkmqne32.exe, PID:1856)
- Executes dropped EXE

Level 38: C:\Windows\SysWOW64\Anqfepaj.exe (command line: C:\Windows\system32\Anqfepaj.exe, PID:4020)
- Executes dropped EXE

Level 39: C:\Windows\SysWOW64\Acbhhf32.exe (command line: C:\Windows\system32\Acbhhf32.exe, PID:4080)
- Executes dropped EXE

Level 40: C:\Windows\SysWOW64\Bknidbhi.exe (command line: C:\Windows\system32\Bknidbhi.exe, PID:4636)
- Executes dropped EXE

Level 41: C:\Windows\SysWOW64\Bkbcpb32.exe (command line: C:\Windows\system32\Bkbcpb32.exe, PID:1392)
- Executes dropped EXE
- Modifies registry class

Level 42: C:\Windows\SysWOW64\Cnjbbl32.exe (command line: C:\Windows\system32\Cnjbbl32.exe, PID:4988)
- Executes dropped EXE

Level 43: C:\Windows\SysWOW64\Fejegaao.exe (command line: C:\Windows\system32\Fejegaao.exe, PID:4448)
- Executes dropped EXE

Level 44: C:\Windows\SysWOW64\Galfhpmf.exe (command line: C:\Windows\system32\Galfhpmf.exe, PID:3304)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

Level 45: C:\Windows\SysWOW64\Hmcfma32.exe (command line: C:\Windows\system32\Hmcfma32.exe, PID:4176)
- Executes dropped EXE
- Modifies registry class

Level 46: C:\Windows\SysWOW64\Hmlicp32.exe (command line: C:\Windows\system32\Hmlicp32.exe, PID:2204)
- Executes dropped EXE
- Drops file in System32 directory

Level 47: C:\Windows\SysWOW64\Iehkpmgl.exe (command line: C:\Windows\system32\Iehkpmgl.exe, PID:2932)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

Level 48: C:\Windows\SysWOW64\Ilbclg32.exe (command line: C:\Windows\system32\Ilbclg32.exe, PID:3336)
- Executes dropped EXE

Level 49: C:\Windows\SysWOW64\Ilglgfjd.exe (command line: C:\Windows\system32\Ilglgfjd.exe, PID:3924)
- Executes dropped EXE

Level 50: C:\Windows\SysWOW64\Jkqccbkf.exe (command line: C:\Windows\system32\Jkqccbkf.exe, PID:3104)
- Executes dropped EXE

Level 51: C:\Windows\SysWOW64\Jakkplbc.exe (command line: C:\Windows\system32\Jakkplbc.exe, PID:5032)
- Executes dropped EXE

Level 52: C:\Windows\SysWOW64\Kleiid32.exe (command line: C:\Windows\system32\Kleiid32.exe, PID:2880)
- Executes dropped EXE

Level 53: C:\Windows\SysWOW64\Knhbflbp.exe (command line: C:\Windows\system32\Knhbflbp.exe, PID:988)
- Executes dropped EXE

Level 54: C:\Windows\SysWOW64\Knkokl32.exe (command line: C:\Windows\system32\Knkokl32.exe, PID:2716)
- Executes dropped EXE
- Modifies registry class

Level 55: C:\Windows\SysWOW64\Kdipce32.exe (command line: C:\Windows\system32\Kdipce32.exe, PID:4196)
- Executes dropped EXE

Level 56: C:\Windows\SysWOW64\Ldlmieaa.exe (command line: C:\Windows\system32\Ldlmieaa.exe, PID:3524)
- Executes dropped EXE

Level 57: C:\Windows\SysWOW64\Loaafnah.exe (command line: C:\Windows\system32\Loaafnah.exe, PID:2976)
- Executes dropped EXE

Level 58: C:\Windows\SysWOW64\Ldqfddml.exe (command line: C:\Windows\system32\Ldqfddml.exe, PID:624)
- Executes dropped EXE

Level 59: C:\Windows\SysWOW64\Lofjam32.exe (command line: C:\Windows\system32\Lofjam32.exe, PID:4564)
- Executes dropped EXE

Level 60: C:\Windows\SysWOW64\Meepoc32.exe (command line: C:\Windows\system32\Meepoc32.exe, PID:4272)
- Executes dropped EXE

Level 61: C:\Windows\SysWOW64\Mfdlif32.exe (command line: C:\Windows\system32\Mfdlif32.exe, PID:5064)
- Executes dropped EXE

Level 62: C:\Windows\SysWOW64\Mbkmngfn.exe (command line: C:\Windows\system32\Mbkmngfn.exe, PID:1968)
- Executes dropped EXE

Level 63: C:\Windows\SysWOW64\Mijofaje.exe (command line: C:\Windows\system32\Mijofaje.exe, PID:1780)
- Executes dropped EXE

Level 64: C:\Windows\SysWOW64\Npfchkop.exe (command line: C:\Windows\system32\Npfchkop.exe, PID:4592)
- Executes dropped EXE

Level 65: C:\Windows\SysWOW64\Oimdbnip.exe (command line: C:\Windows\system32\Oimdbnip.exe, PID:4044)
- Executes dropped EXE
- Drops file in System32 directory

Level 66: C:\Windows\SysWOW64\Pidjcm32.exe (command line: C:\Windows\system32\Pidjcm32.exe, PID:3452)
- Modifies registry class

Level 67: C:\Windows\SysWOW64\Pfhklabb.exe (command line: C:\Windows\system32\Pfhklabb.exe, PID:2344)

Level 68: C:\Windows\SysWOW64\Peodcmeg.exe (command line: C:\Windows\system32\Peodcmeg.exe, PID:3428)

Level 69: C:\Windows\SysWOW64\Aidcjk32.exe (command line: C:\Windows\system32\Aidcjk32.exe, PID:764)

Level 70: C:\Windows\SysWOW64\Agojdnng.exe (command line: C:\Windows\system32\Agojdnng.exe, PID:2900)

Level 71: C:\Windows\SysWOW64\Bplhhc32.exe (command line: C:\Windows\system32\Bplhhc32.exe, PID:2028)
- Drops file in System32 directory

Level 72: C:\Windows\SysWOW64\Ejhkdc32.exe (command line: C:\Windows\system32\Ejhkdc32.exe, PID:5040)
- Adds autorun key to be loaded by Explorer.exe on startup

Level 73: C:\Windows\SysWOW64\Gmkibl32.exe (command line: C:\Windows\system32\Gmkibl32.exe, PID:1224)
- Modifies registry class

Level 74: C:\Windows\SysWOW64\Lgibjj32.exe (command line: C:\Windows\system32\Lgibjj32.exe, PID:1600)

Level 75: C:\Windows\SysWOW64\Mqpcdn32.exe (command line: C:\Windows\system32\Mqpcdn32.exe, PID:2956)
- Adds autorun key to be loaded by Explorer.exe on startup

Level 76: C:\Windows\SysWOW64\Mndcnafd.exe (command line: C:\Windows\system32\Mndcnafd.exe, PID:228)
- Adds autorun key to be loaded by Explorer.exe on startup

Level 77: C:\Windows\SysWOW64\Nkhdgfen.exe (command line: C:\Windows\system32\Nkhdgfen.exe, PID:3768)
- Adds autorun key to be loaded by Explorer.exe on startup

Level 78: C:\Windows\SysWOW64\Nombnc32.exe (command line: C:\Windows\system32\Nombnc32.exe, PID:1836)
- Drops file in System32 directory

Level 79: C:\Windows\SysWOW64\Nieggill.exe (command line: C:\Windows\system32\Nieggill.exe, PID:3188)

Level 80: C:\Windows\SysWOW64\Oeqagi32.exe (command line: C:\Windows\system32\Oeqagi32.exe, PID:4584)
- Modifies registry class

Level 81: C:\Windows\SysWOW64\Pnnokn32.exe (command line: C:\Windows\system32\Pnnokn32.exe, PID:1368)
- Adds autorun key to be loaded by Explorer.exe on startup

Level 82: C:\Windows\SysWOW64\Qlkbka32.exe (command line: C:\Windows\system32\Qlkbka32.exe, PID:4452)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory

Level 83: C:\Windows\SysWOW64\Qahkch32.exe (command line: C:\Windows\system32\Qahkch32.exe, PID:5004)

Level 84: C:\Windows\SysWOW64\Qlmopqdc.exe (command line: C:\Windows\system32\Qlmopqdc.exe, PID:5036)
- Modifies registry class

Level 85: C:\Windows\SysWOW64\Aaoadg32.exe (command line: C:\Windows\system32\Aaoadg32.exe, PID:3632)

Level 86: C:\Windows\SysWOW64\Bpggbm32.exe (command line: C:\Windows\system32\Bpggbm32.exe, PID:1116)
- Modifies registry class

Level 87: C:\Windows\SysWOW64\Blpemn32.exe (command line: C:\Windows\system32\Blpemn32.exe, PID:4852)

Level 88: C:\Windows\SysWOW64\Bifblbad.exe (command line: C:\Windows\system32\Bifblbad.exe, PID:940)

Level 89: C:\Windows\SysWOW64\Chphhn32.exe (command line: C:\Windows\system32\Chphhn32.exe, PID:1864)

Level 90: C:\Windows\SysWOW64\Dcopke32.exe (command line: C:\Windows\system32\Dcopke32.exe, PID:4956)
- Modifies registry class

Level 91: C:\Windows\SysWOW64\Ejpnin32.exe (command line: C:\Windows\system32\Ejpnin32.exe, PID:868)
- Adds autorun key to be loaded by Explorer.exe on startup

Level 92: C:\Windows\SysWOW64\Ejegdngb.exe (command line: C:\Windows\system32\Ejegdngb.exe, PID:4164)
- Drops file in System32 directory

Level 93: C:\Windows\SysWOW64\Fcbehbim.exe (command line: C:\Windows\system32\Fcbehbim.exe, PID:2248)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory

Level 94: C:\Windows\SysWOW64\Fjlmdmqj.exe (command line: C:\Windows\system32\Fjlmdmqj.exe, PID:760)

Level 95: C:\Windows\SysWOW64\Foifmcoa.exe (command line: C:\Windows\system32\Foifmcoa.exe, PID:2088)

Level 96: C:\Windows\SysWOW64\Ffbnin32.exe (command line: C:\Windows\system32\Ffbnin32.exe, PID:1384)

Level 97: C:\Windows\SysWOW64\Fifdqhal.exe (command line: C:\Windows\system32\Fifdqhal.exe, PID:3048)
- Adds autorun key to be loaded by Explorer.exe on startup

Level 98: C:\Windows\SysWOW64\Gobicbgf.exe (command line: C:\Windows\system32\Gobicbgf.exe, PID:1564)
- Adds autorun key to be loaded by Explorer.exe on startup

Level 99: C:\Windows\SysWOW64\Gmfilfep.exe (command line: C:\Windows\system32\Gmfilfep.exe, PID:3972)
- Drops file in System32 directory

Level 100: C:\Windows\SysWOW64\Gbjhelnp.exe (command line: C:\Windows\system32\Gbjhelnp.exe, PID:3948)

Level 101: C:\Windows\SysWOW64\Habndbpf.exe (command line: C:\Windows\system32\Habndbpf.exe, PID:3276)

Level 102: C:\Windows\SysWOW64\Kbocng32.exe (command line: C:\Windows\system32\Kbocng32.exe, PID:3752)
- Adds autorun key to be loaded by Explorer.exe on startup

Level 103: C:\Windows\SysWOW64\Kcdmifip.exe (command line: C:\Windows\system32\Kcdmifip.exe, PID:1232)
- Drops file in System32 directory

Level 104: C:\Windows\SysWOW64\Ldjodh32.exe (command line: C:\Windows\system32\Ldjodh32.exe, PID:2576)

Level 105: C:\Windows\SysWOW64\Mgbnfb32.exe (command line: C:\Windows\system32\Mgbnfb32.exe, PID:4976)
- Drops file in System32 directory

Level 106: C:\Windows\SysWOW64\Mdkhkflh.exe (command line: C:\Windows\system32\Mdkhkflh.exe, PID:4604)

Level 107: C:\Windows\SysWOW64\Ndmepe32.exe (command line: C:\Windows\system32\Ndmepe32.exe, PID:4340)
- Modifies registry class

Level 108: C:\Windows\SysWOW64\Ncgkma32.exe (command line: C:\Windows\system32\Ncgkma32.exe, PID:4056)

Level 109: C:\Windows\SysWOW64\Ocnampdp.exe (command line: C:\Windows\system32\Ocnampdp.exe, PID:3640)

Level 110: C:\Windows\SysWOW64\Onceji32.exe (command line: C:\Windows\system32\Onceji32.exe, PID:4388)

Level 111: C:\Windows\SysWOW64\Ocqncp32.exe (command line: C:\Windows\system32\Ocqncp32.exe, PID:1776)

Level 112: C:\Windows\SysWOW64\Pbfglg32.exe (command line: C:\Windows\system32\Pbfglg32.exe, PID:4248)
- Adds autorun key to be loaded by Explorer.exe on startup

Level 113: C:\Windows\SysWOW64\Pcojdnfm.exe (command line: C:\Windows\system32\Pcojdnfm.exe, PID:1680)

Level 114: C:\Windows\SysWOW64\Aaianaoo.exe (command line: C:\Windows\system32\Aaianaoo.exe, PID:4596)
- Adds autorun key to be loaded by Explorer.exe on startup

Level 115: C:\Windows\SysWOW64\Alfkli32.exe (command line: C:\Windows\system32\Alfkli32.exe, PID:1952)

Level 116: C:\Windows\SysWOW64\Aenpeoom.exe (command line: C:\Windows\system32\Aenpeoom.exe, PID:3880)

Level 117: C:\Windows\SysWOW64\Blhhaigj.exe (command line: C:\Windows\system32\Blhhaigj.exe, PID:4036)

Level 118: C:\Windows\SysWOW64\Baepjpea.exe (command line: C:\Windows\system32\Baepjpea.exe, PID:536)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

Level 119: C:\Windows\SysWOW64\Bjnece32.exe (command line: C:\Windows\system32\Bjnece32.exe, PID:5148)
- Modifies registry class

Level 120: C:\Windows\SysWOW64\Balfko32.exe (command line: C:\Windows\system32\Balfko32.exe, PID:5276)

Level 121: C:\Windows\SysWOW64\Cddemi32.exe (command line: C:\Windows\system32\Cddemi32.exe, PID:5312)

Level 122: C:\Windows\SysWOW64\Coijja32.exe (command line: C:\Windows\system32\Coijja32.exe, PID:5364)