Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
09-04-2024 21:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
107a3bf0e5a0a1cd04de670a8ca45ecb.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
107a3bf0e5a0a1cd04de670a8ca45ecb.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
107a3bf0e5a0a1cd04de670a8ca45ecb.exe
-
Size
148KB
-
MD5
107a3bf0e5a0a1cd04de670a8ca45ecb
-
SHA1
544b794055c7f8973dfac0a90c04a11a906318be
-
SHA256
4a43564fe40c28126b56a510d952de67f63b6b18ad78100665a05ec9c4ada1f1
-
SHA512
62ce7910647d531577d4a86b2ddb525a2e2f2923aaf26be6c5d8603feb5a76503ced81b0a6837f75bdb1ce30dc6e1f2f7c0b08f8f3f9ba49a9218097e5427e58
-
SSDEEP
3072:UBVSWwlmoEhY5OdzOdjKtlDoNQQ9wlHOdj+UCRQKOdj+U:U3fwfEhKOdzOdkOdezOd
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onfbfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmdqgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehnglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhcpgmjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imfdff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmbmibhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddonekbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kknafn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eefhjc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikbnacmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpnchp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kibgmdcn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miifeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndaggimg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhpjkojk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipknlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocgdji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoolbinc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meiaib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjmehkqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgidml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngcgcjnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfolbmje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nafokcol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiidgeki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpfijcfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flceckoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hflcbngh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icifbang.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jehokgge.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmfhig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcqjfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hibljoco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikbnacmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgokmgjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocqnij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcagkdba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldleel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnihcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdeqhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcdmga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icifbang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kefkme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afhohlbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adcmmeog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gofkje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmknaell.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmdina32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnebeogl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnlhfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imbaemhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqgkhnjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eapedd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhcpgmjf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iicbehnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jehokgge.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpoefk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Impepm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcjapi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmfhig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pabkdmpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eamhodmf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgidml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdcdbl32.exe -
Executes dropped EXE 64 IoCs
pid Process 944 Habnjm32.exe 1996 Hcqjfh32.exe 3408 Hmioonpn.exe 3048 Hfachc32.exe 4740 Hippdo32.exe 3672 Haggelfd.exe 4228 Hcedaheh.exe 3076 Hibljoco.exe 4268 Icgqggce.exe 4452 Ijaida32.exe 1780 Impepm32.exe 1400 Ipnalhii.exe 4532 Ibmmhdhm.exe 216 Imbaemhc.exe 4660 Ipqnahgf.exe 2376 Ifjfnb32.exe 1104 Iiibkn32.exe 2248 Iapjlk32.exe 1800 Ibagcc32.exe 1980 Ijhodq32.exe 2300 Iabgaklg.exe 2652 Idacmfkj.exe 5024 Ijkljp32.exe 1088 Imihfl32.exe 3972 Jdcpcf32.exe 2504 Jjmhppqd.exe 5096 Jpjqhgol.exe 4676 Jbhmdbnp.exe 844 Jplmmfmi.exe 4296 Jbkjjblm.exe 4700 Jjbako32.exe 4932 Jaljgidl.exe 752 Jdjfcecp.exe 3148 Jigollag.exe 3748 Jangmibi.exe 4728 Jbocea32.exe 888 Jkfkfohj.exe 540 Kmegbjgn.exe 3932 Kpccnefa.exe 4040 Kbapjafe.exe 1200 Kkihknfg.exe 2716 Kilhgk32.exe 2532 Kpepcedo.exe 1956 Kdaldd32.exe 956 Kinemkko.exe 3104 Kdcijcke.exe 3680 Kgbefoji.exe 5104 Kknafn32.exe 452 Kmlnbi32.exe 1392 Kpjjod32.exe 3556 Kdffocib.exe 1272 Kgdbkohf.exe 3708 Kibnhjgj.exe 2540 Kajfig32.exe 3160 Kdhbec32.exe 3288 Kckbqpnj.exe 3488 Kgfoan32.exe 3424 Lmqgnhmp.exe 2384 Lcmofolg.exe 2876 Lgikfn32.exe 4484 Lmccchkn.exe 3152 Lpappc32.exe 4856 Lcpllo32.exe 4424 Lijdhiaa.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hoiafcic.exe Hmjdjgjo.exe File opened for modification C:\Windows\SysWOW64\Lenamdem.exe Ldleel32.exe File opened for modification C:\Windows\SysWOW64\Mmnldp32.exe Mibpda32.exe File opened for modification C:\Windows\SysWOW64\Ijkljp32.exe Idacmfkj.exe File created C:\Windows\SysWOW64\Hffdjk32.dll Bjpaooda.exe File created C:\Windows\SysWOW64\Dmllipeg.exe Dgbdlf32.exe File opened for modification C:\Windows\SysWOW64\Ajfoiqll.exe Acmflf32.exe File created C:\Windows\SysWOW64\Bneljh32.dll Bfdodjhm.exe File created C:\Windows\SysWOW64\Okloegjl.exe Ogaceh32.exe File created C:\Windows\SysWOW64\Ndhmhh32.exe Nlaegk32.exe File created C:\Windows\SysWOW64\Pqnaim32.exe Pjdilcla.exe File opened for modification C:\Windows\SysWOW64\Cdfbibnb.exe Cahfmgoo.exe File created C:\Windows\SysWOW64\Eaklidoi.exe Dlncan32.exe File opened for modification C:\Windows\SysWOW64\Jigollag.exe Jdjfcecp.exe File created C:\Windows\SysWOW64\Kdaldd32.exe Kpepcedo.exe File created C:\Windows\SysWOW64\Gdqgmmjb.exe Gcojed32.exe File opened for modification C:\Windows\SysWOW64\Lpqiemge.exe Lmbmibhb.exe File created C:\Windows\SysWOW64\Ndkqipob.dll Cjinkg32.exe File opened for modification C:\Windows\SysWOW64\Idacmfkj.exe Iabgaklg.exe File created C:\Windows\SysWOW64\Ekipni32.dll Mcpebmkb.exe File opened for modification C:\Windows\SysWOW64\Jblpek32.exe Jpnchp32.exe File opened for modification C:\Windows\SysWOW64\Cajlhqjp.exe Ceckcp32.exe File opened for modification C:\Windows\SysWOW64\Kpepcedo.exe Kilhgk32.exe File opened for modification C:\Windows\SysWOW64\Hmfkoh32.exe Heocnk32.exe File opened for modification C:\Windows\SysWOW64\Iehfdi32.exe Ifefimom.exe File created C:\Windows\SysWOW64\Dnqmalhn.dll Dekhneap.exe File created C:\Windows\SysWOW64\Keblci32.dll Ipknlb32.exe File opened for modification C:\Windows\SysWOW64\Laalifad.exe Lijdhiaa.exe File opened for modification C:\Windows\SysWOW64\Baicac32.exe Bfdodjhm.exe File created C:\Windows\SysWOW64\Ndninjfg.dll Jjmhppqd.exe File created C:\Windows\SysWOW64\Iifokh32.exe Iejcji32.exe File opened for modification C:\Windows\SysWOW64\Kplpjn32.exe Klqcioba.exe File created C:\Windows\SysWOW64\Offdjb32.dll Lmqgnhmp.exe File created C:\Windows\SysWOW64\Ocalcppo.dll Ecjhcg32.exe File created C:\Windows\SysWOW64\Pkajcp32.dll Pjhbgb32.exe File created C:\Windows\SysWOW64\Doqpak32.exe Clbceo32.exe File created C:\Windows\SysWOW64\Lbjlfi32.exe Kplpjn32.exe File created C:\Windows\SysWOW64\Daconoae.exe Ddonekbl.exe File opened for modification C:\Windows\SysWOW64\Kdffocib.exe Kpjjod32.exe File opened for modification C:\Windows\SysWOW64\Kckbqpnj.exe Kdhbec32.exe File created C:\Windows\SysWOW64\Pdfjifjo.exe Pmoahijl.exe File created C:\Windows\SysWOW64\Flqimk32.exe Ffgqqaip.exe File opened for modification C:\Windows\SysWOW64\Pgllfp32.exe Pqbdjfln.exe File created C:\Windows\SysWOW64\Gefncbmc.dll Lgpagm32.exe File created C:\Windows\SysWOW64\Jcoegc32.dll Njogjfoj.exe File opened for modification C:\Windows\SysWOW64\Cbcilkjg.exe Cklaknjd.exe File created C:\Windows\SysWOW64\Dekclg32.dll Gcddpdpo.exe File created C:\Windows\SysWOW64\Ifllil32.exe Icnpmp32.exe File opened for modification C:\Windows\SysWOW64\Kknafn32.exe Kgbefoji.exe File opened for modification C:\Windows\SysWOW64\Aeopki32.exe Andgoobc.exe File created C:\Windows\SysWOW64\Mjdgcbkb.dll Bbgipldd.exe File created C:\Windows\SysWOW64\Llmglb32.dll Opdghh32.exe File created C:\Windows\SysWOW64\Bhicommo.dll Cabfga32.exe File opened for modification C:\Windows\SysWOW64\Qnkdhpjn.exe Qjpiha32.exe File created C:\Windows\SysWOW64\Aeopki32.exe Andgoobc.exe File opened for modification C:\Windows\SysWOW64\Ocnjidkf.exe Odkjng32.exe File created C:\Windows\SysWOW64\Iapjlk32.exe Iiibkn32.exe File created C:\Windows\SysWOW64\Oponmilc.exe Nnqbanmo.exe File opened for modification C:\Windows\SysWOW64\Eemnjbaj.exe Ecoangbg.exe File created C:\Windows\SysWOW64\Oggacefk.dll Ffgqqaip.exe File opened for modification C:\Windows\SysWOW64\Lpfijcfl.exe Lnhmng32.exe File created C:\Windows\SysWOW64\Ekiapn32.dll Odgqdlnj.exe File created C:\Windows\SysWOW64\Aaiapmca.dll Nggqoj32.exe File opened for modification C:\Windows\SysWOW64\Bdfibe32.exe Bahmfj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12708 6416 WerFault.exe 662 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblabf.dll" Hmfkoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfckahdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdhdajea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll" Ndaggimg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adgbpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aabmqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpappc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiopcppf.dll" Jbeidl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll" Mkbchk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcdmga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmgladp.dll" Njnpppkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll" Qfcfml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onfbfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelcja32.dll" Ehgqln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgioqq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eamhodmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdkldb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Balfaiil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Angddopp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgpagm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abngjnmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncnkogdb.dll" Bbifelba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffkjlp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbiaapdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kajfig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkciihgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klljnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbgipldd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Melnob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll" Kilhgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdfbibnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfenmm32.dll" Mlcifmbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agffge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpjqhgol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpepcedo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpdelajl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqgkhnjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbllbibl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll" Pgioqq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll" Acjclpcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijkljp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll" Kdcijcke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldleel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdnaigp.dll" Hcedaheh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnhjmp32.dll" Kboljk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgllfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll" Chokikeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqdoboli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qddina32.dll" Hofdacke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlmllkja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffddka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfdodjhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll" Njacpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edbklofb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpgmha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmcpemd.dll" Jlednamo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoecnk32.dll" Kmdqgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ligqhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll" Pdifoehl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqbamo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajneip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmgfda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll" Nqklmpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eodpoobg.dll" Bdfibe32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1972 wrote to memory of 944 1972 107a3bf0e5a0a1cd04de670a8ca45ecb.exe 86 PID 1972 wrote to memory of 944 1972 107a3bf0e5a0a1cd04de670a8ca45ecb.exe 86 PID 1972 wrote to memory of 944 1972 107a3bf0e5a0a1cd04de670a8ca45ecb.exe 86 PID 944 wrote to memory of 1996 944 Habnjm32.exe 87 PID 944 wrote to memory of 1996 944 Habnjm32.exe 87 PID 944 wrote to memory of 1996 944 Habnjm32.exe 87 PID 1996 wrote to memory of 3408 1996 Hcqjfh32.exe 88 PID 1996 wrote to memory of 3408 1996 Hcqjfh32.exe 88 PID 1996 wrote to memory of 3408 1996 Hcqjfh32.exe 88 PID 3408 wrote to memory of 3048 3408 Hmioonpn.exe 89 PID 3408 wrote to memory of 3048 3408 Hmioonpn.exe 89 PID 3408 wrote to memory of 3048 3408 Hmioonpn.exe 89 PID 3048 wrote to memory of 4740 3048 Hfachc32.exe 90 PID 3048 wrote to memory of 4740 3048 Hfachc32.exe 90 PID 3048 wrote to memory of 4740 3048 Hfachc32.exe 90 PID 4740 wrote to memory of 3672 4740 Hippdo32.exe 91 PID 4740 wrote to memory of 3672 4740 Hippdo32.exe 91 PID 4740 wrote to memory of 3672 4740 Hippdo32.exe 91 PID 3672 wrote to memory of 4228 3672 Haggelfd.exe 92 PID 3672 wrote to memory of 4228 3672 Haggelfd.exe 92 PID 3672 wrote to memory of 4228 3672 Haggelfd.exe 92 PID 4228 wrote to memory of 3076 4228 Hcedaheh.exe 94 PID 4228 wrote to memory of 3076 4228 Hcedaheh.exe 94 PID 4228 wrote to memory of 3076 4228 Hcedaheh.exe 94 PID 3076 wrote to memory of 4268 3076 Hibljoco.exe 96 PID 3076 wrote to memory of 4268 3076 Hibljoco.exe 96 PID 3076 wrote to memory of 4268 3076 Hibljoco.exe 96 PID 4268 wrote to memory of 4452 4268 Icgqggce.exe 97 PID 4268 wrote to memory of 4452 4268 Icgqggce.exe 97 PID 4268 wrote to memory of 4452 4268 Icgqggce.exe 97 PID 4452 wrote to memory of 1780 4452 Ijaida32.exe 98 PID 4452 wrote to memory of 1780 4452 Ijaida32.exe 98 PID 4452 wrote to memory of 1780 4452 Ijaida32.exe 98 PID 1780 wrote to memory of 1400 1780 Impepm32.exe 99 PID 1780 wrote to memory of 1400 1780 Impepm32.exe 99 PID 1780 wrote to memory of 1400 1780 Impepm32.exe 99 PID 1400 wrote to memory of 4532 1400 Ipnalhii.exe 100 PID 1400 wrote to memory of 4532 1400 Ipnalhii.exe 100 PID 1400 wrote to memory of 4532 1400 Ipnalhii.exe 100 PID 4532 wrote to memory of 216 4532 Ibmmhdhm.exe 101 PID 4532 wrote to memory of 216 4532 Ibmmhdhm.exe 101 PID 4532 wrote to memory of 216 4532 Ibmmhdhm.exe 101 PID 216 wrote to memory of 4660 216 Imbaemhc.exe 103 PID 216 wrote to memory of 4660 216 Imbaemhc.exe 103 PID 216 wrote to memory of 4660 216 Imbaemhc.exe 103 PID 4660 wrote to memory of 2376 4660 Ipqnahgf.exe 104 PID 4660 wrote to memory of 2376 4660 Ipqnahgf.exe 104 PID 4660 wrote to memory of 2376 4660 Ipqnahgf.exe 104 PID 2376 wrote to memory of 1104 2376 Ifjfnb32.exe 105 PID 2376 wrote to memory of 1104 2376 Ifjfnb32.exe 105 PID 2376 wrote to memory of 1104 2376 Ifjfnb32.exe 105 PID 1104 wrote to memory of 2248 1104 Iiibkn32.exe 107 PID 1104 wrote to memory of 2248 1104 Iiibkn32.exe 107 PID 1104 wrote to memory of 2248 1104 Iiibkn32.exe 107 PID 2248 wrote to memory of 1800 2248 Iapjlk32.exe 108 PID 2248 wrote to memory of 1800 2248 Iapjlk32.exe 108 PID 2248 wrote to memory of 1800 2248 Iapjlk32.exe 108 PID 1800 wrote to memory of 1980 1800 Ibagcc32.exe 109 PID 1800 wrote to memory of 1980 1800 Ibagcc32.exe 109 PID 1800 wrote to memory of 1980 1800 Ibagcc32.exe 109 PID 1980 wrote to memory of 2300 1980 Ijhodq32.exe 110 PID 1980 wrote to memory of 2300 1980 Ijhodq32.exe 110 PID 1980 wrote to memory of 2300 1980 Ijhodq32.exe 110 PID 2300 wrote to memory of 2652 2300 Iabgaklg.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\107a3bf0e5a0a1cd04de670a8ca45ecb.exe"C:\Users\Admin\AppData\Local\Temp\107a3bf0e5a0a1cd04de670a8ca45ecb.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Habnjm32.exeC:\Windows\system32\Habnjm32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Windows\SysWOW64\Hcqjfh32.exeC:\Windows\system32\Hcqjfh32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Hmioonpn.exeC:\Windows\system32\Hmioonpn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408 -
C:\Windows\SysWOW64\Hfachc32.exeC:\Windows\system32\Hfachc32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Hippdo32.exeC:\Windows\system32\Hippdo32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\SysWOW64\Haggelfd.exeC:\Windows\system32\Haggelfd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\SysWOW64\Hcedaheh.exeC:\Windows\system32\Hcedaheh.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\SysWOW64\Hibljoco.exeC:\Windows\system32\Hibljoco.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Windows\SysWOW64\Icgqggce.exeC:\Windows\system32\Icgqggce.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\SysWOW64\Ijaida32.exeC:\Windows\system32\Ijaida32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Windows\SysWOW64\Impepm32.exeC:\Windows\system32\Impepm32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Ipnalhii.exeC:\Windows\system32\Ipnalhii.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\SysWOW64\Imbaemhc.exeC:\Windows\system32\Imbaemhc.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\Ipqnahgf.exeC:\Windows\system32\Ipqnahgf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\SysWOW64\Ifjfnb32.exeC:\Windows\system32\Ifjfnb32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Iiibkn32.exeC:\Windows\system32\Iiibkn32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Iapjlk32.exeC:\Windows\system32\Iapjlk32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Ibagcc32.exeC:\Windows\system32\Ibagcc32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Ijhodq32.exeC:\Windows\system32\Ijhodq32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Iabgaklg.exeC:\Windows\system32\Iabgaklg.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Idacmfkj.exeC:\Windows\system32\Idacmfkj.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:5024 -
C:\Windows\SysWOW64\Imihfl32.exeC:\Windows\system32\Imihfl32.exe25⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Jdcpcf32.exeC:\Windows\system32\Jdcpcf32.exe26⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Jjmhppqd.exeC:\Windows\system32\Jjmhppqd.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Jpjqhgol.exeC:\Windows\system32\Jpjqhgol.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:5096 -
C:\Windows\SysWOW64\Jbhmdbnp.exeC:\Windows\system32\Jbhmdbnp.exe29⤵
- Executes dropped EXE
PID:4676 -
C:\Windows\SysWOW64\Jplmmfmi.exeC:\Windows\system32\Jplmmfmi.exe30⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Jbkjjblm.exeC:\Windows\system32\Jbkjjblm.exe31⤵
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\Jjbako32.exeC:\Windows\system32\Jjbako32.exe32⤵
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\Jaljgidl.exeC:\Windows\system32\Jaljgidl.exe33⤵
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\Jdjfcecp.exeC:\Windows\system32\Jdjfcecp.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:752 -
C:\Windows\SysWOW64\Jigollag.exeC:\Windows\system32\Jigollag.exe35⤵
- Executes dropped EXE
PID:3148 -
C:\Windows\SysWOW64\Jangmibi.exeC:\Windows\system32\Jangmibi.exe36⤵
- Executes dropped EXE
PID:3748 -
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe37⤵
- Executes dropped EXE
PID:4728 -
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe38⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Kmegbjgn.exeC:\Windows\system32\Kmegbjgn.exe39⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Kpccnefa.exeC:\Windows\system32\Kpccnefa.exe40⤵
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Kbapjafe.exeC:\Windows\system32\Kbapjafe.exe41⤵
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe42⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Kilhgk32.exeC:\Windows\system32\Kilhgk32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Kpepcedo.exeC:\Windows\system32\Kpepcedo.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2532 -
C:\Windows\SysWOW64\Kdaldd32.exeC:\Windows\system32\Kdaldd32.exe45⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Kinemkko.exeC:\Windows\system32\Kinemkko.exe46⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Kdcijcke.exeC:\Windows\system32\Kdcijcke.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:3104 -
C:\Windows\SysWOW64\Kgbefoji.exeC:\Windows\system32\Kgbefoji.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3680 -
C:\Windows\SysWOW64\Kknafn32.exeC:\Windows\system32\Kknafn32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Kmlnbi32.exeC:\Windows\system32\Kmlnbi32.exe50⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Kpjjod32.exeC:\Windows\system32\Kpjjod32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1392 -
C:\Windows\SysWOW64\Kdffocib.exeC:\Windows\system32\Kdffocib.exe52⤵
- Executes dropped EXE
PID:3556 -
C:\Windows\SysWOW64\Kgdbkohf.exeC:\Windows\system32\Kgdbkohf.exe53⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Kibnhjgj.exeC:\Windows\system32\Kibnhjgj.exe54⤵
- Executes dropped EXE
PID:3708 -
C:\Windows\SysWOW64\Kajfig32.exeC:\Windows\system32\Kajfig32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2540 -
C:\Windows\SysWOW64\Kdhbec32.exeC:\Windows\system32\Kdhbec32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3160 -
C:\Windows\SysWOW64\Kckbqpnj.exeC:\Windows\system32\Kckbqpnj.exe57⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Kgfoan32.exeC:\Windows\system32\Kgfoan32.exe58⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Lmqgnhmp.exeC:\Windows\system32\Lmqgnhmp.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3424 -
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe60⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Lgikfn32.exeC:\Windows\system32\Lgikfn32.exe61⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Lmccchkn.exeC:\Windows\system32\Lmccchkn.exe62⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Lpappc32.exeC:\Windows\system32\Lpappc32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:3152 -
C:\Windows\SysWOW64\Lcpllo32.exeC:\Windows\system32\Lcpllo32.exe64⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4424 -
C:\Windows\SysWOW64\Laalifad.exeC:\Windows\system32\Laalifad.exe66⤵PID:2584
-
C:\Windows\SysWOW64\Lpcmec32.exeC:\Windows\system32\Lpcmec32.exe67⤵PID:492
-
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe68⤵PID:928
-
C:\Windows\SysWOW64\Lnhmng32.exeC:\Windows\system32\Lnhmng32.exe69⤵
- Drops file in System32 directory
PID:3896 -
C:\Windows\SysWOW64\Lpfijcfl.exeC:\Windows\system32\Lpfijcfl.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5048 -
C:\Windows\SysWOW64\Lgpagm32.exeC:\Windows\system32\Lgpagm32.exe71⤵
- Drops file in System32 directory
- Modifies registry class
PID:4988 -
C:\Windows\SysWOW64\Ljnnch32.exeC:\Windows\system32\Ljnnch32.exe72⤵PID:5004
-
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe73⤵PID:1432
-
C:\Windows\SysWOW64\Lcgblncm.exeC:\Windows\system32\Lcgblncm.exe74⤵PID:2492
-
C:\Windows\SysWOW64\Lknjmkdo.exeC:\Windows\system32\Lknjmkdo.exe75⤵PID:4976
-
C:\Windows\SysWOW64\Mnlfigcc.exeC:\Windows\system32\Mnlfigcc.exe76⤵PID:4400
-
C:\Windows\SysWOW64\Mciobn32.exeC:\Windows\system32\Mciobn32.exe77⤵PID:3492
-
C:\Windows\SysWOW64\Mgekbljc.exeC:\Windows\system32\Mgekbljc.exe78⤵PID:3856
-
C:\Windows\SysWOW64\Mjcgohig.exeC:\Windows\system32\Mjcgohig.exe79⤵PID:1988
-
C:\Windows\SysWOW64\Mpmokb32.exeC:\Windows\system32\Mpmokb32.exe80⤵PID:1900
-
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe81⤵PID:1680
-
C:\Windows\SysWOW64\Mkbchk32.exeC:\Windows\system32\Mkbchk32.exe82⤵
- Modifies registry class
PID:4928 -
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe83⤵PID:2072
-
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe84⤵PID:4196
-
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe85⤵PID:4504
-
C:\Windows\SysWOW64\Mgidml32.exeC:\Windows\system32\Mgidml32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4696 -
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe87⤵PID:4244
-
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe88⤵PID:3252
-
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe89⤵
- Drops file in System32 directory
PID:1036 -
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe90⤵PID:3884
-
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe91⤵PID:5160
-
C:\Windows\SysWOW64\Mnfipekh.exeC:\Windows\system32\Mnfipekh.exe92⤵PID:5208
-
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe93⤵
- Modifies registry class
PID:5244 -
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe94⤵PID:5284
-
C:\Windows\SysWOW64\Mgnnhk32.exeC:\Windows\system32\Mgnnhk32.exe95⤵PID:5336
-
C:\Windows\SysWOW64\Nqfbaq32.exeC:\Windows\system32\Nqfbaq32.exe96⤵PID:5376
-
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe97⤵PID:5432
-
C:\Windows\SysWOW64\Ngpjnkpf.exeC:\Windows\system32\Ngpjnkpf.exe98⤵PID:5484
-
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe99⤵
- Drops file in System32 directory
PID:5532 -
C:\Windows\SysWOW64\Nafokcol.exeC:\Windows\system32\Nafokcol.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5592 -
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe101⤵PID:5636
-
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5680 -
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe103⤵
- Modifies registry class
PID:5724 -
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe104⤵PID:5768
-
C:\Windows\SysWOW64\Nqklmpdd.exeC:\Windows\system32\Nqklmpdd.exe105⤵
- Modifies registry class
PID:5804 -
C:\Windows\SysWOW64\Ncihikcg.exeC:\Windows\system32\Ncihikcg.exe106⤵PID:5848
-
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe107⤵PID:5888
-
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe108⤵PID:5932
-
C:\Windows\SysWOW64\Nbkhfc32.exeC:\Windows\system32\Nbkhfc32.exe109⤵PID:5968
-
C:\Windows\SysWOW64\Ndidbn32.exeC:\Windows\system32\Ndidbn32.exe110⤵PID:6008
-
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe111⤵
- Drops file in System32 directory
PID:6044 -
C:\Windows\SysWOW64\Nnaikd32.exeC:\Windows\system32\Nnaikd32.exe112⤵PID:6088
-
C:\Windows\SysWOW64\Nbmelbid.exeC:\Windows\system32\Nbmelbid.exe113⤵PID:6132
-
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe114⤵PID:5140
-
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe115⤵PID:5204
-
C:\Windows\SysWOW64\Ojhiqefo.exeC:\Windows\system32\Ojhiqefo.exe116⤵PID:5272
-
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe117⤵PID:5344
-
C:\Windows\SysWOW64\Oqbamo32.exeC:\Windows\system32\Oqbamo32.exe118⤵
- Modifies registry class
PID:5420 -
C:\Windows\SysWOW64\Ocqnij32.exeC:\Windows\system32\Ocqnij32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5416 -
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe120⤵PID:5572
-
C:\Windows\SysWOW64\Onfbfc32.exeC:\Windows\system32\Onfbfc32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5632
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-