Analysis
-
max time kernel
123s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
10-04-2024 05:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1489c1eccd2c486fba37fa3bb3cc28cd.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
1489c1eccd2c486fba37fa3bb3cc28cd.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
1489c1eccd2c486fba37fa3bb3cc28cd.exe
-
Size
192KB
-
MD5
1489c1eccd2c486fba37fa3bb3cc28cd
-
SHA1
9b36b55d10e49d6291d0e99118b40e7ed93ecd7d
-
SHA256
a122e1001419f43f9b0b63f1f09e9b06163640474263a99b13b69bc64b65f1da
-
SHA512
576e6a8878600f7f88b73b20b31c1b40123bfef814c76bf3e23f16ed59e695bd9be7f5314ebf2b9a8a2703a7a57fe271fe7b374a12a09b1166c9bbf3fd87d215
-
SSDEEP
3072:YCWCCrEpTkobfIwbdvmdjub4eRB2qOQpq3HNr5GnV54c4NthaeKU3d5vEiLqsC6B:mYWozImdvmUbzR4qO+uNk54t3haeTFLp
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bijncb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anffje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcbehbim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qkjlpk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Megldcgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihagfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cjfaon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhnlelfm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaqmej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Odhipp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmofkm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnelha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfimmhkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oilmhhfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bfcompnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlcchn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fcbehbim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afinbdon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Efolidno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jinloboo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lplpcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aidcjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jqihjbod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqfpoope.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejcaidlp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqdlpmce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jdpkoalc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Inecac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgnqafgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jmijnfgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ldgnbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cagolf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkfkng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iebfmfdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ofjokc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfcompnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efccfojn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hchickeo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdleap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnelha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjoknhbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hmginjki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbkjcgaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fddqpn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfjnch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghflgedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gfnnel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diicfa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfjpppbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cnndbecl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iajkohmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pcncjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idbfhiko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nejpckgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhkief32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbigajfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ifjoma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hoogpcco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmlnomif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmhofbma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhljpcfk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llpmhodc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfeaegdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahmqnkbp.exe -
Executes dropped EXE 64 IoCs
pid Process 2652 Icfmci32.exe 4164 Jejbhk32.exe 2468 Jjihfbno.exe 2232 Jeolckne.exe 2448 Jlkafdco.exe 748 Kefbdjgm.exe 4296 Klbgfc32.exe 1428 Kocphojh.exe 5012 Lkiamp32.exe 1796 Laffpi32.exe 548 Loopdmpk.exe 2844 Mekdffee.exe 2088 Madbagif.exe 3320 Mcfkpjng.exe 4504 Nkcmjlio.exe 4412 Nkeipk32.exe 5004 Nfnjbdep.exe 3116 Ohncdobq.exe 4676 Ocfdgg32.exe 4544 Omaeem32.exe 3884 Omcbkl32.exe 4420 Pkholi32.exe 512 Pbddobla.exe 2272 Pkmhgh32.exe 2976 Pcfmneaa.exe 3576 Pbljoafi.exe 4456 Qkdohg32.exe 3440 Qkfkng32.exe 2696 Akihcfid.exe 1444 Bldgoeog.exe 4384 Cpifeb32.exe 4112 Dbhlikpf.exe 4536 Dcmedk32.exe 3528 Ellpmolj.exe 4660 Fcmnkh32.exe 684 Flfbcndo.exe 4884 Gjnlha32.exe 4188 Gqmnpk32.exe 4948 Gflcnanp.exe 2228 Hqfqfj32.exe 1860 Ifjoop32.exe 2204 Iqpclh32.exe 4844 Ijhhenhf.exe 764 Inhmqlmj.exe 2720 Iebfmfdg.exe 840 Ijonfmbn.exe 4476 Jjhalkjc.exe 452 Jfoaam32.exe 3564 Jmijnfgd.exe 1396 Kffhakjp.exe 1628 Kallod32.exe 1196 Kejeebpl.exe 4408 Lfmnbjcg.exe 2340 Lmgfod32.exe 4432 Lechkaga.exe 2564 Malefbkc.exe 5048 Mejnlpai.exe 376 Meljappg.exe 4172 Mmhofbma.exe 876 Ndmgnkja.exe 1368 Nkgoke32.exe 4068 Oakjnnap.exe 3580 Pdpmkhjl.exe 2972 Pkjegb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Iopgjjag.dll Lbenho32.exe File created C:\Windows\SysWOW64\Gnckjbfj.exe Ghgbakhb.exe File created C:\Windows\SysWOW64\Cgijnk32.exe Cmdfpbkc.exe File created C:\Windows\SysWOW64\Qlbfnk32.exe Palbpb32.exe File created C:\Windows\SysWOW64\Cebdcmhh.exe Bjmpfdhb.exe File created C:\Windows\SysWOW64\Ecnbgian.exe Enajobbf.exe File opened for modification C:\Windows\SysWOW64\Bbhqdhnm.exe Bhblfpng.exe File created C:\Windows\SysWOW64\Giofggia.exe Gbenjm32.exe File created C:\Windows\SysWOW64\Ifjfhh32.exe Iannpa32.exe File created C:\Windows\SysWOW64\Ghnibj32.exe Gkjhif32.exe File created C:\Windows\SysWOW64\Oemephgn.exe Oldagc32.exe File created C:\Windows\SysWOW64\Gdigqnmd.dll Aklddmep.exe File created C:\Windows\SysWOW64\Mbbcofpf.exe Mijofaje.exe File opened for modification C:\Windows\SysWOW64\Jcphkhad.exe Jlfpnn32.exe File created C:\Windows\SysWOW64\Moacbe32.exe Mdloelpc.exe File created C:\Windows\SysWOW64\Nijeoikf.exe Nhkief32.exe File opened for modification C:\Windows\SysWOW64\Madbagif.exe Mekdffee.exe File opened for modification C:\Windows\SysWOW64\Lkgkqh32.exe Loqjlg32.exe File created C:\Windows\SysWOW64\Foaoho32.dll Bppjhl32.exe File created C:\Windows\SysWOW64\Ncbfcp32.exe Mminfech.exe File opened for modification C:\Windows\SysWOW64\Hfajlp32.exe Hmifcjif.exe File created C:\Windows\SysWOW64\Klljhe32.exe Kfoapo32.exe File created C:\Windows\SysWOW64\Ghlahp32.dll Eeeaibid.exe File created C:\Windows\SysWOW64\Dapeapja.dll Cmipkb32.exe File created C:\Windows\SysWOW64\Dflmep32.exe Dlfhhgpp.exe File opened for modification C:\Windows\SysWOW64\Oegejc32.exe Onnmmipj.exe File opened for modification C:\Windows\SysWOW64\Pkholi32.exe Omcbkl32.exe File created C:\Windows\SysWOW64\Gfnnel32.exe Gmfilfep.exe File created C:\Windows\SysWOW64\Ghgbakhb.exe Gonnhf32.exe File created C:\Windows\SysWOW64\Ojmmch32.dll Llpmhodc.exe File created C:\Windows\SysWOW64\Llppob32.dll Qdphgmlj.exe File created C:\Windows\SysWOW64\Edeanh32.dll Mlialb32.exe File created C:\Windows\SysWOW64\Fpjjkh32.exe Fmlnomif.exe File opened for modification C:\Windows\SysWOW64\Knchio32.exe Kdkdqinj.exe File opened for modification C:\Windows\SysWOW64\Lqikfi32.exe Lklbnb32.exe File created C:\Windows\SysWOW64\Epnccc32.dll Djlkhe32.exe File opened for modification C:\Windows\SysWOW64\Fmoclg32.exe Fcfocb32.exe File opened for modification C:\Windows\SysWOW64\Ahenip32.exe Aakelfhg.exe File created C:\Windows\SysWOW64\Aqlkjbal.dll Fihecici.exe File created C:\Windows\SysWOW64\Ofpfmaai.dll Lqikfi32.exe File created C:\Windows\SysWOW64\Epbkhhel.exe Eemgkpef.exe File created C:\Windows\SysWOW64\Ckclfp32.exe Cqmgigfk.exe File created C:\Windows\SysWOW64\Mieeka32.exe Mnpami32.exe File opened for modification C:\Windows\SysWOW64\Ggfombmd.exe Gpmgph32.exe File created C:\Windows\SysWOW64\Mlnpjf32.dll Dlfhhgpp.exe File created C:\Windows\SysWOW64\Iioabi32.dll Kmhejk32.exe File created C:\Windows\SysWOW64\Mhefhf32.exe Ldgnbg32.exe File opened for modification C:\Windows\SysWOW64\Nmlafk32.exe Mhoind32.exe File opened for modification C:\Windows\SysWOW64\Mgebfhcl.exe Mnmmmbll.exe File opened for modification C:\Windows\SysWOW64\Piepnfnj.exe Pblhalfm.exe File created C:\Windows\SysWOW64\Bojhnjgf.exe Bimoecio.exe File created C:\Windows\SysWOW64\Fmbjhjdf.dll Hjeiai32.exe File created C:\Windows\SysWOW64\Qgalelin.exe Qagdia32.exe File opened for modification C:\Windows\SysWOW64\Lefkfk32.exe Lmkfah32.exe File created C:\Windows\SysWOW64\Mqkbjk32.dll Qkfkng32.exe File created C:\Windows\SysWOW64\Jeekeg32.exe Jnkchmdl.exe File created C:\Windows\SysWOW64\Ghnikdhc.dll Lknocb32.exe File created C:\Windows\SysWOW64\Pcgmiiii.exe Nebdighb.exe File created C:\Windows\SysWOW64\Mndonl32.dll Loqjlg32.exe File opened for modification C:\Windows\SysWOW64\Kipalpoj.exe Kphmbjhi.exe File opened for modification C:\Windows\SysWOW64\Ngbgmpcq.exe Nnjbdj32.exe File opened for modification C:\Windows\SysWOW64\Nhnlelfm.exe Mlpeol32.exe File created C:\Windows\SysWOW64\Kqkeoama.exe Kjambg32.exe File opened for modification C:\Windows\SysWOW64\Jqfejl32.exe Jgnqafgk.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kgefae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ahbjij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hmginjki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ikagpcof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Poodicio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohnfbkpf.dll" Jgcafl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hkbmjhdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfkdkddn.dll" Dpnfjjla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkojgh32.dll" Bqafpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dannbogl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampfba32.dll" Hhiacb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mjneec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmch32.dll" Llpmhodc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Meqmmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nldhpeop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lmneemaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Njahki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Koggehff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nbjhph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifnco32.dll" Jecejm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ckhlgilp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkeoeg32.dll" Icdhojka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nkcmjlio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqpnodjg.dll" Aelcooap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dedeij32.dll" Mjneec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimceg32.dll" Epgndedc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cllfcdpd.dll" Ikickgnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ohncdobq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Malefbkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adkghk32.dll" Odhipp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ifjoma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lkchoaif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lbkkpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Icfediio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kffhakjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ndmgnkja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Flpbnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ghfnej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oooodcci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oofacdaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dclknkfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hmhphqoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bebbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgogdc32.dll" Pmoijcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Afjemkbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhlkkb32.dll" Ipmbcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lnkgbibj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bcfkiock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cnndbecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kccgocfc.dll" Ooalibaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dlijodjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hqfqfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hokgmpkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jggjpgmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lmgfod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Icbbimih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aocafeff.dll" Nmbhgjoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adbaffid.dll" Fkflbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpeblo32.dll" Qqdqilph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmcnkmhc.dll" Lbkkpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbooabbb.dll" Pbljoafi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ifjoop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkaqh32.dll" Bijncb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pjahchpb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1840 wrote to memory of 2652 1840 1489c1eccd2c486fba37fa3bb3cc28cd.exe 96 PID 1840 wrote to memory of 2652 1840 1489c1eccd2c486fba37fa3bb3cc28cd.exe 96 PID 1840 wrote to memory of 2652 1840 1489c1eccd2c486fba37fa3bb3cc28cd.exe 96 PID 2652 wrote to memory of 4164 2652 Icfmci32.exe 97 PID 2652 wrote to memory of 4164 2652 Icfmci32.exe 97 PID 2652 wrote to memory of 4164 2652 Icfmci32.exe 97 PID 4164 wrote to memory of 2468 4164 Jejbhk32.exe 98 PID 4164 wrote to memory of 2468 4164 Jejbhk32.exe 98 PID 4164 wrote to memory of 2468 4164 Jejbhk32.exe 98 PID 2468 wrote to memory of 2232 2468 Jjihfbno.exe 99 PID 2468 wrote to memory of 2232 2468 Jjihfbno.exe 99 PID 2468 wrote to memory of 2232 2468 Jjihfbno.exe 99 PID 2232 wrote to memory of 2448 2232 Jeolckne.exe 100 PID 2232 wrote to memory of 2448 2232 Jeolckne.exe 100 PID 2232 wrote to memory of 2448 2232 Jeolckne.exe 100 PID 2448 wrote to memory of 748 2448 Jlkafdco.exe 101 PID 2448 wrote to memory of 748 2448 Jlkafdco.exe 101 PID 2448 wrote to memory of 748 2448 Jlkafdco.exe 101 PID 748 wrote to memory of 4296 748 Kefbdjgm.exe 102 PID 748 wrote to memory of 4296 748 Kefbdjgm.exe 102 PID 748 wrote to memory of 4296 748 Kefbdjgm.exe 102 PID 4296 wrote to memory of 1428 4296 Klbgfc32.exe 103 PID 4296 wrote to memory of 1428 4296 Klbgfc32.exe 103 PID 4296 wrote to memory of 1428 4296 Klbgfc32.exe 103 PID 1428 wrote to memory of 5012 1428 Kocphojh.exe 104 PID 1428 wrote to memory of 5012 1428 Kocphojh.exe 104 PID 1428 wrote to memory of 5012 1428 Kocphojh.exe 104 PID 5012 wrote to memory of 1796 5012 Lkiamp32.exe 105 PID 5012 wrote to memory of 1796 5012 Lkiamp32.exe 105 PID 5012 wrote to memory of 1796 5012 Lkiamp32.exe 105 PID 1796 wrote to memory of 548 1796 Laffpi32.exe 106 PID 1796 wrote to memory of 548 1796 Laffpi32.exe 106 PID 1796 wrote to memory of 548 1796 Laffpi32.exe 106 PID 548 wrote to memory of 2844 548 Loopdmpk.exe 107 PID 548 wrote to memory of 2844 548 Loopdmpk.exe 107 PID 548 wrote to memory of 2844 548 Loopdmpk.exe 107 PID 2844 wrote to memory of 2088 2844 Mekdffee.exe 108 PID 2844 wrote to memory of 2088 2844 Mekdffee.exe 108 PID 2844 wrote to memory of 2088 2844 Mekdffee.exe 108 PID 2088 wrote to memory of 3320 2088 Madbagif.exe 109 PID 2088 wrote to memory of 3320 2088 Madbagif.exe 109 PID 2088 wrote to memory of 3320 2088 Madbagif.exe 109 PID 3320 wrote to memory of 4504 3320 Mcfkpjng.exe 110 PID 3320 wrote to memory of 4504 3320 Mcfkpjng.exe 110 PID 3320 wrote to memory of 4504 3320 Mcfkpjng.exe 110 PID 4504 wrote to memory of 4412 4504 Nkcmjlio.exe 111 PID 4504 wrote to memory of 4412 4504 Nkcmjlio.exe 111 PID 4504 wrote to memory of 4412 4504 Nkcmjlio.exe 111 PID 4412 wrote to memory of 5004 4412 Nkeipk32.exe 112 PID 4412 wrote to memory of 5004 4412 Nkeipk32.exe 112 PID 4412 wrote to memory of 5004 4412 Nkeipk32.exe 112 PID 5004 wrote to memory of 3116 5004 Nfnjbdep.exe 113 PID 5004 wrote to memory of 3116 5004 Nfnjbdep.exe 113 PID 5004 wrote to memory of 3116 5004 Nfnjbdep.exe 113 PID 3116 wrote to memory of 4676 3116 Ohncdobq.exe 114 PID 3116 wrote to memory of 4676 3116 Ohncdobq.exe 114 PID 3116 wrote to memory of 4676 3116 Ohncdobq.exe 114 PID 4676 wrote to memory of 4544 4676 Ocfdgg32.exe 115 PID 4676 wrote to memory of 4544 4676 Ocfdgg32.exe 115 PID 4676 wrote to memory of 4544 4676 Ocfdgg32.exe 115 PID 4544 wrote to memory of 3884 4544 Omaeem32.exe 116 PID 4544 wrote to memory of 3884 4544 Omaeem32.exe 116 PID 4544 wrote to memory of 3884 4544 Omaeem32.exe 116 PID 3884 wrote to memory of 4420 3884 Omcbkl32.exe 117
Processes
-
C:\Users\Admin\AppData\Local\Temp\1489c1eccd2c486fba37fa3bb3cc28cd.exe"C:\Users\Admin\AppData\Local\Temp\1489c1eccd2c486fba37fa3bb3cc28cd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\Icfmci32.exeC:\Windows\system32\Icfmci32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Jejbhk32.exeC:\Windows\system32\Jejbhk32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\Windows\SysWOW64\Jjihfbno.exeC:\Windows\system32\Jjihfbno.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Jeolckne.exeC:\Windows\system32\Jeolckne.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Jlkafdco.exeC:\Windows\system32\Jlkafdco.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Kefbdjgm.exeC:\Windows\system32\Kefbdjgm.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\Klbgfc32.exeC:\Windows\system32\Klbgfc32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\Kocphojh.exeC:\Windows\system32\Kocphojh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Lkiamp32.exeC:\Windows\system32\Lkiamp32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Laffpi32.exeC:\Windows\system32\Laffpi32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Loopdmpk.exeC:\Windows\system32\Loopdmpk.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\Mekdffee.exeC:\Windows\system32\Mekdffee.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Madbagif.exeC:\Windows\system32\Madbagif.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Mcfkpjng.exeC:\Windows\system32\Mcfkpjng.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Windows\SysWOW64\Nkcmjlio.exeC:\Windows\system32\Nkcmjlio.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\Nkeipk32.exeC:\Windows\system32\Nkeipk32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\Nfnjbdep.exeC:\Windows\system32\Nfnjbdep.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\Ohncdobq.exeC:\Windows\system32\Ohncdobq.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3116 -
C:\Windows\SysWOW64\Ocfdgg32.exeC:\Windows\system32\Ocfdgg32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\Omaeem32.exeC:\Windows\system32\Omaeem32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\SysWOW64\Omcbkl32.exeC:\Windows\system32\Omcbkl32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3884 -
C:\Windows\SysWOW64\Pkholi32.exeC:\Windows\system32\Pkholi32.exe23⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Pbddobla.exeC:\Windows\system32\Pbddobla.exe24⤵
- Executes dropped EXE
PID:512 -
C:\Windows\SysWOW64\Pkmhgh32.exeC:\Windows\system32\Pkmhgh32.exe25⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Pcfmneaa.exeC:\Windows\system32\Pcfmneaa.exe26⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Pbljoafi.exeC:\Windows\system32\Pbljoafi.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:3576 -
C:\Windows\SysWOW64\Qkdohg32.exeC:\Windows\system32\Qkdohg32.exe28⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Qkfkng32.exeC:\Windows\system32\Qkfkng32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3440 -
C:\Windows\SysWOW64\Akihcfid.exeC:\Windows\system32\Akihcfid.exe30⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Bldgoeog.exeC:\Windows\system32\Bldgoeog.exe31⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Cpifeb32.exeC:\Windows\system32\Cpifeb32.exe32⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Dbhlikpf.exeC:\Windows\system32\Dbhlikpf.exe33⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Dcmedk32.exeC:\Windows\system32\Dcmedk32.exe34⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Ellpmolj.exeC:\Windows\system32\Ellpmolj.exe35⤵
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Fcmnkh32.exeC:\Windows\system32\Fcmnkh32.exe36⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Flfbcndo.exeC:\Windows\system32\Flfbcndo.exe37⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Gjnlha32.exeC:\Windows\system32\Gjnlha32.exe38⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Gqmnpk32.exeC:\Windows\system32\Gqmnpk32.exe39⤵
- Executes dropped EXE
PID:4188 -
C:\Windows\SysWOW64\Gflcnanp.exeC:\Windows\system32\Gflcnanp.exe40⤵
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Hqfqfj32.exeC:\Windows\system32\Hqfqfj32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Ifjoop32.exeC:\Windows\system32\Ifjoop32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Iqpclh32.exeC:\Windows\system32\Iqpclh32.exe43⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Ijhhenhf.exeC:\Windows\system32\Ijhhenhf.exe44⤵
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Inhmqlmj.exeC:\Windows\system32\Inhmqlmj.exe45⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Iebfmfdg.exeC:\Windows\system32\Iebfmfdg.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Ijonfmbn.exeC:\Windows\system32\Ijonfmbn.exe47⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Jjhalkjc.exeC:\Windows\system32\Jjhalkjc.exe48⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Jfoaam32.exeC:\Windows\system32\Jfoaam32.exe49⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Jmijnfgd.exeC:\Windows\system32\Jmijnfgd.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3564 -
C:\Windows\SysWOW64\Kffhakjp.exeC:\Windows\system32\Kffhakjp.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1396 -
C:\Windows\SysWOW64\Kallod32.exeC:\Windows\system32\Kallod32.exe52⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Kejeebpl.exeC:\Windows\system32\Kejeebpl.exe53⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Lfmnbjcg.exeC:\Windows\system32\Lfmnbjcg.exe54⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Lmgfod32.exeC:\Windows\system32\Lmgfod32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Lechkaga.exeC:\Windows\system32\Lechkaga.exe56⤵
- Executes dropped EXE
PID:4432 -
C:\Windows\SysWOW64\Malefbkc.exeC:\Windows\system32\Malefbkc.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Mejnlpai.exeC:\Windows\system32\Mejnlpai.exe58⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Meljappg.exeC:\Windows\system32\Meljappg.exe59⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Mmhofbma.exeC:\Windows\system32\Mmhofbma.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4172 -
C:\Windows\SysWOW64\Ndmgnkja.exeC:\Windows\system32\Ndmgnkja.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:876 -
C:\Windows\SysWOW64\Nkgoke32.exeC:\Windows\system32\Nkgoke32.exe62⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Oakjnnap.exeC:\Windows\system32\Oakjnnap.exe63⤵
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Pdpmkhjl.exeC:\Windows\system32\Pdpmkhjl.exe64⤵
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Pkjegb32.exeC:\Windows\system32\Pkjegb32.exe65⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Afkipi32.exeC:\Windows\system32\Afkipi32.exe66⤵PID:1928
-
C:\Windows\SysWOW64\Agobna32.exeC:\Windows\system32\Agobna32.exe67⤵PID:3520
-
C:\Windows\SysWOW64\Ainnhdbp.exeC:\Windows\system32\Ainnhdbp.exe68⤵PID:3916
-
C:\Windows\SysWOW64\Ankgpk32.exeC:\Windows\system32\Ankgpk32.exe69⤵PID:5160
-
C:\Windows\SysWOW64\Aeglbeea.exeC:\Windows\system32\Aeglbeea.exe70⤵PID:5204
-
C:\Windows\SysWOW64\Bfghlhmd.exeC:\Windows\system32\Bfghlhmd.exe71⤵PID:5248
-
C:\Windows\SysWOW64\Bijncb32.exeC:\Windows\system32\Bijncb32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5296 -
C:\Windows\SysWOW64\Cppelkeb.exeC:\Windows\system32\Cppelkeb.exe73⤵PID:5340
-
C:\Windows\SysWOW64\Dpdogj32.exeC:\Windows\system32\Dpdogj32.exe74⤵PID:5380
-
C:\Windows\SysWOW64\Eoconenj.exeC:\Windows\system32\Eoconenj.exe75⤵PID:5424
-
C:\Windows\SysWOW64\Eemgkpef.exeC:\Windows\system32\Eemgkpef.exe76⤵
- Drops file in System32 directory
PID:5464 -
C:\Windows\SysWOW64\Epbkhhel.exeC:\Windows\system32\Epbkhhel.exe77⤵PID:5528
-
C:\Windows\SysWOW64\Flpbnh32.exeC:\Windows\system32\Flpbnh32.exe78⤵
- Modifies registry class
PID:5568 -
C:\Windows\SysWOW64\Feifgnki.exeC:\Windows\system32\Feifgnki.exe79⤵PID:5612
-
C:\Windows\SysWOW64\Glnnofhi.exeC:\Windows\system32\Glnnofhi.exe80⤵PID:5660
-
C:\Windows\SysWOW64\Hodqlq32.exeC:\Windows\system32\Hodqlq32.exe81⤵PID:5704
-
C:\Windows\SysWOW64\Hpcmfchg.exeC:\Windows\system32\Hpcmfchg.exe82⤵PID:5744
-
C:\Windows\SysWOW64\Hokgmpkl.exeC:\Windows\system32\Hokgmpkl.exe83⤵
- Modifies registry class
PID:5780 -
C:\Windows\SysWOW64\Hhckeeam.exeC:\Windows\system32\Hhckeeam.exe84⤵PID:5828
-
C:\Windows\SysWOW64\Ifihdi32.exeC:\Windows\system32\Ifihdi32.exe85⤵PID:5872
-
C:\Windows\SysWOW64\Iobmmoed.exeC:\Windows\system32\Iobmmoed.exe86⤵PID:5916
-
C:\Windows\SysWOW64\Icbbimih.exeC:\Windows\system32\Icbbimih.exe87⤵
- Modifies registry class
PID:5960 -
C:\Windows\SysWOW64\Iiokacgp.exeC:\Windows\system32\Iiokacgp.exe88⤵PID:6020
-
C:\Windows\SysWOW64\Jopiom32.exeC:\Windows\system32\Jopiom32.exe89⤵PID:6080
-
C:\Windows\SysWOW64\Kqdodo32.exeC:\Windows\system32\Kqdodo32.exe90⤵PID:5148
-
C:\Windows\SysWOW64\Lfmghdpl.exeC:\Windows\system32\Lfmghdpl.exe91⤵PID:5216
-
C:\Windows\SysWOW64\Lcqgahoe.exeC:\Windows\system32\Lcqgahoe.exe92⤵PID:5272
-
C:\Windows\SysWOW64\Ljjpnb32.exeC:\Windows\system32\Ljjpnb32.exe93⤵PID:5352
-
C:\Windows\SysWOW64\Lmiljn32.exeC:\Windows\system32\Lmiljn32.exe94⤵PID:5416
-
C:\Windows\SysWOW64\Lagepl32.exeC:\Windows\system32\Lagepl32.exe95⤵PID:5480
-
C:\Windows\SysWOW64\Lhammfci.exeC:\Windows\system32\Lhammfci.exe96⤵PID:5552
-
C:\Windows\SysWOW64\Lmneemaq.exeC:\Windows\system32\Lmneemaq.exe97⤵
- Modifies registry class
PID:5600 -
C:\Windows\SysWOW64\Ldgnbg32.exeC:\Windows\system32\Ldgnbg32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5684 -
C:\Windows\SysWOW64\Mhefhf32.exeC:\Windows\system32\Mhefhf32.exe99⤵PID:5768
-
C:\Windows\SysWOW64\Mfmpob32.exeC:\Windows\system32\Mfmpob32.exe100⤵PID:5852
-
C:\Windows\SysWOW64\Minipm32.exeC:\Windows\system32\Minipm32.exe101⤵PID:5908
-
C:\Windows\SysWOW64\Mhoind32.exeC:\Windows\system32\Mhoind32.exe102⤵
- Drops file in System32 directory
PID:5968 -
C:\Windows\SysWOW64\Nmlafk32.exeC:\Windows\system32\Nmlafk32.exe103⤵PID:5072
-
C:\Windows\SysWOW64\Npognfpo.exeC:\Windows\system32\Npognfpo.exe104⤵PID:2472
-
C:\Windows\SysWOW64\Nmbhgjoi.exeC:\Windows\system32\Nmbhgjoi.exe105⤵
- Modifies registry class
PID:5972 -
C:\Windows\SysWOW64\Nkghqo32.exeC:\Windows\system32\Nkghqo32.exe106⤵PID:5212
-
C:\Windows\SysWOW64\Ohkijc32.exeC:\Windows\system32\Ohkijc32.exe107⤵PID:5376
-
C:\Windows\SysWOW64\Ohmepbki.exeC:\Windows\system32\Ohmepbki.exe108⤵PID:5408
-
C:\Windows\SysWOW64\Oinbgk32.exeC:\Windows\system32\Oinbgk32.exe109⤵PID:5500
-
C:\Windows\SysWOW64\Ogdofo32.exeC:\Windows\system32\Ogdofo32.exe110⤵PID:5648
-
C:\Windows\SysWOW64\Oajccgmd.exeC:\Windows\system32\Oajccgmd.exe111⤵PID:4556
-
C:\Windows\SysWOW64\Oiehhjjp.exeC:\Windows\system32\Oiehhjjp.exe112⤵PID:5808
-
C:\Windows\SysWOW64\Opopdd32.exeC:\Windows\system32\Opopdd32.exe113⤵PID:5944
-
C:\Windows\SysWOW64\Pjoknhbe.exeC:\Windows\system32\Pjoknhbe.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2312 -
C:\Windows\SysWOW64\Pjahchpb.exeC:\Windows\system32\Pjahchpb.exe115⤵
- Modifies registry class
PID:5276 -
C:\Windows\SysWOW64\Qpmmfbfl.exeC:\Windows\system32\Qpmmfbfl.exe116⤵PID:2872
-
C:\Windows\SysWOW64\Qkcackeb.exeC:\Windows\system32\Qkcackeb.exe117⤵PID:5580
-
C:\Windows\SysWOW64\Aqpika32.exeC:\Windows\system32\Aqpika32.exe118⤵PID:5836
-
C:\Windows\SysWOW64\Agiahlkf.exeC:\Windows\system32\Agiahlkf.exe119⤵PID:5936
-
C:\Windows\SysWOW64\Ancjef32.exeC:\Windows\system32\Ancjef32.exe120⤵PID:6056
-
C:\Windows\SysWOW64\Ahinbo32.exeC:\Windows\system32\Ahinbo32.exe121⤵PID:5596
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-