Analysis

max time kernel: 158s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 10/04/2024, 05:46

Static task: static1 (1 signature)

Behavioral task: behavioral1
Sample: 21fe552f6837d7d38ec8836baa95b190.exe
Resource: win7-20240221-en
7 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 21fe552f6837d7d38ec8836baa95b190.exe
Resource: win10v2004-20240226-en
5 signatures, 150 seconds
General

Target: 21fe552f6837d7d38ec8836baa95b190.exe
Size: 64KB
MD5: 21fe552f6837d7d38ec8836baa95b190
SHA1: 988195831660d625ce6a64eb9f62c5651c67816c
SHA256: d5d8befbe0b24fdb33d2aa6e75967fade87883320158a55845fd996a79ece47d
SHA512: 472bcf917e80b9e29a68578b2b583125a8e49cb49c94f2b8727f28c07ddd34d3ca529e998dc9ae50d69439cb34c8335dfc762b43066b8700d538af41d59dc4f7
SSDEEP: 768:ItONBCAF6eYtPJ7vmpYJTUC2N+rM2r9HNIdu/1H5scHXdnhgoEqErtE1oHEzkAu8:IiwZBJEYJTUVN+rMy9t9VV1iL+iALMH6
Score: 10/10
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Each process at level n is the child of the process at level n-1. For every dropped EXE the command line names C:\Windows\system32\, while the image path records the C:\Windows\SysWOW64\ file the 32-bit process actually ran (WOW64 file system redirection).

Level 1, PID 4032: C:\Users\Admin\AppData\Local\Temp\21fe552f6837d7d38ec8836baa95b190.exe (command line: "C:\Users\Admin\AppData\Local\Temp\21fe552f6837d7d38ec8836baa95b190.exe")
- Suspicious use of WriteProcessMemory
Level 2, PID 3804: C:\Windows\SysWOW64\Fdkdibjp.exe (command line: C:\Windows\system32\Fdkdibjp.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Level 3, PID 888: C:\Windows\SysWOW64\Janghmia.exe (command line: C:\Windows\system32\Janghmia.exe)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
Level 4, PID 3280: C:\Windows\SysWOW64\Jjihfbno.exe (command line: C:\Windows\system32\Jjihfbno.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Level 5, PID 2792: C:\Windows\SysWOW64\Kajfdk32.exe (command line: C:\Windows\system32\Kajfdk32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
Level 6, PID 1452: C:\Windows\SysWOW64\Kehojiej.exe (command line: C:\Windows\system32\Kehojiej.exe)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
Level 7, PID 4104: C:\Windows\SysWOW64\Lhmafcnf.exe (command line: C:\Windows\system32\Lhmafcnf.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Level 8, PID 3400: C:\Windows\SysWOW64\Lhdggb32.exe (command line: C:\Windows\system32\Lhdggb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Level 9, PID 4836: C:\Windows\SysWOW64\Moefdljc.exe (command line: C:\Windows\system32\Moefdljc.exe)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
Level 10, PID 2532: C:\Windows\SysWOW64\Nfiagd32.exe (command line: C:\Windows\system32\Nfiagd32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Level 11, PID 4996: C:\Windows\SysWOW64\Ohcmpn32.exe (command line: C:\Windows\system32\Ohcmpn32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Level 12, PID 3548: C:\Windows\SysWOW64\Omcbkl32.exe (command line: C:\Windows\system32\Omcbkl32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Level 13, PID 4404: C:\Windows\SysWOW64\Pofhbgmn.exe (command line: C:\Windows\system32\Pofhbgmn.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Level 14, PID 4588: C:\Windows\SysWOW64\Qifbll32.exe (command line: C:\Windows\system32\Qifbll32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Level 15, PID 3544: C:\Windows\SysWOW64\Apgqie32.exe (command line: C:\Windows\system32\Apgqie32.exe)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
Level 16, PID 4300: C:\Windows\SysWOW64\Afeban32.exe (command line: C:\Windows\system32\Afeban32.exe)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
Level 17, PID 1868: C:\Windows\SysWOW64\Cfcoblfb.exe (command line: C:\Windows\system32\Cfcoblfb.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Level 18, PID 1264: C:\Windows\SysWOW64\Dpefaq32.exe (command line: C:\Windows\system32\Dpefaq32.exe)
- Executes dropped EXE
- Modifies registry class
Level 19, PID 1740: C:\Windows\SysWOW64\Dinjjf32.exe (command line: C:\Windows\system32\Dinjjf32.exe)
- Suspicious use of WriteProcessMemory
Level 20, PID 4984: C:\Windows\SysWOW64\Dbhlikpf.exe (command line: C:\Windows\system32\Dbhlikpf.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
Level 21, PID 1940: C:\Windows\SysWOW64\Dpoiho32.exe (command line: C:\Windows\system32\Dpoiho32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Level 22, PID 1624: C:\Windows\SysWOW64\Eleimp32.exe (command line: C:\Windows\system32\Eleimp32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Level 23, PID 5084: C:\Windows\SysWOW64\Eilfldoi.exe (command line: C:\Windows\system32\Eilfldoi.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Level 24, PID 4764: C:\Windows\SysWOW64\Enllgbcl.exe (command line: C:\Windows\system32\Enllgbcl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Level 25, PID 4504: C:\Windows\SysWOW64\Fgijkgeh.exe (command line: C:\Windows\system32\Fgijkgeh.exe)
- Executes dropped EXE
Level 26, PID 4412: C:\Windows\SysWOW64\Gjnlha32.exe (command line: C:\Windows\system32\Gjnlha32.exe)
- Executes dropped EXE
Level 27, PID 3380: C:\Windows\SysWOW64\Gloejmld.exe (command line: C:\Windows\system32\Gloejmld.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Level 28, PID 2440: C:\Windows\SysWOW64\Ggicbe32.exe (command line: C:\Windows\system32\Ggicbe32.exe)
- Executes dropped EXE
Level 29, PID 4888: C:\Windows\SysWOW64\Hgpibdam.exe (command line: C:\Windows\system32\Hgpibdam.exe)
- Executes dropped EXE
Level 30, PID 972: C:\Windows\SysWOW64\Hnmnengg.exe (command line: C:\Windows\system32\Hnmnengg.exe)
- Executes dropped EXE
Level 31, PID 3552: C:\Windows\SysWOW64\Icqmncof.exe (command line: C:\Windows\system32\Icqmncof.exe)
- Executes dropped EXE
- Modifies registry class
Level 32, PID 3332: C:\Windows\SysWOW64\Jjakkmpk.exe (command line: C:\Windows\system32\Jjakkmpk.exe)
- Executes dropped EXE
Level 33, PID 2520: C:\Windows\SysWOW64\Jegohe32.exe (command line: C:\Windows\system32\Jegohe32.exe)
- Executes dropped EXE
Level 34, PID 2964: C:\Windows\SysWOW64\Jfmekm32.exe (command line: C:\Windows\system32\Jfmekm32.exe)
- Executes dropped EXE
Level 35, PID 4384: C:\Windows\SysWOW64\Kfanflne.exe (command line: C:\Windows\system32\Kfanflne.exe)
- Executes dropped EXE
Level 36, PID 4652: C:\Windows\SysWOW64\Knpmhh32.exe (command line: C:\Windows\system32\Knpmhh32.exe)
- Executes dropped EXE
Level 37, PID 4724: C:\Windows\SysWOW64\Kmeiie32.exe (command line: C:\Windows\system32\Kmeiie32.exe)
- Executes dropped EXE
Level 38, PID 4912: C:\Windows\SysWOW64\Lechkaga.exe (command line: C:\Windows\system32\Lechkaga.exe)
- Executes dropped EXE
Level 39, PID 4120: C:\Windows\SysWOW64\Mmebpbod.exe (command line: C:\Windows\system32\Mmebpbod.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Level 40, PID 3888: C:\Windows\SysWOW64\Nnabladg.exe (command line: C:\Windows\system32\Nnabladg.exe)
- Executes dropped EXE
Level 41, PID 2324: C:\Windows\SysWOW64\Ogqmee32.exe (command line: C:\Windows\system32\Ogqmee32.exe)
- Executes dropped EXE
Level 42, PID 1912: C:\Windows\SysWOW64\Pgoigcip.exe (command line: C:\Windows\system32\Pgoigcip.exe)
- Executes dropped EXE
Level 43, PID 3812: C:\Windows\SysWOW64\Pdeffgff.exe (command line: C:\Windows\system32\Pdeffgff.exe)
- Executes dropped EXE
Level 44, PID 2220: C:\Windows\SysWOW64\Qdllffpo.exe (command line: C:\Windows\system32\Qdllffpo.exe)
- Executes dropped EXE
- Modifies registry class
Level 45, PID 408: C:\Windows\SysWOW64\Ailabddb.exe (command line: C:\Windows\system32\Ailabddb.exe)
- Executes dropped EXE
- Modifies registry class
Level 46, PID 2868: C:\Windows\SysWOW64\Aeglbeea.exe (command line: C:\Windows\system32\Aeglbeea.exe)
- Executes dropped EXE
Level 47, PID 1636: C:\Windows\SysWOW64\Bnppkj32.exe (command line: C:\Windows\system32\Bnppkj32.exe)
- Executes dropped EXE
- Drops file in System32 directory
Level 48, PID 3668: C:\Windows\SysWOW64\Bgmnooom.exe (command line: C:\Windows\system32\Bgmnooom.exe)
- Executes dropped EXE
- Modifies registry class
Level 49, PID 1336: C:\Windows\SysWOW64\Cifmoa32.exe (command line: C:\Windows\system32\Cifmoa32.exe)
- Executes dropped EXE
Level 50, PID 852: C:\Windows\SysWOW64\Fcodfa32.exe (command line: C:\Windows\system32\Fcodfa32.exe)
- Executes dropped EXE
Level 51, PID 2596: C:\Windows\SysWOW64\Fiilblom.exe (command line: C:\Windows\system32\Fiilblom.exe)
- Executes dropped EXE
Level 52, PID 2284: C:\Windows\SysWOW64\Gedfblql.exe (command line: C:\Windows\system32\Gedfblql.exe)
- Executes dropped EXE
Level 53, PID 1984: C:\Windows\SysWOW64\Gchflq32.exe (command line: C:\Windows\system32\Gchflq32.exe)
- Executes dropped EXE
Level 54, PID 4964: C:\Windows\SysWOW64\Hladlc32.exe (command line: C:\Windows\system32\Hladlc32.exe)
- Executes dropped EXE
Level 55, PID 5048: C:\Windows\SysWOW64\Jopiom32.exe (command line: C:\Windows\system32\Jopiom32.exe)
- Executes dropped EXE
- Modifies registry class
Level 56, PID 1812: C:\Windows\SysWOW64\Kjlcmdbb.exe (command line: C:\Windows\system32\Kjlcmdbb.exe)
- Executes dropped EXE
Level 57, PID 4592: C:\Windows\SysWOW64\Miklkm32.exe (command line: C:\Windows\system32\Miklkm32.exe)
- Executes dropped EXE
Level 58, PID 4232: C:\Windows\SysWOW64\Mhmmieil.exe (command line: C:\Windows\system32\Mhmmieil.exe)
- Executes dropped EXE
Level 59, PID 3264: C:\Windows\SysWOW64\Nkdlkope.exe (command line: C:\Windows\system32\Nkdlkope.exe)
- Executes dropped EXE
Level 60, PID 1124: C:\Windows\SysWOW64\Ogmiepcf.exe (command line: C:\Windows\system32\Ogmiepcf.exe)
- Executes dropped EXE
Level 61, PID 4028: C:\Windows\SysWOW64\Onqdhh32.exe (command line: C:\Windows\system32\Onqdhh32.exe)
- Executes dropped EXE
Level 62, PID 3172: C:\Windows\SysWOW64\Pjoknhbe.exe (command line: C:\Windows\system32\Pjoknhbe.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Level 63, PID 1532: C:\Windows\SysWOW64\Qajlje32.exe (command line: C:\Windows\system32\Qajlje32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Level 64, PID 2008: C:\Windows\SysWOW64\Qnamofdf.exe (command line: C:\Windows\system32\Qnamofdf.exe)
- Executes dropped EXE
Level 65, PID 4960: C:\Windows\SysWOW64\Aaofedkl.exe (command line: C:\Windows\system32\Aaofedkl.exe)
- Executes dropped EXE
Level 66, PID 3452: C:\Windows\SysWOW64\Ahinbo32.exe (command line: C:\Windows\system32\Ahinbo32.exe)
- Executes dropped EXE
Level 67, PID 548: C:\Windows\SysWOW64\Ababkdij.exe (command line: C:\Windows\system32\Ababkdij.exe)
Level 68, PID 1676: C:\Windows\SysWOW64\Abdoqd32.exe (command line: C:\Windows\system32\Abdoqd32.exe)
Level 69, PID 3440: C:\Windows\SysWOW64\Bjfjee32.exe (command line: C:\Windows\system32\Bjfjee32.exe)
- Modifies registry class
Level 70, PID 5132: C:\Windows\SysWOW64\Cgcmeh32.exe (command line: C:\Windows\system32\Cgcmeh32.exe)
Level 71, PID 5176: C:\Windows\SysWOW64\Dbgndoho.exe (command line: C:\Windows\system32\Dbgndoho.exe)
Level 72, PID 5216: C:\Windows\SysWOW64\Flpkcbqm.exe (command line: C:\Windows\system32\Flpkcbqm.exe)
Level 73, PID 5256: C:\Windows\SysWOW64\Fblpflfg.exe (command line: C:\Windows\system32\Fblpflfg.exe)
Level 74, PID 5296: C:\Windows\SysWOW64\Faamghko.exe (command line: C:\Windows\system32\Faamghko.exe)
Level 75, PID 5340: C:\Windows\SysWOW64\Gbecljnl.exe (command line: C:\Windows\system32\Gbecljnl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
Level 76, PID 5380: C:\Windows\SysWOW64\Hhlnjpdi.exe (command line: C:\Windows\system32\Hhlnjpdi.exe)
Level 77, PID 5420: C:\Windows\SysWOW64\Hccomh32.exe (command line: C:\Windows\system32\Hccomh32.exe)
Level 78, PID 5460: C:\Windows\SysWOW64\Hkodak32.exe (command line: C:\Windows\system32\Hkodak32.exe)
Level 79, PID 5500: C:\Windows\SysWOW64\Hkaqgjme.exe (command line: C:\Windows\system32\Hkaqgjme.exe)
- Modifies registry class
Level 80, PID 5540: C:\Windows\SysWOW64\Icmbcg32.exe (command line: C:\Windows\system32\Icmbcg32.exe)
Level 81, PID 5576: C:\Windows\SysWOW64\Iocchhof.exe (command line: C:\Windows\system32\Iocchhof.exe)
Level 82, PID 5624: C:\Windows\SysWOW64\Ifnkeb32.exe (command line: C:\Windows\system32\Ifnkeb32.exe)
- Modifies registry class
Level 83, PID 5672: C:\Windows\SysWOW64\Jjpmfpid.exe (command line: C:\Windows\system32\Jjpmfpid.exe)
Level 84, PID 5716: C:\Windows\SysWOW64\Jkcfch32.exe (command line: C:\Windows\system32\Jkcfch32.exe)
Level 85, PID 5752: C:\Windows\SysWOW64\Jhhgmlli.exe (command line: C:\Windows\system32\Jhhgmlli.exe)
Level 86, PID 5804: C:\Windows\SysWOW64\Jcmkjeko.exe (command line: C:\Windows\system32\Jcmkjeko.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
Level 87, PID 5856: C:\Windows\SysWOW64\Kmhlijpm.exe (command line: C:\Windows\system32\Kmhlijpm.exe)
Level 88, PID 5900: C:\Windows\SysWOW64\Ljephmgl.exe (command line: C:\Windows\system32\Ljephmgl.exe)
Level 89, PID 5944: C:\Windows\SysWOW64\Lmkbeg32.exe (command line: C:\Windows\system32\Lmkbeg32.exe)
Level 90, PID 5984: C:\Windows\SysWOW64\Llpofd32.exe (command line: C:\Windows\system32\Llpofd32.exe)
Level 91, PID 6024: C:\Windows\SysWOW64\Mbjgcnll.exe (command line: C:\Windows\system32\Mbjgcnll.exe)
- Drops file in System32 directory
Level 92, PID 6076: C:\Windows\SysWOW64\Midoph32.exe (command line: C:\Windows\system32\Midoph32.exe)
Level 93, PID 6116: C:\Windows\SysWOW64\Mfjlolpp.exe (command line: C:\Windows\system32\Mfjlolpp.exe)
- Drops file in System32 directory
Level 94, PID 644: C:\Windows\SysWOW64\Mjheejff.exe (command line: C:\Windows\system32\Mjheejff.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
Level 95, PID 2228: C:\Windows\SysWOW64\Mbcjimda.exe (command line: C:\Windows\system32\Mbcjimda.exe)
Level 96, PID 5128: C:\Windows\SysWOW64\Nlknbb32.exe (command line: C:\Windows\system32\Nlknbb32.exe)
- Drops file in System32 directory
Level 97, PID 5192: C:\Windows\SysWOW64\Niblafgi.exe (command line: C:\Windows\system32\Niblafgi.exe)
Level 98, PID 5284: C:\Windows\SysWOW64\Ndgpnogo.exe (command line: C:\Windows\system32\Ndgpnogo.exe)
Level 99, PID 5372: C:\Windows\SysWOW64\Nidhffef.exe (command line: C:\Windows\system32\Nidhffef.exe)
- Modifies registry class
Level 100, PID 5428: C:\Windows\SysWOW64\Nfjeej32.exe (command line: C:\Windows\system32\Nfjeej32.exe)
Level 101, PID 5508: C:\Windows\SysWOW64\Olgnnqpe.exe (command line: C:\Windows\system32\Olgnnqpe.exe)
Level 102, PID 5572: C:\Windows\SysWOW64\Odqbdnod.exe (command line: C:\Windows\system32\Odqbdnod.exe)
Level 103, PID 5664: C:\Windows\SysWOW64\Ojmgggdo.exe (command line: C:\Windows\system32\Ojmgggdo.exe)
Level 104, PID 5724: C:\Windows\SysWOW64\Olndnp32.exe (command line: C:\Windows\system32\Olndnp32.exe)
- Drops file in System32 directory
Level 105, PID 1356: C:\Windows\SysWOW64\Omnqhbap.exe (command line: C:\Windows\system32\Omnqhbap.exe)
Level 106, PID 5844: C:\Windows\SysWOW64\Pkdngf32.exe (command line: C:\Windows\system32\Pkdngf32.exe)
Level 107, PID 4812: C:\Windows\SysWOW64\Pkigbfja.exe (command line: C:\Windows\system32\Pkigbfja.exe)
Level 108, PID 5896: C:\Windows\SysWOW64\Pljcjn32.exe (command line: C:\Windows\system32\Pljcjn32.exe)
Level 109, PID 5924: C:\Windows\SysWOW64\Pkkdhe32.exe (command line: C:\Windows\system32\Pkkdhe32.exe)
Level 110, PID 6008: C:\Windows\SysWOW64\Qlomemlj.exe (command line: C:\Windows\system32\Qlomemlj.exe)
Level 111, PID 3276: C:\Windows\SysWOW64\Qgdabflp.exe (command line: C:\Windows\system32\Qgdabflp.exe)
Level 112, PID 6108: C:\Windows\SysWOW64\Anqfepaj.exe (command line: C:\Windows\system32\Anqfepaj.exe)
Level 113, PID 1384: C:\Windows\SysWOW64\Akdfndpd.exe (command line: C:\Windows\system32\Akdfndpd.exe)
Level 114, PID 4180: C:\Windows\SysWOW64\Apcllk32.exe (command line: C:\Windows\system32\Apcllk32.exe)
Level 115, PID 5212: C:\Windows\SysWOW64\Bgbmdd32.exe (command line: C:\Windows\system32\Bgbmdd32.exe)
Level 116, PID 5292: C:\Windows\SysWOW64\Bcngddao.exe (command line: C:\Windows\system32\Bcngddao.exe)
- Modifies registry class
Level 117, PID 5412: C:\Windows\SysWOW64\Cnhell32.exe (command line: C:\Windows\system32\Cnhell32.exe)
- Drops file in System32 directory
Level 118, PID 5488: C:\Windows\SysWOW64\Cjcolm32.exe (command line: C:\Windows\system32\Cjcolm32.exe)
Level 119, PID 5616: C:\Windows\SysWOW64\Cjflblll.exe (command line: C:\Windows\system32\Cjflblll.exe)
Level 120, PID 5740: C:\Windows\SysWOW64\Dcgcaq32.exe (command line: C:\Windows\system32\Dcgcaq32.exe)
- Drops file in System32 directory
- Modifies registry class
Level 121, PID 5772: C:\Windows\SysWOW64\Ecoiapdj.exe (command line: C:\Windows\system32\Ecoiapdj.exe)
Level 122, PID 4184: C:\Windows\SysWOW64\Emgnje32.exe (command line: C:\Windows\system32\Emgnje32.exe)
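The process tree and the WriteProcessMemory list are easier to reason about once parsed, so here is an added example (not part of the sandbox report, and not the sandbox vendor's code) that reads an excerpt of both in the raw text layout exported above, rebuilds the parent/child chain from the tree levels, and cross-checks every "wrote to memory of" event against it. A parent writing into the child it has just spawned is routine process creation and is all this report actually shows; a write into any other process would be the one to investigate, and a spawn with no recorded write (Dpefaq32.exe starting Dinjjf32.exe above) is the other gap worth noticing. The regular expressions are written for this page's text layout, the tree excerpt is copied from the tree above, and the final event line is constructed to exercise the non-child case; it does not come from the report.

```python
import re
from collections import Counter

# Excerpt copied from the process tree above (levels 17 to 22), in the raw
# text layout of the report: image path fused to the command line, the tree
# level, the arrow glyph, then the signature bullets and the PID line.
TREE = r"""
C:\Windows\SysWOW64\Cfcoblfb.exeC:\Windows\system32\Cfcoblfb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Dpefaq32.exeC:\Windows\system32\Dpefaq32.exe18⤵
- Executes dropped EXE
- Modifies registry class
PID:1264 -
C:\Windows\SysWOW64\Dinjjf32.exeC:\Windows\system32\Dinjjf32.exe19⤵
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Dbhlikpf.exeC:\Windows\system32\Dbhlikpf.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\SysWOW64\Dpoiho32.exeC:\Windows\system32\Dpoiho32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Eleimp32.exeC:\Windows\system32\Eleimp32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
"""

# WriteProcessMemory events for the same PIDs, copied from the report (which
# lists the 1868 -> 1264 write three times; the others are kept once here).
# The LAST line is CONSTRUCTED, not from the report: a write into a non-child.
EVENTS = """
PID 1868 wrote to memory of 1264 1868 Cfcoblfb.exe 110
PID 1868 wrote to memory of 1264 1868 Cfcoblfb.exe 110
PID 1868 wrote to memory of 1264 1868 Cfcoblfb.exe 110
PID 1740 wrote to memory of 4984 1740 Dinjjf32.exe 112
PID 4984 wrote to memory of 1940 4984 Dbhlikpf.exe 113
PID 1940 wrote to memory of 1624 1940 Dpoiho32.exe 114
PID 1868 wrote to memory of 1940 1868 Cfcoblfb.exe 999
"""

# Layout of this page's export (an assumption about the export, not an API).
ENTRY_RE = re.compile(r'^(?P<image>.+?\.exe)"?(?P<cmd>.+?\.exe)"?(?P<level>\d+)⤵(?:PID:(?P<pid>\d+))?\s*$')
EVENT_RE = re.compile(r"^PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) ")

def parse_tree(text):
    """pid -> {image, cmd, level, parent, sigs}; parent = last entry one level up."""
    procs, last_pid_at_level, current = {}, {}, None

    def finish(pid):                      # the PID closes the current entry
        current["pid"] = pid
        procs[pid] = current
        last_pid_at_level[current["level"]] = pid

    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            level = int(m["level"])
            current = {"image": m["image"], "cmd": m["cmd"], "level": level,
                       "parent": last_pid_at_level.get(level - 1), "sigs": []}
            if m["pid"]:                  # '...67⤵PID:548' form, PID inline
                finish(int(m["pid"]))
        elif current and line.startswith("- "):
            current["sigs"].append(line[2:])
        elif current and line.startswith("PID:"):   # 'PID:1868 -' form
            finish(int(line[4:].split()[0]))
    return procs

def parse_events(text):
    """Count (writer_pid, target_pid) pairs over the 'wrote to memory of' lines."""
    edges = Counter()
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            edges[(int(m["writer"]), int(m["target"]))] += 1
    return edges

def cross_check(procs, edges):
    """Writes into the writer's own child (plain process creation) versus writes
    anywhere else, plus tree edges for which no write was recorded at all."""
    spawn = {e: n for e, n in edges.items() if procs.get(e[1], {}).get("parent") == e[0]}
    other = {e: n for e, n in edges.items() if e not in spawn}
    silent = [(p["parent"], pid) for pid, p in procs.items()
              if p["parent"] is not None and (p["parent"], pid) not in edges]
    return spawn, other, silent

def persistence_pids(procs, marker="Adds autorun key"):
    """PIDs whose signatures carry the autorun-key (Explorer.exe startup) marker."""
    return sorted(pid for pid, p in procs.items() if any(s.startswith(marker) for s in p["sigs"]))

if __name__ == "__main__":
    procs = parse_tree(TREE)
    spawn, other, silent = cross_check(procs, parse_events(EVENTS))
    print("writes into own child (expected):", spawn)
    print("writes elsewhere (look closer):", other)
    print("spawn with no recorded write:", silent)
    print("autorun-key persistence set by:", persistence_pids(procs))
```

On the excerpt this reports four parent-to-child writes (the 1868 to 1264 write counted three times, as the report lists it), the constructed 1868 to 1940 write as the only write into a non-child, the 1264 to 1740 spawn as the one edge with no write at all, and PID 1624 (Eleimp32.exe) as the process that set the autorun key. Fed the full tree, the same functions give the complete set of PIDs behind the "Adds autorun key" signature.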