Analysis
-
max time kernel
161s -
max time network
172s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
16-04-2024 19:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1244e293f7e7d3bfe8c68f993ac56edf651dd653ed67d52165a033520b5a46e1.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
1244e293f7e7d3bfe8c68f993ac56edf651dd653ed67d52165a033520b5a46e1.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
1244e293f7e7d3bfe8c68f993ac56edf651dd653ed67d52165a033520b5a46e1.exe
-
Size
159KB
-
MD5
d308b3379b0830598f69f8df76923676
-
SHA1
b664bc44d9bbd419c8e743b2758caebf4c262117
-
SHA256
1244e293f7e7d3bfe8c68f993ac56edf651dd653ed67d52165a033520b5a46e1
-
SHA512
40790630bd96fa08281d003b751e34d6816826c07594730c74564c5cd7a6c03caa15d394e8e7e1d8e09b84be4c942420c999117d9d35d185a58830e56cc47ca6
-
SSDEEP
3072:6WTGIQ9ubeLNt6ZojMlB5bwf1nFzwSAJB8FgBY5nd/M9dA:6NI3Kn6ZojMvy1n6xJmPM9dA
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gimoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmjinjnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bagmpoco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnnpnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bimkde32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gojgkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agikne32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqfcmdpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcqife32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbmclobc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlfeeelm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbbpgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qmnbej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgimjmfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fckhnaab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kggcgeop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqahmhpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkjmea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbbnim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boipfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmfcfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Neoink32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igdnkhoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmgcidqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aohfdnil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhhldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgimjmfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgbppknb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dobnpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpnfbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iqmincia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnfiapfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohboeenl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oaqbdc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahbjij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkokbn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbcaemdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akffjkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mphamg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfqjkljn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pebfen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfchcijo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idpbhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmnmqdee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oobfhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhbmnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cohkinob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efjbne32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djlkhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhgfoioi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccpdhfmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jebfgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmfpgmil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkdgqbag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Coijja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhglhi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dabhmo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alfpijll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dedceddg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Giinjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmnmqdee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfgnnedj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nkbfpeec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnacfp32.exe -
Executes dropped EXE 64 IoCs
pid Process 4892 Dlqpaafg.exe 1060 Dgfdojfm.exe 3812 Didqkeeq.exe 1620 Dcmedk32.exe 2332 Dekapfke.exe 3432 Emgblc32.exe 4832 Eebgqe32.exe 220 Ephlnn32.exe 2672 Eippgckc.exe 3276 Egdqph32.exe 4792 Fnnimbaj.exe 3916 Fgfmeg32.exe 2464 Fcmnkh32.exe 4048 Flfbcndo.exe 1952 Fgkfqgce.exe 4240 Iqgjmg32.exe 4816 Jeilne32.exe 4120 Jjfdfl32.exe 4456 Jndmlj32.exe 1656 Jnfjbj32.exe 4200 Mmebpbod.exe 1148 Moeoje32.exe 3016 Meoggpmd.exe 3120 Mklpof32.exe 3516 Nmlhaa32.exe 2992 Nhbmnj32.exe 3108 Nnoefagj.exe 4888 Nkbfpeec.exe 4988 Nnabladg.exe 1968 Nhicoi32.exe 5012 Nockkcjg.exe 2196 Nhkpdi32.exe 4680 Onhhmpoo.exe 5092 Oeopnmoa.exe 1956 Ohpiphlb.exe 1228 Oahnhncc.exe 1796 Ohbfeh32.exe 3776 Aohfdnil.exe 4800 Dojlhg32.exe 4088 Ebcdjc32.exe 876 Fbjjkble.exe 3172 Gpjjpe32.exe 1328 Gegchl32.exe 2880 Gplged32.exe 2844 Geipnl32.exe 4836 Gpodkdll.exe 2636 Ggilgn32.exe 1304 Hcaibo32.exe 4020 Hljnkdnk.exe 2668 Hokgmpkl.exe 1964 Hlogfd32.exe 3608 Hgdlcm32.exe 5168 Icklhnop.exe 5204 Kanbjn32.exe 5256 Kclnfi32.exe 5304 Lmdbooik.exe 5348 Likcdpop.exe 5400 Lfodmdni.exe 5444 Mphamg32.exe 5508 Ndejcemn.exe 5552 Nmnnlk32.exe 5604 Nkboeobh.exe 5648 Nalgbi32.exe 5696 Nmbhgjoi.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Nockkcjg.exe Nhicoi32.exe File opened for modification C:\Windows\SysWOW64\Emhdeoel.exe Ejjgic32.exe File created C:\Windows\SysWOW64\Kfpqap32.exe Kofheeoq.exe File created C:\Windows\SysWOW64\Abjllocj.dll Hncmfj32.exe File created C:\Windows\SysWOW64\Ncbcjefh.dll Nahgik32.exe File created C:\Windows\SysWOW64\Cbeaib32.exe Ckkilhjm.exe File created C:\Windows\SysWOW64\Fnnimbaj.exe Egdqph32.exe File created C:\Windows\SysWOW64\Nlhiolfc.dll Oahnhncc.exe File created C:\Windows\SysWOW64\Pqknbmhc.exe Pjnipc32.exe File created C:\Windows\SysWOW64\Djekde32.dll Hkckoe32.exe File created C:\Windows\SysWOW64\Bpkllo32.exe Bmmppc32.exe File created C:\Windows\SysWOW64\Ganppk32.exe Ggfombmd.exe File created C:\Windows\SysWOW64\Igehifaa.dll Ndejcemn.exe File created C:\Windows\SysWOW64\Ogpooc32.dll Lgkhec32.exe File opened for modification C:\Windows\SysWOW64\Hgebif32.exe Gfaikoad.exe File opened for modification C:\Windows\SysWOW64\Dgqqnjea.exe Cmklaaek.exe File created C:\Windows\SysWOW64\Jcmkehcg.exe Jpooimdc.exe File opened for modification C:\Windows\SysWOW64\Eeelge32.exe Ekmhnpfl.exe File created C:\Windows\SysWOW64\Dipnio32.dll Ilgcblnp.exe File opened for modification C:\Windows\SysWOW64\Qmnbej32.exe Qefkcl32.exe File opened for modification C:\Windows\SysWOW64\Oplkgi32.exe Ogcfncjf.exe File opened for modification C:\Windows\SysWOW64\Hmnmqdee.exe Hkpqdifa.exe File created C:\Windows\SysWOW64\Dqdnjfpc.exe Dnfanjqp.exe File created C:\Windows\SysWOW64\Jfcgkj32.dll Baickimp.exe File created C:\Windows\SysWOW64\Feflikdo.dll Aolbedeh.exe File created C:\Windows\SysWOW64\Kmjinjnj.exe Kfpqap32.exe File created C:\Windows\SysWOW64\Ahlohg32.dll Cdbmifdl.exe File opened for modification C:\Windows\SysWOW64\Gfqjkljn.exe Gcbnopkj.exe File created C:\Windows\SysWOW64\Blploo32.dll Docmqp32.exe File opened for modification C:\Windows\SysWOW64\Bfchcijo.exe Bgpggm32.exe File opened for modification C:\Windows\SysWOW64\Cnahmo32.exe Ckclacmi.exe File created C:\Windows\SysWOW64\Fbbpgh32.exe Fpdckm32.exe File created C:\Windows\SysWOW64\Likcdpop.exe Lmdbooik.exe File created C:\Windows\SysWOW64\Mphamg32.exe Lfodmdni.exe File created C:\Windows\SysWOW64\Nqdfipld.dll Epgpajdp.exe File created C:\Windows\SysWOW64\Fahajbek.exe Dkdmpl32.exe File opened for modification C:\Windows\SysWOW64\Cbphncfo.exe Cjecjahd.exe File opened for modification C:\Windows\SysWOW64\Emhkmcbd.exe Eeqclfaa.exe File created C:\Windows\SysWOW64\Dmfecgim.exe Dncehk32.exe File created C:\Windows\SysWOW64\Nchihe32.dll Dnjdncio.exe File created C:\Windows\SysWOW64\Iickdgpb.exe Ifdohl32.exe File created C:\Windows\SysWOW64\Gakmni32.dll Mklpof32.exe File opened for modification C:\Windows\SysWOW64\Ppamjcpj.exe Pgihanii.exe File created C:\Windows\SysWOW64\Hcmbnk32.exe Hlcjaq32.exe File opened for modification C:\Windows\SysWOW64\Jjlmmbfo.exe Jgnqafgk.exe File opened for modification C:\Windows\SysWOW64\Klimbf32.exe Dcaefo32.exe File opened for modification C:\Windows\SysWOW64\Ecgcpc32.exe Elpknehe.exe File created C:\Windows\SysWOW64\Hnfgci32.dll Dabhmo32.exe File created C:\Windows\SysWOW64\Pfjojopo.dll Eidbbp32.exe File created C:\Windows\SysWOW64\Nijlojkd.dll Knioij32.exe File opened for modification C:\Windows\SysWOW64\Ppgeff32.exe Pbcelacq.exe File opened for modification C:\Windows\SysWOW64\Enlqdc32.exe Dfeibf32.exe File created C:\Windows\SysWOW64\Ooaghe32.exe Olcklj32.exe File opened for modification C:\Windows\SysWOW64\Ogklob32.exe Ohjlqklp.exe File created C:\Windows\SysWOW64\Emhkmcbd.exe Eeqclfaa.exe File created C:\Windows\SysWOW64\Lelncp32.dll Pjoknhbe.exe File opened for modification C:\Windows\SysWOW64\Dememj32.exe Docmqp32.exe File opened for modification C:\Windows\SysWOW64\Kdigkjpl.exe Kmaojl32.exe File created C:\Windows\SysWOW64\Fjqgpl32.exe Fbiooolb.exe File opened for modification C:\Windows\SysWOW64\Ffggdmbi.exe Fqjolfda.exe File opened for modification C:\Windows\SysWOW64\Lhdqhp32.exe Lfcdph32.exe File created C:\Windows\SysWOW64\Iblacf32.dll Dnkkcmdb.exe File opened for modification C:\Windows\SysWOW64\Jcfejfag.exe Jkomhhae.exe File created C:\Windows\SysWOW64\Cnjkgf32.exe Cfbcfh32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhlpkkmk.dll" Ohiefdhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khgdpl32.dll" Fmkqknci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioljaael.dll" Fgpilc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohboeenl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipjocgdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebldam32.dll" Fcmnkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnpfje32.dll" Jdodekhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdlpjicj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jggjpgmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndgjmhgb.dll" Cdlpjicj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oickbjmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hklglk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fokbbcmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmpfmc32.dll" Kicdke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmnkdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlknqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Poomom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhconp32.dll" Dlqpaafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blnoad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fckhnaab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qoboofnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hljnkdnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cijdpjle.dll" Dqdnjfpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkgqpaed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaoigndf.dll" Inmggo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjgnln32.dll" 1244e293f7e7d3bfe8c68f993ac56edf651dd653ed67d52165a033520b5a46e1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghpooanf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hilkfajn.dll" Ldmlih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfpkjjaa.dll" Niconj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dehcjghn.dll" Clgbfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aflppc32.dll" Dhqoaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgebif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bpkllo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ikndpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dncehk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmbbhi32.dll" Hmfbcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aalndaml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpibai32.dll" Chhkmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajoagadf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bciddihj.dll" Ifbbbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcdafg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhbmnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfcnchpa.dll" Djlkhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpocciba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bnfiapfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohnelj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmkcjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocpdpf32.dll" Dbgnobpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jdmgok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afcilgif.dll" Dbicjlji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnjkgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nagbcg32.dll" Bhohfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjnipc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmeimo32.dll" Jljbogaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njjnnm32.dll" Amibqhed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Domabi32.dll" Cnahmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbbpgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldpmlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noajcphe.dll" Ikejbjip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpocciba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfqkmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Poomom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcmkehcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfpppj32.dll" Jdaajkfd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2948 wrote to memory of 4892 2948 1244e293f7e7d3bfe8c68f993ac56edf651dd653ed67d52165a033520b5a46e1.exe 96 PID 2948 wrote to memory of 4892 2948 1244e293f7e7d3bfe8c68f993ac56edf651dd653ed67d52165a033520b5a46e1.exe 96 PID 2948 wrote to memory of 4892 2948 1244e293f7e7d3bfe8c68f993ac56edf651dd653ed67d52165a033520b5a46e1.exe 96 PID 4892 wrote to memory of 1060 4892 Dlqpaafg.exe 97 PID 4892 wrote to memory of 1060 4892 Dlqpaafg.exe 97 PID 4892 wrote to memory of 1060 4892 Dlqpaafg.exe 97 PID 1060 wrote to memory of 3812 1060 Dgfdojfm.exe 98 PID 1060 wrote to memory of 3812 1060 Dgfdojfm.exe 98 PID 1060 wrote to memory of 3812 1060 Dgfdojfm.exe 98 PID 3812 wrote to memory of 1620 3812 Didqkeeq.exe 99 PID 3812 wrote to memory of 1620 3812 Didqkeeq.exe 99 PID 3812 wrote to memory of 1620 3812 Didqkeeq.exe 99 PID 1620 wrote to memory of 2332 1620 Dcmedk32.exe 100 PID 1620 wrote to memory of 2332 1620 Dcmedk32.exe 100 PID 1620 wrote to memory of 2332 1620 Dcmedk32.exe 100 PID 2332 wrote to memory of 3432 2332 Dekapfke.exe 101 PID 2332 wrote to memory of 3432 2332 Dekapfke.exe 101 PID 2332 wrote to memory of 3432 2332 Dekapfke.exe 101 PID 3432 wrote to memory of 4832 3432 Emgblc32.exe 102 PID 3432 wrote to memory of 4832 3432 Emgblc32.exe 102 PID 3432 wrote to memory of 4832 3432 Emgblc32.exe 102 PID 4832 wrote to memory of 220 4832 Eebgqe32.exe 103 PID 4832 wrote to memory of 220 4832 Eebgqe32.exe 103 PID 4832 wrote to memory of 220 4832 Eebgqe32.exe 103 PID 220 wrote to memory of 2672 220 Ephlnn32.exe 104 PID 220 wrote to memory of 2672 220 Ephlnn32.exe 104 PID 220 wrote to memory of 2672 220 Ephlnn32.exe 104 PID 2672 wrote to memory of 3276 2672 Eippgckc.exe 105 PID 2672 wrote to memory of 3276 2672 Eippgckc.exe 105 PID 2672 wrote to memory of 3276 2672 Eippgckc.exe 105 PID 3276 wrote to memory of 4792 3276 Egdqph32.exe 106 PID 3276 wrote to memory of 4792 3276 Egdqph32.exe 106 PID 3276 wrote to memory of 4792 3276 Egdqph32.exe 106 PID 4792 wrote to memory of 3916 4792 Fnnimbaj.exe 107 PID 4792 wrote to memory of 3916 4792 Fnnimbaj.exe 107 PID 4792 wrote to memory of 3916 4792 Fnnimbaj.exe 107 PID 3916 wrote to memory of 2464 3916 Fgfmeg32.exe 108 PID 3916 wrote to memory of 2464 3916 Fgfmeg32.exe 108 PID 3916 wrote to memory of 2464 3916 Fgfmeg32.exe 108 PID 2464 wrote to memory of 4048 2464 Fcmnkh32.exe 109 PID 2464 wrote to memory of 4048 2464 Fcmnkh32.exe 109 PID 2464 wrote to memory of 4048 2464 Fcmnkh32.exe 109 PID 4048 wrote to memory of 1952 4048 Flfbcndo.exe 110 PID 4048 wrote to memory of 1952 4048 Flfbcndo.exe 110 PID 4048 wrote to memory of 1952 4048 Flfbcndo.exe 110 PID 1952 wrote to memory of 4240 1952 Fgkfqgce.exe 111 PID 1952 wrote to memory of 4240 1952 Fgkfqgce.exe 111 PID 1952 wrote to memory of 4240 1952 Fgkfqgce.exe 111 PID 4240 wrote to memory of 4816 4240 Iqgjmg32.exe 112 PID 4240 wrote to memory of 4816 4240 Iqgjmg32.exe 112 PID 4240 wrote to memory of 4816 4240 Iqgjmg32.exe 112 PID 4816 wrote to memory of 4120 4816 Jeilne32.exe 113 PID 4816 wrote to memory of 4120 4816 Jeilne32.exe 113 PID 4816 wrote to memory of 4120 4816 Jeilne32.exe 113 PID 4120 wrote to memory of 4456 4120 Jjfdfl32.exe 114 PID 4120 wrote to memory of 4456 4120 Jjfdfl32.exe 114 PID 4120 wrote to memory of 4456 4120 Jjfdfl32.exe 114 PID 4456 wrote to memory of 1656 4456 Jndmlj32.exe 115 PID 4456 wrote to memory of 1656 4456 Jndmlj32.exe 115 PID 4456 wrote to memory of 1656 4456 Jndmlj32.exe 115 PID 1656 wrote to memory of 4200 1656 Jnfjbj32.exe 116 PID 1656 wrote to memory of 4200 1656 Jnfjbj32.exe 116 PID 1656 wrote to memory of 4200 1656 Jnfjbj32.exe 116 PID 4200 wrote to memory of 1148 4200 Mmebpbod.exe 117
Processes
-
C:\Users\Admin\AppData\Local\Temp\1244e293f7e7d3bfe8c68f993ac56edf651dd653ed67d52165a033520b5a46e1.exe"C:\Users\Admin\AppData\Local\Temp\1244e293f7e7d3bfe8c68f993ac56edf651dd653ed67d52165a033520b5a46e1.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Dlqpaafg.exeC:\Windows\system32\Dlqpaafg.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Windows\SysWOW64\Dgfdojfm.exeC:\Windows\system32\Dgfdojfm.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\Didqkeeq.exeC:\Windows\system32\Didqkeeq.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
C:\Windows\SysWOW64\Dcmedk32.exeC:\Windows\system32\Dcmedk32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Dekapfke.exeC:\Windows\system32\Dekapfke.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Emgblc32.exeC:\Windows\system32\Emgblc32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
C:\Windows\SysWOW64\Eebgqe32.exeC:\Windows\system32\Eebgqe32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\SysWOW64\Ephlnn32.exeC:\Windows\system32\Ephlnn32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\SysWOW64\Eippgckc.exeC:\Windows\system32\Eippgckc.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Egdqph32.exeC:\Windows\system32\Egdqph32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Windows\SysWOW64\Fnnimbaj.exeC:\Windows\system32\Fnnimbaj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Windows\SysWOW64\Fgfmeg32.exeC:\Windows\system32\Fgfmeg32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Windows\SysWOW64\Fcmnkh32.exeC:\Windows\system32\Fcmnkh32.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Flfbcndo.exeC:\Windows\system32\Flfbcndo.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Windows\SysWOW64\Fgkfqgce.exeC:\Windows\system32\Fgkfqgce.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Iqgjmg32.exeC:\Windows\system32\Iqgjmg32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
C:\Windows\SysWOW64\Jeilne32.exeC:\Windows\system32\Jeilne32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Windows\SysWOW64\Jjfdfl32.exeC:\Windows\system32\Jjfdfl32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
C:\Windows\SysWOW64\Jndmlj32.exeC:\Windows\system32\Jndmlj32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Windows\SysWOW64\Jnfjbj32.exeC:\Windows\system32\Jnfjbj32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Mmebpbod.exeC:\Windows\system32\Mmebpbod.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Windows\SysWOW64\Moeoje32.exeC:\Windows\system32\Moeoje32.exe23⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Meoggpmd.exeC:\Windows\system32\Meoggpmd.exe24⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Mklpof32.exeC:\Windows\system32\Mklpof32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3120 -
C:\Windows\SysWOW64\Nmlhaa32.exeC:\Windows\system32\Nmlhaa32.exe26⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Nhbmnj32.exeC:\Windows\system32\Nhbmnj32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Nnoefagj.exeC:\Windows\system32\Nnoefagj.exe28⤵
- Executes dropped EXE
PID:3108 -
C:\Windows\SysWOW64\Nkbfpeec.exeC:\Windows\system32\Nkbfpeec.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Nnabladg.exeC:\Windows\system32\Nnabladg.exe30⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Nhicoi32.exeC:\Windows\system32\Nhicoi32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Nockkcjg.exeC:\Windows\system32\Nockkcjg.exe32⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Nhkpdi32.exeC:\Windows\system32\Nhkpdi32.exe33⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Onhhmpoo.exeC:\Windows\system32\Onhhmpoo.exe34⤵
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\Oeopnmoa.exeC:\Windows\system32\Oeopnmoa.exe35⤵
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Ohpiphlb.exeC:\Windows\system32\Ohpiphlb.exe36⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Oahnhncc.exeC:\Windows\system32\Oahnhncc.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1228 -
C:\Windows\SysWOW64\Ohbfeh32.exeC:\Windows\system32\Ohbfeh32.exe38⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Aohfdnil.exeC:\Windows\system32\Aohfdnil.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3776 -
C:\Windows\SysWOW64\Dojlhg32.exeC:\Windows\system32\Dojlhg32.exe40⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Ebcdjc32.exeC:\Windows\system32\Ebcdjc32.exe41⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Fbjjkble.exeC:\Windows\system32\Fbjjkble.exe42⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Gpjjpe32.exeC:\Windows\system32\Gpjjpe32.exe43⤵
- Executes dropped EXE
PID:3172 -
C:\Windows\SysWOW64\Gegchl32.exeC:\Windows\system32\Gegchl32.exe44⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Gplged32.exeC:\Windows\system32\Gplged32.exe45⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Geipnl32.exeC:\Windows\system32\Geipnl32.exe46⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Gpodkdll.exeC:\Windows\system32\Gpodkdll.exe47⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Ggilgn32.exeC:\Windows\system32\Ggilgn32.exe48⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Hcaibo32.exeC:\Windows\system32\Hcaibo32.exe49⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Hljnkdnk.exeC:\Windows\system32\Hljnkdnk.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:4020 -
C:\Windows\SysWOW64\Hokgmpkl.exeC:\Windows\system32\Hokgmpkl.exe51⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Hlogfd32.exeC:\Windows\system32\Hlogfd32.exe52⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Hgdlcm32.exeC:\Windows\system32\Hgdlcm32.exe53⤵
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Icklhnop.exeC:\Windows\system32\Icklhnop.exe54⤵
- Executes dropped EXE
PID:5168 -
C:\Windows\SysWOW64\Kanbjn32.exeC:\Windows\system32\Kanbjn32.exe55⤵
- Executes dropped EXE
PID:5204 -
C:\Windows\SysWOW64\Kclnfi32.exeC:\Windows\system32\Kclnfi32.exe56⤵
- Executes dropped EXE
PID:5256 -
C:\Windows\SysWOW64\Lmdbooik.exeC:\Windows\system32\Lmdbooik.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5304 -
C:\Windows\SysWOW64\Likcdpop.exeC:\Windows\system32\Likcdpop.exe58⤵
- Executes dropped EXE
PID:5348 -
C:\Windows\SysWOW64\Lfodmdni.exeC:\Windows\system32\Lfodmdni.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5400 -
C:\Windows\SysWOW64\Mphamg32.exeC:\Windows\system32\Mphamg32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5444 -
C:\Windows\SysWOW64\Ndejcemn.exeC:\Windows\system32\Ndejcemn.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5508 -
C:\Windows\SysWOW64\Nmnnlk32.exeC:\Windows\system32\Nmnnlk32.exe62⤵
- Executes dropped EXE
PID:5552 -
C:\Windows\SysWOW64\Nkboeobh.exeC:\Windows\system32\Nkboeobh.exe63⤵
- Executes dropped EXE
PID:5604 -
C:\Windows\SysWOW64\Nalgbi32.exeC:\Windows\system32\Nalgbi32.exe64⤵
- Executes dropped EXE
PID:5648 -
C:\Windows\SysWOW64\Nmbhgjoi.exeC:\Windows\system32\Nmbhgjoi.exe65⤵
- Executes dropped EXE
PID:5696 -
C:\Windows\SysWOW64\Nhhldc32.exeC:\Windows\system32\Nhhldc32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5748 -
C:\Windows\SysWOW64\Nkghqo32.exeC:\Windows\system32\Nkghqo32.exe67⤵PID:5788
-
C:\Windows\SysWOW64\Npcaie32.exeC:\Windows\system32\Npcaie32.exe68⤵PID:5828
-
C:\Windows\SysWOW64\Omgabj32.exeC:\Windows\system32\Omgabj32.exe69⤵PID:5868
-
C:\Windows\SysWOW64\Ophjdehd.exeC:\Windows\system32\Ophjdehd.exe70⤵PID:5908
-
C:\Windows\SysWOW64\Oickbjmb.exeC:\Windows\system32\Oickbjmb.exe71⤵
- Modifies registry class
PID:5948 -
C:\Windows\SysWOW64\Oalpigkb.exeC:\Windows\system32\Oalpigkb.exe72⤵PID:5988
-
C:\Windows\SysWOW64\Pgihanii.exeC:\Windows\system32\Pgihanii.exe73⤵
- Drops file in System32 directory
PID:6028 -
C:\Windows\SysWOW64\Ppamjcpj.exeC:\Windows\system32\Ppamjcpj.exe74⤵PID:6068
-
C:\Windows\SysWOW64\Pnenchoc.exeC:\Windows\system32\Pnenchoc.exe75⤵PID:6108
-
C:\Windows\SysWOW64\Phkaqqoi.exeC:\Windows\system32\Phkaqqoi.exe76⤵PID:5136
-
C:\Windows\SysWOW64\Pacfjfej.exeC:\Windows\system32\Pacfjfej.exe77⤵PID:5212
-
C:\Windows\SysWOW64\Pjoknhbe.exeC:\Windows\system32\Pjoknhbe.exe78⤵
- Drops file in System32 directory
PID:5184 -
C:\Windows\SysWOW64\Pddokabk.exeC:\Windows\system32\Pddokabk.exe79⤵PID:5312
-
C:\Windows\SysWOW64\Pahpee32.exeC:\Windows\system32\Pahpee32.exe80⤵PID:5388
-
C:\Windows\SysWOW64\Gogjflhf.exeC:\Windows\system32\Gogjflhf.exe81⤵PID:376
-
C:\Windows\SysWOW64\Gaffbg32.exeC:\Windows\system32\Gaffbg32.exe82⤵PID:5516
-
C:\Windows\SysWOW64\Gimoce32.exeC:\Windows\system32\Gimoce32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5588 -
C:\Windows\SysWOW64\Ghpooanf.exeC:\Windows\system32\Ghpooanf.exe84⤵
- Modifies registry class
PID:5572 -
C:\Windows\SysWOW64\Gojgkl32.exeC:\Windows\system32\Gojgkl32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5644 -
C:\Windows\SysWOW64\Gahcgg32.exeC:\Windows\system32\Gahcgg32.exe86⤵PID:5776
-
C:\Windows\SysWOW64\Ghdhja32.exeC:\Windows\system32\Ghdhja32.exe87⤵PID:5836
-
C:\Windows\SysWOW64\Glbapoqh.exeC:\Windows\system32\Glbapoqh.exe88⤵PID:5904
-
C:\Windows\SysWOW64\Hhiaepfl.exeC:\Windows\system32\Hhiaepfl.exe89⤵PID:5984
-
C:\Windows\SysWOW64\Hocjaj32.exeC:\Windows\system32\Hocjaj32.exe90⤵PID:6036
-
C:\Windows\SysWOW64\Hiinoc32.exeC:\Windows\system32\Hiinoc32.exe91⤵PID:6100
-
C:\Windows\SysWOW64\Hikkdc32.exeC:\Windows\system32\Hikkdc32.exe92⤵PID:5152
-
C:\Windows\SysWOW64\Hklglk32.exeC:\Windows\system32\Hklglk32.exe93⤵
- Modifies registry class
PID:5236 -
C:\Windows\SysWOW64\Hllcfnhm.exeC:\Windows\system32\Hllcfnhm.exe94⤵PID:5316
-
C:\Windows\SysWOW64\Hcflch32.exeC:\Windows\system32\Hcflch32.exe95⤵PID:5440
-
C:\Windows\SysWOW64\Hkaqgjme.exeC:\Windows\system32\Hkaqgjme.exe96⤵PID:5548
-
C:\Windows\SysWOW64\Ikcmmjkb.exeC:\Windows\system32\Ikcmmjkb.exe97⤵PID:4068
-
C:\Windows\SysWOW64\Ijdnka32.exeC:\Windows\system32\Ijdnka32.exe98⤵PID:5620
-
C:\Windows\SysWOW64\Ikejbjip.exeC:\Windows\system32\Ikejbjip.exe99⤵
- Modifies registry class
PID:5732 -
C:\Windows\SysWOW64\Ileflmpb.exeC:\Windows\system32\Ileflmpb.exe100⤵PID:5852
-
C:\Windows\SysWOW64\Iabodcnj.exeC:\Windows\system32\Iabodcnj.exe101⤵PID:5976
-
C:\Windows\SysWOW64\Ilgcblnp.exeC:\Windows\system32\Ilgcblnp.exe102⤵
- Drops file in System32 directory
PID:6076 -
C:\Windows\SysWOW64\Icakofel.exeC:\Windows\system32\Icakofel.exe103⤵PID:5124
-
C:\Windows\SysWOW64\Iadljc32.exeC:\Windows\system32\Iadljc32.exe104⤵PID:5340
-
C:\Windows\SysWOW64\Jfbdpabn.exeC:\Windows\system32\Jfbdpabn.exe105⤵PID:5504
-
C:\Windows\SysWOW64\Jkomhhae.exeC:\Windows\system32\Jkomhhae.exe106⤵
- Drops file in System32 directory
PID:4420 -
C:\Windows\SysWOW64\Jcfejfag.exeC:\Windows\system32\Jcfejfag.exe107⤵PID:5764
-
C:\Windows\SysWOW64\Jloibkhh.exeC:\Windows\system32\Jloibkhh.exe108⤵PID:5956
-
C:\Windows\SysWOW64\Jchaoe32.exeC:\Windows\system32\Jchaoe32.exe109⤵PID:6096
-
C:\Windows\SysWOW64\Jkfcigkm.exeC:\Windows\system32\Jkfcigkm.exe110⤵PID:5416
-
C:\Windows\SysWOW64\Jhjcbljf.exeC:\Windows\system32\Jhjcbljf.exe111⤵PID:212
-
C:\Windows\SysWOW64\Kfndlphp.exeC:\Windows\system32\Kfndlphp.exe112⤵PID:5688
-
C:\Windows\SysWOW64\Kofheeoq.exeC:\Windows\system32\Kofheeoq.exe113⤵
- Drops file in System32 directory
PID:6060 -
C:\Windows\SysWOW64\Kfpqap32.exeC:\Windows\system32\Kfpqap32.exe114⤵
- Drops file in System32 directory
PID:5452 -
C:\Windows\SysWOW64\Kmjinjnj.exeC:\Windows\system32\Kmjinjnj.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4928 -
C:\Windows\SysWOW64\Kiajck32.exeC:\Windows\system32\Kiajck32.exe116⤵PID:6000
-
C:\Windows\SysWOW64\Kkofofbb.exeC:\Windows\system32\Kkofofbb.exe117⤵PID:2268
-
C:\Windows\SysWOW64\Kfejmobh.exeC:\Windows\system32\Kfejmobh.exe118⤵PID:4292
-
C:\Windows\SysWOW64\Agikne32.exeC:\Windows\system32\Agikne32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5332 -
C:\Windows\SysWOW64\Acpkbf32.exeC:\Windows\system32\Acpkbf32.exe120⤵PID:4148
-
C:\Windows\SysWOW64\Adohmidb.exeC:\Windows\system32\Adohmidb.exe121⤵PID:5584
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-