Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
19-04-2024 04:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f5fe924434cf8c987e52378abe929c2b1e5bde4299a09cebebd845909641a3bb.exe
Resource
win7-20231129-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
f5fe924434cf8c987e52378abe929c2b1e5bde4299a09cebebd845909641a3bb.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
f5fe924434cf8c987e52378abe929c2b1e5bde4299a09cebebd845909641a3bb.exe
-
Size
144KB
-
MD5
12987944a13d5895a16911dd197874e8
-
SHA1
8a8c95d956fed594ce1dae0df33d17b5b9c065f4
-
SHA256
f5fe924434cf8c987e52378abe929c2b1e5bde4299a09cebebd845909641a3bb
-
SHA512
755ba1953be8cf05f859ef358f06afada858aa0ac14c4ba1ef5c053076a2976a2d29db2e4786f7c966de300582cd25175d4916adf7bf403ab5b2976cf158f633
-
SSDEEP
3072:uIzm7cMsTANJPnDvzHLQMQH2qC7ZQOlzSLUK6MwGsGnDc9nhVizLrId0:ufYxKJPnDvzH0MQWfdQOhwJ6MwGsmLr9
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogfpbeim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Penfelgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ambmpmln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjijdadm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgfqaiod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmaled32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iipgcaob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbkameaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiomkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afcenm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aamfnkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anafhopc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkcofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdpndnei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cndbcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmmfkafa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfjbgnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbkknojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljffag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njgldmdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paggai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cllpkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdapak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdpjlajk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iolmbpfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhjgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odobjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpnojioo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djbiicon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hacmcfge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbpnanch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgmalg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imeggc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngfcca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aigaon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahokfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ombapedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qbelgood.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jakfkfpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldfgebbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojolhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pklhlael.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bocolb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikekmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abmibdlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cciemedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjgoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfjqnjkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdniqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdniqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mepnpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iffeoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peiljl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgfjbgmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghfbqn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keoapb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhpfqama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maoajf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlkopcge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihjnom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cckace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flabbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adnopfoj.exe -
Executes dropped EXE 64 IoCs
pid Process 1828 Ijoeji32.exe 2112 Iolmbpfe.exe 2664 Ichico32.exe 2600 Iffeoj32.exe 2976 Ijaapifk.exe 2532 Impnldeo.exe 2540 Impnldeo.exe 1924 Icjfhn32.exe 2988 Iigoqe32.exe 1160 Ikekmq32.exe 944 Ioagno32.exe 2924 Ibocjk32.exe 864 Ifkojiim.exe 1612 Iiikfehq.exe 1136 Imeggc32.exe 1980 Ibapoj32.exe 792 Jnhqdkde.exe 1296 Jagmpg32.exe 1512 Jebiaelb.exe 2172 Jgqemakf.exe 1740 Jnkmjk32.exe 2020 Jaiiff32.exe 1788 Jedefejo.exe 2252 Jjanolhg.exe 924 Jnmjok32.exe 904 Jakfkfpc.exe 2552 Jmbgpg32.exe 2596 Jancafna.exe 1508 Jclomamd.exe 1584 Jghknp32.exe 2856 Jiigehkl.exe 2684 Kpcpbb32.exe 3000 Kcolba32.exe 1768 Kikdkh32.exe 2160 Kmgpkfab.exe 1448 Kpemgbqf.exe 2832 Kbcicmpj.exe 2940 Kebepion.exe 1228 Kllmmc32.exe 1684 Kphimanc.exe 1280 Knjiin32.exe 1660 Kbfeimng.exe 2276 Kedaeh32.exe 1112 Kipnfged.exe 1912 Klnjbbdh.exe 1864 Kpjfba32.exe 1144 Komfnnck.exe 2152 Klqfhbbe.exe 984 Koocdnai.exe 640 Kanopipl.exe 1996 Llccmb32.exe 3056 Loapim32.exe 3064 Lekhfgfc.exe 2572 Lfmdnp32.exe 1692 Lodlom32.exe 2868 Labhkh32.exe 2480 Lpeifeca.exe 1620 Lgoacojo.exe 2488 Lkkmdn32.exe 2352 Lmiipi32.exe 1920 Lpgele32.exe 3048 Ldcamcih.exe 2812 Lbfahp32.exe 2948 Lipjejgp.exe -
Loads dropped DLL 64 IoCs
pid Process 2748 f5fe924434cf8c987e52378abe929c2b1e5bde4299a09cebebd845909641a3bb.exe 2748 f5fe924434cf8c987e52378abe929c2b1e5bde4299a09cebebd845909641a3bb.exe 1828 Ijoeji32.exe 1828 Ijoeji32.exe 2112 Iolmbpfe.exe 2112 Iolmbpfe.exe 2664 Ichico32.exe 2664 Ichico32.exe 2600 Iffeoj32.exe 2600 Iffeoj32.exe 2976 Ijaapifk.exe 2976 Ijaapifk.exe 2532 Impnldeo.exe 2532 Impnldeo.exe 2540 Impnldeo.exe 2540 Impnldeo.exe 1924 Icjfhn32.exe 1924 Icjfhn32.exe 2988 Iigoqe32.exe 2988 Iigoqe32.exe 1160 Ikekmq32.exe 1160 Ikekmq32.exe 944 Ioagno32.exe 944 Ioagno32.exe 2924 Ibocjk32.exe 2924 Ibocjk32.exe 864 Ifkojiim.exe 864 Ifkojiim.exe 1612 Iiikfehq.exe 1612 Iiikfehq.exe 1136 Imeggc32.exe 1136 Imeggc32.exe 1980 Ibapoj32.exe 1980 Ibapoj32.exe 792 Jnhqdkde.exe 792 Jnhqdkde.exe 1296 Jagmpg32.exe 1296 Jagmpg32.exe 1512 Jebiaelb.exe 1512 Jebiaelb.exe 2172 Jgqemakf.exe 2172 Jgqemakf.exe 1740 Jnkmjk32.exe 1740 Jnkmjk32.exe 2020 Jaiiff32.exe 2020 Jaiiff32.exe 1788 Jedefejo.exe 1788 Jedefejo.exe 2252 Jjanolhg.exe 2252 Jjanolhg.exe 924 Jnmjok32.exe 924 Jnmjok32.exe 904 Jakfkfpc.exe 904 Jakfkfpc.exe 2552 Jmbgpg32.exe 2552 Jmbgpg32.exe 2596 Jancafna.exe 2596 Jancafna.exe 1508 Jclomamd.exe 1508 Jclomamd.exe 1584 Jghknp32.exe 1584 Jghknp32.exe 2856 Jiigehkl.exe 2856 Jiigehkl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kfammbdf.dll Pfdpip32.exe File created C:\Windows\SysWOW64\Ambcae32.dll Eloemi32.exe File created C:\Windows\SysWOW64\Kpkofpgq.exe Kahojc32.exe File opened for modification C:\Windows\SysWOW64\Nlbeqb32.exe Nhfipcid.exe File opened for modification C:\Windows\SysWOW64\Aamfnkai.exe Abjebn32.exe File opened for modification C:\Windows\SysWOW64\Ambmpmln.exe Aigaon32.exe File created C:\Windows\SysWOW64\Jdnaob32.dll Iknnbklc.exe File created C:\Windows\SysWOW64\Fpgiom32.dll Bdeeqehb.exe File created C:\Windows\SysWOW64\Jcjdpj32.exe Jdgdempa.exe File created C:\Windows\SysWOW64\Lbfdaigg.exe Laegiq32.exe File opened for modification C:\Windows\SysWOW64\Nccjhafn.exe Nohnhc32.exe File created C:\Windows\SysWOW64\Geolea32.exe Gacpdbej.exe File created C:\Windows\SysWOW64\Lbeknj32.exe Lojomkdn.exe File opened for modification C:\Windows\SysWOW64\Obafnlpn.exe Ocnfbo32.exe File created C:\Windows\SysWOW64\Kkgklabn.dll Qbelgood.exe File created C:\Windows\SysWOW64\Qdkghm32.dll Idnaoohk.exe File opened for modification C:\Windows\SysWOW64\Kanopipl.exe Koocdnai.exe File created C:\Windows\SysWOW64\Paejki32.exe Pminkk32.exe File created C:\Windows\SysWOW64\Clphjpmh.dll Fdapak32.exe File opened for modification C:\Windows\SysWOW64\Iqopea32.exe Iblpjdpk.exe File opened for modification C:\Windows\SysWOW64\Nlcnda32.exe Nmpnhdfc.exe File opened for modification C:\Windows\SysWOW64\Jmbgpg32.exe Jakfkfpc.exe File opened for modification C:\Windows\SysWOW64\Alenki32.exe Ambmpmln.exe File created C:\Windows\SysWOW64\Begeknan.exe Balijo32.exe File created C:\Windows\SysWOW64\Ngnbgplj.exe Nhkbkc32.exe File opened for modification C:\Windows\SysWOW64\Qabcjgkh.exe Pikkiijf.exe File opened for modification C:\Windows\SysWOW64\Adpkee32.exe Aemkjiem.exe File created C:\Windows\SysWOW64\Cillgpen.dll Dmafennb.exe File created C:\Windows\SysWOW64\Deokcq32.dll Bpafkknm.exe File created C:\Windows\SysWOW64\Lfjqnjkh.exe Lpphap32.exe File opened for modification C:\Windows\SysWOW64\Nolhan32.exe Mpigfa32.exe File created C:\Windows\SysWOW64\Ekhhadmk.exe Ecqqpgli.exe File created C:\Windows\SysWOW64\Mdghad32.dll Hlljjjnm.exe File opened for modification C:\Windows\SysWOW64\Ifkojiim.exe Ibocjk32.exe File created C:\Windows\SysWOW64\Admemg32.exe Alenki32.exe File created C:\Windows\SysWOW64\Pmddhkao.dll Bagpopmj.exe File created C:\Windows\SysWOW64\Bokphdld.exe Bkodhe32.exe File created C:\Windows\SysWOW64\Mkaggelk.dll Doobajme.exe File opened for modification C:\Windows\SysWOW64\Goddhg32.exe Gkihhhnm.exe File opened for modification C:\Windows\SysWOW64\Ogblbo32.exe Ocgpappk.exe File created C:\Windows\SysWOW64\Pmanoifd.exe Pkpagq32.exe File opened for modification C:\Windows\SysWOW64\Fbopgb32.exe Fncdgcqm.exe File opened for modification C:\Windows\SysWOW64\Lbfdaigg.exe Laegiq32.exe File opened for modification C:\Windows\SysWOW64\Ldenbcge.exe Lmkfei32.exe File opened for modification C:\Windows\SysWOW64\Iblpjdpk.exe Ijeghgoh.exe File created C:\Windows\SysWOW64\Bebpkk32.dll Cpnojioo.exe File opened for modification C:\Windows\SysWOW64\Ndjfeo32.exe Nlcnda32.exe File opened for modification C:\Windows\SysWOW64\Nhnfkigh.exe Njkfpl32.exe File created C:\Windows\SysWOW64\Omgaek32.exe Ojieip32.exe File opened for modification C:\Windows\SysWOW64\Ffkcbgek.exe Fcmgfkeg.exe File opened for modification C:\Windows\SysWOW64\Ghhofmql.exe Gieojq32.exe File created C:\Windows\SysWOW64\Nkiogn32.exe Ngnbgplj.exe File opened for modification C:\Windows\SysWOW64\Nkbalifo.exe Nckjkl32.exe File opened for modification C:\Windows\SysWOW64\Mlfojn32.exe Migbnb32.exe File created C:\Windows\SysWOW64\Gejcjbah.exe Gangic32.exe File created C:\Windows\SysWOW64\Liqebf32.dll Hlfdkoin.exe File created C:\Windows\SysWOW64\Jdjfho32.dll Dcenlceh.exe File created C:\Windows\SysWOW64\Dkcofe32.exe Dggcffhg.exe File opened for modification C:\Windows\SysWOW64\Lfdmggnm.exe Lbiqfied.exe File created C:\Windows\SysWOW64\Moanaiie.exe Mlcbenjb.exe File created C:\Windows\SysWOW64\Alpmfdcb.exe Ahdaee32.exe File opened for modification C:\Windows\SysWOW64\Bpmiamoh.dll Kiqpop32.exe File created C:\Windows\SysWOW64\Kkolkk32.exe Kgcpjmcb.exe File created C:\Windows\SysWOW64\Jkkndnka.dll Llccmb32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inkccpgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jicgpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkpagq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfadgq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgjefg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofbjgh32.dll" Mlkopcge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpdhklkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebpge32.dll" Gdopkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbkeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbpij32.dll" Gkihhhnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlphkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clcflkic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmnmk32.dll" Jbgbni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpnojioo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jghmfhmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljkomfjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cciemedf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjknnbed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Affhncfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgfjbgmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdanej32.dll" Fcmgfkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll" Ghfbqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojahnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bekkcljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnnajckm.dll" Ojkboo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbgpffch.dll" Cdlgpgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnhkcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohibdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdihmjpf.dll" Ajhgmpfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbgkoe32.dll" Bpgljfbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnffgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nelkpj32.dll" Jchhkjhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndpaod32.dll" Jqdipqbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obneof32.dll" Ngfcca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojcecjee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lndipl32.dll" Lekhfgfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Piphee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdmmkgf.dll" Ijaapifk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhjgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hogmmjfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jofiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fanjadqp.dll" Qpgpkcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdikkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baildokg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Moidahcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njqaac32.dll" Eflgccbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onphoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkddnkjk.dll" Ambmpmln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bagpopmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgfjbgmh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbgbni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kafbec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmceigep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfmdnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gakcimgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kegqdqbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kacgbnfl.dll" Laegiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkbalifo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nocnbmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhfilfi.dll" Cjpqdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambcae32.dll" Eloemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll" Gkgkbipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjgjmd32.dll" Ogjimd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgpdbgm.dll" Nfmmin32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2748 wrote to memory of 1828 2748 f5fe924434cf8c987e52378abe929c2b1e5bde4299a09cebebd845909641a3bb.exe 28 PID 2748 wrote to memory of 1828 2748 f5fe924434cf8c987e52378abe929c2b1e5bde4299a09cebebd845909641a3bb.exe 28 PID 2748 wrote to memory of 1828 2748 f5fe924434cf8c987e52378abe929c2b1e5bde4299a09cebebd845909641a3bb.exe 28 PID 2748 wrote to memory of 1828 2748 f5fe924434cf8c987e52378abe929c2b1e5bde4299a09cebebd845909641a3bb.exe 28 PID 1828 wrote to memory of 2112 1828 Ijoeji32.exe 29 PID 1828 wrote to memory of 2112 1828 Ijoeji32.exe 29 PID 1828 wrote to memory of 2112 1828 Ijoeji32.exe 29 PID 1828 wrote to memory of 2112 1828 Ijoeji32.exe 29 PID 2112 wrote to memory of 2664 2112 Iolmbpfe.exe 30 PID 2112 wrote to memory of 2664 2112 Iolmbpfe.exe 30 PID 2112 wrote to memory of 2664 2112 Iolmbpfe.exe 30 PID 2112 wrote to memory of 2664 2112 Iolmbpfe.exe 30 PID 2664 wrote to memory of 2600 2664 Ichico32.exe 31 PID 2664 wrote to memory of 2600 2664 Ichico32.exe 31 PID 2664 wrote to memory of 2600 2664 Ichico32.exe 31 PID 2664 wrote to memory of 2600 2664 Ichico32.exe 31 PID 2600 wrote to memory of 2976 2600 Iffeoj32.exe 32 PID 2600 wrote to memory of 2976 2600 Iffeoj32.exe 32 PID 2600 wrote to memory of 2976 2600 Iffeoj32.exe 32 PID 2600 wrote to memory of 2976 2600 Iffeoj32.exe 32 PID 2976 wrote to memory of 2532 2976 Ijaapifk.exe 33 PID 2976 wrote to memory of 2532 2976 Ijaapifk.exe 33 PID 2976 wrote to memory of 2532 2976 Ijaapifk.exe 33 PID 2976 wrote to memory of 2532 2976 Ijaapifk.exe 33 PID 2532 wrote to memory of 2540 2532 Impnldeo.exe 34 PID 2532 wrote to memory of 2540 2532 Impnldeo.exe 34 PID 2532 wrote to memory of 2540 2532 Impnldeo.exe 34 PID 2532 wrote to memory of 2540 2532 Impnldeo.exe 34 PID 2540 wrote to memory of 1924 2540 Impnldeo.exe 35 PID 2540 wrote to memory of 1924 2540 Impnldeo.exe 35 PID 2540 wrote to memory of 1924 2540 Impnldeo.exe 35 PID 2540 wrote to memory of 1924 2540 Impnldeo.exe 35 PID 1924 wrote to memory of 2988 1924 Icjfhn32.exe 36 PID 1924 wrote to memory of 2988 1924 Icjfhn32.exe 36 PID 1924 wrote to memory of 2988 1924 Icjfhn32.exe 36 PID 1924 wrote to memory of 2988 1924 Icjfhn32.exe 36 PID 2988 wrote to memory of 1160 2988 Iigoqe32.exe 37 PID 2988 wrote to memory of 1160 2988 Iigoqe32.exe 37 PID 2988 wrote to memory of 1160 2988 Iigoqe32.exe 37 PID 2988 wrote to memory of 1160 2988 Iigoqe32.exe 37 PID 1160 wrote to memory of 944 1160 Ikekmq32.exe 38 PID 1160 wrote to memory of 944 1160 Ikekmq32.exe 38 PID 1160 wrote to memory of 944 1160 Ikekmq32.exe 38 PID 1160 wrote to memory of 944 1160 Ikekmq32.exe 38 PID 944 wrote to memory of 2924 944 Ioagno32.exe 39 PID 944 wrote to memory of 2924 944 Ioagno32.exe 39 PID 944 wrote to memory of 2924 944 Ioagno32.exe 39 PID 944 wrote to memory of 2924 944 Ioagno32.exe 39 PID 2924 wrote to memory of 864 2924 Ibocjk32.exe 40 PID 2924 wrote to memory of 864 2924 Ibocjk32.exe 40 PID 2924 wrote to memory of 864 2924 Ibocjk32.exe 40 PID 2924 wrote to memory of 864 2924 Ibocjk32.exe 40 PID 864 wrote to memory of 1612 864 Ifkojiim.exe 41 PID 864 wrote to memory of 1612 864 Ifkojiim.exe 41 PID 864 wrote to memory of 1612 864 Ifkojiim.exe 41 PID 864 wrote to memory of 1612 864 Ifkojiim.exe 41 PID 1612 wrote to memory of 1136 1612 Iiikfehq.exe 42 PID 1612 wrote to memory of 1136 1612 Iiikfehq.exe 42 PID 1612 wrote to memory of 1136 1612 Iiikfehq.exe 42 PID 1612 wrote to memory of 1136 1612 Iiikfehq.exe 42 PID 1136 wrote to memory of 1980 1136 Imeggc32.exe 43 PID 1136 wrote to memory of 1980 1136 Imeggc32.exe 43 PID 1136 wrote to memory of 1980 1136 Imeggc32.exe 43 PID 1136 wrote to memory of 1980 1136 Imeggc32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\f5fe924434cf8c987e52378abe929c2b1e5bde4299a09cebebd845909641a3bb.exe"C:\Users\Admin\AppData\Local\Temp\f5fe924434cf8c987e52378abe929c2b1e5bde4299a09cebebd845909641a3bb.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Ijoeji32.exeC:\Windows\system32\Ijoeji32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\Iolmbpfe.exeC:\Windows\system32\Iolmbpfe.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Ichico32.exeC:\Windows\system32\Ichico32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Iffeoj32.exeC:\Windows\system32\Iffeoj32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Ijaapifk.exeC:\Windows\system32\Ijaapifk.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Impnldeo.exeC:\Windows\system32\Impnldeo.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Impnldeo.exeC:\Windows\system32\Impnldeo.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Icjfhn32.exeC:\Windows\system32\Icjfhn32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Iigoqe32.exeC:\Windows\system32\Iigoqe32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Ikekmq32.exeC:\Windows\system32\Ikekmq32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Ioagno32.exeC:\Windows\system32\Ioagno32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Windows\SysWOW64\Ibocjk32.exeC:\Windows\system32\Ibocjk32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Ifkojiim.exeC:\Windows\system32\Ifkojiim.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\Iiikfehq.exeC:\Windows\system32\Iiikfehq.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Imeggc32.exeC:\Windows\system32\Imeggc32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Ibapoj32.exeC:\Windows\system32\Ibapoj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1980 -
C:\Windows\SysWOW64\Jnhqdkde.exeC:\Windows\system32\Jnhqdkde.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:792 -
C:\Windows\SysWOW64\Jagmpg32.exeC:\Windows\system32\Jagmpg32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1296 -
C:\Windows\SysWOW64\Jebiaelb.exeC:\Windows\system32\Jebiaelb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1512 -
C:\Windows\SysWOW64\Jgqemakf.exeC:\Windows\system32\Jgqemakf.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2172 -
C:\Windows\SysWOW64\Jnkmjk32.exeC:\Windows\system32\Jnkmjk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Jaiiff32.exeC:\Windows\system32\Jaiiff32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2020 -
C:\Windows\SysWOW64\Jedefejo.exeC:\Windows\system32\Jedefejo.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1788 -
C:\Windows\SysWOW64\Jjanolhg.exeC:\Windows\system32\Jjanolhg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2252 -
C:\Windows\SysWOW64\Jnmjok32.exeC:\Windows\system32\Jnmjok32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:924 -
C:\Windows\SysWOW64\Jakfkfpc.exeC:\Windows\system32\Jakfkfpc.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:904 -
C:\Windows\SysWOW64\Jmbgpg32.exeC:\Windows\system32\Jmbgpg32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Jancafna.exeC:\Windows\system32\Jancafna.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Jclomamd.exeC:\Windows\system32\Jclomamd.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1508 -
C:\Windows\SysWOW64\Jghknp32.exeC:\Windows\system32\Jghknp32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Jiigehkl.exeC:\Windows\system32\Jiigehkl.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Kpcpbb32.exeC:\Windows\system32\Kpcpbb32.exe33⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Kcolba32.exeC:\Windows\system32\Kcolba32.exe34⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Kikdkh32.exeC:\Windows\system32\Kikdkh32.exe35⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Kmgpkfab.exeC:\Windows\system32\Kmgpkfab.exe36⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Kpemgbqf.exeC:\Windows\system32\Kpemgbqf.exe37⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Kbcicmpj.exeC:\Windows\system32\Kbcicmpj.exe38⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe39⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Kllmmc32.exeC:\Windows\system32\Kllmmc32.exe40⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Kphimanc.exeC:\Windows\system32\Kphimanc.exe41⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Knjiin32.exeC:\Windows\system32\Knjiin32.exe42⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Kbfeimng.exeC:\Windows\system32\Kbfeimng.exe43⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Kedaeh32.exeC:\Windows\system32\Kedaeh32.exe44⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe45⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Klnjbbdh.exeC:\Windows\system32\Klnjbbdh.exe46⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Kpjfba32.exeC:\Windows\system32\Kpjfba32.exe47⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe48⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe49⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Koocdnai.exeC:\Windows\system32\Koocdnai.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:984 -
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe51⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Llccmb32.exeC:\Windows\system32\Llccmb32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe53⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Lekhfgfc.exeC:\Windows\system32\Lekhfgfc.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Lodlom32.exeC:\Windows\system32\Lodlom32.exe56⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe57⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe58⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe59⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe60⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe61⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe62⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe63⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe64⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe65⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe66⤵
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe67⤵PID:1292
-
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe68⤵PID:2828
-
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe69⤵PID:2776
-
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe70⤵PID:540
-
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe71⤵PID:1288
-
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe72⤵PID:628
-
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe73⤵PID:848
-
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe74⤵PID:2068
-
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe75⤵PID:2164
-
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe76⤵PID:1372
-
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe77⤵PID:1884
-
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe78⤵PID:884
-
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe79⤵PID:1760
-
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe80⤵PID:608
-
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe81⤵PID:2576
-
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe82⤵PID:812
-
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe83⤵PID:2764
-
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe84⤵PID:2076
-
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2732 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe86⤵PID:2524
-
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe87⤵PID:2956
-
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe88⤵PID:2052
-
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe89⤵PID:2804
-
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe90⤵PID:2636
-
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe91⤵PID:2280
-
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe92⤵PID:2364
-
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe93⤵PID:1604
-
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe95⤵PID:1712
-
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe96⤵PID:1976
-
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe97⤵PID:2088
-
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1520 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe99⤵PID:2272
-
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe100⤵
- Modifies registry class
PID:1904 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe101⤵PID:2720
-
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe102⤵PID:3012
-
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe103⤵PID:2972
-
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe104⤵PID:2796
-
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe105⤵
- Drops file in System32 directory
PID:2508 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe106⤵PID:2484
-
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe107⤵PID:2984
-
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe108⤵
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe109⤵PID:1560
-
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe110⤵PID:2768
-
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe111⤵PID:1268
-
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe112⤵PID:1080
-
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe113⤵PID:320
-
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe114⤵PID:688
-
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe115⤵PID:344
-
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe116⤵PID:1988
-
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe117⤵PID:1344
-
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe118⤵PID:2428
-
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:892 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe120⤵PID:2092
-
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe121⤵
- Modifies registry class
PID:2816
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-