Analysis
-
max time kernel
68s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
22-04-2024 04:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e79d1e16565931447b4cc1fdfbd24b6e1f7d3681598f43fb46ee5cc3a8da731f.exe
Resource
win7-20240221-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
e79d1e16565931447b4cc1fdfbd24b6e1f7d3681598f43fb46ee5cc3a8da731f.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
e79d1e16565931447b4cc1fdfbd24b6e1f7d3681598f43fb46ee5cc3a8da731f.exe
-
Size
75KB
-
MD5
a8c3f0fbfe05b8fc4682caa7927372fb
-
SHA1
9b89e17185c09850dd5f6697bf381f803804319d
-
SHA256
e79d1e16565931447b4cc1fdfbd24b6e1f7d3681598f43fb46ee5cc3a8da731f
-
SHA512
48f3577ebfa8a8d58936d2b8eeda892f71cfb3bd1d3bd1c7dac0cd77e2b90f03c721ea4e59ceb36722eea551fa0a15bbfc3989c4487a6eb37962d090027d21f9
-
SSDEEP
1536:nA7UmOacirAK98dYRdA3+VV4dO53q52IrFH:AQmOaciVm4d0a4dg3qv
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgjglg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eegpkcbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hqfqfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Malefbkc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omigmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcaeea32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefedcmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbepdfnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkeloa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbpfig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbppgona.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecidpiad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiaqnagj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkeakl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihndgmdd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmggingc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkpjdo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kleiid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fncibg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eljchpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdmikb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcpjnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baannc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhnojl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikechced.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jaefne32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mppdbb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfemmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbeobhlp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlfcqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjqjpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecccmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhgiim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epaemojk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifleji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckfofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoefgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhgonidg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hegmlnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jekpljgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjiipk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlgegcng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpmobi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfihbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndmgnkja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mapgfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geflne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jolodqcp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Micheb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkpjdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebpqjmpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alcfpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkbnkfei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agkqiobl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkfeeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggccllai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okceaikl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggicbe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odhiemil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdmfcn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjdedepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cplckbmc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfpjgi32.exe -
Executes dropped EXE 64 IoCs
pid Process 4984 Mjjkaabc.exe 5096 Moipoh32.exe 3960 Mokmdh32.exe 3328 Mgeakekd.exe 4056 Nnafno32.exe 624 Ngjkfd32.exe 2616 Nmfcok32.exe 3220 Njjdho32.exe 3972 Ngndaccj.exe 2672 Ngqagcag.exe 4820 Ojajin32.exe 1572 Onocomdo.exe 3528 Ojfcdnjc.exe 4052 Opeiadfg.exe 1532 Paeelgnj.exe 1184 Pagbaglh.exe 1860 Pjpfjl32.exe 904 Phcgcqab.exe 4592 Pnmopk32.exe 2072 Pjdpelnc.exe 4356 Qhhpop32.exe 680 Qobhkjdi.exe 3008 Qpcecb32.exe 4412 Qjiipk32.exe 4656 Aogbfi32.exe 5040 Adcjop32.exe 1516 Apjkcadp.exe 2700 Aokkahlo.exe 1480 Ahdpjn32.exe 212 Aaldccip.exe 1096 Amcehdod.exe 1368 Bkgeainn.exe 776 Baannc32.exe 1180 Bgnffj32.exe 5104 Bacjdbch.exe 3876 Bhmbqm32.exe 4296 Bgbpaipl.exe 2580 Bhblllfo.exe 3684 Bajqda32.exe 1592 Cnaaib32.exe 2252 Cdkifmjq.exe 4472 Cncnob32.exe 5024 Cdmfllhn.exe 3964 Cdpcal32.exe 64 Cnhgjaml.exe 632 Cogddd32.exe 3868 Dojqjdbl.exe 4108 Dgeenfog.exe 432 Ddifgk32.exe 4028 Dnajppda.exe 3160 Dhgonidg.exe 1012 Ddnobj32.exe 2028 Ebaplnie.exe 1752 Eoepebho.exe 2908 Eklajcmc.exe 1976 Eomffaag.exe 4256 Edionhpn.exe 4032 Fbmohmoh.exe 3980 Foclgq32.exe 3712 Fofilp32.exe 912 Fganqbgg.exe 4804 Gnnccl32.exe 804 Gkdpbpih.exe 1536 Ggmmlamj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jcknij32.dll Dojqjdbl.exe File created C:\Windows\SysWOW64\Olijkhjb.dll Eoconenj.exe File created C:\Windows\SysWOW64\Eigdflna.dll Jginej32.exe File created C:\Windows\SysWOW64\Pipeabep.dll Cdmfllhn.exe File opened for modification C:\Windows\SysWOW64\Kcjjhdjb.exe Kakmna32.exe File created C:\Windows\SysWOW64\Ggccllai.exe Fkjfakng.exe File created C:\Windows\SysWOW64\Mkbdph32.dll Bdiamnpc.exe File created C:\Windows\SysWOW64\Gemabmdn.dll Ihgnfnjl.exe File created C:\Windows\SysWOW64\Hlglnp32.dll Jhifomdj.exe File opened for modification C:\Windows\SysWOW64\Bnppkj32.exe Afdkfh32.exe File created C:\Windows\SysWOW64\Mhmmieil.exe Mfmpob32.exe File created C:\Windows\SysWOW64\Nlnkgbhp.exe Nfabok32.exe File opened for modification C:\Windows\SysWOW64\Jlkfbe32.exe Jafaem32.exe File created C:\Windows\SysWOW64\Lhjeoc32.exe Lkfeeo32.exe File opened for modification C:\Windows\SysWOW64\Cdpcal32.exe Cdmfllhn.exe File created C:\Windows\SysWOW64\Jglkkiea.exe Jikjmbmb.exe File created C:\Windows\SysWOW64\Lipmoo32.exe Lhopgg32.exe File created C:\Windows\SysWOW64\Fmkohkha.dll Ejdhcjpl.exe File opened for modification C:\Windows\SysWOW64\Iojkeh32.exe Ibqnkh32.exe File opened for modification C:\Windows\SysWOW64\Ckidcpjl.exe Ccblbb32.exe File created C:\Windows\SysWOW64\Dcnlnaom.exe Dkbgjo32.exe File created C:\Windows\SysWOW64\Qhfaig32.dll Bikeni32.exe File created C:\Windows\SysWOW64\Apckeggh.dll Eljchpnl.exe File opened for modification C:\Windows\SysWOW64\Ndmgnkja.exe Noqofdlj.exe File created C:\Windows\SysWOW64\Dpkehi32.exe Dbgdnelk.exe File created C:\Windows\SysWOW64\Fllfihmi.dll Jonlimkg.exe File created C:\Windows\SysWOW64\Cnhgjaml.exe Cdpcal32.exe File created C:\Windows\SysWOW64\Eoepebho.exe Ebaplnie.exe File created C:\Windows\SysWOW64\Aqpika32.exe Qjeaog32.exe File created C:\Windows\SysWOW64\Jcmkjeko.exe Jfikaqme.exe File created C:\Windows\SysWOW64\Fmdbil32.dll Mfjlolpp.exe File created C:\Windows\SysWOW64\Agndidce.exe Adohmidb.exe File created C:\Windows\SysWOW64\Hkfoel32.dll Ojfcdnjc.exe File created C:\Windows\SysWOW64\Ckcdlpbd.dll Fofilp32.exe File opened for modification C:\Windows\SysWOW64\Mhmcck32.exe Mackfa32.exe File created C:\Windows\SysWOW64\Hoengj32.dll Fjpoio32.exe File opened for modification C:\Windows\SysWOW64\Omdnbd32.exe Nfjeej32.exe File created C:\Windows\SysWOW64\Fcfmla32.dll Pocpqcpm.exe File created C:\Windows\SysWOW64\Fbelak32.dll Cfmahknh.exe File created C:\Windows\SysWOW64\Imjgbb32.exe Ignnjk32.exe File created C:\Windows\SysWOW64\Ahpdcn32.exe Aqdbfa32.exe File created C:\Windows\SysWOW64\Mmnklgqn.dll Emdaee32.exe File created C:\Windows\SysWOW64\Mjafoapj.exe Ldgnbg32.exe File opened for modification C:\Windows\SysWOW64\Ilglgfjd.exe Iemdkl32.exe File created C:\Windows\SysWOW64\Ofijnbkb.exe Okceaikl.exe File created C:\Windows\SysWOW64\Mobbdf32.exe Mdmngm32.exe File created C:\Windows\SysWOW64\Biigildg.exe Bndblcdq.exe File created C:\Windows\SysWOW64\Mjkmck32.dll Fhflhcfa.exe File opened for modification C:\Windows\SysWOW64\Aokkahlo.exe Apjkcadp.exe File opened for modification C:\Windows\SysWOW64\Ckdkhq32.exe Calfpk32.exe File created C:\Windows\SysWOW64\Dajnol32.exe Djpfbahm.exe File created C:\Windows\SysWOW64\Foijeajf.dll Ldlmieaa.exe File opened for modification C:\Windows\SysWOW64\Cdkifmjq.exe Cnaaib32.exe File created C:\Windows\SysWOW64\Ecfjqmbc.dll Mpeiie32.exe File created C:\Windows\SysWOW64\Phcgcqab.exe Pjpfjl32.exe File created C:\Windows\SysWOW64\Cfmahknh.exe Ciiaogon.exe File created C:\Windows\SysWOW64\Mgngih32.exe Meljappg.exe File created C:\Windows\SysWOW64\Nlnlqocc.dll Elhnhm32.exe File created C:\Windows\SysWOW64\Bhblllfo.exe Bgbpaipl.exe File created C:\Windows\SysWOW64\Ehkcgkdj.exe Eoconenj.exe File opened for modification C:\Windows\SysWOW64\Nfdfoala.exe Mdcmnfop.exe File opened for modification C:\Windows\SysWOW64\Mminfech.exe Mcpjnp32.exe File created C:\Windows\SysWOW64\Bpemkcck.exe Bikeni32.exe File opened for modification C:\Windows\SysWOW64\Kjmjgk32.exe Jaefne32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6064 11440 Process not Found 2049 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imfdaigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elihef32.dll" Ndkjik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Heohinog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmbhlfil.dll" Pmiijjcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhhodg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phmnfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphkadgc.dll" Jhbfgflc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghaeocdd.dll" Ofckhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Infhebbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmmqgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Econlc32.dll" Fiilblom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eajhee32.dll" Jjnqap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ildpbfmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eoepebho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qpbgnecp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elnehifk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Canocm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkfeeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Memalfcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qejfkmem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mknlef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjbnqa32.dll" Pacfjfej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oigdefgf.dll" Qnopjfgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaglma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbdkhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khcgfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkjlqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgbdmfnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfgbec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckakb32.dll" Apqhldjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Calfpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfgloiqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbiiah32.dll" Hembndee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chddpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oejhoq32.dll" Opmcod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkgejncb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qpjifl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempqa32.dll" Ngndaccj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amcehdod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndkjik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgokdomj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gebimmco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inoeep32.dll" Fnpmkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbqpa32.dll" Naaghoik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanpok32.dll" Aohfdnil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iejgelej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eigdflna.dll" Jginej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdejf32.dll" Cjcolm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcdmdcjf.dll" Opiidhoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dojqjdbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Loacdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jaljbmkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egagemmk.dll" Cbglgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhiljk32.dll" Hcfcmnce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Libido32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mihjhq32.dll" Elkbhbeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgijpe32.dll" Bhmbqm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmmeak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fphmhm32.dll" Gfemmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dajnol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icdhdfcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enhnmolc.dll" Bjeckojo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iehkpmgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdmfllhn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3108 wrote to memory of 4984 3108 e79d1e16565931447b4cc1fdfbd24b6e1f7d3681598f43fb46ee5cc3a8da731f.exe 92 PID 3108 wrote to memory of 4984 3108 e79d1e16565931447b4cc1fdfbd24b6e1f7d3681598f43fb46ee5cc3a8da731f.exe 92 PID 3108 wrote to memory of 4984 3108 e79d1e16565931447b4cc1fdfbd24b6e1f7d3681598f43fb46ee5cc3a8da731f.exe 92 PID 4984 wrote to memory of 5096 4984 Mjjkaabc.exe 93 PID 4984 wrote to memory of 5096 4984 Mjjkaabc.exe 93 PID 4984 wrote to memory of 5096 4984 Mjjkaabc.exe 93 PID 5096 wrote to memory of 3960 5096 Moipoh32.exe 94 PID 5096 wrote to memory of 3960 5096 Moipoh32.exe 94 PID 5096 wrote to memory of 3960 5096 Moipoh32.exe 94 PID 3960 wrote to memory of 3328 3960 Mokmdh32.exe 95 PID 3960 wrote to memory of 3328 3960 Mokmdh32.exe 95 PID 3960 wrote to memory of 3328 3960 Mokmdh32.exe 95 PID 3328 wrote to memory of 4056 3328 Mgeakekd.exe 96 PID 3328 wrote to memory of 4056 3328 Mgeakekd.exe 96 PID 3328 wrote to memory of 4056 3328 Mgeakekd.exe 96 PID 4056 wrote to memory of 624 4056 Nnafno32.exe 97 PID 4056 wrote to memory of 624 4056 Nnafno32.exe 97 PID 4056 wrote to memory of 624 4056 Nnafno32.exe 97 PID 624 wrote to memory of 2616 624 Ngjkfd32.exe 98 PID 624 wrote to memory of 2616 624 Ngjkfd32.exe 98 PID 624 wrote to memory of 2616 624 Ngjkfd32.exe 98 PID 2616 wrote to memory of 3220 2616 Nmfcok32.exe 99 PID 2616 wrote to memory of 3220 2616 Nmfcok32.exe 99 PID 2616 wrote to memory of 3220 2616 Nmfcok32.exe 99 PID 3220 wrote to memory of 3972 3220 Njjdho32.exe 100 PID 3220 wrote to memory of 3972 3220 Njjdho32.exe 100 PID 3220 wrote to memory of 3972 3220 Njjdho32.exe 100 PID 3972 wrote to memory of 2672 3972 Ngndaccj.exe 101 PID 3972 wrote to memory of 2672 3972 Ngndaccj.exe 101 PID 3972 wrote to memory of 2672 3972 Ngndaccj.exe 101 PID 2672 wrote to memory of 4820 2672 Ngqagcag.exe 102 PID 2672 wrote to memory of 4820 2672 Ngqagcag.exe 102 PID 2672 wrote to memory of 4820 2672 Ngqagcag.exe 102 PID 4820 wrote to memory of 1572 4820 Ojajin32.exe 103 PID 4820 wrote to memory of 1572 4820 Ojajin32.exe 103 PID 4820 wrote to memory of 1572 4820 Ojajin32.exe 103 PID 1572 wrote to memory of 3528 1572 Onocomdo.exe 104 PID 1572 wrote to memory of 3528 1572 Onocomdo.exe 104 PID 1572 wrote to memory of 3528 1572 Onocomdo.exe 104 PID 3528 wrote to memory of 4052 3528 Ojfcdnjc.exe 105 PID 3528 wrote to memory of 4052 3528 Ojfcdnjc.exe 105 PID 3528 wrote to memory of 4052 3528 Ojfcdnjc.exe 105 PID 4052 wrote to memory of 1532 4052 Opeiadfg.exe 106 PID 4052 wrote to memory of 1532 4052 Opeiadfg.exe 106 PID 4052 wrote to memory of 1532 4052 Opeiadfg.exe 106 PID 1532 wrote to memory of 1184 1532 Paeelgnj.exe 107 PID 1532 wrote to memory of 1184 1532 Paeelgnj.exe 107 PID 1532 wrote to memory of 1184 1532 Paeelgnj.exe 107 PID 1184 wrote to memory of 1860 1184 Pagbaglh.exe 108 PID 1184 wrote to memory of 1860 1184 Pagbaglh.exe 108 PID 1184 wrote to memory of 1860 1184 Pagbaglh.exe 108 PID 1860 wrote to memory of 904 1860 Pjpfjl32.exe 109 PID 1860 wrote to memory of 904 1860 Pjpfjl32.exe 109 PID 1860 wrote to memory of 904 1860 Pjpfjl32.exe 109 PID 904 wrote to memory of 4592 904 Phcgcqab.exe 110 PID 904 wrote to memory of 4592 904 Phcgcqab.exe 110 PID 904 wrote to memory of 4592 904 Phcgcqab.exe 110 PID 4592 wrote to memory of 2072 4592 Pnmopk32.exe 111 PID 4592 wrote to memory of 2072 4592 Pnmopk32.exe 111 PID 4592 wrote to memory of 2072 4592 Pnmopk32.exe 111 PID 2072 wrote to memory of 4356 2072 Pjdpelnc.exe 112 PID 2072 wrote to memory of 4356 2072 Pjdpelnc.exe 112 PID 2072 wrote to memory of 4356 2072 Pjdpelnc.exe 112 PID 4356 wrote to memory of 680 4356 Qhhpop32.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\e79d1e16565931447b4cc1fdfbd24b6e1f7d3681598f43fb46ee5cc3a8da731f.exe"C:\Users\Admin\AppData\Local\Temp\e79d1e16565931447b4cc1fdfbd24b6e1f7d3681598f43fb46ee5cc3a8da731f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3108 -
C:\Windows\SysWOW64\Mjjkaabc.exeC:\Windows\system32\Mjjkaabc.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\SysWOW64\Moipoh32.exeC:\Windows\system32\Moipoh32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\Mokmdh32.exeC:\Windows\system32\Mokmdh32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Windows\SysWOW64\Mgeakekd.exeC:\Windows\system32\Mgeakekd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Windows\SysWOW64\Nnafno32.exeC:\Windows\system32\Nnafno32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\SysWOW64\Ngjkfd32.exeC:\Windows\system32\Ngjkfd32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\SysWOW64\Nmfcok32.exeC:\Windows\system32\Nmfcok32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Njjdho32.exeC:\Windows\system32\Njjdho32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Windows\SysWOW64\Ngndaccj.exeC:\Windows\system32\Ngndaccj.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Windows\SysWOW64\Ngqagcag.exeC:\Windows\system32\Ngqagcag.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Ojajin32.exeC:\Windows\system32\Ojajin32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\SysWOW64\Onocomdo.exeC:\Windows\system32\Onocomdo.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Ojfcdnjc.exeC:\Windows\system32\Ojfcdnjc.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\SysWOW64\Opeiadfg.exeC:\Windows\system32\Opeiadfg.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
C:\Windows\SysWOW64\Paeelgnj.exeC:\Windows\system32\Paeelgnj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Pagbaglh.exeC:\Windows\system32\Pagbaglh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Pjpfjl32.exeC:\Windows\system32\Pjpfjl32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Phcgcqab.exeC:\Windows\system32\Phcgcqab.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\SysWOW64\Pnmopk32.exeC:\Windows\system32\Pnmopk32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\Pjdpelnc.exeC:\Windows\system32\Pjdpelnc.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Qhhpop32.exeC:\Windows\system32\Qhhpop32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\SysWOW64\Qobhkjdi.exeC:\Windows\system32\Qobhkjdi.exe23⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Qpcecb32.exeC:\Windows\system32\Qpcecb32.exe24⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Qjiipk32.exeC:\Windows\system32\Qjiipk32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Aogbfi32.exeC:\Windows\system32\Aogbfi32.exe26⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Adcjop32.exeC:\Windows\system32\Adcjop32.exe27⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Apjkcadp.exeC:\Windows\system32\Apjkcadp.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1516 -
C:\Windows\SysWOW64\Aokkahlo.exeC:\Windows\system32\Aokkahlo.exe29⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Ahdpjn32.exeC:\Windows\system32\Ahdpjn32.exe30⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Aaldccip.exeC:\Windows\system32\Aaldccip.exe31⤵
- Executes dropped EXE
PID:212 -
C:\Windows\SysWOW64\Amcehdod.exeC:\Windows\system32\Amcehdod.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:1096 -
C:\Windows\SysWOW64\Bkgeainn.exeC:\Windows\system32\Bkgeainn.exe33⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Baannc32.exeC:\Windows\system32\Baannc32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Bgnffj32.exeC:\Windows\system32\Bgnffj32.exe35⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Bacjdbch.exeC:\Windows\system32\Bacjdbch.exe36⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Bhmbqm32.exeC:\Windows\system32\Bhmbqm32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:3876 -
C:\Windows\SysWOW64\Bgbpaipl.exeC:\Windows\system32\Bgbpaipl.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4296 -
C:\Windows\SysWOW64\Bhblllfo.exeC:\Windows\system32\Bhblllfo.exe39⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Bajqda32.exeC:\Windows\system32\Bajqda32.exe40⤵
- Executes dropped EXE
PID:3684 -
C:\Windows\SysWOW64\Cnaaib32.exeC:\Windows\system32\Cnaaib32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Cdkifmjq.exeC:\Windows\system32\Cdkifmjq.exe42⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Cncnob32.exeC:\Windows\system32\Cncnob32.exe43⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Cdmfllhn.exeC:\Windows\system32\Cdmfllhn.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5024 -
C:\Windows\SysWOW64\Cdpcal32.exeC:\Windows\system32\Cdpcal32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3964 -
C:\Windows\SysWOW64\Cnhgjaml.exeC:\Windows\system32\Cnhgjaml.exe46⤵
- Executes dropped EXE
PID:64 -
C:\Windows\SysWOW64\Cogddd32.exeC:\Windows\system32\Cogddd32.exe47⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Dojqjdbl.exeC:\Windows\system32\Dojqjdbl.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3868 -
C:\Windows\SysWOW64\Dgeenfog.exeC:\Windows\system32\Dgeenfog.exe49⤵
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Ddifgk32.exeC:\Windows\system32\Ddifgk32.exe50⤵
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Dnajppda.exeC:\Windows\system32\Dnajppda.exe51⤵
- Executes dropped EXE
PID:4028 -
C:\Windows\SysWOW64\Dhgonidg.exeC:\Windows\system32\Dhgonidg.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3160 -
C:\Windows\SysWOW64\Ddnobj32.exeC:\Windows\system32\Ddnobj32.exe53⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Ebaplnie.exeC:\Windows\system32\Ebaplnie.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Eoepebho.exeC:\Windows\system32\Eoepebho.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Eklajcmc.exeC:\Windows\system32\Eklajcmc.exe56⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Eomffaag.exeC:\Windows\system32\Eomffaag.exe57⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Edionhpn.exeC:\Windows\system32\Edionhpn.exe58⤵
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Fbmohmoh.exeC:\Windows\system32\Fbmohmoh.exe59⤵
- Executes dropped EXE
PID:4032 -
C:\Windows\SysWOW64\Foclgq32.exeC:\Windows\system32\Foclgq32.exe60⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\Fofilp32.exeC:\Windows\system32\Fofilp32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3712 -
C:\Windows\SysWOW64\Fganqbgg.exeC:\Windows\system32\Fganqbgg.exe62⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Gnnccl32.exeC:\Windows\system32\Gnnccl32.exe63⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Gkdpbpih.exeC:\Windows\system32\Gkdpbpih.exe64⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Ggmmlamj.exeC:\Windows\system32\Ggmmlamj.exe65⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Geanfelc.exeC:\Windows\system32\Geanfelc.exe66⤵PID:3708
-
C:\Windows\SysWOW64\Hbgkei32.exeC:\Windows\system32\Hbgkei32.exe67⤵PID:3252
-
C:\Windows\SysWOW64\Haodle32.exeC:\Windows\system32\Haodle32.exe68⤵PID:1672
-
C:\Windows\SysWOW64\Ibqnkh32.exeC:\Windows\system32\Ibqnkh32.exe69⤵
- Drops file in System32 directory
PID:1956 -
C:\Windows\SysWOW64\Iojkeh32.exeC:\Windows\system32\Iojkeh32.exe70⤵PID:4736
-
C:\Windows\SysWOW64\Ipihpkkd.exeC:\Windows\system32\Ipihpkkd.exe71⤵PID:4428
-
C:\Windows\SysWOW64\Ipkdek32.exeC:\Windows\system32\Ipkdek32.exe72⤵PID:1136
-
C:\Windows\SysWOW64\Jhgiim32.exeC:\Windows\system32\Jhgiim32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1080 -
C:\Windows\SysWOW64\Jaonbc32.exeC:\Windows\system32\Jaonbc32.exe74⤵PID:2224
-
C:\Windows\SysWOW64\Jhifomdj.exeC:\Windows\system32\Jhifomdj.exe75⤵
- Drops file in System32 directory
PID:4136 -
C:\Windows\SysWOW64\Jihbip32.exeC:\Windows\system32\Jihbip32.exe76⤵PID:3612
-
C:\Windows\SysWOW64\Jhnojl32.exeC:\Windows\system32\Jhnojl32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4120 -
C:\Windows\SysWOW64\Jllhpkfk.exeC:\Windows\system32\Jllhpkfk.exe78⤵PID:4376
-
C:\Windows\SysWOW64\Kedlip32.exeC:\Windows\system32\Kedlip32.exe79⤵PID:2452
-
C:\Windows\SysWOW64\Klndfj32.exeC:\Windows\system32\Klndfj32.exe80⤵PID:2248
-
C:\Windows\SysWOW64\Kakmna32.exeC:\Windows\system32\Kakmna32.exe81⤵
- Drops file in System32 directory
PID:3504 -
C:\Windows\SysWOW64\Kcjjhdjb.exeC:\Windows\system32\Kcjjhdjb.exe82⤵PID:3732
-
C:\Windows\SysWOW64\Khiofk32.exeC:\Windows\system32\Khiofk32.exe83⤵PID:688
-
C:\Windows\SysWOW64\Lindkm32.exeC:\Windows\system32\Lindkm32.exe84⤵PID:4916
-
C:\Windows\SysWOW64\Loacdc32.exeC:\Windows\system32\Loacdc32.exe85⤵
- Modifies registry class
PID:5156 -
C:\Windows\SysWOW64\Mledmg32.exeC:\Windows\system32\Mledmg32.exe86⤵PID:5204
-
C:\Windows\SysWOW64\Mpclce32.exeC:\Windows\system32\Mpclce32.exe87⤵PID:5252
-
C:\Windows\SysWOW64\Mpeiie32.exeC:\Windows\system32\Mpeiie32.exe88⤵
- Drops file in System32 directory
PID:5292 -
C:\Windows\SysWOW64\Nfgklkoc.exeC:\Windows\system32\Nfgklkoc.exe89⤵PID:5332
-
C:\Windows\SysWOW64\Nfihbk32.exeC:\Windows\system32\Nfihbk32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5380 -
C:\Windows\SysWOW64\Ncmhko32.exeC:\Windows\system32\Ncmhko32.exe91⤵PID:5428
-
C:\Windows\SysWOW64\Nfnamjhk.exeC:\Windows\system32\Nfnamjhk.exe92⤵PID:5472
-
C:\Windows\SysWOW64\Ofckhj32.exeC:\Windows\system32\Ofckhj32.exe93⤵
- Modifies registry class
PID:5516 -
C:\Windows\SysWOW64\Objkmkjj.exeC:\Windows\system32\Objkmkjj.exe94⤵PID:5560
-
C:\Windows\SysWOW64\Pjjfdfbb.exeC:\Windows\system32\Pjjfdfbb.exe95⤵PID:5604
-
C:\Windows\SysWOW64\Pcbkml32.exeC:\Windows\system32\Pcbkml32.exe96⤵PID:5648
-
C:\Windows\SysWOW64\Ppikbm32.exeC:\Windows\system32\Ppikbm32.exe97⤵PID:5688
-
C:\Windows\SysWOW64\Piapkbeg.exeC:\Windows\system32\Piapkbeg.exe98⤵PID:5744
-
C:\Windows\SysWOW64\Pidlqb32.exeC:\Windows\system32\Pidlqb32.exe99⤵PID:5792
-
C:\Windows\SysWOW64\Qpbnhl32.exeC:\Windows\system32\Qpbnhl32.exe100⤵PID:5836
-
C:\Windows\SysWOW64\Amfobp32.exeC:\Windows\system32\Amfobp32.exe101⤵PID:5876
-
C:\Windows\SysWOW64\Acqgojmb.exeC:\Windows\system32\Acqgojmb.exe102⤵PID:5912
-
C:\Windows\SysWOW64\Amikgpcc.exeC:\Windows\system32\Amikgpcc.exe103⤵PID:5960
-
C:\Windows\SysWOW64\Ajmladbl.exeC:\Windows\system32\Ajmladbl.exe104⤵PID:6012
-
C:\Windows\SysWOW64\Aplaoj32.exeC:\Windows\system32\Aplaoj32.exe105⤵PID:6060
-
C:\Windows\SysWOW64\Afhfaddk.exeC:\Windows\system32\Afhfaddk.exe106⤵PID:6100
-
C:\Windows\SysWOW64\Bmbnnn32.exeC:\Windows\system32\Bmbnnn32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5124 -
C:\Windows\SysWOW64\Bfkbfd32.exeC:\Windows\system32\Bfkbfd32.exe108⤵PID:5180
-
C:\Windows\SysWOW64\Bdocph32.exeC:\Windows\system32\Bdocph32.exe109⤵PID:5248
-
C:\Windows\SysWOW64\Bmggingc.exeC:\Windows\system32\Bmggingc.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5328 -
C:\Windows\SysWOW64\Bkkhbb32.exeC:\Windows\system32\Bkkhbb32.exe111⤵PID:5392
-
C:\Windows\SysWOW64\Bkmeha32.exeC:\Windows\system32\Bkmeha32.exe112⤵PID:5452
-
C:\Windows\SysWOW64\Bbhildae.exeC:\Windows\system32\Bbhildae.exe113⤵PID:5548
-
C:\Windows\SysWOW64\Cpljehpo.exeC:\Windows\system32\Cpljehpo.exe114⤵PID:5600
-
C:\Windows\SysWOW64\Calfpk32.exeC:\Windows\system32\Calfpk32.exe115⤵
- Drops file in System32 directory
- Modifies registry class
PID:5668 -
C:\Windows\SysWOW64\Ckdkhq32.exeC:\Windows\system32\Ckdkhq32.exe116⤵PID:5788
-
C:\Windows\SysWOW64\Cgklmacf.exeC:\Windows\system32\Cgklmacf.exe117⤵PID:5856
-
C:\Windows\SysWOW64\Caqpkjcl.exeC:\Windows\system32\Caqpkjcl.exe118⤵PID:2180
-
C:\Windows\SysWOW64\Ccblbb32.exeC:\Windows\system32\Ccblbb32.exe119⤵
- Drops file in System32 directory
PID:5992 -
C:\Windows\SysWOW64\Ckidcpjl.exeC:\Windows\system32\Ckidcpjl.exe120⤵PID:6068
-
C:\Windows\SysWOW64\Dkkaiphj.exeC:\Windows\system32\Dkkaiphj.exe121⤵PID:6124
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-