Analysis
-
max time kernel
66s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
22-04-2024 18:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0e614f727a046701e87d5b34654c915ff46c47fbc9a033341686948ff3240ca5.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
0e614f727a046701e87d5b34654c915ff46c47fbc9a033341686948ff3240ca5.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
0e614f727a046701e87d5b34654c915ff46c47fbc9a033341686948ff3240ca5.exe
-
Size
192KB
-
MD5
29c3d4a1bf88aabf48b710834d179ee7
-
SHA1
1350cd1f1fa1c69650938b06eb90b2fb8264ece3
-
SHA256
0e614f727a046701e87d5b34654c915ff46c47fbc9a033341686948ff3240ca5
-
SHA512
41f14439d33c050ea17ac2fd97a13c28bbcdf85f96e2d4f50b66f0538742889d20eb284790ca2cab7634d83d034bb5502234707e91eb2a7f786f8174b61e36b4
-
SSDEEP
3072:AxanHkoj9QjdjSLH2IB6+oXO56hKpi9poF5aY6+oocpGHn:ICQc2D+Eu6QnFw5+0pUn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdffjgpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbbnbemf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfddci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifihdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfaglf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iikmbh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hejqldci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nofefp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlnbhe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odaiodbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkehdnee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iacepmik.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alpnde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmifkecb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdadpk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmobii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egjebn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebimgcfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnoaaaad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bagmdllg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oibdhd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjfnphpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjpaffhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkgillpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbdgec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bqdlmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnenchoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpioin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kanidd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aecbge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iiopca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfnamjhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddklbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdngpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfpkbfdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpeahb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgpcliao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkphhgfc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glchjedc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jndhkmfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbgqdb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjmjgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Geabbfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnfkgp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaejhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Liabjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajlpepbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fimhjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Doojec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfhofnpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fnhbmgmk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgknlg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcflch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdalkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeocna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjhmbihg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhkecb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmefiakh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcegkamd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afkipi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pncanhaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olqqdo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agqhik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlbdba32.exe -
Executes dropped EXE 64 IoCs
pid Process 4776 Ebimgcfi.exe 3552 Emanjldl.exe 5060 Flfkkhid.exe 2720 Fmfgek32.exe 1116 Fimhjl32.exe 1980 Fmkqpkla.exe 3180 Fmmmfj32.exe 3064 Gmafajfi.exe 4532 Gihgfk32.exe 5036 Gpelhd32.exe 5044 Hedafk32.exe 2120 Hplbickp.exe 3984 Hpnoncim.exe 2832 Hbohpn32.exe 1428 Iikmbh32.exe 4124 Illfdc32.exe 1160 Imkbnf32.exe 3636 Ilcldb32.exe 4500 Jnlkedai.exe 1136 Kcidmkpq.exe 820 Keimof32.exe 2000 Kgiiiidd.exe 3892 Kodnmkap.exe 1028 Kgnbdh32.exe 4940 Lqhdbm32.exe 3248 Lnoaaaad.exe 2964 Lcnfohmi.exe 3800 Mjjkaabc.exe 1448 Mnhdgpii.exe 4360 Mqimikfj.exe 1380 Mnmmboed.exe 1636 Nopfpgip.exe 3380 Nqbpojnp.exe 1192 Npgmpf32.exe 3084 Ojomcopk.exe 2888 Offnhpfo.exe 4540 Ofhknodl.exe 3956 Ofkgcobj.exe 3576 Oabhfg32.exe 4344 Pnfiplog.exe 4992 Phonha32.exe 1504 Pfdjinjo.exe 64 Pfiddm32.exe 2856 Qjfmkk32.exe 5100 Qdoacabq.exe 2432 Qpeahb32.exe 2672 Amjbbfgo.exe 2812 Afbgkl32.exe 1728 Adfgdpmi.exe 2816 Aokkahlo.exe 2536 Aonhghjl.exe 4744 Agimkk32.exe 2900 Bobabg32.exe 3052 Bkibgh32.exe 4272 Bgpcliao.exe 2036 Baegibae.exe 656 Bkphhgfc.exe 3604 Conanfli.exe 1620 Cglbhhga.exe 2004 Coegoe32.exe 1984 Dafppp32.exe 1120 Dgcihgaj.exe 1748 Dpkmal32.exe 2372 Ddifgk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ijjekn32.exe Icqmncof.exe File created C:\Windows\SysWOW64\Dgoiid32.dll Homcbo32.exe File created C:\Windows\SysWOW64\Dajqphlf.dll Kfbmgo32.exe File created C:\Windows\SysWOW64\Lpochfji.exe Lfiokmkc.exe File created C:\Windows\SysWOW64\Dkjfaikb.dll Oqhoeb32.exe File opened for modification C:\Windows\SysWOW64\Dpllbp32.exe Dibdeegc.exe File created C:\Windows\SysWOW64\Hipdpbgf.exe Hcflch32.exe File created C:\Windows\SysWOW64\Dcegkamd.exe Dqgjoenq.exe File opened for modification C:\Windows\SysWOW64\Offnhpfo.exe Ojomcopk.exe File opened for modification C:\Windows\SysWOW64\Obnehj32.exe Omalpc32.exe File opened for modification C:\Windows\SysWOW64\Jflnafno.exe Jqofippg.exe File created C:\Windows\SysWOW64\Lbccec32.dll Bkefphem.exe File created C:\Windows\SysWOW64\Mnhdgpii.exe Mjjkaabc.exe File created C:\Windows\SysWOW64\Kkcghg32.dll Ekngemhd.exe File opened for modification C:\Windows\SysWOW64\Jfjakgpa.exe Jqmicpbj.exe File created C:\Windows\SysWOW64\Mejnlpai.exe Mopeofjl.exe File created C:\Windows\SysWOW64\Fhchhm32.exe Fmndkd32.exe File opened for modification C:\Windows\SysWOW64\Lindkm32.exe Lljdai32.exe File opened for modification C:\Windows\SysWOW64\Jbppgona.exe Jhkljfok.exe File opened for modification C:\Windows\SysWOW64\Kfkamk32.exe Kanidd32.exe File created C:\Windows\SysWOW64\Hfgloiqf.exe Homcbo32.exe File created C:\Windows\SysWOW64\Qpboqfjk.dll Bkbcpb32.exe File opened for modification C:\Windows\SysWOW64\Mcicma32.exe Mfeccm32.exe File created C:\Windows\SysWOW64\Amjbbfgo.exe Qpeahb32.exe File created C:\Windows\SysWOW64\Llobhg32.dll Dpkmal32.exe File created C:\Windows\SysWOW64\Daliqjnc.dll Pcfmneaa.exe File opened for modification C:\Windows\SysWOW64\Mkgmoncl.exe Mdnebc32.exe File opened for modification C:\Windows\SysWOW64\Cgpjebcp.exe Cdbmifdl.exe File opened for modification C:\Windows\SysWOW64\Flfkkhid.exe Emanjldl.exe File created C:\Windows\SysWOW64\Piaiqlak.exe Pbgqdb32.exe File opened for modification C:\Windows\SysWOW64\Lmfhjhdm.exe Lflpmn32.exe File opened for modification C:\Windows\SysWOW64\Dcibca32.exe Dnljkk32.exe File created C:\Windows\SysWOW64\Cfenfhnj.dll Lfmghdpl.exe File opened for modification C:\Windows\SysWOW64\Koceep32.exe Khimhefk.exe File opened for modification C:\Windows\SysWOW64\Flpbnh32.exe Fgcjea32.exe File created C:\Windows\SysWOW64\Eapmedef.exe Ejfeij32.exe File opened for modification C:\Windows\SysWOW64\Pmjhlklg.exe Pbddobla.exe File created C:\Windows\SysWOW64\Ggiipk32.dll Cmdmpe32.exe File created C:\Windows\SysWOW64\Ebldam32.dll Fgijkgeh.exe File created C:\Windows\SysWOW64\Hjdedepg.exe Hcjmhk32.exe File created C:\Windows\SysWOW64\Jakjcj32.dll Hcljmj32.exe File created C:\Windows\SysWOW64\Epqblnhh.dll Kejloi32.exe File created C:\Windows\SysWOW64\Dfonnk32.exe Cmgjee32.exe File created C:\Windows\SysWOW64\Daiodkff.dll Nbmmoklg.exe File created C:\Windows\SysWOW64\Pfdjinjo.exe Phonha32.exe File created C:\Windows\SysWOW64\Chbfoaba.dll Gngeik32.exe File opened for modification C:\Windows\SysWOW64\Jllhpkfk.exe Jafdcbge.exe File opened for modification C:\Windows\SysWOW64\Cgbfka32.exe Cmmbmiag.exe File created C:\Windows\SysWOW64\Bkggjg32.dll Ckiipa32.exe File created C:\Windows\SysWOW64\Nphljg32.dll Gjpaffhl.exe File created C:\Windows\SysWOW64\Abmjqe32.exe Aagdnn32.exe File opened for modification C:\Windows\SysWOW64\Pocdba32.exe Pfkpiled.exe File opened for modification C:\Windows\SysWOW64\Foakpc32.exe Flpbnh32.exe File created C:\Windows\SysWOW64\Jhgpbf32.exe Jnalem32.exe File created C:\Windows\SysWOW64\Iipkfmal.dll Pmjhlklg.exe File created C:\Windows\SysWOW64\Debalegc.dll Kfdklllb.exe File created C:\Windows\SysWOW64\Nloebh32.dll Qciebg32.exe File opened for modification C:\Windows\SysWOW64\Nofefp32.exe Nfnamjhk.exe File opened for modification C:\Windows\SysWOW64\Hgnlmdcp.exe Hnehdo32.exe File created C:\Windows\SysWOW64\Lndfchdj.exe Lelajb32.exe File created C:\Windows\SysWOW64\Aeeomegd.exe Aohfdnil.exe File created C:\Windows\SysWOW64\Lipcka32.dll Ppafpm32.exe File created C:\Windows\SysWOW64\Jpgcpo32.dll Inkjfk32.exe File created C:\Windows\SysWOW64\Cbnknpqj.exe Canocm32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eecfah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debaqh32.dll" Ocmjhfjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjakkmpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnknim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjiloqjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iofpnhmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahmikfcb.dll" Pgbdmfnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjjkaabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbnhl32.dll" Ilhkigcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbcignbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jglaepim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ifihdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjmjgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plbggp32.dll" Dojlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilpgfc32.dll" Bdocph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dkokbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gnohnffc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Idhiii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flfbcndo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajjjjghg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcdqnmmm.dll" Ghmbib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhejgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmkqpkla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ilibdmgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eclmlpfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjplibp.dll" Jfikaqme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kanbjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oalpigkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpmeimpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fcaqka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnljkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjmjgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iojkeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcgpmj32.dll" Cpmifkgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbjlgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdalkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghadjkhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcdlepj.dll" Hkiclepa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dndfnlpc.dll" Oqklkbbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bohbck32.dll" Kanidd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebagdddp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okbhlm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fcneeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgijkgeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klambq32.dll" Fooclapd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnaphbnj.dll" Mdcmnfop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdibqp32.dll" Odaiodbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okbhlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojomcopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Offnhpfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjiffif.dll" Ipkdek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpnkbfj.dll" Lfiokmkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bndjfjhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idfedoei.dll" Kpgoolbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omecabkc.dll" Enbhdojn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mcicma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebimgcfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ieojgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llklna32.dll" Pghaghfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipnlpf32.dll" Fhchhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjidgkog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oqhoeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjkdlall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkccgodj.dll" Fimhjl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3016 wrote to memory of 4776 3016 0e614f727a046701e87d5b34654c915ff46c47fbc9a033341686948ff3240ca5.exe 92 PID 3016 wrote to memory of 4776 3016 0e614f727a046701e87d5b34654c915ff46c47fbc9a033341686948ff3240ca5.exe 92 PID 3016 wrote to memory of 4776 3016 0e614f727a046701e87d5b34654c915ff46c47fbc9a033341686948ff3240ca5.exe 92 PID 4776 wrote to memory of 3552 4776 Ebimgcfi.exe 93 PID 4776 wrote to memory of 3552 4776 Ebimgcfi.exe 93 PID 4776 wrote to memory of 3552 4776 Ebimgcfi.exe 93 PID 3552 wrote to memory of 5060 3552 Emanjldl.exe 94 PID 3552 wrote to memory of 5060 3552 Emanjldl.exe 94 PID 3552 wrote to memory of 5060 3552 Emanjldl.exe 94 PID 5060 wrote to memory of 2720 5060 Flfkkhid.exe 95 PID 5060 wrote to memory of 2720 5060 Flfkkhid.exe 95 PID 5060 wrote to memory of 2720 5060 Flfkkhid.exe 95 PID 2720 wrote to memory of 1116 2720 Fmfgek32.exe 96 PID 2720 wrote to memory of 1116 2720 Fmfgek32.exe 96 PID 2720 wrote to memory of 1116 2720 Fmfgek32.exe 96 PID 1116 wrote to memory of 1980 1116 Fimhjl32.exe 97 PID 1116 wrote to memory of 1980 1116 Fimhjl32.exe 97 PID 1116 wrote to memory of 1980 1116 Fimhjl32.exe 97 PID 1980 wrote to memory of 3180 1980 Fmkqpkla.exe 98 PID 1980 wrote to memory of 3180 1980 Fmkqpkla.exe 98 PID 1980 wrote to memory of 3180 1980 Fmkqpkla.exe 98 PID 3180 wrote to memory of 3064 3180 Fmmmfj32.exe 99 PID 3180 wrote to memory of 3064 3180 Fmmmfj32.exe 99 PID 3180 wrote to memory of 3064 3180 Fmmmfj32.exe 99 PID 3064 wrote to memory of 4532 3064 Gmafajfi.exe 100 PID 3064 wrote to memory of 4532 3064 Gmafajfi.exe 100 PID 3064 wrote to memory of 4532 3064 Gmafajfi.exe 100 PID 4532 wrote to memory of 5036 4532 Gihgfk32.exe 101 PID 4532 wrote to memory of 5036 4532 Gihgfk32.exe 101 PID 4532 wrote to memory of 5036 4532 Gihgfk32.exe 101 PID 5036 wrote to memory of 5044 5036 Gpelhd32.exe 102 PID 5036 wrote to memory of 5044 5036 Gpelhd32.exe 102 PID 5036 wrote to memory of 5044 5036 Gpelhd32.exe 102 PID 5044 wrote to memory of 2120 5044 Hedafk32.exe 103 PID 5044 wrote to memory of 2120 5044 Hedafk32.exe 103 PID 5044 wrote to memory of 2120 5044 Hedafk32.exe 103 PID 2120 wrote to memory of 3984 2120 Hplbickp.exe 104 PID 2120 wrote to memory of 3984 2120 Hplbickp.exe 104 PID 2120 wrote to memory of 3984 2120 Hplbickp.exe 104 PID 3984 wrote to memory of 2832 3984 Hpnoncim.exe 105 PID 3984 wrote to memory of 2832 3984 Hpnoncim.exe 105 PID 3984 wrote to memory of 2832 3984 Hpnoncim.exe 105 PID 2832 wrote to memory of 1428 2832 Hbohpn32.exe 106 PID 2832 wrote to memory of 1428 2832 Hbohpn32.exe 106 PID 2832 wrote to memory of 1428 2832 Hbohpn32.exe 106 PID 1428 wrote to memory of 4124 1428 Iikmbh32.exe 107 PID 1428 wrote to memory of 4124 1428 Iikmbh32.exe 107 PID 1428 wrote to memory of 4124 1428 Iikmbh32.exe 107 PID 4124 wrote to memory of 1160 4124 Illfdc32.exe 108 PID 4124 wrote to memory of 1160 4124 Illfdc32.exe 108 PID 4124 wrote to memory of 1160 4124 Illfdc32.exe 108 PID 1160 wrote to memory of 3636 1160 Imkbnf32.exe 109 PID 1160 wrote to memory of 3636 1160 Imkbnf32.exe 109 PID 1160 wrote to memory of 3636 1160 Imkbnf32.exe 109 PID 3636 wrote to memory of 4500 3636 Ilcldb32.exe 110 PID 3636 wrote to memory of 4500 3636 Ilcldb32.exe 110 PID 3636 wrote to memory of 4500 3636 Ilcldb32.exe 110 PID 4500 wrote to memory of 1136 4500 Jnlkedai.exe 111 PID 4500 wrote to memory of 1136 4500 Jnlkedai.exe 111 PID 4500 wrote to memory of 1136 4500 Jnlkedai.exe 111 PID 1136 wrote to memory of 820 1136 Kcidmkpq.exe 112 PID 1136 wrote to memory of 820 1136 Kcidmkpq.exe 112 PID 1136 wrote to memory of 820 1136 Kcidmkpq.exe 112 PID 820 wrote to memory of 2000 820 Keimof32.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e614f727a046701e87d5b34654c915ff46c47fbc9a033341686948ff3240ca5.exe"C:\Users\Admin\AppData\Local\Temp\0e614f727a046701e87d5b34654c915ff46c47fbc9a033341686948ff3240ca5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Ebimgcfi.exeC:\Windows\system32\Ebimgcfi.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\SysWOW64\Emanjldl.exeC:\Windows\system32\Emanjldl.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3552 -
C:\Windows\SysWOW64\Flfkkhid.exeC:\Windows\system32\Flfkkhid.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\Fmfgek32.exeC:\Windows\system32\Fmfgek32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Fimhjl32.exeC:\Windows\system32\Fimhjl32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\SysWOW64\Fmkqpkla.exeC:\Windows\system32\Fmkqpkla.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Fmmmfj32.exeC:\Windows\system32\Fmmmfj32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
C:\Windows\SysWOW64\Gmafajfi.exeC:\Windows\system32\Gmafajfi.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Gihgfk32.exeC:\Windows\system32\Gihgfk32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\SysWOW64\Gpelhd32.exeC:\Windows\system32\Gpelhd32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\Hedafk32.exeC:\Windows\system32\Hedafk32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Hplbickp.exeC:\Windows\system32\Hplbickp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Hpnoncim.exeC:\Windows\system32\Hpnoncim.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Windows\SysWOW64\Hbohpn32.exeC:\Windows\system32\Hbohpn32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Iikmbh32.exeC:\Windows\system32\Iikmbh32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Illfdc32.exeC:\Windows\system32\Illfdc32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
C:\Windows\SysWOW64\Imkbnf32.exeC:\Windows\system32\Imkbnf32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Ilcldb32.exeC:\Windows\system32\Ilcldb32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636 -
C:\Windows\SysWOW64\Jnlkedai.exeC:\Windows\system32\Jnlkedai.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\SysWOW64\Kcidmkpq.exeC:\Windows\system32\Kcidmkpq.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Keimof32.exeC:\Windows\system32\Keimof32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Windows\SysWOW64\Kgiiiidd.exeC:\Windows\system32\Kgiiiidd.exe23⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Kodnmkap.exeC:\Windows\system32\Kodnmkap.exe24⤵
- Executes dropped EXE
PID:3892 -
C:\Windows\SysWOW64\Kgnbdh32.exeC:\Windows\system32\Kgnbdh32.exe25⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Lqhdbm32.exeC:\Windows\system32\Lqhdbm32.exe26⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Lnoaaaad.exeC:\Windows\system32\Lnoaaaad.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3248 -
C:\Windows\SysWOW64\Lcnfohmi.exeC:\Windows\system32\Lcnfohmi.exe28⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Mjjkaabc.exeC:\Windows\system32\Mjjkaabc.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3800 -
C:\Windows\SysWOW64\Mnhdgpii.exeC:\Windows\system32\Mnhdgpii.exe30⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Mqimikfj.exeC:\Windows\system32\Mqimikfj.exe31⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Mnmmboed.exeC:\Windows\system32\Mnmmboed.exe32⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Nopfpgip.exeC:\Windows\system32\Nopfpgip.exe33⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Nqbpojnp.exeC:\Windows\system32\Nqbpojnp.exe34⤵
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Npgmpf32.exeC:\Windows\system32\Npgmpf32.exe35⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Ojomcopk.exeC:\Windows\system32\Ojomcopk.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3084 -
C:\Windows\SysWOW64\Offnhpfo.exeC:\Windows\system32\Offnhpfo.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Ofhknodl.exeC:\Windows\system32\Ofhknodl.exe38⤵
- Executes dropped EXE
PID:4540 -
C:\Windows\SysWOW64\Ofkgcobj.exeC:\Windows\system32\Ofkgcobj.exe39⤵
- Executes dropped EXE
PID:3956 -
C:\Windows\SysWOW64\Oabhfg32.exeC:\Windows\system32\Oabhfg32.exe40⤵
- Executes dropped EXE
PID:3576 -
C:\Windows\SysWOW64\Pnfiplog.exeC:\Windows\system32\Pnfiplog.exe41⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Phonha32.exeC:\Windows\system32\Phonha32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4992 -
C:\Windows\SysWOW64\Pfdjinjo.exeC:\Windows\system32\Pfdjinjo.exe43⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Pffgom32.exeC:\Windows\system32\Pffgom32.exe44⤵PID:1840
-
C:\Windows\SysWOW64\Pfiddm32.exeC:\Windows\system32\Pfiddm32.exe45⤵
- Executes dropped EXE
PID:64 -
C:\Windows\SysWOW64\Qjfmkk32.exeC:\Windows\system32\Qjfmkk32.exe46⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Qdoacabq.exeC:\Windows\system32\Qdoacabq.exe47⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Qpeahb32.exeC:\Windows\system32\Qpeahb32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Amjbbfgo.exeC:\Windows\system32\Amjbbfgo.exe49⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Afbgkl32.exeC:\Windows\system32\Afbgkl32.exe50⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Adfgdpmi.exeC:\Windows\system32\Adfgdpmi.exe51⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Aokkahlo.exeC:\Windows\system32\Aokkahlo.exe52⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Aonhghjl.exeC:\Windows\system32\Aonhghjl.exe53⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Agimkk32.exeC:\Windows\system32\Agimkk32.exe54⤵
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\Bobabg32.exeC:\Windows\system32\Bobabg32.exe55⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Bkibgh32.exeC:\Windows\system32\Bkibgh32.exe56⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Bgpcliao.exeC:\Windows\system32\Bgpcliao.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4272 -
C:\Windows\SysWOW64\Baegibae.exeC:\Windows\system32\Baegibae.exe58⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Bkphhgfc.exeC:\Windows\system32\Bkphhgfc.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:656 -
C:\Windows\SysWOW64\Conanfli.exeC:\Windows\system32\Conanfli.exe60⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Cglbhhga.exeC:\Windows\system32\Cglbhhga.exe61⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Coegoe32.exeC:\Windows\system32\Coegoe32.exe62⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Dafppp32.exeC:\Windows\system32\Dafppp32.exe63⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Dgcihgaj.exeC:\Windows\system32\Dgcihgaj.exe64⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Dpkmal32.exeC:\Windows\system32\Dpkmal32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1748 -
C:\Windows\SysWOW64\Ddifgk32.exeC:\Windows\system32\Ddifgk32.exe66⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Doojec32.exeC:\Windows\system32\Doojec32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4580 -
C:\Windows\SysWOW64\Dkekjdck.exeC:\Windows\system32\Dkekjdck.exe68⤵PID:4828
-
C:\Windows\SysWOW64\Ddnobj32.exeC:\Windows\system32\Ddnobj32.exe69⤵PID:3404
-
C:\Windows\SysWOW64\Eoepebho.exeC:\Windows\system32\Eoepebho.exe70⤵PID:4064
-
C:\Windows\SysWOW64\Egaejeej.exeC:\Windows\system32\Egaejeej.exe71⤵PID:1712
-
C:\Windows\SysWOW64\Fooclapd.exeC:\Windows\system32\Fooclapd.exe72⤵
- Modifies registry class
PID:3232 -
C:\Windows\SysWOW64\Fkfcqb32.exeC:\Windows\system32\Fkfcqb32.exe73⤵PID:5000
-
C:\Windows\SysWOW64\Fijdjfdb.exeC:\Windows\system32\Fijdjfdb.exe74⤵PID:2092
-
C:\Windows\SysWOW64\Fgoakc32.exeC:\Windows\system32\Fgoakc32.exe75⤵PID:1076
-
C:\Windows\SysWOW64\Finnef32.exeC:\Windows\system32\Finnef32.exe76⤵PID:1128
-
C:\Windows\SysWOW64\Fajbjh32.exeC:\Windows\system32\Fajbjh32.exe77⤵PID:3428
-
C:\Windows\SysWOW64\Fkofga32.exeC:\Windows\system32\Fkofga32.exe78⤵PID:5136
-
C:\Windows\SysWOW64\Galoohke.exeC:\Windows\system32\Galoohke.exe79⤵PID:5176
-
C:\Windows\SysWOW64\Gkaclqkk.exeC:\Windows\system32\Gkaclqkk.exe80⤵PID:5216
-
C:\Windows\SysWOW64\Gaqhjggp.exeC:\Windows\system32\Gaqhjggp.exe81⤵PID:5256
-
C:\Windows\SysWOW64\Ggkqgaol.exeC:\Windows\system32\Ggkqgaol.exe82⤵PID:5304
-
C:\Windows\SysWOW64\Gbpedjnb.exeC:\Windows\system32\Gbpedjnb.exe83⤵PID:5348
-
C:\Windows\SysWOW64\Gngeik32.exeC:\Windows\system32\Gngeik32.exe84⤵
- Drops file in System32 directory
PID:5388 -
C:\Windows\SysWOW64\Hecjke32.exeC:\Windows\system32\Hecjke32.exe85⤵PID:5464
-
C:\Windows\SysWOW64\Hpioin32.exeC:\Windows\system32\Hpioin32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5512 -
C:\Windows\SysWOW64\Heegad32.exeC:\Windows\system32\Heegad32.exe87⤵PID:5568
-
C:\Windows\SysWOW64\Hbihjifh.exeC:\Windows\system32\Hbihjifh.exe88⤵PID:5604
-
C:\Windows\SysWOW64\Hicpgc32.exeC:\Windows\system32\Hicpgc32.exe89⤵PID:5656
-
C:\Windows\SysWOW64\Hejqldci.exeC:\Windows\system32\Hejqldci.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5700 -
C:\Windows\SysWOW64\Ilfennic.exeC:\Windows\system32\Ilfennic.exe91⤵PID:5740
-
C:\Windows\SysWOW64\Ieojgc32.exeC:\Windows\system32\Ieojgc32.exe92⤵
- Modifies registry class
PID:5788 -
C:\Windows\SysWOW64\Ilibdmgp.exeC:\Windows\system32\Ilibdmgp.exe93⤵
- Modifies registry class
PID:5832 -
C:\Windows\SysWOW64\Ibcjqgnm.exeC:\Windows\system32\Ibcjqgnm.exe94⤵PID:5876
-
C:\Windows\SysWOW64\Iojkeh32.exeC:\Windows\system32\Iojkeh32.exe95⤵
- Modifies registry class
PID:5924 -
C:\Windows\SysWOW64\Iiopca32.exeC:\Windows\system32\Iiopca32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5960 -
C:\Windows\SysWOW64\Ibgdlg32.exeC:\Windows\system32\Ibgdlg32.exe97⤵PID:6024
-
C:\Windows\SysWOW64\Ipkdek32.exeC:\Windows\system32\Ipkdek32.exe98⤵
- Modifies registry class
PID:6068 -
C:\Windows\SysWOW64\Jidinqpb.exeC:\Windows\system32\Jidinqpb.exe99⤵PID:6108
-
C:\Windows\SysWOW64\Jaonbc32.exeC:\Windows\system32\Jaonbc32.exe100⤵PID:1256
-
C:\Windows\SysWOW64\Jldbpl32.exeC:\Windows\system32\Jldbpl32.exe101⤵PID:5204
-
C:\Windows\SysWOW64\Jpbjfjci.exeC:\Windows\system32\Jpbjfjci.exe102⤵PID:5300
-
C:\Windows\SysWOW64\Jeocna32.exeC:\Windows\system32\Jeocna32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5336 -
C:\Windows\SysWOW64\Jafdcbge.exeC:\Windows\system32\Jafdcbge.exe104⤵
- Drops file in System32 directory
PID:5416 -
C:\Windows\SysWOW64\Jllhpkfk.exeC:\Windows\system32\Jllhpkfk.exe105⤵PID:5508
-
C:\Windows\SysWOW64\Jbepme32.exeC:\Windows\system32\Jbepme32.exe106⤵PID:5596
-
C:\Windows\SysWOW64\Kiphjo32.exeC:\Windows\system32\Kiphjo32.exe107⤵PID:5668
-
C:\Windows\SysWOW64\Kolabf32.exeC:\Windows\system32\Kolabf32.exe108⤵PID:5756
-
C:\Windows\SysWOW64\Kplmliko.exeC:\Windows\system32\Kplmliko.exe109⤵PID:5824
-
C:\Windows\SysWOW64\Klbnajqc.exeC:\Windows\system32\Klbnajqc.exe110⤵PID:5888
-
C:\Windows\SysWOW64\Kcmfnd32.exeC:\Windows\system32\Kcmfnd32.exe111⤵PID:5968
-
C:\Windows\SysWOW64\Khiofk32.exeC:\Windows\system32\Khiofk32.exe112⤵PID:6060
-
C:\Windows\SysWOW64\Kiikpnmj.exeC:\Windows\system32\Kiikpnmj.exe113⤵PID:6124
-
C:\Windows\SysWOW64\Lljdai32.exeC:\Windows\system32\Lljdai32.exe114⤵
- Drops file in System32 directory
PID:5200 -
C:\Windows\SysWOW64\Lindkm32.exeC:\Windows\system32\Lindkm32.exe115⤵PID:5272
-
C:\Windows\SysWOW64\Lojmcdgl.exeC:\Windows\system32\Lojmcdgl.exe116⤵PID:5396
-
C:\Windows\SysWOW64\Ljpaqmgb.exeC:\Windows\system32\Ljpaqmgb.exe117⤵PID:5552
-
C:\Windows\SysWOW64\Lpjjmg32.exeC:\Windows\system32\Lpjjmg32.exe118⤵PID:5736
-
C:\Windows\SysWOW64\Loofnccf.exeC:\Windows\system32\Loofnccf.exe119⤵PID:5860
-
C:\Windows\SysWOW64\Lfiokmkc.exeC:\Windows\system32\Lfiokmkc.exe120⤵
- Drops file in System32 directory
- Modifies registry class
PID:6000 -
C:\Windows\SysWOW64\Lpochfji.exeC:\Windows\system32\Lpochfji.exe121⤵PID:6100
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-