Analysis
-
max time kernel
67s -
max time network
53s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
28/04/2024, 19:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
28321786069b8c9df26a6e62f292af5bab5ebfde601967e4b15047bd07dff5ae.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
28321786069b8c9df26a6e62f292af5bab5ebfde601967e4b15047bd07dff5ae.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
28321786069b8c9df26a6e62f292af5bab5ebfde601967e4b15047bd07dff5ae.exe
-
Size
199KB
-
MD5
bbb32ccb5a33b32a871a27b98a3b407b
-
SHA1
236b836df5f7a1708f61ebd36704ddf21962a5c8
-
SHA256
28321786069b8c9df26a6e62f292af5bab5ebfde601967e4b15047bd07dff5ae
-
SHA512
e0e2dac4eb62ac550e5b1a5d1dc0cde90244e81fb48824c44389837809c320f8bfcf29986b42a789ce2a496cce8abe8c6991de4ea74686b6bd1a429dca7af8a6
-
SSDEEP
3072:HBhqDamxipS5DSCopsIm81+jq2832dp5Xp+7+10K03Rq/ghavVQXxFaPsRbh:Hi+mkSZSCZj81+jq4peBK034YOmFz1h
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acmflf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkoggkjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imfdff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdjagjco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqfmde32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbgipldd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbifelba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bemlmgnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcpclbfa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kikame32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifjfnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkmchi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdqgmmjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kikame32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhhnpjmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkifae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajfhnjhq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aldomc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdialn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npfkgjdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afhohlbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bapiabak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhkhibmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfcicmqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llemdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofqpqo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbmncp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkmchi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcbpab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnhjohkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfmajipb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfachc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Echknh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhjfhl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjddphlq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffekegon.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjclbc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqgkhnjf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcbihpel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpebpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojjolnaq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imihfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcifkp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldaeka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhcpgmjf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imfdff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdnidn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcpapkgp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldmlpbbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekemhj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpijnqkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjclbc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocegdjij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldleel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mipcob32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnbmefbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chbnia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcddpdpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndhmhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjokdipf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmgbnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abngjnmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edkdkplj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eofbch32.exe -
Executes dropped EXE 64 IoCs
pid Process 4224 Ecmlcmhe.exe 4852 Eflhoigi.exe 4800 Eodlho32.exe 4236 Ecphimfb.exe 4424 Elhmablc.exe 2556 Eqciba32.exe 3704 Ejlmkgkl.exe 3892 Emjjgbjp.exe 748 Ecdbdl32.exe 2996 Fhajlc32.exe 4596 Fmmfmbhn.exe 4180 Ffekegon.exe 972 Fqkocpod.exe 4616 Fjcclf32.exe 1604 Fopldmcl.exe 4488 Fbnhphbp.exe 4824 Fjepaecb.exe 2844 Fmclmabe.exe 4668 Fflaff32.exe 3940 Fqaeco32.exe 2476 Gcpapkgp.exe 2480 Gimjhafg.exe 3664 Gqdbiofi.exe 2424 Gbenqg32.exe 2660 Goiojk32.exe 1584 Gfcgge32.exe 2696 Giacca32.exe 224 Gpklpkio.exe 856 Gbjhlfhb.exe 4440 Gmoliohh.exe 2228 Gbldaffp.exe 4648 Gjclbc32.exe 2688 Gmaioo32.exe 4208 Gameonno.exe 4848 Hclakimb.exe 3208 Hfjmgdlf.exe 4144 Hmdedo32.exe 1412 Hbanme32.exe 2812 Hjhfnccl.exe 980 Hpenfjad.exe 4768 Hfofbd32.exe 2164 Hccglh32.exe 3404 Hfachc32.exe 2156 Hmklen32.exe 3420 Hbhdmd32.exe 3716 Hibljoco.exe 3692 Ibjqcd32.exe 3068 Iidipnal.exe 3384 Ifhiib32.exe 3480 Iannfk32.exe 4480 Ifjfnb32.exe 2236 Ipckgh32.exe 348 Iikopmkd.exe 2664 Ipegmg32.exe 3680 Ifopiajn.exe 3864 Imihfl32.exe 4220 Jjmhppqd.exe 2976 Jdemhe32.exe 2088 Jjpeepnb.exe 2796 Jplmmfmi.exe 4436 Jjbako32.exe 1176 Jaljgidl.exe 4260 Jfhbppbc.exe 4216 Jangmibi.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mpdelajl.exe Mnfipekh.exe File created C:\Windows\SysWOW64\Okolkg32.exe Ocgdji32.exe File created C:\Windows\SysWOW64\Bhkhibmc.exe Bemlmgnp.exe File created C:\Windows\SysWOW64\Menjdbgj.exe Mdmnlj32.exe File created C:\Windows\SysWOW64\Bneljh32.dll Bjokdipf.exe File created C:\Windows\SysWOW64\Lnhmng32.exe Lgneampk.exe File created C:\Windows\SysWOW64\Njnpppkn.exe Ngpccdlj.exe File created C:\Windows\SysWOW64\Qalnjkgo.exe Qnnanphk.exe File created C:\Windows\SysWOW64\Lihoogdd.dll Ipckgh32.exe File created C:\Windows\SysWOW64\Jlnpomfk.dll Nafokcol.exe File created C:\Windows\SysWOW64\Acmflf32.exe Abkjdnoa.exe File created C:\Windows\SysWOW64\Lbmhlihl.exe Llcpoo32.exe File opened for modification C:\Windows\SysWOW64\Baicac32.exe Bjokdipf.exe File opened for modification C:\Windows\SysWOW64\Bnbmefbg.exe Bhhdil32.exe File created C:\Windows\SysWOW64\Dddhpjof.exe Daekdooc.exe File opened for modification C:\Windows\SysWOW64\Gmoliohh.exe Gbjhlfhb.exe File created C:\Windows\SysWOW64\Kpjgop32.dll Eleiam32.exe File opened for modification C:\Windows\SysWOW64\Ojjolnaq.exe Ofnckp32.exe File created C:\Windows\SysWOW64\Aaepqjpd.exe Angddopp.exe File created C:\Windows\SysWOW64\Mnfipekh.exe Mkgmcjld.exe File created C:\Windows\SysWOW64\Gqffpbnb.dll Oqgkhnjf.exe File created C:\Windows\SysWOW64\Mipaiqmd.dll Qloebdig.exe File created C:\Windows\SysWOW64\Meknidfo.dll Qnnanphk.exe File created C:\Windows\SysWOW64\Cleqadmh.dll Abpcon32.exe File created C:\Windows\SysWOW64\Fchddejl.exe Fhcpgmjf.exe File opened for modification C:\Windows\SysWOW64\Kboljk32.exe Jpppnp32.exe File created C:\Windows\SysWOW64\Iannfk32.exe Ifhiib32.exe File created C:\Windows\SysWOW64\Jdencjac.dll Bldgdago.exe File created C:\Windows\SysWOW64\Dammlf32.dll Hflcbngh.exe File created C:\Windows\SysWOW64\Qgejif32.dll Lpocjdld.exe File created C:\Windows\SysWOW64\Filmclmj.dll Ocqnij32.exe File created C:\Windows\SysWOW64\Pbbgnpgl.exe Pkhoae32.exe File created C:\Windows\SysWOW64\Iclnemml.dll Qalnjkgo.exe File created C:\Windows\SysWOW64\Mjdgcbkb.dll Bbgipldd.exe File created C:\Windows\SysWOW64\Hnigkegh.dll Clkndpag.exe File opened for modification C:\Windows\SysWOW64\Fojlngce.exe Fafkecel.exe File created C:\Windows\SysWOW64\Bnmcjg32.exe Bgcknmop.exe File created C:\Windows\SysWOW64\Ojmmkpmf.dll Kacphh32.exe File opened for modification C:\Windows\SysWOW64\Jjpeepnb.exe Jdemhe32.exe File opened for modification C:\Windows\SysWOW64\Lnhmng32.exe Lgneampk.exe File created C:\Windows\SysWOW64\Clpelohh.dll Nqpego32.exe File opened for modification C:\Windows\SysWOW64\Pengdk32.exe Pndohaqe.exe File created C:\Windows\SysWOW64\Gomakdcp.exe Gfembo32.exe File created C:\Windows\SysWOW64\Olpppj32.dll Hkdbpe32.exe File created C:\Windows\SysWOW64\Immapg32.exe Hfcicmqp.exe File created C:\Windows\SysWOW64\Elhmablc.exe Ecphimfb.exe File created C:\Windows\SysWOW64\Aepefb32.exe Aminee32.exe File created C:\Windows\SysWOW64\Dchfiejc.dll Ceehho32.exe File created C:\Windows\SysWOW64\Elcmjaol.dll Pflplnlg.exe File created C:\Windows\SysWOW64\Paihpaak.dll Fdialn32.exe File opened for modification C:\Windows\SysWOW64\Jangmibi.exe Jfhbppbc.exe File opened for modification C:\Windows\SysWOW64\Oqgkhnjf.exe Ojmcld32.exe File created C:\Windows\SysWOW64\Danecp32.exe Djdmffnn.exe File created C:\Windows\SysWOW64\Hbhdmd32.exe Hmklen32.exe File created C:\Windows\SysWOW64\Lgdalf32.dll Ehnglm32.exe File created C:\Windows\SysWOW64\Ipdqba32.exe Imfdff32.exe File created C:\Windows\SysWOW64\Anmcpemd.dll Jifhaenk.exe File created C:\Windows\SysWOW64\Kboljk32.exe Jpppnp32.exe File created C:\Windows\SysWOW64\Jcjpfk32.dll Lgmngglp.exe File created C:\Windows\SysWOW64\Hfachc32.exe Hccglh32.exe File created C:\Windows\SysWOW64\Kpjcdn32.exe Kipkhdeq.exe File created C:\Windows\SysWOW64\Likjcbkc.exe Lgmngglp.exe File opened for modification C:\Windows\SysWOW64\Npfkgjdn.exe Nilcjp32.exe File created C:\Windows\SysWOW64\Agffge32.exe Qalnjkgo.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11668 11584 WerFault.exe 564 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngedij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhmkghpm.dll" Qecppkdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjdgcbkb.dll" Bbgipldd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Echknh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olfobjbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Majopeii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkoggkjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdeqhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll" Bcoenmao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alabgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iejcji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klimip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpgfooop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kplpjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bagflcje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eemnjbaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqkocpod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbhdmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbbgnpgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekemhj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbdolh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjgbh32.dll" Eflhoigi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjmhppqd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnfipekh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nddkgonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cefoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikbnacmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll" Pjmehkqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedmgfjd.dll" Fbnhphbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pohkbc32.dll" Gomakdcp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acocaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll" Gjclbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndghmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beihma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdfkolkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbldaffp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdmaid32.dll" Ecphimfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbnhphbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goiojk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laalifad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjpej32.dll" Okeieh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hioiji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocnjidkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoodnhmi.dll" 28321786069b8c9df26a6e62f292af5bab5ebfde601967e4b15047bd07dff5ae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gameonno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndbnboqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffpbnb.dll" Oqgkhnjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkceffcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfembo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlcifmbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Menjdbgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjcclf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll" Bapiabak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjmcmj32.dll" Pbmncp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidpnp32.dll" Cbcilkjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghopckpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icplcpgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll" Pdkcde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aglemn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laalifad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnmopdep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcogch32.dll" Ocegdjij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfioebm.dll" Pgopffec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpklpkio.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 884 wrote to memory of 4224 884 28321786069b8c9df26a6e62f292af5bab5ebfde601967e4b15047bd07dff5ae.exe 83 PID 884 wrote to memory of 4224 884 28321786069b8c9df26a6e62f292af5bab5ebfde601967e4b15047bd07dff5ae.exe 83 PID 884 wrote to memory of 4224 884 28321786069b8c9df26a6e62f292af5bab5ebfde601967e4b15047bd07dff5ae.exe 83 PID 4224 wrote to memory of 4852 4224 Ecmlcmhe.exe 84 PID 4224 wrote to memory of 4852 4224 Ecmlcmhe.exe 84 PID 4224 wrote to memory of 4852 4224 Ecmlcmhe.exe 84 PID 4852 wrote to memory of 4800 4852 Eflhoigi.exe 85 PID 4852 wrote to memory of 4800 4852 Eflhoigi.exe 85 PID 4852 wrote to memory of 4800 4852 Eflhoigi.exe 85 PID 4800 wrote to memory of 4236 4800 Eodlho32.exe 86 PID 4800 wrote to memory of 4236 4800 Eodlho32.exe 86 PID 4800 wrote to memory of 4236 4800 Eodlho32.exe 86 PID 4236 wrote to memory of 4424 4236 Ecphimfb.exe 87 PID 4236 wrote to memory of 4424 4236 Ecphimfb.exe 87 PID 4236 wrote to memory of 4424 4236 Ecphimfb.exe 87 PID 4424 wrote to memory of 2556 4424 Elhmablc.exe 88 PID 4424 wrote to memory of 2556 4424 Elhmablc.exe 88 PID 4424 wrote to memory of 2556 4424 Elhmablc.exe 88 PID 2556 wrote to memory of 3704 2556 Eqciba32.exe 90 PID 2556 wrote to memory of 3704 2556 Eqciba32.exe 90 PID 2556 wrote to memory of 3704 2556 Eqciba32.exe 90 PID 3704 wrote to memory of 3892 3704 Ejlmkgkl.exe 91 PID 3704 wrote to memory of 3892 3704 Ejlmkgkl.exe 91 PID 3704 wrote to memory of 3892 3704 Ejlmkgkl.exe 91 PID 3892 wrote to memory of 748 3892 Emjjgbjp.exe 92 PID 3892 wrote to memory of 748 3892 Emjjgbjp.exe 92 PID 3892 wrote to memory of 748 3892 Emjjgbjp.exe 92 PID 748 wrote to memory of 2996 748 Ecdbdl32.exe 94 PID 748 wrote to memory of 2996 748 Ecdbdl32.exe 94 PID 748 wrote to memory of 2996 748 Ecdbdl32.exe 94 PID 2996 wrote to memory of 4596 2996 Fhajlc32.exe 95 PID 2996 wrote to memory of 4596 2996 Fhajlc32.exe 95 PID 2996 wrote to memory of 4596 2996 Fhajlc32.exe 95 PID 4596 wrote to memory of 4180 4596 Fmmfmbhn.exe 96 PID 4596 wrote to memory of 4180 4596 Fmmfmbhn.exe 96 PID 4596 wrote to memory of 4180 4596 Fmmfmbhn.exe 96 PID 4180 wrote to memory of 972 4180 Ffekegon.exe 98 PID 4180 wrote to memory of 972 4180 Ffekegon.exe 98 PID 4180 wrote to memory of 972 4180 Ffekegon.exe 98 PID 972 wrote to memory of 4616 972 Fqkocpod.exe 99 PID 972 wrote to memory of 4616 972 Fqkocpod.exe 99 PID 972 wrote to memory of 4616 972 Fqkocpod.exe 99 PID 4616 wrote to memory of 1604 4616 Fjcclf32.exe 100 PID 4616 wrote to memory of 1604 4616 Fjcclf32.exe 100 PID 4616 wrote to memory of 1604 4616 Fjcclf32.exe 100 PID 1604 wrote to memory of 4488 1604 Fopldmcl.exe 101 PID 1604 wrote to memory of 4488 1604 Fopldmcl.exe 101 PID 1604 wrote to memory of 4488 1604 Fopldmcl.exe 101 PID 4488 wrote to memory of 4824 4488 Fbnhphbp.exe 102 PID 4488 wrote to memory of 4824 4488 Fbnhphbp.exe 102 PID 4488 wrote to memory of 4824 4488 Fbnhphbp.exe 102 PID 4824 wrote to memory of 2844 4824 Fjepaecb.exe 103 PID 4824 wrote to memory of 2844 4824 Fjepaecb.exe 103 PID 4824 wrote to memory of 2844 4824 Fjepaecb.exe 103 PID 2844 wrote to memory of 4668 2844 Fmclmabe.exe 104 PID 2844 wrote to memory of 4668 2844 Fmclmabe.exe 104 PID 2844 wrote to memory of 4668 2844 Fmclmabe.exe 104 PID 4668 wrote to memory of 3940 4668 Fflaff32.exe 105 PID 4668 wrote to memory of 3940 4668 Fflaff32.exe 105 PID 4668 wrote to memory of 3940 4668 Fflaff32.exe 105 PID 3940 wrote to memory of 2476 3940 Fqaeco32.exe 106 PID 3940 wrote to memory of 2476 3940 Fqaeco32.exe 106 PID 3940 wrote to memory of 2476 3940 Fqaeco32.exe 106 PID 2476 wrote to memory of 2480 2476 Gcpapkgp.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\28321786069b8c9df26a6e62f292af5bab5ebfde601967e4b15047bd07dff5ae.exe"C:\Users\Admin\AppData\Local\Temp\28321786069b8c9df26a6e62f292af5bab5ebfde601967e4b15047bd07dff5ae.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\SysWOW64\Ecmlcmhe.exeC:\Windows\system32\Ecmlcmhe.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
C:\Windows\SysWOW64\Eflhoigi.exeC:\Windows\system32\Eflhoigi.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\Eodlho32.exeC:\Windows\system32\Eodlho32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\SysWOW64\Ecphimfb.exeC:\Windows\system32\Ecphimfb.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4236 -
C:\Windows\SysWOW64\Elhmablc.exeC:\Windows\system32\Elhmablc.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\SysWOW64\Eqciba32.exeC:\Windows\system32\Eqciba32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Ejlmkgkl.exeC:\Windows\system32\Ejlmkgkl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Windows\SysWOW64\Emjjgbjp.exeC:\Windows\system32\Emjjgbjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
C:\Windows\SysWOW64\Ecdbdl32.exeC:\Windows\system32\Ecdbdl32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\Fhajlc32.exeC:\Windows\system32\Fhajlc32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Fmmfmbhn.exeC:\Windows\system32\Fmmfmbhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Ffekegon.exeC:\Windows\system32\Ffekegon.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
C:\Windows\SysWOW64\Fqkocpod.exeC:\Windows\system32\Fqkocpod.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:972 -
C:\Windows\SysWOW64\Fjcclf32.exeC:\Windows\system32\Fjcclf32.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\SysWOW64\Fopldmcl.exeC:\Windows\system32\Fopldmcl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Fbnhphbp.exeC:\Windows\system32\Fbnhphbp.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\SysWOW64\Fjepaecb.exeC:\Windows\system32\Fjepaecb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Windows\SysWOW64\Fmclmabe.exeC:\Windows\system32\Fmclmabe.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Fflaff32.exeC:\Windows\system32\Fflaff32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
C:\Windows\SysWOW64\Fqaeco32.exeC:\Windows\system32\Fqaeco32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
C:\Windows\SysWOW64\Gcpapkgp.exeC:\Windows\system32\Gcpapkgp.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Gimjhafg.exeC:\Windows\system32\Gimjhafg.exe23⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Gqdbiofi.exeC:\Windows\system32\Gqdbiofi.exe24⤵
- Executes dropped EXE
PID:3664 -
C:\Windows\SysWOW64\Gbenqg32.exeC:\Windows\system32\Gbenqg32.exe25⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Goiojk32.exeC:\Windows\system32\Goiojk32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Gfcgge32.exeC:\Windows\system32\Gfcgge32.exe27⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Giacca32.exeC:\Windows\system32\Giacca32.exe28⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Gpklpkio.exeC:\Windows\system32\Gpklpkio.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:224 -
C:\Windows\SysWOW64\Gbjhlfhb.exeC:\Windows\system32\Gbjhlfhb.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:856 -
C:\Windows\SysWOW64\Gmoliohh.exeC:\Windows\system32\Gmoliohh.exe31⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Gbldaffp.exeC:\Windows\system32\Gbldaffp.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Gjclbc32.exeC:\Windows\system32\Gjclbc32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4648 -
C:\Windows\SysWOW64\Gmaioo32.exeC:\Windows\system32\Gmaioo32.exe34⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Gameonno.exeC:\Windows\system32\Gameonno.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:4208 -
C:\Windows\SysWOW64\Hclakimb.exeC:\Windows\system32\Hclakimb.exe36⤵
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Hfjmgdlf.exeC:\Windows\system32\Hfjmgdlf.exe37⤵
- Executes dropped EXE
PID:3208 -
C:\Windows\SysWOW64\Hmdedo32.exeC:\Windows\system32\Hmdedo32.exe38⤵
- Executes dropped EXE
PID:4144 -
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe39⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Hjhfnccl.exeC:\Windows\system32\Hjhfnccl.exe40⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Hpenfjad.exeC:\Windows\system32\Hpenfjad.exe41⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Hfofbd32.exeC:\Windows\system32\Hfofbd32.exe42⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2164 -
C:\Windows\SysWOW64\Hfachc32.exeC:\Windows\system32\Hfachc32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Hmklen32.exeC:\Windows\system32\Hmklen32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Hbhdmd32.exeC:\Windows\system32\Hbhdmd32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:3420 -
C:\Windows\SysWOW64\Hibljoco.exeC:\Windows\system32\Hibljoco.exe47⤵
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\Ibjqcd32.exeC:\Windows\system32\Ibjqcd32.exe48⤵
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Iidipnal.exeC:\Windows\system32\Iidipnal.exe49⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Ifhiib32.exeC:\Windows\system32\Ifhiib32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3384 -
C:\Windows\SysWOW64\Iannfk32.exeC:\Windows\system32\Iannfk32.exe51⤵
- Executes dropped EXE
PID:3480 -
C:\Windows\SysWOW64\Ifjfnb32.exeC:\Windows\system32\Ifjfnb32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Ipckgh32.exeC:\Windows\system32\Ipckgh32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2236 -
C:\Windows\SysWOW64\Iikopmkd.exeC:\Windows\system32\Iikopmkd.exe54⤵
- Executes dropped EXE
PID:348 -
C:\Windows\SysWOW64\Ipegmg32.exeC:\Windows\system32\Ipegmg32.exe55⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Ifopiajn.exeC:\Windows\system32\Ifopiajn.exe56⤵
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Imihfl32.exeC:\Windows\system32\Imihfl32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Jjmhppqd.exeC:\Windows\system32\Jjmhppqd.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:4220 -
C:\Windows\SysWOW64\Jdemhe32.exeC:\Windows\system32\Jdemhe32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Jjpeepnb.exeC:\Windows\system32\Jjpeepnb.exe60⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Jplmmfmi.exeC:\Windows\system32\Jplmmfmi.exe61⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Jjbako32.exeC:\Windows\system32\Jjbako32.exe62⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Jaljgidl.exeC:\Windows\system32\Jaljgidl.exe63⤵
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Jfhbppbc.exeC:\Windows\system32\Jfhbppbc.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4260 -
C:\Windows\SysWOW64\Jangmibi.exeC:\Windows\system32\Jangmibi.exe65⤵
- Executes dropped EXE
PID:4216 -
C:\Windows\SysWOW64\Jdmcidam.exeC:\Windows\system32\Jdmcidam.exe66⤵PID:4444
-
C:\Windows\SysWOW64\Jiikak32.exeC:\Windows\system32\Jiikak32.exe67⤵PID:3972
-
C:\Windows\SysWOW64\Kaqcbi32.exeC:\Windows\system32\Kaqcbi32.exe68⤵PID:2352
-
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe69⤵PID:2616
-
C:\Windows\SysWOW64\Kacphh32.exeC:\Windows\system32\Kacphh32.exe70⤵
- Drops file in System32 directory
PID:1740 -
C:\Windows\SysWOW64\Kbdmpqcb.exeC:\Windows\system32\Kbdmpqcb.exe71⤵PID:908
-
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe72⤵PID:3644
-
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe73⤵PID:3548
-
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe74⤵PID:4664
-
C:\Windows\SysWOW64\Kcifkp32.exeC:\Windows\system32\Kcifkp32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2208 -
C:\Windows\SysWOW64\Kpmfddnf.exeC:\Windows\system32\Kpmfddnf.exe76⤵PID:4908
-
C:\Windows\SysWOW64\Kgfoan32.exeC:\Windows\system32\Kgfoan32.exe77⤵PID:1648
-
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe78⤵
- Drops file in System32 directory
PID:4628 -
C:\Windows\SysWOW64\Lkdggmlj.exeC:\Windows\system32\Lkdggmlj.exe79⤵PID:4212
-
C:\Windows\SysWOW64\Laopdgcg.exeC:\Windows\system32\Laopdgcg.exe80⤵PID:1736
-
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3052 -
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe82⤵PID:2804
-
C:\Windows\SysWOW64\Laalifad.exeC:\Windows\system32\Laalifad.exe83⤵
- Modifies registry class
PID:4764 -
C:\Windows\SysWOW64\Lgneampk.exeC:\Windows\system32\Lgneampk.exe84⤵
- Drops file in System32 directory
PID:2564 -
C:\Windows\SysWOW64\Lnhmng32.exeC:\Windows\system32\Lnhmng32.exe85⤵PID:2180
-
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2572 -
C:\Windows\SysWOW64\Ljnnch32.exeC:\Windows\system32\Ljnnch32.exe87⤵PID:4544
-
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe88⤵PID:868
-
C:\Windows\SysWOW64\Mnlfigcc.exeC:\Windows\system32\Mnlfigcc.exe89⤵PID:3960
-
C:\Windows\SysWOW64\Mdfofakp.exeC:\Windows\system32\Mdfofakp.exe90⤵PID:1812
-
C:\Windows\SysWOW64\Mjcgohig.exeC:\Windows\system32\Mjcgohig.exe91⤵PID:3112
-
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe92⤵
- Modifies registry class
PID:3156 -
C:\Windows\SysWOW64\Mcklgm32.exeC:\Windows\system32\Mcklgm32.exe93⤵PID:5128
-
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe94⤵PID:5168
-
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe95⤵PID:5216
-
C:\Windows\SysWOW64\Mgidml32.exeC:\Windows\system32\Mgidml32.exe96⤵PID:5260
-
C:\Windows\SysWOW64\Maohkd32.exeC:\Windows\system32\Maohkd32.exe97⤵PID:5304
-
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe98⤵PID:5344
-
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe99⤵
- Drops file in System32 directory
PID:5380 -
C:\Windows\SysWOW64\Mnfipekh.exeC:\Windows\system32\Mnfipekh.exe100⤵
- Drops file in System32 directory
- Modifies registry class
PID:5428 -
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe101⤵PID:5472
-
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe102⤵PID:5504
-
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe103⤵PID:5556
-
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe104⤵PID:5596
-
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe105⤵
- Modifies registry class
PID:5640 -
C:\Windows\SysWOW64\Ngpjnkpf.exeC:\Windows\system32\Ngpjnkpf.exe106⤵PID:5680
-
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe107⤵PID:5728
-
C:\Windows\SysWOW64\Nafokcol.exeC:\Windows\system32\Nafokcol.exe108⤵
- Drops file in System32 directory
PID:5772 -
C:\Windows\SysWOW64\Nddkgonp.exeC:\Windows\system32\Nddkgonp.exe109⤵
- Modifies registry class
PID:5816 -
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe110⤵PID:5860
-
C:\Windows\SysWOW64\Nnmopdep.exeC:\Windows\system32\Nnmopdep.exe111⤵
- Modifies registry class
PID:5904 -
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe112⤵
- Modifies registry class
PID:5944 -
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe113⤵
- Modifies registry class
PID:5992 -
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe114⤵PID:6032
-
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe115⤵PID:6072
-
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe116⤵PID:6116
-
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe117⤵PID:5156
-
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe118⤵
- Drops file in System32 directory
PID:5212 -
C:\Windows\SysWOW64\Ndkahnhh.exeC:\Windows\system32\Ndkahnhh.exe119⤵PID:5284
-
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe120⤵
- Modifies registry class
PID:5352 -
C:\Windows\SysWOW64\Oboaabga.exeC:\Windows\system32\Oboaabga.exe121⤵PID:5420
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-