Analysis
-
max time kernel
67s -
max time network
54s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
01/05/2024, 02:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c2ce3f1276f8b33004f6be6e89bd1cc807bb8dc89168693ea102d157a3842570.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
c2ce3f1276f8b33004f6be6e89bd1cc807bb8dc89168693ea102d157a3842570.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
c2ce3f1276f8b33004f6be6e89bd1cc807bb8dc89168693ea102d157a3842570.exe
-
Size
64KB
-
MD5
9bb0a7724c7e26b8a672d3e6c209e196
-
SHA1
23c1018f97a2369cd9e2179c54df0394e24a7993
-
SHA256
c2ce3f1276f8b33004f6be6e89bd1cc807bb8dc89168693ea102d157a3842570
-
SHA512
23294039cc627f803d68326d17a4b87e0431707e8690afcd417b596a0fe708bd379576878876207614f7fe91473b1789a50a1c7c4c85c8f99a2d6e185ea7f48c
-
SSDEEP
1536:WEhmfvhwPllIAeRacDDAJ/31FV1iL+iALMH6:W20clexDDAdjV1iL+9Ma
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipldfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jagqlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chpada32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhjfhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imdnklfp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdqejn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndhmhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pagdol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klqcioba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmlcbbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fijmbb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfdida32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cojjqlpk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edkdkplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgekbljc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hofdacke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddmhja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daaicfgd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icgjmapi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leihbeib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfgmjqop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqhacgdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fobiilai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpeiioac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdcbom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocgmpccl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndaggimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flnlhk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdjjckag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaimbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqbamo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcfhof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfbkeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olhlhjpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giofnacd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onmhgb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cajcbgml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gomakdcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dakbckbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqfeha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpihai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfffjqdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlednamo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhcnke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dddojq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elbmlmml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olhlhjpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acqimo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kinemkko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fafkecel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmdkch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeklkchg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbnhphbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qalnjkgo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaqgek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clbceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpoefk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjdilcla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abkjdnoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmkfhc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcncpbmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmngqdpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddmaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldohebqh.exe -
Executes dropped EXE 64 IoCs
pid Process 3708 Dphifcoi.exe 1328 Dcfebonm.exe 1244 Dfdbojmq.exe 4100 Dhcnke32.exe 2016 Dpjflb32.exe 4628 Dakbckbe.exe 4956 Efgodj32.exe 2972 Elagacbk.exe 4820 Eoocmoao.exe 1968 Eckonn32.exe 2148 Efikji32.exe 1772 Ejegjh32.exe 3892 Epopgbia.exe 4116 Ecmlcmhe.exe 5088 Eflhoigi.exe 4648 Ehjdldfl.exe 4848 Eqalmafo.exe 1368 Ecphimfb.exe 3120 Efneehef.exe 2420 Ehlaaddj.exe 4276 Eqciba32.exe 1820 Ebeejijj.exe 5000 Ejlmkgkl.exe 4996 Eqfeha32.exe 1640 Ecdbdl32.exe 4192 Fbgbpihg.exe 4408 Fhajlc32.exe 4612 Fqhbmqqg.exe 2892 Fcgoilpj.exe 3076 Ffekegon.exe 1932 Ficgacna.exe 3896 Fomonm32.exe 1448 Ffggkgmk.exe 932 Fifdgblo.exe 4000 Fmapha32.exe 2932 Fqmlhpla.exe 4524 Fckhdk32.exe 4948 Fbnhphbp.exe 740 Fihqmb32.exe 3168 Fmclmabe.exe 4976 Fobiilai.exe 1632 Fflaff32.exe 1724 Fijmbb32.exe 116 Fqaeco32.exe 3508 Gcpapkgp.exe 552 Gfnnlffc.exe 224 Gjjjle32.exe 1648 Gimjhafg.exe 4472 Gqdbiofi.exe 3204 Gcbnejem.exe 1848 Gbenqg32.exe 3832 Gjlfbd32.exe 1924 Giofnacd.exe 1944 Gmkbnp32.exe 4452 Goiojk32.exe 4352 Gcekkjcj.exe 3584 Gfcgge32.exe 2964 Gjocgdkg.exe 1400 Giacca32.exe 2024 Gqikdn32.exe 3444 Gcggpj32.exe 2564 Gfedle32.exe 3936 Gidphq32.exe 220 Gmoliohh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jclhkbae.dll Njefqo32.exe File created C:\Windows\SysWOW64\Pncgmkmj.exe Pflplnlg.exe File created C:\Windows\SysWOW64\Efneehef.exe Ecphimfb.exe File opened for modification C:\Windows\SysWOW64\Bahmfj32.exe Aniajnnn.exe File created C:\Windows\SysWOW64\Iphkfg32.dll Bjpaooda.exe File created C:\Windows\SysWOW64\Igoedk32.dll Ekcpbj32.exe File created C:\Windows\SysWOW64\Bdfibe32.exe Bahmfj32.exe File created C:\Windows\SysWOW64\Jcbihpel.exe Jpgmha32.exe File created C:\Windows\SysWOW64\Lbabgh32.exe Ldoaklml.exe File opened for modification C:\Windows\SysWOW64\Eoocmoao.exe Elagacbk.exe File created C:\Windows\SysWOW64\Ibojncfj.exe Iiffen32.exe File created C:\Windows\SysWOW64\Filmeaek.dll Qalnjkgo.exe File created C:\Windows\SysWOW64\Ahhblemi.exe Aejfpjne.exe File created C:\Windows\SysWOW64\Jcgaen32.dll Ejlmkgkl.exe File opened for modification C:\Windows\SysWOW64\Kdnidn32.exe Kmdqgd32.exe File created C:\Windows\SysWOW64\Kofpij32.dll Bcjlcn32.exe File created C:\Windows\SysWOW64\Pqpnombl.exe Pnbbbabh.exe File created C:\Windows\SysWOW64\Meiaib32.exe Mdhdajea.exe File created C:\Windows\SysWOW64\Anfmjhmd.exe Afoeiklb.exe File opened for modification C:\Windows\SysWOW64\Fqaeco32.exe Fijmbb32.exe File created C:\Windows\SysWOW64\Hakfehok.dll Fijmbb32.exe File created C:\Windows\SysWOW64\Jfenmm32.dll Mmpijp32.exe File created C:\Windows\SysWOW64\Feibedlp.dll Ambgef32.exe File opened for modification C:\Windows\SysWOW64\Lmbmibhb.exe Lekehdgp.exe File opened for modification C:\Windows\SysWOW64\Pmdkch32.exe Pfjcgn32.exe File created C:\Windows\SysWOW64\Bhhdil32.exe Beihma32.exe File created C:\Windows\SysWOW64\Ijkljp32.exe Ipegmg32.exe File created C:\Windows\SysWOW64\Edihepnm.exe Eaklidoi.exe File created C:\Windows\SysWOW64\Adecfl32.dll Ipnjab32.exe File opened for modification C:\Windows\SysWOW64\Oflgep32.exe Ocnjidkf.exe File opened for modification C:\Windows\SysWOW64\Dphifcoi.exe c2ce3f1276f8b33004f6be6e89bd1cc807bb8dc89168693ea102d157a3842570.exe File created C:\Windows\SysWOW64\Aaqgek32.exe Ajfoiqll.exe File opened for modification C:\Windows\SysWOW64\Fhjfhl32.exe Foabofnn.exe File created C:\Windows\SysWOW64\Ngbpidjh.exe Ncfdie32.exe File created C:\Windows\SysWOW64\Njogjfoj.exe Ndbnboqb.exe File created C:\Windows\SysWOW64\Elbmlmml.exe Edkdkplj.exe File opened for modification C:\Windows\SysWOW64\Olkhmi32.exe Ojllan32.exe File created C:\Windows\SysWOW64\Jfcibe32.dll Bhkhibmc.exe File created C:\Windows\SysWOW64\Hlpijopg.dll Cojjqlpk.exe File opened for modification C:\Windows\SysWOW64\Hofdacke.exe Hmhhehlb.exe File created C:\Windows\SysWOW64\Oneklm32.exe Ogkcpbam.exe File created C:\Windows\SysWOW64\Pkfhoiaf.dll Oflgep32.exe File opened for modification C:\Windows\SysWOW64\Hippdo32.exe Hccglh32.exe File created C:\Windows\SysWOW64\Qghlmgij.dll Ghaliknf.exe File created C:\Windows\SysWOW64\Kgdphnlp.dll Hofdacke.exe File created C:\Windows\SysWOW64\Nnbnoffm.dll Jblpek32.exe File opened for modification C:\Windows\SysWOW64\Chpada32.exe Cafigg32.exe File created C:\Windows\SysWOW64\Mdhdajea.exe Mlampmdo.exe File created C:\Windows\SysWOW64\Dhcbhjlp.dll Dldpkoil.exe File created C:\Windows\SysWOW64\Dddojq32.exe Dccbbhld.exe File opened for modification C:\Windows\SysWOW64\Kboljk32.exe Jcllonma.exe File created C:\Windows\SysWOW64\Cihmlb32.dll Nphhmj32.exe File created C:\Windows\SysWOW64\Mpolqa32.exe Mjeddggd.exe File created C:\Windows\SysWOW64\Olihhh32.dll Pqnaim32.exe File created C:\Windows\SysWOW64\Eemnjbaj.exe Ecoangbg.exe File created C:\Windows\SysWOW64\Pemfincl.dll Njnpppkn.exe File created C:\Windows\SysWOW64\Nkklocjg.dll Eoocmoao.exe File opened for modification C:\Windows\SysWOW64\Jmbklj32.exe Jbmfoa32.exe File created C:\Windows\SysWOW64\Flnlhk32.exe Fcfhof32.exe File created C:\Windows\SysWOW64\Jmpgldhg.exe Jehokgge.exe File opened for modification C:\Windows\SysWOW64\Fqhbmqqg.exe Fhajlc32.exe File opened for modification C:\Windows\SysWOW64\Ddbbeade.exe Doeiljfn.exe File created C:\Windows\SysWOW64\Mglncdoj.dll Amgapeea.exe File opened for modification C:\Windows\SysWOW64\Pkfblfab.exe Pcojkhap.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12796 12716 WerFault.exe 633 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmoahijl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kipabjil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kibnhjgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll" Ngedij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecjhcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfembo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljodkeij.dll" Ldleel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pniggbmk.dll" Dlncan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpenfjad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jagqlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll" Njogjfoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjihje32.dll" Ddgkpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll" Ocnjidkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olfobjbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll" Ddjejl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll" Lilanioo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll" Lklnhlfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okolkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll" Ajfhnjhq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmbfpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddjejl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edkdkplj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmkjkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cffdpghg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll" Dhmgki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpojcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll" Kbfiep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eemnjbaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfedle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njfmke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcggpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpnlpnih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aqppkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcoenmao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmclmabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjoheljj.dll" Pkhoae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npfhbbpk.dll" Ddmhja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dknpmdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll" Bhhdil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll" Gjclbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njogjfoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfnphn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejegjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Foabofnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfkaag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddbig32.dll" Imdnklfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kiidgeki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbckbepg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdkldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjqaij32.dll" Dkoggkjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgefeajb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll" Kibnhjgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceipnc32.dll" Qjpiha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dojcgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekhjmiad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phaedfje.dll" Jpgmha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agjhgngj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblilb32.dll" Fmclmabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll" Afoeiklb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll" Chagok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll" Nnolfdcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abkjdnoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cajlhqjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdfibe32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3408 wrote to memory of 3708 3408 c2ce3f1276f8b33004f6be6e89bd1cc807bb8dc89168693ea102d157a3842570.exe 83 PID 3408 wrote to memory of 3708 3408 c2ce3f1276f8b33004f6be6e89bd1cc807bb8dc89168693ea102d157a3842570.exe 83 PID 3408 wrote to memory of 3708 3408 c2ce3f1276f8b33004f6be6e89bd1cc807bb8dc89168693ea102d157a3842570.exe 83 PID 3708 wrote to memory of 1328 3708 Dphifcoi.exe 84 PID 3708 wrote to memory of 1328 3708 Dphifcoi.exe 84 PID 3708 wrote to memory of 1328 3708 Dphifcoi.exe 84 PID 1328 wrote to memory of 1244 1328 Dcfebonm.exe 85 PID 1328 wrote to memory of 1244 1328 Dcfebonm.exe 85 PID 1328 wrote to memory of 1244 1328 Dcfebonm.exe 85 PID 1244 wrote to memory of 4100 1244 Dfdbojmq.exe 86 PID 1244 wrote to memory of 4100 1244 Dfdbojmq.exe 86 PID 1244 wrote to memory of 4100 1244 Dfdbojmq.exe 86 PID 4100 wrote to memory of 2016 4100 Dhcnke32.exe 87 PID 4100 wrote to memory of 2016 4100 Dhcnke32.exe 87 PID 4100 wrote to memory of 2016 4100 Dhcnke32.exe 87 PID 2016 wrote to memory of 4628 2016 Dpjflb32.exe 88 PID 2016 wrote to memory of 4628 2016 Dpjflb32.exe 88 PID 2016 wrote to memory of 4628 2016 Dpjflb32.exe 88 PID 4628 wrote to memory of 4956 4628 Dakbckbe.exe 89 PID 4628 wrote to memory of 4956 4628 Dakbckbe.exe 89 PID 4628 wrote to memory of 4956 4628 Dakbckbe.exe 89 PID 4956 wrote to memory of 2972 4956 Efgodj32.exe 90 PID 4956 wrote to memory of 2972 4956 Efgodj32.exe 90 PID 4956 wrote to memory of 2972 4956 Efgodj32.exe 90 PID 2972 wrote to memory of 4820 2972 Elagacbk.exe 91 PID 2972 wrote to memory of 4820 2972 Elagacbk.exe 91 PID 2972 wrote to memory of 4820 2972 Elagacbk.exe 91 PID 4820 wrote to memory of 1968 4820 Eoocmoao.exe 92 PID 4820 wrote to memory of 1968 4820 Eoocmoao.exe 92 PID 4820 wrote to memory of 1968 4820 Eoocmoao.exe 92 PID 1968 wrote to memory of 2148 1968 Eckonn32.exe 93 PID 1968 wrote to memory of 2148 1968 Eckonn32.exe 93 PID 1968 wrote to memory of 2148 1968 Eckonn32.exe 93 PID 2148 wrote to memory of 1772 2148 Efikji32.exe 94 PID 2148 wrote to memory of 1772 2148 Efikji32.exe 94 PID 2148 wrote to memory of 1772 2148 Efikji32.exe 94 PID 1772 wrote to memory of 3892 1772 Ejegjh32.exe 95 PID 1772 wrote to memory of 3892 1772 Ejegjh32.exe 95 PID 1772 wrote to memory of 3892 1772 Ejegjh32.exe 95 PID 3892 wrote to memory of 4116 3892 Epopgbia.exe 96 PID 3892 wrote to memory of 4116 3892 Epopgbia.exe 96 PID 3892 wrote to memory of 4116 3892 Epopgbia.exe 96 PID 4116 wrote to memory of 5088 4116 Ecmlcmhe.exe 97 PID 4116 wrote to memory of 5088 4116 Ecmlcmhe.exe 97 PID 4116 wrote to memory of 5088 4116 Ecmlcmhe.exe 97 PID 5088 wrote to memory of 4648 5088 Eflhoigi.exe 98 PID 5088 wrote to memory of 4648 5088 Eflhoigi.exe 98 PID 5088 wrote to memory of 4648 5088 Eflhoigi.exe 98 PID 4648 wrote to memory of 4848 4648 Ehjdldfl.exe 99 PID 4648 wrote to memory of 4848 4648 Ehjdldfl.exe 99 PID 4648 wrote to memory of 4848 4648 Ehjdldfl.exe 99 PID 4848 wrote to memory of 1368 4848 Eqalmafo.exe 100 PID 4848 wrote to memory of 1368 4848 Eqalmafo.exe 100 PID 4848 wrote to memory of 1368 4848 Eqalmafo.exe 100 PID 1368 wrote to memory of 3120 1368 Ecphimfb.exe 101 PID 1368 wrote to memory of 3120 1368 Ecphimfb.exe 101 PID 1368 wrote to memory of 3120 1368 Ecphimfb.exe 101 PID 3120 wrote to memory of 2420 3120 Efneehef.exe 103 PID 3120 wrote to memory of 2420 3120 Efneehef.exe 103 PID 3120 wrote to memory of 2420 3120 Efneehef.exe 103 PID 2420 wrote to memory of 4276 2420 Ehlaaddj.exe 104 PID 2420 wrote to memory of 4276 2420 Ehlaaddj.exe 104 PID 2420 wrote to memory of 4276 2420 Ehlaaddj.exe 104 PID 4276 wrote to memory of 1820 4276 Eqciba32.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\c2ce3f1276f8b33004f6be6e89bd1cc807bb8dc89168693ea102d157a3842570.exe"C:\Users\Admin\AppData\Local\Temp\c2ce3f1276f8b33004f6be6e89bd1cc807bb8dc89168693ea102d157a3842570.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3408 -
C:\Windows\SysWOW64\Dphifcoi.exeC:\Windows\system32\Dphifcoi.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
C:\Windows\SysWOW64\Dcfebonm.exeC:\Windows\system32\Dcfebonm.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\SysWOW64\Dfdbojmq.exeC:\Windows\system32\Dfdbojmq.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Dhcnke32.exeC:\Windows\system32\Dhcnke32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\SysWOW64\Dpjflb32.exeC:\Windows\system32\Dpjflb32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Dakbckbe.exeC:\Windows\system32\Dakbckbe.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Windows\SysWOW64\Efgodj32.exeC:\Windows\system32\Efgodj32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\SysWOW64\Elagacbk.exeC:\Windows\system32\Elagacbk.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Eoocmoao.exeC:\Windows\system32\Eoocmoao.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\SysWOW64\Eckonn32.exeC:\Windows\system32\Eckonn32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Efikji32.exeC:\Windows\system32\Efikji32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Ejegjh32.exeC:\Windows\system32\Ejegjh32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Epopgbia.exeC:\Windows\system32\Epopgbia.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
C:\Windows\SysWOW64\Ecmlcmhe.exeC:\Windows\system32\Ecmlcmhe.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\Windows\SysWOW64\Eflhoigi.exeC:\Windows\system32\Eflhoigi.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\Windows\SysWOW64\Ehjdldfl.exeC:\Windows\system32\Ehjdldfl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Windows\SysWOW64\Eqalmafo.exeC:\Windows\system32\Eqalmafo.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\Ecphimfb.exeC:\Windows\system32\Ecphimfb.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Efneehef.exeC:\Windows\system32\Efneehef.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
C:\Windows\SysWOW64\Ehlaaddj.exeC:\Windows\system32\Ehlaaddj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Eqciba32.exeC:\Windows\system32\Eqciba32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
C:\Windows\SysWOW64\Ebeejijj.exeC:\Windows\system32\Ebeejijj.exe23⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Ejlmkgkl.exeC:\Windows\system32\Ejlmkgkl.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5000 -
C:\Windows\SysWOW64\Eqfeha32.exeC:\Windows\system32\Eqfeha32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Ecdbdl32.exeC:\Windows\system32\Ecdbdl32.exe26⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Fbgbpihg.exeC:\Windows\system32\Fbgbpihg.exe27⤵
- Executes dropped EXE
PID:4192 -
C:\Windows\SysWOW64\Fhajlc32.exeC:\Windows\system32\Fhajlc32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4408 -
C:\Windows\SysWOW64\Fqhbmqqg.exeC:\Windows\system32\Fqhbmqqg.exe29⤵
- Executes dropped EXE
PID:4612 -
C:\Windows\SysWOW64\Fcgoilpj.exeC:\Windows\system32\Fcgoilpj.exe30⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Ffekegon.exeC:\Windows\system32\Ffekegon.exe31⤵
- Executes dropped EXE
PID:3076 -
C:\Windows\SysWOW64\Ficgacna.exeC:\Windows\system32\Ficgacna.exe32⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Fomonm32.exeC:\Windows\system32\Fomonm32.exe33⤵
- Executes dropped EXE
PID:3896 -
C:\Windows\SysWOW64\Ffggkgmk.exeC:\Windows\system32\Ffggkgmk.exe34⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Fifdgblo.exeC:\Windows\system32\Fifdgblo.exe35⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Fmapha32.exeC:\Windows\system32\Fmapha32.exe36⤵
- Executes dropped EXE
PID:4000 -
C:\Windows\SysWOW64\Fqmlhpla.exeC:\Windows\system32\Fqmlhpla.exe37⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Fckhdk32.exeC:\Windows\system32\Fckhdk32.exe38⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Fbnhphbp.exeC:\Windows\system32\Fbnhphbp.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Fihqmb32.exeC:\Windows\system32\Fihqmb32.exe40⤵
- Executes dropped EXE
PID:740 -
C:\Windows\SysWOW64\Fmclmabe.exeC:\Windows\system32\Fmclmabe.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:3168 -
C:\Windows\SysWOW64\Fobiilai.exeC:\Windows\system32\Fobiilai.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4976 -
C:\Windows\SysWOW64\Fflaff32.exeC:\Windows\system32\Fflaff32.exe43⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Fijmbb32.exeC:\Windows\system32\Fijmbb32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1724 -
C:\Windows\SysWOW64\Fqaeco32.exeC:\Windows\system32\Fqaeco32.exe45⤵
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\Gcpapkgp.exeC:\Windows\system32\Gcpapkgp.exe46⤵
- Executes dropped EXE
PID:3508 -
C:\Windows\SysWOW64\Gfnnlffc.exeC:\Windows\system32\Gfnnlffc.exe47⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Gjjjle32.exeC:\Windows\system32\Gjjjle32.exe48⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Gimjhafg.exeC:\Windows\system32\Gimjhafg.exe49⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Gqdbiofi.exeC:\Windows\system32\Gqdbiofi.exe50⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Gcbnejem.exeC:\Windows\system32\Gcbnejem.exe51⤵
- Executes dropped EXE
PID:3204 -
C:\Windows\SysWOW64\Gbenqg32.exeC:\Windows\system32\Gbenqg32.exe52⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Gjlfbd32.exeC:\Windows\system32\Gjlfbd32.exe53⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Giofnacd.exeC:\Windows\system32\Giofnacd.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Gmkbnp32.exeC:\Windows\system32\Gmkbnp32.exe55⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Goiojk32.exeC:\Windows\system32\Goiojk32.exe56⤵
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\Gcekkjcj.exeC:\Windows\system32\Gcekkjcj.exe57⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Gfcgge32.exeC:\Windows\system32\Gfcgge32.exe58⤵
- Executes dropped EXE
PID:3584 -
C:\Windows\SysWOW64\Gjocgdkg.exeC:\Windows\system32\Gjocgdkg.exe59⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Giacca32.exeC:\Windows\system32\Giacca32.exe60⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Gqikdn32.exeC:\Windows\system32\Gqikdn32.exe61⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Gcggpj32.exeC:\Windows\system32\Gcggpj32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:3444 -
C:\Windows\SysWOW64\Gfedle32.exeC:\Windows\system32\Gfedle32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Gidphq32.exeC:\Windows\system32\Gidphq32.exe64⤵
- Executes dropped EXE
PID:3936 -
C:\Windows\SysWOW64\Gmoliohh.exeC:\Windows\system32\Gmoliohh.exe65⤵
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Gqkhjn32.exeC:\Windows\system32\Gqkhjn32.exe66⤵PID:2256
-
C:\Windows\SysWOW64\Gcidfi32.exeC:\Windows\system32\Gcidfi32.exe67⤵PID:712
-
C:\Windows\SysWOW64\Gjclbc32.exeC:\Windows\system32\Gjclbc32.exe68⤵
- Modifies registry class
PID:3928 -
C:\Windows\SysWOW64\Gmaioo32.exeC:\Windows\system32\Gmaioo32.exe69⤵PID:2364
-
C:\Windows\SysWOW64\Gppekj32.exeC:\Windows\system32\Gppekj32.exe70⤵PID:1156
-
C:\Windows\SysWOW64\Hjfihc32.exeC:\Windows\system32\Hjfihc32.exe71⤵PID:3668
-
C:\Windows\SysWOW64\Hmdedo32.exeC:\Windows\system32\Hmdedo32.exe72⤵PID:2348
-
C:\Windows\SysWOW64\Hpbaqj32.exeC:\Windows\system32\Hpbaqj32.exe73⤵PID:4500
-
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe74⤵PID:4608
-
C:\Windows\SysWOW64\Hmfbjnbp.exeC:\Windows\system32\Hmfbjnbp.exe75⤵PID:4960
-
C:\Windows\SysWOW64\Hpenfjad.exeC:\Windows\system32\Hpenfjad.exe76⤵
- Modifies registry class
PID:4700 -
C:\Windows\SysWOW64\Hbckbepg.exeC:\Windows\system32\Hbckbepg.exe77⤵
- Modifies registry class
PID:4868 -
C:\Windows\SysWOW64\Hadkpm32.exeC:\Windows\system32\Hadkpm32.exe78⤵PID:1044
-
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe79⤵
- Drops file in System32 directory
PID:4264 -
C:\Windows\SysWOW64\Hippdo32.exeC:\Windows\system32\Hippdo32.exe80⤵PID:4120
-
C:\Windows\SysWOW64\Hpihai32.exeC:\Windows\system32\Hpihai32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5100 -
C:\Windows\SysWOW64\Hfcpncdk.exeC:\Windows\system32\Hfcpncdk.exe82⤵PID:4448
-
C:\Windows\SysWOW64\Hibljoco.exeC:\Windows\system32\Hibljoco.exe83⤵PID:1352
-
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3996 -
C:\Windows\SysWOW64\Ijaida32.exeC:\Windows\system32\Ijaida32.exe85⤵PID:2040
-
C:\Windows\SysWOW64\Ipnalhii.exeC:\Windows\system32\Ipnalhii.exe86⤵PID:4544
-
C:\Windows\SysWOW64\Iiffen32.exeC:\Windows\system32\Iiffen32.exe87⤵
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Ibojncfj.exeC:\Windows\system32\Ibojncfj.exe88⤵PID:4068
-
C:\Windows\SysWOW64\Imdnklfp.exeC:\Windows\system32\Imdnklfp.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Idofhfmm.exeC:\Windows\system32\Idofhfmm.exe90⤵PID:1784
-
C:\Windows\SysWOW64\Iikopmkd.exeC:\Windows\system32\Iikopmkd.exe91⤵PID:3148
-
C:\Windows\SysWOW64\Ipegmg32.exeC:\Windows\system32\Ipegmg32.exe92⤵
- Drops file in System32 directory
PID:4380 -
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe93⤵PID:3572
-
C:\Windows\SysWOW64\Imihfl32.exeC:\Windows\system32\Imihfl32.exe94⤵PID:848
-
C:\Windows\SysWOW64\Jaedgjjd.exeC:\Windows\system32\Jaedgjjd.exe95⤵PID:5144
-
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe96⤵PID:5188
-
C:\Windows\SysWOW64\Jjmhppqd.exeC:\Windows\system32\Jjmhppqd.exe97⤵PID:5232
-
C:\Windows\SysWOW64\Jagqlj32.exeC:\Windows\system32\Jagqlj32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5272 -
C:\Windows\SysWOW64\Jfdida32.exeC:\Windows\system32\Jfdida32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5316 -
C:\Windows\SysWOW64\Jaimbj32.exeC:\Windows\system32\Jaimbj32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5360 -
C:\Windows\SysWOW64\Jfffjqdf.exeC:\Windows\system32\Jfffjqdf.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5404 -
C:\Windows\SysWOW64\Jpojcf32.exeC:\Windows\system32\Jpojcf32.exe102⤵
- Modifies registry class
PID:5448 -
C:\Windows\SysWOW64\Jbmfoa32.exeC:\Windows\system32\Jbmfoa32.exe103⤵
- Drops file in System32 directory
PID:5492 -
C:\Windows\SysWOW64\Jmbklj32.exeC:\Windows\system32\Jmbklj32.exe104⤵PID:5536
-
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe105⤵PID:5588
-
C:\Windows\SysWOW64\Kaqcbi32.exeC:\Windows\system32\Kaqcbi32.exe106⤵PID:5628
-
C:\Windows\SysWOW64\Kdopod32.exeC:\Windows\system32\Kdopod32.exe107⤵PID:5672
-
C:\Windows\SysWOW64\Kgmlkp32.exeC:\Windows\system32\Kgmlkp32.exe108⤵PID:5708
-
C:\Windows\SysWOW64\Kilhgk32.exeC:\Windows\system32\Kilhgk32.exe109⤵PID:5748
-
C:\Windows\SysWOW64\Kacphh32.exeC:\Windows\system32\Kacphh32.exe110⤵PID:5800
-
C:\Windows\SysWOW64\Kdaldd32.exeC:\Windows\system32\Kdaldd32.exe111⤵PID:5844
-
C:\Windows\SysWOW64\Kgphpo32.exeC:\Windows\system32\Kgphpo32.exe112⤵PID:5880
-
C:\Windows\SysWOW64\Kinemkko.exeC:\Windows\system32\Kinemkko.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5928 -
C:\Windows\SysWOW64\Kaemnhla.exeC:\Windows\system32\Kaemnhla.exe114⤵PID:5976
-
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe115⤵
- Modifies registry class
PID:6020 -
C:\Windows\SysWOW64\Kipabjil.exeC:\Windows\system32\Kipabjil.exe116⤵
- Modifies registry class
PID:6064 -
C:\Windows\SysWOW64\Kdffocib.exeC:\Windows\system32\Kdffocib.exe117⤵PID:6104
-
C:\Windows\SysWOW64\Kcifkp32.exeC:\Windows\system32\Kcifkp32.exe118⤵PID:2904
-
C:\Windows\SysWOW64\Kibnhjgj.exeC:\Windows\system32\Kibnhjgj.exe119⤵
- Modifies registry class
PID:5180 -
C:\Windows\SysWOW64\Kckbqpnj.exeC:\Windows\system32\Kckbqpnj.exe120⤵PID:5256
-
C:\Windows\SysWOW64\Liekmj32.exeC:\Windows\system32\Liekmj32.exe121⤵PID:5324
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-