Analysis
-
max time kernel
143s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
04-05-2024 20:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
165e784f073b4bafa0bddcedf2e7970a6d6592a83b055fc15148bdc4c12ff434.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
165e784f073b4bafa0bddcedf2e7970a6d6592a83b055fc15148bdc4c12ff434.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
165e784f073b4bafa0bddcedf2e7970a6d6592a83b055fc15148bdc4c12ff434.exe
-
Size
77KB
-
MD5
e24d4d35d8037d1b310f63b1591a9a42
-
SHA1
43a4f37948f2a29ae39daff190fe9db60c1386d0
-
SHA256
165e784f073b4bafa0bddcedf2e7970a6d6592a83b055fc15148bdc4c12ff434
-
SHA512
5d725a507c1c85c826da493fa01dc93d1da526438516b39b04d9bc4fb61057d122fd16f09855159661799049b2485da529149dbd42d9f20220b5c2cf9f6c33da
-
SSDEEP
1536:PzOoqwQGGM2j6GteqB2gTQN5ks1O6W2Ltnwfi+TjRC/D:P6oTrGMq9/I5ks1T7twf1TjYD
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqghcn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apcead32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hndibn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moipoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcaipa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcoepkdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gccmaack.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjcjmclj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbgafqla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agkgceeh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpqjjjjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibbcfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnabladg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgodjiio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljleil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfncia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onmahojj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ollgiplp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmbcik32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akhaipei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bglgdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afbgkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjabdo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfmnbjcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfpenj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmjojh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mohplf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbpoop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moefdljc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkcjjhgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alfcflfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmbcik32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igkmbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkangg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcpika32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhhjhlqm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmhccpci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdbmifdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkhidaeo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlifnphl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ionbcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcapicdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhfbog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdffjgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okmpqjad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glqkefff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbbjhini.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbhina32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljmmcbdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqnemp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enomic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfeljd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnngpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbfkceca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klpjad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjgcgo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Galoohke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdhlepkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfkpiled.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afdkfh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akbjidbf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmjcgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feljgd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbkcek32.exe -
Executes dropped EXE 64 IoCs
pid Process 2824 Gbeejp32.exe 1660 Iebngial.exe 4924 Jmeede32.exe 112 Kjblje32.exe 4252 Kcmmhj32.exe 3696 Kgkfnh32.exe 1312 Kjlopc32.exe 3700 Loighj32.exe 1004 Lfeljd32.exe 2900 Ljeafb32.exe 1544 Lcnfohmi.exe 2888 Mcpcdg32.exe 2856 Mogcihaj.exe 5068 Moipoh32.exe 3672 Nopfpgip.exe 4344 Nmfcok32.exe 4568 Nfohgqlg.exe 756 Ngndaccj.exe 2320 Ojomcopk.exe 1512 Oakbehfe.exe 3784 Oclkgccf.exe 500 Ondljl32.exe 4912 Phonha32.exe 3296 Pplobcpp.exe 4468 Pmpolgoi.exe 3328 Qhhpop32.exe 2304 Ahmjjoig.exe 2488 Afbgkl32.exe 2312 Agdcpkll.exe 4460 Aonhghjl.exe 4964 Aopemh32.exe 2260 Bkgeainn.exe 1444 Boenhgdd.exe 1724 Bphgeo32.exe 4444 Bgelgi32.exe 3392 Cdimqm32.exe 3288 Caojpaij.exe 1308 Caageq32.exe 2052 Cacckp32.exe 936 Ddgibkpc.exe 5012 Dakikoom.exe 2672 Dqpfmlce.exe 4060 Dqbcbkab.exe 2704 Eqdpgk32.exe 3552 Eoepebho.exe 32 Egaejeej.exe 1972 Edeeci32.exe 4516 Enmjlojd.exe 4608 Egened32.exe 1160 Fnbcgn32.exe 2292 Fqbliicp.exe 4972 Fqeioiam.exe 1760 Fkjmlaac.exe 2324 Fnkfmm32.exe 1304 Fiqjke32.exe 3760 Galoohke.exe 2980 Gejhef32.exe 4376 Geldkfpi.exe 2968 Glhimp32.exe 4952 Hlmchoan.exe 1392 Ihmfco32.exe 3196 Ibcjqgnm.exe 1648 Iojkeh32.exe 1536 Iajdgcab.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pndjmkng.dll Bpbpecen.exe File created C:\Windows\SysWOW64\Qbkcek32.exe Pbifol32.exe File created C:\Windows\SysWOW64\Mlolhd32.dll Kbfjljhf.exe File created C:\Windows\SysWOW64\Cgffmigc.dll Qipjokik.exe File opened for modification C:\Windows\SysWOW64\Hqmggi32.exe Hgebnc32.exe File created C:\Windows\SysWOW64\Bdlncn32.exe Bkcjjhgp.exe File created C:\Windows\SysWOW64\Ollpdaom.dll Eapmedef.exe File opened for modification C:\Windows\SysWOW64\Bdlncn32.exe Bkcjjhgp.exe File opened for modification C:\Windows\SysWOW64\Iebngial.exe Gbeejp32.exe File created C:\Windows\SysWOW64\Oclkgccf.exe Oakbehfe.exe File created C:\Windows\SysWOW64\Fmenlgog.dll Hqkjaifk.exe File created C:\Windows\SysWOW64\Qcoaqo32.dll Bglgdi32.exe File created C:\Windows\SysWOW64\Ppnbpg32.exe Pfenga32.exe File opened for modification C:\Windows\SysWOW64\Laglkb32.exe Lfbgmj32.exe File created C:\Windows\SysWOW64\Elngne32.dll Nefmgogl.exe File created C:\Windows\SysWOW64\Mpdodk32.dll Ghqeihbb.exe File created C:\Windows\SysWOW64\Dklomnmf.exe Djmbbk32.exe File created C:\Windows\SysWOW64\Ldccid32.exe Lkjoqnei.exe File created C:\Windows\SysWOW64\Benibond.dll Jeapcq32.exe File created C:\Windows\SysWOW64\Gpkehj32.dll Aplaoj32.exe File created C:\Windows\SysWOW64\Conpjg32.dll Gchflq32.exe File opened for modification C:\Windows\SysWOW64\Lfiokmkc.exe Lplfcf32.exe File created C:\Windows\SysWOW64\Kdbbihid.dll Gmdoel32.exe File opened for modification C:\Windows\SysWOW64\Hjmfmnhp.exe Hnfehm32.exe File created C:\Windows\SysWOW64\Qcbegphl.dll Oolnabal.exe File created C:\Windows\SysWOW64\Kpdbkaca.dll Ehbihj32.exe File opened for modification C:\Windows\SysWOW64\Joikdk32.exe Jmjojh32.exe File opened for modification C:\Windows\SysWOW64\Iojkeh32.exe Ibcjqgnm.exe File created C:\Windows\SysWOW64\Cefked32.dll Qbkcek32.exe File opened for modification C:\Windows\SysWOW64\Gjghdj32.exe Goadfa32.exe File created C:\Windows\SysWOW64\Kkgepcpk.dll Kbgafqla.exe File created C:\Windows\SysWOW64\Nejbaqgo.exe Npmjij32.exe File created C:\Windows\SysWOW64\Mmjekp32.dll Cjbhbf32.exe File created C:\Windows\SysWOW64\Nmfcok32.exe Nopfpgip.exe File created C:\Windows\SysWOW64\Efoope32.dll Cgmhcaac.exe File created C:\Windows\SysWOW64\Hahlnefd.exe Hafpiehg.exe File created C:\Windows\SysWOW64\Bmgagk32.dll Lcnfohmi.exe File created C:\Windows\SysWOW64\Ciofjflg.dll Abbiej32.exe File opened for modification C:\Windows\SysWOW64\Cqghcn32.exe Bgodjiio.exe File created C:\Windows\SysWOW64\Iefedcmk.exe Hahlnefd.exe File created C:\Windows\SysWOW64\Pdmgmj32.dll Jjefao32.exe File created C:\Windows\SysWOW64\Baokejco.dll Fjbddh32.exe File created C:\Windows\SysWOW64\Mcpcdg32.exe Lcnfohmi.exe File opened for modification C:\Windows\SysWOW64\Hjabdo32.exe Hcgjhega.exe File opened for modification C:\Windows\SysWOW64\Okeklcen.exe Oggbfdog.exe File opened for modification C:\Windows\SysWOW64\Lbpmbipk.exe Lkfeeo32.exe File created C:\Windows\SysWOW64\Apcead32.exe Abodhpic.exe File created C:\Windows\SysWOW64\Apdicjnk.dll Mclpbqal.exe File opened for modification C:\Windows\SysWOW64\Alelkf32.exe Aeigilml.exe File created C:\Windows\SysWOW64\Ofkhpmpa.dll Nopfpgip.exe File created C:\Windows\SysWOW64\Aaeekb32.dll Hgnlmdcp.exe File created C:\Windows\SysWOW64\Mpqklh32.exe Mhefhf32.exe File opened for modification C:\Windows\SysWOW64\Cnokmkfh.exe Cnmoglij.exe File created C:\Windows\SysWOW64\Kodeje32.dll Opgloh32.exe File created C:\Windows\SysWOW64\Fegndm32.dll Fpoaom32.exe File created C:\Windows\SysWOW64\Gjcfcakn.exe Gcimfg32.exe File opened for modification C:\Windows\SysWOW64\Opopdd32.exe Onngci32.exe File opened for modification C:\Windows\SysWOW64\Nhffijdm.exe Nnabladg.exe File opened for modification C:\Windows\SysWOW64\Qkcackeb.exe Qpmmfbfl.exe File opened for modification C:\Windows\SysWOW64\Hlmiagbo.exe Hoiihcde.exe File created C:\Windows\SysWOW64\Qnoeacho.dll Kkgbjkac.exe File opened for modification C:\Windows\SysWOW64\Mgjkag32.exe Mbmbiqqp.exe File created C:\Windows\SysWOW64\Eqdpgk32.exe Dqbcbkab.exe File created C:\Windows\SysWOW64\Cpcpfg32.exe Ccppmc32.exe -
Program crash 2 IoCs
pid pid_target Process procid_target 3744 8352 WerFault.exe 758 9024 8352 WerFault.exe 758 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipqcn32.dll" Npkmcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkcccn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kifcnjpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neeifa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqklnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnbjpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacemc32.dll" Ppnbpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgpcklpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdimqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njgqhicg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igneda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jaljbmkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnokmkfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihkila32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maoakaip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclbijhm.dll" Donecfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkiclepa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmkmfbo.dll" Kakmna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqkjaifk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjhjae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibcjqgnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oolnabal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgcol32.dll" Eemgkpef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcgldl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ladhkmno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddoned32.dll" Nhhldc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acgacegg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckji32.dll" Pmfldkei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohogfgd.dll" Ddhomdje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgqded32.dll" Khhaanop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pocdba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogmiepcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbmmoklg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akbjidbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgedkcjf.dll" Hmjmnpmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boaeioej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpiedd32.dll" Fbaahf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihaidhgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fegndm32.dll" Fpoaom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cigkdmel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iajkohmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkidkeeb.dll" Mbkmngfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmgagk32.dll" Lcnfohmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibcjqgnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajkkcn32.dll" Mjcljk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejhikgob.dll" Dehnpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmmcgbnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmlihj32.dll" Dlkiaece.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnfehm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbeejp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aofbkbfe.dll" Ocmjhfjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfjllnnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddifbphg.dll" Ionlhlld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpfcf32.dll" Mmghklif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkajnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnigcj32.dll" Gnkflo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkgepcpk.dll" Kbgafqla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mminfech.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgdhilkd.dll" Jlikkkhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nejgbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icdoolge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgjkag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iefedcmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oianmm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3400 wrote to memory of 2824 3400 165e784f073b4bafa0bddcedf2e7970a6d6592a83b055fc15148bdc4c12ff434.exe 91 PID 3400 wrote to memory of 2824 3400 165e784f073b4bafa0bddcedf2e7970a6d6592a83b055fc15148bdc4c12ff434.exe 91 PID 3400 wrote to memory of 2824 3400 165e784f073b4bafa0bddcedf2e7970a6d6592a83b055fc15148bdc4c12ff434.exe 91 PID 2824 wrote to memory of 1660 2824 Gbeejp32.exe 92 PID 2824 wrote to memory of 1660 2824 Gbeejp32.exe 92 PID 2824 wrote to memory of 1660 2824 Gbeejp32.exe 92 PID 1660 wrote to memory of 4924 1660 Iebngial.exe 93 PID 1660 wrote to memory of 4924 1660 Iebngial.exe 93 PID 1660 wrote to memory of 4924 1660 Iebngial.exe 93 PID 4924 wrote to memory of 112 4924 Jmeede32.exe 94 PID 4924 wrote to memory of 112 4924 Jmeede32.exe 94 PID 4924 wrote to memory of 112 4924 Jmeede32.exe 94 PID 112 wrote to memory of 4252 112 Kjblje32.exe 95 PID 112 wrote to memory of 4252 112 Kjblje32.exe 95 PID 112 wrote to memory of 4252 112 Kjblje32.exe 95 PID 4252 wrote to memory of 3696 4252 Kcmmhj32.exe 96 PID 4252 wrote to memory of 3696 4252 Kcmmhj32.exe 96 PID 4252 wrote to memory of 3696 4252 Kcmmhj32.exe 96 PID 3696 wrote to memory of 1312 3696 Kgkfnh32.exe 97 PID 3696 wrote to memory of 1312 3696 Kgkfnh32.exe 97 PID 3696 wrote to memory of 1312 3696 Kgkfnh32.exe 97 PID 1312 wrote to memory of 3700 1312 Kjlopc32.exe 98 PID 1312 wrote to memory of 3700 1312 Kjlopc32.exe 98 PID 1312 wrote to memory of 3700 1312 Kjlopc32.exe 98 PID 3700 wrote to memory of 1004 3700 Loighj32.exe 99 PID 3700 wrote to memory of 1004 3700 Loighj32.exe 99 PID 3700 wrote to memory of 1004 3700 Loighj32.exe 99 PID 1004 wrote to memory of 2900 1004 Lfeljd32.exe 100 PID 1004 wrote to memory of 2900 1004 Lfeljd32.exe 100 PID 1004 wrote to memory of 2900 1004 Lfeljd32.exe 100 PID 2900 wrote to memory of 1544 2900 Ljeafb32.exe 101 PID 2900 wrote to memory of 1544 2900 Ljeafb32.exe 101 PID 2900 wrote to memory of 1544 2900 Ljeafb32.exe 101 PID 1544 wrote to memory of 2888 1544 Lcnfohmi.exe 102 PID 1544 wrote to memory of 2888 1544 Lcnfohmi.exe 102 PID 1544 wrote to memory of 2888 1544 Lcnfohmi.exe 102 PID 2888 wrote to memory of 2856 2888 Mcpcdg32.exe 103 PID 2888 wrote to memory of 2856 2888 Mcpcdg32.exe 103 PID 2888 wrote to memory of 2856 2888 Mcpcdg32.exe 103 PID 2856 wrote to memory of 5068 2856 Mogcihaj.exe 104 PID 2856 wrote to memory of 5068 2856 Mogcihaj.exe 104 PID 2856 wrote to memory of 5068 2856 Mogcihaj.exe 104 PID 5068 wrote to memory of 3672 5068 Moipoh32.exe 105 PID 5068 wrote to memory of 3672 5068 Moipoh32.exe 105 PID 5068 wrote to memory of 3672 5068 Moipoh32.exe 105 PID 3672 wrote to memory of 4344 3672 Nopfpgip.exe 106 PID 3672 wrote to memory of 4344 3672 Nopfpgip.exe 106 PID 3672 wrote to memory of 4344 3672 Nopfpgip.exe 106 PID 4344 wrote to memory of 4568 4344 Nmfcok32.exe 107 PID 4344 wrote to memory of 4568 4344 Nmfcok32.exe 107 PID 4344 wrote to memory of 4568 4344 Nmfcok32.exe 107 PID 4568 wrote to memory of 756 4568 Nfohgqlg.exe 108 PID 4568 wrote to memory of 756 4568 Nfohgqlg.exe 108 PID 4568 wrote to memory of 756 4568 Nfohgqlg.exe 108 PID 756 wrote to memory of 2320 756 Ngndaccj.exe 109 PID 756 wrote to memory of 2320 756 Ngndaccj.exe 109 PID 756 wrote to memory of 2320 756 Ngndaccj.exe 109 PID 2320 wrote to memory of 1512 2320 Ojomcopk.exe 110 PID 2320 wrote to memory of 1512 2320 Ojomcopk.exe 110 PID 2320 wrote to memory of 1512 2320 Ojomcopk.exe 110 PID 1512 wrote to memory of 3784 1512 Oakbehfe.exe 111 PID 1512 wrote to memory of 3784 1512 Oakbehfe.exe 111 PID 1512 wrote to memory of 3784 1512 Oakbehfe.exe 111 PID 3784 wrote to memory of 500 3784 Oclkgccf.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\165e784f073b4bafa0bddcedf2e7970a6d6592a83b055fc15148bdc4c12ff434.exe"C:\Users\Admin\AppData\Local\Temp\165e784f073b4bafa0bddcedf2e7970a6d6592a83b055fc15148bdc4c12ff434.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3400 -
C:\Windows\SysWOW64\Gbeejp32.exeC:\Windows\system32\Gbeejp32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Iebngial.exeC:\Windows\system32\Iebngial.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Jmeede32.exeC:\Windows\system32\Jmeede32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Windows\SysWOW64\Kjblje32.exeC:\Windows\system32\Kjblje32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Windows\SysWOW64\Kcmmhj32.exeC:\Windows\system32\Kcmmhj32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Windows\SysWOW64\Kgkfnh32.exeC:\Windows\system32\Kgkfnh32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\SysWOW64\Kjlopc32.exeC:\Windows\system32\Kjlopc32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\Loighj32.exeC:\Windows\system32\Loighj32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Windows\SysWOW64\Lfeljd32.exeC:\Windows\system32\Lfeljd32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\Ljeafb32.exeC:\Windows\system32\Ljeafb32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Lcnfohmi.exeC:\Windows\system32\Lcnfohmi.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Mcpcdg32.exeC:\Windows\system32\Mcpcdg32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Mogcihaj.exeC:\Windows\system32\Mogcihaj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Moipoh32.exeC:\Windows\system32\Moipoh32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\SysWOW64\Nopfpgip.exeC:\Windows\system32\Nopfpgip.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\SysWOW64\Nmfcok32.exeC:\Windows\system32\Nmfcok32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Windows\SysWOW64\Nfohgqlg.exeC:\Windows\system32\Nfohgqlg.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\SysWOW64\Ngndaccj.exeC:\Windows\system32\Ngndaccj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Ojomcopk.exeC:\Windows\system32\Ojomcopk.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Oakbehfe.exeC:\Windows\system32\Oakbehfe.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Oclkgccf.exeC:\Windows\system32\Oclkgccf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
C:\Windows\SysWOW64\Ondljl32.exeC:\Windows\system32\Ondljl32.exe23⤵
- Executes dropped EXE
PID:500 -
C:\Windows\SysWOW64\Phonha32.exeC:\Windows\system32\Phonha32.exe24⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Pplobcpp.exeC:\Windows\system32\Pplobcpp.exe25⤵
- Executes dropped EXE
PID:3296 -
C:\Windows\SysWOW64\Pmpolgoi.exeC:\Windows\system32\Pmpolgoi.exe26⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Qhhpop32.exeC:\Windows\system32\Qhhpop32.exe27⤵
- Executes dropped EXE
PID:3328 -
C:\Windows\SysWOW64\Ahmjjoig.exeC:\Windows\system32\Ahmjjoig.exe28⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Afbgkl32.exeC:\Windows\system32\Afbgkl32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Agdcpkll.exeC:\Windows\system32\Agdcpkll.exe30⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Aonhghjl.exeC:\Windows\system32\Aonhghjl.exe31⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Aopemh32.exeC:\Windows\system32\Aopemh32.exe32⤵
- Executes dropped EXE
PID:4964 -
C:\Windows\SysWOW64\Bkgeainn.exeC:\Windows\system32\Bkgeainn.exe33⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Boenhgdd.exeC:\Windows\system32\Boenhgdd.exe34⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Bphgeo32.exeC:\Windows\system32\Bphgeo32.exe35⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Bgelgi32.exeC:\Windows\system32\Bgelgi32.exe36⤵
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Cdimqm32.exeC:\Windows\system32\Cdimqm32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:3392 -
C:\Windows\SysWOW64\Caojpaij.exeC:\Windows\system32\Caojpaij.exe38⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Caageq32.exeC:\Windows\system32\Caageq32.exe39⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Cacckp32.exeC:\Windows\system32\Cacckp32.exe40⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Ddgibkpc.exeC:\Windows\system32\Ddgibkpc.exe41⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Dakikoom.exeC:\Windows\system32\Dakikoom.exe42⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Dqpfmlce.exeC:\Windows\system32\Dqpfmlce.exe43⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Dqbcbkab.exeC:\Windows\system32\Dqbcbkab.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4060 -
C:\Windows\SysWOW64\Eqdpgk32.exeC:\Windows\system32\Eqdpgk32.exe45⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Eoepebho.exeC:\Windows\system32\Eoepebho.exe46⤵
- Executes dropped EXE
PID:3552 -
C:\Windows\SysWOW64\Egaejeej.exeC:\Windows\system32\Egaejeej.exe47⤵
- Executes dropped EXE
PID:32 -
C:\Windows\SysWOW64\Edeeci32.exeC:\Windows\system32\Edeeci32.exe48⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Enmjlojd.exeC:\Windows\system32\Enmjlojd.exe49⤵
- Executes dropped EXE
PID:4516 -
C:\Windows\SysWOW64\Egened32.exeC:\Windows\system32\Egened32.exe50⤵
- Executes dropped EXE
PID:4608 -
C:\Windows\SysWOW64\Fnbcgn32.exeC:\Windows\system32\Fnbcgn32.exe51⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Fqbliicp.exeC:\Windows\system32\Fqbliicp.exe52⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Fqeioiam.exeC:\Windows\system32\Fqeioiam.exe53⤵
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\Fkjmlaac.exeC:\Windows\system32\Fkjmlaac.exe54⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Fnkfmm32.exeC:\Windows\system32\Fnkfmm32.exe55⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Fiqjke32.exeC:\Windows\system32\Fiqjke32.exe56⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Galoohke.exeC:\Windows\system32\Galoohke.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3760 -
C:\Windows\SysWOW64\Gejhef32.exeC:\Windows\system32\Gejhef32.exe58⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Geldkfpi.exeC:\Windows\system32\Geldkfpi.exe59⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Glhimp32.exeC:\Windows\system32\Glhimp32.exe60⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Hlmchoan.exeC:\Windows\system32\Hlmchoan.exe61⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Ihmfco32.exeC:\Windows\system32\Ihmfco32.exe62⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Ibcjqgnm.exeC:\Windows\system32\Ibcjqgnm.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3196 -
C:\Windows\SysWOW64\Iojkeh32.exeC:\Windows\system32\Iojkeh32.exe64⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Iajdgcab.exeC:\Windows\system32\Iajdgcab.exe65⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Jlbejloe.exeC:\Windows\system32\Jlbejloe.exe66⤵PID:5052
-
C:\Windows\SysWOW64\Jifecp32.exeC:\Windows\system32\Jifecp32.exe67⤵PID:1360
-
C:\Windows\SysWOW64\Jaajhb32.exeC:\Windows\system32\Jaajhb32.exe68⤵PID:2960
-
C:\Windows\SysWOW64\Jlikkkhn.exeC:\Windows\system32\Jlikkkhn.exe69⤵
- Modifies registry class
PID:4080 -
C:\Windows\SysWOW64\Jeapcq32.exeC:\Windows\system32\Jeapcq32.exe70⤵
- Drops file in System32 directory
PID:1164 -
C:\Windows\SysWOW64\Jbepme32.exeC:\Windows\system32\Jbepme32.exe71⤵PID:3684
-
C:\Windows\SysWOW64\Kakmna32.exeC:\Windows\system32\Kakmna32.exe72⤵
- Modifies registry class
PID:4712 -
C:\Windows\SysWOW64\Kamjda32.exeC:\Windows\system32\Kamjda32.exe73⤵PID:3052
-
C:\Windows\SysWOW64\Kcmfnd32.exeC:\Windows\system32\Kcmfnd32.exe74⤵PID:2136
-
C:\Windows\SysWOW64\Kcoccc32.exeC:\Windows\system32\Kcoccc32.exe75⤵PID:4176
-
C:\Windows\SysWOW64\Kcapicdj.exeC:\Windows\system32\Kcapicdj.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5000 -
C:\Windows\SysWOW64\Likhem32.exeC:\Windows\system32\Likhem32.exe77⤵PID:1596
-
C:\Windows\SysWOW64\Lpgmhg32.exeC:\Windows\system32\Lpgmhg32.exe78⤵PID:4852
-
C:\Windows\SysWOW64\Llnnmhfe.exeC:\Windows\system32\Llnnmhfe.exe79⤵PID:5140
-
C:\Windows\SysWOW64\Lplfcf32.exeC:\Windows\system32\Lplfcf32.exe80⤵
- Drops file in System32 directory
PID:5180 -
C:\Windows\SysWOW64\Lfiokmkc.exeC:\Windows\system32\Lfiokmkc.exe81⤵PID:5220
-
C:\Windows\SysWOW64\Mhjhmhhd.exeC:\Windows\system32\Mhjhmhhd.exe82⤵PID:5260
-
C:\Windows\SysWOW64\Mhldbh32.exeC:\Windows\system32\Mhldbh32.exe83⤵PID:5304
-
C:\Windows\SysWOW64\Mcaipa32.exeC:\Windows\system32\Mcaipa32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5348 -
C:\Windows\SysWOW64\Mohidbkl.exeC:\Windows\system32\Mohidbkl.exe85⤵PID:5392
-
C:\Windows\SysWOW64\Mqjbddpl.exeC:\Windows\system32\Mqjbddpl.exe86⤵PID:5440
-
C:\Windows\SysWOW64\Nbnlaldg.exeC:\Windows\system32\Nbnlaldg.exe87⤵PID:5500
-
C:\Windows\SysWOW64\Njgqhicg.exeC:\Windows\system32\Njgqhicg.exe88⤵
- Modifies registry class
PID:5552 -
C:\Windows\SysWOW64\Qbajeg32.exeC:\Windows\system32\Qbajeg32.exe89⤵PID:5596
-
C:\Windows\SysWOW64\Aplaoj32.exeC:\Windows\system32\Aplaoj32.exe90⤵
- Drops file in System32 directory
PID:5640 -
C:\Windows\SysWOW64\Aidehpea.exeC:\Windows\system32\Aidehpea.exe91⤵PID:5688
-
C:\Windows\SysWOW64\Ajdbac32.exeC:\Windows\system32\Ajdbac32.exe92⤵PID:5732
-
C:\Windows\SysWOW64\Bpqjjjjl.exeC:\Windows\system32\Bpqjjjjl.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5780 -
C:\Windows\SysWOW64\Bjfogbjb.exeC:\Windows\system32\Bjfogbjb.exe94⤵PID:5824
-
C:\Windows\SysWOW64\Bdocph32.exeC:\Windows\system32\Bdocph32.exe95⤵PID:5868
-
C:\Windows\SysWOW64\Bfolacnc.exeC:\Windows\system32\Bfolacnc.exe96⤵PID:5912
-
C:\Windows\SysWOW64\Baepolni.exeC:\Windows\system32\Baepolni.exe97⤵PID:5956
-
C:\Windows\SysWOW64\Bkmeha32.exeC:\Windows\system32\Bkmeha32.exe98⤵PID:6000
-
C:\Windows\SysWOW64\Ckpamabg.exeC:\Windows\system32\Ckpamabg.exe99⤵PID:6044
-
C:\Windows\SysWOW64\Cpljehpo.exeC:\Windows\system32\Cpljehpo.exe100⤵PID:6088
-
C:\Windows\SysWOW64\Cgfbbb32.exeC:\Windows\system32\Cgfbbb32.exe101⤵PID:6132
-
C:\Windows\SysWOW64\Cpogkhnl.exeC:\Windows\system32\Cpogkhnl.exe102⤵PID:5160
-
C:\Windows\SysWOW64\Cigkdmel.exeC:\Windows\system32\Cigkdmel.exe103⤵
- Modifies registry class
PID:5244 -
C:\Windows\SysWOW64\Ccppmc32.exeC:\Windows\system32\Ccppmc32.exe104⤵
- Drops file in System32 directory
PID:5312 -
C:\Windows\SysWOW64\Cpcpfg32.exeC:\Windows\system32\Cpcpfg32.exe105⤵PID:5372
-
C:\Windows\SysWOW64\Cgmhcaac.exeC:\Windows\system32\Cgmhcaac.exe106⤵
- Drops file in System32 directory
PID:5420 -
C:\Windows\SysWOW64\Ccdihbgg.exeC:\Windows\system32\Ccdihbgg.exe107⤵PID:5508
-
C:\Windows\SysWOW64\Ddfbgelh.exeC:\Windows\system32\Ddfbgelh.exe108⤵PID:5580
-
C:\Windows\SysWOW64\Dnngpj32.exeC:\Windows\system32\Dnngpj32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5620 -
C:\Windows\SysWOW64\Ddhomdje.exeC:\Windows\system32\Ddhomdje.exe110⤵
- Modifies registry class
PID:5712 -
C:\Windows\SysWOW64\Dalofi32.exeC:\Windows\system32\Dalofi32.exe111⤵PID:5776
-
C:\Windows\SysWOW64\Ekgqennl.exeC:\Windows\system32\Ekgqennl.exe112⤵PID:5856
-
C:\Windows\SysWOW64\Edoencdm.exeC:\Windows\system32\Edoencdm.exe113⤵PID:5920
-
C:\Windows\SysWOW64\Epffbd32.exeC:\Windows\system32\Epffbd32.exe114⤵PID:5992
-
C:\Windows\SysWOW64\Ekljpm32.exeC:\Windows\system32\Ekljpm32.exe115⤵PID:6080
-
C:\Windows\SysWOW64\Eddnic32.exeC:\Windows\system32\Eddnic32.exe116⤵PID:4404
-
C:\Windows\SysWOW64\Enlcahgh.exeC:\Windows\system32\Enlcahgh.exe117⤵PID:5296
-
C:\Windows\SysWOW64\Eqmlccdi.exeC:\Windows\system32\Eqmlccdi.exe118⤵PID:5400
-
C:\Windows\SysWOW64\Fncibg32.exeC:\Windows\system32\Fncibg32.exe119⤵PID:5464
-
C:\Windows\SysWOW64\Fbaahf32.exeC:\Windows\system32\Fbaahf32.exe120⤵
- Modifies registry class
PID:5636 -
C:\Windows\SysWOW64\Fbfkceca.exeC:\Windows\system32\Fbfkceca.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5716
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-