Analysis
-
max time kernel
119s -
max time network
161s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
07/05/2024, 23:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
84ce26856214a66583f71f123184ea3fcf3f6ad218b146ad92a8c7d980dabd4d.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
84ce26856214a66583f71f123184ea3fcf3f6ad218b146ad92a8c7d980dabd4d.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
84ce26856214a66583f71f123184ea3fcf3f6ad218b146ad92a8c7d980dabd4d.exe
-
Size
384KB
-
MD5
b25a0970e4a5fdd7f5d14e1f26f617dc
-
SHA1
400fb43d48f2c7c7d5fc74f90eb1f9eae1585773
-
SHA256
84ce26856214a66583f71f123184ea3fcf3f6ad218b146ad92a8c7d980dabd4d
-
SHA512
e32c10514b2e53d20967ee50186b3357f998e7de2d7de69d672bcc72ddc0353deb9e5aad8b8ed500a89583ae22fb7000f9561d655f2ea9f8c3f078d753793836
-
SSDEEP
6144:Mnd7m07aOl3BzrUmKyIxLfYeOO9UmKyIxLiajOEjXP3HBY:Md7z7aOlxzr3cOK3TajRfX6
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqmhlego.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajndbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhncnodp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plbmhadm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gledpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofdhlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmnkdfce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idhgkcln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfanen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Loeoei32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcokah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Difpflco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgcoaock.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkhkblii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bleebc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fihecici.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejaecdnc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njlcdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iebfmfdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgcang32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Moljgeco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgcpdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgjldfqj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aklddmep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccipelcf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkifkkpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfcdph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgcjmjho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dcdnce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pphlpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkhokkel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pplcnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qleahgff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjgmpkfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnmbjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpbdiehi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jegohe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jflnafno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lijdbofo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iggakn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgamhjja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plpqba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bleebc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppopcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oifekg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alqjiohm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlponebi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcneca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbgkpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcagjndj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lppbdmig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjneec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjhdkajh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfogohpa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfcqjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oifekg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blecdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmgecn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pojccmii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" 84ce26856214a66583f71f123184ea3fcf3f6ad218b146ad92a8c7d980dabd4d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdopkhfk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mallojmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnfhob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecbjdcml.exe -
Executes dropped EXE 64 IoCs
pid Process 376 Hjjldpdf.exe 620 Ijfkpnji.exe 1776 Ijjekn32.exe 4752 Iqdmghnp.exe 1396 Ifaepolg.exe 4324 Iebfmfdg.exe 3812 Ijonfmbn.exe 3572 Jegohe32.exe 1400 Khcgfo32.exe 2136 Lokldg32.exe 4460 Mkdiog32.exe 4032 Moiheebb.exe 3592 Ndpcdjho.exe 664 Qkakhakq.exe 1980 Fhllni32.exe 1964 Ggfobofl.exe 4320 Goadfa32.exe 2300 Gledpe32.exe 3472 Hfniikha.exe 4428 Hcipcnac.exe 4020 Iqdfmajd.exe 984 Ioicnn32.exe 3800 Ijngkf32.exe 652 Jflnafno.exe 1388 Kgngqico.exe 1812 Kcgekjgp.exe 4184 Kjamhd32.exe 4944 Ljffccjh.exe 4744 Lpbokjho.exe 3312 Lfodmdni.exe 3348 Lmneemaq.exe 2072 Oahgnh32.exe 2372 Pjgemi32.exe 3040 Ahkkhnpg.exe 2924 Ndgpnogo.exe 3968 Odqbdnod.exe 3192 Ojkkah32.exe 456 Ofdhlh32.exe 4180 Pphlpl32.exe 3100 Agpqnd32.exe 3512 Anjikoip.exe 1636 Addahh32.exe 4992 Bjqjpp32.exe 3284 Bdfnmhnj.exe 3096 Bdpqcg32.exe 2284 Cjlilndf.exe 4444 Ccgjjc32.exe 3760 Cjabgm32.exe 4016 Cqkkcghn.exe 3676 Cgecpa32.exe 4228 Cnokmkfh.exe 4500 Cqpdof32.exe 1588 Dcqmpa32.exe 4464 Dccjfaog.exe 3908 Djmbbk32.exe 4012 Dklomnmf.exe 4584 Dmnkdfce.exe 2020 Dgcoaock.exe 2960 Dmphjfab.exe 2108 Fndgfffm.exe 4764 Ghohdk32.exe 2488 Gmlplbib.exe 4084 Gdfhil32.exe 1496 Incpdodg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Oiepphim.dll Dccjfaog.exe File created C:\Windows\SysWOW64\Aleemb32.dll Gmclgghc.exe File opened for modification C:\Windows\SysWOW64\Cqpdof32.exe Cnokmkfh.exe File opened for modification C:\Windows\SysWOW64\Immhdc32.exe Hmdend32.exe File created C:\Windows\SysWOW64\Pchljlpo.exe Plndma32.exe File opened for modification C:\Windows\SysWOW64\Iqdmghnp.exe Ijjekn32.exe File opened for modification C:\Windows\SysWOW64\Fgcang32.exe Efolidno.exe File created C:\Windows\SysWOW64\Cjppfp32.dll Emniheha.exe File created C:\Windows\SysWOW64\Nlapob32.dll Femgia32.exe File created C:\Windows\SysWOW64\Hgjldfqj.exe Hbhjqp32.exe File opened for modification C:\Windows\SysWOW64\Ikokkc32.exe Iohjebkd.exe File opened for modification C:\Windows\SysWOW64\Kilpgnfi.exe Kbiede32.exe File created C:\Windows\SysWOW64\Fmbdnhme.exe Ejchbmna.exe File created C:\Windows\SysWOW64\Knenffqf.exe Kgkfil32.exe File opened for modification C:\Windows\SysWOW64\Ijcecgnl.exe Immhdc32.exe File created C:\Windows\SysWOW64\Faejhf32.dll Aaflag32.exe File opened for modification C:\Windows\SysWOW64\Dpbdiehi.exe Dihllkal.exe File created C:\Windows\SysWOW64\Anjikoip.exe Agpqnd32.exe File created C:\Windows\SysWOW64\Lambibap.dll Gfcnka32.exe File created C:\Windows\SysWOW64\Mqnfon32.exe Moljgeco.exe File opened for modification C:\Windows\SysWOW64\Ohlifj32.exe Oghpib32.exe File created C:\Windows\SysWOW64\Lbgongoo.dll Diicfa32.exe File created C:\Windows\SysWOW64\Kqgbobll.dll Moiheebb.exe File created C:\Windows\SysWOW64\Gledpe32.exe Goadfa32.exe File created C:\Windows\SysWOW64\Eaohkjak.dll Pjgemi32.exe File created C:\Windows\SysWOW64\Dcdnce32.exe Dmjefkap.exe File opened for modification C:\Windows\SysWOW64\Fikbhiaf.exe Fbajlo32.exe File opened for modification C:\Windows\SysWOW64\Mqnfon32.exe Moljgeco.exe File created C:\Windows\SysWOW64\Befcqjoh.dll Aloekjod.exe File created C:\Windows\SysWOW64\Hmblee32.dll Gbdgpfni.exe File created C:\Windows\SysWOW64\Ehkllbpl.dll Qhlamhkj.exe File created C:\Windows\SysWOW64\Oampdkbj.exe Ohdlke32.exe File created C:\Windows\SysWOW64\Bcokah32.exe Blecdn32.exe File created C:\Windows\SysWOW64\Aafghjbq.dll Npfchkop.exe File created C:\Windows\SysWOW64\Ebcclm32.dll Jbccbi32.exe File created C:\Windows\SysWOW64\Cokpekpj.exe Chokcakp.exe File created C:\Windows\SysWOW64\Fpejjabq.dll Lgcjmjho.exe File created C:\Windows\SysWOW64\Cfldob32.exe Cobkbhgk.exe File opened for modification C:\Windows\SysWOW64\Fppqjcli.exe Fmbdnhme.exe File created C:\Windows\SysWOW64\Jegohe32.exe Ijonfmbn.exe File created C:\Windows\SysWOW64\Gahlnk32.dll Agpqnd32.exe File created C:\Windows\SysWOW64\Copajm32.exe Cjbhbf32.exe File created C:\Windows\SysWOW64\Hjokhh32.dll Jcplle32.exe File opened for modification C:\Windows\SysWOW64\Jijaef32.exe Ighhed32.exe File created C:\Windows\SysWOW64\Eagahnob.exe Diicfa32.exe File opened for modification C:\Windows\SysWOW64\Qhlkbaho.exe Qaabfgpa.exe File created C:\Windows\SysWOW64\Pjgemi32.exe Oahgnh32.exe File created C:\Windows\SysWOW64\Digcnb32.dll Bpodmb32.exe File created C:\Windows\SysWOW64\Elighial.dll Dagiba32.exe File created C:\Windows\SysWOW64\Mallojmd.exe Ldohogfe.exe File created C:\Windows\SysWOW64\Qkngdp32.dll Femndhgh.exe File created C:\Windows\SysWOW64\Emkhfj32.dll Capikhgh.exe File created C:\Windows\SysWOW64\Ljkgpamj.dll Pbkagfba.exe File created C:\Windows\SysWOW64\Khmjga32.exe Knefnkla.exe File created C:\Windows\SysWOW64\Bkcbaf32.dll Qcpieamc.exe File created C:\Windows\SysWOW64\Cmhial32.exe Cfnqdale.exe File opened for modification C:\Windows\SysWOW64\Eiaobjia.exe Ebggep32.exe File created C:\Windows\SysWOW64\Dkdeofjc.dll Iebfmfdg.exe File created C:\Windows\SysWOW64\Incpdodg.exe Gdfhil32.exe File opened for modification C:\Windows\SysWOW64\Jcplle32.exe Iempingp.exe File created C:\Windows\SysWOW64\Obbgom32.dll Ijonfmbn.exe File created C:\Windows\SysWOW64\Hmedbiid.dll Ijfkpnji.exe File opened for modification C:\Windows\SysWOW64\Imnoni32.exe Hanlcjgh.exe File created C:\Windows\SysWOW64\Inicnm32.dll Obdkfg32.exe -
Program crash 2 IoCs
pid pid_target Process procid_target 11908 5412 WerFault.exe 870 12032 5412 WerFault.exe 870 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Khcgfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bppnjc32.dll" Jlponebi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjbhbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pbkagfba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oflfoepg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qgnief32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nahgik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oegicjdd.dll" Ijjekn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blqlgdhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogknhjcn.dll" Okhmnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Femgia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qcpieamc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Naodbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpgelq32.dll" Cobkbhgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffjignde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Johfep32.dll" Lcpledob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hgjldfqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faejhf32.dll" Aaflag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhfjkmma.dll" Goadfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiepphim.dll" Dccjfaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fabokoop.dll" Dklomnmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdglka32.dll" Giacmggo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pimbcc32.dll" Eolpfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mcmall32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knefnkla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mefmbbod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Licfgmpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dolpli32.dll" Oampdkbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjjlij32.dll" Poggnnkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Acfhkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Joikdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mqnfon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdgjj32.dll" Gcneca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gkjocm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdopkhfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Plbmhadm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpiofp32.dll" Qaabfgpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aklddmep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Acfhkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffaogm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndinf32.dll" Bpjkbcbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knpmcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbfiklno.dll" Pomgcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enhoch32.dll" Fdopkhfk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hnaqqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpclq32.dll" Lbgaecjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Plbmhadm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aklddmep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffobbmpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgckgcem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jkmgladi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pedlpgqe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID 84ce26856214a66583f71f123184ea3fcf3f6ad218b146ad92a8c7d980dabd4d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kapilbaa.dll" Kabpan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjkipdpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgagai32.dll" Aadokg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Efafqolp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfbcfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meknelcg.dll" Ccipelcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Khmjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpelljmd.dll" Kgkfil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgblcinm.dll" Njcpok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bcmolimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehofco32.dll" Mkdiog32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4644 wrote to memory of 376 4644 84ce26856214a66583f71f123184ea3fcf3f6ad218b146ad92a8c7d980dabd4d.exe 91 PID 4644 wrote to memory of 376 4644 84ce26856214a66583f71f123184ea3fcf3f6ad218b146ad92a8c7d980dabd4d.exe 91 PID 4644 wrote to memory of 376 4644 84ce26856214a66583f71f123184ea3fcf3f6ad218b146ad92a8c7d980dabd4d.exe 91 PID 376 wrote to memory of 620 376 Hjjldpdf.exe 92 PID 376 wrote to memory of 620 376 Hjjldpdf.exe 92 PID 376 wrote to memory of 620 376 Hjjldpdf.exe 92 PID 620 wrote to memory of 1776 620 Ijfkpnji.exe 93 PID 620 wrote to memory of 1776 620 Ijfkpnji.exe 93 PID 620 wrote to memory of 1776 620 Ijfkpnji.exe 93 PID 1776 wrote to memory of 4752 1776 Ijjekn32.exe 167 PID 1776 wrote to memory of 4752 1776 Ijjekn32.exe 167 PID 1776 wrote to memory of 4752 1776 Ijjekn32.exe 167 PID 4752 wrote to memory of 1396 4752 Iqdmghnp.exe 95 PID 4752 wrote to memory of 1396 4752 Iqdmghnp.exe 95 PID 4752 wrote to memory of 1396 4752 Iqdmghnp.exe 95 PID 1396 wrote to memory of 4324 1396 Ifaepolg.exe 169 PID 1396 wrote to memory of 4324 1396 Ifaepolg.exe 169 PID 1396 wrote to memory of 4324 1396 Ifaepolg.exe 169 PID 4324 wrote to memory of 3812 4324 Iebfmfdg.exe 97 PID 4324 wrote to memory of 3812 4324 Iebfmfdg.exe 97 PID 4324 wrote to memory of 3812 4324 Iebfmfdg.exe 97 PID 3812 wrote to memory of 3572 3812 Ijonfmbn.exe 98 PID 3812 wrote to memory of 3572 3812 Ijonfmbn.exe 98 PID 3812 wrote to memory of 3572 3812 Ijonfmbn.exe 98 PID 3572 wrote to memory of 1400 3572 Jegohe32.exe 99 PID 3572 wrote to memory of 1400 3572 Jegohe32.exe 99 PID 3572 wrote to memory of 1400 3572 Jegohe32.exe 99 PID 1400 wrote to memory of 2136 1400 Khcgfo32.exe 100 PID 1400 wrote to memory of 2136 1400 Khcgfo32.exe 100 PID 1400 wrote to memory of 2136 1400 Khcgfo32.exe 100 PID 2136 wrote to memory of 4460 2136 Lokldg32.exe 101 PID 2136 wrote to memory of 4460 2136 Lokldg32.exe 101 PID 2136 wrote to memory of 4460 2136 Lokldg32.exe 101 PID 4460 wrote to memory of 4032 4460 Mkdiog32.exe 102 PID 4460 wrote to memory of 4032 4460 Mkdiog32.exe 102 PID 4460 wrote to memory of 4032 4460 Mkdiog32.exe 102 PID 4032 wrote to memory of 3592 4032 Moiheebb.exe 103 PID 4032 wrote to memory of 3592 4032 Moiheebb.exe 103 PID 4032 wrote to memory of 3592 4032 Moiheebb.exe 103 PID 3592 wrote to memory of 664 3592 Ndpcdjho.exe 251 PID 3592 wrote to memory of 664 3592 Ndpcdjho.exe 251 PID 3592 wrote to memory of 664 3592 Ndpcdjho.exe 251 PID 664 wrote to memory of 1980 664 Qkakhakq.exe 107 PID 664 wrote to memory of 1980 664 Qkakhakq.exe 107 PID 664 wrote to memory of 1980 664 Qkakhakq.exe 107 PID 1980 wrote to memory of 1964 1980 Fhllni32.exe 108 PID 1980 wrote to memory of 1964 1980 Fhllni32.exe 108 PID 1980 wrote to memory of 1964 1980 Fhllni32.exe 108 PID 1964 wrote to memory of 4320 1964 Ggfobofl.exe 243 PID 1964 wrote to memory of 4320 1964 Ggfobofl.exe 243 PID 1964 wrote to memory of 4320 1964 Ggfobofl.exe 243 PID 4320 wrote to memory of 2300 4320 Goadfa32.exe 233 PID 4320 wrote to memory of 2300 4320 Goadfa32.exe 233 PID 4320 wrote to memory of 2300 4320 Goadfa32.exe 233 PID 2300 wrote to memory of 3472 2300 Gledpe32.exe 111 PID 2300 wrote to memory of 3472 2300 Gledpe32.exe 111 PID 2300 wrote to memory of 3472 2300 Gledpe32.exe 111 PID 3472 wrote to memory of 4428 3472 Hfniikha.exe 112 PID 3472 wrote to memory of 4428 3472 Hfniikha.exe 112 PID 3472 wrote to memory of 4428 3472 Hfniikha.exe 112 PID 4428 wrote to memory of 4020 4428 Hcipcnac.exe 113 PID 4428 wrote to memory of 4020 4428 Hcipcnac.exe 113 PID 4428 wrote to memory of 4020 4428 Hcipcnac.exe 113 PID 4020 wrote to memory of 984 4020 Iqdfmajd.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\84ce26856214a66583f71f123184ea3fcf3f6ad218b146ad92a8c7d980dabd4d.exe"C:\Users\Admin\AppData\Local\Temp\84ce26856214a66583f71f123184ea3fcf3f6ad218b146ad92a8c7d980dabd4d.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Windows\SysWOW64\Hjjldpdf.exeC:\Windows\system32\Hjjldpdf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Windows\SysWOW64\Ijfkpnji.exeC:\Windows\system32\Ijfkpnji.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\SysWOW64\Ijjekn32.exeC:\Windows\system32\Ijjekn32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Iqdmghnp.exeC:\Windows\system32\Iqdmghnp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\Ifaepolg.exeC:\Windows\system32\Ifaepolg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\Iebfmfdg.exeC:\Windows\system32\Iebfmfdg.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Windows\SysWOW64\Ijonfmbn.exeC:\Windows\system32\Ijonfmbn.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3812 -
C:\Windows\SysWOW64\Jegohe32.exeC:\Windows\system32\Jegohe32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Windows\SysWOW64\Khcgfo32.exeC:\Windows\system32\Khcgfo32.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\Lokldg32.exeC:\Windows\system32\Lokldg32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Mkdiog32.exeC:\Windows\system32\Mkdiog32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\SysWOW64\Moiheebb.exeC:\Windows\system32\Moiheebb.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Windows\SysWOW64\Ndpcdjho.exeC:\Windows\system32\Ndpcdjho.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\SysWOW64\Qkakhakq.exeC:\Windows\system32\Qkakhakq.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Windows\SysWOW64\Fhllni32.exeC:\Windows\system32\Fhllni32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Ggfobofl.exeC:\Windows\system32\Ggfobofl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Goadfa32.exeC:\Windows\system32\Goadfa32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4320 -
C:\Windows\SysWOW64\Gledpe32.exeC:\Windows\system32\Gledpe32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Hfniikha.exeC:\Windows\system32\Hfniikha.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\SysWOW64\Hcipcnac.exeC:\Windows\system32\Hcipcnac.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\Windows\SysWOW64\Iqdfmajd.exeC:\Windows\system32\Iqdfmajd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\SysWOW64\Ioicnn32.exeC:\Windows\system32\Ioicnn32.exe23⤵
- Executes dropped EXE
PID:984 -
C:\Windows\SysWOW64\Ijngkf32.exeC:\Windows\system32\Ijngkf32.exe24⤵
- Executes dropped EXE
PID:3800 -
C:\Windows\SysWOW64\Jflnafno.exeC:\Windows\system32\Jflnafno.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:652 -
C:\Windows\SysWOW64\Kgngqico.exeC:\Windows\system32\Kgngqico.exe26⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Kcgekjgp.exeC:\Windows\system32\Kcgekjgp.exe27⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Kjamhd32.exeC:\Windows\system32\Kjamhd32.exe28⤵
- Executes dropped EXE
PID:4184 -
C:\Windows\SysWOW64\Ljffccjh.exeC:\Windows\system32\Ljffccjh.exe29⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Lpbokjho.exeC:\Windows\system32\Lpbokjho.exe30⤵
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\Lfodmdni.exeC:\Windows\system32\Lfodmdni.exe31⤵
- Executes dropped EXE
PID:3312 -
C:\Windows\SysWOW64\Lmneemaq.exeC:\Windows\system32\Lmneemaq.exe32⤵
- Executes dropped EXE
PID:3348 -
C:\Windows\SysWOW64\Oahgnh32.exeC:\Windows\system32\Oahgnh32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Pjgemi32.exeC:\Windows\system32\Pjgemi32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Ahkkhnpg.exeC:\Windows\system32\Ahkkhnpg.exe35⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Ndgpnogo.exeC:\Windows\system32\Ndgpnogo.exe36⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Odqbdnod.exeC:\Windows\system32\Odqbdnod.exe37⤵
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\Ojkkah32.exeC:\Windows\system32\Ojkkah32.exe38⤵
- Executes dropped EXE
PID:3192 -
C:\Windows\SysWOW64\Ofdhlh32.exeC:\Windows\system32\Ofdhlh32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Pphlpl32.exeC:\Windows\system32\Pphlpl32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Agpqnd32.exeC:\Windows\system32\Agpqnd32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3100 -
C:\Windows\SysWOW64\Anjikoip.exeC:\Windows\system32\Anjikoip.exe42⤵
- Executes dropped EXE
PID:3512 -
C:\Windows\SysWOW64\Addahh32.exeC:\Windows\system32\Addahh32.exe43⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Bjqjpp32.exeC:\Windows\system32\Bjqjpp32.exe44⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Bdfnmhnj.exeC:\Windows\system32\Bdfnmhnj.exe45⤵
- Executes dropped EXE
PID:3284 -
C:\Windows\SysWOW64\Bdpqcg32.exeC:\Windows\system32\Bdpqcg32.exe46⤵
- Executes dropped EXE
PID:3096 -
C:\Windows\SysWOW64\Cjlilndf.exeC:\Windows\system32\Cjlilndf.exe47⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Ccgjjc32.exeC:\Windows\system32\Ccgjjc32.exe48⤵
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Cjabgm32.exeC:\Windows\system32\Cjabgm32.exe49⤵
- Executes dropped EXE
PID:3760 -
C:\Windows\SysWOW64\Cqkkcghn.exeC:\Windows\system32\Cqkkcghn.exe50⤵
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Cgecpa32.exeC:\Windows\system32\Cgecpa32.exe51⤵
- Executes dropped EXE
PID:3676 -
C:\Windows\SysWOW64\Cnokmkfh.exeC:\Windows\system32\Cnokmkfh.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4228 -
C:\Windows\SysWOW64\Cqpdof32.exeC:\Windows\system32\Cqpdof32.exe53⤵
- Executes dropped EXE
PID:4500 -
C:\Windows\SysWOW64\Dcqmpa32.exeC:\Windows\system32\Dcqmpa32.exe54⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Dccjfaog.exeC:\Windows\system32\Dccjfaog.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4464 -
C:\Windows\SysWOW64\Djmbbk32.exeC:\Windows\system32\Djmbbk32.exe56⤵
- Executes dropped EXE
PID:3908 -
C:\Windows\SysWOW64\Dklomnmf.exeC:\Windows\system32\Dklomnmf.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:4012 -
C:\Windows\SysWOW64\Dmnkdfce.exeC:\Windows\system32\Dmnkdfce.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\Dgcoaock.exeC:\Windows\system32\Dgcoaock.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Dmphjfab.exeC:\Windows\system32\Dmphjfab.exe60⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Fndgfffm.exeC:\Windows\system32\Fndgfffm.exe61⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Ghohdk32.exeC:\Windows\system32\Ghohdk32.exe62⤵
- Executes dropped EXE
PID:4764 -
C:\Windows\SysWOW64\Gmlplbib.exeC:\Windows\system32\Gmlplbib.exe63⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Gdfhil32.exeC:\Windows\system32\Gdfhil32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4084 -
C:\Windows\SysWOW64\Incpdodg.exeC:\Windows\system32\Incpdodg.exe65⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Jnoopm32.exeC:\Windows\system32\Jnoopm32.exe66⤵PID:1268
-
C:\Windows\SysWOW64\Jlponebi.exeC:\Windows\system32\Jlponebi.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5028 -
C:\Windows\SysWOW64\Lmhnea32.exeC:\Windows\system32\Lmhnea32.exe68⤵PID:4204
-
C:\Windows\SysWOW64\Mkdagm32.exeC:\Windows\system32\Mkdagm32.exe69⤵PID:4548
-
C:\Windows\SysWOW64\Mbnjcg32.exeC:\Windows\system32\Mbnjcg32.exe70⤵PID:3724
-
C:\Windows\SysWOW64\Mkhkblii.exeC:\Windows\system32\Mkhkblii.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:912 -
C:\Windows\SysWOW64\Npfchkop.exeC:\Windows\system32\Npfchkop.exe72⤵
- Drops file in System32 directory
PID:4752 -
C:\Windows\SysWOW64\Nfpled32.exeC:\Windows\system32\Nfpled32.exe73⤵PID:4324
-
C:\Windows\SysWOW64\Nifnao32.exeC:\Windows\system32\Nifnao32.exe74⤵PID:1604
-
C:\Windows\SysWOW64\Ppblkffp.exeC:\Windows\system32\Ppblkffp.exe75⤵PID:3720
-
C:\Windows\SysWOW64\Bpjkbcbe.exeC:\Windows\system32\Bpjkbcbe.exe76⤵
- Modifies registry class
PID:528 -
C:\Windows\SysWOW64\Begcjjql.exeC:\Windows\system32\Begcjjql.exe77⤵PID:5008
-
C:\Windows\SysWOW64\Blqlgdhi.exeC:\Windows\system32\Blqlgdhi.exe78⤵
- Modifies registry class
PID:3468 -
C:\Windows\SysWOW64\Bckddn32.exeC:\Windows\system32\Bckddn32.exe79⤵PID:3804
-
C:\Windows\SysWOW64\Bpodmb32.exeC:\Windows\system32\Bpodmb32.exe80⤵
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Bekmei32.exeC:\Windows\system32\Bekmei32.exe81⤵PID:1756
-
C:\Windows\SysWOW64\Bleebc32.exeC:\Windows\system32\Bleebc32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2428 -
C:\Windows\SysWOW64\Bcomonkq.exeC:\Windows\system32\Bcomonkq.exe83⤵PID:756
-
C:\Windows\SysWOW64\Cfbcfh32.exeC:\Windows\system32\Cfbcfh32.exe84⤵
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Cphgca32.exeC:\Windows\system32\Cphgca32.exe85⤵PID:1592
-
C:\Windows\SysWOW64\Cgbppknb.exeC:\Windows\system32\Cgbppknb.exe86⤵PID:1512
-
C:\Windows\SysWOW64\Cnlhme32.exeC:\Windows\system32\Cnlhme32.exe87⤵PID:4644
-
C:\Windows\SysWOW64\Ccipelcf.exeC:\Windows\system32\Ccipelcf.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5148 -
C:\Windows\SysWOW64\Cjbhbf32.exeC:\Windows\system32\Cjbhbf32.exe89⤵
- Drops file in System32 directory
- Modifies registry class
PID:5196 -
C:\Windows\SysWOW64\Copajm32.exeC:\Windows\system32\Copajm32.exe90⤵PID:5260
-
C:\Windows\SysWOW64\Dfnbbg32.exeC:\Windows\system32\Dfnbbg32.exe91⤵PID:5304
-
C:\Windows\SysWOW64\Dnjdncio.exeC:\Windows\system32\Dnjdncio.exe92⤵PID:5344
-
C:\Windows\SysWOW64\Ejaecdnc.exeC:\Windows\system32\Ejaecdnc.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5392 -
C:\Windows\SysWOW64\Eodclj32.exeC:\Windows\system32\Eodclj32.exe94⤵PID:5436
-
C:\Windows\SysWOW64\Efolidno.exeC:\Windows\system32\Efolidno.exe95⤵
- Drops file in System32 directory
PID:5496 -
C:\Windows\SysWOW64\Fgcang32.exeC:\Windows\system32\Fgcang32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5548 -
C:\Windows\SysWOW64\Gjhdkajh.exeC:\Windows\system32\Gjhdkajh.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5616 -
C:\Windows\SysWOW64\Gpjfng32.exeC:\Windows\system32\Gpjfng32.exe98⤵PID:5656
-
C:\Windows\SysWOW64\Gfcnka32.exeC:\Windows\system32\Gfcnka32.exe99⤵
- Drops file in System32 directory
PID:5716 -
C:\Windows\SysWOW64\Hjdcfp32.exeC:\Windows\system32\Hjdcfp32.exe100⤵PID:5756
-
C:\Windows\SysWOW64\Hanlcjgh.exeC:\Windows\system32\Hanlcjgh.exe101⤵
- Drops file in System32 directory
PID:5804 -
C:\Windows\SysWOW64\Imnoni32.exeC:\Windows\system32\Imnoni32.exe102⤵PID:5848
-
C:\Windows\SysWOW64\Idhgkcln.exeC:\Windows\system32\Idhgkcln.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5892 -
C:\Windows\SysWOW64\Jacnegep.exeC:\Windows\system32\Jacnegep.exe104⤵PID:5940
-
C:\Windows\SysWOW64\Jaekkfcm.exeC:\Windows\system32\Jaekkfcm.exe105⤵PID:5984
-
C:\Windows\SysWOW64\Jhocgqjj.exeC:\Windows\system32\Jhocgqjj.exe106⤵PID:6028
-
C:\Windows\SysWOW64\Joikdk32.exeC:\Windows\system32\Joikdk32.exe107⤵
- Modifies registry class
PID:6104 -
C:\Windows\SysWOW64\Jopaejlo.exeC:\Windows\system32\Jopaejlo.exe108⤵PID:5132
-
C:\Windows\SysWOW64\Kpanmb32.exeC:\Windows\system32\Kpanmb32.exe109⤵PID:5208
-
C:\Windows\SysWOW64\Kgkfil32.exeC:\Windows\system32\Kgkfil32.exe110⤵
- Drops file in System32 directory
- Modifies registry class
PID:5292 -
C:\Windows\SysWOW64\Knenffqf.exeC:\Windows\system32\Knenffqf.exe111⤵PID:5340
-
C:\Windows\SysWOW64\Kdpfbp32.exeC:\Windows\system32\Kdpfbp32.exe112⤵PID:5408
-
C:\Windows\SysWOW64\Kkioojpp.exeC:\Windows\system32\Kkioojpp.exe113⤵PID:5468
-
C:\Windows\SysWOW64\Kacgld32.exeC:\Windows\system32\Kacgld32.exe114⤵PID:4248
-
C:\Windows\SysWOW64\Moljgeco.exeC:\Windows\system32\Moljgeco.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Mqnfon32.exeC:\Windows\system32\Mqnfon32.exe116⤵
- Modifies registry class
PID:5684 -
C:\Windows\SysWOW64\Nqdlpmce.exeC:\Windows\system32\Nqdlpmce.exe117⤵PID:5748
-
C:\Windows\SysWOW64\Nildajdg.exeC:\Windows\system32\Nildajdg.exe118⤵PID:3052
-
C:\Windows\SysWOW64\Neebkkgi.exeC:\Windows\system32\Neebkkgi.exe119⤵PID:5824
-
C:\Windows\SysWOW64\Ngcngfgl.exeC:\Windows\system32\Ngcngfgl.exe120⤵PID:5884
-
C:\Windows\SysWOW64\Nejkfj32.exeC:\Windows\system32\Nejkfj32.exe121⤵PID:2692
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-