Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 00:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7c620e65acf14d83755013992fba4b094131b4982cf5790fe24d4f4da90d618c.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
7c620e65acf14d83755013992fba4b094131b4982cf5790fe24d4f4da90d618c.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
7c620e65acf14d83755013992fba4b094131b4982cf5790fe24d4f4da90d618c.exe
-
Size
800KB
-
MD5
4043afa214e401ab7723b1eb033494b1
-
SHA1
17aa56dbd065efa1dc03f3931402589217c52488
-
SHA256
7c620e65acf14d83755013992fba4b094131b4982cf5790fe24d4f4da90d618c
-
SHA512
7a35dcc1b4c0f7211ffbbc63d44716a527f4717dd11887edd6a2296cf4fadeb56e2c6f3f63b8c789e78367006c29cbddea60be9f21d89add467e00e5f1d40747
-
SSDEEP
12288:CcKG7/+zrWAI5KFum/+zrWAIAqWim/+zrWAI5KFHTP7rXFr/+zrWAI5KFum/+zrC:u4m0BmmvFimm0MTP7hm0BmmvK
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agjhgngj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfldelik.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmlpaoaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aojefobm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adkgje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kebbafoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekpmbddq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpomcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnkldqkc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eifhdd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icnklbmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngbpidjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjbpaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfoplpla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdgafjpn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mchppmij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iebngial.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pghieg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfpcgpae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpelhd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehdmlhcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhbmphjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkiaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddgplado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfpcgpae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dikpbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kqbkfkal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgffic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdpmbc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oifeab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hihbijhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nggjdc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cajlhqjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhppji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejdocm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Noeahkfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkaejf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dclkee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aodogdmn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljfhqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajhddjfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfjapcii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhppji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjpobg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohmhmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgbdlf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaefgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnlgleef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odoogi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojoign32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjellmbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qepkbpak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgmgqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjdilcla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njciko32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfcqpa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjdebfnd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hglipp32.exe -
Executes dropped EXE 64 IoCs
pid Process 3924 Ngcgcjnc.exe 3728 Njacpf32.exe 2108 Nbhkac32.exe 1176 Ndghmo32.exe 688 Okeieh32.exe 3992 Ocqnij32.exe 1468 Occkojkm.exe 2264 Oqgkhnjf.exe 3688 Ogaceh32.exe 1400 Ocgdji32.exe 1640 Pjdilcla.exe 2472 Pghieg32.exe 1956 Pqpnombl.exe 3244 Pcagphom.exe 3988 Pnihcq32.exe 3788 Qbgqio32.exe 3108 Qalnjkgo.exe 3172 Abkjdnoa.exe 3136 Ahhblemi.exe 672 Ajiknpjj.exe 1128 Aacckjaf.exe 792 Ahoimd32.exe 2556 Becifhfj.exe 4796 Bnlnon32.exe 2728 Bjbndobo.exe 4256 Bopgjmhe.exe 4872 Baaplhef.exe 3124 Cbqlfkmi.exe 4340 Cogmkl32.exe 3912 Cknnpm32.exe 2012 Cajcbgml.exe 4628 Cbjoljdo.exe 4292 Daolnf32.exe 960 Ddmhja32.exe 4780 Docmgjhp.exe 944 Ddpeoafg.exe 2128 Dbaemi32.exe 4372 Ddbbeade.exe 4496 Dafbne32.exe 4552 Dojcgi32.exe 2828 Dahode32.exe 4100 Ekacmjgl.exe 4644 Edihepnm.exe 2536 Ekcpbj32.exe 3132 Eeidoc32.exe 2520 Elbmlmml.exe 4768 Ecmeig32.exe 2784 Ednaqo32.exe 4516 Eocenh32.exe 4892 Eemnjbaj.exe 972 Ekjfcipa.exe 3364 Eadopc32.exe 3600 Edbklofb.exe 3180 Fkmchi32.exe 3848 Febgea32.exe 2224 Fllpbldb.exe 2712 Fojlngce.exe 4384 Flnlhk32.exe 4488 Fdialn32.exe 4952 Fkciihgg.exe 4240 Ffimfqgm.exe 2928 Fkffog32.exe 1396 Ffkjlp32.exe 4332 Gododflk.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mjegoo32.dll Hbpgbo32.exe File created C:\Windows\SysWOW64\Mjhmqf32.dll Hfnphn32.exe File created C:\Windows\SysWOW64\Gnepna32.exe Gmdcfidg.exe File opened for modification C:\Windows\SysWOW64\Hekgfj32.exe Hpnoncim.exe File created C:\Windows\SysWOW64\Ebdijfii.dll Balpgb32.exe File created C:\Windows\SysWOW64\Ejpfhnpe.exe Epjajeqo.exe File created C:\Windows\SysWOW64\Aaiimadl.exe Ahqddk32.exe File created C:\Windows\SysWOW64\Fjbnapki.dll Pgefeajb.exe File created C:\Windows\SysWOW64\Liokmchg.dll Edhjqc32.exe File created C:\Windows\SysWOW64\Geqnma32.dll Process not Found File created C:\Windows\SysWOW64\Leoghn32.exe Lpbopfag.exe File created C:\Windows\SysWOW64\Fkciihgg.exe Fdialn32.exe File created C:\Windows\SysWOW64\Gkaopp32.exe Gahjgj32.exe File created C:\Windows\SysWOW64\Cgbiiion.dll Dclkee32.exe File created C:\Windows\SysWOW64\Ggiabl32.dll Mkhapk32.exe File created C:\Windows\SysWOW64\Bohgljdl.dll Kodnmkap.exe File created C:\Windows\SysWOW64\Jbileede.exe Jgdhgmep.exe File opened for modification C:\Windows\SysWOW64\Mibijk32.exe Mfcmmp32.exe File created C:\Windows\SysWOW64\Ekodjiol.exe Eiahnnph.exe File created C:\Windows\SysWOW64\Ahhblemi.exe Abkjdnoa.exe File created C:\Windows\SysWOW64\Lllcen32.exe Lebkhc32.exe File created C:\Windows\SysWOW64\Ocopdn32.exe Olehhc32.exe File created C:\Windows\SysWOW64\Ibifekgh.dll Hpomcp32.exe File created C:\Windows\SysWOW64\Hgmgqc32.exe Hlhccj32.exe File opened for modification C:\Windows\SysWOW64\Gbalopbn.exe Gnepna32.exe File created C:\Windows\SysWOW64\Ejldilhc.dll Jghabl32.exe File created C:\Windows\SysWOW64\Pbegml32.dll Hlepcdoa.exe File created C:\Windows\SysWOW64\Pioelhgj.dll Inlihl32.exe File created C:\Windows\SysWOW64\Cmkmlmnl.dll Gfhndpol.exe File created C:\Windows\SysWOW64\Llcpoo32.exe Lbjlfi32.exe File opened for modification C:\Windows\SysWOW64\Afinioip.exe Ackbmcjl.exe File created C:\Windows\SysWOW64\Megdccmb.exe Mdehlk32.exe File created C:\Windows\SysWOW64\Dohjem32.dll Kfpcoefj.exe File created C:\Windows\SysWOW64\Jcbihpel.exe Jmhale32.exe File created C:\Windows\SysWOW64\Dmlijb32.dll Pcobaedj.exe File created C:\Windows\SysWOW64\Ljalni32.dll Bckkca32.exe File opened for modification C:\Windows\SysWOW64\Jblpek32.exe Jmpgldhg.exe File created C:\Windows\SysWOW64\Aoglcqao.dll Cabfga32.exe File opened for modification C:\Windows\SysWOW64\Klifnj32.exe Kijjbofj.exe File created C:\Windows\SysWOW64\Gklnjj32.exe Ghmbno32.exe File opened for modification C:\Windows\SysWOW64\Cdbfab32.exe Cofnik32.exe File opened for modification C:\Windows\SysWOW64\Lpfgmnfp.exe Kfpcoefj.exe File opened for modification C:\Windows\SysWOW64\Bokehc32.exe Bhamkipi.exe File opened for modification C:\Windows\SysWOW64\Nohehq32.exe Neppokal.exe File created C:\Windows\SysWOW64\Dleglm32.dll Ookjdn32.exe File created C:\Windows\SysWOW64\Gikgni32.dll Process not Found File created C:\Windows\SysWOW64\Aimkjp32.exe Aglnbhal.exe File created C:\Windows\SysWOW64\Ahqddk32.exe Qaflgago.exe File created C:\Windows\SysWOW64\Fgaemg32.dll Kjmfjj32.exe File created C:\Windows\SysWOW64\Lpfgmnfp.exe Kfpcoefj.exe File opened for modification C:\Windows\SysWOW64\Occkojkm.exe Ocqnij32.exe File created C:\Windows\SysWOW64\Mockmala.exe Mleoafmn.exe File opened for modification C:\Windows\SysWOW64\Nibbqicm.exe Neffpj32.exe File opened for modification C:\Windows\SysWOW64\Cgjjdf32.exe Cqpbglno.exe File created C:\Windows\SysWOW64\Bilqdmae.dll Cfcqpa32.exe File opened for modification C:\Windows\SysWOW64\Cioilg32.exe Cfqmpl32.exe File opened for modification C:\Windows\SysWOW64\Bhkmec32.exe Baadiiif.exe File created C:\Windows\SysWOW64\Igdgglfl.exe Ilnbicff.exe File opened for modification C:\Windows\SysWOW64\Cpmapodj.exe Process not Found File created C:\Windows\SysWOW64\Pjkolmml.dll Flnlhk32.exe File created C:\Windows\SysWOW64\Eajeon32.exe Ekpmbddq.exe File opened for modification C:\Windows\SysWOW64\Jkjcbe32.exe Jdpkflfe.exe File created C:\Windows\SysWOW64\Bhamkipi.exe Bfbaonae.exe File created C:\Windows\SysWOW64\Gddedlaq.dll Lpfgmnfp.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9572 9232 Process not Found 1215 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkkbik32.dll" Jnmijq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kecabifp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Deqcbpld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eemgplno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fahaplon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qqhcpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node 7c620e65acf14d83755013992fba4b094131b4982cf5790fe24d4f4da90d618c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igbalblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmfgdeof.dll" Occkojkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfkecidg.dll" Ffaong32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jpfepf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fbgihaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgeaiknl.dll" Klfaapbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Febgea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fedmqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papdfone.dll" Mifljdjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kapceeje.dll" Flmqlg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qqffjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahenokjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Micgbemj.dll" Chlflabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igjngh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Johnamkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bakgoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbqlfkmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddfbhfmf.dll" Ahenokjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijcjmmil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jnmijq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dckdjomg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fnaokmco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mhoipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehcplf32.dll" Domdjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcjifm32.dll" Jgdhgmep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjdhhc32.dll" Poliea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbileede.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lippqp32.dll" Fbgihaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpdhj32.dll" Gpelhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oolpjdob.dll" Lpqiemge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aaiimadl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhfjcdon.dll" Afkknogn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahbohd32.dll" Gmojkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcncmnn.dll" Igajal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kodnmkap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndghmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmnemcc.dll" Abkjdnoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pejjde32.dll" Edihepnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfnbdecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpneegel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmlephen.dll" Coadnlnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Daconoae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hplicjok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfqnichl.dll" Ckclhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abkjdnoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ennqfenp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enhodk32.dll" Aahbbkaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdfjifjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbpdblmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dkdliame.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jfnbdecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iogkekkb.dll" Cfnjpfcl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2096 wrote to memory of 3924 2096 7c620e65acf14d83755013992fba4b094131b4982cf5790fe24d4f4da90d618c.exe 80 PID 2096 wrote to memory of 3924 2096 7c620e65acf14d83755013992fba4b094131b4982cf5790fe24d4f4da90d618c.exe 80 PID 2096 wrote to memory of 3924 2096 7c620e65acf14d83755013992fba4b094131b4982cf5790fe24d4f4da90d618c.exe 80 PID 3924 wrote to memory of 3728 3924 Ngcgcjnc.exe 81 PID 3924 wrote to memory of 3728 3924 Ngcgcjnc.exe 81 PID 3924 wrote to memory of 3728 3924 Ngcgcjnc.exe 81 PID 3728 wrote to memory of 2108 3728 Njacpf32.exe 82 PID 3728 wrote to memory of 2108 3728 Njacpf32.exe 82 PID 3728 wrote to memory of 2108 3728 Njacpf32.exe 82 PID 2108 wrote to memory of 1176 2108 Nbhkac32.exe 83 PID 2108 wrote to memory of 1176 2108 Nbhkac32.exe 83 PID 2108 wrote to memory of 1176 2108 Nbhkac32.exe 83 PID 1176 wrote to memory of 688 1176 Ndghmo32.exe 84 PID 1176 wrote to memory of 688 1176 Ndghmo32.exe 84 PID 1176 wrote to memory of 688 1176 Ndghmo32.exe 84 PID 688 wrote to memory of 3992 688 Okeieh32.exe 85 PID 688 wrote to memory of 3992 688 Okeieh32.exe 85 PID 688 wrote to memory of 3992 688 Okeieh32.exe 85 PID 3992 wrote to memory of 1468 3992 Ocqnij32.exe 87 PID 3992 wrote to memory of 1468 3992 Ocqnij32.exe 87 PID 3992 wrote to memory of 1468 3992 Ocqnij32.exe 87 PID 1468 wrote to memory of 2264 1468 Occkojkm.exe 89 PID 1468 wrote to memory of 2264 1468 Occkojkm.exe 89 PID 1468 wrote to memory of 2264 1468 Occkojkm.exe 89 PID 2264 wrote to memory of 3688 2264 Oqgkhnjf.exe 90 PID 2264 wrote to memory of 3688 2264 Oqgkhnjf.exe 90 PID 2264 wrote to memory of 3688 2264 Oqgkhnjf.exe 90 PID 3688 wrote to memory of 1400 3688 Ogaceh32.exe 92 PID 3688 wrote to memory of 1400 3688 Ogaceh32.exe 92 PID 3688 wrote to memory of 1400 3688 Ogaceh32.exe 92 PID 1400 wrote to memory of 1640 1400 Ocgdji32.exe 93 PID 1400 wrote to memory of 1640 1400 Ocgdji32.exe 93 PID 1400 wrote to memory of 1640 1400 Ocgdji32.exe 93 PID 1640 wrote to memory of 2472 1640 Pjdilcla.exe 94 PID 1640 wrote to memory of 2472 1640 Pjdilcla.exe 94 PID 1640 wrote to memory of 2472 1640 Pjdilcla.exe 94 PID 2472 wrote to memory of 1956 2472 Pghieg32.exe 95 PID 2472 wrote to memory of 1956 2472 Pghieg32.exe 95 PID 2472 wrote to memory of 1956 2472 Pghieg32.exe 95 PID 1956 wrote to memory of 3244 1956 Pqpnombl.exe 96 PID 1956 wrote to memory of 3244 1956 Pqpnombl.exe 96 PID 1956 wrote to memory of 3244 1956 Pqpnombl.exe 96 PID 3244 wrote to memory of 3988 3244 Pcagphom.exe 97 PID 3244 wrote to memory of 3988 3244 Pcagphom.exe 97 PID 3244 wrote to memory of 3988 3244 Pcagphom.exe 97 PID 3988 wrote to memory of 3788 3988 Pnihcq32.exe 98 PID 3988 wrote to memory of 3788 3988 Pnihcq32.exe 98 PID 3988 wrote to memory of 3788 3988 Pnihcq32.exe 98 PID 3788 wrote to memory of 3108 3788 Qbgqio32.exe 99 PID 3788 wrote to memory of 3108 3788 Qbgqio32.exe 99 PID 3788 wrote to memory of 3108 3788 Qbgqio32.exe 99 PID 3108 wrote to memory of 3172 3108 Qalnjkgo.exe 100 PID 3108 wrote to memory of 3172 3108 Qalnjkgo.exe 100 PID 3108 wrote to memory of 3172 3108 Qalnjkgo.exe 100 PID 3172 wrote to memory of 3136 3172 Abkjdnoa.exe 101 PID 3172 wrote to memory of 3136 3172 Abkjdnoa.exe 101 PID 3172 wrote to memory of 3136 3172 Abkjdnoa.exe 101 PID 3136 wrote to memory of 672 3136 Ahhblemi.exe 102 PID 3136 wrote to memory of 672 3136 Ahhblemi.exe 102 PID 3136 wrote to memory of 672 3136 Ahhblemi.exe 102 PID 672 wrote to memory of 1128 672 Ajiknpjj.exe 103 PID 672 wrote to memory of 1128 672 Ajiknpjj.exe 103 PID 672 wrote to memory of 1128 672 Ajiknpjj.exe 103 PID 1128 wrote to memory of 792 1128 Aacckjaf.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\7c620e65acf14d83755013992fba4b094131b4982cf5790fe24d4f4da90d618c.exe"C:\Users\Admin\AppData\Local\Temp\7c620e65acf14d83755013992fba4b094131b4982cf5790fe24d4f4da90d618c.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:688 -
C:\Windows\SysWOW64\Ocqnij32.exeC:\Windows\system32\Ocqnij32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
C:\Windows\SysWOW64\Ocgdji32.exeC:\Windows\system32\Ocgdji32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3788 -
C:\Windows\SysWOW64\Qalnjkgo.exeC:\Windows\system32\Qalnjkgo.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
C:\Windows\SysWOW64\Ajiknpjj.exeC:\Windows\system32\Ajiknpjj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\Ahoimd32.exeC:\Windows\system32\Ahoimd32.exe23⤵
- Executes dropped EXE
PID:792 -
C:\Windows\SysWOW64\Becifhfj.exeC:\Windows\system32\Becifhfj.exe24⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe25⤵
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Bjbndobo.exeC:\Windows\system32\Bjbndobo.exe26⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Bopgjmhe.exeC:\Windows\system32\Bopgjmhe.exe27⤵
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Baaplhef.exeC:\Windows\system32\Baaplhef.exe28⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:3124 -
C:\Windows\SysWOW64\Cogmkl32.exeC:\Windows\system32\Cogmkl32.exe30⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe31⤵
- Executes dropped EXE
PID:3912 -
C:\Windows\SysWOW64\Cajcbgml.exeC:\Windows\system32\Cajcbgml.exe32⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Cbjoljdo.exeC:\Windows\system32\Cbjoljdo.exe33⤵
- Executes dropped EXE
PID:4628 -
C:\Windows\SysWOW64\Daolnf32.exeC:\Windows\system32\Daolnf32.exe34⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Ddmhja32.exeC:\Windows\system32\Ddmhja32.exe35⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe36⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Ddpeoafg.exeC:\Windows\system32\Ddpeoafg.exe37⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Dbaemi32.exeC:\Windows\system32\Dbaemi32.exe38⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Ddbbeade.exeC:\Windows\system32\Ddbbeade.exe39⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Dafbne32.exeC:\Windows\system32\Dafbne32.exe40⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Dojcgi32.exeC:\Windows\system32\Dojcgi32.exe41⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Dahode32.exeC:\Windows\system32\Dahode32.exe42⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Ekacmjgl.exeC:\Windows\system32\Ekacmjgl.exe43⤵
- Executes dropped EXE
PID:4100 -
C:\Windows\SysWOW64\Edihepnm.exeC:\Windows\system32\Edihepnm.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:4644 -
C:\Windows\SysWOW64\Ekcpbj32.exeC:\Windows\system32\Ekcpbj32.exe45⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Eeidoc32.exeC:\Windows\system32\Eeidoc32.exe46⤵
- Executes dropped EXE
PID:3132 -
C:\Windows\SysWOW64\Elbmlmml.exeC:\Windows\system32\Elbmlmml.exe47⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Ecmeig32.exeC:\Windows\system32\Ecmeig32.exe48⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Ednaqo32.exeC:\Windows\system32\Ednaqo32.exe49⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Eocenh32.exeC:\Windows\system32\Eocenh32.exe50⤵
- Executes dropped EXE
PID:4516 -
C:\Windows\SysWOW64\Eemnjbaj.exeC:\Windows\system32\Eemnjbaj.exe51⤵
- Executes dropped EXE
PID:4892 -
C:\Windows\SysWOW64\Ekjfcipa.exeC:\Windows\system32\Ekjfcipa.exe52⤵
- Executes dropped EXE
PID:972 -
C:\Windows\SysWOW64\Eadopc32.exeC:\Windows\system32\Eadopc32.exe53⤵
- Executes dropped EXE
PID:3364 -
C:\Windows\SysWOW64\Edbklofb.exeC:\Windows\system32\Edbklofb.exe54⤵
- Executes dropped EXE
PID:3600 -
C:\Windows\SysWOW64\Fkmchi32.exeC:\Windows\system32\Fkmchi32.exe55⤵
- Executes dropped EXE
PID:3180 -
C:\Windows\SysWOW64\Febgea32.exeC:\Windows\system32\Febgea32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:3848 -
C:\Windows\SysWOW64\Fllpbldb.exeC:\Windows\system32\Fllpbldb.exe57⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Fojlngce.exeC:\Windows\system32\Fojlngce.exe58⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Flnlhk32.exeC:\Windows\system32\Flnlhk32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4384 -
C:\Windows\SysWOW64\Fdialn32.exeC:\Windows\system32\Fdialn32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4488 -
C:\Windows\SysWOW64\Fkciihgg.exeC:\Windows\system32\Fkciihgg.exe61⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Ffimfqgm.exeC:\Windows\system32\Ffimfqgm.exe62⤵
- Executes dropped EXE
PID:4240 -
C:\Windows\SysWOW64\Fkffog32.exeC:\Windows\system32\Fkffog32.exe63⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Ffkjlp32.exeC:\Windows\system32\Ffkjlp32.exe64⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Gododflk.exeC:\Windows\system32\Gododflk.exe65⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Gdqgmmjb.exeC:\Windows\system32\Gdqgmmjb.exe66⤵PID:4036
-
C:\Windows\SysWOW64\Gkkojgao.exeC:\Windows\system32\Gkkojgao.exe67⤵PID:4740
-
C:\Windows\SysWOW64\Gfpcgpae.exeC:\Windows\system32\Gfpcgpae.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2488 -
C:\Windows\SysWOW64\Gohhpe32.exeC:\Windows\system32\Gohhpe32.exe69⤵PID:3344
-
C:\Windows\SysWOW64\Gdeqhl32.exeC:\Windows\system32\Gdeqhl32.exe70⤵PID:2072
-
C:\Windows\SysWOW64\Ghaliknf.exeC:\Windows\system32\Ghaliknf.exe71⤵PID:3932
-
C:\Windows\SysWOW64\Gbiaapdf.exeC:\Windows\system32\Gbiaapdf.exe72⤵PID:4148
-
C:\Windows\SysWOW64\Gkaejf32.exeC:\Windows\system32\Gkaejf32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3000 -
C:\Windows\SysWOW64\Gcimkc32.exeC:\Windows\system32\Gcimkc32.exe74⤵PID:3352
-
C:\Windows\SysWOW64\Hiefcj32.exeC:\Windows\system32\Hiefcj32.exe75⤵PID:1120
-
C:\Windows\SysWOW64\Hfifmnij.exeC:\Windows\system32\Hfifmnij.exe76⤵PID:2104
-
C:\Windows\SysWOW64\Hihbijhn.exeC:\Windows\system32\Hihbijhn.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4612 -
C:\Windows\SysWOW64\Hbpgbo32.exeC:\Windows\system32\Hbpgbo32.exe78⤵
- Drops file in System32 directory
PID:3140 -
C:\Windows\SysWOW64\Heocnk32.exeC:\Windows\system32\Heocnk32.exe79⤵PID:3488
-
C:\Windows\SysWOW64\Hkikkeeo.exeC:\Windows\system32\Hkikkeeo.exe80⤵PID:2756
-
C:\Windows\SysWOW64\Hfnphn32.exeC:\Windows\system32\Hfnphn32.exe81⤵
- Drops file in System32 directory
PID:880 -
C:\Windows\SysWOW64\Hkkhqd32.exeC:\Windows\system32\Hkkhqd32.exe82⤵PID:4320
-
C:\Windows\SysWOW64\Hbeqmoji.exeC:\Windows\system32\Hbeqmoji.exe83⤵PID:224
-
C:\Windows\SysWOW64\Hioiji32.exeC:\Windows\system32\Hioiji32.exe84⤵PID:3748
-
C:\Windows\SysWOW64\Hcdmga32.exeC:\Windows\system32\Hcdmga32.exe85⤵PID:60
-
C:\Windows\SysWOW64\Ikpaldog.exeC:\Windows\system32\Ikpaldog.exe86⤵PID:2220
-
C:\Windows\SysWOW64\Ibjjhn32.exeC:\Windows\system32\Ibjjhn32.exe87⤵PID:2516
-
C:\Windows\SysWOW64\Iicbehnq.exeC:\Windows\system32\Iicbehnq.exe88⤵PID:4944
-
C:\Windows\SysWOW64\Icifbang.exeC:\Windows\system32\Icifbang.exe89⤵PID:4004
-
C:\Windows\SysWOW64\Ildkgc32.exeC:\Windows\system32\Ildkgc32.exe90⤵PID:3472
-
C:\Windows\SysWOW64\Ickchq32.exeC:\Windows\system32\Ickchq32.exe91⤵PID:1512
-
C:\Windows\SysWOW64\Iemppiab.exeC:\Windows\system32\Iemppiab.exe92⤵PID:4400
-
C:\Windows\SysWOW64\Imdgqfbd.exeC:\Windows\system32\Imdgqfbd.exe93⤵PID:1660
-
C:\Windows\SysWOW64\Ibqpimpl.exeC:\Windows\system32\Ibqpimpl.exe94⤵PID:5048
-
C:\Windows\SysWOW64\Iikhfg32.exeC:\Windows\system32\Iikhfg32.exe95⤵PID:1088
-
C:\Windows\SysWOW64\Ibcmom32.exeC:\Windows\system32\Ibcmom32.exe96⤵PID:1760
-
C:\Windows\SysWOW64\Jeaikh32.exeC:\Windows\system32\Jeaikh32.exe97⤵PID:4076
-
C:\Windows\SysWOW64\Jmhale32.exeC:\Windows\system32\Jmhale32.exe98⤵
- Drops file in System32 directory
PID:3212 -
C:\Windows\SysWOW64\Jcbihpel.exeC:\Windows\system32\Jcbihpel.exe99⤵PID:4548
-
C:\Windows\SysWOW64\Jedeph32.exeC:\Windows\system32\Jedeph32.exe100⤵PID:4656
-
C:\Windows\SysWOW64\Jlnnmb32.exeC:\Windows\system32\Jlnnmb32.exe101⤵PID:4816
-
C:\Windows\SysWOW64\Jefbfgig.exeC:\Windows\system32\Jefbfgig.exe102⤵PID:4596
-
C:\Windows\SysWOW64\Jlpkba32.exeC:\Windows\system32\Jlpkba32.exe103⤵PID:4168
-
C:\Windows\SysWOW64\Jcgbco32.exeC:\Windows\system32\Jcgbco32.exe104⤵PID:1212
-
C:\Windows\SysWOW64\Jehokgge.exeC:\Windows\system32\Jehokgge.exe105⤵PID:2068
-
C:\Windows\SysWOW64\Jmpgldhg.exeC:\Windows\system32\Jmpgldhg.exe106⤵
- Drops file in System32 directory
PID:3052 -
C:\Windows\SysWOW64\Jblpek32.exeC:\Windows\system32\Jblpek32.exe107⤵PID:2648
-
C:\Windows\SysWOW64\Jeklag32.exeC:\Windows\system32\Jeklag32.exe108⤵PID:1920
-
C:\Windows\SysWOW64\Jlednamo.exeC:\Windows\system32\Jlednamo.exe109⤵PID:5144
-
C:\Windows\SysWOW64\Kboljk32.exeC:\Windows\system32\Kboljk32.exe110⤵PID:5188
-
C:\Windows\SysWOW64\Kiidgeki.exeC:\Windows\system32\Kiidgeki.exe111⤵PID:5232
-
C:\Windows\SysWOW64\Kdnidn32.exeC:\Windows\system32\Kdnidn32.exe112⤵PID:5276
-
C:\Windows\SysWOW64\Kepelfam.exeC:\Windows\system32\Kepelfam.exe113⤵PID:5320
-
C:\Windows\SysWOW64\Klimip32.exeC:\Windows\system32\Klimip32.exe114⤵PID:5364
-
C:\Windows\SysWOW64\Kebbafoj.exeC:\Windows\system32\Kebbafoj.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5408 -
C:\Windows\SysWOW64\Klljnp32.exeC:\Windows\system32\Klljnp32.exe116⤵PID:5452
-
C:\Windows\SysWOW64\Kdcbom32.exeC:\Windows\system32\Kdcbom32.exe117⤵PID:5496
-
C:\Windows\SysWOW64\Kfankifm.exeC:\Windows\system32\Kfankifm.exe118⤵PID:5544
-
C:\Windows\SysWOW64\Kmkfhc32.exeC:\Windows\system32\Kmkfhc32.exe119⤵PID:5604
-
C:\Windows\SysWOW64\Kdeoemeg.exeC:\Windows\system32\Kdeoemeg.exe120⤵PID:5648
-
C:\Windows\SysWOW64\Kfckahdj.exeC:\Windows\system32\Kfckahdj.exe121⤵PID:5692
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-