Analysis
max time kernel: 134s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/05/2024, 01:13
Static task: static1
Behavioral task: behavioral1
  Sample: afcf20634a4dd58c9cff9b2c4eb0ea16c383ce1c39467697aa5b89c7a60c86b8.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: afcf20634a4dd58c9cff9b2c4eb0ea16c383ce1c39467697aa5b89c7a60c86b8.exe
  Resource: win10v2004-20240226-en
General
Target: afcf20634a4dd58c9cff9b2c4eb0ea16c383ce1c39467697aa5b89c7a60c86b8.exe
Size: 320KB
MD5: 00e3397740300d6bc9192beb6e58732b
SHA1: 37b7f2d511c36e0b25ed449b7fc3a6619a185422
SHA256: afcf20634a4dd58c9cff9b2c4eb0ea16c383ce1c39467697aa5b89c7a60c86b8
SHA512: 15cc2bb57281ebd238d0c8bb0415bc73eef085b85129e09795aa76858819157f8a25d236c27a64ecce607d7183aa4acb8247d5193a63a534881405df62a451e0
SSDEEP: 6144:0K7DvlCY/m05XUEtMEX6vluZV4U/vlf0DrBqvl8ZV4U/vlfl+9Q:0mDvzm05XEvG6IveDVqvQ6IvP
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
Level 1, PID 2252: C:\Users\Admin\AppData\Local\Temp\afcf20634a4dd58c9cff9b2c4eb0ea16c383ce1c39467697aa5b89c7a60c86b8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\afcf20634a4dd58c9cff9b2c4eb0ea16c383ce1c39467697aa5b89c7a60c86b8.exe"
  - Suspicious use of WriteProcessMemory
Level 2, PID 4488: C:\Windows\SysWOW64\Kiphjo32.exe
  Command line: C:\Windows\system32\Kiphjo32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 3, PID 4784: C:\Windows\SysWOW64\Khlklj32.exe
  Command line: C:\Windows\system32\Khlklj32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 4, PID 5000: C:\Windows\SysWOW64\Lpepbgbd.exe
  Command line: C:\Windows\system32\Lpepbgbd.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 5, PID 3484: C:\Windows\SysWOW64\Lhenai32.exe
  Command line: C:\Windows\system32\Lhenai32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 6, PID 3420: C:\Windows\SysWOW64\Mjggal32.exe
  Command line: C:\Windows\system32\Mjggal32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 7, PID 1968: C:\Windows\SysWOW64\Mlhqcgnk.exe
  Command line: C:\Windows\system32\Mlhqcgnk.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 8, PID 4304: C:\Windows\SysWOW64\Mhoahh32.exe
  Command line: C:\Windows\system32\Mhoahh32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 9, PID 3520: C:\Windows\SysWOW64\Mfenglqf.exe
  Command line: C:\Windows\system32\Mfenglqf.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 10, PID 2056: C:\Windows\SysWOW64\Nmaciefp.exe
  Command line: C:\Windows\system32\Nmaciefp.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 11, PID 1568: C:\Windows\SysWOW64\Nbphglbe.exe
  Command line: C:\Windows\system32\Nbphglbe.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 12, PID 1564: C:\Windows\SysWOW64\Nmfmde32.exe
  Command line: C:\Windows\system32\Nmfmde32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 13, PID 748: C:\Windows\SysWOW64\Ocdnln32.exe
  Command line: C:\Windows\system32\Ocdnln32.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
Level 14, PID 2596: C:\Windows\SysWOW64\Omopjcjp.exe
  Command line: C:\Windows\system32\Omopjcjp.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 15, PID 1924: C:\Windows\SysWOW64\Ofjqihnn.exe
  Command line: C:\Windows\system32\Ofjqihnn.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
Level 16, PID 3580: C:\Windows\SysWOW64\Ppdbgncl.exe
  Command line: C:\Windows\system32\Ppdbgncl.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 17, PID 720: C:\Windows\SysWOW64\Pbjddh32.exe
  Command line: C:\Windows\system32\Pbjddh32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 18, PID 2744: C:\Windows\SysWOW64\Qcnjijoe.exe
  Command line: C:\Windows\system32\Qcnjijoe.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 19, PID 5008: C:\Windows\SysWOW64\Adepji32.exe
  Command line: C:\Windows\system32\Adepji32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 20, PID 4356: C:\Windows\SysWOW64\Bbhildae.exe
  Command line: C:\Windows\system32\Bbhildae.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 21, PID 4924: C:\Windows\SysWOW64\Cdaile32.exe
  Command line: C:\Windows\system32\Cdaile32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 22, PID 3560: C:\Windows\SysWOW64\Daeifj32.exe
  Command line: C:\Windows\system32\Daeifj32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
Level 23, PID 4744: C:\Windows\SysWOW64\Ddfbgelh.exe
  Command line: C:\Windows\system32\Ddfbgelh.exe
  - Executes dropped EXE
Level 24, PID 3916: C:\Windows\SysWOW64\Dpmcmf32.exe
  Command line: C:\Windows\system32\Dpmcmf32.exe
  - Executes dropped EXE
Level 25, PID 2684: C:\Windows\SysWOW64\Ddklbd32.exe
  Command line: C:\Windows\system32\Ddklbd32.exe
  - Executes dropped EXE
Level 26, PID 4984: C:\Windows\SysWOW64\Djgdkk32.exe
  Command line: C:\Windows\system32\Djgdkk32.exe
  - Executes dropped EXE
Level 27, PID 2076: C:\Windows\SysWOW64\Edoencdm.exe
  Command line: C:\Windows\system32\Edoencdm.exe
  - Executes dropped EXE
Level 28, PID 4956: C:\Windows\SysWOW64\Eqkondfl.exe
  Command line: C:\Windows\system32\Eqkondfl.exe
  - Executes dropped EXE
  - Drops file in System32 directory
Level 29, PID 3132: C:\Windows\SysWOW64\Fnalmh32.exe
  Command line: C:\Windows\system32\Fnalmh32.exe
  - Executes dropped EXE
Level 30, PID 1812: C:\Windows\SysWOW64\Fqbeoc32.exe
  Command line: C:\Windows\system32\Fqbeoc32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
Level 31, PID 3828: C:\Windows\SysWOW64\Fgnjqm32.exe
  Command line: C:\Windows\system32\Fgnjqm32.exe
  - Executes dropped EXE
Level 32, PID 4412: C:\Windows\SysWOW64\Fklcgk32.exe
  Command line: C:\Windows\system32\Fklcgk32.exe
  - Executes dropped EXE
Level 33, PID 1808: C:\Windows\SysWOW64\Gbhhieao.exe
  Command line: C:\Windows\system32\Gbhhieao.exe
  - Executes dropped EXE
  - Modifies registry class
Level 34, PID 1848: C:\Windows\SysWOW64\Gggmgk32.exe
  Command line: C:\Windows\system32\Gggmgk32.exe
  - Executes dropped EXE
  - Modifies registry class
Level 35, PID 3696: C:\Windows\SysWOW64\Hqdkkp32.exe
  Command line: C:\Windows\system32\Hqdkkp32.exe
  - Executes dropped EXE
Level 36, PID 2404: C:\Windows\SysWOW64\Hqghqpnl.exe
  Command line: C:\Windows\system32\Hqghqpnl.exe
  - Executes dropped EXE
Level 37, PID 1976: C:\Windows\SysWOW64\Hchqbkkm.exe
  Command line: C:\Windows\system32\Hchqbkkm.exe
  - Executes dropped EXE
Level 38, PID 928: C:\Windows\SysWOW64\Hannao32.exe
  Command line: C:\Windows\system32\Hannao32.exe
  - Executes dropped EXE
Level 39, PID 412: C:\Windows\SysWOW64\Ielfgmnj.exe
  Command line: C:\Windows\system32\Ielfgmnj.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
Level 40, PID 4392: C:\Windows\SysWOW64\Ilhkigcd.exe
  Command line: C:\Windows\system32\Ilhkigcd.exe
  - Executes dropped EXE
  - Modifies registry class
Level 41, PID 1116: C:\Windows\SysWOW64\Iloajfml.exe
  Command line: C:\Windows\system32\Iloajfml.exe
  - Executes dropped EXE
Level 42, PID 3152: C:\Windows\SysWOW64\Jlanpfkj.exe
  Command line: C:\Windows\system32\Jlanpfkj.exe
  - Executes dropped EXE
Level 43, PID 1004: C:\Windows\SysWOW64\Jjihfbno.exe
  Command line: C:\Windows\system32\Jjihfbno.exe
  - Executes dropped EXE
Level 44, PID 2328: C:\Windows\SysWOW64\Jhoeef32.exe
  Command line: C:\Windows\system32\Jhoeef32.exe
  - Executes dropped EXE
Level 45, PID 4480: C:\Windows\SysWOW64\Kbeibo32.exe
  Command line: C:\Windows\system32\Kbeibo32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
Level 46, PID 1444: C:\Windows\SysWOW64\Kbgfhnhi.exe
  Command line: C:\Windows\system32\Kbgfhnhi.exe
  - Executes dropped EXE
Level 47, PID 2032: C:\Windows\SysWOW64\Klbgfc32.exe
  Command line: C:\Windows\system32\Klbgfc32.exe
  - Executes dropped EXE
Level 48, PID 3584: C:\Windows\SysWOW64\Kbnlim32.exe
  Command line: C:\Windows\system32\Kbnlim32.exe
  - Executes dropped EXE
Level 49, PID 5060: C:\Windows\SysWOW64\Lbqinm32.exe
  Command line: C:\Windows\system32\Lbqinm32.exe
  - Executes dropped EXE
Level 50, PID 3724: C:\Windows\SysWOW64\Laffpi32.exe
  Command line: C:\Windows\system32\Laffpi32.exe
  - Executes dropped EXE
Level 51, PID 876: C:\Windows\SysWOW64\Lojfin32.exe
  Command line: C:\Windows\system32\Lojfin32.exe
  - Executes dropped EXE
Level 52, PID 4244: C:\Windows\SysWOW64\Mkepineo.exe
  Command line: C:\Windows\system32\Mkepineo.exe
  - Executes dropped EXE
Level 53, PID 2664: C:\Windows\SysWOW64\Maoifh32.exe
  Command line: C:\Windows\system32\Maoifh32.exe
  - Executes dropped EXE
Level 54, PID 3940: C:\Windows\SysWOW64\Moefdljc.exe
  Command line: C:\Windows\system32\Moefdljc.exe
  - Executes dropped EXE
Level 55, PID 832: C:\Windows\SysWOW64\Mhpgca32.exe
  Command line: C:\Windows\system32\Mhpgca32.exe
  - Executes dropped EXE
Level 56, PID 4976: C:\Windows\SysWOW64\Mdghhb32.exe
  Command line: C:\Windows\system32\Mdghhb32.exe
  - Executes dropped EXE
Level 57, PID 2892: C:\Windows\SysWOW64\Ndlacapp.exe
  Command line: C:\Windows\system32\Ndlacapp.exe
  - Executes dropped EXE
Level 58, PID 4292: C:\Windows\SysWOW64\Napameoi.exe
  Command line: C:\Windows\system32\Napameoi.exe
  - Executes dropped EXE
Level 59, PID 4188: C:\Windows\SysWOW64\Nbbnbemf.exe
  Command line: C:\Windows\system32\Nbbnbemf.exe
  - Executes dropped EXE
Level 60, PID 1520: C:\Windows\SysWOW64\Okmpqjad.exe
  Command line: C:\Windows\system32\Okmpqjad.exe
  - Executes dropped EXE
Level 61, PID 3564: C:\Windows\SysWOW64\Ocfdgg32.exe
  Command line: C:\Windows\system32\Ocfdgg32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
Level 62, PID 4572: C:\Windows\SysWOW64\Odgqopeb.exe
  Command line: C:\Windows\system32\Odgqopeb.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
Level 63, PID 3968: C:\Windows\SysWOW64\Omaeem32.exe
  Command line: C:\Windows\system32\Omaeem32.exe
  - Executes dropped EXE
Level 64, PID 4068: C:\Windows\SysWOW64\Obnnnc32.exe
  Command line: C:\Windows\system32\Obnnnc32.exe
  - Executes dropped EXE
Level 65, PID 4316: C:\Windows\SysWOW64\Podkmgop.exe
  Command line: C:\Windows\system32\Podkmgop.exe
  - Executes dropped EXE
Level 66, PID 2944: C:\Windows\SysWOW64\Pcbdcf32.exe
  Command line: C:\Windows\system32\Pcbdcf32.exe
Level 67, PID 1644: C:\Windows\SysWOW64\Piolkm32.exe
  Command line: C:\Windows\system32\Piolkm32.exe
  - Drops file in System32 directory
Level 68, PID 5056: C:\Windows\SysWOW64\Pomncfge.exe
  Command line: C:\Windows\system32\Pomncfge.exe
Level 69, PID 4100: C:\Windows\SysWOW64\Qejfkmem.exe
  Command line: C:\Windows\system32\Qejfkmem.exe
Level 70, PID 5132: C:\Windows\SysWOW64\Qihoak32.exe
  Command line: C:\Windows\system32\Qihoak32.exe
Level 71, PID 5176: C:\Windows\SysWOW64\Abpcja32.exe
  Command line: C:\Windows\system32\Abpcja32.exe
Level 72, PID 5232: C:\Windows\SysWOW64\Akihcfid.exe
  Command line: C:\Windows\system32\Akihcfid.exe
Level 73, PID 5272: C:\Windows\SysWOW64\Acbmjcgd.exe
  Command line: C:\Windows\system32\Acbmjcgd.exe
Level 74, PID 5312: C:\Windows\SysWOW64\Aiabhj32.exe
  Command line: C:\Windows\system32\Aiabhj32.exe
Level 75, PID 5356: C:\Windows\SysWOW64\Bboplo32.exe
  Command line: C:\Windows\system32\Bboplo32.exe
Level 76, PID 5396: C:\Windows\SysWOW64\Bpbpecen.exe
  Command line: C:\Windows\system32\Bpbpecen.exe
  - Modifies registry class
Level 77, PID 5440: C:\Windows\SysWOW64\Bbcignbo.exe
  Command line: C:\Windows\system32\Bbcignbo.exe
Level 78, PID 5480: C:\Windows\SysWOW64\Bpgjpb32.exe
  Command line: C:\Windows\system32\Bpgjpb32.exe
Level 79, PID 5524: C:\Windows\SysWOW64\Cpifeb32.exe
  Command line: C:\Windows\system32\Cpifeb32.exe
Level 80, PID 5564: C:\Windows\SysWOW64\Cidgdg32.exe
  Command line: C:\Windows\system32\Cidgdg32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
Level 81, PID 5604: C:\Windows\SysWOW64\Cdjlap32.exe
  Command line: C:\Windows\system32\Cdjlap32.exe
Level 82, PID 5652: C:\Windows\SysWOW64\Cpqlfa32.exe
  Command line: C:\Windows\system32\Cpqlfa32.exe
Level 83, PID 5696: C:\Windows\SysWOW64\Cpcila32.exe
  Command line: C:\Windows\system32\Cpcila32.exe
Level 84, PID 5776: C:\Windows\SysWOW64\Clijablo.exe
  Command line: C:\Windows\system32\Clijablo.exe
  - Modifies registry class
Level 85, PID 5824: C:\Windows\SysWOW64\Dbhlikpf.exe
  Command line: C:\Windows\system32\Dbhlikpf.exe
Level 86, PID 5868: C:\Windows\SysWOW64\Eleimp32.exe
  Command line: C:\Windows\system32\Eleimp32.exe
Level 87, PID 5912: C:\Windows\SysWOW64\Epcbbohh.exe
  Command line: C:\Windows\system32\Epcbbohh.exe
Level 88, PID 5956: C:\Windows\SysWOW64\Edakimoo.exe
  Command line: C:\Windows\system32\Edakimoo.exe
Level 89, PID 6000: C:\Windows\SysWOW64\Eeddfe32.exe
  Command line: C:\Windows\system32\Eeddfe32.exe
Level 90, PID 6048: C:\Windows\SysWOW64\Egdqph32.exe
  Command line: C:\Windows\system32\Egdqph32.exe
Level 91, PID 6092: C:\Windows\SysWOW64\Fckaeioa.exe
  Command line: C:\Windows\system32\Fckaeioa.exe
Level 92, PID 6136: C:\Windows\SysWOW64\Flcfnn32.exe
  Command line: C:\Windows\system32\Flcfnn32.exe
Level 93, PID 5168: C:\Windows\SysWOW64\Fncbha32.exe
  Command line: C:\Windows\system32\Fncbha32.exe
Level 94, PID 5260: C:\Windows\SysWOW64\Flhoinbl.exe
  Command line: C:\Windows\system32\Flhoinbl.exe
Level 95, PID 5340: C:\Windows\SysWOW64\Fgncff32.exe
  Command line: C:\Windows\system32\Fgncff32.exe
Level 96, PID 5404: C:\Windows\SysWOW64\Fgpplf32.exe
  Command line: C:\Windows\system32\Fgpplf32.exe
Level 97, PID 5476: C:\Windows\SysWOW64\Gnlenp32.exe
  Command line: C:\Windows\system32\Gnlenp32.exe
Level 98, PID 5548: C:\Windows\SysWOW64\Gggfme32.exe
  Command line: C:\Windows\system32\Gggfme32.exe
Level 99, PID 5620: C:\Windows\SysWOW64\Gdkffi32.exe
  Command line: C:\Windows\system32\Gdkffi32.exe
  - Drops file in System32 directory
Level 100, PID 5668: C:\Windows\SysWOW64\Gcpcgfmi.exe
  Command line: C:\Windows\system32\Gcpcgfmi.exe
Level 101, PID 5808: C:\Windows\SysWOW64\Hqddqj32.exe
  Command line: C:\Windows\system32\Hqddqj32.exe
Level 102, PID 5844: C:\Windows\SysWOW64\Hnhdjn32.exe
  Command line: C:\Windows\system32\Hnhdjn32.exe
  - Drops file in System32 directory
Level 103, PID 5948: C:\Windows\SysWOW64\Hjoeoo32.exe
  Command line: C:\Windows\system32\Hjoeoo32.exe
  - Modifies registry class
Level 104, PID 6008: C:\Windows\SysWOW64\Hqimlihn.exe
  Command line: C:\Windows\system32\Hqimlihn.exe
Level 105, PID 6080: C:\Windows\SysWOW64\Hmpnqj32.exe
  Command line: C:\Windows\system32\Hmpnqj32.exe
Level 106, PID 5124: C:\Windows\SysWOW64\Inagpm32.exe
  Command line: C:\Windows\system32\Inagpm32.exe
Level 107, PID 5240: C:\Windows\SysWOW64\Icnphd32.exe
  Command line: C:\Windows\system32\Icnphd32.exe
Level 108, PID 5384: C:\Windows\SysWOW64\Ijhhenhf.exe
  Command line: C:\Windows\system32\Ijhhenhf.exe
Level 109, PID 5508: C:\Windows\SysWOW64\Ienlbf32.exe
  Command line: C:\Windows\system32\Ienlbf32.exe
Level 110, PID 5688: C:\Windows\SysWOW64\Ifoijonj.exe
  Command line: C:\Windows\system32\Ifoijonj.exe
Level 111, PID 5864: C:\Windows\SysWOW64\Iqdmghnp.exe
  Command line: C:\Windows\system32\Iqdmghnp.exe
Level 112, PID 5992: C:\Windows\SysWOW64\Ijmapm32.exe
  Command line: C:\Windows\system32\Ijmapm32.exe
Level 113, PID 5200: C:\Windows\SysWOW64\Iebfmfdg.exe
  Command line: C:\Windows\system32\Iebfmfdg.exe
Level 114, PID 5492: C:\Windows\SysWOW64\Icgbob32.exe
  Command line: C:\Windows\system32\Icgbob32.exe
Level 115, PID 5660: C:\Windows\SysWOW64\Jmpgghoo.exe
  Command line: C:\Windows\system32\Jmpgghoo.exe
Level 116, PID 5984: C:\Windows\SysWOW64\Jfhlpnfp.exe
  Command line: C:\Windows\system32\Jfhlpnfp.exe
Level 117, PID 5348: C:\Windows\SysWOW64\Jclljaei.exe
  Command line: C:\Windows\system32\Jclljaei.exe
Level 118, PID 5876: C:\Windows\SysWOW64\Jjfdfl32.exe
  Command line: C:\Windows\system32\Jjfdfl32.exe
Level 119, PID 5468: C:\Windows\SysWOW64\Jmijnfgd.exe
  Command line: C:\Windows\system32\Jmijnfgd.exe
Level 120, PID 6016: C:\Windows\SysWOW64\Kfidgk32.exe
  Command line: C:\Windows\system32\Kfidgk32.exe
  - Drops file in System32 directory
Level 121, PID 5880: C:\Windows\SysWOW64\Kanidd32.exe
  Command line: C:\Windows\system32\Kanidd32.exe
Level 122, PID 6208: C:\Windows\SysWOW64\Mmjlkb32.exe
  Command line: C:\Windows\system32\Mmjlkb32.exe