Analysis
-
max time kernel
149s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
14/05/2024, 21:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4450246cc407725e9328326bee6dfb367af143e355fc209c9bd574665a4e8ad1.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
4450246cc407725e9328326bee6dfb367af143e355fc209c9bd574665a4e8ad1.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
4450246cc407725e9328326bee6dfb367af143e355fc209c9bd574665a4e8ad1.exe
-
Size
2.7MB
-
MD5
b416747dad9dc25e626dbda39441d4ca
-
SHA1
0afe372295ba474bdb6b0ddc2757a319e2e91a22
-
SHA256
4450246cc407725e9328326bee6dfb367af143e355fc209c9bd574665a4e8ad1
-
SHA512
2c4f6c403ad51e5e44206364e83a8a7f1391dec35b526dfeb4447fbedbc55dddca9e9ae49c2755d786cc3e6d325dfaa6d11087f5f2e370e1a5616b39ec63ee13
-
SSDEEP
12288:bKvzDVqvQqpCtRwKA5p8Wgx+gWVBmLnWrOxNuxC7:bC5hqEfAL8WJm8MoC7
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbllbibl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kipkhdeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocdqjceo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpiljh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmaopfjm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbnafb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gicinj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imnocf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbfbkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lppbkgcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eplgeokq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Domdjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeiofcji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amddjegd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jblijebc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meepdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imdgqfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqhacgdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inbqhhfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgcamf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bemqih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oneklm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qffbbldm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jngjch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhbfff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fineoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgcamf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iinqbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hipmfjee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmhale32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceckcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oboijgbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eleepoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flngfn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgnbdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgloefco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjpckf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgqqdeod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqipio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmndpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmaopfjm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlcalieg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Johnamkm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjjbjd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akpoaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akpoaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iehfdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgogbgei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnfaohbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ednaqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fafkecel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pddhbipj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaalblgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pofjpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddcqedkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhmeapmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfpcgpae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdjagjco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhddjfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifdonfka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efepbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjfnedho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bajqda32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdnjgmle.exe -
Executes dropped EXE 64 IoCs
pid Process 1560 Blpnib32.exe 1996 Balfaiil.exe 3820 Bkidenlg.exe 2812 Cliaoq32.exe 1660 Ckcgkldl.exe 184 Cehkhecb.exe 2360 Clbceo32.exe 2220 Dbllbibl.exe 4060 Dhidjpqc.exe 1436 Dboigi32.exe 1548 Dlgmpogj.exe 4828 Dbaemi32.exe 1236 Dhnnep32.exe 1064 Dohfbj32.exe 3016 Dddojq32.exe 1728 Dojcgi32.exe 2268 Ddgkpp32.exe 5004 Dlncan32.exe 1624 Echknh32.exe 4120 Edihepnm.exe 4072 Ekcpbj32.exe 3980 Ecjhcg32.exe 8 Edkdkplj.exe 4416 Ekemhj32.exe 2000 Eapedd32.exe 4556 Ednaqo32.exe 2040 Ekhjmiad.exe 4468 Eemnjbaj.exe 1888 Elgfgl32.exe 3644 Ecandfpd.exe 1544 Edbklofb.exe 4952 Fkmchi32.exe 2612 Fafkecel.exe 2224 Fhqcam32.exe 4432 Fcfhof32.exe 3248 Fdgdgnbm.exe 2380 Fomhdg32.exe 3988 Fdialn32.exe 1148 Fkciihgg.exe 3860 Fbnafb32.exe 1880 Flceckoj.exe 4100 Fbpnkama.exe 2168 Fdnjgmle.exe 2680 Gododflk.exe 4980 Gbbkaako.exe 4848 Glhonj32.exe 964 Gofkje32.exe 2352 Gfpcgpae.exe 5100 Gmjlcj32.exe 4676 Gcddpdpo.exe 2300 Gdeqhl32.exe 4632 Gkoiefmj.exe 3900 Gbiaapdf.exe 3876 Gicinj32.exe 4332 Gcimkc32.exe 3636 Gdjjckag.exe 4868 Hkdbpe32.exe 5084 Hckjacjg.exe 4440 Helfik32.exe 2712 Hobkfd32.exe 2408 Hflcbngh.exe 3212 Hmfkoh32.exe 1960 Hcpclbfa.exe 1908 Heapdjlp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lenamdem.exe Ldleel32.exe File created C:\Windows\SysWOW64\Manmoq32.exe Malpia32.exe File opened for modification C:\Windows\SysWOW64\Oloahhki.exe Nmnqjp32.exe File created C:\Windows\SysWOW64\Aafkfgeh.dll Jleijb32.exe File created C:\Windows\SysWOW64\Pjpobg32.exe Ophjiaql.exe File created C:\Windows\SysWOW64\Nklinjmj.dll Domdjj32.exe File created C:\Windows\SysWOW64\Qdoacabq.exe Qmeigg32.exe File opened for modification C:\Windows\SysWOW64\Ahofoogd.exe Akkffkhk.exe File created C:\Windows\SysWOW64\Djhgpa32.dll Eapedd32.exe File created C:\Windows\SysWOW64\Jlnnmb32.exe Jedeph32.exe File created C:\Windows\SysWOW64\Ghekgcil.dll Ageolo32.exe File created C:\Windows\SysWOW64\Cmnech32.dll Jgfdmlcm.exe File created C:\Windows\SysWOW64\Bdpkjpdi.dll Lcjcnoej.exe File created C:\Windows\SysWOW64\Ihbjebjh.dll Pejkmk32.exe File created C:\Windows\SysWOW64\Ghkogl32.dll Mmmqhl32.exe File created C:\Windows\SysWOW64\Hegaehem.dll Bdgged32.exe File created C:\Windows\SysWOW64\Pffgom32.exe Pmnbfhal.exe File opened for modification C:\Windows\SysWOW64\Fbnafb32.exe Fkciihgg.exe File opened for modification C:\Windows\SysWOW64\Mckemg32.exe Mlampmdo.exe File opened for modification C:\Windows\SysWOW64\Hpofii32.exe Hckeoeno.exe File created C:\Windows\SysWOW64\Jcllonma.exe Jmbdbd32.exe File created C:\Windows\SysWOW64\Gidnkkpc.exe Fnnjmbpm.exe File created C:\Windows\SysWOW64\Gaagdbfm.dll Oaplqh32.exe File created C:\Windows\SysWOW64\Cklgfgfg.dll Bhpofl32.exe File opened for modification C:\Windows\SysWOW64\Icnpmp32.exe Imdgqfbd.exe File created C:\Windows\SysWOW64\Mlhbal32.exe Menjdbgj.exe File created C:\Windows\SysWOW64\Knbiofhg.exe Jblijebc.exe File created C:\Windows\SysWOW64\Bmeandma.exe Ahfmpnql.exe File opened for modification C:\Windows\SysWOW64\Oneklm32.exe Ocpgod32.exe File created C:\Windows\SysWOW64\Ggebqoki.dll Fineoi32.exe File opened for modification C:\Windows\SysWOW64\Meepdp32.exe Mkmkkjko.exe File opened for modification C:\Windows\SysWOW64\Lfbped32.exe Kgnbdh32.exe File created C:\Windows\SysWOW64\Hqdeld32.dll Kimnbd32.exe File created C:\Windows\SysWOW64\Qdbiedpa.exe Pjmehkqk.exe File created C:\Windows\SysWOW64\Kdihjfbe.dll Fkmchi32.exe File opened for modification C:\Windows\SysWOW64\Qffbbldm.exe Qddfkd32.exe File created C:\Windows\SysWOW64\Jhghaf32.dll Oelolmnd.exe File created C:\Windows\SysWOW64\Hckeoeno.exe Hlambk32.exe File opened for modification C:\Windows\SysWOW64\Jleijb32.exe Joahqn32.exe File created C:\Windows\SysWOW64\Mnokgcbe.dll Onocomdo.exe File opened for modification C:\Windows\SysWOW64\Gofkje32.exe Glhonj32.exe File created C:\Windows\SysWOW64\Ceehho32.exe Cjpckf32.exe File opened for modification C:\Windows\SysWOW64\Hpmpnp32.exe Ggbook32.exe File opened for modification C:\Windows\SysWOW64\Cihclh32.exe Bopocbcq.exe File opened for modification C:\Windows\SysWOW64\Mbedga32.exe Mimpolee.exe File opened for modification C:\Windows\SysWOW64\Igedlh32.exe Iqipio32.exe File created C:\Windows\SysWOW64\Apjkcadp.exe Ahofoogd.exe File created C:\Windows\SysWOW64\Jphopllo.dll Llgjjnlj.exe File opened for modification C:\Windows\SysWOW64\Nfgmjqop.exe Npjebj32.exe File opened for modification C:\Windows\SysWOW64\Gkmdecbg.exe Gphphj32.exe File created C:\Windows\SysWOW64\Hhhbcf32.dll Fbpnkama.exe File created C:\Windows\SysWOW64\Jfihel32.dll Bnbmefbg.exe File created C:\Windows\SysWOW64\Gaeaha32.dll Leenhhdn.exe File created C:\Windows\SysWOW64\Cqhcce32.dll Cfcjfk32.exe File created C:\Windows\SysWOW64\Hbbhclmi.dll Gicinj32.exe File opened for modification C:\Windows\SysWOW64\Lphoelqn.exe Lebkhc32.exe File created C:\Windows\SysWOW64\Ocdqjceo.exe Onhhamgg.exe File opened for modification C:\Windows\SysWOW64\Lqhdbm32.exe Lfbped32.exe File created C:\Windows\SysWOW64\Pfhfan32.exe Pdfjifjo.exe File opened for modification C:\Windows\SysWOW64\Joahqn32.exe Igfclkdj.exe File created C:\Windows\SysWOW64\Ijilflah.dll Caageq32.exe File created C:\Windows\SysWOW64\Gbbkaako.exe Gododflk.exe File created C:\Windows\SysWOW64\Nekfmb32.dll Hflcbngh.exe File created C:\Windows\SysWOW64\Cfcjfk32.exe Cjliajmo.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2176 8000 WerFault.exe 681 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbgmcnhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boklbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lehhlb32.dll" Iqipio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjjbjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfnqklgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omqmop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bogkmgba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbaemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Menjdbgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqdgdn32.dll" Npchgdcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhhfedil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdjgko32.dll" Jcikgacl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbnafb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdnjgmle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhkcaln.dll" Hckjacjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maodigil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afomjffg.dll" Iikhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbinam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phajna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhjmpfcl.dll" Doaneiop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofmdio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmjlcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imdgqfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ceckcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Camddhoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igdnabjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhahaiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojnkocdc.dll" Mgloefco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhnnep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbbae32.dll" Hkkhqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpgodhkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkpcjeml.dll" Dmbbhkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll" Aeiofcji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knflpoqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnnjmbpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akkffkhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfkfcja.dll" Pedlgbkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllbndih.dll" Hgdejd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhohnk32.dll" Kclgmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgijcij.dll" Kgnbdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbnafb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjmehkqk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jeqbpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhmeapmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efhlhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efjbcakl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkmkkjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhqcam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbbkaako.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgebmil.dll" Cihclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejoigd32.dll" Jgnqgqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knegmo32.dll" Oiihahme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdffbake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmafajfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icgjmapi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qddfkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iinqbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkgiimng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfbkeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceacpg32.dll" Iiaephpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqplhmkl.dll" Jcefno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkoqfnpl.dll" Jeklag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomaga32.dll" Likjcbkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccbakce.dll" Flngfn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1288 wrote to memory of 1560 1288 4450246cc407725e9328326bee6dfb367af143e355fc209c9bd574665a4e8ad1.exe 83 PID 1288 wrote to memory of 1560 1288 4450246cc407725e9328326bee6dfb367af143e355fc209c9bd574665a4e8ad1.exe 83 PID 1288 wrote to memory of 1560 1288 4450246cc407725e9328326bee6dfb367af143e355fc209c9bd574665a4e8ad1.exe 83 PID 1560 wrote to memory of 1996 1560 Blpnib32.exe 84 PID 1560 wrote to memory of 1996 1560 Blpnib32.exe 84 PID 1560 wrote to memory of 1996 1560 Blpnib32.exe 84 PID 1996 wrote to memory of 3820 1996 Balfaiil.exe 87 PID 1996 wrote to memory of 3820 1996 Balfaiil.exe 87 PID 1996 wrote to memory of 3820 1996 Balfaiil.exe 87 PID 3820 wrote to memory of 2812 3820 Bkidenlg.exe 88 PID 3820 wrote to memory of 2812 3820 Bkidenlg.exe 88 PID 3820 wrote to memory of 2812 3820 Bkidenlg.exe 88 PID 2812 wrote to memory of 1660 2812 Cliaoq32.exe 89 PID 2812 wrote to memory of 1660 2812 Cliaoq32.exe 89 PID 2812 wrote to memory of 1660 2812 Cliaoq32.exe 89 PID 1660 wrote to memory of 184 1660 Ckcgkldl.exe 90 PID 1660 wrote to memory of 184 1660 Ckcgkldl.exe 90 PID 1660 wrote to memory of 184 1660 Ckcgkldl.exe 90 PID 184 wrote to memory of 2360 184 Cehkhecb.exe 91 PID 184 wrote to memory of 2360 184 Cehkhecb.exe 91 PID 184 wrote to memory of 2360 184 Cehkhecb.exe 91 PID 2360 wrote to memory of 2220 2360 Clbceo32.exe 92 PID 2360 wrote to memory of 2220 2360 Clbceo32.exe 92 PID 2360 wrote to memory of 2220 2360 Clbceo32.exe 92 PID 2220 wrote to memory of 4060 2220 Dbllbibl.exe 93 PID 2220 wrote to memory of 4060 2220 Dbllbibl.exe 93 PID 2220 wrote to memory of 4060 2220 Dbllbibl.exe 93 PID 4060 wrote to memory of 1436 4060 Dhidjpqc.exe 94 PID 4060 wrote to memory of 1436 4060 Dhidjpqc.exe 94 PID 4060 wrote to memory of 1436 4060 Dhidjpqc.exe 94 PID 1436 wrote to memory of 1548 1436 Dboigi32.exe 95 PID 1436 wrote to memory of 1548 1436 Dboigi32.exe 95 PID 1436 wrote to memory of 1548 1436 Dboigi32.exe 95 PID 1548 wrote to memory of 4828 1548 Dlgmpogj.exe 96 PID 1548 wrote to memory of 4828 1548 Dlgmpogj.exe 96 PID 1548 wrote to memory of 4828 1548 Dlgmpogj.exe 96 PID 4828 wrote to memory of 1236 4828 Dbaemi32.exe 97 PID 4828 wrote to memory of 1236 4828 Dbaemi32.exe 97 PID 4828 wrote to memory of 1236 4828 Dbaemi32.exe 97 PID 1236 wrote to memory of 1064 1236 Dhnnep32.exe 98 PID 1236 wrote to memory of 1064 1236 Dhnnep32.exe 98 PID 1236 wrote to memory of 1064 1236 Dhnnep32.exe 98 PID 1064 wrote to memory of 3016 1064 Dohfbj32.exe 99 PID 1064 wrote to memory of 3016 1064 Dohfbj32.exe 99 PID 1064 wrote to memory of 3016 1064 Dohfbj32.exe 99 PID 3016 wrote to memory of 1728 3016 Dddojq32.exe 100 PID 3016 wrote to memory of 1728 3016 Dddojq32.exe 100 PID 3016 wrote to memory of 1728 3016 Dddojq32.exe 100 PID 1728 wrote to memory of 2268 1728 Dojcgi32.exe 101 PID 1728 wrote to memory of 2268 1728 Dojcgi32.exe 101 PID 1728 wrote to memory of 2268 1728 Dojcgi32.exe 101 PID 2268 wrote to memory of 5004 2268 Ddgkpp32.exe 102 PID 2268 wrote to memory of 5004 2268 Ddgkpp32.exe 102 PID 2268 wrote to memory of 5004 2268 Ddgkpp32.exe 102 PID 5004 wrote to memory of 1624 5004 Dlncan32.exe 103 PID 5004 wrote to memory of 1624 5004 Dlncan32.exe 103 PID 5004 wrote to memory of 1624 5004 Dlncan32.exe 103 PID 1624 wrote to memory of 4120 1624 Echknh32.exe 104 PID 1624 wrote to memory of 4120 1624 Echknh32.exe 104 PID 1624 wrote to memory of 4120 1624 Echknh32.exe 104 PID 4120 wrote to memory of 4072 4120 Edihepnm.exe 105 PID 4120 wrote to memory of 4072 4120 Edihepnm.exe 105 PID 4120 wrote to memory of 4072 4120 Edihepnm.exe 105 PID 4072 wrote to memory of 3980 4072 Ekcpbj32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\4450246cc407725e9328326bee6dfb367af143e355fc209c9bd574665a4e8ad1.exe"C:\Users\Admin\AppData\Local\Temp\4450246cc407725e9328326bee6dfb367af143e355fc209c9bd574665a4e8ad1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\SysWOW64\Blpnib32.exeC:\Windows\system32\Blpnib32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\Balfaiil.exeC:\Windows\system32\Balfaiil.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Ckcgkldl.exeC:\Windows\system32\Ckcgkldl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Cehkhecb.exeC:\Windows\system32\Cehkhecb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:184 -
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Dbllbibl.exeC:\Windows\system32\Dbllbibl.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Dhidjpqc.exeC:\Windows\system32\Dhidjpqc.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Windows\SysWOW64\Dboigi32.exeC:\Windows\system32\Dboigi32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Dlgmpogj.exeC:\Windows\system32\Dlgmpogj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Dbaemi32.exeC:\Windows\system32\Dbaemi32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\Dhnnep32.exeC:\Windows\system32\Dhnnep32.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Dohfbj32.exeC:\Windows\system32\Dohfbj32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Dojcgi32.exeC:\Windows\system32\Dojcgi32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Ddgkpp32.exeC:\Windows\system32\Ddgkpp32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Dlncan32.exeC:\Windows\system32\Dlncan32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\Echknh32.exeC:\Windows\system32\Echknh32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Edihepnm.exeC:\Windows\system32\Edihepnm.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
C:\Windows\SysWOW64\Ekcpbj32.exeC:\Windows\system32\Ekcpbj32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Windows\SysWOW64\Ecjhcg32.exeC:\Windows\system32\Ecjhcg32.exe23⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\Edkdkplj.exeC:\Windows\system32\Edkdkplj.exe24⤵
- Executes dropped EXE
PID:8 -
C:\Windows\SysWOW64\Ekemhj32.exeC:\Windows\system32\Ekemhj32.exe25⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Eapedd32.exeC:\Windows\system32\Eapedd32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2000 -
C:\Windows\SysWOW64\Ednaqo32.exeC:\Windows\system32\Ednaqo32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Ekhjmiad.exeC:\Windows\system32\Ekhjmiad.exe28⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Eemnjbaj.exeC:\Windows\system32\Eemnjbaj.exe29⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Elgfgl32.exeC:\Windows\system32\Elgfgl32.exe30⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Ecandfpd.exeC:\Windows\system32\Ecandfpd.exe31⤵
- Executes dropped EXE
PID:3644 -
C:\Windows\SysWOW64\Edbklofb.exeC:\Windows\system32\Edbklofb.exe32⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Fkmchi32.exeC:\Windows\system32\Fkmchi32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4952 -
C:\Windows\SysWOW64\Fafkecel.exeC:\Windows\system32\Fafkecel.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Fhqcam32.exeC:\Windows\system32\Fhqcam32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Fcfhof32.exeC:\Windows\system32\Fcfhof32.exe36⤵
- Executes dropped EXE
PID:4432 -
C:\Windows\SysWOW64\Fdgdgnbm.exeC:\Windows\system32\Fdgdgnbm.exe37⤵
- Executes dropped EXE
PID:3248 -
C:\Windows\SysWOW64\Fomhdg32.exeC:\Windows\system32\Fomhdg32.exe38⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Fdialn32.exeC:\Windows\system32\Fdialn32.exe39⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Fkciihgg.exeC:\Windows\system32\Fkciihgg.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1148 -
C:\Windows\SysWOW64\Fbnafb32.exeC:\Windows\system32\Fbnafb32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3860 -
C:\Windows\SysWOW64\Flceckoj.exeC:\Windows\system32\Flceckoj.exe42⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Fbpnkama.exeC:\Windows\system32\Fbpnkama.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4100 -
C:\Windows\SysWOW64\Fdnjgmle.exeC:\Windows\system32\Fdnjgmle.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Gododflk.exeC:\Windows\system32\Gododflk.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Gbbkaako.exeC:\Windows\system32\Gbbkaako.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:4980 -
C:\Windows\SysWOW64\Glhonj32.exeC:\Windows\system32\Glhonj32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4848 -
C:\Windows\SysWOW64\Gofkje32.exeC:\Windows\system32\Gofkje32.exe48⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Gfpcgpae.exeC:\Windows\system32\Gfpcgpae.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Gmjlcj32.exeC:\Windows\system32\Gmjlcj32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:5100 -
C:\Windows\SysWOW64\Gcddpdpo.exeC:\Windows\system32\Gcddpdpo.exe51⤵
- Executes dropped EXE
PID:4676 -
C:\Windows\SysWOW64\Gdeqhl32.exeC:\Windows\system32\Gdeqhl32.exe52⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Gkoiefmj.exeC:\Windows\system32\Gkoiefmj.exe53⤵
- Executes dropped EXE
PID:4632 -
C:\Windows\SysWOW64\Gbiaapdf.exeC:\Windows\system32\Gbiaapdf.exe54⤵
- Executes dropped EXE
PID:3900 -
C:\Windows\SysWOW64\Gicinj32.exeC:\Windows\system32\Gicinj32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3876 -
C:\Windows\SysWOW64\Gcimkc32.exeC:\Windows\system32\Gcimkc32.exe56⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Gdjjckag.exeC:\Windows\system32\Gdjjckag.exe57⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Hkdbpe32.exeC:\Windows\system32\Hkdbpe32.exe58⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Hckjacjg.exeC:\Windows\system32\Hckjacjg.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:5084 -
C:\Windows\SysWOW64\Helfik32.exeC:\Windows\system32\Helfik32.exe60⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Hobkfd32.exeC:\Windows\system32\Hobkfd32.exe61⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Hflcbngh.exeC:\Windows\system32\Hflcbngh.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Hmfkoh32.exeC:\Windows\system32\Hmfkoh32.exe63⤵
- Executes dropped EXE
PID:3212 -
C:\Windows\SysWOW64\Hcpclbfa.exeC:\Windows\system32\Hcpclbfa.exe64⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Heapdjlp.exeC:\Windows\system32\Heapdjlp.exe65⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Hkkhqd32.exeC:\Windows\system32\Hkkhqd32.exe66⤵
- Modifies registry class
PID:4852 -
C:\Windows\SysWOW64\Hfqlnm32.exeC:\Windows\system32\Hfqlnm32.exe67⤵PID:5088
-
C:\Windows\SysWOW64\Hmjdjgjo.exeC:\Windows\system32\Hmjdjgjo.exe68⤵PID:3256
-
C:\Windows\SysWOW64\Hbgmcnhf.exeC:\Windows\system32\Hbgmcnhf.exe69⤵
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Iiaephpc.exeC:\Windows\system32\Iiaephpc.exe70⤵
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Icgjmapi.exeC:\Windows\system32\Icgjmapi.exe71⤵
- Modifies registry class
PID:1000 -
C:\Windows\SysWOW64\Iehfdi32.exeC:\Windows\system32\Iehfdi32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2868 -
C:\Windows\SysWOW64\Ikbnacmd.exeC:\Windows\system32\Ikbnacmd.exe73⤵PID:2312
-
C:\Windows\SysWOW64\Iblfnn32.exeC:\Windows\system32\Iblfnn32.exe74⤵PID:2484
-
C:\Windows\SysWOW64\Imakkfdg.exeC:\Windows\system32\Imakkfdg.exe75⤵PID:1876
-
C:\Windows\SysWOW64\Ibnccmbo.exeC:\Windows\system32\Ibnccmbo.exe76⤵PID:4544
-
C:\Windows\SysWOW64\Imdgqfbd.exeC:\Windows\system32\Imdgqfbd.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:872 -
C:\Windows\SysWOW64\Icnpmp32.exeC:\Windows\system32\Icnpmp32.exe78⤵PID:2044
-
C:\Windows\SysWOW64\Iikhfg32.exeC:\Windows\system32\Iikhfg32.exe79⤵
- Modifies registry class
PID:4184 -
C:\Windows\SysWOW64\Ipdqba32.exeC:\Windows\system32\Ipdqba32.exe80⤵PID:5152
-
C:\Windows\SysWOW64\Jfoiokfb.exeC:\Windows\system32\Jfoiokfb.exe81⤵PID:5188
-
C:\Windows\SysWOW64\Jmhale32.exeC:\Windows\system32\Jmhale32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5228 -
C:\Windows\SysWOW64\Jcbihpel.exeC:\Windows\system32\Jcbihpel.exe83⤵PID:5264
-
C:\Windows\SysWOW64\Jedeph32.exeC:\Windows\system32\Jedeph32.exe84⤵
- Drops file in System32 directory
PID:5296 -
C:\Windows\SysWOW64\Jlnnmb32.exeC:\Windows\system32\Jlnnmb32.exe85⤵PID:5332
-
C:\Windows\SysWOW64\Jcefno32.exeC:\Windows\system32\Jcefno32.exe86⤵
- Modifies registry class
PID:5372 -
C:\Windows\SysWOW64\Jefbfgig.exeC:\Windows\system32\Jefbfgig.exe87⤵PID:5404
-
C:\Windows\SysWOW64\Jplfcpin.exeC:\Windows\system32\Jplfcpin.exe88⤵PID:5440
-
C:\Windows\SysWOW64\Jehokgge.exeC:\Windows\system32\Jehokgge.exe89⤵PID:5476
-
C:\Windows\SysWOW64\Jmpgldhg.exeC:\Windows\system32\Jmpgldhg.exe90⤵PID:5516
-
C:\Windows\SysWOW64\Jcioiood.exeC:\Windows\system32\Jcioiood.exe91⤵PID:5548
-
C:\Windows\SysWOW64\Jeklag32.exeC:\Windows\system32\Jeklag32.exe92⤵
- Modifies registry class
PID:5584 -
C:\Windows\SysWOW64\Jmbdbd32.exeC:\Windows\system32\Jmbdbd32.exe93⤵
- Drops file in System32 directory
PID:5620 -
C:\Windows\SysWOW64\Jcllonma.exeC:\Windows\system32\Jcllonma.exe94⤵PID:5660
-
C:\Windows\SysWOW64\Kemhff32.exeC:\Windows\system32\Kemhff32.exe95⤵PID:5692
-
C:\Windows\SysWOW64\Klgqcqkl.exeC:\Windows\system32\Klgqcqkl.exe96⤵PID:5732
-
C:\Windows\SysWOW64\Kbaipkbi.exeC:\Windows\system32\Kbaipkbi.exe97⤵PID:5764
-
C:\Windows\SysWOW64\Kikame32.exeC:\Windows\system32\Kikame32.exe98⤵PID:5800
-
C:\Windows\SysWOW64\Kpeiioac.exeC:\Windows\system32\Kpeiioac.exe99⤵PID:5840
-
C:\Windows\SysWOW64\Kbceejpf.exeC:\Windows\system32\Kbceejpf.exe100⤵PID:5872
-
C:\Windows\SysWOW64\Kimnbd32.exeC:\Windows\system32\Kimnbd32.exe101⤵
- Drops file in System32 directory
PID:5912 -
C:\Windows\SysWOW64\Klljnp32.exeC:\Windows\system32\Klljnp32.exe102⤵PID:5944
-
C:\Windows\SysWOW64\Kbfbkj32.exeC:\Windows\system32\Kbfbkj32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5980 -
C:\Windows\SysWOW64\Kipkhdeq.exeC:\Windows\system32\Kipkhdeq.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6016 -
C:\Windows\SysWOW64\Kdeoemeg.exeC:\Windows\system32\Kdeoemeg.exe105⤵PID:6052
-
C:\Windows\SysWOW64\Kefkme32.exeC:\Windows\system32\Kefkme32.exe106⤵PID:6088
-
C:\Windows\SysWOW64\Kplpjn32.exeC:\Windows\system32\Kplpjn32.exe107⤵PID:6124
-
C:\Windows\SysWOW64\Lffhfh32.exeC:\Windows\system32\Lffhfh32.exe108⤵PID:4476
-
C:\Windows\SysWOW64\Llcpoo32.exeC:\Windows\system32\Llcpoo32.exe109⤵PID:2972
-
C:\Windows\SysWOW64\Lfhdlh32.exeC:\Windows\system32\Lfhdlh32.exe110⤵PID:4508
-
C:\Windows\SysWOW64\Lmbmibhb.exeC:\Windows\system32\Lmbmibhb.exe111⤵PID:632
-
C:\Windows\SysWOW64\Ldleel32.exeC:\Windows\system32\Ldleel32.exe112⤵
- Drops file in System32 directory
PID:2236 -
C:\Windows\SysWOW64\Lenamdem.exeC:\Windows\system32\Lenamdem.exe113⤵PID:5172
-
C:\Windows\SysWOW64\Llgjjnlj.exeC:\Windows\system32\Llgjjnlj.exe114⤵
- Drops file in System32 directory
PID:5236 -
C:\Windows\SysWOW64\Lbabgh32.exeC:\Windows\system32\Lbabgh32.exe115⤵PID:5288
-
C:\Windows\SysWOW64\Likjcbkc.exeC:\Windows\system32\Likjcbkc.exe116⤵
- Modifies registry class
PID:5360 -
C:\Windows\SysWOW64\Lpebpm32.exeC:\Windows\system32\Lpebpm32.exe117⤵PID:5424
-
C:\Windows\SysWOW64\Lebkhc32.exeC:\Windows\system32\Lebkhc32.exe118⤵
- Drops file in System32 directory
PID:5488 -
C:\Windows\SysWOW64\Lphoelqn.exeC:\Windows\system32\Lphoelqn.exe119⤵PID:5544
-
C:\Windows\SysWOW64\Mgagbf32.exeC:\Windows\system32\Mgagbf32.exe120⤵PID:5612
-
C:\Windows\SysWOW64\Mlopkm32.exeC:\Windows\system32\Mlopkm32.exe121⤵PID:5680
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-