Analysis
-
max time kernel
140s -
max time network
108s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
21/05/2024, 02:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a1fd1c0c96634b2e7bf313dc875ce676703f8d67a0d0349045cec60ebf1c84f3.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
a1fd1c0c96634b2e7bf313dc875ce676703f8d67a0d0349045cec60ebf1c84f3.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
a1fd1c0c96634b2e7bf313dc875ce676703f8d67a0d0349045cec60ebf1c84f3.exe
-
Size
100KB
-
MD5
aff057120dd1d236fb1dbe2bf0813d5a
-
SHA1
c6dc48042c606fc0c4506f2bdb99d7862b4c0869
-
SHA256
a1fd1c0c96634b2e7bf313dc875ce676703f8d67a0d0349045cec60ebf1c84f3
-
SHA512
15e60e489698bbd491d3477a4c197df4976f530c4c367c0c8f057fec398a61552ee0c9b7ec5d0c553e7fb5a519991ee2389416f9e0f55f80d2c96467a38dc306
-
SSDEEP
1536:wRiwE14IxDku2ON+sh150eL3lqTCCp1VLVkrG5OHnYYYYYYYYYYYYYYYYYYYYYYd:ISC3Q/hX0ilqTtP1ur27nuMFR8n5j8YD
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibcmom32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epopgbia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efpajh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jplmmfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abpcon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdiooblp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dedkdcie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngpjnkpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcpclbfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfjjppmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkdggmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alhhhcal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnlnon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehljfnpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jefbfgig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giofnacd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hboagf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lknjmkdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbddcoei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chdkoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbdgfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpccnefa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdiooblp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iifokh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlkagbej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmfhig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odbgim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bblckl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ickchq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fijmbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdkcmdhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmidog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aglemn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgciaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojaelm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpaifalo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onholckc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baocghgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmidog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dabpnlkp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odgqdlnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmhfhp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acmflf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjdkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekjfcipa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heapdjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Laciofpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbcilkjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Daaicfgd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Echknh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgkjhe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcedaheh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkidenlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aepefb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daqbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lknjmkdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Angddopp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Conclk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfoiokfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qfcfml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Danecp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjepaecb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fakdpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpijnqkp.exe -
Executes dropped EXE 64 IoCs
pid Process 3680 Cafpanem.exe 6060 Chphoh32.exe 3672 Cpgqpe32.exe 3020 Caimgncj.exe 6108 Cedihl32.exe 2416 Clnadfbp.exe 1384 Commqb32.exe 1304 Cakjmm32.exe 2492 Cibank32.exe 3624 Clqnjf32.exe 5256 Coojfa32.exe 712 Ccjfgphj.exe 448 Cidncj32.exe 4404 Cpofpdgd.exe 4260 Ccmclp32.exe 3708 Cekohk32.exe 396 Dhjkdg32.exe 3132 Dpacfd32.exe 1180 Dabpnlkp.exe 4880 Diihojkb.exe 2104 Dofpgqji.exe 1964 Dadlclim.exe 2628 Dhnepfpj.exe 6088 Dpemacql.exe 1888 Dcdimopp.exe 6028 Dllmfd32.exe 1676 Dphifcoi.exe 3136 Dcfebonm.exe 3520 Djpnohej.exe 5124 Dlojkddn.exe 4136 Domfgpca.exe 5496 Dakbckbe.exe 2768 Ejbkehcg.exe 1612 Epmcab32.exe 2320 Eckonn32.exe 4668 Ejegjh32.exe 5544 Ehhgfdho.exe 388 Epopgbia.exe 1872 Ecmlcmhe.exe 5440 Ebploj32.exe 928 Ehjdldfl.exe 1148 Eqalmafo.exe 1496 Ebbidj32.exe 4856 Efneehef.exe 1976 Ejjqeg32.exe 628 Elhmablc.exe 3496 Ecbenm32.exe 5688 Efpajh32.exe 3668 Ehonfc32.exe 1576 Eqfeha32.exe 2408 Fbgbpihg.exe 1796 Fhajlc32.exe 5980 Fokbim32.exe 4920 Fbioei32.exe 1096 Fjqgff32.exe 4384 Fmocba32.exe 3476 Fomonm32.exe 2616 Fbllkh32.exe 3560 Fifdgblo.exe 1488 Fqmlhpla.exe 1144 Fckhdk32.exe 5752 Fjepaecb.exe 5716 Fmclmabe.exe 5384 Fbqefhpm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fbllkh32.exe Fomonm32.exe File created C:\Windows\SysWOW64\Kinemkko.exe Kkkdan32.exe File created C:\Windows\SysWOW64\Cakjmm32.exe Commqb32.exe File created C:\Windows\SysWOW64\Ghkebndc.dll Hcpclbfa.exe File created C:\Windows\SysWOW64\Omfnojog.dll Jjpeepnb.exe File opened for modification C:\Windows\SysWOW64\Jagqlj32.exe Jmkdlkph.exe File opened for modification C:\Windows\SysWOW64\Cbefaj32.exe Cknnpm32.exe File created C:\Windows\SysWOW64\Ikbnacmd.exe Iicbehnq.exe File created C:\Windows\SysWOW64\Jfaedkdp.exe Jcbihpel.exe File created C:\Windows\SysWOW64\Dpemacql.exe Dhnepfpj.exe File opened for modification C:\Windows\SysWOW64\Ndbnboqb.exe Nnhfee32.exe File created C:\Windows\SysWOW64\Dndgjk32.dll Iikhfg32.exe File created C:\Windows\SysWOW64\Aeniabfd.exe Aabmqd32.exe File created C:\Windows\SysWOW64\Ncjcpe32.dll Ccjfgphj.exe File opened for modification C:\Windows\SysWOW64\Obidhaog.exe Ojalgcnd.exe File created C:\Windows\SysWOW64\Acjjfggb.exe Qalnjkgo.exe File created C:\Windows\SysWOW64\Nekfmb32.dll Hflcbngh.exe File opened for modification C:\Windows\SysWOW64\Qceiaa32.exe Qdbiedpa.exe File created C:\Windows\SysWOW64\Gkebcqkl.dll Commqb32.exe File created C:\Windows\SysWOW64\Cilkoi32.dll Boepel32.exe File created C:\Windows\SysWOW64\Gncoccha.dll Kinemkko.exe File created C:\Windows\SysWOW64\Laopdgcg.exe Lkdggmlj.exe File created C:\Windows\SysWOW64\Lfjehk32.dll Eocenh32.exe File created C:\Windows\SysWOW64\Fomonm32.exe Fmocba32.exe File created C:\Windows\SysWOW64\Bdknoa32.dll Nbhkac32.exe File created C:\Windows\SysWOW64\Ifjodl32.exe Ickchq32.exe File created C:\Windows\SysWOW64\Jpgmha32.exe Jlkagbej.exe File opened for modification C:\Windows\SysWOW64\Qfcfml32.exe Qceiaa32.exe File created C:\Windows\SysWOW64\Phiifkjp.dll Bmkjkd32.exe File created C:\Windows\SysWOW64\Caimgncj.exe Cpgqpe32.exe File created C:\Windows\SysWOW64\Dpacfd32.exe Dhjkdg32.exe File created C:\Windows\SysWOW64\Hfjmgdlf.exe Hboagf32.exe File created C:\Windows\SysWOW64\Eodpoobg.dll Bhaebcen.exe File opened for modification C:\Windows\SysWOW64\Jcefno32.exe Jpijnqkp.exe File created C:\Windows\SysWOW64\Pmgmnjcj.dll Bcebhoii.exe File created C:\Windows\SysWOW64\Fneiph32.dll Mpaifalo.exe File opened for modification C:\Windows\SysWOW64\Qeemej32.exe Qbgqio32.exe File created C:\Windows\SysWOW64\Bejogg32.exe Baocghgi.exe File opened for modification C:\Windows\SysWOW64\Ippggbck.exe Ildkgc32.exe File created C:\Windows\SysWOW64\Mdjagjco.exe Mgfqmfde.exe File created C:\Windows\SysWOW64\Lplhdc32.dll Mdjagjco.exe File created C:\Windows\SysWOW64\Beglgani.exe Bjagjhnc.exe File opened for modification C:\Windows\SysWOW64\Cklaknjd.exe Chmeobkq.exe File opened for modification C:\Windows\SysWOW64\Ipbdmaah.exe Imdgqfbd.exe File created C:\Windows\SysWOW64\Hfbcpl32.dll Cdfbibnb.exe File created C:\Windows\SysWOW64\Docmgjhp.exe Doqpak32.exe File opened for modification C:\Windows\SysWOW64\Fbioei32.exe Fokbim32.exe File created C:\Windows\SysWOW64\Ogijli32.dll Lcpllo32.exe File created C:\Windows\SysWOW64\Higchddh.dll Dceohhja.exe File created C:\Windows\SysWOW64\Ojoign32.exe Ofqpqo32.exe File created C:\Windows\SysWOW64\Jfhbppbc.exe Jpojcf32.exe File created C:\Windows\SysWOW64\Liekmj32.exe Kkbkamnl.exe File created C:\Windows\SysWOW64\Ajneip32.exe Ahoimd32.exe File created C:\Windows\SysWOW64\Megkhf32.dll Bjbndobo.exe File created C:\Windows\SysWOW64\Pkfhoiaf.dll Ojgbfocc.exe File created C:\Windows\SysWOW64\Clnadfbp.exe Cedihl32.exe File opened for modification C:\Windows\SysWOW64\Epopgbia.exe Ehhgfdho.exe File created C:\Windows\SysWOW64\Gbenqg32.exe Gogbdl32.exe File created C:\Windows\SysWOW64\Hipnbb32.dll Nqpego32.exe File created C:\Windows\SysWOW64\Blpnib32.exe Bdhfhe32.exe File created C:\Windows\SysWOW64\Bjmjdbam.dll Pmfhig32.exe File created C:\Windows\SysWOW64\Diihojkb.exe Dabpnlkp.exe File created C:\Windows\SysWOW64\Gqkhjn32.exe Gjapmdid.exe File created C:\Windows\SysWOW64\Pgopffec.exe Peqcjkfp.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12512 12428 WerFault.exe 620 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdejo32.dll" Ikbnacmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlaegk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anogiicl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajckij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddbig32.dll" Iapjlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehljfnpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lplhdc32.dll" Mdjagjco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncianepl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Andqdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll" Nbhkac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll" Kdcijcke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dalchnkg.dll" Onklabip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghaddm32.dll" Cbgbgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gkaejf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" a1fd1c0c96634b2e7bf313dc875ce676703f8d67a0d0349045cec60ebf1c84f3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmmocpjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibmmhdhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll" Mkpgck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlkagbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll" Kgfoan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlhbal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll" Pfjcgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gifmnpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbhll32.dll" Hmfkoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jheiojpj.dll" Nggqoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odgqdlnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Behbag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klohppck.dll" Chmeobkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgmbieme.dll" Ekemhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll" Jdmcidam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njogjfoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkpgck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fdgdgnbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipknlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oggipmfe.dll" Fbioei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcfhgi32.dll" Pabkdmpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cagobalc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ecmlcmhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjqgff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mnfipekh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejckel32.dll" Jmknaell.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gpklpkio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jagqlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll" Mpaifalo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgemphmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcplce32.dll" Fbllkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll" Nnolfdcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onfbfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ceehho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dpacfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dlojkddn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiglalpk.dll" Aaepqjpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Acnlgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dceohhja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpqikhah.dll" Chphoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chphoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahoimd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ecmeig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hfofbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdcijcke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcnopdeh.dll" Fckajehi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jefbfgig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhpcomb.dll" Lpqiemge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bnbmefbg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5348 wrote to memory of 3680 5348 a1fd1c0c96634b2e7bf313dc875ce676703f8d67a0d0349045cec60ebf1c84f3.exe 82 PID 5348 wrote to memory of 3680 5348 a1fd1c0c96634b2e7bf313dc875ce676703f8d67a0d0349045cec60ebf1c84f3.exe 82 PID 5348 wrote to memory of 3680 5348 a1fd1c0c96634b2e7bf313dc875ce676703f8d67a0d0349045cec60ebf1c84f3.exe 82 PID 3680 wrote to memory of 6060 3680 Cafpanem.exe 83 PID 3680 wrote to memory of 6060 3680 Cafpanem.exe 83 PID 3680 wrote to memory of 6060 3680 Cafpanem.exe 83 PID 6060 wrote to memory of 3672 6060 Chphoh32.exe 84 PID 6060 wrote to memory of 3672 6060 Chphoh32.exe 84 PID 6060 wrote to memory of 3672 6060 Chphoh32.exe 84 PID 3672 wrote to memory of 3020 3672 Cpgqpe32.exe 85 PID 3672 wrote to memory of 3020 3672 Cpgqpe32.exe 85 PID 3672 wrote to memory of 3020 3672 Cpgqpe32.exe 85 PID 3020 wrote to memory of 6108 3020 Caimgncj.exe 86 PID 3020 wrote to memory of 6108 3020 Caimgncj.exe 86 PID 3020 wrote to memory of 6108 3020 Caimgncj.exe 86 PID 6108 wrote to memory of 2416 6108 Cedihl32.exe 87 PID 6108 wrote to memory of 2416 6108 Cedihl32.exe 87 PID 6108 wrote to memory of 2416 6108 Cedihl32.exe 87 PID 2416 wrote to memory of 1384 2416 Clnadfbp.exe 88 PID 2416 wrote to memory of 1384 2416 Clnadfbp.exe 88 PID 2416 wrote to memory of 1384 2416 Clnadfbp.exe 88 PID 1384 wrote to memory of 1304 1384 Commqb32.exe 89 PID 1384 wrote to memory of 1304 1384 Commqb32.exe 89 PID 1384 wrote to memory of 1304 1384 Commqb32.exe 89 PID 1304 wrote to memory of 2492 1304 Cakjmm32.exe 90 PID 1304 wrote to memory of 2492 1304 Cakjmm32.exe 90 PID 1304 wrote to memory of 2492 1304 Cakjmm32.exe 90 PID 2492 wrote to memory of 3624 2492 Cibank32.exe 91 PID 2492 wrote to memory of 3624 2492 Cibank32.exe 91 PID 2492 wrote to memory of 3624 2492 Cibank32.exe 91 PID 3624 wrote to memory of 5256 3624 Clqnjf32.exe 92 PID 3624 wrote to memory of 5256 3624 Clqnjf32.exe 92 PID 3624 wrote to memory of 5256 3624 Clqnjf32.exe 92 PID 5256 wrote to memory of 712 5256 Coojfa32.exe 93 PID 5256 wrote to memory of 712 5256 Coojfa32.exe 93 PID 5256 wrote to memory of 712 5256 Coojfa32.exe 93 PID 712 wrote to memory of 448 712 Ccjfgphj.exe 94 PID 712 wrote to memory of 448 712 Ccjfgphj.exe 94 PID 712 wrote to memory of 448 712 Ccjfgphj.exe 94 PID 448 wrote to memory of 4404 448 Cidncj32.exe 95 PID 448 wrote to memory of 4404 448 Cidncj32.exe 95 PID 448 wrote to memory of 4404 448 Cidncj32.exe 95 PID 4404 wrote to memory of 4260 4404 Cpofpdgd.exe 96 PID 4404 wrote to memory of 4260 4404 Cpofpdgd.exe 96 PID 4404 wrote to memory of 4260 4404 Cpofpdgd.exe 96 PID 4260 wrote to memory of 3708 4260 Ccmclp32.exe 97 PID 4260 wrote to memory of 3708 4260 Ccmclp32.exe 97 PID 4260 wrote to memory of 3708 4260 Ccmclp32.exe 97 PID 3708 wrote to memory of 396 3708 Cekohk32.exe 98 PID 3708 wrote to memory of 396 3708 Cekohk32.exe 98 PID 3708 wrote to memory of 396 3708 Cekohk32.exe 98 PID 396 wrote to memory of 3132 396 Dhjkdg32.exe 99 PID 396 wrote to memory of 3132 396 Dhjkdg32.exe 99 PID 396 wrote to memory of 3132 396 Dhjkdg32.exe 99 PID 3132 wrote to memory of 1180 3132 Dpacfd32.exe 100 PID 3132 wrote to memory of 1180 3132 Dpacfd32.exe 100 PID 3132 wrote to memory of 1180 3132 Dpacfd32.exe 100 PID 1180 wrote to memory of 4880 1180 Dabpnlkp.exe 101 PID 1180 wrote to memory of 4880 1180 Dabpnlkp.exe 101 PID 1180 wrote to memory of 4880 1180 Dabpnlkp.exe 101 PID 4880 wrote to memory of 2104 4880 Diihojkb.exe 102 PID 4880 wrote to memory of 2104 4880 Diihojkb.exe 102 PID 4880 wrote to memory of 2104 4880 Diihojkb.exe 102 PID 2104 wrote to memory of 1964 2104 Dofpgqji.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1fd1c0c96634b2e7bf313dc875ce676703f8d67a0d0349045cec60ebf1c84f3.exe"C:\Users\Admin\AppData\Local\Temp\a1fd1c0c96634b2e7bf313dc875ce676703f8d67a0d0349045cec60ebf1c84f3.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5348 -
C:\Windows\SysWOW64\Cafpanem.exeC:\Windows\system32\Cafpanem.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
C:\Windows\SysWOW64\Chphoh32.exeC:\Windows\system32\Chphoh32.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:6060 -
C:\Windows\SysWOW64\Cpgqpe32.exeC:\Windows\system32\Cpgqpe32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\SysWOW64\Caimgncj.exeC:\Windows\system32\Caimgncj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Cedihl32.exeC:\Windows\system32\Cedihl32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:6108 -
C:\Windows\SysWOW64\Clnadfbp.exeC:\Windows\system32\Clnadfbp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Commqb32.exeC:\Windows\system32\Commqb32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\Cakjmm32.exeC:\Windows\system32\Cakjmm32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\Cibank32.exeC:\Windows\system32\Cibank32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Clqnjf32.exeC:\Windows\system32\Clqnjf32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\Windows\SysWOW64\Coojfa32.exeC:\Windows\system32\Coojfa32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5256 -
C:\Windows\SysWOW64\Ccjfgphj.exeC:\Windows\system32\Ccjfgphj.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:712 -
C:\Windows\SysWOW64\Cidncj32.exeC:\Windows\system32\Cidncj32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\Cpofpdgd.exeC:\Windows\system32\Cpofpdgd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\SysWOW64\Ccmclp32.exeC:\Windows\system32\Ccmclp32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
C:\Windows\SysWOW64\Cekohk32.exeC:\Windows\system32\Cekohk32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
C:\Windows\SysWOW64\Dhjkdg32.exeC:\Windows\system32\Dhjkdg32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\Dpacfd32.exeC:\Windows\system32\Dpacfd32.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Windows\SysWOW64\Dabpnlkp.exeC:\Windows\system32\Dabpnlkp.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\Diihojkb.exeC:\Windows\system32\Diihojkb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\SysWOW64\Dofpgqji.exeC:\Windows\system32\Dofpgqji.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Dadlclim.exeC:\Windows\system32\Dadlclim.exe23⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Dhnepfpj.exeC:\Windows\system32\Dhnepfpj.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2628 -
C:\Windows\SysWOW64\Dpemacql.exeC:\Windows\system32\Dpemacql.exe25⤵
- Executes dropped EXE
PID:6088 -
C:\Windows\SysWOW64\Dcdimopp.exeC:\Windows\system32\Dcdimopp.exe26⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Dllmfd32.exeC:\Windows\system32\Dllmfd32.exe27⤵
- Executes dropped EXE
PID:6028 -
C:\Windows\SysWOW64\Dphifcoi.exeC:\Windows\system32\Dphifcoi.exe28⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Dcfebonm.exeC:\Windows\system32\Dcfebonm.exe29⤵
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Djpnohej.exeC:\Windows\system32\Djpnohej.exe30⤵
- Executes dropped EXE
PID:3520 -
C:\Windows\SysWOW64\Dlojkddn.exeC:\Windows\system32\Dlojkddn.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:5124 -
C:\Windows\SysWOW64\Domfgpca.exeC:\Windows\system32\Domfgpca.exe32⤵
- Executes dropped EXE
PID:4136 -
C:\Windows\SysWOW64\Dakbckbe.exeC:\Windows\system32\Dakbckbe.exe33⤵
- Executes dropped EXE
PID:5496 -
C:\Windows\SysWOW64\Ejbkehcg.exeC:\Windows\system32\Ejbkehcg.exe34⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Epmcab32.exeC:\Windows\system32\Epmcab32.exe35⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Eckonn32.exeC:\Windows\system32\Eckonn32.exe36⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Ejegjh32.exeC:\Windows\system32\Ejegjh32.exe37⤵
- Executes dropped EXE
PID:4668 -
C:\Windows\SysWOW64\Ehhgfdho.exeC:\Windows\system32\Ehhgfdho.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5544 -
C:\Windows\SysWOW64\Epopgbia.exeC:\Windows\system32\Epopgbia.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Ecmlcmhe.exeC:\Windows\system32\Ecmlcmhe.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1872 -
C:\Windows\SysWOW64\Ebploj32.exeC:\Windows\system32\Ebploj32.exe41⤵
- Executes dropped EXE
PID:5440 -
C:\Windows\SysWOW64\Ehjdldfl.exeC:\Windows\system32\Ehjdldfl.exe42⤵
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Eqalmafo.exeC:\Windows\system32\Eqalmafo.exe43⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Ebbidj32.exeC:\Windows\system32\Ebbidj32.exe44⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Efneehef.exeC:\Windows\system32\Efneehef.exe45⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Ejjqeg32.exeC:\Windows\system32\Ejjqeg32.exe46⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Elhmablc.exeC:\Windows\system32\Elhmablc.exe47⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Ecbenm32.exeC:\Windows\system32\Ecbenm32.exe48⤵
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Efpajh32.exeC:\Windows\system32\Efpajh32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5688 -
C:\Windows\SysWOW64\Ehonfc32.exeC:\Windows\system32\Ehonfc32.exe50⤵
- Executes dropped EXE
PID:3668 -
C:\Windows\SysWOW64\Eqfeha32.exeC:\Windows\system32\Eqfeha32.exe51⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Fbgbpihg.exeC:\Windows\system32\Fbgbpihg.exe52⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Fhajlc32.exeC:\Windows\system32\Fhajlc32.exe53⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Fokbim32.exeC:\Windows\system32\Fokbim32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5980 -
C:\Windows\SysWOW64\Fbioei32.exeC:\Windows\system32\Fbioei32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:4920 -
C:\Windows\SysWOW64\Fjqgff32.exeC:\Windows\system32\Fjqgff32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1096 -
C:\Windows\SysWOW64\Fmocba32.exeC:\Windows\system32\Fmocba32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4384 -
C:\Windows\SysWOW64\Fomonm32.exeC:\Windows\system32\Fomonm32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3476 -
C:\Windows\SysWOW64\Fbllkh32.exeC:\Windows\system32\Fbllkh32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Fifdgblo.exeC:\Windows\system32\Fifdgblo.exe60⤵
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\Fqmlhpla.exeC:\Windows\system32\Fqmlhpla.exe61⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Fckhdk32.exeC:\Windows\system32\Fckhdk32.exe62⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Fjepaecb.exeC:\Windows\system32\Fjepaecb.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5752 -
C:\Windows\SysWOW64\Fmclmabe.exeC:\Windows\system32\Fmclmabe.exe64⤵
- Executes dropped EXE
PID:5716 -
C:\Windows\SysWOW64\Fbqefhpm.exeC:\Windows\system32\Fbqefhpm.exe65⤵
- Executes dropped EXE
PID:5384 -
C:\Windows\SysWOW64\Fijmbb32.exeC:\Windows\system32\Fijmbb32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4968 -
C:\Windows\SysWOW64\Fodeolof.exeC:\Windows\system32\Fodeolof.exe67⤵PID:3980
-
C:\Windows\SysWOW64\Gfnnlffc.exeC:\Windows\system32\Gfnnlffc.exe68⤵PID:5116
-
C:\Windows\SysWOW64\Gmhfhp32.exeC:\Windows\system32\Gmhfhp32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5112 -
C:\Windows\SysWOW64\Gogbdl32.exeC:\Windows\system32\Gogbdl32.exe70⤵
- Drops file in System32 directory
PID:5188 -
C:\Windows\SysWOW64\Gbenqg32.exeC:\Windows\system32\Gbenqg32.exe71⤵PID:3712
-
C:\Windows\SysWOW64\Giofnacd.exeC:\Windows\system32\Giofnacd.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2476 -
C:\Windows\SysWOW64\Gqfooodg.exeC:\Windows\system32\Gqfooodg.exe73⤵PID:5560
-
C:\Windows\SysWOW64\Gbgkfg32.exeC:\Windows\system32\Gbgkfg32.exe74⤵PID:5628
-
C:\Windows\SysWOW64\Gjocgdkg.exeC:\Windows\system32\Gjocgdkg.exe75⤵PID:5324
-
C:\Windows\SysWOW64\Gmmocpjk.exeC:\Windows\system32\Gmmocpjk.exe76⤵
- Modifies registry class
PID:5740 -
C:\Windows\SysWOW64\Gpklpkio.exeC:\Windows\system32\Gpklpkio.exe77⤵
- Modifies registry class
PID:3792 -
C:\Windows\SysWOW64\Gjapmdid.exeC:\Windows\system32\Gjapmdid.exe78⤵
- Drops file in System32 directory
PID:4708 -
C:\Windows\SysWOW64\Gqkhjn32.exeC:\Windows\system32\Gqkhjn32.exe79⤵PID:4520
-
C:\Windows\SysWOW64\Gcidfi32.exeC:\Windows\system32\Gcidfi32.exe80⤵PID:4240
-
C:\Windows\SysWOW64\Gfhqbe32.exeC:\Windows\system32\Gfhqbe32.exe81⤵PID:2008
-
C:\Windows\SysWOW64\Gifmnpnl.exeC:\Windows\system32\Gifmnpnl.exe82⤵
- Modifies registry class
PID:5616 -
C:\Windows\SysWOW64\Gppekj32.exeC:\Windows\system32\Gppekj32.exe83⤵PID:1848
-
C:\Windows\SysWOW64\Hboagf32.exeC:\Windows\system32\Hboagf32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Hfjmgdlf.exeC:\Windows\system32\Hfjmgdlf.exe85⤵PID:5064
-
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe86⤵PID:3592
-
C:\Windows\SysWOW64\Hjhfnccl.exeC:\Windows\system32\Hjhfnccl.exe87⤵PID:6140
-
C:\Windows\SysWOW64\Habnjm32.exeC:\Windows\system32\Habnjm32.exe88⤵PID:4400
-
C:\Windows\SysWOW64\Hfofbd32.exeC:\Windows\system32\Hfofbd32.exe89⤵
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Hadkpm32.exeC:\Windows\system32\Hadkpm32.exe90⤵PID:1648
-
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe91⤵PID:3764
-
C:\Windows\SysWOW64\Hippdo32.exeC:\Windows\system32\Hippdo32.exe92⤵PID:1400
-
C:\Windows\SysWOW64\Haggelfd.exeC:\Windows\system32\Haggelfd.exe93⤵PID:1380
-
C:\Windows\SysWOW64\Hcedaheh.exeC:\Windows\system32\Hcedaheh.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5472 -
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe95⤵PID:2092
-
C:\Windows\SysWOW64\Haidklda.exeC:\Windows\system32\Haidklda.exe96⤵PID:5008
-
C:\Windows\SysWOW64\Icgqggce.exeC:\Windows\system32\Icgqggce.exe97⤵PID:4460
-
C:\Windows\SysWOW64\Ijaida32.exeC:\Windows\system32\Ijaida32.exe98⤵PID:5132
-
C:\Windows\SysWOW64\Iidipnal.exeC:\Windows\system32\Iidipnal.exe99⤵PID:4604
-
C:\Windows\SysWOW64\Ipnalhii.exeC:\Windows\system32\Ipnalhii.exe100⤵PID:3344
-
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe101⤵
- Modifies registry class
PID:4652 -
C:\Windows\SysWOW64\Ijdeiaio.exeC:\Windows\system32\Ijdeiaio.exe102⤵PID:5308
-
C:\Windows\SysWOW64\Imbaemhc.exeC:\Windows\system32\Imbaemhc.exe103⤵PID:4640
-
C:\Windows\SysWOW64\Iiibkn32.exeC:\Windows\system32\Iiibkn32.exe104⤵PID:3456
-
C:\Windows\SysWOW64\Iapjlk32.exeC:\Windows\system32\Iapjlk32.exe105⤵
- Modifies registry class
PID:5568 -
C:\Windows\SysWOW64\Idofhfmm.exeC:\Windows\system32\Idofhfmm.exe106⤵PID:3436
-
C:\Windows\SysWOW64\Ifmcdblq.exeC:\Windows\system32\Ifmcdblq.exe107⤵PID:4292
-
C:\Windows\SysWOW64\Imgkql32.exeC:\Windows\system32\Imgkql32.exe108⤵PID:724
-
C:\Windows\SysWOW64\Ipegmg32.exeC:\Windows\system32\Ipegmg32.exe109⤵PID:2484
-
C:\Windows\SysWOW64\Ifopiajn.exeC:\Windows\system32\Ifopiajn.exe110⤵PID:4636
-
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe111⤵PID:5584
-
C:\Windows\SysWOW64\Jaedgjjd.exeC:\Windows\system32\Jaedgjjd.exe112⤵PID:5020
-
C:\Windows\SysWOW64\Jdcpcf32.exeC:\Windows\system32\Jdcpcf32.exe113⤵PID:1220
-
C:\Windows\SysWOW64\Jfaloa32.exeC:\Windows\system32\Jfaloa32.exe114⤵PID:4168
-
C:\Windows\SysWOW64\Jiphkm32.exeC:\Windows\system32\Jiphkm32.exe115⤵PID:1332
-
C:\Windows\SysWOW64\Jmkdlkph.exeC:\Windows\system32\Jmkdlkph.exe116⤵
- Drops file in System32 directory
PID:1876 -
C:\Windows\SysWOW64\Jagqlj32.exeC:\Windows\system32\Jagqlj32.exe117⤵
- Modifies registry class
PID:4508 -
C:\Windows\SysWOW64\Jdemhe32.exeC:\Windows\system32\Jdemhe32.exe118⤵PID:5800
-
C:\Windows\SysWOW64\Jfdida32.exeC:\Windows\system32\Jfdida32.exe119⤵PID:5676
-
C:\Windows\SysWOW64\Jjpeepnb.exeC:\Windows\system32\Jjpeepnb.exe120⤵
- Drops file in System32 directory
PID:5632 -
C:\Windows\SysWOW64\Jmnaakne.exeC:\Windows\system32\Jmnaakne.exe121⤵PID:5748
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-