Analysis
max time kernel: 145s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/05/2024, 18:06

Static task: static1

Behavioral task: behavioral1
  Sample: 31a80f58e6992f8e917208394c1c6428df32c0597c32856aad10f97bb7fef537.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: 31a80f58e6992f8e917208394c1c6428df32c0597c32856aad10f97bb7fef537.exe
  Resource: win10v2004-20240226-en
General
Target: 31a80f58e6992f8e917208394c1c6428df32c0597c32856aad10f97bb7fef537.exe
Size: 96KB
MD5: 123fa30204550980c6c33975370d91b0
SHA1: f106e83de1cc8fa6cb955108bd29da226177cbf7
SHA256: 31a80f58e6992f8e917208394c1c6428df32c0597c32856aad10f97bb7fef537
SHA512: 49d501e4b419efd1bfe9f553832105b3ac358bd24b44c1dca8f9eeb4415fb4774aa6f5b8205225c7188ac93cb694a1de13283abab673e8ca89c08a69f0eaab25
SSDEEP: 1536:aAelgVnWa4ne4bQ/m6e8IM4rVcdZ2JVQBKoC/CKniTCvVAva61hLDnePhVsWzRAf:aAeloW860m6e8IM4rVqZ2fQkbn1vVAv7
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description ioc Process
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coegoe32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aabkbono.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hohjgpmo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fakfglhm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohlqcagj.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hicpgc32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpoagb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqknkedi.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nagpeo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mginniij.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqklnp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipaeedpp.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmpjmn32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cammjakm.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iencmm32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjjiej32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pccahbmn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciefek32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmhglopl.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdehni32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dklomnmf.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffjkdc32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jopaejlo.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkcjlf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgloefco.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgjoif32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkhgod32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojfcdnjc.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnfjbj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhekaejj.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijjnpg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nifele32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qipqibmf.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qohpkf32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nggnadib.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ficlmf32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmggac32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmabggdm.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebgpad32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klahfp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jefgak32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oondnini.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmeandma.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnmglk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnphag32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kafcadej.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qohpkf32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kedlip32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acccdj32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipaeedpp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfjkjo32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnhdgpii.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jblmgf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okceaikl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpbokjho.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djjobedk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjfbjdnd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hadcce32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdloelpc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kocphojh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkqccbkf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfhklabb.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knhkkfod.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knchpiom.exe
Executes dropped EXE (64 IoCs)
pid Process
3824 Empoiimf.exe
2528 Eiildjag.exe
2916 Efmmmn32.exe
1344 Ffpicn32.exe
1484 Fipbdikp.exe
4852 Fibojhim.exe
3984 Iqbbpm32.exe
1956 Jbdlop32.exe
3848 Jhpqaiji.exe
4136 Kjhcjq32.exe
4756 Kilpmh32.exe
1292 Kbddfmgl.exe
4360 Lajagj32.exe
3748 Legjmh32.exe
4456 Lejgch32.exe
2688 Lnbklm32.exe
2232 Lndham32.exe
3584 Lijlof32.exe
3296 Mjneln32.exe
1372 Neoieenp.exe
2404 Oondnini.exe
4188 Ooqqdi32.exe
1504 Oohgdhfn.exe
940 Pkadoiip.exe
32 Pekbga32.exe
4060 Qofcff32.exe
452 Qohpkf32.exe
1132 Ahcajk32.exe
4876 Ahenokjf.exe
3492 Ajdjin32.exe
4140 Ajggomog.exe
3204 Boflmdkk.exe
2804 Bjnmpl32.exe
3864 Bmabggdm.exe
3660 Ccmgiaig.exe
1444 Ccpdoqgd.exe
2004 Cofecami.exe
4508 Cfcjfk32.exe
4416 Dpnkdq32.exe
464 Dmalne32.exe
2000 Efafgifc.exe
1288 Eplgeokq.exe
3400 Elbhjp32.exe
4492 Emdajb32.exe
3180 Fmfnpa32.exe
2156 Fmikeaap.exe
4476 Flngfn32.exe
2320 Fdglmkeg.exe
1352 Gjdaodja.exe
3164 Glengm32.exe
3636 Gbabigfj.exe
5088 Gkkgpc32.exe
2376 Gkmdecbg.exe
4928 Hdehni32.exe
1864 Hdhedh32.exe
1400 Hmpjmn32.exe
1820 Hmbfbn32.exe
3484 Hgkkkcbc.exe
1652 Idcepgmg.exe
3924 Iloidijb.exe
2808 Icknfcol.exe
4000 Inqbclob.exe
416 Jpaleglc.exe
2248 Jkgpbp32.exe
Drops file in System32 directory (64 IoCs)
description ioc Process
File created C:\Windows\SysWOW64\Mnokgcbe.dll Ojfcdnjc.exe
File created C:\Windows\SysWOW64\Jmafec32.dll Jjfdfl32.exe
File opened for modification C:\Windows\SysWOW64\Kdmeqo32.exe Kfidgk32.exe
File opened for modification C:\Windows\SysWOW64\Gjdknjep.exe Gpjjpe32.exe
File created C:\Windows\SysWOW64\Kkaljpmd.exe Knmkak32.exe
File created C:\Windows\SysWOW64\Cjibekmc.dll Nclikl32.exe
File created C:\Windows\SysWOW64\Ejhdfi32.dll Iebngial.exe
File created C:\Windows\SysWOW64\Pjkakfla.dll Kngkqbgl.exe
File opened for modification C:\Windows\SysWOW64\Gmimll32.exe Gcqhcgqi.exe
File opened for modification C:\Windows\SysWOW64\Blkgen32.exe Bbbblhnc.exe
File created C:\Windows\SysWOW64\Mpmqae32.dll Kafcadej.exe
File created C:\Windows\SysWOW64\Hejqldci.exe Hicpgc32.exe
File opened for modification C:\Windows\SysWOW64\Fkgillpj.exe Fjhmbihg.exe
File created C:\Windows\SysWOW64\Kcblbn32.dll Igqbiacj.exe
File opened for modification C:\Windows\SysWOW64\Ihmfco32.exe Ipbaol32.exe
File opened for modification C:\Windows\SysWOW64\Ojhiogdd.exe Oqoefand.exe
File created C:\Windows\SysWOW64\Ofdnkcof.dll Pgcbbc32.exe
File opened for modification C:\Windows\SysWOW64\Gekeie32.exe Giddddad.exe
File opened for modification C:\Windows\SysWOW64\Kfpqap32.exe Kfndlphp.exe
File opened for modification C:\Windows\SysWOW64\Jpfepf32.exe Jkgpbp32.exe
File created C:\Windows\SysWOW64\Jklinohd.exe Jpfepf32.exe
File created C:\Windows\SysWOW64\Mmihfl32.dll Cdimqm32.exe
File opened for modification C:\Windows\SysWOW64\Qibfdkgh.exe Qlnfkgho.exe
File created C:\Windows\SysWOW64\Aablof32.dll Klcekpdo.exe
File created C:\Windows\SysWOW64\Pimfpc32.exe Pqbala32.exe
File opened for modification C:\Windows\SysWOW64\Oljoen32.exe Nfpghccm.exe
File created C:\Windows\SysWOW64\Enccibdi.dll Pohnnqgo.exe
File created C:\Windows\SysWOW64\Jihngboe.exe Jckeokan.exe
File created C:\Windows\SysWOW64\Hjfcen32.dll Qohpkf32.exe
File created C:\Windows\SysWOW64\Gfodeohd.exe Gmfplibd.exe
File created C:\Windows\SysWOW64\Fmggcl32.dll Jlolpq32.exe
File created C:\Windows\SysWOW64\Ebnddn32.exe Eejcki32.exe
File created C:\Windows\SysWOW64\Fccigg32.dll Pbcelacq.exe
File created C:\Windows\SysWOW64\Ddplkbaa.dll Jpaleglc.exe
File opened for modification C:\Windows\SysWOW64\Klcekpdo.exe Kgflcifg.exe
File opened for modification C:\Windows\SysWOW64\Dpalgenf.exe Dpopbepi.exe
File created C:\Windows\SysWOW64\Emldnf32.dll Ckfofe32.exe
File created C:\Windows\SysWOW64\Aploae32.exe Qibfdkgh.exe
File created C:\Windows\SysWOW64\Meknelcg.dll Clohhbli.exe
File created C:\Windows\SysWOW64\Fnipgg32.dll Mnfnlf32.exe
File opened for modification C:\Windows\SysWOW64\Ndnnianm.exe Noaeqjpe.exe
File created C:\Windows\SysWOW64\Fghcqq32.exe Fpnkdfko.exe
File opened for modification C:\Windows\SysWOW64\Boflmdkk.exe Ajggomog.exe
File created C:\Windows\SysWOW64\Lmjhab32.dll Jleijb32.exe
File created C:\Windows\SysWOW64\Dnpiedch.dll Hjfplo32.exe
File opened for modification C:\Windows\SysWOW64\Fmcjpl32.exe Ebnfbcbc.exe
File created C:\Windows\SysWOW64\Ajjokd32.exe Aabkbono.exe
File created C:\Windows\SysWOW64\Ffpcbchm.exe Fpckjlje.exe
File opened for modification C:\Windows\SysWOW64\Hkaeih32.exe Hnmeodjc.exe
File opened for modification C:\Windows\SysWOW64\Bllble32.exe Aohbbqme.exe
File created C:\Windows\SysWOW64\Jajdff32.exe Jpjhlche.exe
File opened for modification C:\Windows\SysWOW64\Fipbdikp.exe Ffpicn32.exe
File opened for modification C:\Windows\SysWOW64\Mjneln32.exe Lijlof32.exe
File created C:\Windows\SysWOW64\Ajdjin32.exe Ahenokjf.exe
File created C:\Windows\SysWOW64\Qnbhhd32.dll Gmnmbbgp.exe
File created C:\Windows\SysWOW64\Iajkohmj.exe Ihagfb32.exe
File created C:\Windows\SysWOW64\Oghgbe32.exe Ngekmf32.exe
File opened for modification C:\Windows\SysWOW64\Kfhnme32.exe Kmpido32.exe
File created C:\Windows\SysWOW64\Gafnik32.dll Aamipe32.exe
File created C:\Windows\SysWOW64\Qjdakijh.dll Gkdjaf32.exe
File created C:\Windows\SysWOW64\Jddnfd32.exe Jklinohd.exe
File created C:\Windows\SysWOW64\Dhhmleng.dll Ogjdmbil.exe
File opened for modification C:\Windows\SysWOW64\Ocdgahag.exe Oljoen32.exe
File created C:\Windows\SysWOW64\Aehojk32.dll Ephbhd32.exe
Program crash (1 IoC)
pid pid_target Process procid_target
6316 5932 WerFault.exe 1023
Modifies registry class (64 IoCs)
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkadoiip.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgffka32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnahbk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldlmieaa.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpkcp32.dll" Aploae32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efafgifc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbihjifh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cibkohef.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfhlpnfp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmjlkb32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpihbjmg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qibfdkgh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amdomd32.dll" Chnbbqpn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fechomko.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecoaijio.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhpdkm32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbjlgj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfcen32.dll" Qohpkf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emdajb32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgkkkcbc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqcejcha.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fofilp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjpoelb.dll" Abjkmqni.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfegnkqm.dll" Chqogq32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmmqhl32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfhofnpp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjmpege.dll" Bbbblhnc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pahilmoc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lndkebgi.dll" Jdjfohjg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlblcdpf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jddnfd32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eghkjdoa.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afboah32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djpfbahm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aiejda32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgbpaipl.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihmfco32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihmfco32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iefphb32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlqloo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgbppknb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpjfgf32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgcbbc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eifffoob.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkdjaf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lccahg32.dll" Jkgpbp32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ombcji32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnijbocc.dll" Didqkeeq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aohbbqme.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnofpqff.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnkbcj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfomc32.dll" Kedlip32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnmglk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okcogc32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnbklm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qednnm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lehagi32.dll" Fipbdikp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpcila32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dijgjpip.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opfjmg32.dll" Fjoadbbc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghndhd32.dll" Mgeakekd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpjmph32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfdklllb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kallod32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description pid Process procid_target
PID 1380 wrote to memory of 3824 1380 31a80f58e6992f8e917208394c1c6428df32c0597c32856aad10f97bb7fef537.exe 91
PID 1380 wrote to memory of 3824 1380 31a80f58e6992f8e917208394c1c6428df32c0597c32856aad10f97bb7fef537.exe 91
PID 1380 wrote to memory of 3824 1380 31a80f58e6992f8e917208394c1c6428df32c0597c32856aad10f97bb7fef537.exe 91
PID 3824 wrote to memory of 2528 3824 Empoiimf.exe 92
PID 3824 wrote to memory of 2528 3824 Empoiimf.exe 92
PID 3824 wrote to memory of 2528 3824 Empoiimf.exe 92
PID 2528 wrote to memory of 2916 2528 Eiildjag.exe 93
PID 2528 wrote to memory of 2916 2528 Eiildjag.exe 93
PID 2528 wrote to memory of 2916 2528 Eiildjag.exe 93
PID 2916 wrote to memory of 1344 2916 Efmmmn32.exe 94
PID 2916 wrote to memory of 1344 2916 Efmmmn32.exe 94
PID 2916 wrote to memory of 1344 2916 Efmmmn32.exe 94
PID 1344 wrote to memory of 1484 1344 Ffpicn32.exe 95
PID 1344 wrote to memory of 1484 1344 Ffpicn32.exe 95
PID 1344 wrote to memory of 1484 1344 Ffpicn32.exe 95
PID 1484 wrote to memory of 4852 1484 Fipbdikp.exe 96
PID 1484 wrote to memory of 4852 1484 Fipbdikp.exe 96
PID 1484 wrote to memory of 4852 1484 Fipbdikp.exe 96
PID 4852 wrote to memory of 3984 4852 Fibojhim.exe 97
PID 4852 wrote to memory of 3984 4852 Fibojhim.exe 97
PID 4852 wrote to memory of 3984 4852 Fibojhim.exe 97
PID 3984 wrote to memory of 1956 3984 Iqbbpm32.exe 98
PID 3984 wrote to memory of 1956 3984 Iqbbpm32.exe 98
PID 3984 wrote to memory of 1956 3984 Iqbbpm32.exe 98
PID 1956 wrote to memory of 3848 1956 Jbdlop32.exe 99
PID 1956 wrote to memory of 3848 1956 Jbdlop32.exe 99
PID 1956 wrote to memory of 3848 1956 Jbdlop32.exe 99
PID 3848 wrote to memory of 4136 3848 Jhpqaiji.exe 100
PID 3848 wrote to memory of 4136 3848 Jhpqaiji.exe 100
PID 3848 wrote to memory of 4136 3848 Jhpqaiji.exe 100
PID 4136 wrote to memory of 4756 4136 Kjhcjq32.exe 101
PID 4136 wrote to memory of 4756 4136 Kjhcjq32.exe 101
PID 4136 wrote to memory of 4756 4136 Kjhcjq32.exe 101
PID 4756 wrote to memory of 1292 4756 Kilpmh32.exe 102
PID 4756 wrote to memory of 1292 4756 Kilpmh32.exe 102
PID 4756 wrote to memory of 1292 4756 Kilpmh32.exe 102
PID 1292 wrote to memory of 4360 1292 Kbddfmgl.exe 103
PID 1292 wrote to memory of 4360 1292 Kbddfmgl.exe 103
PID 1292 wrote to memory of 4360 1292 Kbddfmgl.exe 103
PID 4360 wrote to memory of 3748 4360 Lajagj32.exe 104
PID 4360 wrote to memory of 3748 4360 Lajagj32.exe 104
PID 4360 wrote to memory of 3748 4360 Lajagj32.exe 104
PID 3748 wrote to memory of 4456 3748 Legjmh32.exe 105
PID 3748 wrote to memory of 4456 3748 Legjmh32.exe 105
PID 3748 wrote to memory of 4456 3748 Legjmh32.exe 105
PID 4456 wrote to memory of 2688 4456 Lejgch32.exe 106
PID 4456 wrote to memory of 2688 4456 Lejgch32.exe 106
PID 4456 wrote to memory of 2688 4456 Lejgch32.exe 106
PID 2688 wrote to memory of 2232 2688 Lnbklm32.exe 107
PID 2688 wrote to memory of 2232 2688 Lnbklm32.exe 107
PID 2688 wrote to memory of 2232 2688 Lnbklm32.exe 107
PID 2232 wrote to memory of 3584 2232 Lndham32.exe 108
PID 2232 wrote to memory of 3584 2232 Lndham32.exe 108
PID 2232 wrote to memory of 3584 2232 Lndham32.exe 108
PID 3584 wrote to memory of 3296 3584 Lijlof32.exe 109
PID 3584 wrote to memory of 3296 3584 Lijlof32.exe 109
PID 3584 wrote to memory of 3296 3584 Lijlof32.exe 109
PID 3296 wrote to memory of 1372 3296 Mjneln32.exe 110
PID 3296 wrote to memory of 1372 3296 Mjneln32.exe 110
PID 3296 wrote to memory of 1372 3296 Mjneln32.exe 110
PID 1372 wrote to memory of 2404 1372 Neoieenp.exe 111
PID 1372 wrote to memory of 2404 1372 Neoieenp.exe 111
PID 1372 wrote to memory of 2404 1372 Neoieenp.exe 111
PID 2404 wrote to memory of 4188 2404 Oondnini.exe 112
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\31a80f58e6992f8e917208394c1c6428df32c0597c32856aad10f97bb7fef537.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\31a80f58e6992f8e917208394c1c6428df32c0597c32856aad10f97bb7fef537.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1380

(depth 2) C:\Windows\SysWOW64\Empoiimf.exe
  Command line: C:\Windows\system32\Empoiimf.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3824

(depth 3) C:\Windows\SysWOW64\Eiildjag.exe
  Command line: C:\Windows\system32\Eiildjag.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2528

(depth 4) C:\Windows\SysWOW64\Efmmmn32.exe
  Command line: C:\Windows\system32\Efmmmn32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2916

(depth 5) C:\Windows\SysWOW64\Ffpicn32.exe
  Command line: C:\Windows\system32\Ffpicn32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 1344

(depth 6) C:\Windows\SysWOW64\Fipbdikp.exe
  Command line: C:\Windows\system32\Fipbdikp.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1484

(depth 7) C:\Windows\SysWOW64\Fibojhim.exe
  Command line: C:\Windows\system32\Fibojhim.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4852

(depth 8) C:\Windows\SysWOW64\Iqbbpm32.exe
  Command line: C:\Windows\system32\Iqbbpm32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3984

(depth 9) C:\Windows\SysWOW64\Jbdlop32.exe
  Command line: C:\Windows\system32\Jbdlop32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1956

(depth 10) C:\Windows\SysWOW64\Jhpqaiji.exe
  Command line: C:\Windows\system32\Jhpqaiji.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3848

(depth 11) C:\Windows\SysWOW64\Kjhcjq32.exe
  Command line: C:\Windows\system32\Kjhcjq32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4136

(depth 12) C:\Windows\SysWOW64\Kilpmh32.exe
  Command line: C:\Windows\system32\Kilpmh32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4756

(depth 13) C:\Windows\SysWOW64\Kbddfmgl.exe
  Command line: C:\Windows\system32\Kbddfmgl.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1292

(depth 14) C:\Windows\SysWOW64\Lajagj32.exe
  Command line: C:\Windows\system32\Lajagj32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4360

(depth 15) C:\Windows\SysWOW64\Legjmh32.exe
  Command line: C:\Windows\system32\Legjmh32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3748

(depth 16) C:\Windows\SysWOW64\Lejgch32.exe
  Command line: C:\Windows\system32\Lejgch32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4456

(depth 17) C:\Windows\SysWOW64\Lnbklm32.exe
  Command line: C:\Windows\system32\Lnbklm32.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2688

(depth 18) C:\Windows\SysWOW64\Lndham32.exe
  Command line: C:\Windows\system32\Lndham32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2232

(depth 19) C:\Windows\SysWOW64\Lijlof32.exe
  Command line: C:\Windows\system32\Lijlof32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 3584

(depth 20) C:\Windows\SysWOW64\Mjneln32.exe
  Command line: C:\Windows\system32\Mjneln32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3296

(depth 21) C:\Windows\SysWOW64\Neoieenp.exe
  Command line: C:\Windows\system32\Neoieenp.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1372

(depth 22) C:\Windows\SysWOW64\Oondnini.exe
  Command line: C:\Windows\system32\Oondnini.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2404

(depth 23) C:\Windows\SysWOW64\Ooqqdi32.exe
  Command line: C:\Windows\system32\Ooqqdi32.exe
  - Executes dropped EXE
  PID: 4188

(depth 24) C:\Windows\SysWOW64\Ooejohhq.exe
  Command line: C:\Windows\system32\Ooejohhq.exe
  PID: 4284

(depth 25) C:\Windows\SysWOW64\Oohgdhfn.exe
  Command line: C:\Windows\system32\Oohgdhfn.exe
  - Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Pkadoiip.exeC:\Windows\system32\Pkadoiip.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:940 -
C:\Windows\SysWOW64\Pekbga32.exeC:\Windows\system32\Pekbga32.exe27⤵
- Executes dropped EXE
PID:32 -
C:\Windows\SysWOW64\Qofcff32.exeC:\Windows\system32\Qofcff32.exe28⤵
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\Qohpkf32.exeC:\Windows\system32\Qohpkf32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:452 -
C:\Windows\SysWOW64\Ahcajk32.exeC:\Windows\system32\Ahcajk32.exe30⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Ahenokjf.exeC:\Windows\system32\Ahenokjf.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4876 -
C:\Windows\SysWOW64\Ajdjin32.exeC:\Windows\system32\Ajdjin32.exe32⤵
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\Ajggomog.exeC:\Windows\system32\Ajggomog.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4140 -
C:\Windows\SysWOW64\Boflmdkk.exeC:\Windows\system32\Boflmdkk.exe34⤵
- Executes dropped EXE
PID:3204 -
C:\Windows\SysWOW64\Bjnmpl32.exeC:\Windows\system32\Bjnmpl32.exe35⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Bmabggdm.exeC:\Windows\system32\Bmabggdm.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Ccmgiaig.exeC:\Windows\system32\Ccmgiaig.exe37⤵
- Executes dropped EXE
PID:3660 -
C:\Windows\SysWOW64\Ccpdoqgd.exeC:\Windows\system32\Ccpdoqgd.exe38⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Cofecami.exeC:\Windows\system32\Cofecami.exe39⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Cfcjfk32.exeC:\Windows\system32\Cfcjfk32.exe40⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Dpnkdq32.exeC:\Windows\system32\Dpnkdq32.exe41⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Dmalne32.exeC:\Windows\system32\Dmalne32.exe42⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Efafgifc.exeC:\Windows\system32\Efafgifc.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Eplgeokq.exeC:\Windows\system32\Eplgeokq.exe44⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Elbhjp32.exeC:\Windows\system32\Elbhjp32.exe45⤵
- Executes dropped EXE
PID:3400 -
C:\Windows\SysWOW64\Emdajb32.exeC:\Windows\system32\Emdajb32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:4492 -
C:\Windows\SysWOW64\Fmfnpa32.exeC:\Windows\system32\Fmfnpa32.exe47⤵
- Executes dropped EXE
PID:3180 -
C:\Windows\SysWOW64\Fmikeaap.exeC:\Windows\system32\Fmikeaap.exe48⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Flngfn32.exeC:\Windows\system32\Flngfn32.exe49⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Fdglmkeg.exeC:\Windows\system32\Fdglmkeg.exe50⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Gjdaodja.exeC:\Windows\system32\Gjdaodja.exe51⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Glengm32.exeC:\Windows\system32\Glengm32.exe52⤵
- Executes dropped EXE
PID:3164 -
C:\Windows\SysWOW64\Gbabigfj.exeC:\Windows\system32\Gbabigfj.exe53⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Gkkgpc32.exeC:\Windows\system32\Gkkgpc32.exe54⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Gkmdecbg.exeC:\Windows\system32\Gkmdecbg.exe55⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Hdehni32.exeC:\Windows\system32\Hdehni32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Hdhedh32.exeC:\Windows\system32\Hdhedh32.exe57⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Hmpjmn32.exeC:\Windows\system32\Hmpjmn32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Hmbfbn32.exeC:\Windows\system32\Hmbfbn32.exe59⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Hgkkkcbc.exeC:\Windows\system32\Hgkkkcbc.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:3484 -
C:\Windows\SysWOW64\Idcepgmg.exeC:\Windows\system32\Idcepgmg.exe61⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Iloidijb.exeC:\Windows\system32\Iloidijb.exe62⤵
- Executes dropped EXE
PID:3924 -
C:\Windows\SysWOW64\Icknfcol.exeC:\Windows\system32\Icknfcol.exe63⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Inqbclob.exeC:\Windows\system32\Inqbclob.exe64⤵
- Executes dropped EXE
PID:4000 -
C:\Windows\SysWOW64\Jpaleglc.exeC:\Windows\system32\Jpaleglc.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:416 -
C:\Windows\SysWOW64\Jkgpbp32.exeC:\Windows\system32\Jkgpbp32.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Jpfepf32.exeC:\Windows\system32\Jpfepf32.exe67⤵
- Drops file in System32 directory
PID:4128 -
C:\Windows\SysWOW64\Jklinohd.exeC:\Windows\system32\Jklinohd.exe68⤵
- Drops file in System32 directory
PID:1120 -
C:\Windows\SysWOW64\Jddnfd32.exeC:\Windows\system32\Jddnfd32.exe69⤵
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Jqknkedi.exeC:\Windows\system32\Jqknkedi.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1548 -
C:\Windows\SysWOW64\Kjccdkki.exeC:\Windows\system32\Kjccdkki.exe71⤵PID:3320
-
C:\Windows\SysWOW64\Kggcnoic.exeC:\Windows\system32\Kggcnoic.exe72⤵PID:3556
-
C:\Windows\SysWOW64\Kmdlffhj.exeC:\Windows\system32\Kmdlffhj.exe73⤵PID:4144
-
C:\Windows\SysWOW64\Knchpiom.exeC:\Windows\system32\Knchpiom.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1100 -
C:\Windows\SysWOW64\Kjjiej32.exeC:\Windows\system32\Kjjiej32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4496 -
C:\Windows\SysWOW64\Kcbnnpka.exeC:\Windows\system32\Kcbnnpka.exe76⤵PID:2180
-
C:\Windows\SysWOW64\Knhakh32.exeC:\Windows\system32\Knhakh32.exe77⤵PID:3880
-
C:\Windows\SysWOW64\Ljobpiql.exeC:\Windows\system32\Ljobpiql.exe78⤵PID:1696
-
C:\Windows\SysWOW64\Lgccinoe.exeC:\Windows\system32\Lgccinoe.exe79⤵PID:3996
-
C:\Windows\SysWOW64\Lgepom32.exeC:\Windows\system32\Lgepom32.exe80⤵PID:3956
-
C:\Windows\SysWOW64\Ljhefhha.exeC:\Windows\system32\Ljhefhha.exe81⤵PID:4076
-
C:\Windows\SysWOW64\Mcqjon32.exeC:\Windows\system32\Mcqjon32.exe82⤵PID:4700
-
C:\Windows\SysWOW64\Mnfnlf32.exeC:\Windows\system32\Mnfnlf32.exe83⤵
- Drops file in System32 directory
PID:2060 -
C:\Windows\SysWOW64\Mgaokl32.exeC:\Windows\system32\Mgaokl32.exe84⤵PID:3036
-
C:\Windows\SysWOW64\Megljppl.exeC:\Windows\system32\Megljppl.exe85⤵PID:4892
-
C:\Windows\SysWOW64\Mkadfj32.exeC:\Windows\system32\Mkadfj32.exe86⤵PID:5132
-
C:\Windows\SysWOW64\Nclikl32.exeC:\Windows\system32\Nclikl32.exe87⤵
- Drops file in System32 directory
PID:5176 -
C:\Windows\SysWOW64\Nmenca32.exeC:\Windows\system32\Nmenca32.exe88⤵PID:5220
-
C:\Windows\SysWOW64\Njinmf32.exeC:\Windows\system32\Njinmf32.exe89⤵PID:5264
-
C:\Windows\SysWOW64\Nhmofj32.exeC:\Windows\system32\Nhmofj32.exe90⤵PID:5308
-
C:\Windows\SysWOW64\Naecop32.exeC:\Windows\system32\Naecop32.exe91⤵PID:5356
-
C:\Windows\SysWOW64\Nhokljge.exeC:\Windows\system32\Nhokljge.exe92⤵PID:5400
-
C:\Windows\SysWOW64\Nagpeo32.exeC:\Windows\system32\Nagpeo32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5444 -
C:\Windows\SysWOW64\Nmnqjp32.exeC:\Windows\system32\Nmnqjp32.exe94⤵PID:5488
-
C:\Windows\SysWOW64\Ohcegi32.exeC:\Windows\system32\Ohcegi32.exe95⤵PID:5532
-
C:\Windows\SysWOW64\Omqmop32.exeC:\Windows\system32\Omqmop32.exe96⤵PID:5576
-
C:\Windows\SysWOW64\Odoogi32.exeC:\Windows\system32\Odoogi32.exe97⤵PID:5620
-
C:\Windows\SysWOW64\Omjpeo32.exeC:\Windows\system32\Omjpeo32.exe98⤵PID:5652
-
C:\Windows\SysWOW64\Plkpcfal.exeC:\Windows\system32\Plkpcfal.exe99⤵PID:5708
-
C:\Windows\SysWOW64\Pahilmoc.exeC:\Windows\system32\Pahilmoc.exe100⤵
- Modifies registry class
PID:5756 -
C:\Windows\SysWOW64\Phfjcf32.exeC:\Windows\system32\Phfjcf32.exe101⤵PID:5800
-
C:\Windows\SysWOW64\Pdmkhgho.exeC:\Windows\system32\Pdmkhgho.exe102⤵PID:5844
-
C:\Windows\SysWOW64\Pkgcea32.exeC:\Windows\system32\Pkgcea32.exe103⤵PID:5888
-
C:\Windows\SysWOW64\Qlgpod32.exeC:\Windows\system32\Qlgpod32.exe104⤵PID:5932
-
C:\Windows\SysWOW64\Qklmpalf.exeC:\Windows\system32\Qklmpalf.exe105⤵PID:5976
-
C:\Windows\SysWOW64\Alkijdci.exeC:\Windows\system32\Alkijdci.exe106⤵PID:6020
-
C:\Windows\SysWOW64\Aednci32.exeC:\Windows\system32\Aednci32.exe107⤵PID:6068
-
C:\Windows\SysWOW64\Ahdged32.exeC:\Windows\system32\Ahdged32.exe108⤵PID:6108
-
C:\Windows\SysWOW64\Ahgcjddh.exeC:\Windows\system32\Ahgcjddh.exe109⤵PID:5144
-
C:\Windows\SysWOW64\Aaohcj32.exeC:\Windows\system32\Aaohcj32.exe110⤵PID:5208
-
C:\Windows\SysWOW64\Bochmn32.exeC:\Windows\system32\Bochmn32.exe111⤵PID:5280
-
C:\Windows\SysWOW64\Bemqih32.exeC:\Windows\system32\Bemqih32.exe112⤵PID:5352
-
C:\Windows\SysWOW64\Blielbfi.exeC:\Windows\system32\Blielbfi.exe113⤵PID:5440
-
C:\Windows\SysWOW64\Bnkbcj32.exeC:\Windows\system32\Bnkbcj32.exe114⤵
- Modifies registry class
PID:5496 -
C:\Windows\SysWOW64\Bahkih32.exeC:\Windows\system32\Bahkih32.exe115⤵PID:5564
-
C:\Windows\SysWOW64\Bnoknihb.exeC:\Windows\system32\Bnoknihb.exe116⤵PID:5648
-
C:\Windows\SysWOW64\Blqllqqa.exeC:\Windows\system32\Blqllqqa.exe117⤵PID:5692
-
C:\Windows\SysWOW64\Cfipef32.exeC:\Windows\system32\Cfipef32.exe118⤵PID:5792
-
C:\Windows\SysWOW64\Cdnmfclj.exeC:\Windows\system32\Cdnmfclj.exe119⤵PID:5856
-
C:\Windows\SysWOW64\Cbbnpg32.exeC:\Windows\system32\Cbbnpg32.exe120⤵PID:5924
-
C:\Windows\SysWOW64\Cofnik32.exeC:\Windows\system32\Cofnik32.exe121⤵PID:5988
-
C:\Windows\SysWOW64\Chnbbqpn.exeC:\Windows\system32\Chnbbqpn.exe122⤵
- Modifies registry class
PID:6052