Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
25/05/2024, 00:38
Static task
static1
Behavioral task
behavioral1
Sample
8dc5187efd9cd02b680046960da17280318ba83e91210962eda86a1e6ba8bf75.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
8dc5187efd9cd02b680046960da17280318ba83e91210962eda86a1e6ba8bf75.exe
Resource
win10v2004-20240508-en
General
-
Target
8dc5187efd9cd02b680046960da17280318ba83e91210962eda86a1e6ba8bf75.exe
-
Size
55KB
-
MD5
8726eafa6a19a4b3548b1e33936c530a
-
SHA1
4b88039b88ec76e28719a8c2edc3b4f6cf627c14
-
SHA256
8dc5187efd9cd02b680046960da17280318ba83e91210962eda86a1e6ba8bf75
-
SHA512
0166e5cb9b0dd83486fed72ebb85a91408c3ea7b62fae19e27a93c3cc8e08cc724edaa1675a34c626c0aa98a4316a0b76b4cb5db62b104705f48ae19b570434f
-
SSDEEP
1536:kYPAsmKVmShkW1C+YXl4bHv2Ax6XZAQpP82Lw:X7mShkW1C+GSbyAQpP1w
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anfmjhmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhocqigp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdegandp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flnlhk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olhlhjpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfaigm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iemppiab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbhfjljd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmbmibhb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmdkch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eleiam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkaejf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmjdjgjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imakkfdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqbdjfln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqncedbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhemmlhc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gofkje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocnjidkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcpnhfhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aglemn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bagflcje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnpppgdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfngap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdjjckag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibnccmbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmbfpp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bclhhnca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnbmefbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dodbbdbb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmannhhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edpnfo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfifmnij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ippggbck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgefeajb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfgmjqop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocpgod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmcibama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbdgfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbiaapdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpebpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npcoakfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbgdlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqhacgdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cenahpha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnicfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mplhql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njefqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojjolnaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdifoehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjcbbmif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdeqhl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hijooifk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Likjcbkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofeilobp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agjhgngj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnhjohkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceehho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edkdkplj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiaephpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jifhaenk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndfqbhia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnlaml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecoangbg.exe -
Executes dropped EXE 64 IoCs
pid Process 2568 Eoolbinc.exe 2028 Edkdkplj.exe 3940 Ekemhj32.exe 5108 Ecmeig32.exe 1788 Eekaebcm.exe 1796 Eleiam32.exe 3592 Ecoangbg.exe 5032 Edpnfo32.exe 2428 Elgfgl32.exe 3496 Ecandfpd.exe 3312 Eepjpb32.exe 2124 Ehnglm32.exe 1568 Fkmchi32.exe 4212 Fcckif32.exe 4308 Fdegandp.exe 3588 Fllpbldb.exe 4504 Fcfhof32.exe 468 Fdgdgnbm.exe 1584 Flnlhk32.exe 2600 Fakdpb32.exe 4364 Fhemmlhc.exe 880 Fooeif32.exe 4748 Ffimfqgm.exe 3608 Flceckoj.exe 5072 Fkffog32.exe 1764 Fbpnkama.exe 1016 Ffkjlp32.exe 1244 Glebhjlg.exe 1184 Gcojed32.exe 4412 Gfngap32.exe 3596 Ghlcnk32.exe 3784 Gofkje32.exe 4220 Gbdgfa32.exe 4704 Gdcdbl32.exe 4596 Gkmlofol.exe 3300 Gohhpe32.exe 4256 Gbgdlq32.exe 4488 Gdeqhl32.exe 1804 Gkoiefmj.exe 1084 Gbiaapdf.exe 1760 Gdhmnlcj.exe 3028 Gkaejf32.exe 228 Gblngpbd.exe 452 Gdjjckag.exe 1876 Hmabdibj.exe 1192 Hopnqdan.exe 1272 Hfifmnij.exe 3568 Hmcojh32.exe 3880 Hobkfd32.exe 644 Hcmgfbhd.exe 1056 Hijooifk.exe 1076 Hmfkoh32.exe 3304 Hcpclbfa.exe 4980 Hfnphn32.exe 628 Himldi32.exe 1652 Hmhhehlb.exe 4452 Hofdacke.exe 1988 Hbeqmoji.exe 2724 Hioiji32.exe 1968 Hmjdjgjo.exe 2620 Hcdmga32.exe 4948 Hfcicmqp.exe 2384 Iiaephpc.exe 4972 Ipknlb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jijjfldq.dll Bjagjhnc.exe File opened for modification C:\Windows\SysWOW64\Ajanck32.exe Qgcbgo32.exe File opened for modification C:\Windows\SysWOW64\Fhemmlhc.exe Fakdpb32.exe File created C:\Windows\SysWOW64\Fooeif32.exe Fhemmlhc.exe File opened for modification C:\Windows\SysWOW64\Hmcojh32.exe Hfifmnij.exe File created C:\Windows\SysWOW64\Eeanii32.dll Jmhale32.exe File opened for modification C:\Windows\SysWOW64\Ldanqkki.exe Lpebpm32.exe File created C:\Windows\SysWOW64\Hfnphn32.exe Hcpclbfa.exe File created C:\Windows\SysWOW64\Balpgb32.exe Bmpcfdmg.exe File created C:\Windows\SysWOW64\Jlednamo.exe Jifhaenk.exe File created C:\Windows\SysWOW64\Cndikf32.exe Cfmajipb.exe File opened for modification C:\Windows\SysWOW64\Ecandfpd.exe Elgfgl32.exe File created C:\Windows\SysWOW64\Enoogcin.dll Hcpclbfa.exe File created C:\Windows\SysWOW64\Jpphah32.dll Jbjcolha.exe File opened for modification C:\Windows\SysWOW64\Pjcbbmif.exe Pgefeajb.exe File opened for modification C:\Windows\SysWOW64\Cdabcm32.exe Cenahpha.exe File created C:\Windows\SysWOW64\Ibnccmbo.exe Ippggbck.exe File created C:\Windows\SysWOW64\Imbajm32.dll Bcoenmao.exe File opened for modification C:\Windows\SysWOW64\Cdcoim32.exe Caebma32.exe File created C:\Windows\SysWOW64\Keajjc32.dll Hmjdjgjo.exe File created C:\Windows\SysWOW64\Cibifp32.dll Hcdmga32.exe File opened for modification C:\Windows\SysWOW64\Mlopkm32.exe Mipcob32.exe File created C:\Windows\SysWOW64\Pcppfaka.exe Pqbdjfln.exe File opened for modification C:\Windows\SysWOW64\Pjjhbl32.exe Pfolbmje.exe File created C:\Windows\SysWOW64\Aeniabfd.exe Aabmqd32.exe File created C:\Windows\SysWOW64\Omocan32.dll Cdabcm32.exe File opened for modification C:\Windows\SysWOW64\Dfpgffpm.exe Dhmgki32.exe File created C:\Windows\SysWOW64\Kdcbom32.exe Klljnp32.exe File created C:\Windows\SysWOW64\Neimdg32.dll Mlopkm32.exe File created C:\Windows\SysWOW64\Nfjjppmm.exe Nckndeni.exe File opened for modification C:\Windows\SysWOW64\Aminee32.exe Anfmjhmd.exe File created C:\Windows\SysWOW64\Cagobalc.exe Cnicfe32.exe File created C:\Windows\SysWOW64\Lejfpelg.dll Hopnqdan.exe File created C:\Windows\SysWOW64\Nenqea32.dll Nljofl32.exe File created C:\Windows\SysWOW64\Aabmqd32.exe Andqdh32.exe File created C:\Windows\SysWOW64\Dbagnedl.dll Pncgmkmj.exe File created C:\Windows\SysWOW64\Cdcoim32.exe Caebma32.exe File opened for modification C:\Windows\SysWOW64\Fllpbldb.exe Fdegandp.exe File opened for modification C:\Windows\SysWOW64\Iiaephpc.exe Hfcicmqp.exe File opened for modification C:\Windows\SysWOW64\Anfmjhmd.exe Afoeiklb.exe File created C:\Windows\SysWOW64\Ckmllpik.dll Cfbkeh32.exe File created C:\Windows\SysWOW64\Poahbe32.dll Ddonekbl.exe File created C:\Windows\SysWOW64\Icnpmp32.exe Ilghlc32.exe File opened for modification C:\Windows\SysWOW64\Ldoaklml.exe Llgjjnlj.exe File created C:\Windows\SysWOW64\Mgimcebb.exe Mpoefk32.exe File opened for modification C:\Windows\SysWOW64\Opakbi32.exe Oncofm32.exe File created C:\Windows\SysWOW64\Aeklkchg.exe Amddjegd.exe File opened for modification C:\Windows\SysWOW64\Icnpmp32.exe Ilghlc32.exe File created C:\Windows\SysWOW64\Lfhdlh32.exe Ldjhpl32.exe File created C:\Windows\SysWOW64\Hcjccj32.dll Dfiafg32.exe File created C:\Windows\SysWOW64\Nngndc32.dll Gbiaapdf.exe File created C:\Windows\SysWOW64\Ogibpb32.dll Likjcbkc.exe File created C:\Windows\SysWOW64\Mlopkm32.exe Mipcob32.exe File created C:\Windows\SysWOW64\Pqknig32.exe Pnlaml32.exe File opened for modification C:\Windows\SysWOW64\Jcioiood.exe Jlbgha32.exe File created C:\Windows\SysWOW64\Oolpjdob.dll Lfkaag32.exe File opened for modification C:\Windows\SysWOW64\Cnicfe32.exe Cfbkeh32.exe File created C:\Windows\SysWOW64\Dknpmdfc.exe Dhocqigp.exe File created C:\Windows\SysWOW64\Dndgjk32.dll Ieolehop.exe File created C:\Windows\SysWOW64\Namdcd32.dll Kmncnb32.exe File created C:\Windows\SysWOW64\Mcpnhfhf.exe Mpablkhc.exe File opened for modification C:\Windows\SysWOW64\Qceiaa32.exe Qqfmde32.exe File created C:\Windows\SysWOW64\Bclhhnca.exe Banllbdn.exe File created C:\Windows\SysWOW64\Gkmlofol.exe Gdcdbl32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8968 8808 WerFault.exe 383 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eleiam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecandfpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbpnkama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nljofl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll" Ddjejl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nekfmb32.dll" Hijooifk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ippggbck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieolehop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lljfpnjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfgmjqop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqfdnhfk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eepjpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bapiabak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlpkba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldjhpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlmllkja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll" Ajfhnjhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll" Afoeiklb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdhmnlcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldanqkki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njefqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfiafg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Andqdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcbgk32.dll" Eoolbinc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qddina32.dll" Hofdacke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mibpda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll" Pjjhbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfaigm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amddjegd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojjolnaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmnpgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dogogcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Docjlc32.dll" Iiaephpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjbedgde.dll" Jbhfjljd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll" Banllbdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfjhkjle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqdeld32.dll" Kimnbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qncbfk32.dll" Ldanqkki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll" Pcppfaka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfngap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iehfdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfhlejnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amddjegd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ceehho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlcifmbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aqkgpedc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhhnpjmh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgimcebb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjakkfbf.dll" Iejcji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilidbbgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hflheb32.dll" Llgjjnlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcjlcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlbgha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Liimncmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjiol32.dll" Mmnldp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlaegk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oncofm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqhacgdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgimcebb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndcdmikd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aeniabfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klgqcqkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmiciaaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll" Qqfmde32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4040 wrote to memory of 2568 4040 8dc5187efd9cd02b680046960da17280318ba83e91210962eda86a1e6ba8bf75.exe 82 PID 4040 wrote to memory of 2568 4040 8dc5187efd9cd02b680046960da17280318ba83e91210962eda86a1e6ba8bf75.exe 82 PID 4040 wrote to memory of 2568 4040 8dc5187efd9cd02b680046960da17280318ba83e91210962eda86a1e6ba8bf75.exe 82 PID 2568 wrote to memory of 2028 2568 Eoolbinc.exe 83 PID 2568 wrote to memory of 2028 2568 Eoolbinc.exe 83 PID 2568 wrote to memory of 2028 2568 Eoolbinc.exe 83 PID 2028 wrote to memory of 3940 2028 Edkdkplj.exe 84 PID 2028 wrote to memory of 3940 2028 Edkdkplj.exe 84 PID 2028 wrote to memory of 3940 2028 Edkdkplj.exe 84 PID 3940 wrote to memory of 5108 3940 Ekemhj32.exe 85 PID 3940 wrote to memory of 5108 3940 Ekemhj32.exe 85 PID 3940 wrote to memory of 5108 3940 Ekemhj32.exe 85 PID 5108 wrote to memory of 1788 5108 Ecmeig32.exe 86 PID 5108 wrote to memory of 1788 5108 Ecmeig32.exe 86 PID 5108 wrote to memory of 1788 5108 Ecmeig32.exe 86 PID 1788 wrote to memory of 1796 1788 Eekaebcm.exe 87 PID 1788 wrote to memory of 1796 1788 Eekaebcm.exe 87 PID 1788 wrote to memory of 1796 1788 Eekaebcm.exe 87 PID 1796 wrote to memory of 3592 1796 Eleiam32.exe 88 PID 1796 wrote to memory of 3592 1796 Eleiam32.exe 88 PID 1796 wrote to memory of 3592 1796 Eleiam32.exe 88 PID 3592 wrote to memory of 5032 3592 Ecoangbg.exe 89 PID 3592 wrote to memory of 5032 3592 Ecoangbg.exe 89 PID 3592 wrote to memory of 5032 3592 Ecoangbg.exe 89 PID 5032 wrote to memory of 2428 5032 Edpnfo32.exe 90 PID 5032 wrote to memory of 2428 5032 Edpnfo32.exe 90 PID 5032 wrote to memory of 2428 5032 Edpnfo32.exe 90 PID 2428 wrote to memory of 3496 2428 Elgfgl32.exe 91 PID 2428 wrote to memory of 3496 2428 Elgfgl32.exe 91 PID 2428 wrote to memory of 3496 2428 Elgfgl32.exe 91 PID 3496 wrote to memory of 3312 3496 Ecandfpd.exe 92 PID 3496 wrote to memory of 3312 3496 Ecandfpd.exe 92 PID 3496 wrote to memory of 3312 3496 Ecandfpd.exe 92 PID 3312 wrote to memory of 2124 3312 Eepjpb32.exe 93 PID 3312 wrote to memory of 2124 3312 Eepjpb32.exe 93 PID 3312 wrote to memory of 2124 3312 Eepjpb32.exe 93 PID 2124 wrote to memory of 1568 2124 Ehnglm32.exe 94 PID 2124 wrote to memory of 1568 2124 Ehnglm32.exe 94 PID 2124 wrote to memory of 1568 2124 Ehnglm32.exe 94 PID 1568 wrote to memory of 4212 1568 Fkmchi32.exe 95 PID 1568 wrote to memory of 4212 1568 Fkmchi32.exe 95 PID 1568 wrote to memory of 4212 1568 Fkmchi32.exe 95 PID 4212 wrote to memory of 4308 4212 Fcckif32.exe 96 PID 4212 wrote to memory of 4308 4212 Fcckif32.exe 96 PID 4212 wrote to memory of 4308 4212 Fcckif32.exe 96 PID 4308 wrote to memory of 3588 4308 Fdegandp.exe 97 PID 4308 wrote to memory of 3588 4308 Fdegandp.exe 97 PID 4308 wrote to memory of 3588 4308 Fdegandp.exe 97 PID 3588 wrote to memory of 4504 3588 Fllpbldb.exe 98 PID 3588 wrote to memory of 4504 3588 Fllpbldb.exe 98 PID 3588 wrote to memory of 4504 3588 Fllpbldb.exe 98 PID 4504 wrote to memory of 468 4504 Fcfhof32.exe 99 PID 4504 wrote to memory of 468 4504 Fcfhof32.exe 99 PID 4504 wrote to memory of 468 4504 Fcfhof32.exe 99 PID 468 wrote to memory of 1584 468 Fdgdgnbm.exe 100 PID 468 wrote to memory of 1584 468 Fdgdgnbm.exe 100 PID 468 wrote to memory of 1584 468 Fdgdgnbm.exe 100 PID 1584 wrote to memory of 2600 1584 Flnlhk32.exe 101 PID 1584 wrote to memory of 2600 1584 Flnlhk32.exe 101 PID 1584 wrote to memory of 2600 1584 Flnlhk32.exe 101 PID 2600 wrote to memory of 4364 2600 Fakdpb32.exe 102 PID 2600 wrote to memory of 4364 2600 Fakdpb32.exe 102 PID 2600 wrote to memory of 4364 2600 Fakdpb32.exe 102 PID 4364 wrote to memory of 880 4364 Fhemmlhc.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\8dc5187efd9cd02b680046960da17280318ba83e91210962eda86a1e6ba8bf75.exe"C:\Users\Admin\AppData\Local\Temp\8dc5187efd9cd02b680046960da17280318ba83e91210962eda86a1e6ba8bf75.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Windows\SysWOW64\Eoolbinc.exeC:\Windows\system32\Eoolbinc.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Edkdkplj.exeC:\Windows\system32\Edkdkplj.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Ekemhj32.exeC:\Windows\system32\Ekemhj32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
C:\Windows\SysWOW64\Ecmeig32.exeC:\Windows\system32\Ecmeig32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Windows\SysWOW64\Eekaebcm.exeC:\Windows\system32\Eekaebcm.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Eleiam32.exeC:\Windows\system32\Eleiam32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Ecoangbg.exeC:\Windows\system32\Ecoangbg.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\SysWOW64\Edpnfo32.exeC:\Windows\system32\Edpnfo32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Elgfgl32.exeC:\Windows\system32\Elgfgl32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Ecandfpd.exeC:\Windows\system32\Ecandfpd.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\Eepjpb32.exeC:\Windows\system32\Eepjpb32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Windows\SysWOW64\Ehnglm32.exeC:\Windows\system32\Ehnglm32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Fkmchi32.exeC:\Windows\system32\Fkmchi32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Fcckif32.exeC:\Windows\system32\Fcckif32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Windows\SysWOW64\Fdegandp.exeC:\Windows\system32\Fdegandp.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Windows\SysWOW64\Fllpbldb.exeC:\Windows\system32\Fllpbldb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
C:\Windows\SysWOW64\Fcfhof32.exeC:\Windows\system32\Fcfhof32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\Fdgdgnbm.exeC:\Windows\system32\Fdgdgnbm.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Windows\SysWOW64\Flnlhk32.exeC:\Windows\system32\Flnlhk32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Fakdpb32.exeC:\Windows\system32\Fakdpb32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Fhemmlhc.exeC:\Windows\system32\Fhemmlhc.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4364 -
C:\Windows\SysWOW64\Fooeif32.exeC:\Windows\system32\Fooeif32.exe23⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Ffimfqgm.exeC:\Windows\system32\Ffimfqgm.exe24⤵
- Executes dropped EXE
PID:4748 -
C:\Windows\SysWOW64\Flceckoj.exeC:\Windows\system32\Flceckoj.exe25⤵
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Fkffog32.exeC:\Windows\system32\Fkffog32.exe26⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Fbpnkama.exeC:\Windows\system32\Fbpnkama.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:1764 -
C:\Windows\SysWOW64\Ffkjlp32.exeC:\Windows\system32\Ffkjlp32.exe28⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Glebhjlg.exeC:\Windows\system32\Glebhjlg.exe29⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Gcojed32.exeC:\Windows\system32\Gcojed32.exe30⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Gfngap32.exeC:\Windows\system32\Gfngap32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4412 -
C:\Windows\SysWOW64\Ghlcnk32.exeC:\Windows\system32\Ghlcnk32.exe32⤵
- Executes dropped EXE
PID:3596 -
C:\Windows\SysWOW64\Gofkje32.exeC:\Windows\system32\Gofkje32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3784 -
C:\Windows\SysWOW64\Gbdgfa32.exeC:\Windows\system32\Gbdgfa32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Gdcdbl32.exeC:\Windows\system32\Gdcdbl32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4704 -
C:\Windows\SysWOW64\Gkmlofol.exeC:\Windows\system32\Gkmlofol.exe36⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Gohhpe32.exeC:\Windows\system32\Gohhpe32.exe37⤵
- Executes dropped EXE
PID:3300 -
C:\Windows\SysWOW64\Gbgdlq32.exeC:\Windows\system32\Gbgdlq32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Gdeqhl32.exeC:\Windows\system32\Gdeqhl32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4488 -
C:\Windows\SysWOW64\Gkoiefmj.exeC:\Windows\system32\Gkoiefmj.exe40⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Gbiaapdf.exeC:\Windows\system32\Gbiaapdf.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1084 -
C:\Windows\SysWOW64\Gdhmnlcj.exeC:\Windows\system32\Gdhmnlcj.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Gkaejf32.exeC:\Windows\system32\Gkaejf32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Gblngpbd.exeC:\Windows\system32\Gblngpbd.exe44⤵
- Executes dropped EXE
PID:228 -
C:\Windows\SysWOW64\Gdjjckag.exeC:\Windows\system32\Gdjjckag.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Hmabdibj.exeC:\Windows\system32\Hmabdibj.exe46⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Hopnqdan.exeC:\Windows\system32\Hopnqdan.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1192 -
C:\Windows\SysWOW64\Hfifmnij.exeC:\Windows\system32\Hfifmnij.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1272 -
C:\Windows\SysWOW64\Hmcojh32.exeC:\Windows\system32\Hmcojh32.exe49⤵
- Executes dropped EXE
PID:3568 -
C:\Windows\SysWOW64\Hobkfd32.exeC:\Windows\system32\Hobkfd32.exe50⤵
- Executes dropped EXE
PID:3880 -
C:\Windows\SysWOW64\Hcmgfbhd.exeC:\Windows\system32\Hcmgfbhd.exe51⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Hijooifk.exeC:\Windows\system32\Hijooifk.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1056 -
C:\Windows\SysWOW64\Hmfkoh32.exeC:\Windows\system32\Hmfkoh32.exe53⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Hcpclbfa.exeC:\Windows\system32\Hcpclbfa.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3304 -
C:\Windows\SysWOW64\Hfnphn32.exeC:\Windows\system32\Hfnphn32.exe55⤵
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\Himldi32.exeC:\Windows\system32\Himldi32.exe56⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Hmhhehlb.exeC:\Windows\system32\Hmhhehlb.exe57⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Hofdacke.exeC:\Windows\system32\Hofdacke.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:4452 -
C:\Windows\SysWOW64\Hbeqmoji.exeC:\Windows\system32\Hbeqmoji.exe59⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Hioiji32.exeC:\Windows\system32\Hioiji32.exe60⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Hmjdjgjo.exeC:\Windows\system32\Hmjdjgjo.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Hcdmga32.exeC:\Windows\system32\Hcdmga32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Hfcicmqp.exeC:\Windows\system32\Hfcicmqp.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4948 -
C:\Windows\SysWOW64\Iiaephpc.exeC:\Windows\system32\Iiaephpc.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Ipknlb32.exeC:\Windows\system32\Ipknlb32.exe65⤵
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\Iehfdi32.exeC:\Windows\system32\Iehfdi32.exe66⤵
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Imoneg32.exeC:\Windows\system32\Imoneg32.exe67⤵PID:3916
-
C:\Windows\SysWOW64\Icifbang.exeC:\Windows\system32\Icifbang.exe68⤵PID:4228
-
C:\Windows\SysWOW64\Ifgbnlmj.exeC:\Windows\system32\Ifgbnlmj.exe69⤵PID:4396
-
C:\Windows\SysWOW64\Iejcji32.exeC:\Windows\system32\Iejcji32.exe70⤵
- Modifies registry class
PID:4036 -
C:\Windows\SysWOW64\Imakkfdg.exeC:\Windows\system32\Imakkfdg.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:860 -
C:\Windows\SysWOW64\Ippggbck.exeC:\Windows\system32\Ippggbck.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Ibnccmbo.exeC:\Windows\system32\Ibnccmbo.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3856 -
C:\Windows\SysWOW64\Iemppiab.exeC:\Windows\system32\Iemppiab.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3760 -
C:\Windows\SysWOW64\Ilghlc32.exeC:\Windows\system32\Ilghlc32.exe75⤵
- Drops file in System32 directory
PID:4644 -
C:\Windows\SysWOW64\Icnpmp32.exeC:\Windows\system32\Icnpmp32.exe76⤵PID:3864
-
C:\Windows\SysWOW64\Ieolehop.exeC:\Windows\system32\Ieolehop.exe77⤵
- Drops file in System32 directory
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Ilidbbgl.exeC:\Windows\system32\Ilidbbgl.exe78⤵
- Modifies registry class
PID:3224 -
C:\Windows\SysWOW64\Ipdqba32.exeC:\Windows\system32\Ipdqba32.exe79⤵PID:4460
-
C:\Windows\SysWOW64\Jfoiokfb.exeC:\Windows\system32\Jfoiokfb.exe80⤵PID:3016
-
C:\Windows\SysWOW64\Jmhale32.exeC:\Windows\system32\Jmhale32.exe81⤵
- Drops file in System32 directory
PID:2744 -
C:\Windows\SysWOW64\Jbeidl32.exeC:\Windows\system32\Jbeidl32.exe82⤵PID:2012
-
C:\Windows\SysWOW64\Jedeph32.exeC:\Windows\system32\Jedeph32.exe83⤵PID:4408
-
C:\Windows\SysWOW64\Jmknaell.exeC:\Windows\system32\Jmknaell.exe84⤵PID:2068
-
C:\Windows\SysWOW64\Jbhfjljd.exeC:\Windows\system32\Jbhfjljd.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Jlpkba32.exeC:\Windows\system32\Jlpkba32.exe86⤵
- Modifies registry class
PID:5020 -
C:\Windows\SysWOW64\Jbjcolha.exeC:\Windows\system32\Jbjcolha.exe87⤵
- Drops file in System32 directory
PID:4444 -
C:\Windows\SysWOW64\Jidklf32.exeC:\Windows\system32\Jidklf32.exe88⤵PID:5060
-
C:\Windows\SysWOW64\Jlbgha32.exeC:\Windows\system32\Jlbgha32.exe89⤵
- Drops file in System32 directory
- Modifies registry class
PID:1068 -
C:\Windows\SysWOW64\Jcioiood.exeC:\Windows\system32\Jcioiood.exe90⤵PID:3280
-
C:\Windows\SysWOW64\Jfhlejnh.exeC:\Windows\system32\Jfhlejnh.exe91⤵
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Jifhaenk.exeC:\Windows\system32\Jifhaenk.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4932 -
C:\Windows\SysWOW64\Jlednamo.exeC:\Windows\system32\Jlednamo.exe93⤵PID:5132
-
C:\Windows\SysWOW64\Jcllonma.exeC:\Windows\system32\Jcllonma.exe94⤵PID:5176
-
C:\Windows\SysWOW64\Kfjhkjle.exeC:\Windows\system32\Kfjhkjle.exe95⤵
- Modifies registry class
PID:5228 -
C:\Windows\SysWOW64\Kiidgeki.exeC:\Windows\system32\Kiidgeki.exe96⤵PID:5268
-
C:\Windows\SysWOW64\Klgqcqkl.exeC:\Windows\system32\Klgqcqkl.exe97⤵
- Modifies registry class
PID:5316 -
C:\Windows\SysWOW64\Kdnidn32.exeC:\Windows\system32\Kdnidn32.exe98⤵PID:5360
-
C:\Windows\SysWOW64\Kepelfam.exeC:\Windows\system32\Kepelfam.exe99⤵PID:5404
-
C:\Windows\SysWOW64\Kfoafi32.exeC:\Windows\system32\Kfoafi32.exe100⤵PID:5452
-
C:\Windows\SysWOW64\Kimnbd32.exeC:\Windows\system32\Kimnbd32.exe101⤵
- Modifies registry class
PID:5496 -
C:\Windows\SysWOW64\Klljnp32.exeC:\Windows\system32\Klljnp32.exe102⤵
- Drops file in System32 directory
PID:5540 -
C:\Windows\SysWOW64\Kdcbom32.exeC:\Windows\system32\Kdcbom32.exe103⤵PID:5584
-
C:\Windows\SysWOW64\Kfankifm.exeC:\Windows\system32\Kfankifm.exe104⤵PID:5624
-
C:\Windows\SysWOW64\Kipkhdeq.exeC:\Windows\system32\Kipkhdeq.exe105⤵PID:5672
-
C:\Windows\SysWOW64\Klngdpdd.exeC:\Windows\system32\Klngdpdd.exe106⤵PID:5712
-
C:\Windows\SysWOW64\Kdeoemeg.exeC:\Windows\system32\Kdeoemeg.exe107⤵PID:5752
-
C:\Windows\SysWOW64\Kbhoqj32.exeC:\Windows\system32\Kbhoqj32.exe108⤵PID:5796
-
C:\Windows\SysWOW64\Kefkme32.exeC:\Windows\system32\Kefkme32.exe109⤵PID:5840
-
C:\Windows\SysWOW64\Kmncnb32.exeC:\Windows\system32\Kmncnb32.exe110⤵
- Drops file in System32 directory
PID:5880 -
C:\Windows\SysWOW64\Kplpjn32.exeC:\Windows\system32\Kplpjn32.exe111⤵PID:5924
-
C:\Windows\SysWOW64\Lbjlfi32.exeC:\Windows\system32\Lbjlfi32.exe112⤵PID:5968
-
C:\Windows\SysWOW64\Leihbeib.exeC:\Windows\system32\Leihbeib.exe113⤵PID:6012
-
C:\Windows\SysWOW64\Lmppcbjd.exeC:\Windows\system32\Lmppcbjd.exe114⤵PID:6056
-
C:\Windows\SysWOW64\Ldjhpl32.exeC:\Windows\system32\Ldjhpl32.exe115⤵
- Drops file in System32 directory
- Modifies registry class
PID:6104 -
C:\Windows\SysWOW64\Lfhdlh32.exeC:\Windows\system32\Lfhdlh32.exe116⤵PID:1636
-
C:\Windows\SysWOW64\Lmbmibhb.exeC:\Windows\system32\Lmbmibhb.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5208 -
C:\Windows\SysWOW64\Lpqiemge.exeC:\Windows\system32\Lpqiemge.exe118⤵PID:5324
-
C:\Windows\SysWOW64\Lboeaifi.exeC:\Windows\system32\Lboeaifi.exe119⤵PID:5384
-
C:\Windows\SysWOW64\Lfkaag32.exeC:\Windows\system32\Lfkaag32.exe120⤵
- Drops file in System32 directory
PID:5512 -
C:\Windows\SysWOW64\Liimncmf.exeC:\Windows\system32\Liimncmf.exe121⤵
- Modifies registry class
PID:5564 -
C:\Windows\SysWOW64\Lmdina32.exeC:\Windows\system32\Lmdina32.exe122⤵PID:5660
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-