Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
29-05-2024 22:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5ac0ae7ac3222e8b9c8003623629f95b0afdeef1d89652ece8f4d31be7289c33.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
5ac0ae7ac3222e8b9c8003623629f95b0afdeef1d89652ece8f4d31be7289c33.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
5ac0ae7ac3222e8b9c8003623629f95b0afdeef1d89652ece8f4d31be7289c33.exe
-
Size
63KB
-
MD5
dd515a8062f2651eceeecd5cb1a1e55f
-
SHA1
fdf18098bb5b0ba3b2a557efacf367cec3c65133
-
SHA256
5ac0ae7ac3222e8b9c8003623629f95b0afdeef1d89652ece8f4d31be7289c33
-
SHA512
d11847badd6d4fa309a182f34e7d7c5886608c414c716370893b833284523eea75ebd61479bcfc978e5a1c6e6c8792c9be93ca19cad7a8bc4dea0332e353297e
-
SSDEEP
1536:zbHkDLV79Pj59Of5nn0vxqB73sH1juIZo:zbHkDLV79Pj59y6vxq13sH1juIZo
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjmkoeqi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfgjgo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiefcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgjjdf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnkdhpjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggqida32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oigllh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnhnaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbighjdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goedpofl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcpnhfhf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Majjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miaboe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eapedd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oigllh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moobbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ophjiaql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flqdlnde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beglgani.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcccfh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nookip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eopbnbhd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lejnmncd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mefmimif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjecpkcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Andgoobc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eciplm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohnohn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlgmpogj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iemppiab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkhoae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Colffknh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocmconhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dapkni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkdhjknm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mglack32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohiemobf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcmofolg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfnbdecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfjapcii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnhmng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epndknin.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdfmlhna.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlleaeff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbgnemjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nefped32.exe -
Executes dropped EXE 64 IoCs
pid Process 2924 Lpocjdld.exe 4228 Lcmofolg.exe 1692 Lkdggmlj.exe 3432 Lmccchkn.exe 4660 Laopdgcg.exe 4788 Ldmlpbbj.exe 3276 Lgkhlnbn.exe 2684 Lijdhiaa.exe 1976 Laalifad.exe 2032 Ldohebqh.exe 4180 Lcbiao32.exe 1204 Lkiqbl32.exe 564 Lnhmng32.exe 3504 Lpfijcfl.exe 2388 Ldaeka32.exe 4916 Lklnhlfb.exe 2204 Lnjjdgee.exe 2400 Lphfpbdi.exe 4708 Lcgblncm.exe 4092 Lknjmkdo.exe 3136 Mahbje32.exe 3112 Mciobn32.exe 1544 Mkpgck32.exe 744 Mnocof32.exe 3476 Mdiklqhm.exe 2088 Mgghhlhq.exe 1156 Mnapdf32.exe 2020 Mpolqa32.exe 1904 Mgidml32.exe 2260 Mjhqjg32.exe 3508 Mpaifalo.exe 2532 Mglack32.exe 3300 Mjjmog32.exe 4800 Maaepd32.exe 5000 Mgnnhk32.exe 4664 Nacbfdao.exe 4752 Nceonl32.exe 4364 Nklfoi32.exe 2664 Nqiogp32.exe 4844 Ngcgcjnc.exe 696 Njacpf32.exe 1408 Nqklmpdd.exe 1340 Ndghmo32.exe 3320 Nkqpjidj.exe 1072 Nnolfdcn.exe 364 Nqmhbpba.exe 544 Ncldnkae.exe 4464 Nbmelbid.exe 1652 Ncnadk32.exe 3020 Ojhiqefo.exe 4148 Odnnnnfe.exe 4056 Ogljjiei.exe 3264 Onfbfc32.exe 4640 Ogogoi32.exe 3464 Obdkma32.exe 3328 Obfhba32.exe 2304 Okolkg32.exe 4920 Pcjapi32.exe 4144 Pjdilcla.exe 3916 Pkceffcd.exe 4556 Pqpnombl.exe 2300 Pkfblfab.exe 4576 Pkhoae32.exe 1932 Pbbgnpgl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Mlmbfqoj.exe Miofjepg.exe File opened for modification C:\Windows\SysWOW64\Aoalgn32.exe Process not Found File created C:\Windows\SysWOW64\Amjbbfgo.exe Process not Found File created C:\Windows\SysWOW64\Nceonl32.exe Nacbfdao.exe File created C:\Windows\SysWOW64\Qqhcpo32.exe Qjnkcekm.exe File created C:\Windows\SysWOW64\Kmieae32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lenicahg.exe Process not Found File created C:\Windows\SysWOW64\Dcmann32.dll Oidofh32.exe File created C:\Windows\SysWOW64\Llflea32.exe Lihpif32.exe File opened for modification C:\Windows\SysWOW64\Kfjapcii.exe Knbiofhg.exe File created C:\Windows\SysWOW64\Jkdgfllg.dll Process not Found File opened for modification C:\Windows\SysWOW64\Joahqn32.exe Process not Found File created C:\Windows\SysWOW64\Iblhpckf.dll Process not Found File opened for modification C:\Windows\SysWOW64\Chdialdl.exe Process not Found File created C:\Windows\SysWOW64\Ojhiqefo.exe Ncnadk32.exe File opened for modification C:\Windows\SysWOW64\Andgoobc.exe Ahkobekf.exe File opened for modification C:\Windows\SysWOW64\Oncofm32.exe Oflgep32.exe File opened for modification C:\Windows\SysWOW64\Afmhck32.exe Acnlgp32.exe File created C:\Windows\SysWOW64\Moobbb32.exe Mplafeil.exe File created C:\Windows\SysWOW64\Kalhafbk.dll Okchnk32.exe File created C:\Windows\SysWOW64\Palbgl32.exe Process not Found File created C:\Windows\SysWOW64\Aijqqd32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Cecbmf32.exe Cbefaj32.exe File opened for modification C:\Windows\SysWOW64\Hopnqdan.exe Hiefcj32.exe File opened for modification C:\Windows\SysWOW64\Malgcg32.exe Mbighjdd.exe File created C:\Windows\SysWOW64\Npodfe32.dll Fjjnifbl.exe File opened for modification C:\Windows\SysWOW64\Mmnhcb32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Qdbdcg32.exe Process not Found File created C:\Windows\SysWOW64\Lgpoihnl.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ifgbnlmj.exe Ipnjab32.exe File created C:\Windows\SysWOW64\Agdgdlac.dll Mbhamajc.exe File created C:\Windows\SysWOW64\Mibime32.dll Giqkkf32.exe File created C:\Windows\SysWOW64\Cffpglpg.dll Ljdceo32.exe File opened for modification C:\Windows\SysWOW64\Olbdhn32.exe Oidhlb32.exe File created C:\Windows\SysWOW64\Jghpbk32.exe Process not Found File created C:\Windows\SysWOW64\Pcbdco32.dll Cecbmf32.exe File created C:\Windows\SysWOW64\Dhkehk32.dll Idebdcdo.exe File created C:\Windows\SysWOW64\Bjlpjm32.exe Bfpdin32.exe File created C:\Windows\SysWOW64\Dcbknkol.dll Lhncdi32.exe File created C:\Windows\SysWOW64\Bfjnjcni.exe Bqmeal32.exe File created C:\Windows\SysWOW64\Leihbeib.exe Kdgljmcd.exe File opened for modification C:\Windows\SysWOW64\Pgbbek32.exe Ocffempp.exe File opened for modification C:\Windows\SysWOW64\Lcnfohmi.exe Process not Found File created C:\Windows\SysWOW64\Daekdooc.exe Dfpgffpm.exe File created C:\Windows\SysWOW64\Kijchhbo.exe Kenggi32.exe File created C:\Windows\SysWOW64\Lihfcm32.exe Lfjjga32.exe File opened for modification C:\Windows\SysWOW64\Gddbcp32.exe Gaefgd32.exe File opened for modification C:\Windows\SysWOW64\Hpjmnjqn.exe Process not Found File created C:\Windows\SysWOW64\Pdfehh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Njacpf32.exe Ngcgcjnc.exe File created C:\Windows\SysWOW64\Nabqkgan.dll Ieolehop.exe File opened for modification C:\Windows\SysWOW64\Iohjlmeg.exe Hdbfodfa.exe File created C:\Windows\SysWOW64\Fliabjbh.dll Bfjnjcni.exe File created C:\Windows\SysWOW64\Idieem32.exe Iakiia32.exe File opened for modification C:\Windows\SysWOW64\Gbeejp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Clpgpp32.exe Cbgbgj32.exe File created C:\Windows\SysWOW64\Afmhck32.exe Acnlgp32.exe File created C:\Windows\SysWOW64\Mhfppabl.exe Micoed32.exe File created C:\Windows\SysWOW64\Gbmingjo.exe Process not Found File opened for modification C:\Windows\SysWOW64\Eiahnnph.exe Process not Found File created C:\Windows\SysWOW64\Ibdlakbf.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ojaelm32.exe Ofeilobp.exe File opened for modification C:\Windows\SysWOW64\Ljilqnlm.exe Llflea32.exe File created C:\Windows\SysWOW64\Didmdo32.dll Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 13640 14808 Process not Found 1658 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll" Opdghh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmofagfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjinodke.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqbjqh32.dll" Ceaehfjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egfdnejf.dll" Jbdlop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfcen32.dll" Aeddnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll" Maaepd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aogmoeik.dll" Ffddka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popodg32.dll" Pdifoehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhlpfgbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eglmfnhm.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmokdgeg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgempgqo.dll" Bjghpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjjhbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdkjpimd.dll" Ikfabm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlbkap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bblnindg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leilnmkp.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhlfehjp.dll" Iomcgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gacjadad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljilqnlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckilmcgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocjggbdl.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfhji32.dll" Fpggamqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbgbgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hijooifk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmpgldhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikfabm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Einbcgha.dll" Knlleepl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebooppnl.dll" Ogogoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jleqgfim.dll" Ieliebnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clddmhpl.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalhik32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfiedd32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehimanbq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdgfce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lldopb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfgcakon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhnhbn32.dll" Ebejfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfpcgbim.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfabnjjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieolehop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cldcmlpl.dll" Eajeon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgogbgei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgcjdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbajbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdkcmdhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odmgcgbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncfmno32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4244 wrote to memory of 2924 4244 5ac0ae7ac3222e8b9c8003623629f95b0afdeef1d89652ece8f4d31be7289c33.exe 80 PID 4244 wrote to memory of 2924 4244 5ac0ae7ac3222e8b9c8003623629f95b0afdeef1d89652ece8f4d31be7289c33.exe 80 PID 4244 wrote to memory of 2924 4244 5ac0ae7ac3222e8b9c8003623629f95b0afdeef1d89652ece8f4d31be7289c33.exe 80 PID 2924 wrote to memory of 4228 2924 Lpocjdld.exe 81 PID 2924 wrote to memory of 4228 2924 Lpocjdld.exe 81 PID 2924 wrote to memory of 4228 2924 Lpocjdld.exe 81 PID 4228 wrote to memory of 1692 4228 Lcmofolg.exe 82 PID 4228 wrote to memory of 1692 4228 Lcmofolg.exe 82 PID 4228 wrote to memory of 1692 4228 Lcmofolg.exe 82 PID 1692 wrote to memory of 3432 1692 Lkdggmlj.exe 83 PID 1692 wrote to memory of 3432 1692 Lkdggmlj.exe 83 PID 1692 wrote to memory of 3432 1692 Lkdggmlj.exe 83 PID 3432 wrote to memory of 4660 3432 Lmccchkn.exe 84 PID 3432 wrote to memory of 4660 3432 Lmccchkn.exe 84 PID 3432 wrote to memory of 4660 3432 Lmccchkn.exe 84 PID 4660 wrote to memory of 4788 4660 Laopdgcg.exe 85 PID 4660 wrote to memory of 4788 4660 Laopdgcg.exe 85 PID 4660 wrote to memory of 4788 4660 Laopdgcg.exe 85 PID 4788 wrote to memory of 3276 4788 Ldmlpbbj.exe 86 PID 4788 wrote to memory of 3276 4788 Ldmlpbbj.exe 86 PID 4788 wrote to memory of 3276 4788 Ldmlpbbj.exe 86 PID 3276 wrote to memory of 2684 3276 Lgkhlnbn.exe 87 PID 3276 wrote to memory of 2684 3276 Lgkhlnbn.exe 87 PID 3276 wrote to memory of 2684 3276 Lgkhlnbn.exe 87 PID 2684 wrote to memory of 1976 2684 Lijdhiaa.exe 88 PID 2684 wrote to memory of 1976 2684 Lijdhiaa.exe 88 PID 2684 wrote to memory of 1976 2684 Lijdhiaa.exe 88 PID 1976 wrote to memory of 2032 1976 Laalifad.exe 89 PID 1976 wrote to memory of 2032 1976 Laalifad.exe 89 PID 1976 wrote to memory of 2032 1976 Laalifad.exe 89 PID 2032 wrote to memory of 4180 2032 Ldohebqh.exe 90 PID 2032 wrote to memory of 4180 2032 Ldohebqh.exe 90 PID 2032 wrote to memory of 4180 2032 Ldohebqh.exe 90 PID 4180 wrote to memory of 1204 4180 Lcbiao32.exe 91 PID 4180 wrote to memory of 1204 4180 Lcbiao32.exe 91 PID 4180 wrote to memory of 1204 4180 Lcbiao32.exe 91 PID 1204 wrote to memory of 564 1204 Lkiqbl32.exe 92 PID 1204 wrote to memory of 564 1204 Lkiqbl32.exe 92 PID 1204 wrote to memory of 564 1204 Lkiqbl32.exe 92 PID 564 wrote to memory of 3504 564 Lnhmng32.exe 93 PID 564 wrote to memory of 3504 564 Lnhmng32.exe 93 PID 564 wrote to memory of 3504 564 Lnhmng32.exe 93 PID 3504 wrote to memory of 2388 3504 Lpfijcfl.exe 94 PID 3504 wrote to memory of 2388 3504 Lpfijcfl.exe 94 PID 3504 wrote to memory of 2388 3504 Lpfijcfl.exe 94 PID 2388 wrote to memory of 4916 2388 Ldaeka32.exe 95 PID 2388 wrote to memory of 4916 2388 Ldaeka32.exe 95 PID 2388 wrote to memory of 4916 2388 Ldaeka32.exe 95 PID 4916 wrote to memory of 2204 4916 Lklnhlfb.exe 96 PID 4916 wrote to memory of 2204 4916 Lklnhlfb.exe 96 PID 4916 wrote to memory of 2204 4916 Lklnhlfb.exe 96 PID 2204 wrote to memory of 2400 2204 Lnjjdgee.exe 97 PID 2204 wrote to memory of 2400 2204 Lnjjdgee.exe 97 PID 2204 wrote to memory of 2400 2204 Lnjjdgee.exe 97 PID 2400 wrote to memory of 4708 2400 Lphfpbdi.exe 98 PID 2400 wrote to memory of 4708 2400 Lphfpbdi.exe 98 PID 2400 wrote to memory of 4708 2400 Lphfpbdi.exe 98 PID 4708 wrote to memory of 4092 4708 Lcgblncm.exe 99 PID 4708 wrote to memory of 4092 4708 Lcgblncm.exe 99 PID 4708 wrote to memory of 4092 4708 Lcgblncm.exe 99 PID 4092 wrote to memory of 3136 4092 Lknjmkdo.exe 100 PID 4092 wrote to memory of 3136 4092 Lknjmkdo.exe 100 PID 4092 wrote to memory of 3136 4092 Lknjmkdo.exe 100 PID 3136 wrote to memory of 3112 3136 Mahbje32.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\5ac0ae7ac3222e8b9c8003623629f95b0afdeef1d89652ece8f4d31be7289c33.exe"C:\Users\Admin\AppData\Local\Temp\5ac0ae7ac3222e8b9c8003623629f95b0afdeef1d89652ece8f4d31be7289c33.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\SysWOW64\Lkdggmlj.exeC:\Windows\system32\Lkdggmlj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Lmccchkn.exeC:\Windows\system32\Lmccchkn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
C:\Windows\SysWOW64\Laopdgcg.exeC:\Windows\system32\Laopdgcg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\SysWOW64\Lgkhlnbn.exeC:\Windows\system32\Lgkhlnbn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Laalifad.exeC:\Windows\system32\Laalifad.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Lcbiao32.exeC:\Windows\system32\Lcbiao32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\SysWOW64\Lnhmng32.exeC:\Windows\system32\Lnhmng32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\SysWOW64\Lpfijcfl.exeC:\Windows\system32\Lpfijcfl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Lklnhlfb.exeC:\Windows\system32\Lklnhlfb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\SysWOW64\Lnjjdgee.exeC:\Windows\system32\Lnjjdgee.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Lphfpbdi.exeC:\Windows\system32\Lphfpbdi.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Lcgblncm.exeC:\Windows\system32\Lcgblncm.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
C:\Windows\SysWOW64\Lknjmkdo.exeC:\Windows\system32\Lknjmkdo.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
C:\Windows\SysWOW64\Mciobn32.exeC:\Windows\system32\Mciobn32.exe23⤵
- Executes dropped EXE
PID:3112 -
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe24⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Mnocof32.exeC:\Windows\system32\Mnocof32.exe25⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe26⤵
- Executes dropped EXE
PID:3476 -
C:\Windows\SysWOW64\Mgghhlhq.exeC:\Windows\system32\Mgghhlhq.exe27⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe28⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Mpolqa32.exeC:\Windows\system32\Mpolqa32.exe29⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Mgidml32.exeC:\Windows\system32\Mgidml32.exe30⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Mjhqjg32.exeC:\Windows\system32\Mjhqjg32.exe31⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe32⤵
- Executes dropped EXE
PID:3508 -
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe34⤵
- Executes dropped EXE
PID:3300 -
C:\Windows\SysWOW64\Maaepd32.exeC:\Windows\system32\Maaepd32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:4800 -
C:\Windows\SysWOW64\Mgnnhk32.exeC:\Windows\system32\Mgnnhk32.exe36⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Nacbfdao.exeC:\Windows\system32\Nacbfdao.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4664 -
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe38⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe39⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe40⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4844 -
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe42⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Nqklmpdd.exeC:\Windows\system32\Nqklmpdd.exe43⤵
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe44⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Nkqpjidj.exeC:\Windows\system32\Nkqpjidj.exe45⤵
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Nnolfdcn.exeC:\Windows\system32\Nnolfdcn.exe46⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe47⤵
- Executes dropped EXE
PID:364 -
C:\Windows\SysWOW64\Ncldnkae.exeC:\Windows\system32\Ncldnkae.exe48⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Nbmelbid.exeC:\Windows\system32\Nbmelbid.exe49⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Ncnadk32.exeC:\Windows\system32\Ncnadk32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1652 -
C:\Windows\SysWOW64\Ojhiqefo.exeC:\Windows\system32\Ojhiqefo.exe51⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe52⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe53⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Onfbfc32.exeC:\Windows\system32\Onfbfc32.exe54⤵
- Executes dropped EXE
PID:3264 -
C:\Windows\SysWOW64\Ogogoi32.exeC:\Windows\system32\Ogogoi32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:4640 -
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe56⤵
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe57⤵
- Executes dropped EXE
PID:3328 -
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe58⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe59⤵
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe60⤵
- Executes dropped EXE
PID:4144 -
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe61⤵
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe62⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe63⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4576 -
C:\Windows\SysWOW64\Pbbgnpgl.exeC:\Windows\system32\Pbbgnpgl.exe65⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Pcccfh32.exeC:\Windows\system32\Pcccfh32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1752 -
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe67⤵PID:4312
-
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe68⤵PID:2420
-
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe69⤵PID:1668
-
C:\Windows\SysWOW64\Qnkdhpjn.exeC:\Windows\system32\Qnkdhpjn.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1500 -
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe71⤵PID:1336
-
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe72⤵PID:4524
-
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe73⤵PID:4536
-
C:\Windows\SysWOW64\Ajdbcano.exeC:\Windows\system32\Ajdbcano.exe74⤵PID:1988
-
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe75⤵PID:3700
-
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe76⤵PID:2016
-
C:\Windows\SysWOW64\Anbkio32.exeC:\Windows\system32\Anbkio32.exe77⤵PID:2752
-
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe78⤵PID:4288
-
C:\Windows\SysWOW64\Ahkobekf.exeC:\Windows\system32\Ahkobekf.exe79⤵
- Drops file in System32 directory
PID:3192 -
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2920 -
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe81⤵PID:4516
-
C:\Windows\SysWOW64\Alhhhcal.exeC:\Windows\system32\Alhhhcal.exe82⤵PID:4896
-
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe83⤵PID:4316
-
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe84⤵PID:3796
-
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe85⤵PID:4568
-
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe86⤵PID:5012
-
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe87⤵PID:4424
-
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe88⤵PID:5064
-
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe89⤵PID:1792
-
C:\Windows\SysWOW64\Bnnjen32.exeC:\Windows\system32\Bnnjen32.exe90⤵PID:4596
-
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe91⤵
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Bjdkjo32.exeC:\Windows\system32\Bjdkjo32.exe92⤵PID:4012
-
C:\Windows\SysWOW64\Bblckl32.exeC:\Windows\system32\Bblckl32.exe93⤵PID:4824
-
C:\Windows\SysWOW64\Bejogg32.exeC:\Windows\system32\Bejogg32.exe94⤵PID:2536
-
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe95⤵PID:4952
-
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe96⤵
- Modifies registry class
PID:3668 -
C:\Windows\SysWOW64\Bemlmgnp.exeC:\Windows\system32\Bemlmgnp.exe97⤵PID:2768
-
C:\Windows\SysWOW64\Bhkhibmc.exeC:\Windows\system32\Bhkhibmc.exe98⤵PID:540
-
C:\Windows\SysWOW64\Boepel32.exeC:\Windows\system32\Boepel32.exe99⤵PID:4812
-
C:\Windows\SysWOW64\Cacmah32.exeC:\Windows\system32\Cacmah32.exe100⤵PID:4280
-
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe101⤵PID:2484
-
C:\Windows\SysWOW64\Cbcilkjg.exeC:\Windows\system32\Cbcilkjg.exe102⤵PID:2616
-
C:\Windows\SysWOW64\Ceaehfjj.exeC:\Windows\system32\Ceaehfjj.exe103⤵
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe104⤵PID:4892
-
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe105⤵PID:448
-
C:\Windows\SysWOW64\Cbefaj32.exeC:\Windows\system32\Cbefaj32.exe106⤵
- Drops file in System32 directory
PID:3736 -
C:\Windows\SysWOW64\Cecbmf32.exeC:\Windows\system32\Cecbmf32.exe107⤵
- Drops file in System32 directory
PID:692 -
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe108⤵PID:1840
-
C:\Windows\SysWOW64\Colffknh.exeC:\Windows\system32\Colffknh.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1540 -
C:\Windows\SysWOW64\Cbgbgj32.exeC:\Windows\system32\Cbgbgj32.exe110⤵
- Drops file in System32 directory
- Modifies registry class
PID:3996 -
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe111⤵PID:5164
-
C:\Windows\SysWOW64\Conclk32.exeC:\Windows\system32\Conclk32.exe112⤵PID:5208
-
C:\Windows\SysWOW64\Camphf32.exeC:\Windows\system32\Camphf32.exe113⤵PID:5260
-
C:\Windows\SysWOW64\Cehkhecb.exeC:\Windows\system32\Cehkhecb.exe114⤵PID:5328
-
C:\Windows\SysWOW64\Chghdqbf.exeC:\Windows\system32\Chghdqbf.exe115⤵PID:5376
-
C:\Windows\SysWOW64\Ckedalaj.exeC:\Windows\system32\Ckedalaj.exe116⤵PID:5436
-
C:\Windows\SysWOW64\Daolnf32.exeC:\Windows\system32\Daolnf32.exe117⤵PID:5484
-
C:\Windows\SysWOW64\Dekhneap.exeC:\Windows\system32\Dekhneap.exe118⤵PID:5524
-
C:\Windows\SysWOW64\Dhidjpqc.exeC:\Windows\system32\Dhidjpqc.exe119⤵PID:5572
-
C:\Windows\SysWOW64\Dkgqfl32.exeC:\Windows\system32\Dkgqfl32.exe120⤵PID:5628
-
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe121⤵PID:5680
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-