Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
30-05-2024 22:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
66f3d3ab3b81fc7fcbc3b8c886c35923a8a5736c89f4f1972b5aa1147b96d6b6.exe
Resource
win7-20240215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
66f3d3ab3b81fc7fcbc3b8c886c35923a8a5736c89f4f1972b5aa1147b96d6b6.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
66f3d3ab3b81fc7fcbc3b8c886c35923a8a5736c89f4f1972b5aa1147b96d6b6.exe
-
Size
128KB
-
MD5
dccb4cbbf41b987e408ada46c98454ac
-
SHA1
7ccb03b98ff3f4a6f247c501676ece153c94240f
-
SHA256
66f3d3ab3b81fc7fcbc3b8c886c35923a8a5736c89f4f1972b5aa1147b96d6b6
-
SHA512
2c3c2f86fee03cb31d125b673235f68e4fab0ae74b0b981ccdf99e98ad29aff049d92c5328ca676522363845ed49c929ff8852267b750d93ee4e038a435109ba
-
SSDEEP
3072:TpvI6aHLYZUv6+ym/PwidSX3ReDrFDHZtOgxBOXXH:W3Lm46KP7dSX3RO5tTDUX
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfabnjjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqpbglno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooejohhq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fllkqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgeghp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phbhcmjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkkgpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkokcl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmpgldhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klljnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njqmepik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdicienl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohnebd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alqjpi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmabggdm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igigla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcebhoii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lblaabdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhpiafnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnnkgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mblcnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pajeam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkgcea32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aednci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkkjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcncpbmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emnbdioi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpnlpnih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnjlpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okedcjcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgqfdnah.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhfajjoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idjlpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgiepjga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piphgq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmndpq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdokdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pahilmoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhgloc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbchba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocffempp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edhjqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcjiff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imoneg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cajlhqjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chcddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaakpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlgpod32.exe -
Executes dropped EXE 64 IoCs
pid Process 3344 Gokdeeec.exe 3836 Gfembo32.exe 2604 Gdhmnlcj.exe 1288 Gmoeoidl.exe 2752 Gcimkc32.exe 3512 Gdjjckag.exe 5036 Hmabdibj.exe 1680 Hckjacjg.exe 3504 Hihbijhn.exe 828 Hkfoeega.exe 4252 Hcmgfbhd.exe 1196 Heocnk32.exe 1032 Hkikkeeo.exe 60 Hbbdholl.exe 4144 Heapdjlp.exe 4608 Hkkhqd32.exe 216 Hbeqmoji.exe 4264 Hioiji32.exe 4220 Hcdmga32.exe 3996 Hfcicmqp.exe 2928 Immapg32.exe 3540 Icgjmapi.exe 4628 Ifefimom.exe 3032 Imoneg32.exe 2948 Iblfnn32.exe 944 Iejcji32.exe 3764 Iifokh32.exe 2828 Ildkgc32.exe 2592 Ibnccmbo.exe 1612 Ifjodl32.exe 3696 Imdgqfbd.exe 4592 Ifllil32.exe 3716 Iikhfg32.exe 4344 Ilidbbgl.exe 3324 Icplcpgo.exe 4444 Jfoiokfb.exe 3340 Jlkagbej.exe 1796 Jfaedkdp.exe 1496 Jmknaell.exe 1868 Jpijnqkp.exe 1248 Jefbfgig.exe 5004 Jmmjgejj.exe 3964 Jplfcpin.exe 664 Jfeopj32.exe 1316 Jmpgldhg.exe 452 Jcioiood.exe 1684 Jeklag32.exe 3200 Jifhaenk.exe 4840 Jpppnp32.exe 3016 Kboljk32.exe 4716 Kiidgeki.exe 3808 Kmdqgd32.exe 3740 Kpbmco32.exe 1276 Kbaipkbi.exe 772 Kikame32.exe 788 Kmfmmcbo.exe 3292 Kdqejn32.exe 4636 Kfoafi32.exe 1148 Kimnbd32.exe 2924 Klljnp32.exe 2572 Kdcbom32.exe 3804 Kfankifm.exe 2720 Kmkfhc32.exe 3880 Kpjcdn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lehaho32.exe Lpkiph32.exe File created C:\Windows\SysWOW64\Ejlacgdj.dll Jbfheo32.exe File created C:\Windows\SysWOW64\Nijeec32.exe Nbqmiinl.exe File created C:\Windows\SysWOW64\Fedbbjgh.dll Mnhkbfme.exe File created C:\Windows\SysWOW64\Blfiei32.dll Pcppfaka.exe File opened for modification C:\Windows\SysWOW64\Dkahilkl.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hipmfjee.exe Process not Found File created C:\Windows\SysWOW64\Baiinofi.dll Process not Found File opened for modification C:\Windows\SysWOW64\Dcpmen32.exe Dmfeidbe.exe File created C:\Windows\SysWOW64\Cfidbo32.dll Process not Found File created C:\Windows\SysWOW64\Ippohl32.dll Jmmjgejj.exe File created C:\Windows\SysWOW64\Ligqhc32.exe Lbmhlihl.exe File created C:\Windows\SysWOW64\Gbdhjm32.dll Ncfdie32.exe File created C:\Windows\SysWOW64\Qdbiedpa.exe Qmkadgpo.exe File created C:\Windows\SysWOW64\Opcefi32.dll Process not Found File created C:\Windows\SysWOW64\Lehagi32.dll Fpjjac32.exe File opened for modification C:\Windows\SysWOW64\Jjopcb32.exe Jhndljll.exe File created C:\Windows\SysWOW64\Dnbokg32.dll Hginecde.exe File created C:\Windows\SysWOW64\Balenlhn.dll Oejbfmpg.exe File opened for modification C:\Windows\SysWOW64\Iiehpahb.exe Idjlpc32.exe File created C:\Windows\SysWOW64\Lehhlb32.dll Idghpmnp.exe File created C:\Windows\SysWOW64\Kdinljnk.exe Jbkbpoog.exe File opened for modification C:\Windows\SysWOW64\Kkfcndce.exe Kiggbhda.exe File opened for modification C:\Windows\SysWOW64\Neqopnhb.exe Nnfgcd32.exe File created C:\Windows\SysWOW64\Pnifekmd.exe Process not Found File created C:\Windows\SysWOW64\Ibicnh32.exe Iokgal32.exe File opened for modification C:\Windows\SysWOW64\Oifeab32.exe Oaompd32.exe File created C:\Windows\SysWOW64\Ljhefhha.exe Lgjijmin.exe File created C:\Windows\SysWOW64\Bldqfd32.dll Omcjep32.exe File created C:\Windows\SysWOW64\Phfcipoo.exe Process not Found File created C:\Windows\SysWOW64\Dpiplm32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jfpojead.exe Jbdbjf32.exe File opened for modification C:\Windows\SysWOW64\Bogkmgba.exe Process not Found File created C:\Windows\SysWOW64\Bmjkic32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ifjodl32.exe Ibnccmbo.exe File opened for modification C:\Windows\SysWOW64\Kboljk32.exe Jpppnp32.exe File opened for modification C:\Windows\SysWOW64\Lcjcnoej.exe Ldgccb32.exe File opened for modification C:\Windows\SysWOW64\Mjmoag32.exe Mgobel32.exe File opened for modification C:\Windows\SysWOW64\Loighj32.exe Process not Found File created C:\Windows\SysWOW64\Llipehgk.exe Likcilhh.exe File opened for modification C:\Windows\SysWOW64\Cgjjdf32.exe Cqpbglno.exe File created C:\Windows\SysWOW64\Adfonlkp.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bknlbhhe.exe Process not Found File created C:\Windows\SysWOW64\Cgifbhid.exe Process not Found File created C:\Windows\SysWOW64\Immapg32.exe Hfcicmqp.exe File created C:\Windows\SysWOW64\Lfbped32.exe Process not Found File created C:\Windows\SysWOW64\Mmfkhmdi.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kmkfhc32.exe Kfankifm.exe File created C:\Windows\SysWOW64\Ndhkdnkh.dll Bfkedibe.exe File created C:\Windows\SysWOW64\Feoodn32.exe Process not Found File created C:\Windows\SysWOW64\Bchomn32.exe Baicac32.exe File created C:\Windows\SysWOW64\Knnckk32.dll Ghipne32.exe File opened for modification C:\Windows\SysWOW64\Jbkbpoog.exe Jjdjoane.exe File opened for modification C:\Windows\SysWOW64\Bjfaeh32.exe Bfkedibe.exe File opened for modification C:\Windows\SysWOW64\Ifleoe32.exe Indmnh32.exe File opened for modification C:\Windows\SysWOW64\Emhkdmlg.exe Process not Found File created C:\Windows\SysWOW64\Chflphjh.dll Process not Found File created C:\Windows\SysWOW64\Mipcob32.exe Mbfkbhpa.exe File created C:\Windows\SysWOW64\Ebhcbe32.dll Hhgloc32.exe File created C:\Windows\SysWOW64\Cpagaq32.dll Hoadkn32.exe File created C:\Windows\SysWOW64\Qeapfm32.dll Aihaoqlp.exe File created C:\Windows\SysWOW64\Dlmmaqlm.dll Ingpmmgm.exe File created C:\Windows\SysWOW64\Lnmkfh32.exe Lknojl32.exe File created C:\Windows\SysWOW64\Gidnkkpc.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 10904 19576 Process not Found 1570 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfningai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Filiii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lalnmiia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll" Dodbbdbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbileede.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmdae32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojllan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lehaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmnpml32.dll" Eplgeokq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kibohd32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlmllkja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll" Afhohlbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlkpophj.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipjedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfembo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lndham32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhamkipi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oendmdab.dll" Jpppnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nljofl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajhniccb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mngegmbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbbdjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpkiph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lknojl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkidpke.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkfcndce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbinam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npjfngdm.dll" Lnadagbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgeaiknl.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beihma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfameb32.dll" Mhicpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blafme32.dll" Igdnabjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkmgblok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohnohn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laapnj32.dll" Ibnccmbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aminee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlbkap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmdkch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jihdpleo.dll" Gphphj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnnndm32.dll" Hkckeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oklkdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hibafp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcijdmpm.dll" Emkndc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gajaoo32.dll" Fllkqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmehcnhg.dll" Iblfnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pojcjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcobaedj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fehfljca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djqblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmnhcb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4480 wrote to memory of 3344 4480 66f3d3ab3b81fc7fcbc3b8c886c35923a8a5736c89f4f1972b5aa1147b96d6b6.exe 82 PID 4480 wrote to memory of 3344 4480 66f3d3ab3b81fc7fcbc3b8c886c35923a8a5736c89f4f1972b5aa1147b96d6b6.exe 82 PID 4480 wrote to memory of 3344 4480 66f3d3ab3b81fc7fcbc3b8c886c35923a8a5736c89f4f1972b5aa1147b96d6b6.exe 82 PID 3344 wrote to memory of 3836 3344 Gokdeeec.exe 83 PID 3344 wrote to memory of 3836 3344 Gokdeeec.exe 83 PID 3344 wrote to memory of 3836 3344 Gokdeeec.exe 83 PID 3836 wrote to memory of 2604 3836 Gfembo32.exe 84 PID 3836 wrote to memory of 2604 3836 Gfembo32.exe 84 PID 3836 wrote to memory of 2604 3836 Gfembo32.exe 84 PID 2604 wrote to memory of 1288 2604 Gdhmnlcj.exe 85 PID 2604 wrote to memory of 1288 2604 Gdhmnlcj.exe 85 PID 2604 wrote to memory of 1288 2604 Gdhmnlcj.exe 85 PID 1288 wrote to memory of 2752 1288 Gmoeoidl.exe 86 PID 1288 wrote to memory of 2752 1288 Gmoeoidl.exe 86 PID 1288 wrote to memory of 2752 1288 Gmoeoidl.exe 86 PID 2752 wrote to memory of 3512 2752 Gcimkc32.exe 87 PID 2752 wrote to memory of 3512 2752 Gcimkc32.exe 87 PID 2752 wrote to memory of 3512 2752 Gcimkc32.exe 87 PID 3512 wrote to memory of 5036 3512 Gdjjckag.exe 88 PID 3512 wrote to memory of 5036 3512 Gdjjckag.exe 88 PID 3512 wrote to memory of 5036 3512 Gdjjckag.exe 88 PID 5036 wrote to memory of 1680 5036 Hmabdibj.exe 89 PID 5036 wrote to memory of 1680 5036 Hmabdibj.exe 89 PID 5036 wrote to memory of 1680 5036 Hmabdibj.exe 89 PID 1680 wrote to memory of 3504 1680 Hckjacjg.exe 90 PID 1680 wrote to memory of 3504 1680 Hckjacjg.exe 90 PID 1680 wrote to memory of 3504 1680 Hckjacjg.exe 90 PID 3504 wrote to memory of 828 3504 Hihbijhn.exe 91 PID 3504 wrote to memory of 828 3504 Hihbijhn.exe 91 PID 3504 wrote to memory of 828 3504 Hihbijhn.exe 91 PID 828 wrote to memory of 4252 828 Hkfoeega.exe 92 PID 828 wrote to memory of 4252 828 Hkfoeega.exe 92 PID 828 wrote to memory of 4252 828 Hkfoeega.exe 92 PID 4252 wrote to memory of 1196 4252 Hcmgfbhd.exe 93 PID 4252 wrote to memory of 1196 4252 Hcmgfbhd.exe 93 PID 4252 wrote to memory of 1196 4252 Hcmgfbhd.exe 93 PID 1196 wrote to memory of 1032 1196 Heocnk32.exe 94 PID 1196 wrote to memory of 1032 1196 Heocnk32.exe 94 PID 1196 wrote to memory of 1032 1196 Heocnk32.exe 94 PID 1032 wrote to memory of 60 1032 Hkikkeeo.exe 95 PID 1032 wrote to memory of 60 1032 Hkikkeeo.exe 95 PID 1032 wrote to memory of 60 1032 Hkikkeeo.exe 95 PID 60 wrote to memory of 4144 60 Hbbdholl.exe 96 PID 60 wrote to memory of 4144 60 Hbbdholl.exe 96 PID 60 wrote to memory of 4144 60 Hbbdholl.exe 96 PID 4144 wrote to memory of 4608 4144 Heapdjlp.exe 97 PID 4144 wrote to memory of 4608 4144 Heapdjlp.exe 97 PID 4144 wrote to memory of 4608 4144 Heapdjlp.exe 97 PID 4608 wrote to memory of 216 4608 Hkkhqd32.exe 98 PID 4608 wrote to memory of 216 4608 Hkkhqd32.exe 98 PID 4608 wrote to memory of 216 4608 Hkkhqd32.exe 98 PID 216 wrote to memory of 4264 216 Hbeqmoji.exe 99 PID 216 wrote to memory of 4264 216 Hbeqmoji.exe 99 PID 216 wrote to memory of 4264 216 Hbeqmoji.exe 99 PID 4264 wrote to memory of 4220 4264 Hioiji32.exe 100 PID 4264 wrote to memory of 4220 4264 Hioiji32.exe 100 PID 4264 wrote to memory of 4220 4264 Hioiji32.exe 100 PID 4220 wrote to memory of 3996 4220 Hcdmga32.exe 101 PID 4220 wrote to memory of 3996 4220 Hcdmga32.exe 101 PID 4220 wrote to memory of 3996 4220 Hcdmga32.exe 101 PID 3996 wrote to memory of 2928 3996 Hfcicmqp.exe 102 PID 3996 wrote to memory of 2928 3996 Hfcicmqp.exe 102 PID 3996 wrote to memory of 2928 3996 Hfcicmqp.exe 102 PID 2928 wrote to memory of 3540 2928 Immapg32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\66f3d3ab3b81fc7fcbc3b8c886c35923a8a5736c89f4f1972b5aa1147b96d6b6.exe"C:\Users\Admin\AppData\Local\Temp\66f3d3ab3b81fc7fcbc3b8c886c35923a8a5736c89f4f1972b5aa1147b96d6b6.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\Gokdeeec.exeC:\Windows\system32\Gokdeeec.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
C:\Windows\SysWOW64\Gfembo32.exeC:\Windows\system32\Gfembo32.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3836 -
C:\Windows\SysWOW64\Gdhmnlcj.exeC:\Windows\system32\Gdhmnlcj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Gmoeoidl.exeC:\Windows\system32\Gmoeoidl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\SysWOW64\Gcimkc32.exeC:\Windows\system32\Gcimkc32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Gdjjckag.exeC:\Windows\system32\Gdjjckag.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Windows\SysWOW64\Hmabdibj.exeC:\Windows\system32\Hmabdibj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\Hckjacjg.exeC:\Windows\system32\Hckjacjg.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Hihbijhn.exeC:\Windows\system32\Hihbijhn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\SysWOW64\Hkfoeega.exeC:\Windows\system32\Hkfoeega.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Windows\SysWOW64\Hcmgfbhd.exeC:\Windows\system32\Hcmgfbhd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Windows\SysWOW64\Heocnk32.exeC:\Windows\system32\Heocnk32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Hkikkeeo.exeC:\Windows\system32\Hkikkeeo.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\Hbbdholl.exeC:\Windows\system32\Hbbdholl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
C:\Windows\SysWOW64\Heapdjlp.exeC:\Windows\system32\Heapdjlp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
C:\Windows\SysWOW64\Hkkhqd32.exeC:\Windows\system32\Hkkhqd32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\Hbeqmoji.exeC:\Windows\system32\Hbeqmoji.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\Hioiji32.exeC:\Windows\system32\Hioiji32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Windows\SysWOW64\Hcdmga32.exeC:\Windows\system32\Hcdmga32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
C:\Windows\SysWOW64\Hfcicmqp.exeC:\Windows\system32\Hfcicmqp.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\SysWOW64\Immapg32.exeC:\Windows\system32\Immapg32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Icgjmapi.exeC:\Windows\system32\Icgjmapi.exe23⤵
- Executes dropped EXE
PID:3540 -
C:\Windows\SysWOW64\Ifefimom.exeC:\Windows\system32\Ifefimom.exe24⤵
- Executes dropped EXE
PID:4628 -
C:\Windows\SysWOW64\Imoneg32.exeC:\Windows\system32\Imoneg32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Iblfnn32.exeC:\Windows\system32\Iblfnn32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Iejcji32.exeC:\Windows\system32\Iejcji32.exe27⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Iifokh32.exeC:\Windows\system32\Iifokh32.exe28⤵
- Executes dropped EXE
PID:3764 -
C:\Windows\SysWOW64\Ildkgc32.exeC:\Windows\system32\Ildkgc32.exe29⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Ibnccmbo.exeC:\Windows\system32\Ibnccmbo.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Ifjodl32.exeC:\Windows\system32\Ifjodl32.exe31⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Imdgqfbd.exeC:\Windows\system32\Imdgqfbd.exe32⤵
- Executes dropped EXE
PID:3696 -
C:\Windows\SysWOW64\Ifllil32.exeC:\Windows\system32\Ifllil32.exe33⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Iikhfg32.exeC:\Windows\system32\Iikhfg32.exe34⤵
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\Ilidbbgl.exeC:\Windows\system32\Ilidbbgl.exe35⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Icplcpgo.exeC:\Windows\system32\Icplcpgo.exe36⤵
- Executes dropped EXE
PID:3324 -
C:\Windows\SysWOW64\Jfoiokfb.exeC:\Windows\system32\Jfoiokfb.exe37⤵
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Jlkagbej.exeC:\Windows\system32\Jlkagbej.exe38⤵
- Executes dropped EXE
PID:3340 -
C:\Windows\SysWOW64\Jfaedkdp.exeC:\Windows\system32\Jfaedkdp.exe39⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Jmknaell.exeC:\Windows\system32\Jmknaell.exe40⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Jpijnqkp.exeC:\Windows\system32\Jpijnqkp.exe41⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Jefbfgig.exeC:\Windows\system32\Jefbfgig.exe42⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Jmmjgejj.exeC:\Windows\system32\Jmmjgejj.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5004 -
C:\Windows\SysWOW64\Jplfcpin.exeC:\Windows\system32\Jplfcpin.exe44⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Jfeopj32.exeC:\Windows\system32\Jfeopj32.exe45⤵
- Executes dropped EXE
PID:664 -
C:\Windows\SysWOW64\Jmpgldhg.exeC:\Windows\system32\Jmpgldhg.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Jcioiood.exeC:\Windows\system32\Jcioiood.exe47⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Jeklag32.exeC:\Windows\system32\Jeklag32.exe48⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Jifhaenk.exeC:\Windows\system32\Jifhaenk.exe49⤵
- Executes dropped EXE
PID:3200 -
C:\Windows\SysWOW64\Jpppnp32.exeC:\Windows\system32\Jpppnp32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4840 -
C:\Windows\SysWOW64\Kboljk32.exeC:\Windows\system32\Kboljk32.exe51⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Kiidgeki.exeC:\Windows\system32\Kiidgeki.exe52⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Kmdqgd32.exeC:\Windows\system32\Kmdqgd32.exe53⤵
- Executes dropped EXE
PID:3808 -
C:\Windows\SysWOW64\Kpbmco32.exeC:\Windows\system32\Kpbmco32.exe54⤵
- Executes dropped EXE
PID:3740 -
C:\Windows\SysWOW64\Kbaipkbi.exeC:\Windows\system32\Kbaipkbi.exe55⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Kikame32.exeC:\Windows\system32\Kikame32.exe56⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Kmfmmcbo.exeC:\Windows\system32\Kmfmmcbo.exe57⤵
- Executes dropped EXE
PID:788 -
C:\Windows\SysWOW64\Kdqejn32.exeC:\Windows\system32\Kdqejn32.exe58⤵
- Executes dropped EXE
PID:3292 -
C:\Windows\SysWOW64\Kfoafi32.exeC:\Windows\system32\Kfoafi32.exe59⤵
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\Kimnbd32.exeC:\Windows\system32\Kimnbd32.exe60⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Klljnp32.exeC:\Windows\system32\Klljnp32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Kdcbom32.exeC:\Windows\system32\Kdcbom32.exe62⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Kfankifm.exeC:\Windows\system32\Kfankifm.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3804 -
C:\Windows\SysWOW64\Kmkfhc32.exeC:\Windows\system32\Kmkfhc32.exe64⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Kpjcdn32.exeC:\Windows\system32\Kpjcdn32.exe65⤵
- Executes dropped EXE
PID:3880 -
C:\Windows\SysWOW64\Kefkme32.exeC:\Windows\system32\Kefkme32.exe66⤵PID:3060
-
C:\Windows\SysWOW64\Klqcioba.exeC:\Windows\system32\Klqcioba.exe67⤵PID:1608
-
C:\Windows\SysWOW64\Kplpjn32.exeC:\Windows\system32\Kplpjn32.exe68⤵PID:4540
-
C:\Windows\SysWOW64\Lffhfh32.exeC:\Windows\system32\Lffhfh32.exe69⤵PID:4756
-
C:\Windows\SysWOW64\Llcpoo32.exeC:\Windows\system32\Llcpoo32.exe70⤵PID:3592
-
C:\Windows\SysWOW64\Lpnlpnih.exeC:\Windows\system32\Lpnlpnih.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4764 -
C:\Windows\SysWOW64\Lbmhlihl.exeC:\Windows\system32\Lbmhlihl.exe72⤵
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Ligqhc32.exeC:\Windows\system32\Ligqhc32.exe73⤵PID:3980
-
C:\Windows\SysWOW64\Llemdo32.exeC:\Windows\system32\Llemdo32.exe74⤵PID:4556
-
C:\Windows\SysWOW64\Lboeaifi.exeC:\Windows\system32\Lboeaifi.exe75⤵PID:4284
-
C:\Windows\SysWOW64\Lenamdem.exeC:\Windows\system32\Lenamdem.exe76⤵PID:1332
-
C:\Windows\SysWOW64\Liimncmf.exeC:\Windows\system32\Liimncmf.exe77⤵PID:3216
-
C:\Windows\SysWOW64\Lpcfkm32.exeC:\Windows\system32\Lpcfkm32.exe78⤵PID:2468
-
C:\Windows\SysWOW64\Lbabgh32.exeC:\Windows\system32\Lbabgh32.exe79⤵PID:1092
-
C:\Windows\SysWOW64\Lgmngglp.exeC:\Windows\system32\Lgmngglp.exe80⤵PID:4068
-
C:\Windows\SysWOW64\Likjcbkc.exeC:\Windows\system32\Likjcbkc.exe81⤵PID:4872
-
C:\Windows\SysWOW64\Lljfpnjg.exeC:\Windows\system32\Lljfpnjg.exe82⤵PID:2228
-
C:\Windows\SysWOW64\Lbdolh32.exeC:\Windows\system32\Lbdolh32.exe83⤵PID:4576
-
C:\Windows\SysWOW64\Lmiciaaj.exeC:\Windows\system32\Lmiciaaj.exe84⤵PID:1284
-
C:\Windows\SysWOW64\Lphoelqn.exeC:\Windows\system32\Lphoelqn.exe85⤵PID:3448
-
C:\Windows\SysWOW64\Mbfkbhpa.exeC:\Windows\system32\Mbfkbhpa.exe86⤵
- Drops file in System32 directory
PID:3728 -
C:\Windows\SysWOW64\Mipcob32.exeC:\Windows\system32\Mipcob32.exe87⤵PID:2056
-
C:\Windows\SysWOW64\Mlopkm32.exeC:\Windows\system32\Mlopkm32.exe88⤵PID:4316
-
C:\Windows\SysWOW64\Mpjlklok.exeC:\Windows\system32\Mpjlklok.exe89⤵PID:4308
-
C:\Windows\SysWOW64\Mgddhf32.exeC:\Windows\system32\Mgddhf32.exe90⤵PID:2032
-
C:\Windows\SysWOW64\Mlampmdo.exeC:\Windows\system32\Mlampmdo.exe91⤵PID:2972
-
C:\Windows\SysWOW64\Mplhql32.exeC:\Windows\system32\Mplhql32.exe92⤵PID:5116
-
C:\Windows\SysWOW64\Mgfqmfde.exeC:\Windows\system32\Mgfqmfde.exe93⤵PID:4568
-
C:\Windows\SysWOW64\Miemjaci.exeC:\Windows\system32\Miemjaci.exe94⤵PID:4664
-
C:\Windows\SysWOW64\Mmpijp32.exeC:\Windows\system32\Mmpijp32.exe95⤵PID:1292
-
C:\Windows\SysWOW64\Mpoefk32.exeC:\Windows\system32\Mpoefk32.exe96⤵PID:5136
-
C:\Windows\SysWOW64\Mcmabg32.exeC:\Windows\system32\Mcmabg32.exe97⤵PID:5184
-
C:\Windows\SysWOW64\Mpablkhc.exeC:\Windows\system32\Mpablkhc.exe98⤵PID:5244
-
C:\Windows\SysWOW64\Mcpnhfhf.exeC:\Windows\system32\Mcpnhfhf.exe99⤵PID:5312
-
C:\Windows\SysWOW64\Mgkjhe32.exeC:\Windows\system32\Mgkjhe32.exe100⤵PID:5360
-
C:\Windows\SysWOW64\Miifeq32.exeC:\Windows\system32\Miifeq32.exe101⤵PID:5404
-
C:\Windows\SysWOW64\Mlhbal32.exeC:\Windows\system32\Mlhbal32.exe102⤵PID:5480
-
C:\Windows\SysWOW64\Ndokbi32.exeC:\Windows\system32\Ndokbi32.exe103⤵PID:5524
-
C:\Windows\SysWOW64\Ncbknfed.exeC:\Windows\system32\Ncbknfed.exe104⤵PID:5572
-
C:\Windows\SysWOW64\Nepgjaeg.exeC:\Windows\system32\Nepgjaeg.exe105⤵PID:5612
-
C:\Windows\SysWOW64\Nngokoej.exeC:\Windows\system32\Nngokoej.exe106⤵PID:5672
-
C:\Windows\SysWOW64\Nljofl32.exeC:\Windows\system32\Nljofl32.exe107⤵
- Modifies registry class
PID:5732 -
C:\Windows\SysWOW64\Ndaggimg.exeC:\Windows\system32\Ndaggimg.exe108⤵PID:5788
-
C:\Windows\SysWOW64\Ncdgcf32.exeC:\Windows\system32\Ncdgcf32.exe109⤵PID:5860
-
C:\Windows\SysWOW64\Nebdoa32.exeC:\Windows\system32\Nebdoa32.exe110⤵PID:5900
-
C:\Windows\SysWOW64\Nnjlpo32.exeC:\Windows\system32\Nnjlpo32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5944 -
C:\Windows\SysWOW64\Nlmllkja.exeC:\Windows\system32\Nlmllkja.exe112⤵
- Modifies registry class
PID:5984 -
C:\Windows\SysWOW64\Ndcdmikd.exeC:\Windows\system32\Ndcdmikd.exe113⤵PID:6024
-
C:\Windows\SysWOW64\Ncfdie32.exeC:\Windows\system32\Ncfdie32.exe114⤵
- Drops file in System32 directory
PID:6068 -
C:\Windows\SysWOW64\Njqmepik.exeC:\Windows\system32\Njqmepik.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6116 -
C:\Windows\SysWOW64\Nloiakho.exeC:\Windows\system32\Nloiakho.exe116⤵PID:5124
-
C:\Windows\SysWOW64\Ndfqbhia.exeC:\Windows\system32\Ndfqbhia.exe117⤵PID:5240
-
C:\Windows\SysWOW64\Ncianepl.exeC:\Windows\system32\Ncianepl.exe118⤵PID:5340
-
C:\Windows\SysWOW64\Njciko32.exeC:\Windows\system32\Njciko32.exe119⤵PID:5416
-
C:\Windows\SysWOW64\Nlaegk32.exeC:\Windows\system32\Nlaegk32.exe120⤵PID:5520
-
C:\Windows\SysWOW64\Ndhmhh32.exeC:\Windows\system32\Ndhmhh32.exe121⤵PID:5580
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-