Analysis
-
max time kernel
93s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
02/06/2024, 01:08
Static task
static1
Behavioral task
behavioral1
Sample
a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe
Resource
win10v2004-20240426-en
General
-
Target
a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe
-
Size
80KB
-
MD5
371ba6f286b21e1ad8696a844f0e9a68
-
SHA1
e7865d960f6f011a87b65ef94a829d905d794f25
-
SHA256
a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe
-
SHA512
cf0afb4eee8ef05e7bd06ece904a88a59427d10634fa6f4992ed017cbf9a0d6ecd16d88f65fc6922800d43e169cf425f8b91c46ae09ce55330862b51de208acf
-
SSDEEP
1536:kcSsngPO+fifu8UCeztSzjpH1B9z/2LxS5DUHRbPa9b6i+sIk:kZTf+UavV1B9AxS5DSCopsIk
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhnepfpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blmacb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmiciaaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbcakg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pghieg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dohfbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkdbpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cabfga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjeddggd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbhkac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaepqjpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dllmfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fopldmcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gogbdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmfbjnbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laalifad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkfoeega.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Accfbokl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdpalp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceoibflm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miifeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdfkolkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laciofpa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cacmah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlncan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcbpab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njciko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipnalhii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbdmpqcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oneklm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cddecc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faihkbci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcbihpel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beeflhdh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpemacql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebbidj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejjqeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiffen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmqgnhmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaemnhla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpmfddnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdgdgnbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nepgjaeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceehho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eleplc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbhmdbnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfhbppbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfcbjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlhbal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpccnefa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kemhff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efneehef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmaioo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iakaql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jaedgjjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doilmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejgdpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbioei32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmjqmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqnaim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebnoikqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbhmdbnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncgkcl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miifeq32.exe -
Executes dropped EXE 64 IoCs
pid Process 2616 Clqnjf32.exe 4552 Ccjfgphj.exe 2672 Ceibclgn.exe 6064 Cidncj32.exe 1664 Clckpf32.exe 2528 Coagla32.exe 5968 Ccmclp32.exe 4296 Cekohk32.exe 4452 Dhjkdg32.exe 4228 Dlegeemh.exe 4112 Doccaall.exe 5364 Dcopbp32.exe 5872 Dhlhjf32.exe 3860 Dlgdkeje.exe 5332 Dofpgqji.exe 3256 Dcalgo32.exe 2428 Dephckaf.exe 2120 Dhnepfpj.exe 5288 Dpemacql.exe 5664 Dcdimopp.exe 2104 Dagiil32.exe 4436 Djnaji32.exe 2436 Dllmfd32.exe 1604 Dokjbp32.exe 5628 Dcfebonm.exe 2076 Dfdbojmq.exe 860 Djpnohej.exe 364 Dlojkddn.exe 944 Dpjflb32.exe 1372 Domfgpca.exe 2624 Dakbckbe.exe 4812 Efgodj32.exe 1840 Ehekqe32.exe 5144 Elagacbk.exe 4028 Eoocmoao.exe 5152 Eckonn32.exe 2892 Ebnoikqb.exe 3236 Ejegjh32.exe 4580 Elccfc32.exe 3180 Epopgbia.exe 3596 Ecmlcmhe.exe 976 Ebploj32.exe 2784 Ejgdpg32.exe 1584 Ehjdldfl.exe 3252 Eleplc32.exe 5536 Eqalmafo.exe 5396 Ecphimfb.exe 1420 Ebbidj32.exe 5092 Efneehef.exe 5472 Ejjqeg32.exe 5444 Ehlaaddj.exe 5732 Eqciba32.exe 4988 Eofinnkf.exe 4672 Ebeejijj.exe 1764 Efpajh32.exe 2556 Ejlmkgkl.exe 4824 Emjjgbjp.exe 2344 Eqfeha32.exe 4480 Eoifcnid.exe 4848 Ecdbdl32.exe 1172 Ffbnph32.exe 4044 Fjnjqfij.exe 2312 Fhajlc32.exe 2628 Fqhbmqqg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Anbkio32.exe Aldomc32.exe File created C:\Windows\SysWOW64\Aaepqjpd.exe Angddopp.exe File created C:\Windows\SysWOW64\Ladjgikj.dll Olfobjbg.exe File opened for modification C:\Windows\SysWOW64\Ebploj32.exe Ecmlcmhe.exe File opened for modification C:\Windows\SysWOW64\Mjcgohig.exe Mgekbljc.exe File created C:\Windows\SysWOW64\Pqnaim32.exe Pjdilcla.exe File opened for modification C:\Windows\SysWOW64\Dcfebonm.exe Dokjbp32.exe File created C:\Windows\SysWOW64\Ifhmhq32.dll Hjmoibog.exe File opened for modification C:\Windows\SysWOW64\Fjnjqfij.exe Ffbnph32.exe File created C:\Windows\SysWOW64\Eplmgmol.dll Kpccnefa.exe File created C:\Windows\SysWOW64\Hnfmbf32.dll Mdpalp32.exe File opened for modification C:\Windows\SysWOW64\Echknh32.exe Dlncan32.exe File created C:\Windows\SysWOW64\Amjknl32.dll Daekdooc.exe File opened for modification C:\Windows\SysWOW64\Emjjgbjp.exe Ejlmkgkl.exe File created C:\Windows\SysWOW64\Ecdbdl32.exe Eoifcnid.exe File opened for modification C:\Windows\SysWOW64\Bbifelba.exe Bjbndobo.exe File opened for modification C:\Windows\SysWOW64\Cabfga32.exe Cndikf32.exe File created C:\Windows\SysWOW64\Gqffnmfa.dll Mdiklqhm.exe File opened for modification C:\Windows\SysWOW64\Alhhhcal.exe Aeopki32.exe File created C:\Windows\SysWOW64\Eagncfoj.dll Gppekj32.exe File created C:\Windows\SysWOW64\Coagla32.exe Clckpf32.exe File opened for modification C:\Windows\SysWOW64\Dpjflb32.exe Dlojkddn.exe File created C:\Windows\SysWOW64\Hdaeob32.dll Aeopki32.exe File opened for modification C:\Windows\SysWOW64\Bjghpn32.exe Baocghgi.exe File opened for modification C:\Windows\SysWOW64\Pmoahijl.exe Ogbipa32.exe File created C:\Windows\SysWOW64\Fqohnp32.exe Fmclmabe.exe File opened for modification C:\Windows\SysWOW64\Ifmcdblq.exe Ibagcc32.exe File opened for modification C:\Windows\SysWOW64\Olfobjbg.exe Ocnjidkf.exe File opened for modification C:\Windows\SysWOW64\Ijhodq32.exe Ifmcdblq.exe File created C:\Windows\SysWOW64\Jkdnpo32.exe Jfhbppbc.exe File created C:\Windows\SysWOW64\Doccaall.exe Dlegeemh.exe File created C:\Windows\SysWOW64\Mcgdgamg.dll Cajcbgml.exe File created C:\Windows\SysWOW64\Ecmlcmhe.exe Epopgbia.exe File created C:\Windows\SysWOW64\Helfik32.exe Hckjacjg.exe File created C:\Windows\SysWOW64\Ekiidlll.dll Lcbiao32.exe File created C:\Windows\SysWOW64\Ccgldidg.dll Oboaabga.exe File opened for modification C:\Windows\SysWOW64\Dkljak32.exe Dhnnep32.exe File created C:\Windows\SysWOW64\Accfbokl.exe Aadifclh.exe File opened for modification C:\Windows\SysWOW64\Dohfbj32.exe Dkljak32.exe File created C:\Windows\SysWOW64\Dmgbnq32.exe Dkifae32.exe File created C:\Windows\SysWOW64\Pnfmmb32.dll Giofnacd.exe File created C:\Windows\SysWOW64\Mnfipekh.exe Mjjmog32.exe File opened for modification C:\Windows\SysWOW64\Ddakjkqi.exe Daconoae.exe File opened for modification C:\Windows\SysWOW64\Jmnaakne.exe Jibeql32.exe File opened for modification C:\Windows\SysWOW64\Ojalgcnd.exe Ocgdji32.exe File created C:\Windows\SysWOW64\Pgemphmn.exe Oqkdcn32.exe File created C:\Windows\SysWOW64\Laalifad.exe Lkgdml32.exe File created C:\Windows\SysWOW64\Eocenh32.exe Ehimanbq.exe File created C:\Windows\SysWOW64\Hofddb32.dll Fbnhphbp.exe File created C:\Windows\SysWOW64\Giacca32.exe Gfcgge32.exe File created C:\Windows\SysWOW64\Qqfmde32.exe Pgnilpah.exe File created C:\Windows\SysWOW64\Fcgoilpj.exe Fqhbmqqg.exe File created C:\Windows\SysWOW64\Ddhbep32.dll Fjqgff32.exe File created C:\Windows\SysWOW64\Oggacefk.dll Ffgqqaip.exe File created C:\Windows\SysWOW64\Eqbmje32.dll Lpappc32.exe File created C:\Windows\SysWOW64\Beeflhdh.exe Bbgipldd.exe File opened for modification C:\Windows\SysWOW64\Kkbkamnl.exe Kgfoan32.exe File opened for modification C:\Windows\SysWOW64\Doeiljfn.exe Dlgmpogj.exe File opened for modification C:\Windows\SysWOW64\Cmqmma32.exe Cnnlaehj.exe File opened for modification C:\Windows\SysWOW64\Eofinnkf.exe Eqciba32.exe File created C:\Windows\SysWOW64\Gmhfhp32.exe Gfnnlffc.exe File created C:\Windows\SysWOW64\Mifnjj32.dll Eocenh32.exe File created C:\Windows\SysWOW64\Ljodkeij.dll Lpqiemge.exe File created C:\Windows\SysWOW64\Ndcdmikd.exe Njnpppkn.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12568 12304 WerFault.exe 664 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efgodj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndbnboqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhbgqohi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oneklm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnhjohkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebnoikqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhpcomb.dll" Lfkaag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miifeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjdgcbkb.dll" Bbgipldd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enoogcin.dll" Hcpclbfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oneklm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbajhpfb.dll" Gidphq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpfpdoi.dll" Iidipnal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmkdlkph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npjebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dofpgqji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jidbflcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jiikak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ippggbck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddonekbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejkjg32.dll" Hikfip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acbmpm32.dll" Eapedd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqhbmqqg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Liekmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aolmfp32.dll" Pghieg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Giofnacd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll" Kdaldd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlineehd.dll" Lmppcbjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkdnpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll" Kphmie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomaga32.dll" Lgmngglp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ficgacna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fakdpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkdbpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chdkoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll" Cndikf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogedoeae.dll" Eoifcnid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbfpobpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbhmdbnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmige32.dll" Dagiil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qcepkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kefkme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpacnb32.dll" Gqkhjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgcqbd32.dll" Pndohaqe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Faihkbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebbidj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll" Laalifad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddmhja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmklen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll" Jidbflcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll" Andqdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkfkfohj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkffk32.dll" Fakdpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laciofpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdcdbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll" Bcebhoii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjmhppqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll" Kkkdan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmccchkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmcibama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjebnamp.dll" Ehjdldfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icljbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfhoiaf.dll" Ocnjidkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll" Mjjmog32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3052 wrote to memory of 2616 3052 a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe 81 PID 3052 wrote to memory of 2616 3052 a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe 81 PID 3052 wrote to memory of 2616 3052 a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe 81 PID 2616 wrote to memory of 4552 2616 Clqnjf32.exe 82 PID 2616 wrote to memory of 4552 2616 Clqnjf32.exe 82 PID 2616 wrote to memory of 4552 2616 Clqnjf32.exe 82 PID 4552 wrote to memory of 2672 4552 Ccjfgphj.exe 83 PID 4552 wrote to memory of 2672 4552 Ccjfgphj.exe 83 PID 4552 wrote to memory of 2672 4552 Ccjfgphj.exe 83 PID 2672 wrote to memory of 6064 2672 Ceibclgn.exe 84 PID 2672 wrote to memory of 6064 2672 Ceibclgn.exe 84 PID 2672 wrote to memory of 6064 2672 Ceibclgn.exe 84 PID 6064 wrote to memory of 1664 6064 Cidncj32.exe 85 PID 6064 wrote to memory of 1664 6064 Cidncj32.exe 85 PID 6064 wrote to memory of 1664 6064 Cidncj32.exe 85 PID 1664 wrote to memory of 2528 1664 Clckpf32.exe 86 PID 1664 wrote to memory of 2528 1664 Clckpf32.exe 86 PID 1664 wrote to memory of 2528 1664 Clckpf32.exe 86 PID 2528 wrote to memory of 5968 2528 Coagla32.exe 87 PID 2528 wrote to memory of 5968 2528 Coagla32.exe 87 PID 2528 wrote to memory of 5968 2528 Coagla32.exe 87 PID 5968 wrote to memory of 4296 5968 Ccmclp32.exe 88 PID 5968 wrote to memory of 4296 5968 Ccmclp32.exe 88 PID 5968 wrote to memory of 4296 5968 Ccmclp32.exe 88 PID 4296 wrote to memory of 4452 4296 Cekohk32.exe 89 PID 4296 wrote to memory of 4452 4296 Cekohk32.exe 89 PID 4296 wrote to memory of 4452 4296 Cekohk32.exe 89 PID 4452 wrote to memory of 4228 4452 Dhjkdg32.exe 91 PID 4452 wrote to memory of 4228 4452 Dhjkdg32.exe 91 PID 4452 wrote to memory of 4228 4452 Dhjkdg32.exe 91 PID 4228 wrote to memory of 4112 4228 Dlegeemh.exe 92 PID 4228 wrote to memory of 4112 4228 Dlegeemh.exe 92 PID 4228 wrote to memory of 4112 4228 Dlegeemh.exe 92 PID 4112 wrote to memory of 5364 4112 Doccaall.exe 93 PID 4112 wrote to memory of 5364 4112 Doccaall.exe 93 PID 4112 wrote to memory of 5364 4112 Doccaall.exe 93 PID 5364 wrote to memory of 5872 5364 Dcopbp32.exe 95 PID 5364 wrote to memory of 5872 5364 Dcopbp32.exe 95 PID 5364 wrote to memory of 5872 5364 Dcopbp32.exe 95 PID 5872 wrote to memory of 3860 5872 Dhlhjf32.exe 96 PID 5872 wrote to memory of 3860 5872 Dhlhjf32.exe 96 PID 5872 wrote to memory of 3860 5872 Dhlhjf32.exe 96 PID 3860 wrote to memory of 5332 3860 Dlgdkeje.exe 97 PID 3860 wrote to memory of 5332 3860 Dlgdkeje.exe 97 PID 3860 wrote to memory of 5332 3860 Dlgdkeje.exe 97 PID 5332 wrote to memory of 3256 5332 Dofpgqji.exe 98 PID 5332 wrote to memory of 3256 5332 Dofpgqji.exe 98 PID 5332 wrote to memory of 3256 5332 Dofpgqji.exe 98 PID 3256 wrote to memory of 2428 3256 Dcalgo32.exe 99 PID 3256 wrote to memory of 2428 3256 Dcalgo32.exe 99 PID 3256 wrote to memory of 2428 3256 Dcalgo32.exe 99 PID 2428 wrote to memory of 2120 2428 Dephckaf.exe 101 PID 2428 wrote to memory of 2120 2428 Dephckaf.exe 101 PID 2428 wrote to memory of 2120 2428 Dephckaf.exe 101 PID 2120 wrote to memory of 5288 2120 Dhnepfpj.exe 102 PID 2120 wrote to memory of 5288 2120 Dhnepfpj.exe 102 PID 2120 wrote to memory of 5288 2120 Dhnepfpj.exe 102 PID 5288 wrote to memory of 5664 5288 Dpemacql.exe 103 PID 5288 wrote to memory of 5664 5288 Dpemacql.exe 103 PID 5288 wrote to memory of 5664 5288 Dpemacql.exe 103 PID 5664 wrote to memory of 2104 5664 Dcdimopp.exe 104 PID 5664 wrote to memory of 2104 5664 Dcdimopp.exe 104 PID 5664 wrote to memory of 2104 5664 Dcdimopp.exe 104 PID 2104 wrote to memory of 4436 2104 Dagiil32.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe"C:\Users\Admin\AppData\Local\Temp\a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Clqnjf32.exeC:\Windows\system32\Clqnjf32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Ccjfgphj.exeC:\Windows\system32\Ccjfgphj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Windows\SysWOW64\Ceibclgn.exeC:\Windows\system32\Ceibclgn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Cidncj32.exeC:\Windows\system32\Cidncj32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6064 -
C:\Windows\SysWOW64\Clckpf32.exeC:\Windows\system32\Clckpf32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Coagla32.exeC:\Windows\system32\Coagla32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Ccmclp32.exeC:\Windows\system32\Ccmclp32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5968 -
C:\Windows\SysWOW64\Cekohk32.exeC:\Windows\system32\Cekohk32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\Dhjkdg32.exeC:\Windows\system32\Dhjkdg32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Windows\SysWOW64\Dlegeemh.exeC:\Windows\system32\Dlegeemh.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\SysWOW64\Doccaall.exeC:\Windows\system32\Doccaall.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Windows\SysWOW64\Dcopbp32.exeC:\Windows\system32\Dcopbp32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5364 -
C:\Windows\SysWOW64\Dhlhjf32.exeC:\Windows\system32\Dhlhjf32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5872 -
C:\Windows\SysWOW64\Dlgdkeje.exeC:\Windows\system32\Dlgdkeje.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
C:\Windows\SysWOW64\Dofpgqji.exeC:\Windows\system32\Dofpgqji.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5332 -
C:\Windows\SysWOW64\Dcalgo32.exeC:\Windows\system32\Dcalgo32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
C:\Windows\SysWOW64\Dephckaf.exeC:\Windows\system32\Dephckaf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Dhnepfpj.exeC:\Windows\system32\Dhnepfpj.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Dpemacql.exeC:\Windows\system32\Dpemacql.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5288 -
C:\Windows\SysWOW64\Dcdimopp.exeC:\Windows\system32\Dcdimopp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5664 -
C:\Windows\SysWOW64\Dagiil32.exeC:\Windows\system32\Dagiil32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Djnaji32.exeC:\Windows\system32\Djnaji32.exe23⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Dllmfd32.exeC:\Windows\system32\Dllmfd32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Dokjbp32.exeC:\Windows\system32\Dokjbp32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\Dcfebonm.exeC:\Windows\system32\Dcfebonm.exe26⤵
- Executes dropped EXE
PID:5628 -
C:\Windows\SysWOW64\Dfdbojmq.exeC:\Windows\system32\Dfdbojmq.exe27⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Djpnohej.exeC:\Windows\system32\Djpnohej.exe28⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Dlojkddn.exeC:\Windows\system32\Dlojkddn.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:364 -
C:\Windows\SysWOW64\Dpjflb32.exeC:\Windows\system32\Dpjflb32.exe30⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Domfgpca.exeC:\Windows\system32\Domfgpca.exe31⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Dakbckbe.exeC:\Windows\system32\Dakbckbe.exe32⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Efgodj32.exeC:\Windows\system32\Efgodj32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:4812 -
C:\Windows\SysWOW64\Ehekqe32.exeC:\Windows\system32\Ehekqe32.exe34⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Elagacbk.exeC:\Windows\system32\Elagacbk.exe35⤵
- Executes dropped EXE
PID:5144 -
C:\Windows\SysWOW64\Eoocmoao.exeC:\Windows\system32\Eoocmoao.exe36⤵
- Executes dropped EXE
PID:4028 -
C:\Windows\SysWOW64\Eckonn32.exeC:\Windows\system32\Eckonn32.exe37⤵
- Executes dropped EXE
PID:5152 -
C:\Windows\SysWOW64\Ebnoikqb.exeC:\Windows\system32\Ebnoikqb.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Ejegjh32.exeC:\Windows\system32\Ejegjh32.exe39⤵
- Executes dropped EXE
PID:3236 -
C:\Windows\SysWOW64\Elccfc32.exeC:\Windows\system32\Elccfc32.exe40⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Epopgbia.exeC:\Windows\system32\Epopgbia.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3180 -
C:\Windows\SysWOW64\Ecmlcmhe.exeC:\Windows\system32\Ecmlcmhe.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3596 -
C:\Windows\SysWOW64\Ebploj32.exeC:\Windows\system32\Ebploj32.exe43⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Ejgdpg32.exeC:\Windows\system32\Ejgdpg32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Ehjdldfl.exeC:\Windows\system32\Ehjdldfl.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Eleplc32.exeC:\Windows\system32\Eleplc32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Eqalmafo.exeC:\Windows\system32\Eqalmafo.exe47⤵
- Executes dropped EXE
PID:5536 -
C:\Windows\SysWOW64\Ecphimfb.exeC:\Windows\system32\Ecphimfb.exe48⤵
- Executes dropped EXE
PID:5396 -
C:\Windows\SysWOW64\Ebbidj32.exeC:\Windows\system32\Ebbidj32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1420 -
C:\Windows\SysWOW64\Efneehef.exeC:\Windows\system32\Efneehef.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Ejjqeg32.exeC:\Windows\system32\Ejjqeg32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5472 -
C:\Windows\SysWOW64\Ehlaaddj.exeC:\Windows\system32\Ehlaaddj.exe52⤵
- Executes dropped EXE
PID:5444 -
C:\Windows\SysWOW64\Eqciba32.exeC:\Windows\system32\Eqciba32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5732 -
C:\Windows\SysWOW64\Eofinnkf.exeC:\Windows\system32\Eofinnkf.exe54⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Ebeejijj.exeC:\Windows\system32\Ebeejijj.exe55⤵
- Executes dropped EXE
PID:4672 -
C:\Windows\SysWOW64\Efpajh32.exeC:\Windows\system32\Efpajh32.exe56⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Ejlmkgkl.exeC:\Windows\system32\Ejlmkgkl.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Emjjgbjp.exeC:\Windows\system32\Emjjgbjp.exe58⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Eqfeha32.exeC:\Windows\system32\Eqfeha32.exe59⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Eoifcnid.exeC:\Windows\system32\Eoifcnid.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4480 -
C:\Windows\SysWOW64\Ecdbdl32.exeC:\Windows\system32\Ecdbdl32.exe61⤵
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Ffbnph32.exeC:\Windows\system32\Ffbnph32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1172 -
C:\Windows\SysWOW64\Fjnjqfij.exeC:\Windows\system32\Fjnjqfij.exe63⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Fhajlc32.exeC:\Windows\system32\Fhajlc32.exe64⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Fqhbmqqg.exeC:\Windows\system32\Fqhbmqqg.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Fcgoilpj.exeC:\Windows\system32\Fcgoilpj.exe66⤵PID:4660
-
C:\Windows\SysWOW64\Fcgoilpj.exeC:\Windows\system32\Fcgoilpj.exe67⤵PID:3100
-
C:\Windows\SysWOW64\Fbioei32.exeC:\Windows\system32\Fbioei32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4668 -
C:\Windows\SysWOW64\Fjqgff32.exeC:\Windows\system32\Fjqgff32.exe69⤵
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Ficgacna.exeC:\Windows\system32\Ficgacna.exe70⤵
- Modifies registry class
PID:1972 -
C:\Windows\SysWOW64\Fqkocpod.exeC:\Windows\system32\Fqkocpod.exe71⤵PID:5860
-
C:\Windows\SysWOW64\Fomonm32.exeC:\Windows\system32\Fomonm32.exe72⤵PID:5708
-
C:\Windows\SysWOW64\Fbllkh32.exeC:\Windows\system32\Fbllkh32.exe73⤵PID:1392
-
C:\Windows\SysWOW64\Ffggkgmk.exeC:\Windows\system32\Ffggkgmk.exe74⤵PID:3064
-
C:\Windows\SysWOW64\Fifdgblo.exeC:\Windows\system32\Fifdgblo.exe75⤵PID:1944
-
C:\Windows\SysWOW64\Fmapha32.exeC:\Windows\system32\Fmapha32.exe76⤵PID:4692
-
C:\Windows\SysWOW64\Fopldmcl.exeC:\Windows\system32\Fopldmcl.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2348 -
C:\Windows\SysWOW64\Fbnhphbp.exeC:\Windows\system32\Fbnhphbp.exe78⤵
- Drops file in System32 directory
PID:5440 -
C:\Windows\SysWOW64\Ffjdqg32.exeC:\Windows\system32\Ffjdqg32.exe79⤵PID:2868
-
C:\Windows\SysWOW64\Fihqmb32.exeC:\Windows\system32\Fihqmb32.exe80⤵PID:804
-
C:\Windows\SysWOW64\Fmclmabe.exeC:\Windows\system32\Fmclmabe.exe81⤵
- Drops file in System32 directory
PID:4624 -
C:\Windows\SysWOW64\Fqohnp32.exeC:\Windows\system32\Fqohnp32.exe82⤵PID:5904
-
C:\Windows\SysWOW64\Fcnejk32.exeC:\Windows\system32\Fcnejk32.exe83⤵PID:3896
-
C:\Windows\SysWOW64\Fflaff32.exeC:\Windows\system32\Fflaff32.exe84⤵PID:4008
-
C:\Windows\SysWOW64\Fijmbb32.exeC:\Windows\system32\Fijmbb32.exe85⤵PID:1860
-
C:\Windows\SysWOW64\Fqaeco32.exeC:\Windows\system32\Fqaeco32.exe86⤵PID:5044
-
C:\Windows\SysWOW64\Fodeolof.exeC:\Windows\system32\Fodeolof.exe87⤵PID:2264
-
C:\Windows\SysWOW64\Gbcakg32.exeC:\Windows\system32\Gbcakg32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5404 -
C:\Windows\SysWOW64\Gfnnlffc.exeC:\Windows\system32\Gfnnlffc.exe89⤵
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Gmhfhp32.exeC:\Windows\system32\Gmhfhp32.exe90⤵PID:2860
-
C:\Windows\SysWOW64\Gqdbiofi.exeC:\Windows\system32\Gqdbiofi.exe91⤵PID:2952
-
C:\Windows\SysWOW64\Gogbdl32.exeC:\Windows\system32\Gogbdl32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3968 -
C:\Windows\SysWOW64\Gbenqg32.exeC:\Windows\system32\Gbenqg32.exe93⤵PID:4432
-
C:\Windows\SysWOW64\Gfqjafdq.exeC:\Windows\system32\Gfqjafdq.exe94⤵PID:4192
-
C:\Windows\SysWOW64\Giofnacd.exeC:\Windows\system32\Giofnacd.exe95⤵
- Drops file in System32 directory
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Gmkbnp32.exeC:\Windows\system32\Gmkbnp32.exe96⤵PID:4656
-
C:\Windows\SysWOW64\Goiojk32.exeC:\Windows\system32\Goiojk32.exe97⤵PID:2220
-
C:\Windows\SysWOW64\Gcekkjcj.exeC:\Windows\system32\Gcekkjcj.exe98⤵PID:5632
-
C:\Windows\SysWOW64\Gfcgge32.exeC:\Windows\system32\Gfcgge32.exe99⤵
- Drops file in System32 directory
PID:4684 -
C:\Windows\SysWOW64\Giacca32.exeC:\Windows\system32\Giacca32.exe100⤵PID:3520
-
C:\Windows\SysWOW64\Gmmocpjk.exeC:\Windows\system32\Gmmocpjk.exe101⤵PID:2740
-
C:\Windows\SysWOW64\Gpklpkio.exeC:\Windows\system32\Gpklpkio.exe102⤵PID:668
-
C:\Windows\SysWOW64\Gidphq32.exeC:\Windows\system32\Gidphq32.exe103⤵
- Modifies registry class
PID:4148 -
C:\Windows\SysWOW64\Gqkhjn32.exeC:\Windows\system32\Gqkhjn32.exe104⤵
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Gpnhekgl.exeC:\Windows\system32\Gpnhekgl.exe105⤵PID:2864
-
C:\Windows\SysWOW64\Gbldaffp.exeC:\Windows\system32\Gbldaffp.exe106⤵PID:1684
-
C:\Windows\SysWOW64\Gfhqbe32.exeC:\Windows\system32\Gfhqbe32.exe107⤵PID:6136
-
C:\Windows\SysWOW64\Gjclbc32.exeC:\Windows\system32\Gjclbc32.exe108⤵PID:5344
-
C:\Windows\SysWOW64\Gmaioo32.exeC:\Windows\system32\Gmaioo32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4696 -
C:\Windows\SysWOW64\Gppekj32.exeC:\Windows\system32\Gppekj32.exe110⤵
- Drops file in System32 directory
PID:5108 -
C:\Windows\SysWOW64\Hboagf32.exeC:\Windows\system32\Hboagf32.exe111⤵PID:4412
-
C:\Windows\SysWOW64\Hjfihc32.exeC:\Windows\system32\Hjfihc32.exe112⤵PID:1524
-
C:\Windows\SysWOW64\Hihicplj.exeC:\Windows\system32\Hihicplj.exe113⤵PID:2652
-
C:\Windows\SysWOW64\Hapaemll.exeC:\Windows\system32\Hapaemll.exe114⤵PID:5816
-
C:\Windows\SysWOW64\Hpbaqj32.exeC:\Windows\system32\Hpbaqj32.exe115⤵PID:5060
-
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe116⤵PID:712
-
C:\Windows\SysWOW64\Hfljmdjc.exeC:\Windows\system32\Hfljmdjc.exe117⤵PID:1404
-
C:\Windows\SysWOW64\Hikfip32.exeC:\Windows\system32\Hikfip32.exe118⤵
- Modifies registry class
PID:4676 -
C:\Windows\SysWOW64\Hmfbjnbp.exeC:\Windows\system32\Hmfbjnbp.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2372 -
C:\Windows\SysWOW64\Hpenfjad.exeC:\Windows\system32\Hpenfjad.exe120⤵PID:1148
-
C:\Windows\SysWOW64\Hbckbepg.exeC:\Windows\system32\Hbckbepg.exe121⤵PID:5960
-
C:\Windows\SysWOW64\Hfofbd32.exeC:\Windows\system32\Hfofbd32.exe122⤵PID:4448
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-