Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
02-06-2024 10:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
virussign.com_fb66cd9375456e3d85a2fb3f2cf9bfc0.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
virussign.com_fb66cd9375456e3d85a2fb3f2cf9bfc0.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
virussign.com_fb66cd9375456e3d85a2fb3f2cf9bfc0.exe
-
Size
344KB
-
MD5
fb66cd9375456e3d85a2fb3f2cf9bfc0
-
SHA1
a283a7865dcda09ffa3d07de9177014bac79cfcd
-
SHA256
1a5af17b0d6f2bcb3370e2103b39583de9fa003e376dd569a76f4868d0df7bc3
-
SHA512
5f8db4fc898551d1eff3d2a6096c9adf36752df787ad72db1661fcbc0e04886c1efbb44df41a8b1299ee180acc9c22f95b909701cd8b8906f26434b653594ca4
-
SSDEEP
3072:Oxy0UhQCpVrV2/VknbzvxPLaD6OkPgtz6MjK7aIjCqjRrz3QFn:H09CpX2/mnbzvdLaD6OkPgl6bmIjlQFn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgddhf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnlhfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djgjlelk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmqgnhmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjbena32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bejogg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jigollag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndkahnhh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbnjmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaqcbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Medgncoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjoankoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Demecd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocbddc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgqeappe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olkhmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibjqcd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojgbfocc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opakbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afoeiklb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmdedo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfcpncdk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdcpcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqaeco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnnjen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdcbom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogpmjb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqgkhnjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doqpak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcojed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddbbeade.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mchhggno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icjmmg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnjjdgee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbgipldd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmgfda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfgmjqop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjmgfgdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aniajnnn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Camphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gofkje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcmnpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klljnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lingibiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bapiabak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhhnpjmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcedaheh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mncmjfmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjbena32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkfkfohj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdiklqhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kedoge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lebkhc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lphoelqn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoapbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgmcqggf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajiknpjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nepgjaeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqdqof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnmcjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hippdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iikhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnfdcjkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blpnib32.exe -
Executes dropped EXE 64 IoCs
pid Process 4740 Elagacbk.exe 4680 Ebnoikqb.exe 4432 Elccfc32.exe 2212 Eoapbo32.exe 976 Eflhoigi.exe 5092 Ecphimfb.exe 212 Ehlaaddj.exe 4488 Eofinnkf.exe 1696 Ejlmkgkl.exe 3888 Eoifcnid.exe 780 Fjnjqfij.exe 5084 Fcgoilpj.exe 4636 Fmocba32.exe 4244 Fcikolnh.exe 2772 Fmapha32.exe 5044 Fopldmcl.exe 3704 Ffjdqg32.exe 548 Fqohnp32.exe 2868 Fflaff32.exe 1396 Fqaeco32.exe 1748 Gbcakg32.exe 1056 Gimjhafg.exe 4952 Gcbnejem.exe 3252 Gjlfbd32.exe 2688 Goiojk32.exe 3712 Gbgkfg32.exe 224 Giacca32.exe 1804 Gpklpkio.exe 944 Gjapmdid.exe 3684 Gqkhjn32.exe 4748 Gfhqbe32.exe 4996 Gmaioo32.exe 1372 Hclakimb.exe 4340 Hfjmgdlf.exe 4376 Hmdedo32.exe 4028 Hpbaqj32.exe 980 Hbanme32.exe 2100 Hjhfnccl.exe 2748 Hpenfjad.exe 2796 Hcqjfh32.exe 728 Hfofbd32.exe 4100 Hadkpm32.exe 2324 Hccglh32.exe 3000 Hjmoibog.exe 3328 Hippdo32.exe 2580 Hcedaheh.exe 4580 Hfcpncdk.exe 1516 Hibljoco.exe 5068 Haidklda.exe 2604 Ibjqcd32.exe 3876 Ijaida32.exe 1900 Iakaql32.exe 4800 Icjmmg32.exe 3084 Ifhiib32.exe 3216 Iiffen32.exe 3040 Iannfk32.exe 1416 Icljbg32.exe 5028 Ibojncfj.exe 3060 Iiibkn32.exe 440 Idofhfmm.exe 1604 Ijhodq32.exe 4928 Imgkql32.exe 2044 Ibccic32.exe 2056 Ijkljp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Feibedlp.dll Ambgef32.exe File created C:\Windows\SysWOW64\Kdopod32.exe Kaqcbi32.exe File opened for modification C:\Windows\SysWOW64\Ncihikcg.exe Nbhkac32.exe File opened for modification C:\Windows\SysWOW64\Gicinj32.exe Gfembo32.exe File created C:\Windows\SysWOW64\Fnhfnh32.dll Ceoibflm.exe File created C:\Windows\SysWOW64\Nbhkac32.exe Nkncdifl.exe File opened for modification C:\Windows\SysWOW64\Bejogg32.exe Bblckl32.exe File created C:\Windows\SysWOW64\Gjhilj32.dll Gcojed32.exe File created C:\Windows\SysWOW64\Jbpbca32.dll Delnin32.exe File created C:\Windows\SysWOW64\Jffldcca.dll Dohfbj32.exe File created C:\Windows\SysWOW64\Kplpjn32.exe Kmncnb32.exe File created C:\Windows\SysWOW64\Lgmngglp.exe Ldoaklml.exe File created C:\Windows\SysWOW64\Olihhh32.dll Pbkamqmd.exe File opened for modification C:\Windows\SysWOW64\Pjmlbbdg.exe Pgopffec.exe File created C:\Windows\SysWOW64\Phkjck32.dll Lingibiq.exe File opened for modification C:\Windows\SysWOW64\Iemppiab.exe Ibnccmbo.exe File created C:\Windows\SysWOW64\Afomjffg.dll Imfdff32.exe File created C:\Windows\SysWOW64\Iihqganf.dll Lenamdem.exe File opened for modification C:\Windows\SysWOW64\Jbhmdbnp.exe Jpjqhgol.exe File opened for modification C:\Windows\SysWOW64\Jigollag.exe Jkdnpo32.exe File opened for modification C:\Windows\SysWOW64\Hkfoeega.exe Helfik32.exe File created C:\Windows\SysWOW64\Nnjaqjfh.dll Bclhhnca.exe File created C:\Windows\SysWOW64\Klohppck.dll Chmeobkq.exe File opened for modification C:\Windows\SysWOW64\Dhpjkojk.exe Dafbne32.exe File opened for modification C:\Windows\SysWOW64\Jimekgff.exe Jfoiokfb.exe File created C:\Windows\SysWOW64\Jplmmfmi.exe Jmnaakne.exe File created C:\Windows\SysWOW64\Cnkplejl.exe Cfdhkhjj.exe File created C:\Windows\SysWOW64\Ekhjmiad.exe Ehimanbq.exe File created C:\Windows\SysWOW64\Gfbploob.exe Gcddpdpo.exe File created C:\Windows\SysWOW64\Gifhkeje.dll Daconoae.exe File created C:\Windows\SysWOW64\Gmlfmg32.dll Hccglh32.exe File created C:\Windows\SysWOW64\Iannfk32.exe Iiffen32.exe File created C:\Windows\SysWOW64\Icljbg32.exe Iannfk32.exe File opened for modification C:\Windows\SysWOW64\Odkjng32.exe Olcbmj32.exe File created C:\Windows\SysWOW64\Odapnf32.exe Olkhmi32.exe File opened for modification C:\Windows\SysWOW64\Dogogcpo.exe Dkkcge32.exe File created C:\Windows\SysWOW64\Hpenfjad.exe Hjhfnccl.exe File created C:\Windows\SysWOW64\Jbfpobpb.exe Jdcpcf32.exe File created C:\Windows\SysWOW64\Fbnafb32.exe Fkciihgg.exe File created C:\Windows\SysWOW64\Bhaebcen.exe Bahmfj32.exe File opened for modification C:\Windows\SysWOW64\Afoeiklb.exe Aeniabfd.exe File created C:\Windows\SysWOW64\Maickled.dll Cdcoim32.exe File created C:\Windows\SysWOW64\Dalchnkg.dll Ojopad32.exe File created C:\Windows\SysWOW64\Pbkamqmd.exe Pkaiqf32.exe File created C:\Windows\SysWOW64\Kmfiloih.dll Anfmjhmd.exe File created C:\Windows\SysWOW64\Lmgfda32.exe Lgmngglp.exe File created C:\Windows\SysWOW64\Jcbdhp32.dll Ddakjkqi.exe File opened for modification C:\Windows\SysWOW64\Bapiabak.exe Bfkedibe.exe File created C:\Windows\SysWOW64\Ibjqcd32.exe Haidklda.exe File opened for modification C:\Windows\SysWOW64\Lpcmec32.exe Lnepih32.exe File created C:\Windows\SysWOW64\Higchddh.dll Dceohhja.exe File created C:\Windows\SysWOW64\Njogjfoj.exe Nqfbaq32.exe File created C:\Windows\SysWOW64\Helfik32.exe Hbnjmp32.exe File opened for modification C:\Windows\SysWOW64\Ndaggimg.exe Nngokoej.exe File opened for modification C:\Windows\SysWOW64\Ddbbeade.exe Dadeieea.exe File created C:\Windows\SysWOW64\Hjmoibog.exe Hccglh32.exe File opened for modification C:\Windows\SysWOW64\Hjmoibog.exe Hccglh32.exe File created C:\Windows\SysWOW64\Oqdoboli.exe Okhfjh32.exe File opened for modification C:\Windows\SysWOW64\Elccfc32.exe Ebnoikqb.exe File created C:\Windows\SysWOW64\Imihfl32.exe Ijkljp32.exe File opened for modification C:\Windows\SysWOW64\Ocpgod32.exe Opakbi32.exe File created C:\Windows\SysWOW64\Iikhfg32.exe Ifllil32.exe File opened for modification C:\Windows\SysWOW64\Bjddphlq.exe Bcjlcn32.exe File created C:\Windows\SysWOW64\Chkede32.dll Elagacbk.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12532 12452 WerFault.exe 622 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anbkio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eefhjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odocigqg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncbknfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfjmgdlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njogjfoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ippggbck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Medgncoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpablkhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndcdmikd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpappc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Menjdbgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojoign32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhilj32.dll" Gcojed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qddina32.dll" Hkkhqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiecmmbf.dll" Lfhdlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngpccdlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcifkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnaendmh.dll" Bjghpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdjjckag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll" Bjokdipf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbqlfkmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll" Afjlnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcbifaej.dll" Jimekgff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbeidl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll" Bmkjkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flioncbc.dll" Dkjmlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbdgfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdbinofi.dll" Jidklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aanjpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blbknaib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgifdn32.dll" Cdkldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icplcpgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jianff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngpccdlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbgkfg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hccglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhcbhjlp.dll" Dkgqfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll" Cnkplejl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcfhof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijfjal32.dll" Mmlpoqpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcmofolg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mahbje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eeidoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" Dknpmdfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID virussign.com_fb66cd9375456e3d85a2fb3f2cf9bfc0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aceghl32.dll" Kfmepi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aepefb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpeiioac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll" Nnlhfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oepgml32.dll" Bahmfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll" Baicac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbajhpfb.dll" Gjapmdid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qajadlja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbhkac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohfjnoma.dll" Ippggbck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmbfpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgdelcpg.dll" Jcefno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhmhq32.dll" Hjmoibog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll" Bcebhoii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bclhhnca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjmnoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fflaff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll" Kkihknfg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4760 wrote to memory of 4740 4760 virussign.com_fb66cd9375456e3d85a2fb3f2cf9bfc0.exe 81 PID 4760 wrote to memory of 4740 4760 virussign.com_fb66cd9375456e3d85a2fb3f2cf9bfc0.exe 81 PID 4760 wrote to memory of 4740 4760 virussign.com_fb66cd9375456e3d85a2fb3f2cf9bfc0.exe 81 PID 4740 wrote to memory of 4680 4740 Elagacbk.exe 82 PID 4740 wrote to memory of 4680 4740 Elagacbk.exe 82 PID 4740 wrote to memory of 4680 4740 Elagacbk.exe 82 PID 4680 wrote to memory of 4432 4680 Ebnoikqb.exe 83 PID 4680 wrote to memory of 4432 4680 Ebnoikqb.exe 83 PID 4680 wrote to memory of 4432 4680 Ebnoikqb.exe 83 PID 4432 wrote to memory of 2212 4432 Elccfc32.exe 84 PID 4432 wrote to memory of 2212 4432 Elccfc32.exe 84 PID 4432 wrote to memory of 2212 4432 Elccfc32.exe 84 PID 2212 wrote to memory of 976 2212 Eoapbo32.exe 85 PID 2212 wrote to memory of 976 2212 Eoapbo32.exe 85 PID 2212 wrote to memory of 976 2212 Eoapbo32.exe 85 PID 976 wrote to memory of 5092 976 Eflhoigi.exe 87 PID 976 wrote to memory of 5092 976 Eflhoigi.exe 87 PID 976 wrote to memory of 5092 976 Eflhoigi.exe 87 PID 5092 wrote to memory of 212 5092 Ecphimfb.exe 88 PID 5092 wrote to memory of 212 5092 Ecphimfb.exe 88 PID 5092 wrote to memory of 212 5092 Ecphimfb.exe 88 PID 212 wrote to memory of 4488 212 Ehlaaddj.exe 89 PID 212 wrote to memory of 4488 212 Ehlaaddj.exe 89 PID 212 wrote to memory of 4488 212 Ehlaaddj.exe 89 PID 4488 wrote to memory of 1696 4488 Eofinnkf.exe 91 PID 4488 wrote to memory of 1696 4488 Eofinnkf.exe 91 PID 4488 wrote to memory of 1696 4488 Eofinnkf.exe 91 PID 1696 wrote to memory of 3888 1696 Ejlmkgkl.exe 92 PID 1696 wrote to memory of 3888 1696 Ejlmkgkl.exe 92 PID 1696 wrote to memory of 3888 1696 Ejlmkgkl.exe 92 PID 3888 wrote to memory of 780 3888 Eoifcnid.exe 93 PID 3888 wrote to memory of 780 3888 Eoifcnid.exe 93 PID 3888 wrote to memory of 780 3888 Eoifcnid.exe 93 PID 780 wrote to memory of 5084 780 Fjnjqfij.exe 94 PID 780 wrote to memory of 5084 780 Fjnjqfij.exe 94 PID 780 wrote to memory of 5084 780 Fjnjqfij.exe 94 PID 5084 wrote to memory of 4636 5084 Fcgoilpj.exe 96 PID 5084 wrote to memory of 4636 5084 Fcgoilpj.exe 96 PID 5084 wrote to memory of 4636 5084 Fcgoilpj.exe 96 PID 4636 wrote to memory of 4244 4636 Fmocba32.exe 97 PID 4636 wrote to memory of 4244 4636 Fmocba32.exe 97 PID 4636 wrote to memory of 4244 4636 Fmocba32.exe 97 PID 4244 wrote to memory of 2772 4244 Fcikolnh.exe 98 PID 4244 wrote to memory of 2772 4244 Fcikolnh.exe 98 PID 4244 wrote to memory of 2772 4244 Fcikolnh.exe 98 PID 2772 wrote to memory of 5044 2772 Fmapha32.exe 99 PID 2772 wrote to memory of 5044 2772 Fmapha32.exe 99 PID 2772 wrote to memory of 5044 2772 Fmapha32.exe 99 PID 5044 wrote to memory of 3704 5044 Fopldmcl.exe 100 PID 5044 wrote to memory of 3704 5044 Fopldmcl.exe 100 PID 5044 wrote to memory of 3704 5044 Fopldmcl.exe 100 PID 3704 wrote to memory of 548 3704 Ffjdqg32.exe 101 PID 3704 wrote to memory of 548 3704 Ffjdqg32.exe 101 PID 3704 wrote to memory of 548 3704 Ffjdqg32.exe 101 PID 548 wrote to memory of 2868 548 Fqohnp32.exe 102 PID 548 wrote to memory of 2868 548 Fqohnp32.exe 102 PID 548 wrote to memory of 2868 548 Fqohnp32.exe 102 PID 2868 wrote to memory of 1396 2868 Fflaff32.exe 103 PID 2868 wrote to memory of 1396 2868 Fflaff32.exe 103 PID 2868 wrote to memory of 1396 2868 Fflaff32.exe 103 PID 1396 wrote to memory of 1748 1396 Fqaeco32.exe 104 PID 1396 wrote to memory of 1748 1396 Fqaeco32.exe 104 PID 1396 wrote to memory of 1748 1396 Fqaeco32.exe 104 PID 1748 wrote to memory of 1056 1748 Gbcakg32.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\virussign.com_fb66cd9375456e3d85a2fb3f2cf9bfc0.exe"C:\Users\Admin\AppData\Local\Temp\virussign.com_fb66cd9375456e3d85a2fb3f2cf9bfc0.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Windows\SysWOW64\Elagacbk.exeC:\Windows\system32\Elagacbk.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\SysWOW64\Ebnoikqb.exeC:\Windows\system32\Ebnoikqb.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\SysWOW64\Elccfc32.exeC:\Windows\system32\Elccfc32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\SysWOW64\Eoapbo32.exeC:\Windows\system32\Eoapbo32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Eflhoigi.exeC:\Windows\system32\Eflhoigi.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Windows\SysWOW64\Ecphimfb.exeC:\Windows\system32\Ecphimfb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Windows\SysWOW64\Ehlaaddj.exeC:\Windows\system32\Ehlaaddj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\SysWOW64\Eofinnkf.exeC:\Windows\system32\Eofinnkf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\SysWOW64\Ejlmkgkl.exeC:\Windows\system32\Ejlmkgkl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Eoifcnid.exeC:\Windows\system32\Eoifcnid.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Windows\SysWOW64\Fjnjqfij.exeC:\Windows\system32\Fjnjqfij.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Windows\SysWOW64\Fcgoilpj.exeC:\Windows\system32\Fcgoilpj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Windows\SysWOW64\Fmocba32.exeC:\Windows\system32\Fmocba32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\Windows\SysWOW64\Fcikolnh.exeC:\Windows\system32\Fcikolnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Windows\SysWOW64\Fmapha32.exeC:\Windows\system32\Fmapha32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Fopldmcl.exeC:\Windows\system32\Fopldmcl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Ffjdqg32.exeC:\Windows\system32\Ffjdqg32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Windows\SysWOW64\Fqohnp32.exeC:\Windows\system32\Fqohnp32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\Fflaff32.exeC:\Windows\system32\Fflaff32.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Fqaeco32.exeC:\Windows\system32\Fqaeco32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\Gbcakg32.exeC:\Windows\system32\Gbcakg32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Gimjhafg.exeC:\Windows\system32\Gimjhafg.exe23⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Gcbnejem.exeC:\Windows\system32\Gcbnejem.exe24⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Gjlfbd32.exeC:\Windows\system32\Gjlfbd32.exe25⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Goiojk32.exeC:\Windows\system32\Goiojk32.exe26⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Gbgkfg32.exeC:\Windows\system32\Gbgkfg32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:3712 -
C:\Windows\SysWOW64\Giacca32.exeC:\Windows\system32\Giacca32.exe28⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Gpklpkio.exeC:\Windows\system32\Gpklpkio.exe29⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Gjapmdid.exeC:\Windows\system32\Gjapmdid.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:944 -
C:\Windows\SysWOW64\Gqkhjn32.exeC:\Windows\system32\Gqkhjn32.exe31⤵
- Executes dropped EXE
PID:3684 -
C:\Windows\SysWOW64\Gfhqbe32.exeC:\Windows\system32\Gfhqbe32.exe32⤵
- Executes dropped EXE
PID:4748 -
C:\Windows\SysWOW64\Gmaioo32.exeC:\Windows\system32\Gmaioo32.exe33⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Hclakimb.exeC:\Windows\system32\Hclakimb.exe34⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Hfjmgdlf.exeC:\Windows\system32\Hfjmgdlf.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:4340 -
C:\Windows\SysWOW64\Hmdedo32.exeC:\Windows\system32\Hmdedo32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Hpbaqj32.exeC:\Windows\system32\Hpbaqj32.exe37⤵
- Executes dropped EXE
PID:4028 -
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe38⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Hjhfnccl.exeC:\Windows\system32\Hjhfnccl.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Hpenfjad.exeC:\Windows\system32\Hpenfjad.exe40⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Hcqjfh32.exeC:\Windows\system32\Hcqjfh32.exe41⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Hfofbd32.exeC:\Windows\system32\Hfofbd32.exe42⤵
- Executes dropped EXE
PID:728 -
C:\Windows\SysWOW64\Hadkpm32.exeC:\Windows\system32\Hadkpm32.exe43⤵
- Executes dropped EXE
PID:4100 -
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Hjmoibog.exeC:\Windows\system32\Hjmoibog.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Hippdo32.exeC:\Windows\system32\Hippdo32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3328 -
C:\Windows\SysWOW64\Hcedaheh.exeC:\Windows\system32\Hcedaheh.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Hfcpncdk.exeC:\Windows\system32\Hfcpncdk.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Hibljoco.exeC:\Windows\system32\Hibljoco.exe49⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Haidklda.exeC:\Windows\system32\Haidklda.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5068 -
C:\Windows\SysWOW64\Ibjqcd32.exeC:\Windows\system32\Ibjqcd32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Ijaida32.exeC:\Windows\system32\Ijaida32.exe52⤵
- Executes dropped EXE
PID:3876 -
C:\Windows\SysWOW64\Iakaql32.exeC:\Windows\system32\Iakaql32.exe53⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Icjmmg32.exeC:\Windows\system32\Icjmmg32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Ifhiib32.exeC:\Windows\system32\Ifhiib32.exe55⤵
- Executes dropped EXE
PID:3084 -
C:\Windows\SysWOW64\Iiffen32.exeC:\Windows\system32\Iiffen32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3216 -
C:\Windows\SysWOW64\Iannfk32.exeC:\Windows\system32\Iannfk32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3040 -
C:\Windows\SysWOW64\Icljbg32.exeC:\Windows\system32\Icljbg32.exe58⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Ibojncfj.exeC:\Windows\system32\Ibojncfj.exe59⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Iiibkn32.exeC:\Windows\system32\Iiibkn32.exe60⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Iapjlk32.exeC:\Windows\system32\Iapjlk32.exe61⤵PID:1836
-
C:\Windows\SysWOW64\Idofhfmm.exeC:\Windows\system32\Idofhfmm.exe62⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Ijhodq32.exeC:\Windows\system32\Ijhodq32.exe63⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Imgkql32.exeC:\Windows\system32\Imgkql32.exe64⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Ibccic32.exeC:\Windows\system32\Ibccic32.exe65⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Imihfl32.exeC:\Windows\system32\Imihfl32.exe67⤵PID:3656
-
C:\Windows\SysWOW64\Jdcpcf32.exeC:\Windows\system32\Jdcpcf32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4888 -
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe69⤵PID:4884
-
C:\Windows\SysWOW64\Jiphkm32.exeC:\Windows\system32\Jiphkm32.exe70⤵PID:4480
-
C:\Windows\SysWOW64\Jpjqhgol.exeC:\Windows\system32\Jpjqhgol.exe71⤵
- Drops file in System32 directory
PID:2508 -
C:\Windows\SysWOW64\Jbhmdbnp.exeC:\Windows\system32\Jbhmdbnp.exe72⤵PID:3964
-
C:\Windows\SysWOW64\Jjpeepnb.exeC:\Windows\system32\Jjpeepnb.exe73⤵PID:2712
-
C:\Windows\SysWOW64\Jmnaakne.exeC:\Windows\system32\Jmnaakne.exe74⤵
- Drops file in System32 directory
PID:5016 -
C:\Windows\SysWOW64\Jplmmfmi.exeC:\Windows\system32\Jplmmfmi.exe75⤵PID:4484
-
C:\Windows\SysWOW64\Jbkjjblm.exeC:\Windows\system32\Jbkjjblm.exe76⤵PID:4408
-
C:\Windows\SysWOW64\Jjbako32.exeC:\Windows\system32\Jjbako32.exe77⤵PID:2184
-
C:\Windows\SysWOW64\Jmpngk32.exeC:\Windows\system32\Jmpngk32.exe78⤵PID:4540
-
C:\Windows\SysWOW64\Jpojcf32.exeC:\Windows\system32\Jpojcf32.exe79⤵PID:3540
-
C:\Windows\SysWOW64\Jdjfcecp.exeC:\Windows\system32\Jdjfcecp.exe80⤵PID:1860
-
C:\Windows\SysWOW64\Jkdnpo32.exeC:\Windows\system32\Jkdnpo32.exe81⤵
- Drops file in System32 directory
PID:2096 -
C:\Windows\SysWOW64\Jigollag.exeC:\Windows\system32\Jigollag.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1904 -
C:\Windows\SysWOW64\Jangmibi.exeC:\Windows\system32\Jangmibi.exe83⤵PID:3436
-
C:\Windows\SysWOW64\Jfkoeppq.exeC:\Windows\system32\Jfkoeppq.exe84⤵PID:1576
-
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1972 -
C:\Windows\SysWOW64\Kaqcbi32.exeC:\Windows\system32\Kaqcbi32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4428 -
C:\Windows\SysWOW64\Kdopod32.exeC:\Windows\system32\Kdopod32.exe87⤵PID:824
-
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe88⤵
- Modifies registry class
PID:4460 -
C:\Windows\SysWOW64\Kgphpo32.exeC:\Windows\system32\Kgphpo32.exe89⤵PID:3788
-
C:\Windows\SysWOW64\Kaemnhla.exeC:\Windows\system32\Kaemnhla.exe90⤵PID:4400
-
C:\Windows\SysWOW64\Kdcijcke.exeC:\Windows\system32\Kdcijcke.exe91⤵PID:4212
-
C:\Windows\SysWOW64\Kgbefoji.exeC:\Windows\system32\Kgbefoji.exe92⤵PID:1912
-
C:\Windows\SysWOW64\Kipabjil.exeC:\Windows\system32\Kipabjil.exe93⤵PID:3692
-
C:\Windows\SysWOW64\Kpjjod32.exeC:\Windows\system32\Kpjjod32.exe94⤵PID:1840
-
C:\Windows\SysWOW64\Kcifkp32.exeC:\Windows\system32\Kcifkp32.exe95⤵
- Modifies registry class
PID:5184 -
C:\Windows\SysWOW64\Kkpnlm32.exeC:\Windows\system32\Kkpnlm32.exe96⤵PID:5232
-
C:\Windows\SysWOW64\Kmnjhioc.exeC:\Windows\system32\Kmnjhioc.exe97⤵PID:5300
-
C:\Windows\SysWOW64\Kajfig32.exeC:\Windows\system32\Kajfig32.exe98⤵PID:5356
-
C:\Windows\SysWOW64\Kdhbec32.exeC:\Windows\system32\Kdhbec32.exe99⤵PID:5424
-
C:\Windows\SysWOW64\Kckbqpnj.exeC:\Windows\system32\Kckbqpnj.exe100⤵PID:5476
-
C:\Windows\SysWOW64\Kgfoan32.exeC:\Windows\system32\Kgfoan32.exe101⤵PID:5524
-
C:\Windows\SysWOW64\Liekmj32.exeC:\Windows\system32\Liekmj32.exe102⤵PID:5556
-
C:\Windows\SysWOW64\Lmqgnhmp.exeC:\Windows\system32\Lmqgnhmp.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5600 -
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe104⤵PID:5648
-
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe105⤵
- Modifies registry class
PID:5708 -
C:\Windows\SysWOW64\Lkdggmlj.exeC:\Windows\system32\Lkdggmlj.exe106⤵PID:5752
-
C:\Windows\SysWOW64\Lpappc32.exeC:\Windows\system32\Lpappc32.exe107⤵
- Modifies registry class
PID:5796 -
C:\Windows\SysWOW64\Lgkhlnbn.exeC:\Windows\system32\Lgkhlnbn.exe108⤵PID:5840
-
C:\Windows\SysWOW64\Lnepih32.exeC:\Windows\system32\Lnepih32.exe109⤵
- Drops file in System32 directory
PID:5884 -
C:\Windows\SysWOW64\Lpcmec32.exeC:\Windows\system32\Lpcmec32.exe110⤵PID:5924
-
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe111⤵PID:5972
-
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe112⤵PID:6016
-
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe113⤵PID:6052
-
C:\Windows\SysWOW64\Lklnhlfb.exeC:\Windows\system32\Lklnhlfb.exe114⤵PID:6104
-
C:\Windows\SysWOW64\Lnjjdgee.exeC:\Windows\system32\Lnjjdgee.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6136 -
C:\Windows\SysWOW64\Lphfpbdi.exeC:\Windows\system32\Lphfpbdi.exe116⤵PID:5176
-
C:\Windows\SysWOW64\Lknjmkdo.exeC:\Windows\system32\Lknjmkdo.exe117⤵PID:5288
-
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe118⤵
- Modifies registry class
PID:5404 -
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe119⤵PID:5484
-
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5564 -
C:\Windows\SysWOW64\Mgghhlhq.exeC:\Windows\system32\Mgghhlhq.exe121⤵PID:5636
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-