Analysis
-
max time kernel
93s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
02-06-2024 18:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
virussign.com_cd4929e690bbb68f0116b73fcd71f0c0.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
virussign.com_cd4929e690bbb68f0116b73fcd71f0c0.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
virussign.com_cd4929e690bbb68f0116b73fcd71f0c0.exe
-
Size
80KB
-
MD5
cd4929e690bbb68f0116b73fcd71f0c0
-
SHA1
06276fe2f35a0c4473bcd372dcc02ea32128ecaa
-
SHA256
894c19122bb70fbd0f6eb67e1b1cf018a04678b7b90d1fbc6ad6a4e4a7b1bcec
-
SHA512
a81bccbdba3b7f1eb1c15d36039b9929ab6b60203bc718cc7fe17d3c89ebbe02fc93b5779e6c9b5510fae792217c2b127482985f2bd07cc21fee8cc7bb867733
-
SSDEEP
1536:mAZ3ga9QtNP7sU59XobrQB9el2LXJ9VqDlzVxyh+CbxMa:mARg/tNDsDrQB9eWXJ9IDlRxyhTb7
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcppfaka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkaicd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eemgplno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neffpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blpnib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekbihd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnlnbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipnalhii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpocjdld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npgabc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cippgm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fikbocki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iljpij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqfdnhfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibicnh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppopjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnnkgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kckbqpnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmkjkd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oblmdhdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icljbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbbmmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Balpgb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kimghn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pleaoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpgmha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njciko32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcahmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Liggbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pofjpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hodgkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egijmegb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lblaabdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijadbdoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdbhkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehlaaddj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jidbflcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbcqiope.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agdhbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goiojk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnckpmql.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kplpjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lldfjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efkphnbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfifmnij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kikame32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhniccb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebjcajjd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efpajh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocmconhk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knkekn32.exe -
Executes dropped EXE 64 IoCs
pid Process 3308 Eleplc32.exe 2932 Eodlho32.exe 4660 Efneehef.exe 4656 Ehlaaddj.exe 3216 Elhmablc.exe 720 Eofinnkf.exe 4420 Ecbenm32.exe 3076 Efpajh32.exe 880 Ejlmkgkl.exe 3120 Eqfeha32.exe 4548 Ffbnph32.exe 3060 Fhajlc32.exe 640 Fqhbmqqg.exe 4080 Fbioei32.exe 4412 Fmocba32.exe 4740 Fbllkh32.exe 2732 Fifdgblo.exe 2200 Fqmlhpla.exe 2364 Ffjdqg32.exe 3080 Fqohnp32.exe 3544 Fcnejk32.exe 4048 Fijmbb32.exe 2320 Fodeolof.exe 4696 Gbcakg32.exe 1936 Gimjhafg.exe 2524 Gqdbiofi.exe 5008 Gcbnejem.exe 4024 Giofnacd.exe 2036 Goiojk32.exe 3244 Gfcgge32.exe 784 Giacca32.exe 536 Gfedle32.exe 4760 Gmoliohh.exe 1608 Gpnhekgl.exe 4384 Gjclbc32.exe 768 Gmaioo32.exe 1172 Hboagf32.exe 3672 Hihicplj.exe 3664 Hapaemll.exe 4076 Hbanme32.exe 4820 Habnjm32.exe 1188 Hfofbd32.exe 4776 Hmioonpn.exe 2080 Hfachc32.exe 3456 Hippdo32.exe 5052 Hcedaheh.exe 3536 Hfcpncdk.exe 4720 Iffmccbi.exe 4400 Iidipnal.exe 4652 Ipnalhii.exe 3564 Ifhiib32.exe 4700 Iannfk32.exe 4792 Icljbg32.exe 948 Ifjfnb32.exe 1148 Ipckgh32.exe 1588 Ibagcc32.exe 4140 Iikopmkd.exe 1892 Ipegmg32.exe 1668 Ibccic32.exe 1756 Ijkljp32.exe 1948 Imihfl32.exe 3988 Jbfpobpb.exe 1580 Jiphkm32.exe 4940 Jagqlj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mgekdpbp.dll Oondnini.exe File created C:\Windows\SysWOW64\Mgcail32.dll Cmqmma32.exe File created C:\Windows\SysWOW64\Amjknl32.dll Dmjocp32.exe File created C:\Windows\SysWOW64\Efcknj32.dll Jehhaaci.exe File created C:\Windows\SysWOW64\Becnaq32.dll Hkjjlhle.exe File created C:\Windows\SysWOW64\Ojmjcf32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bacjdbch.exe Process not Found File created C:\Windows\SysWOW64\Honckk32.dll Hbanme32.exe File created C:\Windows\SysWOW64\Aoqimi32.dll Qddfkd32.exe File created C:\Windows\SysWOW64\Jgeghp32.exe Process not Found File created C:\Windows\SysWOW64\Naqcfnjk.dll Fcfhof32.exe File opened for modification C:\Windows\SysWOW64\Gahjgj32.exe Gojnko32.exe File created C:\Windows\SysWOW64\Ibihdfhm.dll Qnkdhpjn.exe File created C:\Windows\SysWOW64\Bdgged32.exe Process not Found File created C:\Windows\SysWOW64\Ldjcfk32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Jbgoof32.exe Jkmgblok.exe File opened for modification C:\Windows\SysWOW64\Nacmdf32.exe Njiegl32.exe File created C:\Windows\SysWOW64\Becifhfj.exe Abemjmgg.exe File opened for modification C:\Windows\SysWOW64\Ebhglj32.exe Emkndc32.exe File created C:\Windows\SysWOW64\Milcqamo.dll Process not Found File created C:\Windows\SysWOW64\Kqfngd32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mpmokb32.exe Mnocof32.exe File created C:\Windows\SysWOW64\Bkjhib32.dll Abngjnmo.exe File created C:\Windows\SysWOW64\Pjjhbl32.exe Pcppfaka.exe File created C:\Windows\SysWOW64\Bbnkonbd.exe Bkdcbd32.exe File created C:\Windows\SysWOW64\Bhgbbckh.dll Process not Found File opened for modification C:\Windows\SysWOW64\Kngcje32.exe Klifnj32.exe File created C:\Windows\SysWOW64\Kgdpni32.exe Process not Found File created C:\Windows\SysWOW64\Qmepam32.exe Process not Found File created C:\Windows\SysWOW64\Nmipdk32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dinmhkke.exe Ddadpdmn.exe File created C:\Windows\SysWOW64\Dgeofeib.dll Process not Found File created C:\Windows\SysWOW64\Anmfbl32.exe Process not Found File created C:\Windows\SysWOW64\Jeeobqbq.dll Process not Found File opened for modification C:\Windows\SysWOW64\Fcmnpe32.exe Fhgjblfq.exe File created C:\Windows\SysWOW64\Dfbiemdb.dll Process not Found File created C:\Windows\SysWOW64\Bldqfd32.dll Process not Found File created C:\Windows\SysWOW64\Ogacbllg.dll Process not Found File created C:\Windows\SysWOW64\Hmioonpn.exe Hfofbd32.exe File created C:\Windows\SysWOW64\Dfiafg32.exe Cegdnopg.exe File created C:\Windows\SysWOW64\Pdjgha32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dkqaoe32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Piijno32.exe Pabblb32.exe File opened for modification C:\Windows\SysWOW64\Cfnjpfcl.exe Process not Found File opened for modification C:\Windows\SysWOW64\Poodpmca.exe Plagcbdn.exe File created C:\Windows\SysWOW64\Dpgeee32.exe Dinmhkke.exe File created C:\Windows\SysWOW64\Phdpmbnc.dll Process not Found File created C:\Windows\SysWOW64\Fcfhof32.exe Fkopnh32.exe File created C:\Windows\SysWOW64\Mbfkbhpa.exe Lingibiq.exe File created C:\Windows\SysWOW64\Oemefcap.exe Oocmii32.exe File created C:\Windows\SysWOW64\Ckmonl32.exe Process not Found File created C:\Windows\SysWOW64\Jdkind32.dll Jbfpobpb.exe File created C:\Windows\SysWOW64\Jbfjlb32.dll Lbqklb32.exe File created C:\Windows\SysWOW64\Acjclpcf.exe Anmjcieo.exe File opened for modification C:\Windows\SysWOW64\Gpcfmkff.exe Gmdjapgb.exe File opened for modification C:\Windows\SysWOW64\Ojgjndno.exe Process not Found File opened for modification C:\Windows\SysWOW64\Plkpcfal.exe Process not Found File created C:\Windows\SysWOW64\Njfkmphe.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gcojed32.exe Gkhbdg32.exe File created C:\Windows\SysWOW64\Pcppfaka.exe Pmfhig32.exe File created C:\Windows\SysWOW64\Hnodaecc.exe Hgelek32.exe File opened for modification C:\Windows\SysWOW64\Nmnqjp32.exe Process not Found File created C:\Windows\SysWOW64\Mlcadgkl.dll Dkgqfl32.exe File created C:\Windows\SysWOW64\Edopabqn.exe Emehdh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 14040 14256 Process not Found 1556 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phbhcmjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqnhjk32.dll" Iidipnal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll" Mpolqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll" Pjhlml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlbpmd32.dll" Jdbhkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaadfkgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbmcqa32.dll" Dfamapjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lankbigo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binlfp32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibagcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjdachc.dll" Dinmhkke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlnkmnah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pogppn32.dll" Moaogand.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bejogg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kqpoakco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oidofh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oiknlagg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbjmj32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odocigqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Liggbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpfjma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hienlpel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfgdjh32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkdhjknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgfcalbj.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgnnhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggmookkn.dll" Npedmdab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amaqjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajhniccb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll" Mnocof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejmcmk32.dll" Alkdnboj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejfanad.dll" Eofbch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alkdoago.dll" Inainbcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nceonl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkioig32.dll" Ibffhhek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlnbgddc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljkifn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifona32.dll" Pabblb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcpjljph.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkopnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajji32.dll" Llemdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecpfpo32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpjjac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3732 wrote to memory of 3308 3732 virussign.com_cd4929e690bbb68f0116b73fcd71f0c0.exe 83 PID 3732 wrote to memory of 3308 3732 virussign.com_cd4929e690bbb68f0116b73fcd71f0c0.exe 83 PID 3732 wrote to memory of 3308 3732 virussign.com_cd4929e690bbb68f0116b73fcd71f0c0.exe 83 PID 3308 wrote to memory of 2932 3308 Eleplc32.exe 84 PID 3308 wrote to memory of 2932 3308 Eleplc32.exe 84 PID 3308 wrote to memory of 2932 3308 Eleplc32.exe 84 PID 2932 wrote to memory of 4660 2932 Eodlho32.exe 85 PID 2932 wrote to memory of 4660 2932 Eodlho32.exe 85 PID 2932 wrote to memory of 4660 2932 Eodlho32.exe 85 PID 4660 wrote to memory of 4656 4660 Efneehef.exe 86 PID 4660 wrote to memory of 4656 4660 Efneehef.exe 86 PID 4660 wrote to memory of 4656 4660 Efneehef.exe 86 PID 4656 wrote to memory of 3216 4656 Ehlaaddj.exe 87 PID 4656 wrote to memory of 3216 4656 Ehlaaddj.exe 87 PID 4656 wrote to memory of 3216 4656 Ehlaaddj.exe 87 PID 3216 wrote to memory of 720 3216 Elhmablc.exe 88 PID 3216 wrote to memory of 720 3216 Elhmablc.exe 88 PID 3216 wrote to memory of 720 3216 Elhmablc.exe 88 PID 720 wrote to memory of 4420 720 Eofinnkf.exe 89 PID 720 wrote to memory of 4420 720 Eofinnkf.exe 89 PID 720 wrote to memory of 4420 720 Eofinnkf.exe 89 PID 4420 wrote to memory of 3076 4420 Ecbenm32.exe 90 PID 4420 wrote to memory of 3076 4420 Ecbenm32.exe 90 PID 4420 wrote to memory of 3076 4420 Ecbenm32.exe 90 PID 3076 wrote to memory of 880 3076 Efpajh32.exe 91 PID 3076 wrote to memory of 880 3076 Efpajh32.exe 91 PID 3076 wrote to memory of 880 3076 Efpajh32.exe 91 PID 880 wrote to memory of 3120 880 Ejlmkgkl.exe 92 PID 880 wrote to memory of 3120 880 Ejlmkgkl.exe 92 PID 880 wrote to memory of 3120 880 Ejlmkgkl.exe 92 PID 3120 wrote to memory of 4548 3120 Eqfeha32.exe 93 PID 3120 wrote to memory of 4548 3120 Eqfeha32.exe 93 PID 3120 wrote to memory of 4548 3120 Eqfeha32.exe 93 PID 4548 wrote to memory of 3060 4548 Ffbnph32.exe 94 PID 4548 wrote to memory of 3060 4548 Ffbnph32.exe 94 PID 4548 wrote to memory of 3060 4548 Ffbnph32.exe 94 PID 3060 wrote to memory of 640 3060 Fhajlc32.exe 95 PID 3060 wrote to memory of 640 3060 Fhajlc32.exe 95 PID 3060 wrote to memory of 640 3060 Fhajlc32.exe 95 PID 640 wrote to memory of 4080 640 Fqhbmqqg.exe 96 PID 640 wrote to memory of 4080 640 Fqhbmqqg.exe 96 PID 640 wrote to memory of 4080 640 Fqhbmqqg.exe 96 PID 4080 wrote to memory of 4412 4080 Fbioei32.exe 97 PID 4080 wrote to memory of 4412 4080 Fbioei32.exe 97 PID 4080 wrote to memory of 4412 4080 Fbioei32.exe 97 PID 4412 wrote to memory of 4740 4412 Fmocba32.exe 98 PID 4412 wrote to memory of 4740 4412 Fmocba32.exe 98 PID 4412 wrote to memory of 4740 4412 Fmocba32.exe 98 PID 4740 wrote to memory of 2732 4740 Fbllkh32.exe 99 PID 4740 wrote to memory of 2732 4740 Fbllkh32.exe 99 PID 4740 wrote to memory of 2732 4740 Fbllkh32.exe 99 PID 2732 wrote to memory of 2200 2732 Fifdgblo.exe 100 PID 2732 wrote to memory of 2200 2732 Fifdgblo.exe 100 PID 2732 wrote to memory of 2200 2732 Fifdgblo.exe 100 PID 2200 wrote to memory of 2364 2200 Fqmlhpla.exe 101 PID 2200 wrote to memory of 2364 2200 Fqmlhpla.exe 101 PID 2200 wrote to memory of 2364 2200 Fqmlhpla.exe 101 PID 2364 wrote to memory of 3080 2364 Ffjdqg32.exe 102 PID 2364 wrote to memory of 3080 2364 Ffjdqg32.exe 102 PID 2364 wrote to memory of 3080 2364 Ffjdqg32.exe 102 PID 3080 wrote to memory of 3544 3080 Fqohnp32.exe 103 PID 3080 wrote to memory of 3544 3080 Fqohnp32.exe 103 PID 3080 wrote to memory of 3544 3080 Fqohnp32.exe 103 PID 3544 wrote to memory of 4048 3544 Fcnejk32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\virussign.com_cd4929e690bbb68f0116b73fcd71f0c0.exe"C:\Users\Admin\AppData\Local\Temp\virussign.com_cd4929e690bbb68f0116b73fcd71f0c0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3732 -
C:\Windows\SysWOW64\Eleplc32.exeC:\Windows\system32\Eleplc32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Windows\SysWOW64\Eodlho32.exeC:\Windows\system32\Eodlho32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Efneehef.exeC:\Windows\system32\Efneehef.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\SysWOW64\Ehlaaddj.exeC:\Windows\system32\Ehlaaddj.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\SysWOW64\Elhmablc.exeC:\Windows\system32\Elhmablc.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\Eofinnkf.exeC:\Windows\system32\Eofinnkf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:720 -
C:\Windows\SysWOW64\Ecbenm32.exeC:\Windows\system32\Ecbenm32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
C:\Windows\SysWOW64\Efpajh32.exeC:\Windows\system32\Efpajh32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Windows\SysWOW64\Ejlmkgkl.exeC:\Windows\system32\Ejlmkgkl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\SysWOW64\Eqfeha32.exeC:\Windows\system32\Eqfeha32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
C:\Windows\SysWOW64\Ffbnph32.exeC:\Windows\system32\Ffbnph32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Windows\SysWOW64\Fhajlc32.exeC:\Windows\system32\Fhajlc32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Fqhbmqqg.exeC:\Windows\system32\Fqhbmqqg.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\Fbioei32.exeC:\Windows\system32\Fbioei32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Windows\SysWOW64\Fmocba32.exeC:\Windows\system32\Fmocba32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\Fbllkh32.exeC:\Windows\system32\Fbllkh32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\SysWOW64\Fifdgblo.exeC:\Windows\system32\Fifdgblo.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Fqmlhpla.exeC:\Windows\system32\Fqmlhpla.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Ffjdqg32.exeC:\Windows\system32\Ffjdqg32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Fqohnp32.exeC:\Windows\system32\Fqohnp32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Windows\SysWOW64\Fcnejk32.exeC:\Windows\system32\Fcnejk32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
C:\Windows\SysWOW64\Fijmbb32.exeC:\Windows\system32\Fijmbb32.exe23⤵
- Executes dropped EXE
PID:4048 -
C:\Windows\SysWOW64\Fodeolof.exeC:\Windows\system32\Fodeolof.exe24⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Gbcakg32.exeC:\Windows\system32\Gbcakg32.exe25⤵
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Gimjhafg.exeC:\Windows\system32\Gimjhafg.exe26⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Gqdbiofi.exeC:\Windows\system32\Gqdbiofi.exe27⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Gcbnejem.exeC:\Windows\system32\Gcbnejem.exe28⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Giofnacd.exeC:\Windows\system32\Giofnacd.exe29⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Goiojk32.exeC:\Windows\system32\Goiojk32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Gfcgge32.exeC:\Windows\system32\Gfcgge32.exe31⤵
- Executes dropped EXE
PID:3244 -
C:\Windows\SysWOW64\Giacca32.exeC:\Windows\system32\Giacca32.exe32⤵
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\Gfedle32.exeC:\Windows\system32\Gfedle32.exe33⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Gmoliohh.exeC:\Windows\system32\Gmoliohh.exe34⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Gpnhekgl.exeC:\Windows\system32\Gpnhekgl.exe35⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Gjclbc32.exeC:\Windows\system32\Gjclbc32.exe36⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Gmaioo32.exeC:\Windows\system32\Gmaioo32.exe37⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Hboagf32.exeC:\Windows\system32\Hboagf32.exe38⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Hihicplj.exeC:\Windows\system32\Hihicplj.exe39⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Hapaemll.exeC:\Windows\system32\Hapaemll.exe40⤵
- Executes dropped EXE
PID:3664 -
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4076 -
C:\Windows\SysWOW64\Habnjm32.exeC:\Windows\system32\Habnjm32.exe42⤵
- Executes dropped EXE
PID:4820 -
C:\Windows\SysWOW64\Hfofbd32.exeC:\Windows\system32\Hfofbd32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1188 -
C:\Windows\SysWOW64\Hmioonpn.exeC:\Windows\system32\Hmioonpn.exe44⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Hfachc32.exeC:\Windows\system32\Hfachc32.exe45⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Hippdo32.exeC:\Windows\system32\Hippdo32.exe46⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Hcedaheh.exeC:\Windows\system32\Hcedaheh.exe47⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Hfcpncdk.exeC:\Windows\system32\Hfcpncdk.exe48⤵
- Executes dropped EXE
PID:3536 -
C:\Windows\SysWOW64\Iffmccbi.exeC:\Windows\system32\Iffmccbi.exe49⤵
- Executes dropped EXE
PID:4720 -
C:\Windows\SysWOW64\Iidipnal.exeC:\Windows\system32\Iidipnal.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:4400 -
C:\Windows\SysWOW64\Ipnalhii.exeC:\Windows\system32\Ipnalhii.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4652 -
C:\Windows\SysWOW64\Ifhiib32.exeC:\Windows\system32\Ifhiib32.exe52⤵
- Executes dropped EXE
PID:3564 -
C:\Windows\SysWOW64\Iannfk32.exeC:\Windows\system32\Iannfk32.exe53⤵
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\Icljbg32.exeC:\Windows\system32\Icljbg32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Ifjfnb32.exeC:\Windows\system32\Ifjfnb32.exe55⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Ipckgh32.exeC:\Windows\system32\Ipckgh32.exe56⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Ibagcc32.exeC:\Windows\system32\Ibagcc32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\Iikopmkd.exeC:\Windows\system32\Iikopmkd.exe58⤵
- Executes dropped EXE
PID:4140 -
C:\Windows\SysWOW64\Ipegmg32.exeC:\Windows\system32\Ipegmg32.exe59⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Ibccic32.exeC:\Windows\system32\Ibccic32.exe60⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe61⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Imihfl32.exeC:\Windows\system32\Imihfl32.exe62⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3988 -
C:\Windows\SysWOW64\Jiphkm32.exeC:\Windows\system32\Jiphkm32.exe64⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Jagqlj32.exeC:\Windows\system32\Jagqlj32.exe65⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Jbhmdbnp.exeC:\Windows\system32\Jbhmdbnp.exe66⤵PID:4996
-
C:\Windows\SysWOW64\Jibeql32.exeC:\Windows\system32\Jibeql32.exe67⤵PID:2992
-
C:\Windows\SysWOW64\Jaimbj32.exeC:\Windows\system32\Jaimbj32.exe68⤵PID:3452
-
C:\Windows\SysWOW64\Jbkjjblm.exeC:\Windows\system32\Jbkjjblm.exe69⤵PID:5096
-
C:\Windows\SysWOW64\Jidbflcj.exeC:\Windows\system32\Jidbflcj.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1544 -
C:\Windows\SysWOW64\Jdjfcecp.exeC:\Windows\system32\Jdjfcecp.exe71⤵PID:1208
-
C:\Windows\SysWOW64\Jdmcidam.exeC:\Windows\system32\Jdmcidam.exe72⤵PID:2976
-
C:\Windows\SysWOW64\Jfkoeppq.exeC:\Windows\system32\Jfkoeppq.exe73⤵PID:3592
-
C:\Windows\SysWOW64\Kmegbjgn.exeC:\Windows\system32\Kmegbjgn.exe74⤵PID:3940
-
C:\Windows\SysWOW64\Kpccnefa.exeC:\Windows\system32\Kpccnefa.exe75⤵PID:1776
-
C:\Windows\SysWOW64\Kpepcedo.exeC:\Windows\system32\Kpepcedo.exe76⤵PID:3392
-
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe77⤵PID:3172
-
C:\Windows\SysWOW64\Kgbefoji.exeC:\Windows\system32\Kgbefoji.exe78⤵PID:1288
-
C:\Windows\SysWOW64\Kipabjil.exeC:\Windows\system32\Kipabjil.exe79⤵PID:5072
-
C:\Windows\SysWOW64\Kcifkp32.exeC:\Windows\system32\Kcifkp32.exe80⤵PID:4360
-
C:\Windows\SysWOW64\Kmnjhioc.exeC:\Windows\system32\Kmnjhioc.exe81⤵PID:3508
-
C:\Windows\SysWOW64\Kckbqpnj.exeC:\Windows\system32\Kckbqpnj.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1828 -
C:\Windows\SysWOW64\Lmqgnhmp.exeC:\Windows\system32\Lmqgnhmp.exe83⤵PID:452
-
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4772 -
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe85⤵PID:1272
-
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4276 -
C:\Windows\SysWOW64\Lpappc32.exeC:\Windows\system32\Lpappc32.exe87⤵PID:1988
-
C:\Windows\SysWOW64\Lgkhlnbn.exeC:\Windows\system32\Lgkhlnbn.exe88⤵PID:2340
-
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe89⤵PID:3412
-
C:\Windows\SysWOW64\Laalifad.exeC:\Windows\system32\Laalifad.exe90⤵PID:4876
-
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe91⤵PID:4052
-
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe92⤵PID:3108
-
C:\Windows\SysWOW64\Lnhmng32.exeC:\Windows\system32\Lnhmng32.exe93⤵PID:3176
-
C:\Windows\SysWOW64\Lpfijcfl.exeC:\Windows\system32\Lpfijcfl.exe94⤵PID:1248
-
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe95⤵PID:2700
-
C:\Windows\SysWOW64\Lgpagm32.exeC:\Windows\system32\Lgpagm32.exe96⤵PID:5068
-
C:\Windows\SysWOW64\Ljnnch32.exeC:\Windows\system32\Ljnnch32.exe97⤵PID:3708
-
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe98⤵PID:2144
-
C:\Windows\SysWOW64\Lddbqa32.exeC:\Windows\system32\Lddbqa32.exe99⤵PID:5160
-
C:\Windows\SysWOW64\Lcgblncm.exeC:\Windows\system32\Lcgblncm.exe100⤵PID:5204
-
C:\Windows\SysWOW64\Mjqjih32.exeC:\Windows\system32\Mjqjih32.exe101⤵PID:5268
-
C:\Windows\SysWOW64\Mpkbebbf.exeC:\Windows\system32\Mpkbebbf.exe102⤵PID:5312
-
C:\Windows\SysWOW64\Mciobn32.exeC:\Windows\system32\Mciobn32.exe103⤵PID:5356
-
C:\Windows\SysWOW64\Mnocof32.exeC:\Windows\system32\Mnocof32.exe104⤵
- Drops file in System32 directory
- Modifies registry class
PID:5400 -
C:\Windows\SysWOW64\Mpmokb32.exeC:\Windows\system32\Mpmokb32.exe105⤵PID:5436
-
C:\Windows\SysWOW64\Mgghhlhq.exeC:\Windows\system32\Mgghhlhq.exe106⤵PID:5488
-
C:\Windows\SysWOW64\Mpolqa32.exeC:\Windows\system32\Mpolqa32.exe107⤵
- Modifies registry class
PID:5532 -
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe108⤵PID:5576
-
C:\Windows\SysWOW64\Mdmegp32.exeC:\Windows\system32\Mdmegp32.exe109⤵PID:5620
-
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe110⤵PID:5664
-
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe111⤵PID:5708
-
C:\Windows\SysWOW64\Mgnnhk32.exeC:\Windows\system32\Mgnnhk32.exe112⤵
- Modifies registry class
PID:5748 -
C:\Windows\SysWOW64\Nacbfdao.exeC:\Windows\system32\Nacbfdao.exe113⤵PID:5792
-
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe114⤵
- Modifies registry class
PID:5840 -
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe115⤵PID:5880
-
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe116⤵PID:5924
-
C:\Windows\SysWOW64\Nkncdifl.exeC:\Windows\system32\Nkncdifl.exe117⤵PID:5964
-
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe118⤵PID:6000
-
C:\Windows\SysWOW64\Ncihikcg.exeC:\Windows\system32\Ncihikcg.exe119⤵PID:6052
-
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe120⤵PID:6096
-
C:\Windows\SysWOW64\Nbkhfc32.exeC:\Windows\system32\Nbkhfc32.exe121⤵PID:6140
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-