Analysis
-
max time kernel
142s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
10-06-2024 13:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
76537c55de801d877ed28bd8ca05d58a90af904f4638a6995393d08946fbbf94.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
76537c55de801d877ed28bd8ca05d58a90af904f4638a6995393d08946fbbf94.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
76537c55de801d877ed28bd8ca05d58a90af904f4638a6995393d08946fbbf94.exe
-
Size
117KB
-
MD5
243e3407f9c183cb2048a939226d7929
-
SHA1
ec1028006c1e9cde1208823ed131a4e8c8eae763
-
SHA256
76537c55de801d877ed28bd8ca05d58a90af904f4638a6995393d08946fbbf94
-
SHA512
8893e80154ed7ecbd6e02dca6185e3d0bf36958d226cf1886f6406193b6688d235cae57bc1a13c6fcc4ee9c53c9b61895b142d0c8174eb07f299c40db92de7c0
-
SSDEEP
3072:WMlylYtjXClouEsvyQWtzDocVFFfUrQlM:WVGXCK+vZ4VTfMQ
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aioebj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfbbdj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcnbekok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmimdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bflagg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Homcbo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajjjjghg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmgelf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhenai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qclmck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Paocim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhennm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qbngeadf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmlhaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onapdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkcpql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjficg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjhfif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaemilci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlemcq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhjcbljf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgcooaah.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndkjik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhmgfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdaqhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opfnne32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbjlgj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eajlhg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibdplaho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdcmnfop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppdjpcng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pehjfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gimoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lplaaiqd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifaic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjcmngnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjcmngnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbdgec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cefoni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmbiackg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecanojgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkomhhae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbccge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhenai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llkjmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efampahd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lplaaiqd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icakofel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adnilfnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeeomegd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhlnjpdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfdafa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfqlfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egaejeej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obnehj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bflham32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oamgcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfqdid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onmahojj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcbkpj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghbkdald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpmomo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhlfoodc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfefdpfe.exe -
Executes dropped EXE 64 IoCs
pid Process 4404 Hmpcbhji.exe 4104 Hoeieolb.exe 5060 Ipeeobbe.exe 2964 Imiehfao.exe 3504 Ibhkfm32.exe 5012 Igfclkdj.exe 4836 Lnangaoa.exe 4580 Mfqlfb32.exe 1268 Mnjqmpgg.exe 4056 Mqkiok32.exe 5044 Nqmfdj32.exe 4792 Njfkmphe.exe 4828 Nflkbanj.exe 3660 Nglhld32.exe 3424 Ncchae32.exe 1080 Ngqagcag.exe 1140 Ogcnmc32.exe 1712 Onocomdo.exe 4208 Onapdl32.exe 2480 Pmiikh32.exe 1020 Pmlfqh32.exe 2020 Paiogf32.exe 2800 Pdjgha32.exe 4272 Qfkqjmdg.exe 2164 Qmgelf32.exe 4760 Aaenbd32.exe 2504 Aknbkjfh.exe 2428 Apjkcadp.exe 3800 Aajhndkb.exe 3656 Aonhghjl.exe 3036 Agimkk32.exe 3376 Baannc32.exe 1112 Bmhocd32.exe 4488 Bmjkic32.exe 2804 Bgbpaipl.exe 1076 Bdfpkm32.exe 2656 Cdimqm32.exe 3460 Cammjakm.exe 3956 Cdmfllhn.exe 1568 Cocjiehd.exe 4008 Cdbpgl32.exe 524 Dafppp32.exe 4276 Dgeenfog.exe 3512 Dggbcf32.exe 2856 Dhgonidg.exe 2696 Dbocfo32.exe 2208 Enfckp32.exe 4888 Egohdegl.exe 1180 Egaejeej.exe 548 Eqiibjlj.exe 5104 Edgbii32.exe 844 Eqncnj32.exe 3404 Fbmohmoh.exe 4500 Fndpmndl.exe 1408 Fijdjfdb.exe 4752 Filapfbo.exe 4984 Fohfbpgi.exe 3032 Fkofga32.exe 728 Gpmomo32.exe 232 Gkdpbpih.exe 1932 Geldkfpi.exe 2536 Gijmad32.exe 4936 Ghojbq32.exe 1124 Hbenoi32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fhiddl32.dll Mfmpob32.exe File created C:\Windows\SysWOW64\Pmaece32.dll Bilcol32.exe File created C:\Windows\SysWOW64\Kcdakd32.exe Kiomnk32.exe File opened for modification C:\Windows\SysWOW64\Aaenbd32.exe Qmgelf32.exe File created C:\Windows\SysWOW64\Baannc32.exe Agimkk32.exe File created C:\Windows\SysWOW64\Hifmmb32.exe Hlblcn32.exe File opened for modification C:\Windows\SysWOW64\Qhghge32.exe Qkchna32.exe File created C:\Windows\SysWOW64\Bmijpchc.dll Apjkcadp.exe File created C:\Windows\SysWOW64\Kipiefce.dll Afeban32.exe File created C:\Windows\SysWOW64\Clnkig32.dll Ihjafd32.exe File created C:\Windows\SysWOW64\Nmpkakak.exe Nplkhf32.exe File opened for modification C:\Windows\SysWOW64\Lpgalc32.exe Lmfhjhdm.exe File created C:\Windows\SysWOW64\Hkaeih32.exe Hegmlnbp.exe File created C:\Windows\SysWOW64\Aeeomegd.exe Ainnhdbp.exe File created C:\Windows\SysWOW64\Gkedmpik.dll Lpgalc32.exe File opened for modification C:\Windows\SysWOW64\Lnangaoa.exe Igfclkdj.exe File opened for modification C:\Windows\SysWOW64\Pmiikh32.exe Onapdl32.exe File opened for modification C:\Windows\SysWOW64\Lmkipncc.exe Lpghfi32.exe File opened for modification C:\Windows\SysWOW64\Lplaaiqd.exe Lhammfci.exe File opened for modification C:\Windows\SysWOW64\Hkcbnh32.exe Hbknebqi.exe File opened for modification C:\Windows\SysWOW64\Kiajck32.exe Kcdakd32.exe File created C:\Windows\SysWOW64\Jlgjfqgj.dll Eimlgnij.exe File opened for modification C:\Windows\SysWOW64\Ecdbop32.exe Edoencdm.exe File opened for modification C:\Windows\SysWOW64\Okmpqjad.exe Ncaklhdi.exe File created C:\Windows\SysWOW64\Apkjddke.exe Aiabhj32.exe File opened for modification C:\Windows\SysWOW64\Cfgace32.exe Chfaenfb.exe File opened for modification C:\Windows\SysWOW64\Bilcol32.exe Bkhceh32.exe File created C:\Windows\SysWOW64\Cmbgdl32.exe Cdhffg32.exe File created C:\Windows\SysWOW64\Maehlqch.exe Mhmcck32.exe File created C:\Windows\SysWOW64\Ebokodfc.exe Ehifak32.exe File created C:\Windows\SysWOW64\Lhjicplp.dll Pnjgog32.exe File created C:\Windows\SysWOW64\Ipgkjlmg.exe Ibcjqgnm.exe File created C:\Windows\SysWOW64\Jllhpkfk.exe Jbccge32.exe File opened for modification C:\Windows\SysWOW64\Gnckooob.exe Gdkffi32.exe File created C:\Windows\SysWOW64\Iebfmfdg.exe Ijmapm32.exe File opened for modification C:\Windows\SysWOW64\Oklifdmi.exe Onhhmpoo.exe File created C:\Windows\SysWOW64\Bbkeacqo.exe Bdgehobe.exe File created C:\Windows\SysWOW64\Iheocj32.dll Pfojdh32.exe File created C:\Windows\SysWOW64\Bhnbgoib.dll Gjcmngnj.exe File created C:\Windows\SysWOW64\Icajjnkn.dll Ihaidhgf.exe File created C:\Windows\SysWOW64\Cmkjoj32.dll Jdopjh32.exe File created C:\Windows\SysWOW64\Filapfbo.exe Fijdjfdb.exe File created C:\Windows\SysWOW64\Ocoick32.dll Gkdpbpih.exe File created C:\Windows\SysWOW64\Mnfooh32.dll Llkjmb32.exe File created C:\Windows\SysWOW64\Qhfaig32.dll Bflham32.exe File created C:\Windows\SysWOW64\Okmpqjad.exe Ncaklhdi.exe File created C:\Windows\SysWOW64\Ioppho32.exe Homcbo32.exe File opened for modification C:\Windows\SysWOW64\Golcak32.exe Ghbkdald.exe File created C:\Windows\SysWOW64\Fcpakn32.exe Fboecfii.exe File opened for modification C:\Windows\SysWOW64\Lkcccn32.exe Lbhool32.exe File opened for modification C:\Windows\SysWOW64\Dfakcj32.exe Dpgbgpbe.exe File created C:\Windows\SysWOW64\Kdhlepkl.exe Knkcmild.exe File created C:\Windows\SysWOW64\Aajhndkb.exe Apjkcadp.exe File created C:\Windows\SysWOW64\Hjnmfk32.dll Mojopk32.exe File created C:\Windows\SysWOW64\Hgbonm32.exe Hfbbdj32.exe File created C:\Windows\SysWOW64\Ohaokbfd.exe Oknnanhj.exe File opened for modification C:\Windows\SysWOW64\Qclmck32.exe Pjcikejg.exe File opened for modification C:\Windows\SysWOW64\Mccokj32.exe Mepnaf32.exe File opened for modification C:\Windows\SysWOW64\Nkcmjlio.exe Nlnpio32.exe File created C:\Windows\SysWOW64\Gbpnedga.dll Ggdigekj.exe File opened for modification C:\Windows\SysWOW64\Gbjlgj32.exe Golcak32.exe File created C:\Windows\SysWOW64\Igfclkdj.exe Ibhkfm32.exe File created C:\Windows\SysWOW64\Hlblcn32.exe Hiacacpg.exe File created C:\Windows\SysWOW64\Dgihop32.exe Dckoia32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7400 6824 WerFault.exe 653 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnlhmpgg.dll" Bagmdllg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abcppq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaohkjak.dll" Ajjjjghg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekngemhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbfbkfaa.dll" Fkcpql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Obnnnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fjjcmbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbappaql.dll" Ehhpge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocfdgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gikbneio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jllhpkfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Johmahhb.dll" Egknji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ioffhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiodpebj.dll" Ibhkfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cobnge32.dll" Hkaeih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oakjnnap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdbpgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldbefe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Egbdjhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppklijpk.dll" Bgokdomj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nfaijand.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cicjokll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lmfhjhdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bagmdllg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gjficg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Adnilfnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhfjkmma.dll" Ghgljg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gledpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bicbje32.dll" Lhammfci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bndblcdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Focanl32.dll" Eqncnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccppmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdmcdhhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcffnbee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aioebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehepld32.dll" Bpemkcck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bohbck32.dll" Kfidgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpipkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pncanhaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndqojdee.dll" Nqmfdj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abmjqe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dnljkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlhlck32.dll" Fpcdof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjcqffkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcpnhp32.dll" Lplaaiqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epplai32.dll" Icakofel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmimdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cefoni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmcle32.dll" Dpgbgpbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Clpppmqn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lplaaiqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fijdjfdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hcedmkmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Adnilfnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qkakhakq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odanidih.dll" Eajlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bblcfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jfkhfmdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcndmiqg.dll" Loacdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ieqpbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Khfkfedn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blcnqjjo.dll" Pfccogfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ggdigekj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfidgk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1372 wrote to memory of 4404 1372 76537c55de801d877ed28bd8ca05d58a90af904f4638a6995393d08946fbbf94.exe 92 PID 1372 wrote to memory of 4404 1372 76537c55de801d877ed28bd8ca05d58a90af904f4638a6995393d08946fbbf94.exe 92 PID 1372 wrote to memory of 4404 1372 76537c55de801d877ed28bd8ca05d58a90af904f4638a6995393d08946fbbf94.exe 92 PID 4404 wrote to memory of 4104 4404 Hmpcbhji.exe 93 PID 4404 wrote to memory of 4104 4404 Hmpcbhji.exe 93 PID 4404 wrote to memory of 4104 4404 Hmpcbhji.exe 93 PID 4104 wrote to memory of 5060 4104 Hoeieolb.exe 94 PID 4104 wrote to memory of 5060 4104 Hoeieolb.exe 94 PID 4104 wrote to memory of 5060 4104 Hoeieolb.exe 94 PID 5060 wrote to memory of 2964 5060 Ipeeobbe.exe 95 PID 5060 wrote to memory of 2964 5060 Ipeeobbe.exe 95 PID 5060 wrote to memory of 2964 5060 Ipeeobbe.exe 95 PID 2964 wrote to memory of 3504 2964 Imiehfao.exe 96 PID 2964 wrote to memory of 3504 2964 Imiehfao.exe 96 PID 2964 wrote to memory of 3504 2964 Imiehfao.exe 96 PID 3504 wrote to memory of 5012 3504 Ibhkfm32.exe 97 PID 3504 wrote to memory of 5012 3504 Ibhkfm32.exe 97 PID 3504 wrote to memory of 5012 3504 Ibhkfm32.exe 97 PID 5012 wrote to memory of 4836 5012 Igfclkdj.exe 98 PID 5012 wrote to memory of 4836 5012 Igfclkdj.exe 98 PID 5012 wrote to memory of 4836 5012 Igfclkdj.exe 98 PID 4836 wrote to memory of 4580 4836 Lnangaoa.exe 99 PID 4836 wrote to memory of 4580 4836 Lnangaoa.exe 99 PID 4836 wrote to memory of 4580 4836 Lnangaoa.exe 99 PID 4580 wrote to memory of 1268 4580 Mfqlfb32.exe 100 PID 4580 wrote to memory of 1268 4580 Mfqlfb32.exe 100 PID 4580 wrote to memory of 1268 4580 Mfqlfb32.exe 100 PID 1268 wrote to memory of 4056 1268 Mnjqmpgg.exe 101 PID 1268 wrote to memory of 4056 1268 Mnjqmpgg.exe 101 PID 1268 wrote to memory of 4056 1268 Mnjqmpgg.exe 101 PID 4056 wrote to memory of 5044 4056 Mqkiok32.exe 102 PID 4056 wrote to memory of 5044 4056 Mqkiok32.exe 102 PID 4056 wrote to memory of 5044 4056 Mqkiok32.exe 102 PID 5044 wrote to memory of 4792 5044 Nqmfdj32.exe 103 PID 5044 wrote to memory of 4792 5044 Nqmfdj32.exe 103 PID 5044 wrote to memory of 4792 5044 Nqmfdj32.exe 103 PID 4792 wrote to memory of 4828 4792 Njfkmphe.exe 104 PID 4792 wrote to memory of 4828 4792 Njfkmphe.exe 104 PID 4792 wrote to memory of 4828 4792 Njfkmphe.exe 104 PID 4828 wrote to memory of 3660 4828 Nflkbanj.exe 105 PID 4828 wrote to memory of 3660 4828 Nflkbanj.exe 105 PID 4828 wrote to memory of 3660 4828 Nflkbanj.exe 105 PID 3660 wrote to memory of 3424 3660 Nglhld32.exe 106 PID 3660 wrote to memory of 3424 3660 Nglhld32.exe 106 PID 3660 wrote to memory of 3424 3660 Nglhld32.exe 106 PID 3424 wrote to memory of 1080 3424 Ncchae32.exe 107 PID 3424 wrote to memory of 1080 3424 Ncchae32.exe 107 PID 3424 wrote to memory of 1080 3424 Ncchae32.exe 107 PID 1080 wrote to memory of 1140 1080 Ngqagcag.exe 108 PID 1080 wrote to memory of 1140 1080 Ngqagcag.exe 108 PID 1080 wrote to memory of 1140 1080 Ngqagcag.exe 108 PID 1140 wrote to memory of 1712 1140 Ogcnmc32.exe 109 PID 1140 wrote to memory of 1712 1140 Ogcnmc32.exe 109 PID 1140 wrote to memory of 1712 1140 Ogcnmc32.exe 109 PID 1712 wrote to memory of 4208 1712 Onocomdo.exe 110 PID 1712 wrote to memory of 4208 1712 Onocomdo.exe 110 PID 1712 wrote to memory of 4208 1712 Onocomdo.exe 110 PID 4208 wrote to memory of 2480 4208 Onapdl32.exe 111 PID 4208 wrote to memory of 2480 4208 Onapdl32.exe 111 PID 4208 wrote to memory of 2480 4208 Onapdl32.exe 111 PID 2480 wrote to memory of 1020 2480 Pmiikh32.exe 112 PID 2480 wrote to memory of 1020 2480 Pmiikh32.exe 112 PID 2480 wrote to memory of 1020 2480 Pmiikh32.exe 112 PID 1020 wrote to memory of 2020 1020 Pmlfqh32.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\76537c55de801d877ed28bd8ca05d58a90af904f4638a6995393d08946fbbf94.exe"C:\Users\Admin\AppData\Local\Temp\76537c55de801d877ed28bd8ca05d58a90af904f4638a6995393d08946fbbf94.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\Hmpcbhji.exeC:\Windows\system32\Hmpcbhji.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\SysWOW64\Hoeieolb.exeC:\Windows\system32\Hoeieolb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Windows\SysWOW64\Ipeeobbe.exeC:\Windows\system32\Ipeeobbe.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\Imiehfao.exeC:\Windows\system32\Imiehfao.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Ibhkfm32.exeC:\Windows\system32\Ibhkfm32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\SysWOW64\Igfclkdj.exeC:\Windows\system32\Igfclkdj.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Lnangaoa.exeC:\Windows\system32\Lnangaoa.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\Mfqlfb32.exeC:\Windows\system32\Mfqlfb32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Windows\SysWOW64\Mnjqmpgg.exeC:\Windows\system32\Mnjqmpgg.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Mqkiok32.exeC:\Windows\system32\Mqkiok32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\SysWOW64\Nqmfdj32.exeC:\Windows\system32\Nqmfdj32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Njfkmphe.exeC:\Windows\system32\Njfkmphe.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Windows\SysWOW64\Nflkbanj.exeC:\Windows\system32\Nflkbanj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\Nglhld32.exeC:\Windows\system32\Nglhld32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
C:\Windows\SysWOW64\Ncchae32.exeC:\Windows\system32\Ncchae32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
C:\Windows\SysWOW64\Ngqagcag.exeC:\Windows\system32\Ngqagcag.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\Ogcnmc32.exeC:\Windows\system32\Ogcnmc32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Onocomdo.exeC:\Windows\system32\Onocomdo.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Onapdl32.exeC:\Windows\system32\Onapdl32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4208 -
C:\Windows\SysWOW64\Pmiikh32.exeC:\Windows\system32\Pmiikh32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Pmlfqh32.exeC:\Windows\system32\Pmlfqh32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Paiogf32.exeC:\Windows\system32\Paiogf32.exe23⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Pdjgha32.exeC:\Windows\system32\Pdjgha32.exe24⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Qfkqjmdg.exeC:\Windows\system32\Qfkqjmdg.exe25⤵
- Executes dropped EXE
PID:4272 -
C:\Windows\SysWOW64\Qmgelf32.exeC:\Windows\system32\Qmgelf32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2164 -
C:\Windows\SysWOW64\Aaenbd32.exeC:\Windows\system32\Aaenbd32.exe27⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Aknbkjfh.exeC:\Windows\system32\Aknbkjfh.exe28⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Apjkcadp.exeC:\Windows\system32\Apjkcadp.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Aajhndkb.exeC:\Windows\system32\Aajhndkb.exe30⤵
- Executes dropped EXE
PID:3800 -
C:\Windows\SysWOW64\Aonhghjl.exeC:\Windows\system32\Aonhghjl.exe31⤵
- Executes dropped EXE
PID:3656 -
C:\Windows\SysWOW64\Agimkk32.exeC:\Windows\system32\Agimkk32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Baannc32.exeC:\Windows\system32\Baannc32.exe33⤵
- Executes dropped EXE
PID:3376 -
C:\Windows\SysWOW64\Bmhocd32.exeC:\Windows\system32\Bmhocd32.exe34⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Bmjkic32.exeC:\Windows\system32\Bmjkic32.exe35⤵
- Executes dropped EXE
PID:4488 -
C:\Windows\SysWOW64\Bgbpaipl.exeC:\Windows\system32\Bgbpaipl.exe36⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Bdfpkm32.exeC:\Windows\system32\Bdfpkm32.exe37⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Cdimqm32.exeC:\Windows\system32\Cdimqm32.exe38⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Cammjakm.exeC:\Windows\system32\Cammjakm.exe39⤵
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Cdmfllhn.exeC:\Windows\system32\Cdmfllhn.exe40⤵
- Executes dropped EXE
PID:3956 -
C:\Windows\SysWOW64\Cocjiehd.exeC:\Windows\system32\Cocjiehd.exe41⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Cdbpgl32.exeC:\Windows\system32\Cdbpgl32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:4008 -
C:\Windows\SysWOW64\Dafppp32.exeC:\Windows\system32\Dafppp32.exe43⤵
- Executes dropped EXE
PID:524 -
C:\Windows\SysWOW64\Dgeenfog.exeC:\Windows\system32\Dgeenfog.exe44⤵
- Executes dropped EXE
PID:4276 -
C:\Windows\SysWOW64\Dggbcf32.exeC:\Windows\system32\Dggbcf32.exe45⤵
- Executes dropped EXE
PID:3512 -
C:\Windows\SysWOW64\Dhgonidg.exeC:\Windows\system32\Dhgonidg.exe46⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Dbocfo32.exeC:\Windows\system32\Dbocfo32.exe47⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Enfckp32.exeC:\Windows\system32\Enfckp32.exe48⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Egohdegl.exeC:\Windows\system32\Egohdegl.exe49⤵
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Egaejeej.exeC:\Windows\system32\Egaejeej.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Eqiibjlj.exeC:\Windows\system32\Eqiibjlj.exe51⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Edgbii32.exeC:\Windows\system32\Edgbii32.exe52⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Eqncnj32.exeC:\Windows\system32\Eqncnj32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:844 -
C:\Windows\SysWOW64\Fbmohmoh.exeC:\Windows\system32\Fbmohmoh.exe54⤵
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Fndpmndl.exeC:\Windows\system32\Fndpmndl.exe55⤵
- Executes dropped EXE
PID:4500 -
C:\Windows\SysWOW64\Fijdjfdb.exeC:\Windows\system32\Fijdjfdb.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1408 -
C:\Windows\SysWOW64\Filapfbo.exeC:\Windows\system32\Filapfbo.exe57⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\Fohfbpgi.exeC:\Windows\system32\Fohfbpgi.exe58⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Fkofga32.exeC:\Windows\system32\Fkofga32.exe59⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Gpmomo32.exeC:\Windows\system32\Gpmomo32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:728 -
C:\Windows\SysWOW64\Gkdpbpih.exeC:\Windows\system32\Gkdpbpih.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:232 -
C:\Windows\SysWOW64\Geldkfpi.exeC:\Windows\system32\Geldkfpi.exe62⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Gijmad32.exeC:\Windows\system32\Gijmad32.exe63⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Ghojbq32.exeC:\Windows\system32\Ghojbq32.exe64⤵
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\Hbenoi32.exeC:\Windows\system32\Hbenoi32.exe65⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Hiacacpg.exeC:\Windows\system32\Hiacacpg.exe66⤵
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\Hlblcn32.exeC:\Windows\system32\Hlblcn32.exe67⤵
- Drops file in System32 directory
PID:4452 -
C:\Windows\SysWOW64\Hifmmb32.exeC:\Windows\system32\Hifmmb32.exe68⤵PID:1980
-
C:\Windows\SysWOW64\Hemmac32.exeC:\Windows\system32\Hemmac32.exe69⤵PID:2808
-
C:\Windows\SysWOW64\Inebjihf.exeC:\Windows\system32\Inebjihf.exe70⤵PID:2584
-
C:\Windows\SysWOW64\Ibcjqgnm.exeC:\Windows\system32\Ibcjqgnm.exe71⤵
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Ipgkjlmg.exeC:\Windows\system32\Ipgkjlmg.exe72⤵PID:3060
-
C:\Windows\SysWOW64\Iiopca32.exeC:\Windows\system32\Iiopca32.exe73⤵PID:1600
-
C:\Windows\SysWOW64\Ibgdlg32.exeC:\Windows\system32\Ibgdlg32.exe74⤵PID:4556
-
C:\Windows\SysWOW64\Ibjqaf32.exeC:\Windows\system32\Ibjqaf32.exe75⤵PID:1860
-
C:\Windows\SysWOW64\Jaonbc32.exeC:\Windows\system32\Jaonbc32.exe76⤵PID:4972
-
C:\Windows\SysWOW64\Jbojlfdp.exeC:\Windows\system32\Jbojlfdp.exe77⤵PID:5160
-
C:\Windows\SysWOW64\Jeocna32.exeC:\Windows\system32\Jeocna32.exe78⤵PID:5200
-
C:\Windows\SysWOW64\Jbccge32.exeC:\Windows\system32\Jbccge32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5240 -
C:\Windows\SysWOW64\Jllhpkfk.exeC:\Windows\system32\Jllhpkfk.exe80⤵
- Modifies registry class
PID:5280 -
C:\Windows\SysWOW64\Kpiqfima.exeC:\Windows\system32\Kpiqfima.exe81⤵PID:5324
-
C:\Windows\SysWOW64\Koonge32.exeC:\Windows\system32\Koonge32.exe82⤵PID:5384
-
C:\Windows\SysWOW64\Keifdpif.exeC:\Windows\system32\Keifdpif.exe83⤵PID:5424
-
C:\Windows\SysWOW64\Koajmepf.exeC:\Windows\system32\Koajmepf.exe84⤵PID:5480
-
C:\Windows\SysWOW64\Klekfinp.exeC:\Windows\system32\Klekfinp.exe85⤵PID:5532
-
C:\Windows\SysWOW64\Kpccmhdg.exeC:\Windows\system32\Kpccmhdg.exe86⤵PID:5584
-
C:\Windows\SysWOW64\Lhnhajba.exeC:\Windows\system32\Lhnhajba.exe87⤵PID:5624
-
C:\Windows\SysWOW64\Lindkm32.exeC:\Windows\system32\Lindkm32.exe88⤵PID:5704
-
C:\Windows\SysWOW64\Lcfidb32.exeC:\Windows\system32\Lcfidb32.exe89⤵PID:5752
-
C:\Windows\SysWOW64\Llnnmhfe.exeC:\Windows\system32\Llnnmhfe.exe90⤵PID:5796
-
C:\Windows\SysWOW64\Lakfeodm.exeC:\Windows\system32\Lakfeodm.exe91⤵PID:5856
-
C:\Windows\SysWOW64\Lhenai32.exeC:\Windows\system32\Lhenai32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5940 -
C:\Windows\SysWOW64\Lfiokmkc.exeC:\Windows\system32\Lfiokmkc.exe93⤵PID:6008
-
C:\Windows\SysWOW64\Loacdc32.exeC:\Windows\system32\Loacdc32.exe94⤵
- Modifies registry class
PID:6056 -
C:\Windows\SysWOW64\Mjggal32.exeC:\Windows\system32\Mjggal32.exe95⤵PID:6104
-
C:\Windows\SysWOW64\Mablfnne.exeC:\Windows\system32\Mablfnne.exe96⤵PID:5148
-
C:\Windows\SysWOW64\Mljmhflh.exeC:\Windows\system32\Mljmhflh.exe97⤵PID:5236
-
C:\Windows\SysWOW64\Mfbaalbi.exeC:\Windows\system32\Mfbaalbi.exe98⤵PID:5320
-
C:\Windows\SysWOW64\Mbibfm32.exeC:\Windows\system32\Mbibfm32.exe99⤵PID:5416
-
C:\Windows\SysWOW64\Mqjbddpl.exeC:\Windows\system32\Mqjbddpl.exe100⤵PID:5464
-
C:\Windows\SysWOW64\Njbgmjgl.exeC:\Windows\system32\Njbgmjgl.exe101⤵PID:5556
-
C:\Windows\SysWOW64\Noppeaed.exeC:\Windows\system32\Noppeaed.exe102⤵PID:5632
-
C:\Windows\SysWOW64\Nhhdnf32.exeC:\Windows\system32\Nhhdnf32.exe103⤵PID:5736
-
C:\Windows\SysWOW64\Nfldgk32.exeC:\Windows\system32\Nfldgk32.exe104⤵PID:5812
-
C:\Windows\SysWOW64\Nqaiecjd.exeC:\Windows\system32\Nqaiecjd.exe105⤵PID:5892
-
C:\Windows\SysWOW64\Nimmifgo.exeC:\Windows\system32\Nimmifgo.exe106⤵PID:6032
-
C:\Windows\SysWOW64\Nqfbpb32.exeC:\Windows\system32\Nqfbpb32.exe107⤵PID:6080
-
C:\Windows\SysWOW64\Ookoaokf.exeC:\Windows\system32\Ookoaokf.exe108⤵PID:5188
-
C:\Windows\SysWOW64\Obnehj32.exeC:\Windows\system32\Obnehj32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5276 -
C:\Windows\SysWOW64\Ocnabm32.exeC:\Windows\system32\Ocnabm32.exe110⤵PID:5456
-
C:\Windows\SysWOW64\Pfojdh32.exeC:\Windows\system32\Pfojdh32.exe111⤵
- Drops file in System32 directory
PID:5544 -
C:\Windows\SysWOW64\Piocecgj.exeC:\Windows\system32\Piocecgj.exe112⤵PID:5692
-
C:\Windows\SysWOW64\Pfccogfc.exeC:\Windows\system32\Pfccogfc.exe113⤵
- Modifies registry class
PID:5744 -
C:\Windows\SysWOW64\Pplhhm32.exeC:\Windows\system32\Pplhhm32.exe114⤵PID:5304
-
C:\Windows\SysWOW64\Pakdbp32.exeC:\Windows\system32\Pakdbp32.exe115⤵PID:6084
-
C:\Windows\SysWOW64\Pjcikejg.exeC:\Windows\system32\Pjcikejg.exe116⤵
- Drops file in System32 directory
PID:5228 -
C:\Windows\SysWOW64\Qclmck32.exeC:\Windows\system32\Qclmck32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5436 -
C:\Windows\SysWOW64\Qjffpe32.exeC:\Windows\system32\Qjffpe32.exe118⤵PID:5728
-
C:\Windows\SysWOW64\Qpbnhl32.exeC:\Windows\system32\Qpbnhl32.exe119⤵PID:6004
-
C:\Windows\SysWOW64\Aabkbono.exeC:\Windows\system32\Aabkbono.exe120⤵PID:4184
-
C:\Windows\SysWOW64\Ajjokd32.exeC:\Windows\system32\Ajjokd32.exe121⤵PID:4544
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-