Analysis
-
max time kernel
92s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
11/06/2024, 02:33
Static task
static1
Behavioral task
behavioral1
Sample
bb378c1be69bad3bf63f4aee0f5db6b2e54af502e44b4d92c7f5f616eedc0003.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
bb378c1be69bad3bf63f4aee0f5db6b2e54af502e44b4d92c7f5f616eedc0003.exe
Resource
win10v2004-20240426-en
General
-
Target
bb378c1be69bad3bf63f4aee0f5db6b2e54af502e44b4d92c7f5f616eedc0003.exe
-
Size
85KB
-
MD5
a04add5c7c637a1f42eee4f72e60ace8
-
SHA1
25eb462470063060ba91be4d525d33a93ce0c86a
-
SHA256
bb378c1be69bad3bf63f4aee0f5db6b2e54af502e44b4d92c7f5f616eedc0003
-
SHA512
8e55fc2a28b6bf003b5683f8581f96a7b97a50b8518e1c4a984206f911f623672a87c0c311b65725286d4787b950f4269bf8a7df1d9622fa37af21ab287991e9
-
SSDEEP
1536:+lhrCuSyYlcCX3yqRmJGIEsMQqedAeFgt2LHkMQ262AjCsQ2PCZZrqOlNfVSLUK+:+0uJQ9VmJGIEsMQ1dAeFg+HkMQH2qC7T
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbefdijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odalmibl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flnlhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imakkfdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnjlpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njqmepik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baicac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcjlcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiipmhmk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehljfnpn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccchof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpnfge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idkbkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plbmokop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnqfcbnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajkaii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfpnph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iebngial.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhnnep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlkgmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpodlbng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aojefobm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojdgnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocdjpmac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkdjfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klahfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Likjcbkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chjaol32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpiecd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Diicml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Liqihglg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikdcmpnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dodjjimm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fngcmcfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mifcejnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efccmidp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjhfpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmlddqem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiloco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kebbafoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfckahdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbgalmej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdolhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfnkkb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okedcjcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfheof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcjnoece.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhafeb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gidnkkpc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljqhkckn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqbpojnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hckjacjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cabfga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dflmlj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejfeng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efjbcakl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Folaiqng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jljbeali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eemnjbaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mleoafmn.exe -
Executes dropped EXE 64 IoCs
pid Process 1764 Odnnnnfe.exe 3516 Onfbfc32.exe 1140 Occkojkm.exe 1428 Onholckc.exe 3052 Oqgkhnjf.exe 3196 Ojopad32.exe 1056 Obfhba32.exe 4224 Okolkg32.exe 4908 Oqkdcn32.exe 4228 Pjdilcla.exe 2976 Pqnaim32.exe 2988 Pnbbbabh.exe 3980 Pcojkhap.exe 4108 Pjhbgb32.exe 5072 Pgmcqggf.exe 2380 Pjkombfj.exe 4832 Pbbgnpgl.exe 3648 Peqcjkfp.exe 748 Pgopffec.exe 1476 Pkjlge32.exe 2096 Pnihcq32.exe 4456 Pbddcoei.exe 3232 Pagdol32.exe 1352 Qchmagie.exe 5080 Qjbena32.exe 1324 Qbimoo32.exe 3100 Acjjfggb.exe 2416 Agffge32.exe 5024 Alabgd32.exe 3044 Ajdbcano.exe 3940 Abkjdnoa.exe 2236 Aanjpk32.exe 3132 Aejfpjne.exe 680 Acmflf32.exe 468 Ahhblemi.exe 4176 Ajfoiqll.exe 320 Acocaf32.exe 4356 Adcmmeog.exe 3704 Abemjmgg.exe 3116 Bhaebcen.exe 1528 Bdhfhe32.exe 3640 Behbag32.exe 3636 Bdkcmdhp.exe 3456 Bejogg32.exe 4424 Bdolhc32.exe 1288 Blfdia32.exe 412 Boepel32.exe 3612 Cliaoq32.exe 2880 Cogmkl32.exe 2024 Chpada32.exe 3464 Cecbmf32.exe 3532 Ckpjfm32.exe 4900 Cefoce32.exe 2288 Cdkldb32.exe 4952 Dekhneap.exe 3732 Daaicfgd.exe 1912 Dhkapp32.exe 2640 Dadeieea.exe 640 Dhnnep32.exe 1980 Dhpjkojk.exe 408 Dkoggkjo.exe 1344 Eaklidoi.exe 2300 Ehedfo32.exe 3016 Elppfmoo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dblgpl32.exe Dkbocbog.exe File opened for modification C:\Windows\SysWOW64\Eidlnd32.exe Ebjcajjd.exe File opened for modification C:\Windows\SysWOW64\Amjillkj.exe Qlimed32.exe File created C:\Windows\SysWOW64\Dkqaoe32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mimpolee.exe Lbchba32.exe File opened for modification C:\Windows\SysWOW64\Cfdhkhjj.exe Cdfkolkf.exe File created C:\Windows\SysWOW64\Mmbheilp.dll Lgffic32.exe File created C:\Windows\SysWOW64\Kemilf32.dll Acokhc32.exe File opened for modification C:\Windows\SysWOW64\Bchomn32.exe Beeoaapl.exe File opened for modification C:\Windows\SysWOW64\Oakbehfe.exe Offnhpfo.exe File opened for modification C:\Windows\SysWOW64\Kofkbk32.exe Klhnfo32.exe File opened for modification C:\Windows\SysWOW64\Klqcioba.exe Kfckahdj.exe File opened for modification C:\Windows\SysWOW64\Bhkmec32.exe Baadiiif.exe File created C:\Windows\SysWOW64\Hncmmd32.exe Hkeaqi32.exe File opened for modification C:\Windows\SysWOW64\Baicac32.exe Bnkgeg32.exe File created C:\Windows\SysWOW64\Mqjbok32.dll Gdppbfff.exe File created C:\Windows\SysWOW64\Jgkhgb32.dll Pqcjepfo.exe File opened for modification C:\Windows\SysWOW64\Dfjgaq32.exe Dannij32.exe File opened for modification C:\Windows\SysWOW64\Iljpij32.exe Hkicaahi.exe File created C:\Windows\SysWOW64\Baiinofi.dll Ncchae32.exe File opened for modification C:\Windows\SysWOW64\Ldleel32.exe Llemdo32.exe File created C:\Windows\SysWOW64\Pgllfp32.exe Pdmpje32.exe File created C:\Windows\SysWOW64\Jcbldglg.dll Daaicfgd.exe File created C:\Windows\SysWOW64\Inmabofh.dll Kjepjkhf.exe File created C:\Windows\SysWOW64\Niakfbpa.exe Najceeoo.exe File created C:\Windows\SysWOW64\Njhgbp32.exe Ncnofeof.exe File opened for modification C:\Windows\SysWOW64\Jjamia32.exe Jgcamf32.exe File created C:\Windows\SysWOW64\Hphlgp32.dll Cjhfpa32.exe File created C:\Windows\SysWOW64\Aojefobm.exe Ahpmjejp.exe File created C:\Windows\SysWOW64\Cdfkolkf.exe Ceckcp32.exe File created C:\Windows\SysWOW64\Hoogfnnb.exe Hghoeqmp.exe File opened for modification C:\Windows\SysWOW64\Ocamjm32.exe Oiihahme.exe File created C:\Windows\SysWOW64\Qipkmbib.dll Idkbkl32.exe File created C:\Windows\SysWOW64\Emoinpcd.exe Eolhbc32.exe File created C:\Windows\SysWOW64\Nlkgmh32.exe Neqopnhb.exe File created C:\Windows\SysWOW64\Moipoh32.exe Mnhdgpii.exe File created C:\Windows\SysWOW64\Cnfkdb32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jfnbdecg.exe Jkhngl32.exe File created C:\Windows\SysWOW64\Bkoigdom.exe Bjnmpl32.exe File created C:\Windows\SysWOW64\Lnadagbm.exe Lggldm32.exe File opened for modification C:\Windows\SysWOW64\Gdppbfff.exe Gekcaj32.exe File opened for modification C:\Windows\SysWOW64\Odmbaj32.exe Oanfen32.exe File created C:\Windows\SysWOW64\Jihiic32.dll Nopfpgip.exe File opened for modification C:\Windows\SysWOW64\Offnhpfo.exe Omnjojpo.exe File created C:\Windows\SysWOW64\Gbhhlfgd.dll Process not Found File created C:\Windows\SysWOW64\Nognnj32.exe Nliaao32.exe File opened for modification C:\Windows\SysWOW64\Ckjbhmad.exe Cdpjlb32.exe File created C:\Windows\SysWOW64\Dpifba32.dll Poomegpf.exe File opened for modification C:\Windows\SysWOW64\Cjinkg32.exe Chjaol32.exe File created C:\Windows\SysWOW64\Hcjccj32.dll Dfiafg32.exe File created C:\Windows\SysWOW64\Ofdljpcg.dll Fpodlbng.exe File created C:\Windows\SysWOW64\Emdajb32.exe Ejfeng32.exe File opened for modification C:\Windows\SysWOW64\Kglmio32.exe Kcpahpmd.exe File opened for modification C:\Windows\SysWOW64\Qqijje32.exe Qgqeappe.exe File created C:\Windows\SysWOW64\Jeciaina.dll Dbkqfe32.exe File created C:\Windows\SysWOW64\Pickil32.dll Olicnfco.exe File opened for modification C:\Windows\SysWOW64\Hkeaqi32.exe Hhfedm32.exe File created C:\Windows\SysWOW64\Kfankifm.exe Klljnp32.exe File created C:\Windows\SysWOW64\Kmdjdl32.dll Ddakjkqi.exe File opened for modification C:\Windows\SysWOW64\Jkgpbp32.exe Jdmgfedl.exe File created C:\Windows\SysWOW64\Imllie32.dll Klljnp32.exe File opened for modification C:\Windows\SysWOW64\Pahpfc32.exe Pojcjh32.exe File created C:\Windows\SysWOW64\Qciaajej.dll Pjmehkqk.exe File opened for modification C:\Windows\SysWOW64\Bnkgeg32.exe Bcebhoii.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10152 9920 Process not Found 1175 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pblkiipl.dll" Fknicb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Belqaa32.dll" Fpjcgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehqkihfg.dll" Nenbjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eaindh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljekoej.dll" Ejfeng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll" Chokikeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chokikeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnbkfjcb.dll" Nojanpej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epaobqhf.dll" Ghkeio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdpjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glipgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opogbbig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpeafcfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjmfjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckpjfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocopdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmflc32.dll" Ijogmdqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbfcmhpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kglmio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecbjkngo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mglfplgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbbffdlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goaojagc.dll" Nnjlpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhnbpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iinjhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmkigh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhnbpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djqblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgkhgb32.dll" Pqcjepfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnecgoki.dll" Kjmmepfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hffken32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkhqmjb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmcmd32.dll" Ahfdjanb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akcjkfij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbobifpp.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nagbfo32.dll" Opemca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okedcjcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmieae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll" Dkifae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmmffmb.dll" Kpiljh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emehdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjpdi32.dll" Pgmcqggf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfpecg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cepohhai.dll" Khmknk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lekmnajj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghpendjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlgbon32.dll" Lbjlfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igjeanmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cqpbglno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhfgeigk.dll" Oanfen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahbohd32.dll" Gidnkkpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpmkebjc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll" Oncofm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeapfm32.dll" Aqoiqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bggnof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambfbo32.dll" Fpkibf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fngdja32.dll" Ohnebd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eglkdbfn.dll" Fmkqpkla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ceqnmpfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jglklggl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhepbll.dll" Dkbocbog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2092 wrote to memory of 1764 2092 bb378c1be69bad3bf63f4aee0f5db6b2e54af502e44b4d92c7f5f616eedc0003.exe 80 PID 2092 wrote to memory of 1764 2092 bb378c1be69bad3bf63f4aee0f5db6b2e54af502e44b4d92c7f5f616eedc0003.exe 80 PID 2092 wrote to memory of 1764 2092 bb378c1be69bad3bf63f4aee0f5db6b2e54af502e44b4d92c7f5f616eedc0003.exe 80 PID 1764 wrote to memory of 3516 1764 Odnnnnfe.exe 81 PID 1764 wrote to memory of 3516 1764 Odnnnnfe.exe 81 PID 1764 wrote to memory of 3516 1764 Odnnnnfe.exe 81 PID 3516 wrote to memory of 1140 3516 Onfbfc32.exe 82 PID 3516 wrote to memory of 1140 3516 Onfbfc32.exe 82 PID 3516 wrote to memory of 1140 3516 Onfbfc32.exe 82 PID 1140 wrote to memory of 1428 1140 Occkojkm.exe 83 PID 1140 wrote to memory of 1428 1140 Occkojkm.exe 83 PID 1140 wrote to memory of 1428 1140 Occkojkm.exe 83 PID 1428 wrote to memory of 3052 1428 Onholckc.exe 84 PID 1428 wrote to memory of 3052 1428 Onholckc.exe 84 PID 1428 wrote to memory of 3052 1428 Onholckc.exe 84 PID 3052 wrote to memory of 3196 3052 Oqgkhnjf.exe 85 PID 3052 wrote to memory of 3196 3052 Oqgkhnjf.exe 85 PID 3052 wrote to memory of 3196 3052 Oqgkhnjf.exe 85 PID 3196 wrote to memory of 1056 3196 Ojopad32.exe 86 PID 3196 wrote to memory of 1056 3196 Ojopad32.exe 86 PID 3196 wrote to memory of 1056 3196 Ojopad32.exe 86 PID 1056 wrote to memory of 4224 1056 Obfhba32.exe 87 PID 1056 wrote to memory of 4224 1056 Obfhba32.exe 87 PID 1056 wrote to memory of 4224 1056 Obfhba32.exe 87 PID 4224 wrote to memory of 4908 4224 Okolkg32.exe 88 PID 4224 wrote to memory of 4908 4224 Okolkg32.exe 88 PID 4224 wrote to memory of 4908 4224 Okolkg32.exe 88 PID 4908 wrote to memory of 4228 4908 Oqkdcn32.exe 89 PID 4908 wrote to memory of 4228 4908 Oqkdcn32.exe 89 PID 4908 wrote to memory of 4228 4908 Oqkdcn32.exe 89 PID 4228 wrote to memory of 2976 4228 Pjdilcla.exe 90 PID 4228 wrote to memory of 2976 4228 Pjdilcla.exe 90 PID 4228 wrote to memory of 2976 4228 Pjdilcla.exe 90 PID 2976 wrote to memory of 2988 2976 Pqnaim32.exe 91 PID 2976 wrote to memory of 2988 2976 Pqnaim32.exe 91 PID 2976 wrote to memory of 2988 2976 Pqnaim32.exe 91 PID 2988 wrote to memory of 3980 2988 Pnbbbabh.exe 92 PID 2988 wrote to memory of 3980 2988 Pnbbbabh.exe 92 PID 2988 wrote to memory of 3980 2988 Pnbbbabh.exe 92 PID 3980 wrote to memory of 4108 3980 Pcojkhap.exe 93 PID 3980 wrote to memory of 4108 3980 Pcojkhap.exe 93 PID 3980 wrote to memory of 4108 3980 Pcojkhap.exe 93 PID 4108 wrote to memory of 5072 4108 Pjhbgb32.exe 94 PID 4108 wrote to memory of 5072 4108 Pjhbgb32.exe 94 PID 4108 wrote to memory of 5072 4108 Pjhbgb32.exe 94 PID 5072 wrote to memory of 2380 5072 Pgmcqggf.exe 95 PID 5072 wrote to memory of 2380 5072 Pgmcqggf.exe 95 PID 5072 wrote to memory of 2380 5072 Pgmcqggf.exe 95 PID 2380 wrote to memory of 4832 2380 Pjkombfj.exe 96 PID 2380 wrote to memory of 4832 2380 Pjkombfj.exe 96 PID 2380 wrote to memory of 4832 2380 Pjkombfj.exe 96 PID 4832 wrote to memory of 3648 4832 Pbbgnpgl.exe 97 PID 4832 wrote to memory of 3648 4832 Pbbgnpgl.exe 97 PID 4832 wrote to memory of 3648 4832 Pbbgnpgl.exe 97 PID 3648 wrote to memory of 748 3648 Peqcjkfp.exe 98 PID 3648 wrote to memory of 748 3648 Peqcjkfp.exe 98 PID 3648 wrote to memory of 748 3648 Peqcjkfp.exe 98 PID 748 wrote to memory of 1476 748 Pgopffec.exe 99 PID 748 wrote to memory of 1476 748 Pgopffec.exe 99 PID 748 wrote to memory of 1476 748 Pgopffec.exe 99 PID 1476 wrote to memory of 2096 1476 Pkjlge32.exe 100 PID 1476 wrote to memory of 2096 1476 Pkjlge32.exe 100 PID 1476 wrote to memory of 2096 1476 Pkjlge32.exe 100 PID 2096 wrote to memory of 4456 2096 Pnihcq32.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\bb378c1be69bad3bf63f4aee0f5db6b2e54af502e44b4d92c7f5f616eedc0003.exe"C:\Users\Admin\AppData\Local\Temp\bb378c1be69bad3bf63f4aee0f5db6b2e54af502e44b4d92c7f5f616eedc0003.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\SysWOW64\Onfbfc32.exeC:\Windows\system32\Onfbfc32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Onholckc.exeC:\Windows\system32\Onholckc.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3196 -
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Windows\SysWOW64\Pjhbgb32.exeC:\Windows\system32\Pjhbgb32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Windows\SysWOW64\Pgmcqggf.exeC:\Windows\system32\Pgmcqggf.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\Pjkombfj.exeC:\Windows\system32\Pjkombfj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Pbbgnpgl.exeC:\Windows\system32\Pbbgnpgl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe23⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe24⤵
- Executes dropped EXE
PID:3232 -
C:\Windows\SysWOW64\Qchmagie.exeC:\Windows\system32\Qchmagie.exe25⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe26⤵
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe27⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe28⤵
- Executes dropped EXE
PID:3100 -
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe29⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe30⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Ajdbcano.exeC:\Windows\system32\Ajdbcano.exe31⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe32⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe33⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe34⤵
- Executes dropped EXE
PID:3132 -
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe35⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe36⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe37⤵
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\Acocaf32.exeC:\Windows\system32\Acocaf32.exe38⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe39⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe40⤵
- Executes dropped EXE
PID:3704 -
C:\Windows\SysWOW64\Bhaebcen.exeC:\Windows\system32\Bhaebcen.exe41⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe42⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe43⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe44⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Bejogg32.exeC:\Windows\system32\Bejogg32.exe45⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Blfdia32.exeC:\Windows\system32\Blfdia32.exe47⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Boepel32.exeC:\Windows\system32\Boepel32.exe48⤵
- Executes dropped EXE
PID:412 -
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe49⤵
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\Cogmkl32.exeC:\Windows\system32\Cogmkl32.exe50⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe51⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Cecbmf32.exeC:\Windows\system32\Cecbmf32.exe52⤵
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\Ckpjfm32.exeC:\Windows\system32\Ckpjfm32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:3532 -
C:\Windows\SysWOW64\Cefoce32.exeC:\Windows\system32\Cefoce32.exe54⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Cdkldb32.exeC:\Windows\system32\Cdkldb32.exe55⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Dekhneap.exeC:\Windows\system32\Dekhneap.exe56⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Daaicfgd.exeC:\Windows\system32\Daaicfgd.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3732 -
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe58⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Dadeieea.exeC:\Windows\system32\Dadeieea.exe59⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Dhnnep32.exeC:\Windows\system32\Dhnnep32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Dhpjkojk.exeC:\Windows\system32\Dhpjkojk.exe61⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Dkoggkjo.exeC:\Windows\system32\Dkoggkjo.exe62⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Eaklidoi.exeC:\Windows\system32\Eaklidoi.exe63⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Ehedfo32.exeC:\Windows\system32\Ehedfo32.exe64⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Elppfmoo.exeC:\Windows\system32\Elppfmoo.exe65⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Eoolbinc.exeC:\Windows\system32\Eoolbinc.exe66⤵PID:4460
-
C:\Windows\SysWOW64\Eamhodmf.exeC:\Windows\system32\Eamhodmf.exe67⤵PID:396
-
C:\Windows\SysWOW64\Edkdkplj.exeC:\Windows\system32\Edkdkplj.exe68⤵PID:3400
-
C:\Windows\SysWOW64\Elbmlmml.exeC:\Windows\system32\Elbmlmml.exe69⤵PID:3564
-
C:\Windows\SysWOW64\Eoaihhlp.exeC:\Windows\system32\Eoaihhlp.exe70⤵PID:3452
-
C:\Windows\SysWOW64\Eapedd32.exeC:\Windows\system32\Eapedd32.exe71⤵PID:4496
-
C:\Windows\SysWOW64\Eekaebcm.exeC:\Windows\system32\Eekaebcm.exe72⤵PID:212
-
C:\Windows\SysWOW64\Ehimanbq.exeC:\Windows\system32\Ehimanbq.exe73⤵PID:1052
-
C:\Windows\SysWOW64\Ekhjmiad.exeC:\Windows\system32\Ekhjmiad.exe74⤵PID:3008
-
C:\Windows\SysWOW64\Ecoangbg.exeC:\Windows\system32\Ecoangbg.exe75⤵PID:4320
-
C:\Windows\SysWOW64\Eemnjbaj.exeC:\Windows\system32\Eemnjbaj.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2728 -
C:\Windows\SysWOW64\Ehljfnpn.exeC:\Windows\system32\Ehljfnpn.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:800 -
C:\Windows\SysWOW64\Elgfgl32.exeC:\Windows\system32\Elgfgl32.exe78⤵PID:4244
-
C:\Windows\SysWOW64\Eepjpb32.exeC:\Windows\system32\Eepjpb32.exe79⤵PID:1696
-
C:\Windows\SysWOW64\Fcfhof32.exeC:\Windows\system32\Fcfhof32.exe80⤵PID:2920
-
C:\Windows\SysWOW64\Flnlhk32.exeC:\Windows\system32\Flnlhk32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1972 -
C:\Windows\SysWOW64\Fchddejl.exeC:\Windows\system32\Fchddejl.exe82⤵PID:1480
-
C:\Windows\SysWOW64\Fooeif32.exeC:\Windows\system32\Fooeif32.exe83⤵PID:1100
-
C:\Windows\SysWOW64\Fcmnpe32.exeC:\Windows\system32\Fcmnpe32.exe84⤵PID:2984
-
C:\Windows\SysWOW64\Gkhbdg32.exeC:\Windows\system32\Gkhbdg32.exe85⤵PID:2068
-
C:\Windows\SysWOW64\Gcojed32.exeC:\Windows\system32\Gcojed32.exe86⤵PID:1136
-
C:\Windows\SysWOW64\Gofkje32.exeC:\Windows\system32\Gofkje32.exe87⤵PID:5084
-
C:\Windows\SysWOW64\Gcddpdpo.exeC:\Windows\system32\Gcddpdpo.exe88⤵PID:1844
-
C:\Windows\SysWOW64\Gkoiefmj.exeC:\Windows\system32\Gkoiefmj.exe89⤵PID:2104
-
C:\Windows\SysWOW64\Gicinj32.exeC:\Windows\system32\Gicinj32.exe90⤵PID:3848
-
C:\Windows\SysWOW64\Gcimkc32.exeC:\Windows\system32\Gcimkc32.exe91⤵PID:4388
-
C:\Windows\SysWOW64\Hkdbpe32.exeC:\Windows\system32\Hkdbpe32.exe92⤵PID:1836
-
C:\Windows\SysWOW64\Hckjacjg.exeC:\Windows\system32\Hckjacjg.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5112 -
C:\Windows\SysWOW64\Hihbijhn.exeC:\Windows\system32\Hihbijhn.exe94⤵PID:4416
-
C:\Windows\SysWOW64\Hcmgfbhd.exeC:\Windows\system32\Hcmgfbhd.exe95⤵PID:3244
-
C:\Windows\SysWOW64\Hmfkoh32.exeC:\Windows\system32\Hmfkoh32.exe96⤵PID:2548
-
C:\Windows\SysWOW64\Hmhhehlb.exeC:\Windows\system32\Hmhhehlb.exe97⤵PID:540
-
C:\Windows\SysWOW64\Hmjdjgjo.exeC:\Windows\system32\Hmjdjgjo.exe98⤵PID:1008
-
C:\Windows\SysWOW64\Ikpaldog.exeC:\Windows\system32\Ikpaldog.exe99⤵PID:4476
-
C:\Windows\SysWOW64\Ibjjhn32.exeC:\Windows\system32\Ibjjhn32.exe100⤵PID:840
-
C:\Windows\SysWOW64\Imoneg32.exeC:\Windows\system32\Imoneg32.exe101⤵PID:2836
-
C:\Windows\SysWOW64\Ipnjab32.exeC:\Windows\system32\Ipnjab32.exe102⤵PID:1160
-
C:\Windows\SysWOW64\Iejcji32.exeC:\Windows\system32\Iejcji32.exe103⤵PID:3764
-
C:\Windows\SysWOW64\Imakkfdg.exeC:\Windows\system32\Imakkfdg.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4564 -
C:\Windows\SysWOW64\Ifjodl32.exeC:\Windows\system32\Ifjodl32.exe105⤵PID:5132
-
C:\Windows\SysWOW64\Iemppiab.exeC:\Windows\system32\Iemppiab.exe106⤵PID:5176
-
C:\Windows\SysWOW64\Ipbdmaah.exeC:\Windows\system32\Ipbdmaah.exe107⤵PID:5220
-
C:\Windows\SysWOW64\Icnpmp32.exeC:\Windows\system32\Icnpmp32.exe108⤵PID:5264
-
C:\Windows\SysWOW64\Ifllil32.exeC:\Windows\system32\Ifllil32.exe109⤵PID:5308
-
C:\Windows\SysWOW64\Icplcpgo.exeC:\Windows\system32\Icplcpgo.exe110⤵PID:5352
-
C:\Windows\SysWOW64\Jfoiokfb.exeC:\Windows\system32\Jfoiokfb.exe111⤵PID:5396
-
C:\Windows\SysWOW64\Jlkagbej.exeC:\Windows\system32\Jlkagbej.exe112⤵PID:5436
-
C:\Windows\SysWOW64\Jbeidl32.exeC:\Windows\system32\Jbeidl32.exe113⤵PID:5488
-
C:\Windows\SysWOW64\Jfaedkdp.exeC:\Windows\system32\Jfaedkdp.exe114⤵PID:5544
-
C:\Windows\SysWOW64\Jioaqfcc.exeC:\Windows\system32\Jioaqfcc.exe115⤵PID:5604
-
C:\Windows\SysWOW64\Jfcbjk32.exeC:\Windows\system32\Jfcbjk32.exe116⤵PID:5652
-
C:\Windows\SysWOW64\Jianff32.exeC:\Windows\system32\Jianff32.exe117⤵PID:5696
-
C:\Windows\SysWOW64\Jcgbco32.exeC:\Windows\system32\Jcgbco32.exe118⤵PID:5740
-
C:\Windows\SysWOW64\Jidklf32.exeC:\Windows\system32\Jidklf32.exe119⤵PID:5784
-
C:\Windows\SysWOW64\Jcioiood.exeC:\Windows\system32\Jcioiood.exe120⤵PID:5828
-
C:\Windows\SysWOW64\Jfhlejnh.exeC:\Windows\system32\Jfhlejnh.exe121⤵PID:5872
-
C:\Windows\SysWOW64\Kfjhkjle.exeC:\Windows\system32\Kfjhkjle.exe122⤵PID:5916
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-