Analysis
-
max time kernel
79s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
04/07/2024, 04:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3c724f77ce2250c301c2f63d81cfa06c5d6e627e865900af541a36e2048c3f66.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
3c724f77ce2250c301c2f63d81cfa06c5d6e627e865900af541a36e2048c3f66.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
3c724f77ce2250c301c2f63d81cfa06c5d6e627e865900af541a36e2048c3f66.exe
-
Size
60KB
-
MD5
b278cb563b2a74dfee6b3873062f8100
-
SHA1
d03e2f0927d163e1fd83f2ffb9c9853ae1af2187
-
SHA256
3c724f77ce2250c301c2f63d81cfa06c5d6e627e865900af541a36e2048c3f66
-
SHA512
8ea4acbed852dc538f9686bd608af2212f3b1aa282aa2490645f281d272a75383318fd427911da0f83cd05dacd04a2990cc5d9d797d66f6aa553acf8b6a72ee4
-
SSDEEP
1536:DECklUTAT/3QiORlbUwhz8eRFtQUB86l1rs:sxT/Qrthz8eRFtQUB86l1rs
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mahbje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbekqdjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeklag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmaioo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahmlgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbnafb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goedpofl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hboagf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqmeal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdkpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Megdccmb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkcboack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbfiep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlhbal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqdoem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqgkhnjf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbmncp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Behbag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekbihd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgbefoji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikcdlmgf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqpfjnba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lijlof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcfhof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cagobalc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gempgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfedle32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcmnpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjmmepfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjghpn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edmjfifl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlglfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbnepe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niooqcad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oohnonij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqihnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkaopp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nphhmj32.exe -
Executes dropped EXE 64 IoCs
pid Process 4800 Cakjmm32.exe 1988 Cibank32.exe 1460 Clqnjf32.exe 1816 Coojfa32.exe 2988 Ccjfgphj.exe 1260 Cidncj32.exe 3952 Cpofpdgd.exe 4556 Capchmmb.exe 2068 Dhjkdg32.exe 2224 Dpacfd32.exe 2248 Dabpnlkp.exe 5084 Dlgdkeje.exe 3896 Dcalgo32.exe 5108 Djlddi32.exe 2364 Dljqpd32.exe 1164 Debeijoc.exe 644 Dllmfd32.exe 232 Daifnk32.exe 3964 Dpjflb32.exe 4896 Dchbhn32.exe 3212 Epmcab32.exe 2312 Epopgbia.exe 1472 Ehjdldfl.exe 3188 Ejjqeg32.exe 1940 Eofinnkf.exe 1076 Ehonfc32.exe 4060 Eoifcnid.exe 1584 Fbgbpihg.exe 2696 Fqhbmqqg.exe 1292 Fbioei32.exe 1080 Fjqgff32.exe 2340 Fcikolnh.exe 5056 Fifdgblo.exe 4480 Fmapha32.exe 1820 Fbnhphbp.exe 4276 Fihqmb32.exe 2476 Fqohnp32.exe 536 Fflaff32.exe 2904 Fjhmgeao.exe 4048 Fodeolof.exe 668 Gjjjle32.exe 4716 Gqdbiofi.exe 3996 Gcbnejem.exe 2924 Gjlfbd32.exe 2124 Gqfooodg.exe 3352 Giacca32.exe 5104 Gpklpkio.exe 3408 Gfedle32.exe 4696 Gidphq32.exe 3360 Gbldaffp.exe 4616 Gmaioo32.exe 4512 Gppekj32.exe 4876 Hboagf32.exe 3620 Hmdedo32.exe 3368 Hbanme32.exe 100 Hikfip32.exe 400 Hpenfjad.exe 968 Hcqjfh32.exe 1948 Hfofbd32.exe 1852 Hmioonpn.exe 2100 Hccglh32.exe 4760 Hbeghene.exe 2172 Hippdo32.exe 464 Haggelfd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Emoinpcd.exe Ekpmbddq.exe File created C:\Windows\SysWOW64\Ghipne32.exe Gaogak32.exe File created C:\Windows\SysWOW64\Embkoi32.exe Eigonjcj.exe File opened for modification C:\Windows\SysWOW64\Bgbpaipl.exe Process not Found File opened for modification C:\Windows\SysWOW64\Iiehpahb.exe Ifgldfio.exe File created C:\Windows\SysWOW64\Bfcqdoab.dll Fmlneg32.exe File created C:\Windows\SysWOW64\Gndcedao.dll Kkhpdcab.exe File created C:\Windows\SysWOW64\Oenqhaga.dll Process not Found File created C:\Windows\SysWOW64\Mhjmpfcl.dll Process not Found File created C:\Windows\SysWOW64\Ncchae32.exe Process not Found File created C:\Windows\SysWOW64\Jfdida32.exe Jpjqhgol.exe File opened for modification C:\Windows\SysWOW64\Cqpbglno.exe Bfjnjcni.exe File created C:\Windows\SysWOW64\Fdnnlj32.dll Process not Found File created C:\Windows\SysWOW64\Mgghhlhq.exe Mpmokb32.exe File created C:\Windows\SysWOW64\Fcdjjo32.dll Nqfbaq32.exe File created C:\Windows\SysWOW64\Qfcfml32.exe Qdbiedpa.exe File created C:\Windows\SysWOW64\Ghmpjalb.dll Hpomcp32.exe File created C:\Windows\SysWOW64\Cihclh32.exe Process not Found File created C:\Windows\SysWOW64\Napjdpcn.exe Process not Found File created C:\Windows\SysWOW64\Pejkmk32.exe Process not Found File created C:\Windows\SysWOW64\Jjmhppqd.exe Jbfpobpb.exe File opened for modification C:\Windows\SysWOW64\Mgidml32.exe Mdkhapfj.exe File created C:\Windows\SysWOW64\Jkaqnk32.exe Jehhaaci.exe File created C:\Windows\SysWOW64\Nlhlkhcm.dll Nomncpcg.exe File created C:\Windows\SysWOW64\Iakiia32.exe Ikqqlgem.exe File opened for modification C:\Windows\SysWOW64\Naecop32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ohhnbhok.exe Process not Found File created C:\Windows\SysWOW64\Cleqadmh.dll Andgoobc.exe File created C:\Windows\SysWOW64\Cddecc32.exe Ceaehfjj.exe File opened for modification C:\Windows\SysWOW64\Doeiljfn.exe Ddpeoafg.exe File opened for modification C:\Windows\SysWOW64\Hgjljpkm.exe Hfipbh32.exe File created C:\Windows\SysWOW64\Hejkiial.dll Plndcl32.exe File opened for modification C:\Windows\SysWOW64\Ebnfbcbc.exe Process not Found File created C:\Windows\SysWOW64\Knkffk32.dll Fchddejl.exe File opened for modification C:\Windows\SysWOW64\Bgpgng32.exe Boipmj32.exe File created C:\Windows\SysWOW64\Mklbeh32.dll Process not Found File created C:\Windows\SysWOW64\Hbeghene.exe Hccglh32.exe File created C:\Windows\SysWOW64\Eofbch32.exe Ehljfnpn.exe File opened for modification C:\Windows\SysWOW64\Fknbil32.exe Fhofmq32.exe File opened for modification C:\Windows\SysWOW64\Fmndpq32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Klmpiiai.exe Kechmoil.exe File opened for modification C:\Windows\SysWOW64\Agbkmijg.exe Aokcklid.exe File created C:\Windows\SysWOW64\Oeaoab32.exe Oohgdhfn.exe File opened for modification C:\Windows\SysWOW64\Addaif32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dnbakghm.exe Process not Found File created C:\Windows\SysWOW64\Gikdkj32.exe Process not Found File created C:\Windows\SysWOW64\Pjmjdm32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fjhmgeao.exe Fflaff32.exe File created C:\Windows\SysWOW64\Hkmefd32.exe Hioiji32.exe File opened for modification C:\Windows\SysWOW64\Kechmoil.exe Kbekqdjh.exe File created C:\Windows\SysWOW64\Mdeodj32.dll Process not Found File created C:\Windows\SysWOW64\Fifdgblo.exe Fcikolnh.exe File created C:\Windows\SysWOW64\Oifeab32.exe Oblmdhdo.exe File created C:\Windows\SysWOW64\Jlfpdh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jkimho32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kjepjkhf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Blgifbil.exe Process not Found File created C:\Windows\SysWOW64\Hnhghcki.exe Hkjjlhle.exe File created C:\Windows\SysWOW64\Gipdap32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lgdidgjg.exe Process not Found File created C:\Windows\SysWOW64\Gdmpga32.dll Process not Found File created C:\Windows\SysWOW64\Fbnafb32.exe Fooeif32.exe File created C:\Windows\SysWOW64\Megdccmb.exe Mchhggno.exe File created C:\Windows\SysWOW64\Neppokal.exe Noehba32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 15692 15372 Process not Found 1736 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbedga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdqfah32.dll" Cehkhecb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gicinj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jehhaaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghopckpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgbmccpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Macgaopp.dll" Poomegpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eaakpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaogak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oldamm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll" Ocdqjceo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iklgah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljkifn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npmagine.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhijijbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfljpbki.dll" Mpnnle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Illddp32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kflflhfg.dll" Imgkql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll" Mkpgck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifndpaoq.dll" Neeqea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bendbkih.dll" Lfjjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hminmc32.dll" Llgcph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhhfedil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfamapjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qedegh32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgohg32.dll" Fflaff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjdlbifk.dll" Jcgbco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fddqghpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnkcogno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldmlpbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mipaiqmd.dll" Qgciaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Banllbdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefchq32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eobocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkonb32.dll" Gahjgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbileede.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhmigagd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmbkmemo.dll" Ipnalhii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kiidgeki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kelalp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inkjhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgjamboa.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldkojb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pejjde32.dll" Edihepnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohepjfbb.dll" Gojnko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogpepl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfgllk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1984 wrote to memory of 4800 1984 3c724f77ce2250c301c2f63d81cfa06c5d6e627e865900af541a36e2048c3f66.exe 81 PID 1984 wrote to memory of 4800 1984 3c724f77ce2250c301c2f63d81cfa06c5d6e627e865900af541a36e2048c3f66.exe 81 PID 1984 wrote to memory of 4800 1984 3c724f77ce2250c301c2f63d81cfa06c5d6e627e865900af541a36e2048c3f66.exe 81 PID 4800 wrote to memory of 1988 4800 Cakjmm32.exe 82 PID 4800 wrote to memory of 1988 4800 Cakjmm32.exe 82 PID 4800 wrote to memory of 1988 4800 Cakjmm32.exe 82 PID 1988 wrote to memory of 1460 1988 Cibank32.exe 83 PID 1988 wrote to memory of 1460 1988 Cibank32.exe 83 PID 1988 wrote to memory of 1460 1988 Cibank32.exe 83 PID 1460 wrote to memory of 1816 1460 Clqnjf32.exe 84 PID 1460 wrote to memory of 1816 1460 Clqnjf32.exe 84 PID 1460 wrote to memory of 1816 1460 Clqnjf32.exe 84 PID 1816 wrote to memory of 2988 1816 Coojfa32.exe 85 PID 1816 wrote to memory of 2988 1816 Coojfa32.exe 85 PID 1816 wrote to memory of 2988 1816 Coojfa32.exe 85 PID 2988 wrote to memory of 1260 2988 Ccjfgphj.exe 86 PID 2988 wrote to memory of 1260 2988 Ccjfgphj.exe 86 PID 2988 wrote to memory of 1260 2988 Ccjfgphj.exe 86 PID 1260 wrote to memory of 3952 1260 Cidncj32.exe 87 PID 1260 wrote to memory of 3952 1260 Cidncj32.exe 87 PID 1260 wrote to memory of 3952 1260 Cidncj32.exe 87 PID 3952 wrote to memory of 4556 3952 Cpofpdgd.exe 88 PID 3952 wrote to memory of 4556 3952 Cpofpdgd.exe 88 PID 3952 wrote to memory of 4556 3952 Cpofpdgd.exe 88 PID 4556 wrote to memory of 2068 4556 Capchmmb.exe 89 PID 4556 wrote to memory of 2068 4556 Capchmmb.exe 89 PID 4556 wrote to memory of 2068 4556 Capchmmb.exe 89 PID 2068 wrote to memory of 2224 2068 Dhjkdg32.exe 90 PID 2068 wrote to memory of 2224 2068 Dhjkdg32.exe 90 PID 2068 wrote to memory of 2224 2068 Dhjkdg32.exe 90 PID 2224 wrote to memory of 2248 2224 Dpacfd32.exe 91 PID 2224 wrote to memory of 2248 2224 Dpacfd32.exe 91 PID 2224 wrote to memory of 2248 2224 Dpacfd32.exe 91 PID 2248 wrote to memory of 5084 2248 Dabpnlkp.exe 92 PID 2248 wrote to memory of 5084 2248 Dabpnlkp.exe 92 PID 2248 wrote to memory of 5084 2248 Dabpnlkp.exe 92 PID 5084 wrote to memory of 3896 5084 Dlgdkeje.exe 93 PID 5084 wrote to memory of 3896 5084 Dlgdkeje.exe 93 PID 5084 wrote to memory of 3896 5084 Dlgdkeje.exe 93 PID 3896 wrote to memory of 5108 3896 Dcalgo32.exe 94 PID 3896 wrote to memory of 5108 3896 Dcalgo32.exe 94 PID 3896 wrote to memory of 5108 3896 Dcalgo32.exe 94 PID 5108 wrote to memory of 2364 5108 Djlddi32.exe 95 PID 5108 wrote to memory of 2364 5108 Djlddi32.exe 95 PID 5108 wrote to memory of 2364 5108 Djlddi32.exe 95 PID 2364 wrote to memory of 1164 2364 Dljqpd32.exe 96 PID 2364 wrote to memory of 1164 2364 Dljqpd32.exe 96 PID 2364 wrote to memory of 1164 2364 Dljqpd32.exe 96 PID 1164 wrote to memory of 644 1164 Debeijoc.exe 97 PID 1164 wrote to memory of 644 1164 Debeijoc.exe 97 PID 1164 wrote to memory of 644 1164 Debeijoc.exe 97 PID 644 wrote to memory of 232 644 Dllmfd32.exe 98 PID 644 wrote to memory of 232 644 Dllmfd32.exe 98 PID 644 wrote to memory of 232 644 Dllmfd32.exe 98 PID 232 wrote to memory of 3964 232 Daifnk32.exe 99 PID 232 wrote to memory of 3964 232 Daifnk32.exe 99 PID 232 wrote to memory of 3964 232 Daifnk32.exe 99 PID 3964 wrote to memory of 4896 3964 Dpjflb32.exe 100 PID 3964 wrote to memory of 4896 3964 Dpjflb32.exe 100 PID 3964 wrote to memory of 4896 3964 Dpjflb32.exe 100 PID 4896 wrote to memory of 3212 4896 Dchbhn32.exe 101 PID 4896 wrote to memory of 3212 4896 Dchbhn32.exe 101 PID 4896 wrote to memory of 3212 4896 Dchbhn32.exe 101 PID 3212 wrote to memory of 2312 3212 Epmcab32.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c724f77ce2250c301c2f63d81cfa06c5d6e627e865900af541a36e2048c3f66.exe"C:\Users\Admin\AppData\Local\Temp\3c724f77ce2250c301c2f63d81cfa06c5d6e627e865900af541a36e2048c3f66.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Cakjmm32.exeC:\Windows\system32\Cakjmm32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\SysWOW64\Cibank32.exeC:\Windows\system32\Cibank32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Clqnjf32.exeC:\Windows\system32\Clqnjf32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Coojfa32.exeC:\Windows\system32\Coojfa32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Ccjfgphj.exeC:\Windows\system32\Ccjfgphj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Cidncj32.exeC:\Windows\system32\Cidncj32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Cpofpdgd.exeC:\Windows\system32\Cpofpdgd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Windows\SysWOW64\Capchmmb.exeC:\Windows\system32\Capchmmb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Windows\SysWOW64\Dhjkdg32.exeC:\Windows\system32\Dhjkdg32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Dpacfd32.exeC:\Windows\system32\Dpacfd32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Dabpnlkp.exeC:\Windows\system32\Dabpnlkp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Dlgdkeje.exeC:\Windows\system32\Dlgdkeje.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Windows\SysWOW64\Dcalgo32.exeC:\Windows\system32\Dcalgo32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
C:\Windows\SysWOW64\Djlddi32.exeC:\Windows\system32\Djlddi32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Windows\SysWOW64\Dljqpd32.exeC:\Windows\system32\Dljqpd32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Debeijoc.exeC:\Windows\system32\Debeijoc.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Dllmfd32.exeC:\Windows\system32\Dllmfd32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644 -
C:\Windows\SysWOW64\Daifnk32.exeC:\Windows\system32\Daifnk32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Windows\SysWOW64\Dpjflb32.exeC:\Windows\system32\Dpjflb32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\Dchbhn32.exeC:\Windows\system32\Dchbhn32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Windows\SysWOW64\Epmcab32.exeC:\Windows\system32\Epmcab32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\SysWOW64\Epopgbia.exeC:\Windows\system32\Epopgbia.exe23⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Ehjdldfl.exeC:\Windows\system32\Ehjdldfl.exe24⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Ejjqeg32.exeC:\Windows\system32\Ejjqeg32.exe25⤵
- Executes dropped EXE
PID:3188 -
C:\Windows\SysWOW64\Eofinnkf.exeC:\Windows\system32\Eofinnkf.exe26⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Ehonfc32.exeC:\Windows\system32\Ehonfc32.exe27⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Eoifcnid.exeC:\Windows\system32\Eoifcnid.exe28⤵
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\Fbgbpihg.exeC:\Windows\system32\Fbgbpihg.exe29⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Fqhbmqqg.exeC:\Windows\system32\Fqhbmqqg.exe30⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Fbioei32.exeC:\Windows\system32\Fbioei32.exe31⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Fjqgff32.exeC:\Windows\system32\Fjqgff32.exe32⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Fcikolnh.exeC:\Windows\system32\Fcikolnh.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Fifdgblo.exeC:\Windows\system32\Fifdgblo.exe34⤵
- Executes dropped EXE
PID:5056 -
C:\Windows\SysWOW64\Fmapha32.exeC:\Windows\system32\Fmapha32.exe35⤵
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Fbnhphbp.exeC:\Windows\system32\Fbnhphbp.exe36⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Fihqmb32.exeC:\Windows\system32\Fihqmb32.exe37⤵
- Executes dropped EXE
PID:4276 -
C:\Windows\SysWOW64\Fqohnp32.exeC:\Windows\system32\Fqohnp32.exe38⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Fflaff32.exeC:\Windows\system32\Fflaff32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:536 -
C:\Windows\SysWOW64\Fjhmgeao.exeC:\Windows\system32\Fjhmgeao.exe40⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Fodeolof.exeC:\Windows\system32\Fodeolof.exe41⤵
- Executes dropped EXE
PID:4048 -
C:\Windows\SysWOW64\Gjjjle32.exeC:\Windows\system32\Gjjjle32.exe42⤵
- Executes dropped EXE
PID:668 -
C:\Windows\SysWOW64\Gqdbiofi.exeC:\Windows\system32\Gqdbiofi.exe43⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Gcbnejem.exeC:\Windows\system32\Gcbnejem.exe44⤵
- Executes dropped EXE
PID:3996 -
C:\Windows\SysWOW64\Gjlfbd32.exeC:\Windows\system32\Gjlfbd32.exe45⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Gqfooodg.exeC:\Windows\system32\Gqfooodg.exe46⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Giacca32.exeC:\Windows\system32\Giacca32.exe47⤵
- Executes dropped EXE
PID:3352 -
C:\Windows\SysWOW64\Gpklpkio.exeC:\Windows\system32\Gpklpkio.exe48⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Gfedle32.exeC:\Windows\system32\Gfedle32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3408 -
C:\Windows\SysWOW64\Gidphq32.exeC:\Windows\system32\Gidphq32.exe50⤵
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Gbldaffp.exeC:\Windows\system32\Gbldaffp.exe51⤵
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\Gmaioo32.exeC:\Windows\system32\Gmaioo32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\Gppekj32.exeC:\Windows\system32\Gppekj32.exe53⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Hboagf32.exeC:\Windows\system32\Hboagf32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Hmdedo32.exeC:\Windows\system32\Hmdedo32.exe55⤵
- Executes dropped EXE
PID:3620 -
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe56⤵
- Executes dropped EXE
PID:3368 -
C:\Windows\SysWOW64\Hikfip32.exeC:\Windows\system32\Hikfip32.exe57⤵
- Executes dropped EXE
PID:100 -
C:\Windows\SysWOW64\Hpenfjad.exeC:\Windows\system32\Hpenfjad.exe58⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Hcqjfh32.exeC:\Windows\system32\Hcqjfh32.exe59⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Hfofbd32.exeC:\Windows\system32\Hfofbd32.exe60⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Hmioonpn.exeC:\Windows\system32\Hmioonpn.exe61⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Hbeghene.exeC:\Windows\system32\Hbeghene.exe63⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Hippdo32.exeC:\Windows\system32\Hippdo32.exe64⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Haggelfd.exeC:\Windows\system32\Haggelfd.exe65⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Hcedaheh.exeC:\Windows\system32\Hcedaheh.exe66⤵PID:2328
-
C:\Windows\SysWOW64\Hfcpncdk.exeC:\Windows\system32\Hfcpncdk.exe67⤵PID:4384
-
C:\Windows\SysWOW64\Hmmhjm32.exeC:\Windows\system32\Hmmhjm32.exe68⤵PID:1028
-
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe69⤵PID:1128
-
C:\Windows\SysWOW64\Iffmccbi.exeC:\Windows\system32\Iffmccbi.exe70⤵PID:3216
-
C:\Windows\SysWOW64\Iidipnal.exeC:\Windows\system32\Iidipnal.exe71⤵PID:4596
-
C:\Windows\SysWOW64\Ipnalhii.exeC:\Windows\system32\Ipnalhii.exe72⤵
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe73⤵PID:4452
-
C:\Windows\SysWOW64\Ijdeiaio.exeC:\Windows\system32\Ijdeiaio.exe74⤵PID:2496
-
C:\Windows\SysWOW64\Imbaemhc.exeC:\Windows\system32\Imbaemhc.exe75⤵PID:3252
-
C:\Windows\SysWOW64\Ipqnahgf.exeC:\Windows\system32\Ipqnahgf.exe76⤵PID:4192
-
C:\Windows\SysWOW64\Ifjfnb32.exeC:\Windows\system32\Ifjfnb32.exe77⤵PID:1280
-
C:\Windows\SysWOW64\Iiibkn32.exeC:\Windows\system32\Iiibkn32.exe78⤵PID:4504
-
C:\Windows\SysWOW64\Iapjlk32.exeC:\Windows\system32\Iapjlk32.exe79⤵PID:4040
-
C:\Windows\SysWOW64\Idofhfmm.exeC:\Windows\system32\Idofhfmm.exe80⤵PID:612
-
C:\Windows\SysWOW64\Ifmcdblq.exeC:\Windows\system32\Ifmcdblq.exe81⤵PID:3484
-
C:\Windows\SysWOW64\Imgkql32.exeC:\Windows\system32\Imgkql32.exe82⤵
- Modifies registry class
PID:1184 -
C:\Windows\SysWOW64\Ipegmg32.exeC:\Windows\system32\Ipegmg32.exe83⤵PID:5092
-
C:\Windows\SysWOW64\Idacmfkj.exeC:\Windows\system32\Idacmfkj.exe84⤵PID:2380
-
C:\Windows\SysWOW64\Iinlemia.exeC:\Windows\system32\Iinlemia.exe85⤵PID:5040
-
C:\Windows\SysWOW64\Jaedgjjd.exeC:\Windows\system32\Jaedgjjd.exe86⤵PID:1708
-
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe87⤵
- Drops file in System32 directory
PID:468 -
C:\Windows\SysWOW64\Jjmhppqd.exeC:\Windows\system32\Jjmhppqd.exe88⤵PID:4820
-
C:\Windows\SysWOW64\Jmkdlkph.exeC:\Windows\system32\Jmkdlkph.exe89⤵PID:2764
-
C:\Windows\SysWOW64\Jpjqhgol.exeC:\Windows\system32\Jpjqhgol.exe90⤵
- Drops file in System32 directory
PID:2096 -
C:\Windows\SysWOW64\Jfdida32.exeC:\Windows\system32\Jfdida32.exe91⤵PID:1688
-
C:\Windows\SysWOW64\Jmnaakne.exeC:\Windows\system32\Jmnaakne.exe92⤵PID:3552
-
C:\Windows\SysWOW64\Jplmmfmi.exeC:\Windows\system32\Jplmmfmi.exe93⤵PID:2156
-
C:\Windows\SysWOW64\Jbkjjblm.exeC:\Windows\system32\Jbkjjblm.exe94⤵PID:4188
-
C:\Windows\SysWOW64\Jjbako32.exeC:\Windows\system32\Jjbako32.exe95⤵PID:2168
-
C:\Windows\SysWOW64\Jaljgidl.exeC:\Windows\system32\Jaljgidl.exe96⤵PID:820
-
C:\Windows\SysWOW64\Jdjfcecp.exeC:\Windows\system32\Jdjfcecp.exe97⤵PID:1044
-
C:\Windows\SysWOW64\Jbmfoa32.exeC:\Windows\system32\Jbmfoa32.exe98⤵PID:2484
-
C:\Windows\SysWOW64\Jkdnpo32.exeC:\Windows\system32\Jkdnpo32.exe99⤵PID:4912
-
C:\Windows\SysWOW64\Jangmibi.exeC:\Windows\system32\Jangmibi.exe100⤵PID:3020
-
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe101⤵PID:3812
-
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe102⤵PID:4816
-
C:\Windows\SysWOW64\Kmegbjgn.exeC:\Windows\system32\Kmegbjgn.exe103⤵PID:4644
-
C:\Windows\SysWOW64\Kdopod32.exeC:\Windows\system32\Kdopod32.exe104⤵PID:1376
-
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe105⤵PID:2972
-
C:\Windows\SysWOW64\Kilhgk32.exeC:\Windows\system32\Kilhgk32.exe106⤵PID:4420
-
C:\Windows\SysWOW64\Kpepcedo.exeC:\Windows\system32\Kpepcedo.exe107⤵PID:3280
-
C:\Windows\SysWOW64\Kgphpo32.exeC:\Windows\system32\Kgphpo32.exe108⤵PID:2960
-
C:\Windows\SysWOW64\Kinemkko.exeC:\Windows\system32\Kinemkko.exe109⤵PID:4888
-
C:\Windows\SysWOW64\Kaemnhla.exeC:\Windows\system32\Kaemnhla.exe110⤵PID:4268
-
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3156 -
C:\Windows\SysWOW64\Kgbefoji.exeC:\Windows\system32\Kgbefoji.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3736 -
C:\Windows\SysWOW64\Kdffocib.exeC:\Windows\system32\Kdffocib.exe113⤵PID:2304
-
C:\Windows\SysWOW64\Kgdbkohf.exeC:\Windows\system32\Kgdbkohf.exe114⤵PID:2384
-
C:\Windows\SysWOW64\Kmnjhioc.exeC:\Windows\system32\Kmnjhioc.exe115⤵PID:1336
-
C:\Windows\SysWOW64\Kpmfddnf.exeC:\Windows\system32\Kpmfddnf.exe116⤵PID:1180
-
C:\Windows\SysWOW64\Kgfoan32.exeC:\Windows\system32\Kgfoan32.exe117⤵PID:1468
-
C:\Windows\SysWOW64\Liekmj32.exeC:\Windows\system32\Liekmj32.exe118⤵PID:5144
-
C:\Windows\SysWOW64\Lalcng32.exeC:\Windows\system32\Lalcng32.exe119⤵PID:5188
-
C:\Windows\SysWOW64\Ldkojb32.exeC:\Windows\system32\Ldkojb32.exe120⤵
- Modifies registry class
PID:5228 -
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe121⤵PID:5268
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-