Analysis
max time kernel: 35s
max time network: 23s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 06-07-2024 03:22

Static task: static1 (1 signatures)

Behavioral task: behavioral1
  Sample: d6c1a59f8c83cf469ea69812336633e25dd794d1e7da62db0b2f5a65499dc5fa.exe
  Resource: win7-20240705-en (windows7-x64)
  6 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: d6c1a59f8c83cf469ea69812336633e25dd794d1e7da62db0b2f5a65499dc5fa.exe
  Resource: win10v2004-20240704-en (windows10-2004-x64)
  5 signatures, 150 seconds
General
Target: d6c1a59f8c83cf469ea69812336633e25dd794d1e7da62db0b2f5a65499dc5fa.exe
Size: 275KB
MD5: 768a670b5b0827ae2308febe900cb7e6
SHA1: 11c83a495ff2f52e5331ca491693919978f5fd84
SHA256: d6c1a59f8c83cf469ea69812336633e25dd794d1e7da62db0b2f5a65499dc5fa
SHA512: 1a24fd27207593c1e39ba0e3412463c167819ca9ac40b53a032f5657b7b786848421bc87d1aef37e967d35bab6c409e8e949efe8b48d455b50d3c7420843ce8a
SSDEEP: 6144:hyMcseFbgzL2V4cpC0L4AY7YWT63cpC0L4f:jeIL2/p9i7drp9S
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\d6c1a59f8c83cf469ea69812336633e25dd794d1e7da62db0b2f5a65499dc5fa.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d6c1a59f8c83cf469ea69812336633e25dd794d1e7da62db0b2f5a65499dc5fa.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1756
C:\Windows\SysWOW64\Ggfgoo32.exeC:\Windows\system32\Ggfgoo32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Gpdhiaoi.exeC:\Windows\system32\Gpdhiaoi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Gfcjqkbp.exeC:\Windows\system32\Gfcjqkbp.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Hjiiemaj.exeC:\Windows\system32\Hjiiemaj.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Hhmioa32.exeC:\Windows\system32\Hhmioa32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Ildhcd32.exeC:\Windows\system32\Ildhcd32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Jaejfj32.exeC:\Windows\system32\Jaejfj32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Jpkgggnh.exeC:\Windows\system32\Jpkgggnh.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Jodmdboj.exeC:\Windows\system32\Jodmdboj.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Khonbhch.exeC:\Windows\system32\Khonbhch.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Ldpbmg32.exeC:\Windows\system32\Ldpbmg32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Lmppmi32.exeC:\Windows\system32\Lmppmi32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Mnhbep32.exeC:\Windows\system32\Mnhbep32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Mmolll32.exeC:\Windows\system32\Mmolll32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Npbbcgga.exeC:\Windows\system32\Npbbcgga.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Windows\SysWOW64\Nojljcjf.exeC:\Windows\system32\Nojljcjf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1268 -
C:\Windows\SysWOW64\Pnkhfnea.exeC:\Windows\system32\Pnkhfnea.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:916 -
C:\Windows\SysWOW64\Pefmkpbl.exeC:\Windows\system32\Pefmkpbl.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1232 -
C:\Windows\SysWOW64\Pockoeeg.exeC:\Windows\system32\Pockoeeg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:628 -
C:\Windows\SysWOW64\Qddmbkoi.exeC:\Windows\system32\Qddmbkoi.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1828 -
C:\Windows\SysWOW64\Aocgnh32.exeC:\Windows\system32\Aocgnh32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1164 -
C:\Windows\SysWOW64\Aoedch32.exeC:\Windows\system32\Aoedch32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:580 -
C:\Windows\SysWOW64\Afaieb32.exeC:\Windows\system32\Afaieb32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1084 -
C:\Windows\SysWOW64\Bbhikcpn.exeC:\Windows\system32\Bbhikcpn.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1584 -
C:\Windows\SysWOW64\Bjfkde32.exeC:\Windows\system32\Bjfkde32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Bmfdfpih.exeC:\Windows\system32\Bmfdfpih.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Cjmaed32.exeC:\Windows\system32\Cjmaed32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2472 -
C:\Windows\SysWOW64\Cekkaanh.exeC:\Windows\system32\Cekkaanh.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Cocpjf32.exeC:\Windows\system32\Cocpjf32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Dafeaapg.exeC:\Windows\system32\Dafeaapg.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Dmbpaa32.exeC:\Windows\system32\Dmbpaa32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2052 -
C:\Windows\SysWOW64\Elgmbnfn.exeC:\Windows\system32\Elgmbnfn.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Eebnqcjl.exeC:\Windows\system32\Eebnqcjl.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Edgkap32.exeC:\Windows\system32\Edgkap32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Epnkfq32.exeC:\Windows\system32\Epnkfq32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Fndhed32.exeC:\Windows\system32\Fndhed32.exe37⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Fqgnmo32.exeC:\Windows\system32\Fqgnmo32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1296 -
C:\Windows\SysWOW64\Fhbcaa32.exeC:\Windows\system32\Fhbcaa32.exe39⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Fiepga32.exeC:\Windows\system32\Fiepga32.exe40⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Gglimm32.exeC:\Windows\system32\Gglimm32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Gmlokdgp.exeC:\Windows\system32\Gmlokdgp.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Gmnkqcem.exeC:\Windows\system32\Gmnkqcem.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Hbomdjoo.exeC:\Windows\system32\Hbomdjoo.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Hmeaaboe.exeC:\Windows\system32\Hmeaaboe.exe45⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Hpejcnlf.exeC:\Windows\system32\Hpejcnlf.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:288 -
C:\Windows\SysWOW64\Ieepad32.exeC:\Windows\system32\Ieepad32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\Ihhehoci.exeC:\Windows\system32\Ihhehoci.exe48⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Ikinjj32.exeC:\Windows\system32\Ikinjj32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Ipefba32.exeC:\Windows\system32\Ipefba32.exe50⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Jphcgq32.exeC:\Windows\system32\Jphcgq32.exe51⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Jlodma32.exeC:\Windows\system32\Jlodma32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Jkdanngk.exeC:\Windows\system32\Jkdanngk.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Jhhagb32.exeC:\Windows\system32\Jhhagb32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Jhjnmb32.exeC:\Windows\system32\Jhjnmb32.exe55⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Khlkba32.exeC:\Windows\system32\Khlkba32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Knlpphnd.exeC:\Windows\system32\Knlpphnd.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Knnmeh32.exeC:\Windows\system32\Knnmeh32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2276 -
C:\Windows\SysWOW64\Klcjfdqi.exeC:\Windows\system32\Klcjfdqi.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Lhjjle32.exeC:\Windows\system32\Lhjjle32.exe60⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Lkkcmqcn.exeC:\Windows\system32\Lkkcmqcn.exe61⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Lkmpcpak.exeC:\Windows\system32\Lkmpcpak.exe62⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Ljbmdmfc.exeC:\Windows\system32\Ljbmdmfc.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Lnpejklj.exeC:\Windows\system32\Lnpejklj.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Mnbbpkjg.exeC:\Windows\system32\Mnbbpkjg.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1732 -
C:\Windows\SysWOW64\Mocogc32.exeC:\Windows\system32\Mocogc32.exe66⤵PID:688
-
C:\Windows\SysWOW64\Mbdhinmf.exeC:\Windows\system32\Mbdhinmf.exe67⤵
- Drops file in System32 directory
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Mfbqol32.exeC:\Windows\system32\Mfbqol32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1000 -
C:\Windows\SysWOW64\Mbiadm32.exeC:\Windows\system32\Mbiadm32.exe69⤵
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Nhjcgccc.exeC:\Windows\system32\Nhjcgccc.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2180 -
C:\Windows\SysWOW64\Ndadld32.exeC:\Windows\system32\Ndadld32.exe71⤵PID:1976
-
C:\Windows\SysWOW64\Niqijkel.exeC:\Windows\system32\Niqijkel.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Ndfmgdeb.exeC:\Windows\system32\Ndfmgdeb.exe73⤵PID:2672
-
C:\Windows\SysWOW64\Odhjmc32.exeC:\Windows\system32\Odhjmc32.exe74⤵PID:1696
-
C:\Windows\SysWOW64\Oigokj32.exeC:\Windows\system32\Oigokj32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2348 -
C:\Windows\SysWOW64\Oaeqeljm.exeC:\Windows\system32\Oaeqeljm.exe76⤵
- Drops file in System32 directory
PID:2332 -
C:\Windows\SysWOW64\Pgdfbb32.exeC:\Windows\system32\Pgdfbb32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1952 -
C:\Windows\SysWOW64\Pieodn32.exeC:\Windows\system32\Pieodn32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1676 -
C:\Windows\SysWOW64\Pigkjmap.exeC:\Windows\system32\Pigkjmap.exe79⤵
- Drops file in System32 directory
PID:1280 -
C:\Windows\SysWOW64\Pcbmhb32.exeC:\Windows\system32\Pcbmhb32.exe80⤵PID:3068
-
C:\Windows\SysWOW64\Qoimmc32.exeC:\Windows\system32\Qoimmc32.exe81⤵
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Qcgfcbbh.exeC:\Windows\system32\Qcgfcbbh.exe82⤵PID:2788
-
C:\Windows\SysWOW64\Ahcoli32.exeC:\Windows\system32\Ahcoli32.exe83⤵
- Drops file in System32 directory
- Modifies registry class
PID:912 -
C:\Windows\SysWOW64\Agikmeeg.exeC:\Windows\system32\Agikmeeg.exe84⤵
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Ahhhgh32.exeC:\Windows\system32\Ahhhgh32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1140 -
C:\Windows\SysWOW64\Aqcmkjje.exeC:\Windows\system32\Aqcmkjje.exe86⤵
- Modifies registry class
PID:344 -
C:\Windows\SysWOW64\Adaeai32.exeC:\Windows\system32\Adaeai32.exe87⤵
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Ammjekmg.exeC:\Windows\system32\Ammjekmg.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2744 -
C:\Windows\SysWOW64\Bjqjoolp.exeC:\Windows\system32\Bjqjoolp.exe89⤵PID:3060
-
C:\Windows\SysWOW64\Bmacqj32.exeC:\Windows\system32\Bmacqj32.exe90⤵PID:2612
-
C:\Windows\SysWOW64\Bfjhippb.exeC:\Windows\system32\Bfjhippb.exe91⤵PID:2296
-
C:\Windows\SysWOW64\Bijakkmc.exeC:\Windows\system32\Bijakkmc.exe92⤵PID:1244
-
C:\Windows\SysWOW64\Cnifia32.exeC:\Windows\system32\Cnifia32.exe93⤵
- Drops file in System32 directory
PID:1364 -
C:\Windows\SysWOW64\Cajokmfi.exeC:\Windows\system32\Cajokmfi.exe94⤵PID:2948
-
C:\Windows\SysWOW64\Cpolli32.exeC:\Windows\system32\Cpolli32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Cjgmoahd.exeC:\Windows\system32\Cjgmoahd.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Diljpn32.exeC:\Windows\system32\Diljpn32.exe97⤵PID:1352
-
C:\Windows\SysWOW64\Dpiobh32.exeC:\Windows\system32\Dpiobh32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2216 -
C:\Windows\SysWOW64\Dlblmh32.exeC:\Windows\system32\Dlblmh32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1748 -
C:\Windows\SysWOW64\Ddmaak32.exeC:\Windows\system32\Ddmaak32.exe100⤵PID:1648
-
C:\Windows\SysWOW64\Eaaajo32.exeC:\Windows\system32\Eaaajo32.exe101⤵PID:1820
-
C:\Windows\SysWOW64\Ecggmfde.exeC:\Windows\system32\Ecggmfde.exe102⤵PID:700
-
C:\Windows\SysWOW64\Epkhfkco.exeC:\Windows\system32\Epkhfkco.exe103⤵PID:2200
-
C:\Windows\SysWOW64\Fieiephm.exeC:\Windows\system32\Fieiephm.exe104⤵PID:2016
-
C:\Windows\SysWOW64\Fgpcgi32.exeC:\Windows\system32\Fgpcgi32.exe105⤵PID:2240
-
C:\Windows\SysWOW64\Fgbpmh32.exeC:\Windows\system32\Fgbpmh32.exe106⤵PID:2904
-
C:\Windows\SysWOW64\Fgelbhmg.exeC:\Windows\system32\Fgelbhmg.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1972 -
C:\Windows\SysWOW64\Gfjicd32.exeC:\Windows\system32\Gfjicd32.exe108⤵PID:2536
-
C:\Windows\SysWOW64\Gcpfbhof.exeC:\Windows\system32\Gcpfbhof.exe109⤵
- Drops file in System32 directory
PID:2944 -
C:\Windows\SysWOW64\Gcbchhmc.exeC:\Windows\system32\Gcbchhmc.exe110⤵PID:1836
-
C:\Windows\SysWOW64\Goidmibg.exeC:\Windows\system32\Goidmibg.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3020 -
C:\Windows\SysWOW64\Hkpdbj32.exeC:\Windows\system32\Hkpdbj32.exe112⤵
- Drops file in System32 directory
PID:2308 -
C:\Windows\SysWOW64\Hggegknp.exeC:\Windows\system32\Hggegknp.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1540 -
C:\Windows\SysWOW64\Hqojpqdp.exeC:\Windows\system32\Hqojpqdp.exe114⤵
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Hembfo32.exeC:\Windows\system32\Hembfo32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2028 -
C:\Windows\SysWOW64\Hadckp32.exeC:\Windows\system32\Hadckp32.exe116⤵
- Drops file in System32 directory
PID:1920 -
C:\Windows\SysWOW64\Ijodiedi.exeC:\Windows\system32\Ijodiedi.exe117⤵
- Drops file in System32 directory
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Ifhacfhj.exeC:\Windows\system32\Ifhacfhj.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Iihkea32.exeC:\Windows\system32\Iihkea32.exe119⤵
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Iikgkq32.exeC:\Windows\system32\Iikgkq32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1564 -
C:\Windows\SysWOW64\Jhpdlm32.exeC:\Windows\system32\Jhpdlm32.exe121⤵
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Jmoijc32.exeC:\Windows\system32\Jmoijc32.exe122⤵PID:2544