Analysis
-
max time kernel
94s -
max time network
103s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
07-07-2024 23:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6561141c81a99be0b5d94ff1eb7bc4a6e185c3e85774c1fe6a0e5aa620dea2cc.exe
Resource
win7-20240705-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
6561141c81a99be0b5d94ff1eb7bc4a6e185c3e85774c1fe6a0e5aa620dea2cc.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
6561141c81a99be0b5d94ff1eb7bc4a6e185c3e85774c1fe6a0e5aa620dea2cc.exe
-
Size
302KB
-
MD5
2d409e79d4d910b6f944dc2d784e5cca
-
SHA1
2ccc7cbf6f883d4e48f754d9d89b0c2c39097a40
-
SHA256
6561141c81a99be0b5d94ff1eb7bc4a6e185c3e85774c1fe6a0e5aa620dea2cc
-
SHA512
ecc62ced261aed00a1acf2ce5bf172c8b77afe1afa5f229c933bf57ab26bb4fd843131147447dee5049d84785ef43b91ee62bf0e782eefc222370cf74fb6fd3e
-
SSDEEP
6144:WCo2Ky4i1cL7GNlighD4lTjZXvEQo9dfEORRAgnIlY1:Wcsiiv8lXhuT9XvEhdfEmwlY1
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nmlddqem.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fihnomjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipbaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihmfco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcjjhdjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Llnnmhfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ljdceo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilnbicff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnplfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boeebnhp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lggldm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cacckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dkhgod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aojlaeei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lfgipd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lenicahg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pddhbipj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkbjjbda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmcain32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkibgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mcfbkpab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcnqpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bklomh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Najceeoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpbpbecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cmpjoloh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bedgjgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbhpch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmfcok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kolabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pblajhje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbpkkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hildmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qmhlgmmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nqmojd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hiiggoaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jhlgfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pibdmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcikgacl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmgejhgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Enkdaepb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgloefco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmoohe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fnlmhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Emmkiclm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfqlfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apodoq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfiildio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Anobgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mkhapk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oflmnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Licfngjd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pabblb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bokehc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gphgbafl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahokfag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nelfeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpmcmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nlhkgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Opclldhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hlglidlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aefjii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnlbojee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ifmqfm32.exe -
Executes dropped EXE 64 IoCs
pid Process 4912 Dfoplpla.exe 1700 Ddcqedkk.exe 3048 Eagaoh32.exe 2868 Eplnpeol.exe 3980 Efffmo32.exe 1016 Edjgfcec.exe 2268 Embkoi32.exe 392 Ejflhm32.exe 5068 Epcdqd32.exe 2392 Fmgejhgn.exe 2520 Fineoi32.exe 4104 Fgbfhmll.exe 3712 Fpjjac32.exe 3508 Fpmggb32.exe 4956 Fmqgpgoc.exe 4544 Ggilil32.exe 1756 Gaopfe32.exe 4108 Gdmmbq32.exe 4236 Gpcmga32.exe 3692 Gkiaej32.exe 3224 Ghmbno32.exe 936 Gphgbafl.exe 428 Giqkkf32.exe 2708 Hkpheidp.exe 636 Hhdhon32.exe 4776 Hammhcij.exe 1064 Hkeaqi32.exe 4004 Hhiajmod.exe 4484 Haafcb32.exe 3380 Hpfcdojl.exe 5008 Iklgah32.exe 3576 Iddljmpc.exe 1844 Ijadbdoj.exe 2940 Ihbdplfi.exe 3916 Inomhbeq.exe 712 Idieem32.exe 1224 Ikcmbfcj.exe 2744 Ibmeoq32.exe 2100 Ikejgf32.exe 4500 Jdnoplhh.exe 4632 Jkhgmf32.exe 3480 Jqdoem32.exe 2188 Jhlgfj32.exe 3096 Jqglkmlj.exe 1276 Jdbhkk32.exe 1688 Jnkldqkc.exe 4892 Jhpqaiji.exe 1376 Jjamia32.exe 920 Jdgafjpn.exe 3432 Jibmgi32.exe 4896 Kdinljnk.exe 2804 Kkcfid32.exe 2904 Kiggbhda.exe 1848 Kkfcndce.exe 2836 Kbpkkn32.exe 2636 Kijchhbo.exe 3716 Knflpoqf.exe 4904 Keqdmihc.exe 3552 Kniieo32.exe 1228 Kecabifp.exe 4524 Lbgalmej.exe 2704 Liqihglg.exe 5088 Lalnmiia.exe 508 Licfngjd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fmgejhgn.exe Epcdqd32.exe File opened for modification C:\Windows\SysWOW64\Ikejgf32.exe Ibmeoq32.exe File created C:\Windows\SysWOW64\Bohbhmfm.exe Badanigc.exe File opened for modification C:\Windows\SysWOW64\Dfiildio.exe Dnbakghm.exe File opened for modification C:\Windows\SysWOW64\Ocnabm32.exe Omdieb32.exe File opened for modification C:\Windows\SysWOW64\Eppjfgcp.exe Eifaim32.exe File opened for modification C:\Windows\SysWOW64\Iibccgep.exe Igdgglfl.exe File opened for modification C:\Windows\SysWOW64\Jgmjmjnb.exe Jmeede32.exe File created C:\Windows\SysWOW64\Mgmodn32.dll Bkgeainn.exe File created C:\Windows\SysWOW64\Dkedonpo.exe Dcnlnaom.exe File created C:\Windows\SysWOW64\Eaecci32.dll Egpnooan.exe File created C:\Windows\SysWOW64\Egfdnejf.dll Jqglkmlj.exe File opened for modification C:\Windows\SysWOW64\Jnjejjgh.exe Jgpmmp32.exe File created C:\Windows\SysWOW64\Bnoknihb.exe Blnoga32.exe File created C:\Windows\SysWOW64\Loacdc32.exe Lhgkgijg.exe File opened for modification C:\Windows\SysWOW64\Iljpij32.exe Hildmn32.exe File created C:\Windows\SysWOW64\Dijbno32.exe Dbpjaeoc.exe File created C:\Windows\SysWOW64\Phonha32.exe Paeelgnj.exe File created C:\Windows\SysWOW64\Jimldogg.exe Jafdcbge.exe File created C:\Windows\SysWOW64\Mpnmig32.dll Jafdcbge.exe File created C:\Windows\SysWOW64\Cdolgfbp.exe Ciihjmcj.exe File created C:\Windows\SysWOW64\Fcekfnkb.exe Fqfojblo.exe File created C:\Windows\SysWOW64\Laniklje.dll 6561141c81a99be0b5d94ff1eb7bc4a6e185c3e85774c1fe6a0e5aa620dea2cc.exe File created C:\Windows\SysWOW64\Nobkpkdh.dll Dmcain32.exe File opened for modification C:\Windows\SysWOW64\Enfckp32.exe Dkhgod32.exe File created C:\Windows\SysWOW64\Cnggkf32.dll Enmjlojd.exe File created C:\Windows\SysWOW64\Daeifj32.exe Dkkaiphj.exe File created C:\Windows\SysWOW64\Bcinna32.exe Bkafmd32.exe File created C:\Windows\SysWOW64\Hmokmkpo.dll Kkeldnpi.exe File created C:\Windows\SysWOW64\Qipkmbib.dll Ibmeoq32.exe File opened for modification C:\Windows\SysWOW64\Jqglkmlj.exe Jhlgfj32.exe File created C:\Windows\SysWOW64\Ddhmmpnk.dll Mhfppabl.exe File created C:\Windows\SysWOW64\Glengm32.exe Gigaka32.exe File created C:\Windows\SysWOW64\Qjpnpd32.dll Jnjejjgh.exe File created C:\Windows\SysWOW64\Kngkqbgl.exe Kcbfcigf.exe File created C:\Windows\SysWOW64\Pmnbfhal.exe Pjpfjl32.exe File opened for modification C:\Windows\SysWOW64\Jhlgfj32.exe Jqdoem32.exe File created C:\Windows\SysWOW64\Nlfndjhh.dll Gkkgpc32.exe File created C:\Windows\SysWOW64\Plopnh32.dll Ojigdcll.exe File opened for modification C:\Windows\SysWOW64\Edjgfcec.exe Efffmo32.exe File opened for modification C:\Windows\SysWOW64\Jibmgi32.exe Jdgafjpn.exe File created C:\Windows\SysWOW64\Licfngjd.exe Lalnmiia.exe File opened for modification C:\Windows\SysWOW64\Bokehc32.exe Bmlilh32.exe File created C:\Windows\SysWOW64\Qjalckog.dll Qmhlgmmm.exe File created C:\Windows\SysWOW64\Gflonn32.dll Ofjqihnn.exe File created C:\Windows\SysWOW64\Ggfglb32.exe Gnnccl32.exe File opened for modification C:\Windows\SysWOW64\Ljdceo32.exe Licfngjd.exe File created C:\Windows\SysWOW64\Dqboip32.dll Bokehc32.exe File created C:\Windows\SysWOW64\Kkeldnpi.exe Kmdlffhj.exe File created C:\Windows\SysWOW64\Lpcncmnn.dll Iedjmioj.exe File created C:\Windows\SysWOW64\Hmkqgckn.dll Lgpoihnl.exe File created C:\Windows\SysWOW64\Aknbkjfh.exe Ahofoogd.exe File created C:\Windows\SysWOW64\Fqbliicp.exe Fkfcqb32.exe File created C:\Windows\SysWOW64\Ahkdgl32.dll Dkedonpo.exe File created C:\Windows\SysWOW64\Gpojkp32.dll Bgelgi32.exe File opened for modification C:\Windows\SysWOW64\Gdmmbq32.exe Gaopfe32.exe File created C:\Windows\SysWOW64\Haafcb32.exe Hhiajmod.exe File created C:\Windows\SysWOW64\Lhhmmcaa.dll Cmcolgbj.exe File created C:\Windows\SysWOW64\Akccap32.exe Ahdged32.exe File created C:\Windows\SysWOW64\Qdhogopn.dll Badanigc.exe File opened for modification C:\Windows\SysWOW64\Eifaim32.exe Enpmld32.exe File created C:\Windows\SysWOW64\Kfnfjehl.exe Kcpjnjii.exe File created C:\Windows\SysWOW64\Nobdbkhf.exe Mblcnj32.exe File opened for modification C:\Windows\SysWOW64\Phajna32.exe Pagbaglh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5856 5916 WerFault.exe 931 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dflmlj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eiieicml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnifpf32.dll" Mcelpggq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nmfcok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ajohfcpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Podbibma.dll" Bjfogbjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hildmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhghaf32.dll" Omegjomb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qmhlgmmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Klcekpdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mfchlbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpehef32.dll" Hlkfbocp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binnimfj.dll" Dpphjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fbbpmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fjjjgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmgil32.dll" Ppdbgncl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pkogiikb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Flinkojm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pfoann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbdjofbi.dll" Pagbaglh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ckjknfnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnebjidl.dll" Lpepbgbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mkmkkjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kapfiqoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ccmcgcmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fmgejhgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Minqeaad.dll" Llmhaold.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hpkknmgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iponmakp.dll" Bmladm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhielqhi.dll" Jibmgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjfof32.dll" Haaaaeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jqglkmlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hoclopne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eaceghcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Keqdmihc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpifba32.dll" Plpqil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eklajcmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gndick32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Haodle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kpqggh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dalofi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fcekfnkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kkfcndce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibgpcd32.dll" Lbgalmej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfmcjlk.dll" Pfoann32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ppahmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dcffnbee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dkpjdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eqlfhjig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lqkgbcff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Adkgje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cnindhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egljbmnm.dll" Dnbakghm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gpgind32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Joahqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Opnbae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajefoog.dll" Padnaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opeemh32.dll" Eplnpeol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oifdaage.dll" Mblcnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ijcjmmil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jcikgacl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lenicahg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfidbo32.dll" Iomoenej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ampaho32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2160 wrote to memory of 4912 2160 6561141c81a99be0b5d94ff1eb7bc4a6e185c3e85774c1fe6a0e5aa620dea2cc.exe 82 PID 2160 wrote to memory of 4912 2160 6561141c81a99be0b5d94ff1eb7bc4a6e185c3e85774c1fe6a0e5aa620dea2cc.exe 82 PID 2160 wrote to memory of 4912 2160 6561141c81a99be0b5d94ff1eb7bc4a6e185c3e85774c1fe6a0e5aa620dea2cc.exe 82 PID 4912 wrote to memory of 1700 4912 Dfoplpla.exe 83 PID 4912 wrote to memory of 1700 4912 Dfoplpla.exe 83 PID 4912 wrote to memory of 1700 4912 Dfoplpla.exe 83 PID 1700 wrote to memory of 3048 1700 Ddcqedkk.exe 84 PID 1700 wrote to memory of 3048 1700 Ddcqedkk.exe 84 PID 1700 wrote to memory of 3048 1700 Ddcqedkk.exe 84 PID 3048 wrote to memory of 2868 3048 Eagaoh32.exe 86 PID 3048 wrote to memory of 2868 3048 Eagaoh32.exe 86 PID 3048 wrote to memory of 2868 3048 Eagaoh32.exe 86 PID 2868 wrote to memory of 3980 2868 Eplnpeol.exe 87 PID 2868 wrote to memory of 3980 2868 Eplnpeol.exe 87 PID 2868 wrote to memory of 3980 2868 Eplnpeol.exe 87 PID 3980 wrote to memory of 1016 3980 Efffmo32.exe 89 PID 3980 wrote to memory of 1016 3980 Efffmo32.exe 89 PID 3980 wrote to memory of 1016 3980 Efffmo32.exe 89 PID 1016 wrote to memory of 2268 1016 Edjgfcec.exe 90 PID 1016 wrote to memory of 2268 1016 Edjgfcec.exe 90 PID 1016 wrote to memory of 2268 1016 Edjgfcec.exe 90 PID 2268 wrote to memory of 392 2268 Embkoi32.exe 91 PID 2268 wrote to memory of 392 2268 Embkoi32.exe 91 PID 2268 wrote to memory of 392 2268 Embkoi32.exe 91 PID 392 wrote to memory of 5068 392 Ejflhm32.exe 92 PID 392 wrote to memory of 5068 392 Ejflhm32.exe 92 PID 392 wrote to memory of 5068 392 Ejflhm32.exe 92 PID 5068 wrote to memory of 2392 5068 Epcdqd32.exe 93 PID 5068 wrote to memory of 2392 5068 Epcdqd32.exe 93 PID 5068 wrote to memory of 2392 5068 Epcdqd32.exe 93 PID 2392 wrote to memory of 2520 2392 Fmgejhgn.exe 94 PID 2392 wrote to memory of 2520 2392 Fmgejhgn.exe 94 PID 2392 wrote to memory of 2520 2392 Fmgejhgn.exe 94 PID 2520 wrote to memory of 4104 2520 Fineoi32.exe 96 PID 2520 wrote to memory of 4104 2520 Fineoi32.exe 96 PID 2520 wrote to memory of 4104 2520 Fineoi32.exe 96 PID 4104 wrote to memory of 3712 4104 Fgbfhmll.exe 97 PID 4104 wrote to memory of 3712 4104 Fgbfhmll.exe 97 PID 4104 wrote to memory of 3712 4104 Fgbfhmll.exe 97 PID 3712 wrote to memory of 3508 3712 Fpjjac32.exe 98 PID 3712 wrote to memory of 3508 3712 Fpjjac32.exe 98 PID 3712 wrote to memory of 3508 3712 Fpjjac32.exe 98 PID 3508 wrote to memory of 4956 3508 Fpmggb32.exe 99 PID 3508 wrote to memory of 4956 3508 Fpmggb32.exe 99 PID 3508 wrote to memory of 4956 3508 Fpmggb32.exe 99 PID 4956 wrote to memory of 4544 4956 Fmqgpgoc.exe 100 PID 4956 wrote to memory of 4544 4956 Fmqgpgoc.exe 100 PID 4956 wrote to memory of 4544 4956 Fmqgpgoc.exe 100 PID 4544 wrote to memory of 1756 4544 Ggilil32.exe 101 PID 4544 wrote to memory of 1756 4544 Ggilil32.exe 101 PID 4544 wrote to memory of 1756 4544 Ggilil32.exe 101 PID 1756 wrote to memory of 4108 1756 Gaopfe32.exe 102 PID 1756 wrote to memory of 4108 1756 Gaopfe32.exe 102 PID 1756 wrote to memory of 4108 1756 Gaopfe32.exe 102 PID 4108 wrote to memory of 4236 4108 Gdmmbq32.exe 103 PID 4108 wrote to memory of 4236 4108 Gdmmbq32.exe 103 PID 4108 wrote to memory of 4236 4108 Gdmmbq32.exe 103 PID 4236 wrote to memory of 3692 4236 Gpcmga32.exe 104 PID 4236 wrote to memory of 3692 4236 Gpcmga32.exe 104 PID 4236 wrote to memory of 3692 4236 Gpcmga32.exe 104 PID 3692 wrote to memory of 3224 3692 Gkiaej32.exe 105 PID 3692 wrote to memory of 3224 3692 Gkiaej32.exe 105 PID 3692 wrote to memory of 3224 3692 Gkiaej32.exe 105 PID 3224 wrote to memory of 936 3224 Ghmbno32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\6561141c81a99be0b5d94ff1eb7bc4a6e185c3e85774c1fe6a0e5aa620dea2cc.exe"C:\Users\Admin\AppData\Local\Temp\6561141c81a99be0b5d94ff1eb7bc4a6e185c3e85774c1fe6a0e5aa620dea2cc.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Dfoplpla.exeC:\Windows\system32\Dfoplpla.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\SysWOW64\Ddcqedkk.exeC:\Windows\system32\Ddcqedkk.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Eagaoh32.exeC:\Windows\system32\Eagaoh32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Eplnpeol.exeC:\Windows\system32\Eplnpeol.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Efffmo32.exeC:\Windows\system32\Efffmo32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Windows\SysWOW64\Edjgfcec.exeC:\Windows\system32\Edjgfcec.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\Embkoi32.exeC:\Windows\system32\Embkoi32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Ejflhm32.exeC:\Windows\system32\Ejflhm32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\SysWOW64\Epcdqd32.exeC:\Windows\system32\Epcdqd32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\SysWOW64\Fmgejhgn.exeC:\Windows\system32\Fmgejhgn.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Fineoi32.exeC:\Windows\system32\Fineoi32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Fgbfhmll.exeC:\Windows\system32\Fgbfhmll.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Windows\SysWOW64\Fpjjac32.exeC:\Windows\system32\Fpjjac32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\Windows\SysWOW64\Fpmggb32.exeC:\Windows\system32\Fpmggb32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Windows\SysWOW64\Fmqgpgoc.exeC:\Windows\system32\Fmqgpgoc.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\SysWOW64\Ggilil32.exeC:\Windows\system32\Ggilil32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\SysWOW64\Gaopfe32.exeC:\Windows\system32\Gaopfe32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Gdmmbq32.exeC:\Windows\system32\Gdmmbq32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Windows\SysWOW64\Gpcmga32.exeC:\Windows\system32\Gpcmga32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4236 -
C:\Windows\SysWOW64\Gkiaej32.exeC:\Windows\system32\Gkiaej32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Windows\SysWOW64\Ghmbno32.exeC:\Windows\system32\Ghmbno32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Windows\SysWOW64\Gphgbafl.exeC:\Windows\system32\Gphgbafl.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Giqkkf32.exeC:\Windows\system32\Giqkkf32.exe24⤵
- Executes dropped EXE
PID:428 -
C:\Windows\SysWOW64\Hkpheidp.exeC:\Windows\system32\Hkpheidp.exe25⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Hhdhon32.exeC:\Windows\system32\Hhdhon32.exe26⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe27⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Hkeaqi32.exeC:\Windows\system32\Hkeaqi32.exe28⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Hhiajmod.exeC:\Windows\system32\Hhiajmod.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4004 -
C:\Windows\SysWOW64\Haafcb32.exeC:\Windows\system32\Haafcb32.exe30⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Hpfcdojl.exeC:\Windows\system32\Hpfcdojl.exe31⤵
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Iklgah32.exeC:\Windows\system32\Iklgah32.exe32⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Iddljmpc.exeC:\Windows\system32\Iddljmpc.exe33⤵
- Executes dropped EXE
PID:3576 -
C:\Windows\SysWOW64\Ijadbdoj.exeC:\Windows\system32\Ijadbdoj.exe34⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Iqklon32.exeC:\Windows\system32\Iqklon32.exe35⤵PID:2304
-
C:\Windows\SysWOW64\Ihbdplfi.exeC:\Windows\system32\Ihbdplfi.exe36⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Inomhbeq.exeC:\Windows\system32\Inomhbeq.exe37⤵
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\Idieem32.exeC:\Windows\system32\Idieem32.exe38⤵
- Executes dropped EXE
PID:712 -
C:\Windows\SysWOW64\Ikcmbfcj.exeC:\Windows\system32\Ikcmbfcj.exe39⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Ibmeoq32.exeC:\Windows\system32\Ibmeoq32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2744 -
C:\Windows\SysWOW64\Ikejgf32.exeC:\Windows\system32\Ikejgf32.exe41⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Jdnoplhh.exeC:\Windows\system32\Jdnoplhh.exe42⤵
- Executes dropped EXE
PID:4500 -
C:\Windows\SysWOW64\Jkhgmf32.exeC:\Windows\system32\Jkhgmf32.exe43⤵
- Executes dropped EXE
PID:4632 -
C:\Windows\SysWOW64\Jqdoem32.exeC:\Windows\system32\Jqdoem32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3480 -
C:\Windows\SysWOW64\Jhlgfj32.exeC:\Windows\system32\Jhlgfj32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2188 -
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3096 -
C:\Windows\SysWOW64\Jdbhkk32.exeC:\Windows\system32\Jdbhkk32.exe47⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Jnkldqkc.exeC:\Windows\system32\Jnkldqkc.exe48⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe49⤵
- Executes dropped EXE
PID:4892 -
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe50⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Jdgafjpn.exeC:\Windows\system32\Jdgafjpn.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:920 -
C:\Windows\SysWOW64\Jibmgi32.exeC:\Windows\system32\Jibmgi32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:3432 -
C:\Windows\SysWOW64\Kdinljnk.exeC:\Windows\system32\Kdinljnk.exe53⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Kkcfid32.exeC:\Windows\system32\Kkcfid32.exe54⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Kiggbhda.exeC:\Windows\system32\Kiggbhda.exe55⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Kkfcndce.exeC:\Windows\system32\Kkfcndce.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1848 -
C:\Windows\SysWOW64\Kbpkkn32.exeC:\Windows\system32\Kbpkkn32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Kijchhbo.exeC:\Windows\system32\Kijchhbo.exe58⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Knflpoqf.exeC:\Windows\system32\Knflpoqf.exe59⤵
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:4904 -
C:\Windows\SysWOW64\Kniieo32.exeC:\Windows\system32\Kniieo32.exe61⤵
- Executes dropped EXE
PID:3552 -
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe62⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Lbgalmej.exeC:\Windows\system32\Lbgalmej.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:4524 -
C:\Windows\SysWOW64\Liqihglg.exeC:\Windows\system32\Liqihglg.exe64⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5088 -
C:\Windows\SysWOW64\Licfngjd.exeC:\Windows\system32\Licfngjd.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:508 -
C:\Windows\SysWOW64\Ljdceo32.exeC:\Windows\system32\Ljdceo32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:624 -
C:\Windows\SysWOW64\Lieccf32.exeC:\Windows\system32\Lieccf32.exe68⤵PID:1884
-
C:\Windows\SysWOW64\Ljgpkonp.exeC:\Windows\system32\Ljgpkonp.exe69⤵PID:4312
-
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe70⤵PID:1388
-
C:\Windows\SysWOW64\Llflea32.exeC:\Windows\system32\Llflea32.exe71⤵PID:4416
-
C:\Windows\SysWOW64\Lbpdblmo.exeC:\Windows\system32\Lbpdblmo.exe72⤵PID:3232
-
C:\Windows\SysWOW64\Lijlof32.exeC:\Windows\system32\Lijlof32.exe73⤵PID:2448
-
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe74⤵PID:1020
-
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe75⤵PID:2952
-
C:\Windows\SysWOW64\Mjneln32.exeC:\Windows\system32\Mjneln32.exe76⤵PID:2132
-
C:\Windows\SysWOW64\Mbgjbkfg.exeC:\Windows\system32\Mbgjbkfg.exe77⤵PID:1144
-
C:\Windows\SysWOW64\Miaboe32.exeC:\Windows\system32\Miaboe32.exe78⤵PID:5080
-
C:\Windows\SysWOW64\Mnnkgl32.exeC:\Windows\system32\Mnnkgl32.exe79⤵PID:1868
-
C:\Windows\SysWOW64\Mehcdfch.exeC:\Windows\system32\Mehcdfch.exe80⤵PID:4204
-
C:\Windows\SysWOW64\Mhfppabl.exeC:\Windows\system32\Mhfppabl.exe81⤵
- Drops file in System32 directory
PID:4256 -
C:\Windows\SysWOW64\Mblcnj32.exeC:\Windows\system32\Mblcnj32.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:3276 -
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe83⤵PID:2396
-
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe84⤵PID:1400
-
C:\Windows\SysWOW64\Neoieenp.exeC:\Windows\system32\Neoieenp.exe85⤵PID:4840
-
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe86⤵PID:4588
-
C:\Windows\SysWOW64\Nknobkje.exeC:\Windows\system32\Nknobkje.exe87⤵PID:4784
-
C:\Windows\SysWOW64\Nbefdijg.exeC:\Windows\system32\Nbefdijg.exe88⤵PID:1052
-
C:\Windows\SysWOW64\Nlnkmnah.exeC:\Windows\system32\Nlnkmnah.exe89⤵PID:3944
-
C:\Windows\SysWOW64\Najceeoo.exeC:\Windows\system32\Najceeoo.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2156 -
C:\Windows\SysWOW64\Niakfbpa.exeC:\Windows\system32\Niakfbpa.exe91⤵PID:4576
-
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe92⤵PID:1504
-
C:\Windows\SysWOW64\Oampjeml.exeC:\Windows\system32\Oampjeml.exe93⤵PID:776
-
C:\Windows\SysWOW64\Okedcjcm.exeC:\Windows\system32\Okedcjcm.exe94⤵PID:4288
-
C:\Windows\SysWOW64\Oekiqccc.exeC:\Windows\system32\Oekiqccc.exe95⤵PID:884
-
C:\Windows\SysWOW64\Okgaijaj.exeC:\Windows\system32\Okgaijaj.exe96⤵PID:3656
-
C:\Windows\SysWOW64\Ohkbbn32.exeC:\Windows\system32\Ohkbbn32.exe97⤵PID:4816
-
C:\Windows\SysWOW64\Okjnnj32.exeC:\Windows\system32\Okjnnj32.exe98⤵PID:4472
-
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe99⤵PID:32
-
C:\Windows\SysWOW64\Olijhmgj.exeC:\Windows\system32\Olijhmgj.exe100⤵PID:2540
-
C:\Windows\SysWOW64\Oohgdhfn.exeC:\Windows\system32\Oohgdhfn.exe101⤵PID:3800
-
C:\Windows\SysWOW64\Ohpkmn32.exeC:\Windows\system32\Ohpkmn32.exe102⤵PID:3928
-
C:\Windows\SysWOW64\Pkogiikb.exeC:\Windows\system32\Pkogiikb.exe103⤵
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Pcepkfld.exeC:\Windows\system32\Pcepkfld.exe104⤵PID:2440
-
C:\Windows\SysWOW64\Piphgq32.exeC:\Windows\system32\Piphgq32.exe105⤵PID:3892
-
C:\Windows\SysWOW64\Polppg32.exeC:\Windows\system32\Polppg32.exe106⤵PID:3640
-
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe107⤵PID:3824
-
C:\Windows\SysWOW64\Pibdmp32.exeC:\Windows\system32\Pibdmp32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4160 -
C:\Windows\SysWOW64\Plpqil32.exeC:\Windows\system32\Plpqil32.exe109⤵
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Pamiaboj.exeC:\Windows\system32\Pamiaboj.exe110⤵PID:4752
-
C:\Windows\SysWOW64\Phganm32.exeC:\Windows\system32\Phganm32.exe111⤵PID:5148
-
C:\Windows\SysWOW64\Poajkgnc.exeC:\Windows\system32\Poajkgnc.exe112⤵PID:5192
-
C:\Windows\SysWOW64\Pekbga32.exeC:\Windows\system32\Pekbga32.exe113⤵PID:5236
-
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe114⤵PID:5280
-
C:\Windows\SysWOW64\Pabblb32.exeC:\Windows\system32\Pabblb32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5324 -
C:\Windows\SysWOW64\Piijno32.exeC:\Windows\system32\Piijno32.exe116⤵PID:5368
-
C:\Windows\SysWOW64\Qlggjk32.exeC:\Windows\system32\Qlggjk32.exe117⤵PID:5412
-
C:\Windows\SysWOW64\Qofcff32.exeC:\Windows\system32\Qofcff32.exe118⤵PID:5456
-
C:\Windows\SysWOW64\Qadoba32.exeC:\Windows\system32\Qadoba32.exe119⤵PID:5500
-
C:\Windows\SysWOW64\Qikgco32.exeC:\Windows\system32\Qikgco32.exe120⤵PID:5544
-
C:\Windows\SysWOW64\Qcclld32.exeC:\Windows\system32\Qcclld32.exe121⤵PID:5588
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-