Analysis
-
max time kernel
95s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
09/07/2024, 20:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
33a00ac6e9aef6b88ce6ea30161747407801e8b8ce6927dfd09486d6f4c4958d.exe
Resource
win7-20240704-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
33a00ac6e9aef6b88ce6ea30161747407801e8b8ce6927dfd09486d6f4c4958d.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
33a00ac6e9aef6b88ce6ea30161747407801e8b8ce6927dfd09486d6f4c4958d.exe
-
Size
207KB
-
MD5
0f5b1ff19c31ec53f6abb2c9e91dca4e
-
SHA1
64d30db06bf2c80977ef1ed5a59bb17b22177816
-
SHA256
33a00ac6e9aef6b88ce6ea30161747407801e8b8ce6927dfd09486d6f4c4958d
-
SHA512
fe8972725d3587ffa0defbfb06bbae008cfd5fc78065b8021eeeaabe65ad3a5c47d1cb91616517e4d658c90bc4cd34609746a226d2335fd6f8518d4e389ecf8f
-
SSDEEP
6144:s4s7SpFGGkJY21QVjj+VPj92d62ASOwj:qwguPpIPj92aSOc
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaenbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgeenfog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdmmbq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnnkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pagbaglh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ookoaokf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eciplm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikdcmpnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmflbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpfmlghd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fagjfflb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdmein32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdpbon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbiado32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibnligoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hifcgion.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnkfmm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hejqldci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bboffejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbiado32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfoann32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgnbdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pplobcpp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpjjmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Laqhhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkgiimng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpnfge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fganqbgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fiqjke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Geanfelc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leoghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Modgdicm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnmmboed.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajjjocap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjcmebie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnnccl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbfldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jniood32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omdieb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flinkojm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aonhghjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bphqji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qiiflaoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afghneoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgnffj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcaofebg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdmoohbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eleepoob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfcnpn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Modpib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekkkoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcbohigp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npgmpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abjmkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkgnfhnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iibccgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Paeelgnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gipdap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhmqdemc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dndnpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnjqmpgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpcmga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cihclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qfbobf32.exe -
Executes dropped EXE 64 IoCs
pid Process 1484 Hdnldd32.exe 3472 Hocqam32.exe 4580 Hninbj32.exe 2432 Hhnbpb32.exe 4072 Iohjlmeg.exe 4652 Ifbbig32.exe 2412 Iickkbje.exe 2268 Idjlpc32.exe 3780 Ibnligoc.exe 4376 Igjeanmj.exe 1944 Jngjch32.exe 2684 Joffnk32.exe 2756 Jkmgblok.exe 1320 Jeekkafl.exe 3748 Jnnpdg32.exe 1636 Jfgdkd32.exe 228 Kgknhl32.exe 1956 Khmknk32.exe 1788 Klkcdj32.exe 4712 Lhdqnj32.exe 2068 Lpneegel.exe 988 Lppbkgcj.exe 1948 Llgcph32.exe 3972 Leoghn32.exe 5080 Mimpolee.exe 4168 Medqcmki.exe 4624 Mefmimif.exe 3608 Mehjol32.exe 1624 Mblkhq32.exe 1968 Mockmala.exe 2992 Nlglfe32.exe 4112 Nlihle32.exe 3500 Nhpiafnm.exe 1704 Npgabc32.exe 4704 Nomncpcg.exe 1760 Ngdfdmdi.exe 2780 Nlqomd32.exe 3096 Ooagno32.exe 4200 Olehhc32.exe 540 Oocddono.exe 1844 Olgemcli.exe 4724 Oepifi32.exe 1252 Opemca32.exe 2524 Ollnhb32.exe 4468 Pedbahod.exe 3356 Pjbkgfej.exe 3612 Ppmcdq32.exe 2332 Pgflqkdd.exe 4100 Pcmlfl32.exe 3872 Pleaoa32.exe 1516 Pjjahe32.exe 3624 Qgnbaj32.exe 4184 Qjlnnemp.exe 2308 Qcdbfk32.exe 2648 Qfbobf32.exe 1688 Acgolj32.exe 3140 Amodep32.exe 1400 Afghneoo.exe 3372 Aggegh32.exe 5028 Aihaoqlp.exe 1296 Ajhniccb.exe 4576 Aodfajaj.exe 4872 Ajjjocap.exe 4600 Bcbohigp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Gmfplibd.exe Gmdcfidg.exe File created C:\Windows\SysWOW64\Lielhgaa.dll Aonhghjl.exe File created C:\Windows\SysWOW64\Emkcbcna.dll Qbonoghb.exe File opened for modification C:\Windows\SysWOW64\Cippgm32.exe Cmipblaq.exe File opened for modification C:\Windows\SysWOW64\Hgiepjga.exe Hdkidohn.exe File created C:\Windows\SysWOW64\Nhbolp32.exe Nahgoe32.exe File created C:\Windows\SysWOW64\Hjaqmkhl.dll Jemfhacc.exe File opened for modification C:\Windows\SysWOW64\Ocdnln32.exe Nfqnbjfi.exe File created C:\Windows\SysWOW64\Dqiieebk.dll Klkcdj32.exe File created C:\Windows\SysWOW64\Bcdkfq32.dll Eaqdegaj.exe File created C:\Windows\SysWOW64\Bbdhiojo.exe Blhpqhlh.exe File created C:\Windows\SysWOW64\Hpcodihc.exe Hiiggoaf.exe File created C:\Windows\SysWOW64\Fimgpahk.dll Ddgplado.exe File created C:\Windows\SysWOW64\Oblhcj32.exe Oqklkbbi.exe File created C:\Windows\SysWOW64\Lglfodah.dll Mimpolee.exe File created C:\Windows\SysWOW64\Cioilg32.exe Cfqmpl32.exe File opened for modification C:\Windows\SysWOW64\Gipdap32.exe Gbfldf32.exe File created C:\Windows\SysWOW64\Dokmlmhl.dll Hienlpel.exe File created C:\Windows\SysWOW64\Ekaapi32.exe Efeihb32.exe File opened for modification C:\Windows\SysWOW64\Njmqnobn.exe Npgmpf32.exe File created C:\Windows\SysWOW64\Pfoann32.exe Omgmeigd.exe File opened for modification C:\Windows\SysWOW64\Nlihle32.exe Nlglfe32.exe File opened for modification C:\Windows\SysWOW64\Dndnpf32.exe Digehphc.exe File opened for modification C:\Windows\SysWOW64\Iinjhh32.exe Iohejo32.exe File created C:\Windows\SysWOW64\Ilqoobdd.exe Iibccgep.exe File created C:\Windows\SysWOW64\Hmhloljn.dll Hhnbpb32.exe File created C:\Windows\SysWOW64\Oonnoglh.dll Lnldla32.exe File created C:\Windows\SysWOW64\Gabfbmnl.dll Mcelpggq.exe File created C:\Windows\SysWOW64\Npgqep32.dll Egkddo32.exe File created C:\Windows\SysWOW64\Lbekag32.dll Bbdhiojo.exe File opened for modification C:\Windows\SysWOW64\Popbpqjh.exe Plbfdekd.exe File opened for modification C:\Windows\SysWOW64\Gaebef32.exe Glhimp32.exe File created C:\Windows\SysWOW64\Mmmncpmp.dll Iahgad32.exe File opened for modification C:\Windows\SysWOW64\Ofegni32.exe Ookoaokf.exe File created C:\Windows\SysWOW64\Lncmdghm.dll Cpcpfg32.exe File created C:\Windows\SysWOW64\Iophkojl.dll Kmaopfjm.exe File opened for modification C:\Windows\SysWOW64\Ikdcmpnl.exe Idkkpf32.exe File created C:\Windows\SysWOW64\Ofhknodl.exe Ocjoadei.exe File opened for modification C:\Windows\SysWOW64\Ooagno32.exe Nlqomd32.exe File opened for modification C:\Windows\SysWOW64\Boldhf32.exe Bpkdjofm.exe File created C:\Windows\SysWOW64\Efcagd32.dll Mjdebfnd.exe File created C:\Windows\SysWOW64\Mnjqmpgg.exe Mcelpggq.exe File created C:\Windows\SysWOW64\Klekfinp.exe Koajmepf.exe File created C:\Windows\SysWOW64\Ajohfcpj.exe Adepji32.exe File created C:\Windows\SysWOW64\Akoqpg32.exe Qebhhp32.exe File opened for modification C:\Windows\SysWOW64\Gojiiafp.exe Geaepk32.exe File created C:\Windows\SysWOW64\Hgiepjga.exe Hdkidohn.exe File created C:\Windows\SysWOW64\Ohfaap32.dll Ohghgodi.exe File created C:\Windows\SysWOW64\Knhakh32.exe Kdpmbc32.exe File created C:\Windows\SysWOW64\Aaohcj32.exe Albpkc32.exe File opened for modification C:\Windows\SysWOW64\Bbaclegm.exe Bapgdm32.exe File created C:\Windows\SysWOW64\Kaedkn32.dll Lndham32.exe File created C:\Windows\SysWOW64\Ghhhcomg.exe Gdmmbq32.exe File created C:\Windows\SysWOW64\Cpdfhgmd.dll Mcjmel32.exe File created C:\Windows\SysWOW64\Mcelpggq.exe Mjlhgaqp.exe File opened for modification C:\Windows\SysWOW64\Jeekkafl.exe Jkmgblok.exe File opened for modification C:\Windows\SysWOW64\Cbdjeg32.exe Clgbmp32.exe File created C:\Windows\SysWOW64\Hmpcbhji.exe Hbjoeojc.exe File created C:\Windows\SysWOW64\Kgflcifg.exe Kpmdfonj.exe File created C:\Windows\SysWOW64\Gnobcjlg.dll Gkaclqkk.exe File opened for modification C:\Windows\SysWOW64\Innfnl32.exe Iciaqc32.exe File created C:\Windows\SysWOW64\Acmobchj.exe Ackbmcjl.exe File created C:\Windows\SysWOW64\Hankellh.dll Innfnl32.exe File created C:\Windows\SysWOW64\Jhghaf32.dll Ohkkhhmh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6008 6612 WerFault.exe 867 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbabigfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahbohd32.dll" Gidnkkpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jnnpdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ggnedlao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lohqnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iickkbje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimgpahk.dll" Ddgplado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kegpifod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljceqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpdgqmnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejojljqa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Meamcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlhljhbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njpdnedf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjlhgaqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icndnfbg.dll" Ajjjocap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Clgbmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njlmnj32.dll" Ihkjno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cildom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oekiqccc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mejpje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eiekog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Falcae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdmoohbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ekdnei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgmchiim.dll" Gpnfge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iojbpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdmdnadc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkpqlc32.dll" Fkfcqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khbiello.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npgabc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Acqgojmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Plbmokop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npbblbdb.dll" Dblgpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaigbkko.dll" Fbjmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmkalh32.dll" Fbpchb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pplobcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbaclegm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hifpcjin.dll" Fkihnmhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kniieo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfmjef32.dll" Phedhmhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Piocecgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpengmlg.dll" Qgnbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pleaoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbjmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfhllkp.dll" Hlnjbedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bigpblgh.dll" Cpfmlghd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pgflqkdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chnbbqpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cioilg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmeoam32.dll" Kdpmbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diadam32.dll" Lcfidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjinnekj.dll" Fncibg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpeafcfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkikinpo.dll" Doagjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caajoahp.dll" Dnljkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojpmg32.dll" Paelfmaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knenkbio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjoqncg.dll" Achegd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Figmglee.dll" Ofhknodl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Melmcj32.dll" Nlphbnoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cioilg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pabblb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kilpmh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1752 wrote to memory of 1484 1752 33a00ac6e9aef6b88ce6ea30161747407801e8b8ce6927dfd09486d6f4c4958d.exe 80 PID 1752 wrote to memory of 1484 1752 33a00ac6e9aef6b88ce6ea30161747407801e8b8ce6927dfd09486d6f4c4958d.exe 80 PID 1752 wrote to memory of 1484 1752 33a00ac6e9aef6b88ce6ea30161747407801e8b8ce6927dfd09486d6f4c4958d.exe 80 PID 1484 wrote to memory of 3472 1484 Hdnldd32.exe 81 PID 1484 wrote to memory of 3472 1484 Hdnldd32.exe 81 PID 1484 wrote to memory of 3472 1484 Hdnldd32.exe 81 PID 3472 wrote to memory of 4580 3472 Hocqam32.exe 82 PID 3472 wrote to memory of 4580 3472 Hocqam32.exe 82 PID 3472 wrote to memory of 4580 3472 Hocqam32.exe 82 PID 4580 wrote to memory of 2432 4580 Hninbj32.exe 83 PID 4580 wrote to memory of 2432 4580 Hninbj32.exe 83 PID 4580 wrote to memory of 2432 4580 Hninbj32.exe 83 PID 2432 wrote to memory of 4072 2432 Hhnbpb32.exe 84 PID 2432 wrote to memory of 4072 2432 Hhnbpb32.exe 84 PID 2432 wrote to memory of 4072 2432 Hhnbpb32.exe 84 PID 4072 wrote to memory of 4652 4072 Iohjlmeg.exe 85 PID 4072 wrote to memory of 4652 4072 Iohjlmeg.exe 85 PID 4072 wrote to memory of 4652 4072 Iohjlmeg.exe 85 PID 4652 wrote to memory of 2412 4652 Ifbbig32.exe 86 PID 4652 wrote to memory of 2412 4652 Ifbbig32.exe 86 PID 4652 wrote to memory of 2412 4652 Ifbbig32.exe 86 PID 2412 wrote to memory of 2268 2412 Iickkbje.exe 87 PID 2412 wrote to memory of 2268 2412 Iickkbje.exe 87 PID 2412 wrote to memory of 2268 2412 Iickkbje.exe 87 PID 2268 wrote to memory of 3780 2268 Idjlpc32.exe 88 PID 2268 wrote to memory of 3780 2268 Idjlpc32.exe 88 PID 2268 wrote to memory of 3780 2268 Idjlpc32.exe 88 PID 3780 wrote to memory of 4376 3780 Ibnligoc.exe 89 PID 3780 wrote to memory of 4376 3780 Ibnligoc.exe 89 PID 3780 wrote to memory of 4376 3780 Ibnligoc.exe 89 PID 4376 wrote to memory of 1944 4376 Igjeanmj.exe 90 PID 4376 wrote to memory of 1944 4376 Igjeanmj.exe 90 PID 4376 wrote to memory of 1944 4376 Igjeanmj.exe 90 PID 1944 wrote to memory of 2684 1944 Jngjch32.exe 91 PID 1944 wrote to memory of 2684 1944 Jngjch32.exe 91 PID 1944 wrote to memory of 2684 1944 Jngjch32.exe 91 PID 2684 wrote to memory of 2756 2684 Joffnk32.exe 92 PID 2684 wrote to memory of 2756 2684 Joffnk32.exe 92 PID 2684 wrote to memory of 2756 2684 Joffnk32.exe 92 PID 2756 wrote to memory of 1320 2756 Jkmgblok.exe 93 PID 2756 wrote to memory of 1320 2756 Jkmgblok.exe 93 PID 2756 wrote to memory of 1320 2756 Jkmgblok.exe 93 PID 1320 wrote to memory of 3748 1320 Jeekkafl.exe 94 PID 1320 wrote to memory of 3748 1320 Jeekkafl.exe 94 PID 1320 wrote to memory of 3748 1320 Jeekkafl.exe 94 PID 3748 wrote to memory of 1636 3748 Jnnpdg32.exe 95 PID 3748 wrote to memory of 1636 3748 Jnnpdg32.exe 95 PID 3748 wrote to memory of 1636 3748 Jnnpdg32.exe 95 PID 1636 wrote to memory of 228 1636 Jfgdkd32.exe 96 PID 1636 wrote to memory of 228 1636 Jfgdkd32.exe 96 PID 1636 wrote to memory of 228 1636 Jfgdkd32.exe 96 PID 228 wrote to memory of 1956 228 Kgknhl32.exe 97 PID 228 wrote to memory of 1956 228 Kgknhl32.exe 97 PID 228 wrote to memory of 1956 228 Kgknhl32.exe 97 PID 1956 wrote to memory of 1788 1956 Khmknk32.exe 98 PID 1956 wrote to memory of 1788 1956 Khmknk32.exe 98 PID 1956 wrote to memory of 1788 1956 Khmknk32.exe 98 PID 1788 wrote to memory of 4712 1788 Klkcdj32.exe 99 PID 1788 wrote to memory of 4712 1788 Klkcdj32.exe 99 PID 1788 wrote to memory of 4712 1788 Klkcdj32.exe 99 PID 4712 wrote to memory of 2068 4712 Lhdqnj32.exe 100 PID 4712 wrote to memory of 2068 4712 Lhdqnj32.exe 100 PID 4712 wrote to memory of 2068 4712 Lhdqnj32.exe 100 PID 2068 wrote to memory of 988 2068 Lpneegel.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\33a00ac6e9aef6b88ce6ea30161747407801e8b8ce6927dfd09486d6f4c4958d.exe"C:\Users\Admin\AppData\Local\Temp\33a00ac6e9aef6b88ce6ea30161747407801e8b8ce6927dfd09486d6f4c4958d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Hdnldd32.exeC:\Windows\system32\Hdnldd32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Hocqam32.exeC:\Windows\system32\Hocqam32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\SysWOW64\Hninbj32.exeC:\Windows\system32\Hninbj32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Windows\SysWOW64\Hhnbpb32.exeC:\Windows\system32\Hhnbpb32.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Iohjlmeg.exeC:\Windows\system32\Iohjlmeg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Windows\SysWOW64\Ifbbig32.exeC:\Windows\system32\Ifbbig32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Idjlpc32.exeC:\Windows\system32\Idjlpc32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Ibnligoc.exeC:\Windows\system32\Ibnligoc.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\SysWOW64\Igjeanmj.exeC:\Windows\system32\Igjeanmj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Jkmgblok.exeC:\Windows\system32\Jkmgblok.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Jeekkafl.exeC:\Windows\system32\Jeekkafl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Windows\SysWOW64\Jfgdkd32.exeC:\Windows\system32\Jfgdkd32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Kgknhl32.exeC:\Windows\system32\Kgknhl32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Windows\SysWOW64\Khmknk32.exeC:\Windows\system32\Khmknk32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Klkcdj32.exeC:\Windows\system32\Klkcdj32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe23⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Llgcph32.exeC:\Windows\system32\Llgcph32.exe24⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Leoghn32.exeC:\Windows\system32\Leoghn32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5080 -
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe27⤵
- Executes dropped EXE
PID:4168 -
C:\Windows\SysWOW64\Mefmimif.exeC:\Windows\system32\Mefmimif.exe28⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Mehjol32.exeC:\Windows\system32\Mehjol32.exe29⤵
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Mblkhq32.exeC:\Windows\system32\Mblkhq32.exe30⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Mockmala.exeC:\Windows\system32\Mockmala.exe31⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2992 -
C:\Windows\SysWOW64\Nlihle32.exeC:\Windows\system32\Nlihle32.exe33⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe34⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Nomncpcg.exeC:\Windows\system32\Nomncpcg.exe36⤵
- Executes dropped EXE
PID:4704 -
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe37⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2780 -
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe39⤵
- Executes dropped EXE
PID:3096 -
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe40⤵
- Executes dropped EXE
PID:4200 -
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe41⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe42⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Oepifi32.exeC:\Windows\system32\Oepifi32.exe43⤵
- Executes dropped EXE
PID:4724 -
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe44⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe45⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe46⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe47⤵
- Executes dropped EXE
PID:3356 -
C:\Windows\SysWOW64\Ppmcdq32.exeC:\Windows\system32\Ppmcdq32.exe48⤵
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\Pgflqkdd.exeC:\Windows\system32\Pgflqkdd.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2332 -
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe50⤵
- Executes dropped EXE
PID:4100 -
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:3872 -
C:\Windows\SysWOW64\Pjjahe32.exeC:\Windows\system32\Pjjahe32.exe52⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Qgnbaj32.exeC:\Windows\system32\Qgnbaj32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:3624 -
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe54⤵
- Executes dropped EXE
PID:4184 -
C:\Windows\SysWOW64\Qcdbfk32.exeC:\Windows\system32\Qcdbfk32.exe55⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Qfbobf32.exeC:\Windows\system32\Qfbobf32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe57⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Amodep32.exeC:\Windows\system32\Amodep32.exe58⤵
- Executes dropped EXE
PID:3140 -
C:\Windows\SysWOW64\Afghneoo.exeC:\Windows\system32\Afghneoo.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe60⤵
- Executes dropped EXE
PID:3372 -
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe61⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe62⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Aodfajaj.exeC:\Windows\system32\Aodfajaj.exe63⤵
- Executes dropped EXE
PID:4576 -
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4872 -
C:\Windows\SysWOW64\Bcbohigp.exeC:\Windows\system32\Bcbohigp.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe66⤵PID:3268
-
C:\Windows\SysWOW64\Bjodjb32.exeC:\Windows\system32\Bjodjb32.exe67⤵PID:1096
-
C:\Windows\SysWOW64\Boklbi32.exeC:\Windows\system32\Boklbi32.exe68⤵PID:3476
-
C:\Windows\SysWOW64\Bpnihiio.exeC:\Windows\system32\Bpnihiio.exe69⤵PID:4920
-
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4288 -
C:\Windows\SysWOW64\Bqmeal32.exeC:\Windows\system32\Bqmeal32.exe71⤵PID:2060
-
C:\Windows\SysWOW64\Bjfjka32.exeC:\Windows\system32\Bjfjka32.exe72⤵PID:2224
-
C:\Windows\SysWOW64\Cgjjdf32.exeC:\Windows\system32\Cgjjdf32.exe73⤵PID:4360
-
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe74⤵PID:4984
-
C:\Windows\SysWOW64\Ccqkigkp.exeC:\Windows\system32\Ccqkigkp.exe75⤵PID:1028
-
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe76⤵PID:3696
-
C:\Windows\SysWOW64\Cmipblaq.exeC:\Windows\system32\Cmipblaq.exe77⤵
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Cippgm32.exeC:\Windows\system32\Cippgm32.exe78⤵PID:2080
-
C:\Windows\SysWOW64\Cgqqdeod.exeC:\Windows\system32\Cgqqdeod.exe79⤵PID:4084
-
C:\Windows\SysWOW64\Cpleig32.exeC:\Windows\system32\Cpleig32.exe80⤵PID:1100
-
C:\Windows\SysWOW64\Cjaifp32.exeC:\Windows\system32\Cjaifp32.exe81⤵PID:1640
-
C:\Windows\SysWOW64\Dakacjdb.exeC:\Windows\system32\Dakacjdb.exe82⤵PID:4008
-
C:\Windows\SysWOW64\Dhhfedil.exeC:\Windows\system32\Dhhfedil.exe83⤵PID:3628
-
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe84⤵PID:2416
-
C:\Windows\SysWOW64\Dfmcfp32.exeC:\Windows\system32\Dfmcfp32.exe85⤵PID:2064
-
C:\Windows\SysWOW64\Dinmhkke.exeC:\Windows\system32\Dinmhkke.exe86⤵PID:804
-
C:\Windows\SysWOW64\Dpgeee32.exeC:\Windows\system32\Dpgeee32.exe87⤵PID:3284
-
C:\Windows\SysWOW64\Emlenj32.exeC:\Windows\system32\Emlenj32.exe88⤵PID:2752
-
C:\Windows\SysWOW64\Edhjqc32.exeC:\Windows\system32\Edhjqc32.exe89⤵PID:1740
-
C:\Windows\SysWOW64\Efffmo32.exeC:\Windows\system32\Efffmo32.exe90⤵PID:2384
-
C:\Windows\SysWOW64\Ejdocm32.exeC:\Windows\system32\Ejdocm32.exe91⤵PID:4928
-
C:\Windows\SysWOW64\Efkphnbd.exeC:\Windows\system32\Efkphnbd.exe92⤵PID:428
-
C:\Windows\SysWOW64\Eaqdegaj.exeC:\Windows\system32\Eaqdegaj.exe93⤵
- Drops file in System32 directory
PID:4972 -
C:\Windows\SysWOW64\Fkihnmhj.exeC:\Windows\system32\Fkihnmhj.exe94⤵
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Fpeafcfa.exeC:\Windows\system32\Fpeafcfa.exe95⤵
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Ffpicn32.exeC:\Windows\system32\Ffpicn32.exe96⤵PID:4356
-
C:\Windows\SysWOW64\Faenpf32.exeC:\Windows\system32\Faenpf32.exe97⤵PID:3912
-
C:\Windows\SysWOW64\Fgbfhmll.exeC:\Windows\system32\Fgbfhmll.exe98⤵PID:2144
-
C:\Windows\SysWOW64\Fagjfflb.exeC:\Windows\system32\Fagjfflb.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:400 -
C:\Windows\SysWOW64\Fkpool32.exeC:\Windows\system32\Fkpool32.exe100⤵PID:4232
-
C:\Windows\SysWOW64\Fpmggb32.exeC:\Windows\system32\Fpmggb32.exe101⤵PID:3592
-
C:\Windows\SysWOW64\Fkbkdkpp.exeC:\Windows\system32\Fkbkdkpp.exe102⤵PID:3180
-
C:\Windows\SysWOW64\Falcae32.exeC:\Windows\system32\Falcae32.exe103⤵
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Gkdhjknm.exeC:\Windows\system32\Gkdhjknm.exe104⤵PID:4328
-
C:\Windows\SysWOW64\Gdmmbq32.exeC:\Windows\system32\Gdmmbq32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:212 -
C:\Windows\SysWOW64\Ghhhcomg.exeC:\Windows\system32\Ghhhcomg.exe106⤵PID:1900
-
C:\Windows\SysWOW64\Gijekg32.exeC:\Windows\system32\Gijekg32.exe107⤵PID:1608
-
C:\Windows\SysWOW64\Gpcmga32.exeC:\Windows\system32\Gpcmga32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1456 -
C:\Windows\SysWOW64\Ggnedlao.exeC:\Windows\system32\Ggnedlao.exe109⤵
- Modifies registry class
PID:872 -
C:\Windows\SysWOW64\Gnhnaf32.exeC:\Windows\system32\Gnhnaf32.exe110⤵PID:3364
-
C:\Windows\SysWOW64\Gdafnpqh.exeC:\Windows\system32\Gdafnpqh.exe111⤵PID:1084
-
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe112⤵PID:3548
-
C:\Windows\SysWOW64\Ggbook32.exeC:\Windows\system32\Ggbook32.exe113⤵PID:2988
-
C:\Windows\SysWOW64\Gnlgleef.exeC:\Windows\system32\Gnlgleef.exe114⤵PID:4824
-
C:\Windows\SysWOW64\Hgelek32.exeC:\Windows\system32\Hgelek32.exe115⤵PID:4852
-
C:\Windows\SysWOW64\Hjchaf32.exeC:\Windows\system32\Hjchaf32.exe116⤵PID:2304
-
C:\Windows\SysWOW64\Hpmpnp32.exeC:\Windows\system32\Hpmpnp32.exe117⤵PID:2436
-
C:\Windows\SysWOW64\Hjedffig.exeC:\Windows\system32\Hjedffig.exe118⤵PID:244
-
C:\Windows\SysWOW64\Hdkidohn.exeC:\Windows\system32\Hdkidohn.exe119⤵
- Drops file in System32 directory
PID:3708 -
C:\Windows\SysWOW64\Hgiepjga.exeC:\Windows\system32\Hgiepjga.exe120⤵PID:224
-
C:\Windows\SysWOW64\Hdmein32.exeC:\Windows\system32\Hdmein32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4644
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-