Analysis
max time kernel: 94s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
submitted: 16-07-2024 11:28
Static task
static1
1 signatures

Behavioral task
behavioral1
Sample: b2f57dc5c9abe810959b830e71367aa0N.exe
Resource: win7-20240704-en
windows7-x64
7 signatures
120 seconds

Behavioral task
behavioral2
Sample: b2f57dc5c9abe810959b830e71367aa0N.exe
Resource: win10v2004-20240709-en
windows10-2004-x64
6 signatures
120 seconds
General
Target: b2f57dc5c9abe810959b830e71367aa0N.exe
Size: 239KB
MD5: b2f57dc5c9abe810959b830e71367aa0
SHA1: b70b53c5188d378ae3c570b8b80b4009833bc502
SHA256: b3c05e25300573419060296b3ff1679c762f44dfdfbede85b6eb3b86f27d2a26
SHA512: 521db731a38047ec76cb29038557a041d05f4f4d9febd6987c637cda007c180ee813f87f6ce72584e38a2f7752b1d57d4f9ae8117b54084a82d8ca071408707d
SSDEEP: 6144:ixAqJ1gZlVrtv35CPXbo92ynn8sbeWDSpaH8n:EhJwHRFbeE8n
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Inecki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Knofbkai.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qalkoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Phqbko32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ehndac32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Igbhidja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Omldglpg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdaadpkb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jpnhhl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bcokknab.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hojill32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mflbnogg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dgbhlb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bgnafinp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Blcfhd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ddbfdm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iehkdfda.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gbdekg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ccpklbfk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kibmjdca.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Coakknli.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dldllmhp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jnqbfg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lfeaomjf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jhgnnfno.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bkjidjja.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lnjnccdp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ekjkbe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dgknnb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fkdofhgj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fabqnbkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jgkmjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Coakknli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dnonnl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ibffkcpe.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jqglnh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jiiifa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Licfab32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kqohip32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lnhandfb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdkpcn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ibadhi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jgkmjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kqihcgea.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nmkdfhko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jgnqjlmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kckqefhi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fpcdco32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fblpjecl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jnomkn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fndppi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bmngcp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hidnok32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Phjdpm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dldllmhp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jiglable.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjejnmam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pkngld32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pjpoeb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Impceced.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Phjdpm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Achejo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lqkgeo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pmegmk32.exe
Executes dropped EXE (64 IoCs)
pid | Process
1480 | Bfoelf32.exe
5068 | Bgnafinp.exe
872 | Bmkjnp32.exe
4132 | Bmngcp32.exe
3000 | Cnmcnb32.exe
1220 | Cfhhbe32.exe
316 | Cdlhki32.exe
3100 | Cjfqhcei.exe
2936 | Cjhmnc32.exe
1572 | Cfonbdij.exe
4784 | Cdcolh32.exe
1412 | Dmlcennd.exe
1164 | Djpcnbmn.exe
3032 | Dkbpda32.exe
4032 | Dopijpab.exe
5100 | Dgknnb32.exe
4320 | Daqblk32.exe
3044 | Eacoak32.exe
2236 | Eknppp32.exe
1844 | Eokhfn32.exe
4248 | Ehdmodne.exe
2928 | Eehnhhmo.exe
1988 | Fncblj32.exe
3600 | Fobofmal.exe
468 | Fgnckpog.exe
4336 | Facghh32.exe
1660 | Faednh32.exe
4860 | Foiegl32.exe
1596 | Ghbipb32.exe
1004 | Gajnighe.exe
4404 | Gnaonh32.exe
2572 | Goqkhk32.exe
3332 | Gkglmlkq.exe
456 | Gkjhbl32.exe
2376 | Hacqofpk.exe
772 | Hhnilp32.exe
2780 | Hohahjod.exe
4160 | Hddiqaml.exe
3420 | Hknamkdi.exe
972 | Hnmnigdl.exe
3848 | Hdgffq32.exe
4956 | Holjci32.exe
224 | Hhdoloap.exe
180 | Hbmcedhp.exe
1172 | Hgjlmlfg.exe
612 | Idnlgpea.exe
3748 | Iocqdh32.exe
1464 | Iilemnkh.exe
3364 | Inhneeio.exe
1016 | Iinbbnie.exe
3872 | Ibffkcpe.exe
3216 | Ikokdi32.exe
4128 | Ifdoaa32.exe
1652 | Igekijlj.exe
2192 | Jbkpfb32.exe
4780 | Jkcdohbq.exe
824 | Jigdilaj.exe
2740 | Joamef32.exe
4420 | Jkhnjg32.exe
2788 | Jilndl32.exe
3140 | Jbdbmace.exe
4604 | Jinkikkb.exe
2248 | Kfbkbpjl.exe
1272 | Kiagokip.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Fnpmopgg.exe | Flaacdhd.exe
File opened for modification | C:\Windows\SysWOW64\Adfggk32.exe | Aagkkp32.exe
File created | C:\Windows\SysWOW64\Biogck32.exe | Bfqkgp32.exe
File opened for modification | C:\Windows\SysWOW64\Ccpklbfk.exe | Cgijgaqf.exe
File opened for modification | C:\Windows\SysWOW64\Mlmbilje.exe | Mecjlb32.exe
File created | C:\Windows\SysWOW64\Lqadop32.exe | Ljhlbfao.exe
File created | C:\Windows\SysWOW64\Nmngfn32.exe | Mmkkpnnj.exe
File created | C:\Windows\SysWOW64\Fbjipd32.dll | Igekijlj.exe
File created | C:\Windows\SysWOW64\Lfimaj32.dll | Pkngld32.exe
File opened for modification | C:\Windows\SysWOW64\Ahngagki.exe | Afpkelle.exe
File created | C:\Windows\SysWOW64\Bhmpllck.dll | Dldllmhp.exe
File created | C:\Windows\SysWOW64\Pmegmk32.exe | Pkfjao32.exe
File created | C:\Windows\SysWOW64\Iicdoapj.dll | Onmflh32.exe
File created | C:\Windows\SysWOW64\Feekec32.dll | Dhcmmphl.exe
File created | C:\Windows\SysWOW64\Pofmeghp.dll | Niabbpio.exe
File created | C:\Windows\SysWOW64\Pfjgom32.dll | Mcnmlilo.exe
File created | C:\Windows\SysWOW64\Ojbafpmo.exe | Ohcejdnk.exe
File created | C:\Windows\SysWOW64\Ndnleh32.dll | Cfonbdij.exe
File created | C:\Windows\SysWOW64\Hbnbdkaq.dll | Kfbkbpjl.exe
File created | C:\Windows\SysWOW64\Cmoniibe.dll | Lgniaj32.exe
File created | C:\Windows\SysWOW64\Qajedhhk.exe | Polihlih.exe
File opened for modification | C:\Windows\SysWOW64\Iqfcgjeg.exe | Ignnnd32.exe
File created | C:\Windows\SysWOW64\Njhcmnae.dll | Hgdempce.exe
File created | C:\Windows\SysWOW64\Booond32.dll | Kgbjekic.exe
File opened for modification | C:\Windows\SysWOW64\Anjiogfe.exe | Ahmqgq32.exe
File created | C:\Windows\SysWOW64\Iinbbnie.exe | Inhneeio.exe
File opened for modification | C:\Windows\SysWOW64\Jbkpfb32.exe | Igekijlj.exe
File created | C:\Windows\SysWOW64\Nlpeib32.exe | Niaimf32.exe
File created | C:\Windows\SysWOW64\Dhdehlbp.dll | Gkgebfge.exe
File created | C:\Windows\SysWOW64\Iimlffhe.dll | Gbnoll32.exe
File opened for modification | C:\Windows\SysWOW64\Eklamo32.exe | Ehndac32.exe
File opened for modification | C:\Windows\SysWOW64\Idnlgpea.exe | Hgjlmlfg.exe
File opened for modification | C:\Windows\SysWOW64\Bkhciapp.exe | Bbpoqk32.exe
File created | C:\Windows\SysWOW64\Hqnkka32.dll | Hpdlkplb.exe
File created | C:\Windows\SysWOW64\Eocccn32.exe | Eglkaa32.exe
File created | C:\Windows\SysWOW64\Elpmkg32.dll | Kqknnaoc.exe
File created | C:\Windows\SysWOW64\Ojmgkq32.exe | Ohokoe32.exe
File created | C:\Windows\SysWOW64\Nfhbjmmj.exe | Npnjmb32.exe
File opened for modification | C:\Windows\SysWOW64\Cjfqhcei.exe | Cdlhki32.exe
File opened for modification | C:\Windows\SysWOW64\Okbhqf32.exe | Ohdldk32.exe
File created | C:\Windows\SysWOW64\Chmbchfo.exe | Bngnfofi.exe
File created | C:\Windows\SysWOW64\Jilndl32.exe | Jkhnjg32.exe
File opened for modification | C:\Windows\SysWOW64\Ohbfiage.exe | Ogaiai32.exe
File created | C:\Windows\SysWOW64\Hapcbe32.dll | Qlbfgp32.exe
File created | C:\Windows\SysWOW64\Blffajqa.dll | Dojggfqb.exe
File opened for modification | C:\Windows\SysWOW64\Holjci32.exe | Hdgffq32.exe
File created | C:\Windows\SysWOW64\Mbnlmg32.dll | Pnhfhf32.exe
File created | C:\Windows\SysWOW64\Ldbqeh32.dll | Emglffqk.exe
File created | C:\Windows\SysWOW64\Mbpdeghj.exe | Mhjpgn32.exe
File created | C:\Windows\SysWOW64\Gmmdclie.exe | Gbhpfcio.exe
File opened for modification | C:\Windows\SysWOW64\Limgkiob.exe | Lpdbbd32.exe
File created | C:\Windows\SysWOW64\Iqfcgjeg.exe | Ignnnd32.exe
File created | C:\Windows\SysWOW64\Qklbaimg.dll | Aoboikcp.exe
File created | C:\Windows\SysWOW64\Jijpbc32.dll | Bldlcn32.exe
File created | C:\Windows\SysWOW64\Gmccakom.dll | Feioad32.exe
File opened for modification | C:\Windows\SysWOW64\Gielbcbe.exe | Gplgjn32.exe
File created | C:\Windows\SysWOW64\Kmafkfnp.dll | Lnihhjin.exe
File created | C:\Windows\SysWOW64\Eiaolpoo.exe | Ebggoe32.exe
File opened for modification | C:\Windows\SysWOW64\Ofohjlga.exe | Oabpbe32.exe
File created | C:\Windows\SysWOW64\Gehjaa32.dll | Maqhkdqg.exe
File created | C:\Windows\SysWOW64\Eokhfn32.exe | Eknppp32.exe
File opened for modification | C:\Windows\SysWOW64\Ahmqgq32.exe | Aeodke32.exe
File created | C:\Windows\SysWOW64\Ifneca32.dll | Boqljigp.exe
File created | C:\Windows\SysWOW64\Opiiia32.exe | Omkmme32.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
12320 | 6400 | WerFault.exe | 859
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbilem32.dll" | Pjfcgi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lifjahgh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfnfko32.dll" | Mobbioeo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bljmpb32.dll" | Oeffce32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Biogck32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jnfclm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hidnok32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfjpjk32.dll" | Nqhmlfae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Akfmnfgk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gnfmei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eehnhhmo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bacaad32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qomocfci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Amgeoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmjikh32.dll" | Bgnafinp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmgkpplq.dll" | Biogck32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kellmijc.dll" | Knklgl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ompmbklb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lnldom32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dglbkcbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlged32.dll" | Nelmbq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jgigom32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bamkqehf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ipplgnbe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gilabamj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnblbdep.dll" | Fncblj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjbfij32.dll" | Jqbbbhkj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhojac32.dll" | Bdikgail.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Glacol32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncafaeom.dll" | Hbmcedhp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bcokknab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Impceced.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idchjjeo.dll" | Qploen32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ggancn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaomii32.dll" | Hknamkdi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnecnd32.dll" | Kiagokip.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Olmkpj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kfgplajo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Klcenk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ominodap.dll" | Lcfpadnk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pfbfod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbkall32.dll" | Ebdldibm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mbchemic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lalnpe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Napjgl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bopmif32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cjjcil32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Allphe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Phjkkchc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kackli32.dll" | Fenhlcgc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ngjcajgo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kgdfkk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pmgccjfj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dnpdhb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmkopm32.dll" | Hlfceafl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Adfggk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ghbipb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdhjepap.dll" | Gighhcpb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kegaif32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cjgpiflo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmmlaj32.dll" | Lfeaomjf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Amaqmkaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akobpb32.dll" | Pkqdbd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dbanbbfn.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 744 wrote to memory of 1480 | 744 | b2f57dc5c9abe810959b830e71367aa0N.exe | 83
PID 744 wrote to memory of 1480 | 744 | b2f57dc5c9abe810959b830e71367aa0N.exe | 83
PID 744 wrote to memory of 1480 | 744 | b2f57dc5c9abe810959b830e71367aa0N.exe | 83
PID 1480 wrote to memory of 5068 | 1480 | Bfoelf32.exe | 84
PID 1480 wrote to memory of 5068 | 1480 | Bfoelf32.exe | 84
PID 1480 wrote to memory of 5068 | 1480 | Bfoelf32.exe | 84
PID 5068 wrote to memory of 872 | 5068 | Bgnafinp.exe | 86
PID 5068 wrote to memory of 872 | 5068 | Bgnafinp.exe | 86
PID 5068 wrote to memory of 872 | 5068 | Bgnafinp.exe | 86
PID 872 wrote to memory of 4132 | 872 | Bmkjnp32.exe | 88
PID 872 wrote to memory of 4132 | 872 | Bmkjnp32.exe | 88
PID 872 wrote to memory of 4132 | 872 | Bmkjnp32.exe | 88
PID 4132 wrote to memory of 3000 | 4132 | Bmngcp32.exe | 89
PID 4132 wrote to memory of 3000 | 4132 | Bmngcp32.exe | 89
PID 4132 wrote to memory of 3000 | 4132 | Bmngcp32.exe | 89
PID 3000 wrote to memory of 1220 | 3000 | Cnmcnb32.exe | 90
PID 3000 wrote to memory of 1220 | 3000 | Cnmcnb32.exe | 90
PID 3000 wrote to memory of 1220 | 3000 | Cnmcnb32.exe | 90
PID 1220 wrote to memory of 316 | 1220 | Cfhhbe32.exe | 91
PID 1220 wrote to memory of 316 | 1220 | Cfhhbe32.exe | 91
PID 1220 wrote to memory of 316 | 1220 | Cfhhbe32.exe | 91
PID 316 wrote to memory of 3100 | 316 | Cdlhki32.exe | 92
PID 316 wrote to memory of 3100 | 316 | Cdlhki32.exe | 92
PID 316 wrote to memory of 3100 | 316 | Cdlhki32.exe | 92
PID 3100 wrote to memory of 2936 | 3100 | Cjfqhcei.exe | 93
PID 3100 wrote to memory of 2936 | 3100 | Cjfqhcei.exe | 93
PID 3100 wrote to memory of 2936 | 3100 | Cjfqhcei.exe | 93
PID 2936 wrote to memory of 1572 | 2936 | Cjhmnc32.exe | 94
PID 2936 wrote to memory of 1572 | 2936 | Cjhmnc32.exe | 94
PID 2936 wrote to memory of 1572 | 2936 | Cjhmnc32.exe | 94
PID 1572 wrote to memory of 4784 | 1572 | Cfonbdij.exe | 95
PID 1572 wrote to memory of 4784 | 1572 | Cfonbdij.exe | 95
PID 1572 wrote to memory of 4784 | 1572 | Cfonbdij.exe | 95
PID 4784 wrote to memory of 1412 | 4784 | Cdcolh32.exe | 96
PID 4784 wrote to memory of 1412 | 4784 | Cdcolh32.exe | 96
PID 4784 wrote to memory of 1412 | 4784 | Cdcolh32.exe | 96
PID 1412 wrote to memory of 1164 | 1412 | Dmlcennd.exe | 97
PID 1412 wrote to memory of 1164 | 1412 | Dmlcennd.exe | 97
PID 1412 wrote to memory of 1164 | 1412 | Dmlcennd.exe | 97
PID 1164 wrote to memory of 3032 | 1164 | Djpcnbmn.exe | 98
PID 1164 wrote to memory of 3032 | 1164 | Djpcnbmn.exe | 98
PID 1164 wrote to memory of 3032 | 1164 | Djpcnbmn.exe | 98
PID 3032 wrote to memory of 4032 | 3032 | Dkbpda32.exe | 99
PID 3032 wrote to memory of 4032 | 3032 | Dkbpda32.exe | 99
PID 3032 wrote to memory of 4032 | 3032 | Dkbpda32.exe | 99
PID 4032 wrote to memory of 5100 | 4032 | Dopijpab.exe | 100
PID 4032 wrote to memory of 5100 | 4032 | Dopijpab.exe | 100
PID 4032 wrote to memory of 5100 | 4032 | Dopijpab.exe | 100
PID 5100 wrote to memory of 4320 | 5100 | Dgknnb32.exe | 101
PID 5100 wrote to memory of 4320 | 5100 | Dgknnb32.exe | 101
PID 5100 wrote to memory of 4320 | 5100 | Dgknnb32.exe | 101
PID 4320 wrote to memory of 3044 | 4320 | Daqblk32.exe | 102
PID 4320 wrote to memory of 3044 | 4320 | Daqblk32.exe | 102
PID 4320 wrote to memory of 3044 | 4320 | Daqblk32.exe | 102
PID 3044 wrote to memory of 2236 | 3044 | Eacoak32.exe | 103
PID 3044 wrote to memory of 2236 | 3044 | Eacoak32.exe | 103
PID 3044 wrote to memory of 2236 | 3044 | Eacoak32.exe | 103
PID 2236 wrote to memory of 1844 | 2236 | Eknppp32.exe | 104
PID 2236 wrote to memory of 1844 | 2236 | Eknppp32.exe | 104
PID 2236 wrote to memory of 1844 | 2236 | Eknppp32.exe | 104
PID 1844 wrote to memory of 4248 | 1844 | Eokhfn32.exe | 105
PID 1844 wrote to memory of 4248 | 1844 | Eokhfn32.exe | 105
PID 1844 wrote to memory of 4248 | 1844 | Eokhfn32.exe | 105
PID 4248 wrote to memory of 2928 | 4248 | Ehdmodne.exe | 106
Processes
-
Each entry lists the image path, the PID, the command line and the signatures triggered by that process; the leading number is the nesting depth shown in the report.

1. C:\Users\Admin\AppData\Local\Temp\b2f57dc5c9abe810959b830e71367aa0N.exe (PID 744), command line: "C:\Users\Admin\AppData\Local\Temp\b2f57dc5c9abe810959b830e71367aa0N.exe"
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Bfoelf32.exe (PID 1480), command line: C:\Windows\system32\Bfoelf32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Bgnafinp.exe (PID 5068), command line: C:\Windows\system32\Bgnafinp.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Bmkjnp32.exe (PID 872), command line: C:\Windows\system32\Bmkjnp32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Bmngcp32.exe (PID 4132), command line: C:\Windows\system32\Bmngcp32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Cnmcnb32.exe (PID 3000), command line: C:\Windows\system32\Cnmcnb32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Cfhhbe32.exe (PID 1220), command line: C:\Windows\system32\Cfhhbe32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Cdlhki32.exe (PID 316), command line: C:\Windows\system32\Cdlhki32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Cjfqhcei.exe (PID 3100), command line: C:\Windows\system32\Cjfqhcei.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Cjhmnc32.exe (PID 2936), command line: C:\Windows\system32\Cjhmnc32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Cfonbdij.exe (PID 1572), command line: C:\Windows\system32\Cfonbdij.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Cdcolh32.exe (PID 4784), command line: C:\Windows\system32\Cdcolh32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Dmlcennd.exe (PID 1412), command line: C:\Windows\system32\Dmlcennd.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Djpcnbmn.exe (PID 1164), command line: C:\Windows\system32\Djpcnbmn.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Dkbpda32.exe (PID 3032), command line: C:\Windows\system32\Dkbpda32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Dopijpab.exe (PID 4032), command line: C:\Windows\system32\Dopijpab.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Dgknnb32.exe (PID 5100), command line: C:\Windows\system32\Dgknnb32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Daqblk32.exe (PID 4320), command line: C:\Windows\system32\Daqblk32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Eacoak32.exe (PID 3044), command line: C:\Windows\system32\Eacoak32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Eknppp32.exe (PID 2236), command line: C:\Windows\system32\Eknppp32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Eokhfn32.exe (PID 1844), command line: C:\Windows\system32\Eokhfn32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Ehdmodne.exe (PID 4248), command line: C:\Windows\system32\Ehdmodne.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Eehnhhmo.exe (PID 2928), command line: C:\Windows\system32\Eehnhhmo.exe
   - Executes dropped EXE
   - Modifies registry class
24. C:\Windows\SysWOW64\Fncblj32.exe (PID 1988), command line: C:\Windows\system32\Fncblj32.exe
   - Executes dropped EXE
   - Modifies registry class
25. C:\Windows\SysWOW64\Fobofmal.exe (PID 3600), command line: C:\Windows\system32\Fobofmal.exe
   - Executes dropped EXE
26. C:\Windows\SysWOW64\Fgnckpog.exe (PID 468), command line: C:\Windows\system32\Fgnckpog.exe
   - Executes dropped EXE
27. C:\Windows\SysWOW64\Facghh32.exe (PID 4336), command line: C:\Windows\system32\Facghh32.exe
   - Executes dropped EXE
28. C:\Windows\SysWOW64\Faednh32.exe (PID 1660), command line: C:\Windows\system32\Faednh32.exe
   - Executes dropped EXE
29. C:\Windows\SysWOW64\Foiegl32.exe (PID 4860), command line: C:\Windows\system32\Foiegl32.exe
   - Executes dropped EXE
30. C:\Windows\SysWOW64\Ghbipb32.exe (PID 1596), command line: C:\Windows\system32\Ghbipb32.exe
   - Executes dropped EXE
   - Modifies registry class
31. C:\Windows\SysWOW64\Gajnighe.exe (PID 1004), command line: C:\Windows\system32\Gajnighe.exe
   - Executes dropped EXE
32. C:\Windows\SysWOW64\Gnaonh32.exe (PID 4404), command line: C:\Windows\system32\Gnaonh32.exe
   - Executes dropped EXE
33. C:\Windows\SysWOW64\Goqkhk32.exe (PID 2572), command line: C:\Windows\system32\Goqkhk32.exe
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Gkglmlkq.exe (PID 3332), command line: C:\Windows\system32\Gkglmlkq.exe
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Gfmpjejf.exe (PID 5028), command line: C:\Windows\system32\Gfmpjejf.exe
36. C:\Windows\SysWOW64\Gkjhbl32.exe (PID 456), command line: C:\Windows\system32\Gkjhbl32.exe
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Hacqofpk.exe (PID 2376), command line: C:\Windows\system32\Hacqofpk.exe
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Hhnilp32.exe (PID 772), command line: C:\Windows\system32\Hhnilp32.exe
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Hohahjod.exe (PID 2780), command line: C:\Windows\system32\Hohahjod.exe
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Hddiqaml.exe (PID 4160), command line: C:\Windows\system32\Hddiqaml.exe
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Hknamkdi.exe (PID 3420), command line: C:\Windows\system32\Hknamkdi.exe
   - Executes dropped EXE
   - Modifies registry class
42. C:\Windows\SysWOW64\Hnmnigdl.exe (PID 972), command line: C:\Windows\system32\Hnmnigdl.exe
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Hdgffq32.exe (PID 3848), command line: C:\Windows\system32\Hdgffq32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
44. C:\Windows\SysWOW64\Holjci32.exe (PID 4956), command line: C:\Windows\system32\Holjci32.exe
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Hhdoloap.exe (PID 224), command line: C:\Windows\system32\Hhdoloap.exe
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Hbmcedhp.exe (PID 180), command line: C:\Windows\system32\Hbmcedhp.exe
   - Executes dropped EXE
   - Modifies registry class
47. C:\Windows\SysWOW64\Hgjlmlfg.exe (PID 1172), command line: C:\Windows\system32\Hgjlmlfg.exe
   - Executes dropped EXE
   - Drops file in System32 directory
48. C:\Windows\SysWOW64\Idnlgpea.exe (PID 612), command line: C:\Windows\system32\Idnlgpea.exe
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Iocqdh32.exe (PID 3748), command line: C:\Windows\system32\Iocqdh32.exe
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Iilemnkh.exe (PID 1464), command line: C:\Windows\system32\Iilemnkh.exe
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Inhneeio.exe (PID 3364), command line: C:\Windows\system32\Inhneeio.exe
   - Executes dropped EXE
   - Drops file in System32 directory
52. C:\Windows\SysWOW64\Iinbbnie.exe (PID 1016), command line: C:\Windows\system32\Iinbbnie.exe
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Ibffkcpe.exe (PID 3872), command line: C:\Windows\system32\Ibffkcpe.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Ikokdi32.exe (PID 3216), command line: C:\Windows\system32\Ikokdi32.exe
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Ifdoaa32.exe (PID 4128), command line: C:\Windows\system32\Ifdoaa32.exe
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Igekijlj.exe (PID 1652), command line: C:\Windows\system32\Igekijlj.exe
   - Executes dropped EXE
   - Drops file in System32 directory
57. C:\Windows\SysWOW64\Jbkpfb32.exe (PID 2192), command line: C:\Windows\system32\Jbkpfb32.exe
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Jkcdohbq.exe (PID 4780), command line: C:\Windows\system32\Jkcdohbq.exe
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Jigdilaj.exe (PID 824), command line: C:\Windows\system32\Jigdilaj.exe
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Joamef32.exe (PID 2740), command line: C:\Windows\system32\Joamef32.exe
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Jkhnjg32.exe (PID 4420), command line: C:\Windows\system32\Jkhnjg32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
62. C:\Windows\SysWOW64\Jilndl32.exe (PID 2788), command line: C:\Windows\system32\Jilndl32.exe
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Jbdbmace.exe (PID 3140), command line: C:\Windows\system32\Jbdbmace.exe
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Jinkikkb.exe (PID 4604), command line: C:\Windows\system32\Jinkikkb.exe
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Kfbkbpjl.exe (PID 2248), command line: C:\Windows\system32\Kfbkbpjl.exe
   - Executes dropped EXE
   - Drops file in System32 directory
66. C:\Windows\SysWOW64\Kiagokip.exe (PID 1272), command line: C:\Windows\system32\Kiagokip.exe
   - Executes dropped EXE
   - Modifies registry class
67. C:\Windows\SysWOW64\Keghdl32.exe (PID 3260), command line: C:\Windows\system32\Keghdl32.exe
68. C:\Windows\SysWOW64\Kpmlaenj.exe (PID 2308), command line: C:\Windows\system32\Kpmlaenj.exe
69. C:\Windows\SysWOW64\Kejeilma.exe (PID 2312), command line: C:\Windows\system32\Kejeilma.exe
70. C:\Windows\SysWOW64\Kldmff32.exe (PID 2984), command line: C:\Windows\system32\Kldmff32.exe
71. C:\Windows\SysWOW64\Kfiaco32.exe (PID 416), command line: C:\Windows\system32\Kfiaco32.exe
72. C:\Windows\SysWOW64\Kbpbhp32.exe (PID 3212), command line: C:\Windows\system32\Kbpbhp32.exe
73. C:\Windows\SysWOW64\Khmjqf32.exe (PID 2920), command line: C:\Windows\system32\Khmjqf32.exe
74. C:\Windows\SysWOW64\Lpdbbd32.exe (PID 3036), command line: C:\Windows\system32\Lpdbbd32.exe
   - Drops file in System32 directory
75. C:\Windows\SysWOW64\Limgkiob.exe (PID 1288), command line: C:\Windows\system32\Limgkiob.exe
76. C:\Windows\SysWOW64\Lpfogcfo.exe (PID 1976), command line: C:\Windows\system32\Lpfogcfo.exe
77. C:\Windows\SysWOW64\Lechpjdf.exe (PID 4760), command line: C:\Windows\system32\Lechpjdf.exe
78. C:\Windows\SysWOW64\Lpilmcdl.exe (PID 3120), command line: C:\Windows\system32\Lpilmcdl.exe
79. C:\Windows\SysWOW64\Llpmbd32.exe (PID 3104), command line: C:\Windows\system32\Llpmbd32.exe
80. C:\Windows\SysWOW64\Lfeaomjf.exe (PID 4636), command line: C:\Windows\system32\Lfeaomjf.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
81. C:\Windows\SysWOW64\Llbigdhn.exe (PID 4112), command line: C:\Windows\system32\Llbigdhn.exe
82. C:\Windows\SysWOW64\Lifjahgh.exe (PID 2456), command line: C:\Windows\system32\Lifjahgh.exe
   - Modifies registry class
83. C:\Windows\SysWOW64\Mobbioeo.exe (PID 4408), command line: C:\Windows\system32\Mobbioeo.exe
   - Modifies registry class
84. C:\Windows\SysWOW64\Moeooo32.exe (PID 4680), command line: C:\Windows\system32\Moeooo32.exe
85. C:\Windows\SysWOW64\Mpdkiajo.exe (PID 3716), command line: C:\Windows\system32\Mpdkiajo.exe
86. C:\Windows\SysWOW64\Mbchemic.exe (PID 3604), command line: C:\Windows\system32\Mbchemic.exe
   - Modifies registry class
87. C:\Windows\SysWOW64\Mhppmd32.exe (PID 4264), command line: C:\Windows\system32\Mhppmd32.exe
88. C:\Windows\SysWOW64\Mpieda32.exe (PID 1912), command line: C:\Windows\system32\Mpieda32.exe
89. C:\Windows\SysWOW64\Niaimf32.exe (PID 3588), command line: C:\Windows\system32\Niaimf32.exe
   - Drops file in System32 directory
90. C:\Windows\SysWOW64\Nlpeib32.exe (PID 3640), command line: C:\Windows\system32\Nlpeib32.exe
91. C:\Windows\SysWOW64\Nonbem32.exe (PID 2160), command line: C:\Windows\system32\Nonbem32.exe
92. C:\Windows\SysWOW64\Nlbbna32.exe (PID 1432), command line: C:\Windows\system32\Nlbbna32.exe
93. C:\Windows\SysWOW64\Nbljklah.exe (PID 1828), command line: C:\Windows\system32\Nbljklah.exe
94. C:\Windows\SysWOW64\Nhiccb32.exe (PID 2732), command line: C:\Windows\system32\Nhiccb32.exe
95. C:\Windows\SysWOW64\Ngjcajgo.exe (PID 3612), command line: C:\Windows\system32\Ngjcajgo.exe
   - Modifies registry class
96. C:\Windows\SysWOW64\Nlgliaef.exe (PID 3520), command line: C:\Windows\system32\Nlgliaef.exe
97. C:\Windows\SysWOW64\Ncadfk32.exe (PID 1688), command line: C:\Windows\system32\Ncadfk32.exe
98. C:\Windows\SysWOW64\Niklcedp.exe (PID 4796), command line: C:\Windows\system32\Niklcedp.exe
99. C:\Windows\SysWOW64\Nohdkl32.exe (PID 3928), command line: C:\Windows\system32\Nohdkl32.exe
100. C:\Windows\SysWOW64\Nccqlkkp.exe (PID 928), command line: C:\Windows\system32\Nccqlkkp.exe
101. C:\Windows\SysWOW64\Opgaeojj.exe (PID 3208), command line: C:\Windows\system32\Opgaeojj.exe
102. C:\Windows\SysWOW64\Ogaiai32.exe (PID 3068), command line: C:\Windows\system32\Ogaiai32.exe
   - Drops file in System32 directory
103. C:\Windows\SysWOW64\Ohbfiage.exe (PID 4660), command line: C:\Windows\system32\Ohbfiage.exe
104. C:\Windows\SysWOW64\Ochjgj32.exe (PID 1932), command line: C:\Windows\system32\Ochjgj32.exe
105. C:\Windows\SysWOW64\Oeffce32.exe (PID 4396), command line: C:\Windows\system32\Oeffce32.exe
   - Modifies registry class
106. C:\Windows\SysWOW64\Ocjglj32.exe (PID 3460), command line: C:\Windows\system32\Ocjglj32.exe
107. C:\Windows\SysWOW64\Ohgodq32.exe (PID 4528), command line: C:\Windows\system32\Ohgodq32.exe
108. C:\Windows\SysWOW64\Ooagak32.exe (PID 768), command line: C:\Windows\system32\Ooagak32.exe
109. C:\Windows\SysWOW64\Oekpnebi.exe (PID 1636), command line: C:\Windows\system32\Oekpnebi.exe
110. C:\Windows\SysWOW64\Olehko32.exe (PID 1336), command line: C:\Windows\system32\Olehko32.exe
111. C:\Windows\SysWOW64\Opqdknbo.exe (PID 2880), command line: C:\Windows\system32\Opqdknbo.exe
112. C:\Windows\SysWOW64\Pofalj32.exe (PID 1340), command line: C:\Windows\system32\Pofalj32.exe
113. C:\Windows\SysWOW64\Pfpiid32.exe (PID 5136), command line: C:\Windows\system32\Pfpiid32.exe
114. C:\Windows\SysWOW64\Phneep32.exe (PID 5180), command line: C:\Windows\system32\Phneep32.exe
115. C:\Windows\SysWOW64\Pfbfod32.exe (PID 5224), command line: C:\Windows\system32\Pfbfod32.exe
   - Modifies registry class
116. C:\Windows\SysWOW64\Phqbko32.exe (PID 5268), command line: C:\Windows\system32\Phqbko32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
117. C:\Windows\SysWOW64\Pcffhh32.exe (PID 5312), command line: C:\Windows\system32\Pcffhh32.exe
118. C:\Windows\SysWOW64\Pjpoeb32.exe (PID 5356), command line: C:\Windows\system32\Pjpoeb32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
119. C:\Windows\SysWOW64\Ppjgaljd.exe (PID 5396), command line: C:\Windows\system32\Ppjgaljd.exe
120. C:\Windows\SysWOW64\Pjbkjb32.exe (PID 5440), command line: C:\Windows\system32\Pjbkjb32.exe
121. C:\Windows\SysWOW64\Qgfldf32.exe (PID 5484), command line: C:\Windows\system32\Qgfldf32.exe
122. C:\Windows\SysWOW64\Qjehpanb.exe (PID 5528), command line: C:\Windows\system32\Qjehpanb.exe