Analysis
-
max time kernel
80s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
19-03-2024 04:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0bf7fea449dabf1d3778c76b1f7baa94d99d0ce6f5e8889d8ee917c34c850727.exe
Resource
win7-20240221-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
0bf7fea449dabf1d3778c76b1f7baa94d99d0ce6f5e8889d8ee917c34c850727.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
0bf7fea449dabf1d3778c76b1f7baa94d99d0ce6f5e8889d8ee917c34c850727.exe
-
Size
110KB
-
MD5
0eb8de8ae0fbd22ac2ac8db48e6c5bf0
-
SHA1
ba2e980ba8d685f13fbcb5dd69cf5ca6524c918f
-
SHA256
0bf7fea449dabf1d3778c76b1f7baa94d99d0ce6f5e8889d8ee917c34c850727
-
SHA512
072aea56726f1a1531e467d180ba97e7692aec2c49d809f253dbe9068cd0523bd846eb92e62a60f4296a6658712d33a0dd028f50f97b492ee450595ea05af3bc
-
SSDEEP
3072:JPGVKqFt8FED0vllz2aWqdDg8oxjVfvl7:1nqFtX0vllYqfoxjVfvl7
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiejda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfchjddj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmnbej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjlbag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfiiggpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Figgdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibgdlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmdoel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqdmghnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iamoon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oajoaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fapobl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Appaangd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igmoih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooangh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cppelkeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mminfech.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obhlkjaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfgiof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fajbjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfeagefd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnfoac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeailhme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Felbmqpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jojboa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggjgofkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efjgpc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hladlc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnlcdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgcmeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Diafqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qniogl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkjfakng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcbpme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhejgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jojboa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbhnga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fepmgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcpojk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mankaked.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gekeie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpkqbq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbapom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgcjea32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfnooe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpbpecen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fljedg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhaope32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghdhja32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjaodkmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogoncd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imdgljil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnboma32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djipbbne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enpknplq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmlicp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhnojl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjcikejg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noaeqjpe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aflpkpjm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmcldhfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aealll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clffalkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enpknplq.exe -
Executes dropped EXE 64 IoCs
pid Process 4648 Gnepna32.exe 1660 Gimqajgh.exe 2076 Hedafk32.exe 3452 Hefnkkkj.exe 5032 Hffken32.exe 948 Hfhgkmpj.exe 1480 Hfjdqmng.exe 1980 Hpchib32.exe 1284 Iepaaico.exe 3648 Iebngial.exe 5016 Ibfnqmpf.exe 2136 Ibhkfm32.exe 3536 Joahqn32.exe 2836 Opnbae32.exe 4620 Opclldhj.exe 2192 Ojhpimhp.exe 4460 Pccahbmn.exe 3904 Pfdjinjo.exe 1028 Pnmopk32.exe 1296 Ppolhcnm.exe 3852 Ppahmb32.exe 732 Qobhkjdi.exe 3272 Qjiipk32.exe 3572 Ahmjjoig.exe 3960 Aphnnafb.exe 3588 Aoioli32.exe 3372 Agdcpkll.exe 4332 Aajhndkb.exe 4424 Akblfj32.exe 2084 Ahfmpnql.exe 1004 Amcehdod.exe 1680 Bkgeainn.exe 2548 Bgnffj32.exe 4764 Bklomh32.exe 3992 Bnlhncgi.exe 5100 Bdfpkm32.exe 2252 Cgifbhid.exe 2856 Cpbjkn32.exe 2240 Ckgohf32.exe 2572 Dafppp32.exe 4980 Dhphmj32.exe 4196 Dqnjgl32.exe 4892 Doojec32.exe 3520 Doagjc32.exe 924 Dkhgod32.exe 1860 Ekjded32.exe 456 Ebdlangb.exe 4484 Edeeci32.exe 2352 Ekcgkb32.exe 5108 Figgdg32.exe 5136 Fdnhih32.exe 5176 Fnfmbmbi.exe 5220 Fbdehlip.exe 5264 Finnef32.exe 5304 Fajbjh32.exe 5344 Galoohke.exe 5384 Gkaclqkk.exe 5424 Gejhef32.exe 5456 Gbnhoj32.exe 5504 Gndick32.exe 5540 Gijmad32.exe 5588 Gngeik32.exe 5632 Hlkfbocp.exe 5676 Hlmchoan.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cdbmifdl.exe Cjlilndf.exe File opened for modification C:\Windows\SysWOW64\Cgbfka32.exe Cdbmifdl.exe File created C:\Windows\SysWOW64\Aiplmq32.exe Amikgpcc.exe File opened for modification C:\Windows\SysWOW64\Fhdocc32.exe Folkjnbc.exe File created C:\Windows\SysWOW64\Gkomkdlk.dll Kebodc32.exe File opened for modification C:\Windows\SysWOW64\Kcdakd32.exe Kiomnk32.exe File created C:\Windows\SysWOW64\Adadbi32.exe Acbhhf32.exe File created C:\Windows\SysWOW64\Cpbjkn32.exe Cgifbhid.exe File created C:\Windows\SysWOW64\Kdhlepkl.exe Kebodc32.exe File created C:\Windows\SysWOW64\Joahop32.exe Jamhflqq.exe File opened for modification C:\Windows\SysWOW64\Nmajbnha.exe Nmommn32.exe File created C:\Windows\SysWOW64\Ifdgaond.exe Hmlbij32.exe File created C:\Windows\SysWOW64\Paennh32.exe Phmjdbpo.exe File opened for modification C:\Windows\SysWOW64\Ibhkfm32.exe Ibfnqmpf.exe File created C:\Windows\SysWOW64\Iamoon32.exe Hdfapjbl.exe File opened for modification C:\Windows\SysWOW64\Qlmopqdc.exe Qahkch32.exe File opened for modification C:\Windows\SysWOW64\Npnqcpmc.exe Njahki32.exe File created C:\Windows\SysWOW64\Olkbkbih.dll Fmpjfn32.exe File opened for modification C:\Windows\SysWOW64\Boldcj32.exe Biolkc32.exe File opened for modification C:\Windows\SysWOW64\Nfcoekhe.exe Nfabok32.exe File opened for modification C:\Windows\SysWOW64\Paqebike.exe Phfcdcfg.exe File created C:\Windows\SysWOW64\Jbnopbdl.exe Jhejgl32.exe File created C:\Windows\SysWOW64\Doojec32.exe Dqnjgl32.exe File opened for modification C:\Windows\SysWOW64\Gdknpp32.exe Gjficg32.exe File opened for modification C:\Windows\SysWOW64\Mldhacpj.exe Mpnglbkf.exe File created C:\Windows\SysWOW64\Cogadadh.dll Liabjh32.exe File created C:\Windows\SysWOW64\Cnealfkf.exe Bpaacblm.exe File opened for modification C:\Windows\SysWOW64\Lbenho32.exe Lbcabo32.exe File created C:\Windows\SysWOW64\Ojhpimhp.exe Opclldhj.exe File opened for modification C:\Windows\SysWOW64\Gndick32.exe Gbnhoj32.exe File created C:\Windows\SysWOW64\Lpghfi32.exe Ljjpnb32.exe File created C:\Windows\SysWOW64\Lonnfg32.exe Lhdeinhb.exe File opened for modification C:\Windows\SysWOW64\Dnngpj32.exe Daeifj32.exe File created C:\Windows\SysWOW64\Mccokj32.exe Mdpagc32.exe File created C:\Windows\SysWOW64\Iddehb32.dll Dhgjll32.exe File created C:\Windows\SysWOW64\Phfhfa32.exe Okpkgm32.exe File created C:\Windows\SysWOW64\Cpkhqmjb.dll Cgifbhid.exe File created C:\Windows\SysWOW64\Hcbpme32.exe Gmfkjl32.exe File created C:\Windows\SysWOW64\Deagoa32.exe Dijgjpip.exe File created C:\Windows\SysWOW64\Idqogkic.dll Cgcmeh32.exe File created C:\Windows\SysWOW64\Oendaipn.exe Ondleo32.exe File created C:\Windows\SysWOW64\Fnihje32.dll Afhfaddk.exe File created C:\Windows\SysWOW64\Egbdjhlp.exe Ephlnn32.exe File opened for modification C:\Windows\SysWOW64\Eoekde32.exe Efjgpc32.exe File created C:\Windows\SysWOW64\Fhiphi32.exe Fghcqq32.exe File opened for modification C:\Windows\SysWOW64\Cnboma32.exe Cejjdlap.exe File opened for modification C:\Windows\SysWOW64\Fagcfc32.exe Emikpeig.exe File created C:\Windows\SysWOW64\Djndja32.dll Ablahjhj.exe File created C:\Windows\SysWOW64\Finnef32.exe Fbdehlip.exe File created C:\Windows\SysWOW64\Acgfec32.exe Aeffgkkp.exe File opened for modification C:\Windows\SysWOW64\Hocjaj32.exe Gekeie32.exe File created C:\Windows\SysWOW64\Joqafgni.exe Ibjqaf32.exe File opened for modification C:\Windows\SysWOW64\Akhaipei.exe Qghlmbae.exe File created C:\Windows\SysWOW64\Doagjc32.exe Doojec32.exe File opened for modification C:\Windows\SysWOW64\Mkicjgnn.exe Meljappg.exe File opened for modification C:\Windows\SysWOW64\Mfgiof32.exe Mkadam32.exe File created C:\Windows\SysWOW64\Genmbb32.dll Aekdolkj.exe File opened for modification C:\Windows\SysWOW64\Dcdpakii.exe Dlfniafa.exe File created C:\Windows\SysWOW64\Ahmjjoig.exe Qjiipk32.exe File opened for modification C:\Windows\SysWOW64\Bgnffj32.exe Bkgeainn.exe File created C:\Windows\SysWOW64\Cejjdlap.exe Cnmebblf.exe File created C:\Windows\SysWOW64\Fiheheka.exe Fkgejncb.exe File created C:\Windows\SysWOW64\Hmbqdiko.dll Bnobfn32.exe File created C:\Windows\SysWOW64\Papambbb.dll Dkhgod32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodebo32.dll" Cigkdmel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onjebpml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjikhb32.dll" Fhdocc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enaaiifb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijblmdkg.dll" Kdbchp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihkjno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joqafgni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aiplmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obkcmi32.dll" Aeffgkkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofhqmba.dll" Lpghfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Indkpcdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnpiedch.dll" Hfkdkqeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbooabbb.dll" Qfgfpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hahnld32.dll" Clffalkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlqpaafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfgace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljjpnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdbmifdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abcgjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chfaenfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bilcol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldlmieaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efegoj32.dll" Jognokdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlqgpnjq.dll" Pcpgmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifdgaond.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoenbkll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdknpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmlafk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oihkgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nofmndkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qimdklek.dll" Imcqacfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkchpoka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfnooe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Figgdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjggal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeffgkkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcaeea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enlqdc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 0bf7fea449dabf1d3778c76b1f7baa94d99d0ce6f5e8889d8ee917c34c850727.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joqafgni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lefkkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kiodha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjdiadlg.dll" Kfjjbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmpjfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfabmmhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcnmhpoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbokab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Heegad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdhdbhl.dll" Olnmdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnpognhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnmopk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pddlig32.dll" Hjaioe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eebgqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfeaclj.dll" Pndhhnda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okpkgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlnbhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebpmamlm.dll" Kejloi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkkfal32.dll" Meljappg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aikbpckb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpjompqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhdocc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcpdidol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqbohocd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djipbbne.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2160 wrote to memory of 4648 2160 0bf7fea449dabf1d3778c76b1f7baa94d99d0ce6f5e8889d8ee917c34c850727.exe 94 PID 2160 wrote to memory of 4648 2160 0bf7fea449dabf1d3778c76b1f7baa94d99d0ce6f5e8889d8ee917c34c850727.exe 94 PID 2160 wrote to memory of 4648 2160 0bf7fea449dabf1d3778c76b1f7baa94d99d0ce6f5e8889d8ee917c34c850727.exe 94 PID 4648 wrote to memory of 1660 4648 Gnepna32.exe 95 PID 4648 wrote to memory of 1660 4648 Gnepna32.exe 95 PID 4648 wrote to memory of 1660 4648 Gnepna32.exe 95 PID 1660 wrote to memory of 2076 1660 Gimqajgh.exe 96 PID 1660 wrote to memory of 2076 1660 Gimqajgh.exe 96 PID 1660 wrote to memory of 2076 1660 Gimqajgh.exe 96 PID 2076 wrote to memory of 3452 2076 Hedafk32.exe 98 PID 2076 wrote to memory of 3452 2076 Hedafk32.exe 98 PID 2076 wrote to memory of 3452 2076 Hedafk32.exe 98 PID 3452 wrote to memory of 5032 3452 Hefnkkkj.exe 99 PID 3452 wrote to memory of 5032 3452 Hefnkkkj.exe 99 PID 3452 wrote to memory of 5032 3452 Hefnkkkj.exe 99 PID 5032 wrote to memory of 948 5032 Hffken32.exe 100 PID 5032 wrote to memory of 948 5032 Hffken32.exe 100 PID 5032 wrote to memory of 948 5032 Hffken32.exe 100 PID 948 wrote to memory of 1480 948 Hfhgkmpj.exe 101 PID 948 wrote to memory of 1480 948 Hfhgkmpj.exe 101 PID 948 wrote to memory of 1480 948 Hfhgkmpj.exe 101 PID 1480 wrote to memory of 1980 1480 Hfjdqmng.exe 102 PID 1480 wrote to memory of 1980 1480 Hfjdqmng.exe 102 PID 1480 wrote to memory of 1980 1480 Hfjdqmng.exe 102 PID 1980 wrote to memory of 1284 1980 Hpchib32.exe 103 PID 1980 wrote to memory of 1284 1980 Hpchib32.exe 103 PID 1980 wrote to memory of 1284 1980 Hpchib32.exe 103 PID 1284 wrote to memory of 3648 1284 Iepaaico.exe 104 PID 1284 wrote to memory of 3648 1284 Iepaaico.exe 104 PID 1284 wrote to memory of 3648 1284 Iepaaico.exe 104 PID 3648 wrote to memory of 5016 3648 Iebngial.exe 105 PID 3648 wrote to memory of 5016 3648 Iebngial.exe 105 PID 3648 wrote to memory of 5016 3648 Iebngial.exe 105 PID 5016 wrote to memory of 2136 5016 Ibfnqmpf.exe 106 PID 5016 wrote to memory of 2136 5016 Ibfnqmpf.exe 106 PID 5016 wrote to memory of 2136 5016 Ibfnqmpf.exe 106 PID 2136 wrote to memory of 3536 2136 Ibhkfm32.exe 107 PID 2136 wrote to memory of 3536 2136 Ibhkfm32.exe 107 PID 2136 wrote to memory of 3536 2136 Ibhkfm32.exe 107 PID 3536 wrote to memory of 2836 3536 Joahqn32.exe 109 PID 3536 wrote to memory of 2836 3536 Joahqn32.exe 109 PID 3536 wrote to memory of 2836 3536 Joahqn32.exe 109 PID 2836 wrote to memory of 4620 2836 Opnbae32.exe 110 PID 2836 wrote to memory of 4620 2836 Opnbae32.exe 110 PID 2836 wrote to memory of 4620 2836 Opnbae32.exe 110 PID 4620 wrote to memory of 2192 4620 Opclldhj.exe 111 PID 4620 wrote to memory of 2192 4620 Opclldhj.exe 111 PID 4620 wrote to memory of 2192 4620 Opclldhj.exe 111 PID 2192 wrote to memory of 4460 2192 Ojhpimhp.exe 112 PID 2192 wrote to memory of 4460 2192 Ojhpimhp.exe 112 PID 2192 wrote to memory of 4460 2192 Ojhpimhp.exe 112 PID 4460 wrote to memory of 3904 4460 Pccahbmn.exe 113 PID 4460 wrote to memory of 3904 4460 Pccahbmn.exe 113 PID 4460 wrote to memory of 3904 4460 Pccahbmn.exe 113 PID 3904 wrote to memory of 1028 3904 Pfdjinjo.exe 114 PID 3904 wrote to memory of 1028 3904 Pfdjinjo.exe 114 PID 3904 wrote to memory of 1028 3904 Pfdjinjo.exe 114 PID 1028 wrote to memory of 1296 1028 Pnmopk32.exe 115 PID 1028 wrote to memory of 1296 1028 Pnmopk32.exe 115 PID 1028 wrote to memory of 1296 1028 Pnmopk32.exe 115 PID 1296 wrote to memory of 3852 1296 Ppolhcnm.exe 116 PID 1296 wrote to memory of 3852 1296 Ppolhcnm.exe 116 PID 1296 wrote to memory of 3852 1296 Ppolhcnm.exe 116 PID 3852 wrote to memory of 732 3852 Ppahmb32.exe 117
Processes
-
C:\Users\Admin\AppData\Local\Temp\0bf7fea449dabf1d3778c76b1f7baa94d99d0ce6f5e8889d8ee917c34c850727.exe"C:\Users\Admin\AppData\Local\Temp\0bf7fea449dabf1d3778c76b1f7baa94d99d0ce6f5e8889d8ee917c34c850727.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Gnepna32.exeC:\Windows\system32\Gnepna32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Windows\SysWOW64\Gimqajgh.exeC:\Windows\system32\Gimqajgh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Hedafk32.exeC:\Windows\system32\Hedafk32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Hefnkkkj.exeC:\Windows\system32\Hefnkkkj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Windows\SysWOW64\Hffken32.exeC:\Windows\system32\Hffken32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Hfhgkmpj.exeC:\Windows\system32\Hfhgkmpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\SysWOW64\Hfjdqmng.exeC:\Windows\system32\Hfjdqmng.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\Hpchib32.exeC:\Windows\system32\Hpchib32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Iepaaico.exeC:\Windows\system32\Iepaaico.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Iebngial.exeC:\Windows\system32\Iebngial.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Windows\SysWOW64\Ibfnqmpf.exeC:\Windows\system32\Ibfnqmpf.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\Ibhkfm32.exeC:\Windows\system32\Ibhkfm32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Joahqn32.exeC:\Windows\system32\Joahqn32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Windows\SysWOW64\Opnbae32.exeC:\Windows\system32\Opnbae32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Opclldhj.exeC:\Windows\system32\Opclldhj.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\Ojhpimhp.exeC:\Windows\system32\Ojhpimhp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Pccahbmn.exeC:\Windows\system32\Pccahbmn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\SysWOW64\Pfdjinjo.exeC:\Windows\system32\Pfdjinjo.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\Pnmopk32.exeC:\Windows\system32\Pnmopk32.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\Ppolhcnm.exeC:\Windows\system32\Ppolhcnm.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Ppahmb32.exeC:\Windows\system32\Ppahmb32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Windows\SysWOW64\Qobhkjdi.exeC:\Windows\system32\Qobhkjdi.exe23⤵
- Executes dropped EXE
PID:732 -
C:\Windows\SysWOW64\Qjiipk32.exeC:\Windows\system32\Qjiipk32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3272 -
C:\Windows\SysWOW64\Ahmjjoig.exeC:\Windows\system32\Ahmjjoig.exe25⤵
- Executes dropped EXE
PID:3572 -
C:\Windows\SysWOW64\Aphnnafb.exeC:\Windows\system32\Aphnnafb.exe26⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Aoioli32.exeC:\Windows\system32\Aoioli32.exe27⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Agdcpkll.exeC:\Windows\system32\Agdcpkll.exe28⤵
- Executes dropped EXE
PID:3372 -
C:\Windows\SysWOW64\Aajhndkb.exeC:\Windows\system32\Aajhndkb.exe29⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Akblfj32.exeC:\Windows\system32\Akblfj32.exe30⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Ahfmpnql.exeC:\Windows\system32\Ahfmpnql.exe31⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Amcehdod.exeC:\Windows\system32\Amcehdod.exe32⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Bkgeainn.exeC:\Windows\system32\Bkgeainn.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Bgnffj32.exeC:\Windows\system32\Bgnffj32.exe34⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Bklomh32.exeC:\Windows\system32\Bklomh32.exe35⤵
- Executes dropped EXE
PID:4764 -
C:\Windows\SysWOW64\Bnlhncgi.exeC:\Windows\system32\Bnlhncgi.exe36⤵
- Executes dropped EXE
PID:3992 -
C:\Windows\SysWOW64\Bdfpkm32.exeC:\Windows\system32\Bdfpkm32.exe37⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Cgifbhid.exeC:\Windows\system32\Cgifbhid.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2252 -
C:\Windows\SysWOW64\Cpbjkn32.exeC:\Windows\system32\Cpbjkn32.exe39⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Ckgohf32.exeC:\Windows\system32\Ckgohf32.exe40⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Dafppp32.exeC:\Windows\system32\Dafppp32.exe41⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Dhphmj32.exeC:\Windows\system32\Dhphmj32.exe42⤵
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\Dqnjgl32.exeC:\Windows\system32\Dqnjgl32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4196 -
C:\Windows\SysWOW64\Doojec32.exeC:\Windows\system32\Doojec32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4892 -
C:\Windows\SysWOW64\Doagjc32.exeC:\Windows\system32\Doagjc32.exe45⤵
- Executes dropped EXE
PID:3520 -
C:\Windows\SysWOW64\Dkhgod32.exeC:\Windows\system32\Dkhgod32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:924 -
C:\Windows\SysWOW64\Ekjded32.exeC:\Windows\system32\Ekjded32.exe47⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Ebdlangb.exeC:\Windows\system32\Ebdlangb.exe48⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Edeeci32.exeC:\Windows\system32\Edeeci32.exe49⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Ekcgkb32.exeC:\Windows\system32\Ekcgkb32.exe50⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Figgdg32.exeC:\Windows\system32\Figgdg32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5108 -
C:\Windows\SysWOW64\Fdnhih32.exeC:\Windows\system32\Fdnhih32.exe52⤵
- Executes dropped EXE
PID:5136 -
C:\Windows\SysWOW64\Fnfmbmbi.exeC:\Windows\system32\Fnfmbmbi.exe53⤵
- Executes dropped EXE
PID:5176 -
C:\Windows\SysWOW64\Fbdehlip.exeC:\Windows\system32\Fbdehlip.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5220 -
C:\Windows\SysWOW64\Finnef32.exeC:\Windows\system32\Finnef32.exe55⤵
- Executes dropped EXE
PID:5264 -
C:\Windows\SysWOW64\Fajbjh32.exeC:\Windows\system32\Fajbjh32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5304 -
C:\Windows\SysWOW64\Galoohke.exeC:\Windows\system32\Galoohke.exe57⤵
- Executes dropped EXE
PID:5344 -
C:\Windows\SysWOW64\Gkaclqkk.exeC:\Windows\system32\Gkaclqkk.exe58⤵
- Executes dropped EXE
PID:5384 -
C:\Windows\SysWOW64\Gejhef32.exeC:\Windows\system32\Gejhef32.exe59⤵
- Executes dropped EXE
PID:5424 -
C:\Windows\SysWOW64\Gbnhoj32.exeC:\Windows\system32\Gbnhoj32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5456 -
C:\Windows\SysWOW64\Gndick32.exeC:\Windows\system32\Gndick32.exe61⤵
- Executes dropped EXE
PID:5504 -
C:\Windows\SysWOW64\Gijmad32.exeC:\Windows\system32\Gijmad32.exe62⤵
- Executes dropped EXE
PID:5540 -
C:\Windows\SysWOW64\Gngeik32.exeC:\Windows\system32\Gngeik32.exe63⤵
- Executes dropped EXE
PID:5588 -
C:\Windows\SysWOW64\Hlkfbocp.exeC:\Windows\system32\Hlkfbocp.exe64⤵
- Executes dropped EXE
PID:5632 -
C:\Windows\SysWOW64\Hlmchoan.exeC:\Windows\system32\Hlmchoan.exe65⤵
- Executes dropped EXE
PID:5676 -
C:\Windows\SysWOW64\Heegad32.exeC:\Windows\system32\Heegad32.exe66⤵
- Modifies registry class
PID:5716 -
C:\Windows\SysWOW64\Hhfpbpdo.exeC:\Windows\system32\Hhfpbpdo.exe67⤵PID:5772
-
C:\Windows\SysWOW64\Ihkjno32.exeC:\Windows\system32\Ihkjno32.exe68⤵
- Modifies registry class
PID:5832 -
C:\Windows\SysWOW64\Iimcma32.exeC:\Windows\system32\Iimcma32.exe69⤵PID:5904
-
C:\Windows\SysWOW64\Ilnlom32.exeC:\Windows\system32\Ilnlom32.exe70⤵PID:5944
-
C:\Windows\SysWOW64\Ibgdlg32.exeC:\Windows\system32\Ibgdlg32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5984 -
C:\Windows\SysWOW64\Ihdldn32.exeC:\Windows\system32\Ihdldn32.exe72⤵PID:6040
-
C:\Windows\SysWOW64\Ibjqaf32.exeC:\Windows\system32\Ibjqaf32.exe73⤵
- Drops file in System32 directory
PID:6080 -
C:\Windows\SysWOW64\Joqafgni.exeC:\Windows\system32\Joqafgni.exe74⤵
- Modifies registry class
PID:6120 -
C:\Windows\SysWOW64\Jifecp32.exeC:\Windows\system32\Jifecp32.exe75⤵PID:5132
-
C:\Windows\SysWOW64\Jocnlg32.exeC:\Windows\system32\Jocnlg32.exe76⤵PID:5212
-
C:\Windows\SysWOW64\Jbagbebm.exeC:\Windows\system32\Jbagbebm.exe77⤵PID:5244
-
C:\Windows\SysWOW64\Jhnojl32.exeC:\Windows\system32\Jhnojl32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5336 -
C:\Windows\SysWOW64\Jbccge32.exeC:\Windows\system32\Jbccge32.exe79⤵PID:5416
-
C:\Windows\SysWOW64\Jojdlfeo.exeC:\Windows\system32\Jojdlfeo.exe80⤵PID:5488
-
C:\Windows\SysWOW64\Kibeoo32.exeC:\Windows\system32\Kibeoo32.exe81⤵PID:5536
-
C:\Windows\SysWOW64\Kplmliko.exeC:\Windows\system32\Kplmliko.exe82⤵PID:5612
-
C:\Windows\SysWOW64\Khgbqkhj.exeC:\Windows\system32\Khgbqkhj.exe83⤵PID:5684
-
C:\Windows\SysWOW64\Kpqggh32.exeC:\Windows\system32\Kpqggh32.exe84⤵PID:5184
-
C:\Windows\SysWOW64\Mjggal32.exeC:\Windows\system32\Mjggal32.exe85⤵
- Modifies registry class
PID:4100 -
C:\Windows\SysWOW64\Modpib32.exeC:\Windows\system32\Modpib32.exe86⤵PID:5856
-
C:\Windows\SysWOW64\Mfpell32.exeC:\Windows\system32\Mfpell32.exe87⤵PID:5952
-
C:\Windows\SysWOW64\Mcdeeq32.exeC:\Windows\system32\Mcdeeq32.exe88⤵PID:6032
-
C:\Windows\SysWOW64\Nckkfp32.exeC:\Windows\system32\Nckkfp32.exe89⤵PID:6100
-
C:\Windows\SysWOW64\Njedbjej.exeC:\Windows\system32\Njedbjej.exe90⤵PID:3332
-
C:\Windows\SysWOW64\Nfldgk32.exeC:\Windows\system32\Nfldgk32.exe91⤵PID:5256
-
C:\Windows\SysWOW64\Nofefp32.exeC:\Windows\system32\Nofefp32.exe92⤵PID:5328
-
C:\Windows\SysWOW64\Njljch32.exeC:\Windows\system32\Njljch32.exe93⤵PID:5452
-
C:\Windows\SysWOW64\Obgohklm.exeC:\Windows\system32\Obgohklm.exe94⤵PID:5640
-
C:\Windows\SysWOW64\Ojemig32.exeC:\Windows\system32\Ojemig32.exe95⤵PID:5728
-
C:\Windows\SysWOW64\Oikjkc32.exeC:\Windows\system32\Oikjkc32.exe96⤵PID:5800
-
C:\Windows\SysWOW64\Pcpnhl32.exeC:\Windows\system32\Pcpnhl32.exe97⤵PID:5932
-
C:\Windows\SysWOW64\Pfepdg32.exeC:\Windows\system32\Pfepdg32.exe98⤵PID:6112
-
C:\Windows\SysWOW64\Pjcikejg.exeC:\Windows\system32\Pjcikejg.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5364 -
C:\Windows\SysWOW64\Qpbnhl32.exeC:\Windows\system32\Qpbnhl32.exe100⤵PID:1776
-
C:\Windows\SysWOW64\Abcgjg32.exeC:\Windows\system32\Abcgjg32.exe101⤵
- Modifies registry class
PID:5604 -
C:\Windows\SysWOW64\Amikgpcc.exeC:\Windows\system32\Amikgpcc.exe102⤵
- Drops file in System32 directory
PID:6104 -
C:\Windows\SysWOW64\Aiplmq32.exeC:\Windows\system32\Aiplmq32.exe103⤵
- Modifies registry class
PID:5172 -
C:\Windows\SysWOW64\Aplaoj32.exeC:\Windows\system32\Aplaoj32.exe104⤵PID:5628
-
C:\Windows\SysWOW64\Afhfaddk.exeC:\Windows\system32\Afhfaddk.exe105⤵
- Drops file in System32 directory
PID:5796 -
C:\Windows\SysWOW64\Bboffejp.exeC:\Windows\system32\Bboffejp.exe106⤵PID:5844
-
C:\Windows\SysWOW64\Cigkdmel.exeC:\Windows\system32\Cigkdmel.exe107⤵
- Modifies registry class
PID:6068 -
C:\Windows\SysWOW64\Ckggnp32.exeC:\Windows\system32\Ckggnp32.exe108⤵PID:5672
-
C:\Windows\SysWOW64\Caqpkjcl.exeC:\Windows\system32\Caqpkjcl.exe109⤵PID:6180
-
C:\Windows\SysWOW64\Cildom32.exeC:\Windows\system32\Cildom32.exe110⤵PID:6236
-
C:\Windows\SysWOW64\Daeifj32.exeC:\Windows\system32\Daeifj32.exe111⤵
- Drops file in System32 directory
PID:6276 -
C:\Windows\SysWOW64\Dnngpj32.exeC:\Windows\system32\Dnngpj32.exe112⤵PID:6324
-
C:\Windows\SysWOW64\Ddhomdje.exeC:\Windows\system32\Ddhomdje.exe113⤵PID:6364
-
C:\Windows\SysWOW64\Epdime32.exeC:\Windows\system32\Epdime32.exe114⤵PID:6408
-
C:\Windows\SysWOW64\Ekqckmfb.exeC:\Windows\system32\Ekqckmfb.exe115⤵PID:6460
-
C:\Windows\SysWOW64\Fnffhgon.exeC:\Windows\system32\Fnffhgon.exe116⤵PID:6532
-
C:\Windows\SysWOW64\Fkjfakng.exeC:\Windows\system32\Fkjfakng.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6604 -
C:\Windows\SysWOW64\Fnjocf32.exeC:\Windows\system32\Fnjocf32.exe118⤵PID:6640
-
C:\Windows\SysWOW64\Gbhhieao.exeC:\Windows\system32\Gbhhieao.exe119⤵PID:6692
-
C:\Windows\SysWOW64\Gjcmngnj.exeC:\Windows\system32\Gjcmngnj.exe120⤵PID:6732
-
C:\Windows\SysWOW64\Gqnejaff.exeC:\Windows\system32\Gqnejaff.exe121⤵PID:6780
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-