Analysis
-
max time kernel
152s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
29/03/2024, 17:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0a2c6fe5f0c6260358684c0a305efea5c54ead121a2d06f82c2c14edb60eec65.exe
Resource
win7-20240221-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
0a2c6fe5f0c6260358684c0a305efea5c54ead121a2d06f82c2c14edb60eec65.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
0a2c6fe5f0c6260358684c0a305efea5c54ead121a2d06f82c2c14edb60eec65.exe
-
Size
45KB
-
MD5
a7e77bd9e37e87c0da733979d804919f
-
SHA1
79057419c5e127d3a905139b14ef15938f609397
-
SHA256
0a2c6fe5f0c6260358684c0a305efea5c54ead121a2d06f82c2c14edb60eec65
-
SHA512
a2f1bcf921d4b480029667dcd215123fc8f77352160645499ad25aa6799e01516e306a5aa078ad45e3447909198f4bd72abc014e97eaaaf66b6349b194ec8c45
-
SSDEEP
768:j9Qp8NK352IVSwMKX1ajUwmZ1vyukw2WpukS/1H5WT:BNq2rfKX8OZxyu72CYW
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdpicj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndidna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epgdch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhaeli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnmcdm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pplcnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihkpgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mncmck32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kemhpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glngep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjecjahd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljjpnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcinie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jabgkpad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhljpcfk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haafnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppepkmhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bajqpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jekqgnno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbpihlbn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imfill32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfjpppbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpfmlghd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjmodffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjdokb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpoljg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkobdeok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlbbel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inejlibi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bafnmnjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhgeao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emfebjgb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmbaggce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fooclapd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hklglk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkabefqp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iannpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leenanik.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahmjjoig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bichcc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adcjop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbnjcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eomfae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oepipo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbdano32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hahlnefd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inecac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngbgmpcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehifpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldbjah32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfdinf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anaofa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efdbhpbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhfenc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amgekh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amibqhed.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahiiqafa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfjcpc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfhbifgq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dplebmbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oomelheh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibmmbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffjdjmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boknic32.exe -
Executes dropped EXE 64 IoCs
pid Process 2620 Mmmqhl32.exe 748 Njjdho32.exe 1008 Nfaemp32.exe 2336 Npiiffqe.exe 5048 Ogcnmc32.exe 3360 Oclkgccf.exe 1648 Ocohmc32.exe 3508 Paeelgnj.exe 1924 Pnifekmd.exe 3656 Pjbcplpe.exe 1812 Phfcipoo.exe 1204 Qfkqjmdg.exe 1232 Qfmmplad.exe 1752 Ahmjjoig.exe 560 Adcjop32.exe 1624 Aajhndkb.exe 2360 Amcehdod.exe 2004 Bhhiemoj.exe 1516 Bgnffj32.exe 1004 Bdagpnbk.exe 1636 Bkphhgfc.exe 3816 Cammjakm.exe 3652 Cpbjkn32.exe 4104 Cpdgqmnb.exe 2840 Dnonkq32.exe 2024 Dhgonidg.exe 4608 Ekjded32.exe 1444 Egaejeej.exe 4068 Eomffaag.exe 3844 Fooclapd.exe 1760 Fbplml32.exe 1068 Finnef32.exe 3300 Fajbjh32.exe 3996 Gpolbo32.exe 4220 Glfmgp32.exe 2928 Hlkfbocp.exe 1724 Hiacacpg.exe 2936 Hnbeeiji.exe 4988 Hihibbjo.exe 2388 Iehmmb32.exe 4316 Joqafgni.exe 2592 Jemfhacc.exe 3224 Jhnojl32.exe 4856 Jbepme32.exe 3292 Kekbjo32.exe 1804 Ljbnfleo.exe 4780 Mledmg32.exe 2304 Nbbeml32.exe 644 Ncbafoge.exe 1480 Oophlo32.exe 1656 Omfekbdh.exe 3316 Piocecgj.exe 976 Pcegclgp.exe 4516 Paihlpfi.exe 1836 Qamago32.exe 4960 Qjhbfd32.exe 4088 Apjdikqd.exe 1120 Baepolni.exe 2992 Cmbgdl32.exe 4708 Cpfmlghd.exe 2384 Dgbanq32.exe 1944 Ddklbd32.exe 1564 Edfknb32.exe 2240 Fboecfii.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Haaocp32.exe Hhhkjj32.exe File created C:\Windows\SysWOW64\Icpnjl32.dll Ndphpk32.exe File created C:\Windows\SysWOW64\Hjmchc32.dll Hmbflc32.exe File created C:\Windows\SysWOW64\Egaejeej.exe Ekjded32.exe File opened for modification C:\Windows\SysWOW64\Ilgcblnp.exe Iibaeb32.exe File created C:\Windows\SysWOW64\Kmaooihb.exe Kfggbope.exe File created C:\Windows\SysWOW64\Ppeipfdm.exe Plbfohbl.exe File created C:\Windows\SysWOW64\Ehkllbpl.dll Aqmldddb.exe File created C:\Windows\SysWOW64\Fpckjlje.exe Fnqebaog.exe File created C:\Windows\SysWOW64\Npmkdm32.dll Kdjhkp32.exe File created C:\Windows\SysWOW64\Mjbikolk.dll Jcmkjeko.exe File opened for modification C:\Windows\SysWOW64\Haclio32.exe Haaocp32.exe File created C:\Windows\SysWOW64\Hlnbhlof.dll Gfbpfedp.exe File opened for modification C:\Windows\SysWOW64\Bmkcjd32.exe Bjlgnh32.exe File created C:\Windows\SysWOW64\Gkhkdjli.exe Gdobgp32.exe File created C:\Windows\SysWOW64\Ogokeh32.dll Ppepkmhi.exe File created C:\Windows\SysWOW64\Efgono32.exe Eomfae32.exe File created C:\Windows\SysWOW64\Fbgnbigb.dll Nkgmmpab.exe File created C:\Windows\SysWOW64\Ehddpdlc.exe Dkedjbgg.exe File created C:\Windows\SysWOW64\Gfbpfedp.exe Gohhik32.exe File created C:\Windows\SysWOW64\Pmomfb32.dll Ccnnmmbp.exe File opened for modification C:\Windows\SysWOW64\Gqmnpk32.exe Fljlom32.exe File opened for modification C:\Windows\SysWOW64\Phfhfa32.exe Omlkmign.exe File created C:\Windows\SysWOW64\Fqhfobnm.dll Cqfahh32.exe File created C:\Windows\SysWOW64\Dhdkig32.exe Cajblmci.exe File created C:\Windows\SysWOW64\Bijnai32.dll Laqhao32.exe File opened for modification C:\Windows\SysWOW64\Nolekd32.exe Mdddhlbl.exe File opened for modification C:\Windows\SysWOW64\Agjhbbob.exe Pgeogb32.exe File created C:\Windows\SysWOW64\Jjcqffkm.exe Jqklnp32.exe File created C:\Windows\SysWOW64\Pnbmmabm.dll Ehifpm32.exe File opened for modification C:\Windows\SysWOW64\Pmlmdd32.exe Olfgbl32.exe File created C:\Windows\SysWOW64\Nolekd32.exe Mdddhlbl.exe File created C:\Windows\SysWOW64\Pofbggpf.dll Iohlcg32.exe File created C:\Windows\SysWOW64\Cfoece32.dll Elagjihh.exe File opened for modification C:\Windows\SysWOW64\Mnochl32.exe Mgdklb32.exe File created C:\Windows\SysWOW64\Jlkafdco.exe Jjihfbno.exe File opened for modification C:\Windows\SysWOW64\Aifpoj32.exe Apnkfelb.exe File created C:\Windows\SysWOW64\Mkcjlf32.exe Mdibplaf.exe File opened for modification C:\Windows\SysWOW64\Phaabm32.exe Pmlmdd32.exe File created C:\Windows\SysWOW64\Mkdkdafo.dll Falcli32.exe File opened for modification C:\Windows\SysWOW64\Jojboa32.exe Jhpjbgne.exe File created C:\Windows\SysWOW64\Iannpa32.exe Ibmmbj32.exe File created C:\Windows\SysWOW64\Dampal32.exe Dhdkig32.exe File created C:\Windows\SysWOW64\Jaadfkaa.dll Medqmb32.exe File created C:\Windows\SysWOW64\Bjjcea32.dll Oiihkncb.exe File opened for modification C:\Windows\SysWOW64\Bfchcijo.exe Bmkcjd32.exe File created C:\Windows\SysWOW64\Imfill32.exe Igmqpbab.exe File created C:\Windows\SysWOW64\Lqhdlc32.exe Lfbpnjjd.exe File created C:\Windows\SysWOW64\Phmknd32.dll Kjopbd32.exe File created C:\Windows\SysWOW64\Iibaeb32.exe Hommhi32.exe File opened for modification C:\Windows\SysWOW64\Dfjgjf32.exe Dpqonl32.exe File opened for modification C:\Windows\SysWOW64\Aepklffh.exe Qkjgomgb.exe File created C:\Windows\SysWOW64\Ojigbcoh.dll Boeelcmm.exe File created C:\Windows\SysWOW64\Hbjonepq.exe Cninnnfe.exe File opened for modification C:\Windows\SysWOW64\Diopep32.exe Dhpdkm32.exe File opened for modification C:\Windows\SysWOW64\Fkbkoo32.exe Fiaogfai.exe File created C:\Windows\SysWOW64\Gbjlgj32.exe Gbhpajlj.exe File created C:\Windows\SysWOW64\Bjcfeola.exe Bcinie32.exe File created C:\Windows\SysWOW64\Kadnfkji.exe Jnalem32.exe File created C:\Windows\SysWOW64\Lgnpeenp.dll Pplcnf32.exe File opened for modification C:\Windows\SysWOW64\Mgngih32.exe Mkgfdgpq.exe File created C:\Windows\SysWOW64\Jedjkkmo.exe Jojboa32.exe File created C:\Windows\SysWOW64\Ohgokknb.exe Oookbega.exe File created C:\Windows\SysWOW64\Bdcngdld.dll Ajcdhj32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlfniafa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igcojdhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Appaki32.dll" Ggnenagl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndnlgk32.dll" Olphlcdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohahkojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agjhbbob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kblidkhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgqdal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oagpne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emioab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdaqhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlnbhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpmmfbfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqbjnc32.dll" Lflpmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pblhalfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkhkdjli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkphhgfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqdpfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pllnbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmgcej32.dll" Cnokhonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fajbjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbkeacqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anfbja32.dll" Ebnocpfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfjpppbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hingefqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paapjc32.dll" Pmlmdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dncmld32.dll" Cmdhnhkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqnofkkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donjdabe.dll" Mncmck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edkddeag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olnedl32.dll" Gnkajapa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbneij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odhipp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkgicccd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlohlk32.dll" Amcehdod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obbcmknk.dll" Bbbkbbkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olqqdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdnol32.dll" Hbegakcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohfddi32.dll" Acjjpllp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfbpfedp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pidaleei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbpihlbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oifoah32.dll" Ekjded32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbcimhh.dll" Feifgnki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imjgbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajqmddce.dll" Phfhfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cniekq32.dll" Dnmgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbmmabm.dll" Ehifpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inkjao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbikdbnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpolbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pncmdhlq.dll" Gqnejaff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jaimko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqbagd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnpice32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phioej32.dll" Mflidl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Modffifb.dll" Plhgdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejaecdnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chkhbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kopmaddf.dll" Igdnkhoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Beomhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkfelqpk.dll" Jmplbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpfcelml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqnnomfq.dll" Foonjd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3264 wrote to memory of 2620 3264 0a2c6fe5f0c6260358684c0a305efea5c54ead121a2d06f82c2c14edb60eec65.exe 95 PID 3264 wrote to memory of 2620 3264 0a2c6fe5f0c6260358684c0a305efea5c54ead121a2d06f82c2c14edb60eec65.exe 95 PID 3264 wrote to memory of 2620 3264 0a2c6fe5f0c6260358684c0a305efea5c54ead121a2d06f82c2c14edb60eec65.exe 95 PID 2620 wrote to memory of 748 2620 Mmmqhl32.exe 96 PID 2620 wrote to memory of 748 2620 Mmmqhl32.exe 96 PID 2620 wrote to memory of 748 2620 Mmmqhl32.exe 96 PID 748 wrote to memory of 1008 748 Njjdho32.exe 97 PID 748 wrote to memory of 1008 748 Njjdho32.exe 97 PID 748 wrote to memory of 1008 748 Njjdho32.exe 97 PID 1008 wrote to memory of 2336 1008 Nfaemp32.exe 98 PID 1008 wrote to memory of 2336 1008 Nfaemp32.exe 98 PID 1008 wrote to memory of 2336 1008 Nfaemp32.exe 98 PID 2336 wrote to memory of 5048 2336 Npiiffqe.exe 99 PID 2336 wrote to memory of 5048 2336 Npiiffqe.exe 99 PID 2336 wrote to memory of 5048 2336 Npiiffqe.exe 99 PID 5048 wrote to memory of 3360 5048 Ogcnmc32.exe 100 PID 5048 wrote to memory of 3360 5048 Ogcnmc32.exe 100 PID 5048 wrote to memory of 3360 5048 Ogcnmc32.exe 100 PID 3360 wrote to memory of 1648 3360 Oclkgccf.exe 101 PID 3360 wrote to memory of 1648 3360 Oclkgccf.exe 101 PID 3360 wrote to memory of 1648 3360 Oclkgccf.exe 101 PID 1648 wrote to memory of 3508 1648 Ocohmc32.exe 102 PID 1648 wrote to memory of 3508 1648 Ocohmc32.exe 102 PID 1648 wrote to memory of 3508 1648 Ocohmc32.exe 102 PID 3508 wrote to memory of 1924 3508 Paeelgnj.exe 103 PID 3508 wrote to memory of 1924 3508 Paeelgnj.exe 103 PID 3508 wrote to memory of 1924 3508 Paeelgnj.exe 103 PID 1924 wrote to memory of 3656 1924 Pnifekmd.exe 104 PID 1924 wrote to memory of 3656 1924 Pnifekmd.exe 104 PID 1924 wrote to memory of 3656 1924 Pnifekmd.exe 104 PID 3656 wrote to memory of 1812 3656 Pjbcplpe.exe 105 PID 3656 wrote to memory of 1812 3656 Pjbcplpe.exe 105 PID 3656 wrote to memory of 1812 3656 Pjbcplpe.exe 105 PID 1812 wrote to memory of 1204 1812 Phfcipoo.exe 106 PID 1812 wrote to memory of 1204 1812 Phfcipoo.exe 106 PID 1812 wrote to memory of 1204 1812 Phfcipoo.exe 106 PID 1204 wrote to memory of 1232 1204 Qfkqjmdg.exe 107 PID 1204 wrote to memory of 1232 1204 Qfkqjmdg.exe 107 PID 1204 wrote to memory of 1232 1204 Qfkqjmdg.exe 107 PID 1232 wrote to memory of 1752 1232 Qfmmplad.exe 108 PID 1232 wrote to memory of 1752 1232 Qfmmplad.exe 108 PID 1232 wrote to memory of 1752 1232 Qfmmplad.exe 108 PID 1752 wrote to memory of 560 1752 Ahmjjoig.exe 109 PID 1752 wrote to memory of 560 1752 Ahmjjoig.exe 109 PID 1752 wrote to memory of 560 1752 Ahmjjoig.exe 109 PID 560 wrote to memory of 1624 560 Adcjop32.exe 110 PID 560 wrote to memory of 1624 560 Adcjop32.exe 110 PID 560 wrote to memory of 1624 560 Adcjop32.exe 110 PID 1624 wrote to memory of 2360 1624 Aajhndkb.exe 111 PID 1624 wrote to memory of 2360 1624 Aajhndkb.exe 111 PID 1624 wrote to memory of 2360 1624 Aajhndkb.exe 111 PID 2360 wrote to memory of 2004 2360 Amcehdod.exe 112 PID 2360 wrote to memory of 2004 2360 Amcehdod.exe 112 PID 2360 wrote to memory of 2004 2360 Amcehdod.exe 112 PID 2004 wrote to memory of 1516 2004 Bhhiemoj.exe 113 PID 2004 wrote to memory of 1516 2004 Bhhiemoj.exe 113 PID 2004 wrote to memory of 1516 2004 Bhhiemoj.exe 113 PID 1516 wrote to memory of 1004 1516 Bgnffj32.exe 114 PID 1516 wrote to memory of 1004 1516 Bgnffj32.exe 114 PID 1516 wrote to memory of 1004 1516 Bgnffj32.exe 114 PID 1004 wrote to memory of 1636 1004 Bdagpnbk.exe 115 PID 1004 wrote to memory of 1636 1004 Bdagpnbk.exe 115 PID 1004 wrote to memory of 1636 1004 Bdagpnbk.exe 115 PID 1636 wrote to memory of 3816 1636 Bkphhgfc.exe 116
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a2c6fe5f0c6260358684c0a305efea5c54ead121a2d06f82c2c14edb60eec65.exe"C:\Users\Admin\AppData\Local\Temp\0a2c6fe5f0c6260358684c0a305efea5c54ead121a2d06f82c2c14edb60eec65.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Windows\SysWOW64\Mmmqhl32.exeC:\Windows\system32\Mmmqhl32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Njjdho32.exeC:\Windows\system32\Njjdho32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\Nfaemp32.exeC:\Windows\system32\Nfaemp32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\Npiiffqe.exeC:\Windows\system32\Npiiffqe.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Ogcnmc32.exeC:\Windows\system32\Ogcnmc32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Windows\SysWOW64\Oclkgccf.exeC:\Windows\system32\Oclkgccf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3360 -
C:\Windows\SysWOW64\Ocohmc32.exeC:\Windows\system32\Ocohmc32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Paeelgnj.exeC:\Windows\system32\Paeelgnj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Windows\SysWOW64\Pnifekmd.exeC:\Windows\system32\Pnifekmd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Pjbcplpe.exeC:\Windows\system32\Pjbcplpe.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\Phfcipoo.exeC:\Windows\system32\Phfcipoo.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Qfkqjmdg.exeC:\Windows\system32\Qfkqjmdg.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\SysWOW64\Qfmmplad.exeC:\Windows\system32\Qfmmplad.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Windows\SysWOW64\Ahmjjoig.exeC:\Windows\system32\Ahmjjoig.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Adcjop32.exeC:\Windows\system32\Adcjop32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Windows\SysWOW64\Aajhndkb.exeC:\Windows\system32\Aajhndkb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Amcehdod.exeC:\Windows\system32\Amcehdod.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Bhhiemoj.exeC:\Windows\system32\Bhhiemoj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Bgnffj32.exeC:\Windows\system32\Bgnffj32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Bdagpnbk.exeC:\Windows\system32\Bdagpnbk.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\Bkphhgfc.exeC:\Windows\system32\Bkphhgfc.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Cammjakm.exeC:\Windows\system32\Cammjakm.exe23⤵
- Executes dropped EXE
PID:3816 -
C:\Windows\SysWOW64\Cpbjkn32.exeC:\Windows\system32\Cpbjkn32.exe24⤵
- Executes dropped EXE
PID:3652 -
C:\Windows\SysWOW64\Cpdgqmnb.exeC:\Windows\system32\Cpdgqmnb.exe25⤵
- Executes dropped EXE
PID:4104 -
C:\Windows\SysWOW64\Dnonkq32.exeC:\Windows\system32\Dnonkq32.exe26⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Dhgonidg.exeC:\Windows\system32\Dhgonidg.exe27⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Ekjded32.exeC:\Windows\system32\Ekjded32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4608 -
C:\Windows\SysWOW64\Egaejeej.exeC:\Windows\system32\Egaejeej.exe29⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Eomffaag.exeC:\Windows\system32\Eomffaag.exe30⤵
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Fooclapd.exeC:\Windows\system32\Fooclapd.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3844 -
C:\Windows\SysWOW64\Fbplml32.exeC:\Windows\system32\Fbplml32.exe32⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Finnef32.exeC:\Windows\system32\Finnef32.exe33⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Fajbjh32.exeC:\Windows\system32\Fajbjh32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:3300 -
C:\Windows\SysWOW64\Gpolbo32.exeC:\Windows\system32\Gpolbo32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:3996 -
C:\Windows\SysWOW64\Glfmgp32.exeC:\Windows\system32\Glfmgp32.exe36⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Hlkfbocp.exeC:\Windows\system32\Hlkfbocp.exe37⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Hiacacpg.exeC:\Windows\system32\Hiacacpg.exe38⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Hnbeeiji.exeC:\Windows\system32\Hnbeeiji.exe39⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Hihibbjo.exeC:\Windows\system32\Hihibbjo.exe40⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Iehmmb32.exeC:\Windows\system32\Iehmmb32.exe41⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Joqafgni.exeC:\Windows\system32\Joqafgni.exe42⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Jemfhacc.exeC:\Windows\system32\Jemfhacc.exe43⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Jhnojl32.exeC:\Windows\system32\Jhnojl32.exe44⤵
- Executes dropped EXE
PID:3224 -
C:\Windows\SysWOW64\Jbepme32.exeC:\Windows\system32\Jbepme32.exe45⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Kekbjo32.exeC:\Windows\system32\Kekbjo32.exe46⤵
- Executes dropped EXE
PID:3292 -
C:\Windows\SysWOW64\Ljbnfleo.exeC:\Windows\system32\Ljbnfleo.exe47⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Mledmg32.exeC:\Windows\system32\Mledmg32.exe48⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Nbbeml32.exeC:\Windows\system32\Nbbeml32.exe49⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Ncbafoge.exeC:\Windows\system32\Ncbafoge.exe50⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Oophlo32.exeC:\Windows\system32\Oophlo32.exe51⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Omfekbdh.exeC:\Windows\system32\Omfekbdh.exe52⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Piocecgj.exeC:\Windows\system32\Piocecgj.exe53⤵
- Executes dropped EXE
PID:3316 -
C:\Windows\SysWOW64\Pcegclgp.exeC:\Windows\system32\Pcegclgp.exe54⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Paihlpfi.exeC:\Windows\system32\Paihlpfi.exe55⤵
- Executes dropped EXE
PID:4516 -
C:\Windows\SysWOW64\Qamago32.exeC:\Windows\system32\Qamago32.exe56⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Qjhbfd32.exeC:\Windows\system32\Qjhbfd32.exe57⤵
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\Apjdikqd.exeC:\Windows\system32\Apjdikqd.exe58⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Baepolni.exeC:\Windows\system32\Baepolni.exe59⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Cmbgdl32.exeC:\Windows\system32\Cmbgdl32.exe60⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Cpfmlghd.exeC:\Windows\system32\Cpfmlghd.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Dgbanq32.exeC:\Windows\system32\Dgbanq32.exe62⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Ddklbd32.exeC:\Windows\system32\Ddklbd32.exe63⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Edfknb32.exeC:\Windows\system32\Edfknb32.exe64⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Fboecfii.exeC:\Windows\system32\Fboecfii.exe65⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Fcpakn32.exeC:\Windows\system32\Fcpakn32.exe66⤵PID:3772
-
C:\Windows\SysWOW64\Gqnejaff.exeC:\Windows\system32\Gqnejaff.exe67⤵
- Modifies registry class
PID:5104 -
C:\Windows\SysWOW64\Hjmodffo.exeC:\Windows\system32\Hjmodffo.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1040 -
C:\Windows\SysWOW64\Hgeihiac.exeC:\Windows\system32\Hgeihiac.exe69⤵PID:3632
-
C:\Windows\SysWOW64\Hbknebqi.exeC:\Windows\system32\Hbknebqi.exe70⤵PID:3312
-
C:\Windows\SysWOW64\Infhebbh.exeC:\Windows\system32\Infhebbh.exe71⤵PID:3368
-
C:\Windows\SysWOW64\Ijbbfc32.exeC:\Windows\system32\Ijbbfc32.exe72⤵PID:5140
-
C:\Windows\SysWOW64\Jjdokb32.exeC:\Windows\system32\Jjdokb32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5184 -
C:\Windows\SysWOW64\Janghmia.exeC:\Windows\system32\Janghmia.exe74⤵PID:5240
-
C:\Windows\SysWOW64\Jjihfbno.exeC:\Windows\system32\Jjihfbno.exe75⤵
- Drops file in System32 directory
PID:5292 -
C:\Windows\SysWOW64\Jlkafdco.exeC:\Windows\system32\Jlkafdco.exe76⤵PID:5328
-
C:\Windows\SysWOW64\Kkpnga32.exeC:\Windows\system32\Kkpnga32.exe77⤵PID:5372
-
C:\Windows\SysWOW64\Kefbdjgm.exeC:\Windows\system32\Kefbdjgm.exe78⤵PID:5412
-
C:\Windows\SysWOW64\Klddlckd.exeC:\Windows\system32\Klddlckd.exe79⤵PID:5460
-
C:\Windows\SysWOW64\Lajokiaa.exeC:\Windows\system32\Lajokiaa.exe80⤵PID:5504
-
C:\Windows\SysWOW64\Madbagif.exeC:\Windows\system32\Madbagif.exe81⤵PID:5552
-
C:\Windows\SysWOW64\Nlnpio32.exeC:\Windows\system32\Nlnpio32.exe82⤵PID:5592
-
C:\Windows\SysWOW64\Ndidna32.exeC:\Windows\system32\Ndidna32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5648 -
C:\Windows\SysWOW64\Ollljmhg.exeC:\Windows\system32\Ollljmhg.exe84⤵PID:5708
-
C:\Windows\SysWOW64\Oomelheh.exeC:\Windows\system32\Oomelheh.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5756 -
C:\Windows\SysWOW64\Podkmgop.exeC:\Windows\system32\Podkmgop.exe86⤵PID:5800
-
C:\Windows\SysWOW64\Pfncia32.exeC:\Windows\system32\Pfncia32.exe87⤵PID:5900
-
C:\Windows\SysWOW64\Pcdqhecd.exeC:\Windows\system32\Pcdqhecd.exe88⤵PID:5948
-
C:\Windows\SysWOW64\Pcfmneaa.exeC:\Windows\system32\Pcfmneaa.exe89⤵PID:5988
-
C:\Windows\SysWOW64\Qihoak32.exeC:\Windows\system32\Qihoak32.exe90⤵PID:6028
-
C:\Windows\SysWOW64\Qpbgnecp.exeC:\Windows\system32\Qpbgnecp.exe91⤵PID:6108
-
C:\Windows\SysWOW64\Apgqie32.exeC:\Windows\system32\Apgqie32.exe92⤵PID:5132
-
C:\Windows\SysWOW64\Afqifo32.exeC:\Windows\system32\Afqifo32.exe93⤵PID:5312
-
C:\Windows\SysWOW64\Apkjddke.exeC:\Windows\system32\Apkjddke.exe94⤵PID:5400
-
C:\Windows\SysWOW64\Albkieqj.exeC:\Windows\system32\Albkieqj.exe95⤵PID:5548
-
C:\Windows\SysWOW64\Bpbpecen.exeC:\Windows\system32\Bpbpecen.exe96⤵PID:5656
-
C:\Windows\SysWOW64\Blknpdho.exeC:\Windows\system32\Blknpdho.exe97⤵PID:5684
-
C:\Windows\SysWOW64\Bbefln32.exeC:\Windows\system32\Bbefln32.exe98⤵PID:5784
-
C:\Windows\SysWOW64\Bmkjig32.exeC:\Windows\system32\Bmkjig32.exe99⤵PID:5840
-
C:\Windows\SysWOW64\Cbjogmlf.exeC:\Windows\system32\Cbjogmlf.exe100⤵PID:5980
-
C:\Windows\SysWOW64\Edakimoo.exeC:\Windows\system32\Edakimoo.exe101⤵PID:6036
-
C:\Windows\SysWOW64\Egpgehnb.exeC:\Windows\system32\Egpgehnb.exe102⤵PID:3712
-
C:\Windows\SysWOW64\Emioab32.exeC:\Windows\system32\Emioab32.exe103⤵
- Modifies registry class
PID:5176 -
C:\Windows\SysWOW64\Fnqebaog.exeC:\Windows\system32\Fnqebaog.exe104⤵
- Drops file in System32 directory
PID:5628 -
C:\Windows\SysWOW64\Fpckjlje.exeC:\Windows\system32\Fpckjlje.exe105⤵PID:5688
-
C:\Windows\SysWOW64\Ffpcbchm.exeC:\Windows\system32\Ffpcbchm.exe106⤵PID:5864
-
C:\Windows\SysWOW64\Fljlom32.exeC:\Windows\system32\Fljlom32.exe107⤵
- Drops file in System32 directory
PID:5924 -
C:\Windows\SysWOW64\Gqmnpk32.exeC:\Windows\system32\Gqmnpk32.exe108⤵PID:4748
-
C:\Windows\SysWOW64\Hfnpca32.exeC:\Windows\system32\Hfnpca32.exe109⤵PID:5152
-
C:\Windows\SysWOW64\Hjabdo32.exeC:\Windows\system32\Hjabdo32.exe110⤵PID:5360
-
C:\Windows\SysWOW64\Hdffah32.exeC:\Windows\system32\Hdffah32.exe111⤵PID:5788
-
C:\Windows\SysWOW64\Hjcojo32.exeC:\Windows\system32\Hjcojo32.exe112⤵PID:5920
-
C:\Windows\SysWOW64\Ifmldo32.exeC:\Windows\system32\Ifmldo32.exe113⤵PID:5428
-
C:\Windows\SysWOW64\Jakchf32.exeC:\Windows\system32\Jakchf32.exe114⤵PID:5696
-
C:\Windows\SysWOW64\Jeilne32.exeC:\Windows\system32\Jeilne32.exe115⤵PID:6068
-
C:\Windows\SysWOW64\Jjknakhq.exeC:\Windows\system32\Jjknakhq.exe116⤵PID:5632
-
C:\Windows\SysWOW64\Kjpgmj32.exeC:\Windows\system32\Kjpgmj32.exe117⤵PID:6088
-
C:\Windows\SysWOW64\Keekjc32.exeC:\Windows\system32\Keekjc32.exe118⤵PID:1688
-
C:\Windows\SysWOW64\Kdjhkp32.exeC:\Windows\system32\Kdjhkp32.exe119⤵
- Drops file in System32 directory
PID:6000 -
C:\Windows\SysWOW64\Ldoafodd.exeC:\Windows\system32\Ldoafodd.exe120⤵PID:6152
-
C:\Windows\SysWOW64\Ljijci32.exeC:\Windows\system32\Ljijci32.exe121⤵PID:6196
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-