Analysis
max time kernel: 162s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/04/2024, 21:22
Static task: static1 (1 signatures)
Behavioral task: behavioral1
Sample: 0db90cde50d17eeb4f1b5ba622e2e53b.exe
Resource: win7-20240220-en
7 signatures, 150 seconds
Behavioral task: behavioral2
Sample: 0db90cde50d17eeb4f1b5ba622e2e53b.exe
Resource: win10v2004-20240226-en
6 signatures, 150 seconds
General
Target: 0db90cde50d17eeb4f1b5ba622e2e53b.exe
Size: 276KB
MD5: 0db90cde50d17eeb4f1b5ba622e2e53b
SHA1: 6fa90c6bda8d884ffa73ede538fd415847f96311
SHA256: cf6411eb00bf2f29f21b8578cce8e9f2bdef57dc2e21b0522603ca1aa7131e47
SHA512: 3869a51ac953c57ba8b7716251da3554701093e4142cd93f37efb2c293e81d885298ea2e456b54fb623d8d0d6049cae8267ca25fc93229dc6bee0bdf2f034682
SSDEEP: 6144:VZKbCT0I5fdWZHEFJ7aWN1rtMsQBOSGaF+:LOCTBH2HEGWN1RMs1S7
Score: 10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid 2544, pid_target 9316, Process WerFault.exe, procid_target 1020
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Each entry gives the nesting depth, image path, command line and PID, followed by the behaviour flags recorded for that process. Each process is the child of the one listed before it.
1. C:\Users\Admin\AppData\Local\Temp\0db90cde50d17eeb4f1b5ba622e2e53b.exe (command line: "C:\Users\Admin\AppData\Local\Temp\0db90cde50d17eeb4f1b5ba622e2e53b.exe"), PID 2024
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Ohmepbki.exe (command line: C:\Windows\system32\Ohmepbki.exe), PID 4908
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Ajhndgjj.exe (command line: C:\Windows\system32\Ajhndgjj.exe), PID 3564
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Aqfolqna.exe (command line: C:\Windows\system32\Aqfolqna.exe), PID 4712
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Agcdnjcl.exe (command line: C:\Windows\system32\Agcdnjcl.exe), PID 2280
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Bqkigp32.exe (command line: C:\Windows\system32\Bqkigp32.exe), PID 2348
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Bqnemp32.exe (command line: C:\Windows\system32\Bqnemp32.exe), PID 1672
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Bjfjee32.exe (command line: C:\Windows\system32\Bjfjee32.exe), PID 4872
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Bhgjcmfi.exe (command line: C:\Windows\system32\Bhgjcmfi.exe), PID 2708
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Bndblcdq.exe (command line: C:\Windows\system32\Bndblcdq.exe), PID 3644
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Cegnol32.exe (command line: C:\Windows\system32\Cegnol32.exe), PID 2940
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Cejjdlap.exe (command line: C:\Windows\system32\Cejjdlap.exe), PID 1652
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Dlhlleeh.exe (command line: C:\Windows\system32\Dlhlleeh.exe), PID 3252
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Decmjjie.exe (command line: C:\Windows\system32\Decmjjie.exe), PID 4412
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Dbijinfl.exe (command line: C:\Windows\system32\Dbijinfl.exe), PID 1280
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Ejdonq32.exe (command line: C:\Windows\system32\Ejdonq32.exe), PID 3500
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Eejcki32.exe (command line: C:\Windows\system32\Eejcki32.exe), PID 4816
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Eelpqi32.exe (command line: C:\Windows\system32\Eelpqi32.exe), PID 3308
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Eeomfioh.exe (command line: C:\Windows\system32\Eeomfioh.exe), PID 4184
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Ebejem32.exe (command line: C:\Windows\system32\Ebejem32.exe), PID 4352
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Fbggkl32.exe (command line: C:\Windows\system32\Fbggkl32.exe), PID 5012
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Fhdocc32.exe (command line: C:\Windows\system32\Fhdocc32.exe), PID 392
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Flddoa32.exe (command line: C:\Windows\system32\Flddoa32.exe), PID 4372
- Executes dropped EXE
24. C:\Windows\SysWOW64\Flgadake.exe (command line: C:\Windows\system32\Flgadake.exe), PID 5100
- Executes dropped EXE
25. C:\Windows\SysWOW64\Glpdjpbj.exe (command line: C:\Windows\system32\Glpdjpbj.exe), PID 2428
- Executes dropped EXE
26. C:\Windows\SysWOW64\Gekeie32.exe (command line: C:\Windows\system32\Gekeie32.exe), PID 4640
- Executes dropped EXE
27. C:\Windows\SysWOW64\Hcofbifb.exe (command line: C:\Windows\system32\Hcofbifb.exe), PID 612
- Executes dropped EXE
- Modifies registry class
28. C:\Windows\SysWOW64\Jkcfch32.exe (command line: C:\Windows\system32\Jkcfch32.exe), PID 4732
- Executes dropped EXE
29. C:\Windows\SysWOW64\Kmhlijpm.exe (command line: C:\Windows\system32\Kmhlijpm.exe), PID 4992
- Executes dropped EXE
30. C:\Windows\SysWOW64\Komoed32.exe (command line: C:\Windows\system32\Komoed32.exe), PID 1172
- Executes dropped EXE
31. C:\Windows\SysWOW64\Lfnmcnjn.exe (command line: C:\Windows\system32\Lfnmcnjn.exe), PID 64
- Executes dropped EXE
32. C:\Windows\SysWOW64\Lmheph32.exe (command line: C:\Windows\system32\Lmheph32.exe), PID 2800
- Executes dropped EXE
33. C:\Windows\SysWOW64\Lmkbeg32.exe (command line: C:\Windows\system32\Lmkbeg32.exe), PID 1688
- Executes dropped EXE
34. C:\Windows\SysWOW64\Mbjgcnll.exe (command line: C:\Windows\system32\Mbjgcnll.exe), PID 2524
- Executes dropped EXE
35. C:\Windows\SysWOW64\Mmokpglb.exe (command line: C:\Windows\system32\Mmokpglb.exe), PID 4808
- Executes dropped EXE
36. C:\Windows\SysWOW64\Mfhpilbc.exe (command line: C:\Windows\system32\Mfhpilbc.exe), PID 1572
- Executes dropped EXE
37. C:\Windows\SysWOW64\Mimbfg32.exe (command line: C:\Windows\system32\Mimbfg32.exe), PID 3576
- Executes dropped EXE
38. C:\Windows\SysWOW64\Nfcoekhe.exe (command line: C:\Windows\system32\Nfcoekhe.exe), PID 4916
- Executes dropped EXE
39. C:\Windows\SysWOW64\Npldnp32.exe (command line: C:\Windows\system32\Npldnp32.exe), PID 3180
- Executes dropped EXE
40. C:\Windows\SysWOW64\Nmpdgdmp.exe (command line: C:\Windows\system32\Nmpdgdmp.exe), PID 1624
- Executes dropped EXE
- Modifies registry class
41. C:\Windows\SysWOW64\Odqbdnod.exe (command line: C:\Windows\system32\Odqbdnod.exe), PID 2696
- Executes dropped EXE
42. C:\Windows\SysWOW64\Odcojm32.exe (command line: C:\Windows\system32\Odcojm32.exe), PID 3672
- Executes dropped EXE
43. C:\Windows\SysWOW64\Olndnp32.exe (command line: C:\Windows\system32\Olndnp32.exe), PID 1836
- Executes dropped EXE
44. C:\Windows\SysWOW64\Okodlgbl.exe (command line: C:\Windows\system32\Okodlgbl.exe), PID 4044
- Executes dropped EXE
45. C:\Windows\SysWOW64\Olqqdo32.exe (command line: C:\Windows\system32\Olqqdo32.exe), PID 2840
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
46. C:\Windows\SysWOW64\Offeahhp.exe (command line: C:\Windows\system32\Offeahhp.exe), PID 804
- Executes dropped EXE
47. C:\Windows\SysWOW64\Ppccemjk.exe (command line: C:\Windows\system32\Ppccemjk.exe), PID 3960
- Executes dropped EXE
48. C:\Windows\SysWOW64\Pdalkk32.exe (command line: C:\Windows\system32\Pdalkk32.exe), PID 4928
- Executes dropped EXE
- Drops file in System32 directory
49. C:\Windows\SysWOW64\Pmipdq32.exe (command line: C:\Windows\system32\Pmipdq32.exe), PID 776
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
50. C:\Windows\SysWOW64\Pgbdmfnc.exe (command line: C:\Windows\system32\Pgbdmfnc.exe), PID 4792
- Executes dropped EXE
51. C:\Windows\SysWOW64\Qmlmjq32.exe (command line: C:\Windows\system32\Qmlmjq32.exe), PID 540
- Executes dropped EXE
52. C:\Windows\SysWOW64\Qibmoa32.exe (command line: C:\Windows\system32\Qibmoa32.exe), PID 4072
- Executes dropped EXE
53. C:\Windows\SysWOW64\Qpmfklbq.exe (command line: C:\Windows\system32\Qpmfklbq.exe), PID 1760
- Executes dropped EXE
54. C:\Windows\SysWOW64\Akbjidbf.exe (command line: C:\Windows\system32\Akbjidbf.exe), PID 3684
- Executes dropped EXE
55. C:\Windows\SysWOW64\Acmomgoa.exe (command line: C:\Windows\system32\Acmomgoa.exe), PID 4032
- Executes dropped EXE
56. C:\Windows\SysWOW64\Ajggjq32.exe (command line: C:\Windows\system32\Ajggjq32.exe), PID 2192
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
57. C:\Windows\SysWOW64\Anjikoip.exe (command line: C:\Windows\system32\Anjikoip.exe), PID 4376
- Executes dropped EXE
58. C:\Windows\SysWOW64\Addahh32.exe (command line: C:\Windows\system32\Addahh32.exe), PID 4600
- Executes dropped EXE
59. C:\Windows\SysWOW64\Bpkbmi32.exe (command line: C:\Windows\system32\Bpkbmi32.exe), PID 3436
- Executes dropped EXE
- Modifies registry class
60. C:\Windows\SysWOW64\Bdhkchlg.exe (command line: C:\Windows\system32\Bdhkchlg.exe), PID 1176
- Executes dropped EXE
- Drops file in System32 directory
61. C:\Windows\SysWOW64\Bdpqcg32.exe (command line: C:\Windows\system32\Bdpqcg32.exe), PID 1644
- Executes dropped EXE
62. C:\Windows\SysWOW64\Cnhell32.exe (command line: C:\Windows\system32\Cnhell32.exe), PID 2252
- Executes dropped EXE
63. C:\Windows\SysWOW64\Cgbfka32.exe (command line: C:\Windows\system32\Cgbfka32.exe), PID 3768
- Executes dropped EXE
64. C:\Windows\SysWOW64\Ccigpbga.exe (command line: C:\Windows\system32\Ccigpbga.exe), PID 2532
- Executes dropped EXE
65. C:\Windows\SysWOW64\Cjcolm32.exe (command line: C:\Windows\system32\Cjcolm32.exe), PID 384
- Executes dropped EXE
66. C:\Windows\SysWOW64\Cggpfa32.exe (command line: C:\Windows\system32\Cggpfa32.exe), PID 3540
67. C:\Windows\SysWOW64\Cmdhnhkp.exe (command line: C:\Windows\system32\Cmdhnhkp.exe), PID 4040
68. C:\Windows\SysWOW64\Dcnqkb32.exe (command line: C:\Windows\system32\Dcnqkb32.exe), PID 904
69. C:\Windows\SysWOW64\Dmfecgim.exe (command line: C:\Windows\system32\Dmfecgim.exe), PID 4784
- Modifies registry class
70. C:\Windows\SysWOW64\Dcqmpa32.exe (command line: C:\Windows\system32\Dcqmpa32.exe), PID 5104
71. C:\Windows\SysWOW64\Dgnffp32.exe (command line: C:\Windows\system32\Dgnffp32.exe), PID 3544
72. C:\Windows\SysWOW64\Dcegkamd.exe (command line: C:\Windows\system32\Dcegkamd.exe), PID 3008
73. C:\Windows\SysWOW64\Dqigee32.exe (command line: C:\Windows\system32\Dqigee32.exe), PID 4668
74. C:\Windows\SysWOW64\Djalnkbo.exe (command line: C:\Windows\system32\Djalnkbo.exe), PID 2960
75. C:\Windows\SysWOW64\Ejfeij32.exe (command line: C:\Windows\system32\Ejfeij32.exe), PID 1632
76. C:\Windows\SysWOW64\Endnohdp.exe (command line: C:\Windows\system32\Endnohdp.exe), PID 5040
77. C:\Windows\SysWOW64\Eenflbll.exe (command line: C:\Windows\system32\Eenflbll.exe), PID 5144
78. C:\Windows\SysWOW64\Ejmkiiha.exe (command line: C:\Windows\system32\Ejmkiiha.exe), PID 5184
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
79. C:\Windows\SysWOW64\Fhalcm32.exe (command line: C:\Windows\system32\Fhalcm32.exe), PID 5220
- Modifies registry class
80. C:\Windows\SysWOW64\Faiplcmk.exe (command line: C:\Windows\system32\Faiplcmk.exe), PID 5268
81. C:\Windows\SysWOW64\Fnmqegle.exe (command line: C:\Windows\system32\Fnmqegle.exe), PID 5304
82. C:\Windows\SysWOW64\Fhfenmbe.exe (command line: C:\Windows\system32\Fhfenmbe.exe), PID 5352
83. C:\Windows\SysWOW64\Fnpmkg32.exe (command line: C:\Windows\system32\Fnpmkg32.exe), PID 5448
84. C:\Windows\SysWOW64\Goipae32.exe (command line: C:\Windows\system32\Goipae32.exe), PID 5488
- Drops file in System32 directory
85. C:\Windows\SysWOW64\Gdfhil32.exe (command line: C:\Windows\system32\Gdfhil32.exe), PID 5532
86. C:\Windows\SysWOW64\Gdheol32.exe (command line: C:\Windows\system32\Gdheol32.exe), PID 5584
87. C:\Windows\SysWOW64\Gkbnkfei.exe (command line: C:\Windows\system32\Gkbnkfei.exe), PID 5624
88. C:\Windows\SysWOW64\Galfhpmf.exe (command line: C:\Windows\system32\Galfhpmf.exe), PID 5672
- Modifies registry class
89. C:\Windows\SysWOW64\Gkdjaf32.exe (command line: C:\Windows\system32\Gkdjaf32.exe), PID 5716
90. C:\Windows\SysWOW64\Hejono32.exe (command line: C:\Windows\system32\Hejono32.exe), PID 5772
91. C:\Windows\SysWOW64\Hkggfe32.exe (command line: C:\Windows\system32\Hkggfe32.exe), PID 5812
92. C:\Windows\SysWOW64\Hdokok32.exe (command line: C:\Windows\system32\Hdokok32.exe), PID 5856
93. C:\Windows\SysWOW64\Hkiclepa.exe (command line: C:\Windows\system32\Hkiclepa.exe), PID 5900
94. C:\Windows\SysWOW64\Hlipfh32.exe (command line: C:\Windows\system32\Hlipfh32.exe), PID 5940
95. C:\Windows\SysWOW64\Haeino32.exe (command line: C:\Windows\system32\Haeino32.exe), PID 5984
96. C:\Windows\SysWOW64\Hlkmlhea.exe (command line: C:\Windows\system32\Hlkmlhea.exe), PID 6032
97. C:\Windows\SysWOW64\Ioclnblj.exe (command line: C:\Windows\system32\Ioclnblj.exe), PID 6068
98. C:\Windows\SysWOW64\Idpdfija.exe (command line: C:\Windows\system32\Idpdfija.exe), PID 6120
99. C:\Windows\SysWOW64\Ioeicajh.exe (command line: C:\Windows\system32\Ioeicajh.exe), PID 5152
100. C:\Windows\SysWOW64\Jhpjbgne.exe (command line: C:\Windows\system32\Jhpjbgne.exe), PID 5228
101. C:\Windows\SysWOW64\Jahnkl32.exe (command line: C:\Windows\system32\Jahnkl32.exe), PID 5276
- Adds autorun key to be loaded by Explorer.exe on startup
102. C:\Windows\SysWOW64\Jolodqcp.exe (command line: C:\Windows\system32\Jolodqcp.exe), PID 5348
- Adds autorun key to be loaded by Explorer.exe on startup
103. C:\Windows\SysWOW64\Jkcpia32.exe (command line: C:\Windows\system32\Jkcpia32.exe), PID 5472
104. C:\Windows\SysWOW64\Jehcfj32.exe (command line: C:\Windows\system32\Jehcfj32.exe), PID 5528
- Adds autorun key to be loaded by Explorer.exe on startup
105. C:\Windows\SysWOW64\Jlblcdpf.exe (command line: C:\Windows\system32\Jlblcdpf.exe), PID 5620
106. C:\Windows\SysWOW64\Jndhkmfe.exe (command line: C:\Windows\system32\Jndhkmfe.exe), PID 5708
107. C:\Windows\SysWOW64\Koeajo32.exe (command line: C:\Windows\system32\Koeajo32.exe), PID 5780
- Adds autorun key to be loaded by Explorer.exe on startup
108. C:\Windows\SysWOW64\Kfpjgi32.exe (command line: C:\Windows\system32\Kfpjgi32.exe), PID 5844
109. C:\Windows\SysWOW64\Kkooep32.exe (command line: C:\Windows\system32\Kkooep32.exe), PID 5888
110. C:\Windows\SysWOW64\Kbigajfc.exe (command line: C:\Windows\system32\Kbigajfc.exe), PID 5972
111. C:\Windows\SysWOW64\Kdipce32.exe (command line: C:\Windows\system32\Kdipce32.exe), PID 6048
112. C:\Windows\SysWOW64\Lhgiic32.exe (command line: C:\Windows\system32\Lhgiic32.exe), PID 6112
113. C:\Windows\SysWOW64\Lndaaj32.exe (command line: C:\Windows\system32\Lndaaj32.exe), PID 3508
114. C:\Windows\SysWOW64\Ldnjndpo.exe (command line: C:\Windows\system32\Ldnjndpo.exe), PID 5264
- Modifies registry class
115. C:\Windows\SysWOW64\Lkhbko32.exe (command line: C:\Windows\system32\Lkhbko32.exe), PID 5340
116. C:\Windows\SysWOW64\Lilbdcfe.exe (command line: C:\Windows\system32\Lilbdcfe.exe), PID 5480
117. C:\Windows\SysWOW64\Lkmkfncf.exe (command line: C:\Windows\system32\Lkmkfncf.exe), PID 5576
118. C:\Windows\SysWOW64\Lfbpcgbl.exe (command line: C:\Windows\system32\Lfbpcgbl.exe), PID 5728
119. C:\Windows\SysWOW64\Mmlhpaji.exe (command line: C:\Windows\system32\Mmlhpaji.exe), PID 556
120. C:\Windows\SysWOW64\Mfdlif32.exe (command line: C:\Windows\system32\Mfdlif32.exe), PID 5804
- Adds autorun key to be loaded by Explorer.exe on startup
121. C:\Windows\SysWOW64\Mkadam32.exe (command line: C:\Windows\system32\Mkadam32.exe), PID 5916
122. C:\Windows\SysWOW64\Mejijcea.exe (command line: C:\Windows\system32\Mejijcea.exe), PID 6016