Analysis
max time kernel: 154s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 20/04/2024, 00:43
Static task: static1
Behavioral task: behavioral1
  Sample: 9ca5e907b1b38925104269fe9fd881351bf67fdab8a1e959e2e01880e7783c40.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 9ca5e907b1b38925104269fe9fd881351bf67fdab8a1e959e2e01880e7783c40.exe
  Resource: win10v2004-20240226-en
General
Target: 9ca5e907b1b38925104269fe9fd881351bf67fdab8a1e959e2e01880e7783c40.exe
Size: 144KB
MD5: 0fb344a0e6fddfdee399405e522511c6
SHA1: 0a37985e57cac962c3edf7d10c820d8a236719dd
SHA256: 9ca5e907b1b38925104269fe9fd881351bf67fdab8a1e959e2e01880e7783c40
SHA512: dfb984d8eaf483ba65099d32ec4ade640bbe3256ca258fa4ea3e11566732132c08569c3505866953cef0aec74fc9499c0231f354ed5c4d21717812979cc901f4
SSDEEP: 3072:glLjK9XECDH+MQH2qC7ZQOlzSLUK6MwGsGnDc9nhVizLrId0:gO90UH+MQWfdQOhwJ6MwGsmLrId0
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\9ca5e907b1b38925104269fe9fd881351bf67fdab8a1e959e2e01880e7783c40.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9ca5e907b1b38925104269fe9fd881351bf67fdab8a1e959e2e01880e7783c40.exe"
  PID: 3544
  - Suspicious use of WriteProcessMemory
Depth 2: C:\Windows\SysWOW64\Phneqf32.exe
  Command line: C:\Windows\system32\Phneqf32.exe
  PID: 2224
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 3: C:\Windows\SysWOW64\Ciogobcm.exe
  Command line: C:\Windows\system32\Ciogobcm.exe
  PID: 2852
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 4: C:\Windows\SysWOW64\Dijgjpip.exe
  Command line: C:\Windows\system32\Dijgjpip.exe
  PID: 5396
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 5: C:\Windows\SysWOW64\Ehpmbj32.exe
  Command line: C:\Windows\system32\Ehpmbj32.exe
  PID: 4532
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 6: C:\Windows\SysWOW64\Fidbgm32.exe
  Command line: C:\Windows\system32\Fidbgm32.exe
  PID: 3384
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 7: C:\Windows\SysWOW64\Fochecog.exe
  Command line: C:\Windows\system32\Fochecog.exe
  PID: 3080
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
Depth 8: C:\Windows\SysWOW64\Gebimmco.exe
  Command line: C:\Windows\system32\Gebimmco.exe
  PID: 5908
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
Depth 9: C:\Windows\SysWOW64\Gckcap32.exe
  Command line: C:\Windows\system32\Gckcap32.exe
  PID: 5888
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 10: C:\Windows\SysWOW64\Hlhaee32.exe
  Command line: C:\Windows\system32\Hlhaee32.exe
  PID: 4980
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
Depth 11: C:\Windows\SysWOW64\Igghilhi.exe
  Command line: C:\Windows\system32\Igghilhi.exe
  PID: 5504
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 12: C:\Windows\SysWOW64\Icbbimih.exe
  Command line: C:\Windows\system32\Icbbimih.exe
  PID: 4600
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 13: C:\Windows\SysWOW64\Jqklnp32.exe
  Command line: C:\Windows\system32\Jqklnp32.exe
  PID: 5564
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 14: C:\Windows\SysWOW64\Kcehejic.exe
  Command line: C:\Windows\system32\Kcehejic.exe
  PID: 4668
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 15: C:\Windows\SysWOW64\Kgemahmg.exe
  Command line: C:\Windows\system32\Kgemahmg.exe
  PID: 5876
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 16: C:\Windows\SysWOW64\Maeaajpl.exe
  Command line: C:\Windows\system32\Maeaajpl.exe
  PID: 1084
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
Depth 17: C:\Windows\SysWOW64\Nhcbidcd.exe
  Command line: C:\Windows\system32\Nhcbidcd.exe
  PID: 5400
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 18: C:\Windows\SysWOW64\Nkghqo32.exe
  Command line: C:\Windows\system32\Nkghqo32.exe
  PID: 4012
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 19: C:\Windows\SysWOW64\Odaiodbp.exe
  Command line: C:\Windows\system32\Odaiodbp.exe
  PID: 3804
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 20: C:\Windows\SysWOW64\Onngci32.exe
  Command line: C:\Windows\system32\Onngci32.exe
  PID: 6036
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 21: C:\Windows\SysWOW64\Ppamjcpj.exe
  Command line: C:\Windows\system32\Ppamjcpj.exe
  PID: 3388
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 22: C:\Windows\SysWOW64\Pjoknhbe.exe
  Command line: C:\Windows\system32\Pjoknhbe.exe
  PID: 1144
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
Depth 23: C:\Windows\SysWOW64\Adnbapjp.exe
  Command line: C:\Windows\system32\Adnbapjp.exe
  PID: 5000
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
Depth 24: C:\Windows\SysWOW64\Ajodef32.exe
  Command line: C:\Windows\system32\Ajodef32.exe
- Executes dropped EXE
PID:3872 -
C:\Windows\SysWOW64\Njfafhjf.exeC:\Windows\system32\Njfafhjf.exe25⤵
- Executes dropped EXE
PID:5176 -
C:\Windows\SysWOW64\Pidamcgd.exeC:\Windows\system32\Pidamcgd.exe26⤵
- Executes dropped EXE
PID:4764 -
C:\Windows\SysWOW64\Pilgnb32.exeC:\Windows\system32\Pilgnb32.exe27⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Pgphggpe.exeC:\Windows\system32\Pgphggpe.exe28⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Qmlmjq32.exeC:\Windows\system32\Qmlmjq32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:3516 -
C:\Windows\SysWOW64\Qnniopcm.exeC:\Windows\system32\Qnniopcm.exe30⤵
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Aiejda32.exeC:\Windows\system32\Aiejda32.exe31⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Adjnaj32.exeC:\Windows\system32\Adjnaj32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4440 -
C:\Windows\SysWOW64\Bjeckojo.exeC:\Windows\system32\Bjeckojo.exe33⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Cnmoglij.exeC:\Windows\system32\Cnmoglij.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3800 -
C:\Windows\SysWOW64\Cmdhnhkp.exeC:\Windows\system32\Cmdhnhkp.exe35⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Dmnkdfce.exeC:\Windows\system32\Dmnkdfce.exe36⤵
- Executes dropped EXE
PID:5308 -
C:\Windows\SysWOW64\Ekahhn32.exeC:\Windows\system32\Ekahhn32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4304 -
C:\Windows\SysWOW64\Gaepgacn.exeC:\Windows\system32\Gaepgacn.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3876 -
C:\Windows\SysWOW64\Gmlplbib.exeC:\Windows\system32\Gmlplbib.exe39⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Hhmdeink.exeC:\Windows\system32\Hhmdeink.exe40⤵
- Executes dropped EXE
PID:3948 -
C:\Windows\SysWOW64\Jafaem32.exeC:\Windows\system32\Jafaem32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:416 -
C:\Windows\SysWOW64\Kdpmmf32.exeC:\Windows\system32\Kdpmmf32.exe42⤵
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Khbpndnp.exeC:\Windows\system32\Khbpndnp.exe43⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Omfcmm32.exeC:\Windows\system32\Omfcmm32.exe44⤵
- Executes dropped EXE
PID:5416 -
C:\Windows\SysWOW64\Pbjbfclk.exeC:\Windows\system32\Pbjbfclk.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Pifghmae.exeC:\Windows\system32\Pifghmae.exe46⤵
- Executes dropped EXE
PID:6080 -
C:\Windows\SysWOW64\Ppeipfdm.exeC:\Windows\system32\Ppeipfdm.exe47⤵
- Executes dropped EXE
PID:5568 -
C:\Windows\SysWOW64\Qmkfoj32.exeC:\Windows\system32\Qmkfoj32.exe48⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Abmhbplf.exeC:\Windows\system32\Abmhbplf.exe49⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Amdiei32.exeC:\Windows\system32\Amdiei32.exe50⤵
- Executes dropped EXE
PID:5932 -
C:\Windows\SysWOW64\Aepmjk32.exeC:\Windows\system32\Aepmjk32.exe51⤵
- Executes dropped EXE
PID:5976 -
C:\Windows\SysWOW64\Bgdcom32.exeC:\Windows\system32\Bgdcom32.exe52⤵
- Executes dropped EXE
PID:5484 -
C:\Windows\SysWOW64\Blqlgdhi.exeC:\Windows\system32\Blqlgdhi.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Ccajdmin.exeC:\Windows\system32\Ccajdmin.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2188 -
C:\Windows\SysWOW64\Cfeplh32.exeC:\Windows\system32\Cfeplh32.exe55⤵
- Executes dropped EXE
PID:5544 -
C:\Windows\SysWOW64\Dodjemee.exeC:\Windows\system32\Dodjemee.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4584 -
C:\Windows\SysWOW64\Eqpfknbj.exeC:\Windows\system32\Eqpfknbj.exe57⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Fnjmea32.exeC:\Windows\system32\Fnjmea32.exe58⤵
- Executes dropped EXE
PID:5292 -
C:\Windows\SysWOW64\Fcibchgq.exeC:\Windows\system32\Fcibchgq.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3884 -
C:\Windows\SysWOW64\Fclohg32.exeC:\Windows\system32\Fclohg32.exe60⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Gmkibl32.exeC:\Windows\system32\Gmkibl32.exe61⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Hjmfmnhp.exeC:\Windows\system32\Hjmfmnhp.exe62⤵
- Executes dropped EXE
PID:6032 -
C:\Windows\SysWOW64\Ipaeedpp.exeC:\Windows\system32\Ipaeedpp.exe63⤵
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Jaekkfcm.exeC:\Windows\system32\Jaekkfcm.exe64⤵
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Jmlkpgia.exeC:\Windows\system32\Jmlkpgia.exe65⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Jkplilgk.exeC:\Windows\system32\Jkplilgk.exe66⤵PID:2008
-
C:\Windows\SysWOW64\Jpoagb32.exeC:\Windows\system32\Jpoagb32.exe67⤵PID:4820
-
C:\Windows\SysWOW64\Knhkkfod.exeC:\Windows\system32\Knhkkfod.exe68⤵PID:1492
-
C:\Windows\SysWOW64\Lgibjj32.exeC:\Windows\system32\Lgibjj32.exe69⤵PID:5216
-
C:\Windows\SysWOW64\Mgceqh32.exeC:\Windows\system32\Mgceqh32.exe70⤵PID:2856
-
C:\Windows\SysWOW64\Nkjqme32.exeC:\Windows\system32\Nkjqme32.exe71⤵PID:1988
-
C:\Windows\SysWOW64\Nnkioq32.exeC:\Windows\system32\Nnkioq32.exe72⤵PID:748
-
C:\Windows\SysWOW64\Nkojheoe.exeC:\Windows\system32\Nkojheoe.exe73⤵PID:456
-
C:\Windows\SysWOW64\Oigdmh32.exeC:\Windows\system32\Oigdmh32.exe74⤵PID:864
-
C:\Windows\SysWOW64\Opfedb32.exeC:\Windows\system32\Opfedb32.exe75⤵
- Drops file in System32 directory
PID:3984 -
C:\Windows\SysWOW64\Onkbenbi.exeC:\Windows\system32\Onkbenbi.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4308 -
C:\Windows\SysWOW64\Pnplqn32.exeC:\Windows\system32\Pnplqn32.exe77⤵PID:6100
-
C:\Windows\SysWOW64\Pejdmh32.exeC:\Windows\system32\Pejdmh32.exe78⤵
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Pbndgl32.exeC:\Windows\system32\Pbndgl32.exe79⤵PID:3568
-
C:\Windows\SysWOW64\Pijiif32.exeC:\Windows\system32\Pijiif32.exe80⤵PID:968
-
C:\Windows\SysWOW64\Pngbam32.exeC:\Windows\system32\Pngbam32.exe81⤵
- Drops file in System32 directory
PID:4540 -
C:\Windows\SysWOW64\Aaldngqg.exeC:\Windows\system32\Aaldngqg.exe82⤵PID:5328
-
C:\Windows\SysWOW64\Aoqegk32.exeC:\Windows\system32\Aoqegk32.exe83⤵PID:3496
-
C:\Windows\SysWOW64\Clldhljp.exeC:\Windows\system32\Clldhljp.exe84⤵
- Modifies registry class
PID:5912 -
C:\Windows\SysWOW64\Cojqdhid.exeC:\Windows\system32\Cojqdhid.exe85⤵PID:5984
-
C:\Windows\SysWOW64\Clnanlhn.exeC:\Windows\system32\Clnanlhn.exe86⤵PID:3308
-
C:\Windows\SysWOW64\Dljqjjnp.exeC:\Windows\system32\Dljqjjnp.exe87⤵PID:2180
-
C:\Windows\SysWOW64\Ejpnin32.exeC:\Windows\system32\Ejpnin32.exe88⤵PID:2420
-
C:\Windows\SysWOW64\Ejbknnid.exeC:\Windows\system32\Ejbknnid.exe89⤵PID:1380
-
C:\Windows\SysWOW64\Eplckh32.exeC:\Windows\system32\Eplckh32.exe90⤵PID:5780
-
C:\Windows\SysWOW64\Ejiqom32.exeC:\Windows\system32\Ejiqom32.exe91⤵PID:5352
-
C:\Windows\SysWOW64\Fqcilgji.exeC:\Windows\system32\Fqcilgji.exe92⤵PID:5396
-
C:\Windows\SysWOW64\Fbeeco32.exeC:\Windows\system32\Fbeeco32.exe93⤵PID:464
-
C:\Windows\SysWOW64\Fbgbione.exeC:\Windows\system32\Fbgbione.exe94⤵PID:5908
-
C:\Windows\SysWOW64\Fqhbgf32.exeC:\Windows\system32\Fqhbgf32.exe95⤵PID:4944
-
C:\Windows\SysWOW64\Fbiooolb.exeC:\Windows\system32\Fbiooolb.exe96⤵
- Drops file in System32 directory
PID:3084 -
C:\Windows\SysWOW64\Ficgkico.exeC:\Windows\system32\Ficgkico.exe97⤵PID:4980
-
C:\Windows\SysWOW64\Fomohc32.exeC:\Windows\system32\Fomohc32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5032 -
C:\Windows\SysWOW64\Gflapl32.exeC:\Windows\system32\Gflapl32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3744 -
C:\Windows\SysWOW64\Gjocaj32.exeC:\Windows\system32\Gjocaj32.exe100⤵PID:5532
-
C:\Windows\SysWOW64\Gjapfjnb.exeC:\Windows\system32\Gjapfjnb.exe101⤵PID:5360
-
C:\Windows\SysWOW64\Iffmmihf.exeC:\Windows\system32\Iffmmihf.exe102⤵PID:4424
-
C:\Windows\SysWOW64\Kaemgn32.exeC:\Windows\system32\Kaemgn32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3020 -
C:\Windows\SysWOW64\Lgikpc32.exeC:\Windows\system32\Lgikpc32.exe104⤵
- Modifies registry class
PID:216 -
C:\Windows\SysWOW64\Ljlagndl.exeC:\Windows\system32\Ljlagndl.exe105⤵PID:5400
-
C:\Windows\SysWOW64\Mkkmaalo.exeC:\Windows\system32\Mkkmaalo.exe106⤵PID:4404
-
C:\Windows\SysWOW64\Mphfjhjf.exeC:\Windows\system32\Mphfjhjf.exe107⤵PID:1580
-
C:\Windows\SysWOW64\Mahbck32.exeC:\Windows\system32\Mahbck32.exe108⤵PID:1952
-
C:\Windows\SysWOW64\Mkepgp32.exeC:\Windows\system32\Mkepgp32.exe109⤵PID:5040
-
C:\Windows\SysWOW64\Ndmepe32.exeC:\Windows\system32\Ndmepe32.exe110⤵
- Drops file in System32 directory
PID:6024 -
C:\Windows\SysWOW64\Nkgmmpab.exeC:\Windows\system32\Nkgmmpab.exe111⤵PID:5776
-
C:\Windows\SysWOW64\Naaejj32.exeC:\Windows\system32\Naaejj32.exe112⤵PID:3388
-
C:\Windows\SysWOW64\Nkijbooo.exeC:\Windows\system32\Nkijbooo.exe113⤵PID:4544
-
C:\Windows\SysWOW64\Ncenga32.exeC:\Windows\system32\Ncenga32.exe114⤵
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Nnjbdj32.exeC:\Windows\system32\Nnjbdj32.exe115⤵PID:4460
-
C:\Windows\SysWOW64\Nddkaddm.exeC:\Windows\system32\Nddkaddm.exe116⤵PID:3468
-
C:\Windows\SysWOW64\Nkncno32.exeC:\Windows\system32\Nkncno32.exe117⤵PID:4036
-
C:\Windows\SysWOW64\Oggqho32.exeC:\Windows\system32\Oggqho32.exe118⤵PID:1056
-
C:\Windows\SysWOW64\Obanqgkl.exeC:\Windows\system32\Obanqgkl.exe119⤵PID:4792
-
C:\Windows\SysWOW64\Ocegnoog.exeC:\Windows\system32\Ocegnoog.exe120⤵PID:1092
-
C:\Windows\SysWOW64\Pkcepl32.exeC:\Windows\system32\Pkcepl32.exe121⤵PID:6028
-
C:\Windows\SysWOW64\Papnhbgi.exeC:\Windows\system32\Papnhbgi.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5132