Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
24/06/2024, 00:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a0667243e92573965e2c7c27a1ad3a247caf5b77dedd5627a94ba0df7e33f53b.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
a0667243e92573965e2c7c27a1ad3a247caf5b77dedd5627a94ba0df7e33f53b.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
a0667243e92573965e2c7c27a1ad3a247caf5b77dedd5627a94ba0df7e33f53b.exe
-
Size
56KB
-
MD5
9703af7424041369ff37a222a0571914
-
SHA1
a330861ae14a279623d0cb1bf6040b22e2d1e08d
-
SHA256
a0667243e92573965e2c7c27a1ad3a247caf5b77dedd5627a94ba0df7e33f53b
-
SHA512
c362961fd0dd08689071290a9b0adfa151da73d7d6f7859d002df0478ec6022699dbd2040a76c5ba4b2dbbaf6255b68f1f2dac25a8c7bc073c647e6747780277
-
SSDEEP
768:TZxHMRvGahbiinf+YKCL0L9K/CHd/QEnjvBRbWIQKAG/pFYTkrwuDrNfQR1E/1Hp:T/sRvGdgOLnHdlQxgpskrwuD9vCU
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgiepjga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjecpkcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgeaifia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfbkeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iickkbje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knlleepl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mekgdl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eangpgcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpdfnolo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okedcjcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dckdjomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfjhkjle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbileede.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpbfii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejalcgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpnkdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npchgdcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qqhcpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emehdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pifnhpmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbifelba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceoibflm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maeachag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fckajehi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjhacf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhemmlhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inpccihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkhjph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfngdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hplicjok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjomap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oocmii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pahpfc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goljqnpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlihle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdmein32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfoplpla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpmggb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aldomc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdbdah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kihnmohm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boklbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nliaao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbdhiojo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlhccj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found -
Executes dropped EXE 64 IoCs
pid Process 1648 Obfhba32.exe 1188 Odednmpm.exe 3092 Ogcpjhoq.exe 1748 Onmhgb32.exe 2200 Odgqdlnj.exe 3200 Pgemphmn.exe 1212 Pnpemb32.exe 1592 Peimil32.exe 2068 Pghieg32.exe 3136 Pnbbbabh.exe 4132 Pqpnombl.exe 1824 Pkfblfab.exe 3652 Pndohaqe.exe 3472 Pengdk32.exe 1344 Pkhoae32.exe 2100 Pbbgnpgl.exe 1012 Peqcjkfp.exe 1876 Pnihcq32.exe 4112 Qgallfcq.exe 2704 Qeemej32.exe 4252 Qgciaf32.exe 2656 Qnnanphk.exe 2708 Aegikj32.exe 1548 Alabgd32.exe 744 Ajdbcano.exe 4716 Aejfpjne.exe 4632 Aldomc32.exe 3228 Ajfoiqll.exe 2660 Aaqgek32.exe 5004 Alfkbc32.exe 1032 Andgoobc.exe 4740 Aacckjaf.exe 2256 Ahmlgd32.exe 3580 Alhhhcal.exe 4944 Abbpem32.exe 4088 Aealah32.exe 4516 Alkdnboj.exe 2652 Abemjmgg.exe 4720 Bdfibe32.exe 1572 Bjpaooda.exe 4864 Bbgipldd.exe 3108 Bdhfhe32.exe 1736 Bjbndobo.exe 3088 Bbifelba.exe 3384 Bdkcmdhp.exe 4836 Bhfonc32.exe 3784 Bblckl32.exe 5064 Bdmpcdfm.exe 4340 Bldgdago.exe 3556 Bobcpmfc.exe 3032 Bemlmgnp.exe 436 Bdolhc32.exe 2424 Bkidenlg.exe 3796 Cbqlfkmi.exe 4644 Ceoibflm.exe 4084 Cliaoq32.exe 3360 Cbcilkjg.exe 836 Chpada32.exe 4476 Cojjqlpk.exe 4728 Cbefaj32.exe 5016 Cecbmf32.exe 116 Ckpjfm32.exe 1064 Cbgbgj32.exe 3624 Cefoce32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ihdafkdg.exe Iakiia32.exe File opened for modification C:\Windows\SysWOW64\Jjjghcfp.exe Jglklggl.exe File created C:\Windows\SysWOW64\Ofcmimpk.dll Fpbmfn32.exe File created C:\Windows\SysWOW64\Aeklkchg.exe Amddjegd.exe File created C:\Windows\SysWOW64\Bcpcam32.dll Bcinna32.exe File created C:\Windows\SysWOW64\Bdifpa32.dll Process not Found File created C:\Windows\SysWOW64\Hpchib32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nqbpojnp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Apjkcadp.exe Process not Found File created C:\Windows\SysWOW64\Gghocf32.dll Nkqkhk32.exe File opened for modification C:\Windows\SysWOW64\Ahippdbe.exe Process not Found File created C:\Windows\SysWOW64\Jmbhoeid.exe Process not Found File created C:\Windows\SysWOW64\Nghjpm32.dll Gododflk.exe File created C:\Windows\SysWOW64\Ocdjpmac.exe Oljaccjf.exe File created C:\Windows\SysWOW64\Dcjnoece.exe Dakacjdb.exe File created C:\Windows\SysWOW64\Epgkpagl.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bebjdgmj.exe Process not Found File created C:\Windows\SysWOW64\Gldglf32.exe Process not Found File created C:\Windows\SysWOW64\Npdopj32.dll Process not Found File created C:\Windows\SysWOW64\Ojhpimhp.exe Process not Found File created C:\Windows\SysWOW64\Gfameb32.dll Mleoafmn.exe File opened for modification C:\Windows\SysWOW64\Djhpgofm.exe Dhjckcgi.exe File created C:\Windows\SysWOW64\Pdkjmfeo.dll Ahgjejhd.exe File created C:\Windows\SysWOW64\Pjnppabn.dll Hbhijepa.exe File created C:\Windows\SysWOW64\Fajbad32.dll Hmbfbn32.exe File created C:\Windows\SysWOW64\Aobbbd32.dll Ikkpgafg.exe File created C:\Windows\SysWOW64\Ffiipfmi.dll Process not Found File created C:\Windows\SysWOW64\Pcijeb32.exe Pdfjifjo.exe File created C:\Windows\SysWOW64\Agbkmijg.exe Qqhcpo32.exe File opened for modification C:\Windows\SysWOW64\Djqblj32.exe Dbjkkl32.exe File opened for modification C:\Windows\SysWOW64\Iinjhh32.exe Process not Found File created C:\Windows\SysWOW64\Lfcpgb32.dll Process not Found File created C:\Windows\SysWOW64\Iblhpckf.dll Process not Found File opened for modification C:\Windows\SysWOW64\Kinmcg32.exe Kageaj32.exe File opened for modification C:\Windows\SysWOW64\Oalipoiq.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bqkill32.exe Bidqko32.exe File created C:\Windows\SysWOW64\Ocaikjof.dll Hkpheidp.exe File created C:\Windows\SysWOW64\Cmncbodd.dll Olgncmim.exe File created C:\Windows\SysWOW64\Ohhnbhok.exe Process not Found File created C:\Windows\SysWOW64\Eecphp32.exe Process not Found File created C:\Windows\SysWOW64\Feoodn32.exe Process not Found File created C:\Windows\SysWOW64\Alkdnboj.exe Aealah32.exe File opened for modification C:\Windows\SysWOW64\Nchjdo32.exe Nlnbgddc.exe File opened for modification C:\Windows\SysWOW64\Fbajbi32.exe Fpbmfn32.exe File created C:\Windows\SysWOW64\Omnlgb32.dll Fddqghpd.exe File opened for modification C:\Windows\SysWOW64\Aggegh32.exe Aopmfk32.exe File created C:\Windows\SysWOW64\Nbnimm32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bmjkic32.exe Process not Found File created C:\Windows\SysWOW64\Idmdhm32.dll Lbjelc32.exe File created C:\Windows\SysWOW64\Locbfd32.exe Lppbkgcj.exe File opened for modification C:\Windows\SysWOW64\Dldpkoil.exe Ddmhja32.exe File opened for modification C:\Windows\SysWOW64\Eagaoh32.exe Eipinkib.exe File created C:\Windows\SysWOW64\Edflhb32.dll Process not Found File created C:\Windows\SysWOW64\Dlkhie32.dll Ipdqba32.exe File created C:\Windows\SysWOW64\Eifbkgjd.dll Ibcmom32.exe File created C:\Windows\SysWOW64\Bpqhgk32.dll Gkdhjknm.exe File created C:\Windows\SysWOW64\Fmikeaap.exe Fjjnifbl.exe File created C:\Windows\SysWOW64\Gggpfopn.dll Fffhifdk.exe File opened for modification C:\Windows\SysWOW64\Qachgk32.exe Process not Found File created C:\Windows\SysWOW64\Ddgplado.exe Process not Found File created C:\Windows\SysWOW64\Hplbickp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hhnbpb32.exe Hbdjchgn.exe File created C:\Windows\SysWOW64\Noloin32.dll Mhgfkg32.exe File created C:\Windows\SysWOW64\Oejbgd32.dll Nlnbgddc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12712 11956 Process not Found 1585 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffgqqaip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amddjegd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bebblb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Daekdooc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkhakafh.dll" Phjenbhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejlkojm.dll" Bhldpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlohlk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckqfbfnl.dll" Bldgdago.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qamhhedg.dll" Kdqejn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhnbpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqiipljg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbmoen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajmdgelp.dll" Dfoiaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emmkiclm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennamn32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndokbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hoadkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfqmpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfgomdnj.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aegikj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cefoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacghh32.dll" Iihkpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkoafbld.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olaafabl.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Headjohq.dll" Mecjif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npodfe32.dll" Fjjnifbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hodgkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmpgldhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeklkchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcjfln32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nddbqe32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffchaq32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambfbo32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flbolp32.dll" Khbdikip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kiaqcnpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnmodnoo.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll" Cfdhkhjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Moobbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fipbdikp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgenbfoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjecpkcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbajbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjcbbmif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnmcjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emcbio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmonnmjm.dll" Fnjhjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifolfj32.dll" Nojanpej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaehljpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edkdkplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjcmebie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpleig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kqbkfkal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebommi32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5088 wrote to memory of 1648 5088 a0667243e92573965e2c7c27a1ad3a247caf5b77dedd5627a94ba0df7e33f53b.exe 81 PID 5088 wrote to memory of 1648 5088 a0667243e92573965e2c7c27a1ad3a247caf5b77dedd5627a94ba0df7e33f53b.exe 81 PID 5088 wrote to memory of 1648 5088 a0667243e92573965e2c7c27a1ad3a247caf5b77dedd5627a94ba0df7e33f53b.exe 81 PID 1648 wrote to memory of 1188 1648 Obfhba32.exe 82 PID 1648 wrote to memory of 1188 1648 Obfhba32.exe 82 PID 1648 wrote to memory of 1188 1648 Obfhba32.exe 82 PID 1188 wrote to memory of 3092 1188 Odednmpm.exe 83 PID 1188 wrote to memory of 3092 1188 Odednmpm.exe 83 PID 1188 wrote to memory of 3092 1188 Odednmpm.exe 83 PID 3092 wrote to memory of 1748 3092 Ogcpjhoq.exe 84 PID 3092 wrote to memory of 1748 3092 Ogcpjhoq.exe 84 PID 3092 wrote to memory of 1748 3092 Ogcpjhoq.exe 84 PID 1748 wrote to memory of 2200 1748 Onmhgb32.exe 85 PID 1748 wrote to memory of 2200 1748 Onmhgb32.exe 85 PID 1748 wrote to memory of 2200 1748 Onmhgb32.exe 85 PID 2200 wrote to memory of 3200 2200 Odgqdlnj.exe 86 PID 2200 wrote to memory of 3200 2200 Odgqdlnj.exe 86 PID 2200 wrote to memory of 3200 2200 Odgqdlnj.exe 86 PID 3200 wrote to memory of 1212 3200 Pgemphmn.exe 87 PID 3200 wrote to memory of 1212 3200 Pgemphmn.exe 87 PID 3200 wrote to memory of 1212 3200 Pgemphmn.exe 87 PID 1212 wrote to memory of 1592 1212 Pnpemb32.exe 88 PID 1212 wrote to memory of 1592 1212 Pnpemb32.exe 88 PID 1212 wrote to memory of 1592 1212 Pnpemb32.exe 88 PID 1592 wrote to memory of 2068 1592 Peimil32.exe 89 PID 1592 wrote to memory of 2068 1592 Peimil32.exe 89 PID 1592 wrote to memory of 2068 1592 Peimil32.exe 89 PID 2068 wrote to memory of 3136 2068 Pghieg32.exe 90 PID 2068 wrote to memory of 3136 2068 Pghieg32.exe 90 PID 2068 wrote to memory of 3136 2068 Pghieg32.exe 90 PID 3136 wrote to memory of 4132 3136 Pnbbbabh.exe 91 PID 3136 wrote to memory of 4132 3136 Pnbbbabh.exe 91 PID 3136 wrote to memory of 4132 3136 Pnbbbabh.exe 91 PID 4132 wrote to memory of 1824 4132 Pqpnombl.exe 92 PID 4132 wrote to memory of 1824 4132 Pqpnombl.exe 92 PID 4132 wrote to memory of 1824 4132 Pqpnombl.exe 92 PID 1824 wrote to memory of 3652 1824 Pkfblfab.exe 93 PID 1824 wrote to memory of 3652 1824 Pkfblfab.exe 93 PID 1824 wrote to memory of 3652 1824 Pkfblfab.exe 93 PID 3652 wrote to memory of 3472 3652 Pndohaqe.exe 94 PID 3652 wrote to memory of 3472 3652 Pndohaqe.exe 94 PID 3652 wrote to memory of 3472 3652 Pndohaqe.exe 94 PID 3472 wrote to memory of 1344 3472 Pengdk32.exe 95 PID 3472 wrote to memory of 1344 3472 Pengdk32.exe 95 PID 3472 wrote to memory of 1344 3472 Pengdk32.exe 95 PID 1344 wrote to memory of 2100 1344 Pkhoae32.exe 96 PID 1344 wrote to memory of 2100 1344 Pkhoae32.exe 96 PID 1344 wrote to memory of 2100 1344 Pkhoae32.exe 96 PID 2100 wrote to memory of 1012 2100 Pbbgnpgl.exe 97 PID 2100 wrote to memory of 1012 2100 Pbbgnpgl.exe 97 PID 2100 wrote to memory of 1012 2100 Pbbgnpgl.exe 97 PID 1012 wrote to memory of 1876 1012 Peqcjkfp.exe 98 PID 1012 wrote to memory of 1876 1012 Peqcjkfp.exe 98 PID 1012 wrote to memory of 1876 1012 Peqcjkfp.exe 98 PID 1876 wrote to memory of 4112 1876 Pnihcq32.exe 99 PID 1876 wrote to memory of 4112 1876 Pnihcq32.exe 99 PID 1876 wrote to memory of 4112 1876 Pnihcq32.exe 99 PID 4112 wrote to memory of 2704 4112 Qgallfcq.exe 100 PID 4112 wrote to memory of 2704 4112 Qgallfcq.exe 100 PID 4112 wrote to memory of 2704 4112 Qgallfcq.exe 100 PID 2704 wrote to memory of 4252 2704 Qeemej32.exe 101 PID 2704 wrote to memory of 4252 2704 Qeemej32.exe 101 PID 2704 wrote to memory of 4252 2704 Qeemej32.exe 101 PID 4252 wrote to memory of 2656 4252 Qgciaf32.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\a0667243e92573965e2c7c27a1ad3a247caf5b77dedd5627a94ba0df7e33f53b.exe"C:\Users\Admin\AppData\Local\Temp\a0667243e92573965e2c7c27a1ad3a247caf5b77dedd5627a94ba0df7e33f53b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Windows\SysWOW64\Onmhgb32.exeC:\Windows\system32\Onmhgb32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Pgemphmn.exeC:\Windows\system32\Pgemphmn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Windows\SysWOW64\Pnpemb32.exeC:\Windows\system32\Pnpemb32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Peimil32.exeC:\Windows\system32\Peimil32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4132 -
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\SysWOW64\Pbbgnpgl.exeC:\Windows\system32\Pbbgnpgl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe23⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe25⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Ajdbcano.exeC:\Windows\system32\Ajdbcano.exe26⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe27⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4632 -
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe29⤵
- Executes dropped EXE
PID:3228 -
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe30⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe31⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe32⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe33⤵
- Executes dropped EXE
PID:4740 -
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe34⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Alhhhcal.exeC:\Windows\system32\Alhhhcal.exe35⤵
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Abbpem32.exeC:\Windows\system32\Abbpem32.exe36⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Aealah32.exeC:\Windows\system32\Aealah32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4088 -
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe38⤵
- Executes dropped EXE
PID:4516 -
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe39⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe40⤵
- Executes dropped EXE
PID:4720 -
C:\Windows\SysWOW64\Bjpaooda.exeC:\Windows\system32\Bjpaooda.exe41⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe42⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe43⤵
- Executes dropped EXE
PID:3108 -
C:\Windows\SysWOW64\Bjbndobo.exeC:\Windows\system32\Bjbndobo.exe44⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Bbifelba.exeC:\Windows\system32\Bbifelba.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3088 -
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe46⤵
- Executes dropped EXE
PID:3384 -
C:\Windows\SysWOW64\Bhfonc32.exeC:\Windows\system32\Bhfonc32.exe47⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Bblckl32.exeC:\Windows\system32\Bblckl32.exe48⤵
- Executes dropped EXE
PID:3784 -
C:\Windows\SysWOW64\Bdmpcdfm.exeC:\Windows\system32\Bdmpcdfm.exe49⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Bldgdago.exeC:\Windows\system32\Bldgdago.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:4340 -
C:\Windows\SysWOW64\Bobcpmfc.exeC:\Windows\system32\Bobcpmfc.exe51⤵
- Executes dropped EXE
PID:3556 -
C:\Windows\SysWOW64\Bemlmgnp.exeC:\Windows\system32\Bemlmgnp.exe52⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe53⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe54⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe55⤵
- Executes dropped EXE
PID:3796 -
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe57⤵
- Executes dropped EXE
PID:4084 -
C:\Windows\SysWOW64\Cbcilkjg.exeC:\Windows\system32\Cbcilkjg.exe58⤵
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe59⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Cojjqlpk.exeC:\Windows\system32\Cojjqlpk.exe60⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Cbefaj32.exeC:\Windows\system32\Cbefaj32.exe61⤵
- Executes dropped EXE
PID:4728 -
C:\Windows\SysWOW64\Cecbmf32.exeC:\Windows\system32\Cecbmf32.exe62⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Ckpjfm32.exeC:\Windows\system32\Ckpjfm32.exe63⤵
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\Cbgbgj32.exeC:\Windows\system32\Cbgbgj32.exe64⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Cefoce32.exeC:\Windows\system32\Cefoce32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:3624 -
C:\Windows\SysWOW64\Ckcgkldl.exeC:\Windows\system32\Ckcgkldl.exe66⤵PID:4360
-
C:\Windows\SysWOW64\Cehkhecb.exeC:\Windows\system32\Cehkhecb.exe67⤵PID:1308
-
C:\Windows\SysWOW64\Cdkldb32.exeC:\Windows\system32\Cdkldb32.exe68⤵PID:4456
-
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe69⤵PID:3932
-
C:\Windows\SysWOW64\Doqpak32.exeC:\Windows\system32\Doqpak32.exe70⤵PID:3800
-
C:\Windows\SysWOW64\Ddmhja32.exeC:\Windows\system32\Ddmhja32.exe71⤵
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Dldpkoil.exeC:\Windows\system32\Dldpkoil.exe72⤵PID:4080
-
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe73⤵PID:4344
-
C:\Windows\SysWOW64\Demecd32.exeC:\Windows\system32\Demecd32.exe74⤵PID:1832
-
C:\Windows\SysWOW64\Dlgmpogj.exeC:\Windows\system32\Dlgmpogj.exe75⤵PID:4904
-
C:\Windows\SysWOW64\Doeiljfn.exeC:\Windows\system32\Doeiljfn.exe76⤵PID:4300
-
C:\Windows\SysWOW64\Deoaid32.exeC:\Windows\system32\Deoaid32.exe77⤵PID:4984
-
C:\Windows\SysWOW64\Dhnnep32.exeC:\Windows\system32\Dhnnep32.exe78⤵PID:5104
-
C:\Windows\SysWOW64\Dohfbj32.exeC:\Windows\system32\Dohfbj32.exe79⤵PID:1412
-
C:\Windows\SysWOW64\Deanodkh.exeC:\Windows\system32\Deanodkh.exe80⤵PID:4328
-
C:\Windows\SysWOW64\Dhpjkojk.exeC:\Windows\system32\Dhpjkojk.exe81⤵PID:3832
-
C:\Windows\SysWOW64\Dkoggkjo.exeC:\Windows\system32\Dkoggkjo.exe82⤵PID:2584
-
C:\Windows\SysWOW64\Ddgkpp32.exeC:\Windows\system32\Ddgkpp32.exe83⤵PID:3656
-
C:\Windows\SysWOW64\Dhbgqohi.exeC:\Windows\system32\Dhbgqohi.exe84⤵PID:4452
-
C:\Windows\SysWOW64\Eolpmi32.exeC:\Windows\system32\Eolpmi32.exe85⤵PID:3412
-
C:\Windows\SysWOW64\Eaklidoi.exeC:\Windows\system32\Eaklidoi.exe86⤵PID:2880
-
C:\Windows\SysWOW64\Eoolbinc.exeC:\Windows\system32\Eoolbinc.exe87⤵PID:220
-
C:\Windows\SysWOW64\Eeidoc32.exeC:\Windows\system32\Eeidoc32.exe88⤵PID:3548
-
C:\Windows\SysWOW64\Edkdkplj.exeC:\Windows\system32\Edkdkplj.exe89⤵
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Ekemhj32.exeC:\Windows\system32\Ekemhj32.exe90⤵PID:3604
-
C:\Windows\SysWOW64\Ecmeig32.exeC:\Windows\system32\Ecmeig32.exe91⤵PID:2144
-
C:\Windows\SysWOW64\Ednaqo32.exeC:\Windows\system32\Ednaqo32.exe92⤵PID:3780
-
C:\Windows\SysWOW64\Ehimanbq.exeC:\Windows\system32\Ehimanbq.exe93⤵PID:2032
-
C:\Windows\SysWOW64\Ekhjmiad.exeC:\Windows\system32\Ekhjmiad.exe94⤵PID:4304
-
C:\Windows\SysWOW64\Ecoangbg.exeC:\Windows\system32\Ecoangbg.exe95⤵PID:1644
-
C:\Windows\SysWOW64\Eemnjbaj.exeC:\Windows\system32\Eemnjbaj.exe96⤵PID:3408
-
C:\Windows\SysWOW64\Ehljfnpn.exeC:\Windows\system32\Ehljfnpn.exe97⤵PID:2004
-
C:\Windows\SysWOW64\Ekjfcipa.exeC:\Windows\system32\Ekjfcipa.exe98⤵PID:2072
-
C:\Windows\SysWOW64\Eadopc32.exeC:\Windows\system32\Eadopc32.exe99⤵PID:1416
-
C:\Windows\SysWOW64\Eepjpb32.exeC:\Windows\system32\Eepjpb32.exe100⤵PID:1408
-
C:\Windows\SysWOW64\Ehnglm32.exeC:\Windows\system32\Ehnglm32.exe101⤵PID:3764
-
C:\Windows\SysWOW64\Fkmchi32.exeC:\Windows\system32\Fkmchi32.exe102⤵PID:2900
-
C:\Windows\SysWOW64\Fcckif32.exeC:\Windows\system32\Fcckif32.exe103⤵PID:2620
-
C:\Windows\SysWOW64\Febgea32.exeC:\Windows\system32\Febgea32.exe104⤵PID:1900
-
C:\Windows\SysWOW64\Fhqcam32.exeC:\Windows\system32\Fhqcam32.exe105⤵PID:3532
-
C:\Windows\SysWOW64\Fkopnh32.exeC:\Windows\system32\Fkopnh32.exe106⤵PID:3608
-
C:\Windows\SysWOW64\Fcfhof32.exeC:\Windows\system32\Fcfhof32.exe107⤵PID:456
-
C:\Windows\SysWOW64\Fdgdgnbm.exeC:\Windows\system32\Fdgdgnbm.exe108⤵PID:2912
-
C:\Windows\SysWOW64\Fhcpgmjf.exeC:\Windows\system32\Fhcpgmjf.exe109⤵PID:3260
-
C:\Windows\SysWOW64\Fomhdg32.exeC:\Windows\system32\Fomhdg32.exe110⤵PID:404
-
C:\Windows\SysWOW64\Fchddejl.exeC:\Windows\system32\Fchddejl.exe111⤵PID:1740
-
C:\Windows\SysWOW64\Ffgqqaip.exeC:\Windows\system32\Ffgqqaip.exe112⤵
- Modifies registry class
PID:4140 -
C:\Windows\SysWOW64\Fhemmlhc.exeC:\Windows\system32\Fhemmlhc.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4444 -
C:\Windows\SysWOW64\Fooeif32.exeC:\Windows\system32\Fooeif32.exe114⤵PID:4808
-
C:\Windows\SysWOW64\Fckajehi.exeC:\Windows\system32\Fckajehi.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1660 -
C:\Windows\SysWOW64\Ffimfqgm.exeC:\Windows\system32\Ffimfqgm.exe116⤵PID:4656
-
C:\Windows\SysWOW64\Flceckoj.exeC:\Windows\system32\Flceckoj.exe117⤵PID:4028
-
C:\Windows\SysWOW64\Foabofnn.exeC:\Windows\system32\Foabofnn.exe118⤵PID:4928
-
C:\Windows\SysWOW64\Fbpnkama.exeC:\Windows\system32\Fbpnkama.exe119⤵PID:2320
-
C:\Windows\SysWOW64\Fdnjgmle.exeC:\Windows\system32\Fdnjgmle.exe120⤵PID:4060
-
C:\Windows\SysWOW64\Glebhjlg.exeC:\Windows\system32\Glebhjlg.exe121⤵PID:1792
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-