Analysis

max time kernel: 91s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/10/2022, 00:30

Static task: static1

Behavioral task: behavioral1
Sample: fcef7ac954564b1e6f98f70606a95a5cfa28bf527dba9a6315599018faf00b8d.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: fcef7ac954564b1e6f98f70606a95a5cfa28bf527dba9a6315599018faf00b8d.exe
Resource: win10v2004-20220812-en

General

Target: fcef7ac954564b1e6f98f70606a95a5cfa28bf527dba9a6315599018faf00b8d.exe
Size: 84KB
MD5: 49da9a3a09576f9bc201af36b45df079
SHA1: 62d25f6bbd605fa8181b848ae7b2a29c90c253f8
SHA256: fcef7ac954564b1e6f98f70606a95a5cfa28bf527dba9a6315599018faf00b8d
SHA512: 76873e18ee7690ebf7e73edbdcc8c242f8799636e22a8feea1d50aaadcd9142cf37f07ddbcb5a02b611adaaf24f87ea48e7d3e2db77710e17bd8a510544448e5
SSDEEP: 1536:V2klExyqjW5b8r179OOzBCm1pXg2r3XsyoRiiQfMvf2SL:xExy95b8B7BlXgy8yoznfzL
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid   pid_target  Process       procid_target
6592  7172        WerFault.exe  975
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes (numbered by tree depth; each process is spawned by the one at the previous depth)

1. C:\Users\Admin\AppData\Local\Temp\fcef7ac954564b1e6f98f70606a95a5cfa28bf527dba9a6315599018faf00b8d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fcef7ac954564b1e6f98f70606a95a5cfa28bf527dba9a6315599018faf00b8d.exe"
   PID: 3136
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Nfnjinob.exe
   Command line: C:\Windows\system32\Nfnjinob.exe
   PID: 2040
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Nkjcaenj.exe
   Command line: C:\Windows\system32\Nkjcaenj.exe
   PID: 4696
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Nadkno32.exe
   Command line: C:\Windows\system32\Nadkno32.exe
   PID: 3280
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Nohkgcdp.exe
   Command line: C:\Windows\system32\Nohkgcdp.exe
   PID: 4452
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Nkolmd32.exe
   Command line: C:\Windows\system32\Nkolmd32.exe
   PID: 4544
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Ofdqjm32.exe
   Command line: C:\Windows\system32\Ofdqjm32.exe
   PID: 4536
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Okdehdeo.exe
   Command line: C:\Windows\system32\Okdehdeo.exe
   PID: 460
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Omcbag32.exe
   Command line: C:\Windows\system32\Omcbag32.exe
   PID: 4956
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Ocmjna32.exe
    Command line: C:\Windows\system32\Ocmjna32.exe
    PID: 4764
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Oflfjl32.exe
    Command line: C:\Windows\system32\Oflfjl32.exe
    PID: 5072
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Okhocc32.exe
    Command line: C:\Windows\system32\Okhocc32.exe
    PID: 4732
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Obbgpmif.exe
    Command line: C:\Windows\system32\Obbgpmif.exe
    PID: 4628
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Odaclihj.exe
    Command line: C:\Windows\system32\Odaclihj.exe
    PID: 1596
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Pkklhc32.exe
    Command line: C:\Windows\system32\Pkklhc32.exe
    PID: 1568
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Pbedemgd.exe
    Command line: C:\Windows\system32\Pbedemgd.exe
    PID: 4932
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Piolagnq.exe
    Command line: C:\Windows\system32\Piolagnq.exe
    PID: 3444
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Pcdqopng.exe
    Command line: C:\Windows\system32\Pcdqopng.exe
    PID: 428
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Pfbmkkmj.exe
    Command line: C:\Windows\system32\Pfbmkkmj.exe
    PID: 1424
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Pmmehe32.exe
    Command line: C:\Windows\system32\Pmmehe32.exe
    PID: 1660
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Pbimpl32.exe
    Command line: C:\Windows\system32\Pbimpl32.exe
    PID: 2380
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Pmoamebd.exe
    Command line: C:\Windows\system32\Pmoamebd.exe
    - Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Pfgffk32.exeC:\Windows\system32\Pfgffk32.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:5008 -
C:\Windows\SysWOW64\Popkoppe.exeC:\Windows\system32\Popkoppe.exe24⤵
- Executes dropped EXE
PID:348 -
C:\Windows\SysWOW64\Cpqlml32.exeC:\Windows\system32\Cpqlml32.exe25⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\Cfjeifjm.exeC:\Windows\system32\Cfjeifjm.exe26⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Clgmbmid.exeC:\Windows\system32\Clgmbmid.exe27⤵
- Executes dropped EXE
PID:3876 -
C:\Windows\SysWOW64\Ciknka32.exeC:\Windows\system32\Ciknka32.exe28⤵
- Executes dropped EXE
PID:3388 -
C:\Windows\SysWOW64\Cljjgl32.exeC:\Windows\system32\Cljjgl32.exe29⤵
- Executes dropped EXE
PID:3872 -
C:\Windows\SysWOW64\Cbcbdfno.exeC:\Windows\system32\Cbcbdfno.exe30⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Cmifaond.exeC:\Windows\system32\Cmifaond.exe31⤵
- Executes dropped EXE
PID:3648 -
C:\Windows\SysWOW64\Cbfojfll.exeC:\Windows\system32\Cbfojfll.exe32⤵
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Dmkcgo32.exeC:\Windows\system32\Dmkcgo32.exe33⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Dbhlof32.exeC:\Windows\system32\Dbhlof32.exe34⤵
- Executes dropped EXE
PID:3984 -
C:\Windows\SysWOW64\Dibdlpaf.exeC:\Windows\system32\Dibdlpaf.exe35⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Ddhhihal.exeC:\Windows\system32\Ddhhihal.exe36⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Dmpmbn32.exeC:\Windows\system32\Dmpmbn32.exe37⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Dekafqeg.exeC:\Windows\system32\Dekafqeg.exe38⤵
- Executes dropped EXE
PID:3152 -
C:\Windows\SysWOW64\Ddladh32.exeC:\Windows\system32\Ddladh32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4876 -
C:\Windows\SysWOW64\Dennlpce.exeC:\Windows\system32\Dennlpce.exe40⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Dpcbii32.exeC:\Windows\system32\Dpcbii32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:4292 -
C:\Windows\SysWOW64\Egmjfcjh.exeC:\Windows\system32\Egmjfcjh.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:3100 -
C:\Windows\SysWOW64\Eilfboik.exeC:\Windows\system32\Eilfboik.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Epeooh32.exeC:\Windows\system32\Epeooh32.exe44⤵
- Executes dropped EXE
PID:312 -
C:\Windows\SysWOW64\Egpgkbhe.exeC:\Windows\system32\Egpgkbhe.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2456 -
C:\Windows\SysWOW64\Edcgeg32.exeC:\Windows\system32\Edcgeg32.exe46⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Elolii32.exeC:\Windows\system32\Elolii32.exe47⤵
- Executes dropped EXE
PID:4284 -
C:\Windows\SysWOW64\Ecidfclf.exeC:\Windows\system32\Ecidfclf.exe48⤵
- Executes dropped EXE
PID:3708 -
C:\Windows\SysWOW64\Eibmbn32.exeC:\Windows\system32\Eibmbn32.exe49⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Epmepgkp.exeC:\Windows\system32\Epmepgkp.exe50⤵
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\Eckalcjd.exeC:\Windows\system32\Eckalcjd.exe51⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Enqeil32.exeC:\Windows\system32\Enqeil32.exe52⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Fcmnab32.exeC:\Windows\system32\Fcmnab32.exe53⤵
- Executes dropped EXE
PID:3784 -
C:\Windows\SysWOW64\Fncbnk32.exeC:\Windows\system32\Fncbnk32.exe54⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Fpanjg32.exeC:\Windows\system32\Fpanjg32.exe55⤵
- Executes dropped EXE
PID:4144 -
C:\Windows\SysWOW64\Fgkgga32.exeC:\Windows\system32\Fgkgga32.exe56⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Fneodked.exeC:\Windows\system32\Fneodked.exe57⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Fgncmq32.exeC:\Windows\system32\Fgncmq32.exe58⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Fpfhefbe.exeC:\Windows\system32\Fpfhefbe.exe59⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Ffcpnmam.exeC:\Windows\system32\Ffcpnmam.exe60⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Fcgqga32.exeC:\Windows\system32\Fcgqga32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3236 -
C:\Windows\SysWOW64\Gcinma32.exeC:\Windows\system32\Gcinma32.exe62⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Ggdimpfm.exeC:\Windows\system32\Ggdimpfm.exe63⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Gpmnfemn.exeC:\Windows\system32\Gpmnfemn.exe64⤵
- Executes dropped EXE
PID:4228 -
C:\Windows\SysWOW64\Gjebok32.exeC:\Windows\system32\Gjebok32.exe65⤵
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Ggicho32.exeC:\Windows\system32\Ggicho32.exe66⤵PID:4624
-
C:\Windows\SysWOW64\Gjhoej32.exeC:\Windows\system32\Gjhoej32.exe67⤵PID:2196
-
C:\Windows\SysWOW64\Gqagad32.exeC:\Windows\system32\Gqagad32.exe68⤵PID:4336
-
C:\Windows\SysWOW64\Gglpnope.exeC:\Windows\system32\Gglpnope.exe69⤵
- Drops file in System32 directory
PID:1444 -
C:\Windows\SysWOW64\Gmhhfenl.exeC:\Windows\system32\Gmhhfenl.exe70⤵PID:368
-
C:\Windows\SysWOW64\Gqddgd32.exeC:\Windows\system32\Gqddgd32.exe71⤵PID:3768
-
C:\Windows\SysWOW64\Ggnlcnnb.exeC:\Windows\system32\Ggnlcnnb.exe72⤵PID:3780
-
C:\Windows\SysWOW64\Gmkelelj.exeC:\Windows\system32\Gmkelelj.exe73⤵PID:1672
-
C:\Windows\SysWOW64\Hdbmmb32.exeC:\Windows\system32\Hdbmmb32.exe74⤵PID:216
-
C:\Windows\SysWOW64\Hfciekbj.exeC:\Windows\system32\Hfciekbj.exe75⤵PID:5032
-
C:\Windows\SysWOW64\Hmmaae32.exeC:\Windows\system32\Hmmaae32.exe76⤵PID:2872
-
C:\Windows\SysWOW64\Hqinbcbp.exeC:\Windows\system32\Hqinbcbp.exe77⤵PID:2360
-
C:\Windows\SysWOW64\Hfefjjqg.exeC:\Windows\system32\Hfefjjqg.exe78⤵PID:5080
-
C:\Windows\SysWOW64\Hnmnkhaj.exeC:\Windows\system32\Hnmnkhaj.exe79⤵PID:3116
-
C:\Windows\SysWOW64\Hqkjgcpn.exeC:\Windows\system32\Hqkjgcpn.exe80⤵PID:1836
-
C:\Windows\SysWOW64\Hdgfhbig.exeC:\Windows\system32\Hdgfhbig.exe81⤵PID:3340
-
C:\Windows\SysWOW64\Hfhbpj32.exeC:\Windows\system32\Hfhbpj32.exe82⤵PID:4588
-
C:\Windows\SysWOW64\Hggojmfh.exeC:\Windows\system32\Hggojmfh.exe83⤵PID:4472
-
C:\Windows\SysWOW64\Hqpcbb32.exeC:\Windows\system32\Hqpcbb32.exe84⤵PID:4832
-
C:\Windows\SysWOW64\Hcnpon32.exeC:\Windows\system32\Hcnpon32.exe85⤵PID:1796
-
C:\Windows\SysWOW64\Hgjlom32.exeC:\Windows\system32\Hgjlom32.exe86⤵PID:4192
-
C:\Windows\SysWOW64\Hnddlgkb.exeC:\Windows\system32\Hnddlgkb.exe87⤵PID:2580
-
C:\Windows\SysWOW64\Idnlia32.exeC:\Windows\system32\Idnlia32.exe88⤵PID:4448
-
C:\Windows\SysWOW64\Ifoiqihm.exeC:\Windows\system32\Ifoiqihm.exe89⤵PID:4692
-
C:\Windows\SysWOW64\Imiamc32.exeC:\Windows\system32\Imiamc32.exe90⤵PID:2204
-
C:\Windows\SysWOW64\Ignejlpp.exeC:\Windows\system32\Ignejlpp.exe91⤵PID:2088
-
C:\Windows\SysWOW64\Ijmaggoc.exeC:\Windows\system32\Ijmaggoc.exe92⤵PID:888
-
C:\Windows\SysWOW64\Iqgjca32.exeC:\Windows\system32\Iqgjca32.exe93⤵PID:984
-
C:\Windows\SysWOW64\Ifcblh32.exeC:\Windows\system32\Ifcblh32.exe94⤵PID:3760
-
C:\Windows\SysWOW64\Inkjmf32.exeC:\Windows\system32\Inkjmf32.exe95⤵PID:8
-
C:\Windows\SysWOW64\Ieebiplg.exeC:\Windows\system32\Ieebiplg.exe96⤵PID:1152
-
C:\Windows\SysWOW64\Igcoeklj.exeC:\Windows\system32\Igcoeklj.exe97⤵PID:4748
-
C:\Windows\SysWOW64\Inmgbecg.exeC:\Windows\system32\Inmgbecg.exe98⤵PID:1828
-
C:\Windows\SysWOW64\Iakcoabk.exeC:\Windows\system32\Iakcoabk.exe99⤵PID:5124
-
C:\Windows\SysWOW64\Icjoklao.exeC:\Windows\system32\Icjoklao.exe100⤵PID:5148
-
C:\Windows\SysWOW64\Jnpchead.exeC:\Windows\system32\Jnpchead.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5176 -
C:\Windows\SysWOW64\Janpdqph.exeC:\Windows\system32\Janpdqph.exe102⤵PID:5196
-
C:\Windows\SysWOW64\Jcllplol.exeC:\Windows\system32\Jcllplol.exe103⤵PID:5224
-
C:\Windows\SysWOW64\Jfkhlgnp.exeC:\Windows\system32\Jfkhlgnp.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5244 -
C:\Windows\SysWOW64\Jnbpme32.exeC:\Windows\system32\Jnbpme32.exe105⤵
- Drops file in System32 directory
- Modifies registry class
PID:5260 -
C:\Windows\SysWOW64\Jgjefjeb.exeC:\Windows\system32\Jgjefjeb.exe106⤵PID:5276
-
C:\Windows\SysWOW64\Jceofkga.exeC:\Windows\system32\Jceofkga.exe107⤵PID:5300
-
C:\Windows\SysWOW64\Kaiopo32.exeC:\Windows\system32\Kaiopo32.exe108⤵PID:5316
-
C:\Windows\SysWOW64\Kffhhf32.exeC:\Windows\system32\Kffhhf32.exe109⤵PID:5336
-
C:\Windows\SysWOW64\Kalleo32.exeC:\Windows\system32\Kalleo32.exe110⤵PID:5352
-
C:\Windows\SysWOW64\Kcjhaj32.exeC:\Windows\system32\Kcjhaj32.exe111⤵PID:5368
-
C:\Windows\SysWOW64\Kjdqndji.exeC:\Windows\system32\Kjdqndji.exe112⤵PID:5384
-
C:\Windows\SysWOW64\Kanikn32.exeC:\Windows\system32\Kanikn32.exe113⤵PID:5400
-
C:\Windows\SysWOW64\Khhagh32.exeC:\Windows\system32\Khhagh32.exe114⤵PID:5416
-
C:\Windows\SysWOW64\Kfkacepm.exeC:\Windows\system32\Kfkacepm.exe115⤵PID:5432
-
C:\Windows\SysWOW64\Knbidbqo.exeC:\Windows\system32\Knbidbqo.exe116⤵PID:5448
-
C:\Windows\SysWOW64\Kaqeqnpc.exeC:\Windows\system32\Kaqeqnpc.exe117⤵PID:5464
-
C:\Windows\SysWOW64\Kelaam32.exeC:\Windows\system32\Kelaam32.exe118⤵
- Drops file in System32 directory
PID:5480 -
C:\Windows\SysWOW64\Kfmnienj.exeC:\Windows\system32\Kfmnienj.exe119⤵PID:5496
-
C:\Windows\SysWOW64\Kjijic32.exeC:\Windows\system32\Kjijic32.exe120⤵PID:5512
-
C:\Windows\SysWOW64\Kacbfnnp.exeC:\Windows\system32\Kacbfnnp.exe121⤵PID:5540
-
C:\Windows\SysWOW64\Keonfl32.exeC:\Windows\system32\Keonfl32.exe122⤵
- Drops file in System32 directory
PID:5584