Analysis
-
max time kernel
139s -
max time network
164s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
25/06/2024, 00:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
98fae8e5a3e99541337fabf8ddda3a8110bb37dba47d65d16dac35ca4900f4f7.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
98fae8e5a3e99541337fabf8ddda3a8110bb37dba47d65d16dac35ca4900f4f7.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
98fae8e5a3e99541337fabf8ddda3a8110bb37dba47d65d16dac35ca4900f4f7.exe
-
Size
548KB
-
MD5
a8cb99fe29e02f904d75d4bf31153c70
-
SHA1
4ae4e11eb07f35741e45e662a7a28ad8bca1b86f
-
SHA256
98fae8e5a3e99541337fabf8ddda3a8110bb37dba47d65d16dac35ca4900f4f7
-
SHA512
b27db8c07f31b782d9943dee00a81148e810d45eda50852f4041b4193c5dfb78bca0ca7d0519240e24ec246319ef7b7fc96dc0bd3167c04c7d7df7cfa41cc272
-
SSDEEP
12288:GttG39vV6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvGZ+C8lM1:IYq5htaSHFaZRBEYyqmaf2qwiHPKgRCW
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Limioiia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pboblika.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miqlpbap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcdpakii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaekkfcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iabglnco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpcmfchg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjemle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agmmnnpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfhipj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aghdco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnhdbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igghilhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Focakm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oikngeoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hklpaeno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agmmnnpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efjbne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pciqnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odgqopeb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afqifo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhjcbljf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpfnqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpemkcck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpjelibg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knldfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okcccdkp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phfhfa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aooolbep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afqifo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfgloiqf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihjafd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdihfq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okpkgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gklnem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcibca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpgnjebd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqbadf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfiiggpg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdmeqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leqkeajd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkplilgk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nijqcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnmnengg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkjegb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anfmeldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljmmcbdp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pddokabk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghbkdald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Haafnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckqoapgd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jopaejlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngekmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hqdkkp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijlkfg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkgaglpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pknghk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obafjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdkdbgpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnpbgajc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfakcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkepeaaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmiealgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdnkhn32.exe -
Executes dropped EXE 64 IoCs
pid Process 3348 Mjnnbk32.exe 1812 Nijqcf32.exe 2156 Ooibkpmi.exe 3188 Omalpc32.exe 1840 Oqoefand.exe 3356 Pbekii32.exe 5000 Pciqnk32.exe 1548 Qclmck32.exe 1016 Apeknk32.exe 4116 Amkhmoap.exe 2276 Affikdfn.exe 2708 Bpcgpihi.exe 1488 Bipecnkd.exe 4388 Cmedjl32.exe 3540 Dcibca32.exe 916 Egkddo32.exe 224 Edaaccbj.exe 4376 Fgiaemic.exe 4380 Fqdbdbna.exe 1136 Fqikob32.exe 1580 Gcnnllcg.exe 3644 Hqdkkp32.exe 756 Halaloif.exe 2548 Hghfnioq.exe 4356 Iabglnco.exe 3652 Jnnnfalp.exe 3656 Janghmia.exe 2060 Kopcbo32.exe 1228 Lknjhokg.exe 3832 Loopdmpk.exe 544 Odgqopeb.exe 4268 Qmckbjdl.exe 4352 Afqifo32.exe 4944 Ammnhilb.exe 4152 Abjfqpji.exe 2808 Albkieqj.exe 1240 Bifkcioc.exe 400 Bboplo32.exe 1184 Bbalaoda.exe 4836 Bpemkcck.exe 4164 Cdgolq32.exe 3564 Cfjeckpj.exe 1972 Dfakcj32.exe 4284 Dibdeegc.exe 4536 Digmqe32.exe 532 Eepkkefp.exe 3408 Eeddfe32.exe 3112 Ecidpiad.exe 1712 Fnqebaog.exe 2208 Fcddkggf.exe 4832 Gqkajk32.exe 3168 Gfjfhbpb.exe 3860 Gflcnanp.exe 2524 Hnmnengg.exe 3256 Hmbkfjko.exe 5020 Inagpm32.exe 4804 Igjlibib.exe 4260 Incdem32.exe 220 Icciccmd.exe 4488 Jgekdq32.exe 3988 Jeneidji.exe 3252 Kceoppmo.exe 2132 Kffhakjp.exe 4280 Kdmeqo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Bbalaoda.exe Bboplo32.exe File created C:\Windows\SysWOW64\Mjkmck32.dll Eijigg32.exe File created C:\Windows\SysWOW64\Kmlcae32.dll Hebkid32.exe File created C:\Windows\SysWOW64\Pibfhink.dll Olgnnqpe.exe File created C:\Windows\SysWOW64\Qkmqne32.exe Pphlpl32.exe File opened for modification C:\Windows\SysWOW64\Dcdpakii.exe Djlkhe32.exe File created C:\Windows\SysWOW64\Lmlccq32.dll Kkqepi32.exe File created C:\Windows\SysWOW64\Namnmp32.exe Nnoefagj.exe File created C:\Windows\SysWOW64\Eoladdeo.exe Dfemdcba.exe File opened for modification C:\Windows\SysWOW64\Mbcjimda.exe Mikepg32.exe File opened for modification C:\Windows\SysWOW64\Qkmqne32.exe Pphlpl32.exe File created C:\Windows\SysWOW64\Nmobjokj.dll Feella32.exe File created C:\Windows\SysWOW64\Ppnbpg32.exe Pidjcm32.exe File created C:\Windows\SysWOW64\Aqhhdgfp.dll Bidlqhgc.exe File opened for modification C:\Windows\SysWOW64\Feella32.exe Fcepbooa.exe File created C:\Windows\SysWOW64\Ohcigb32.dll Eepkkefp.exe File opened for modification C:\Windows\SysWOW64\Jgekdq32.exe Icciccmd.exe File created C:\Windows\SysWOW64\Pkjegb32.exe Odkcpi32.exe File created C:\Windows\SysWOW64\Ahdjej32.dll Lglcag32.exe File created C:\Windows\SysWOW64\Iooodacm.dll Mjiloqjb.exe File created C:\Windows\SysWOW64\Lelncp32.dll Pjoknhbe.exe File created C:\Windows\SysWOW64\Dcknnglh.dll Jkomhhae.exe File created C:\Windows\SysWOW64\Enonclfe.dll Kdpfbp32.exe File created C:\Windows\SysWOW64\Gggikgqe.dll Nijqcf32.exe File created C:\Windows\SysWOW64\Hlddal32.dll Jondojna.exe File created C:\Windows\SysWOW64\Ngaabfio.exe Nbdijpjh.exe File opened for modification C:\Windows\SysWOW64\Edaaccbj.exe Egkddo32.exe File created C:\Windows\SysWOW64\Bdicce32.dll Qnamofdf.exe File created C:\Windows\SysWOW64\Djbbhafj.exe Dajnol32.exe File created C:\Windows\SysWOW64\Ohcoob32.dll Focakm32.exe File created C:\Windows\SysWOW64\Ljoboloa.exe Llmbqdfb.exe File opened for modification C:\Windows\SysWOW64\Npgjbabk.exe Mbcjimda.exe File opened for modification C:\Windows\SysWOW64\Idfkednq.exe Hjmfmnhp.exe File opened for modification C:\Windows\SysWOW64\Bknidbhi.exe Anjikoip.exe File opened for modification C:\Windows\SysWOW64\Pbokab32.exe Pfhklabb.exe File created C:\Windows\SysWOW64\Qchgccaf.dll Kfbfmi32.exe File opened for modification C:\Windows\SysWOW64\Ihjafd32.exe Icminm32.exe File opened for modification C:\Windows\SysWOW64\Joaojf32.exe Jjefao32.exe File created C:\Windows\SysWOW64\Cjneikmp.dll Pkigbfja.exe File opened for modification C:\Windows\SysWOW64\Gebimmco.exe Fljedg32.exe File opened for modification C:\Windows\SysWOW64\Mhhcne32.exe Migcpneb.exe File created C:\Windows\SysWOW64\Fkgeph32.dll Nmpkakak.exe File created C:\Windows\SysWOW64\Aqilaplo.exe Ahngmnnd.exe File opened for modification C:\Windows\SysWOW64\Hphbpehj.exe Hhmmkcko.exe File opened for modification C:\Windows\SysWOW64\Niihlkdm.exe Nhhldc32.exe File created C:\Windows\SysWOW64\Bdnkhn32.exe Bjhgke32.exe File opened for modification C:\Windows\SysWOW64\Gaoihfoo.exe Gammbfqa.exe File created C:\Windows\SysWOW64\Kkmgenjm.dll Npqmipjq.exe File created C:\Windows\SysWOW64\Cegjdgdl.dll Iokocmnf.exe File created C:\Windows\SysWOW64\Dfpjjnpk.dll Dfemdcba.exe File created C:\Windows\SysWOW64\Oflkqc32.exe Oihkgo32.exe File created C:\Windows\SysWOW64\Jajdff32.exe Jkplilgk.exe File created C:\Windows\SysWOW64\Mpchbhjl.exe Mhhcne32.exe File created C:\Windows\SysWOW64\Ejbonb32.dll Agikne32.exe File opened for modification C:\Windows\SysWOW64\Enoddi32.exe Dgcoaock.exe File created C:\Windows\SysWOW64\Pdofpb32.exe Pkgaglpp.exe File created C:\Windows\SysWOW64\Hinklh32.dll Bnfoac32.exe File created C:\Windows\SysWOW64\Lihpdj32.exe Kifcnjpi.exe File opened for modification C:\Windows\SysWOW64\Oikngeoo.exe Obafjk32.exe File created C:\Windows\SysWOW64\Ijlamjlh.dll Jopaejlo.exe File created C:\Windows\SysWOW64\Lopeamfc.dll Oapllk32.exe File created C:\Windows\SysWOW64\Omalpc32.exe Ooibkpmi.exe File opened for modification C:\Windows\SysWOW64\Bboplo32.exe Bifkcioc.exe File created C:\Windows\SysWOW64\Bpdfpmoo.exe Bgfhnpde.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4524 800 WerFault.exe 552 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pciqnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lennpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odhiemil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppgeff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahkkhnpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpfnqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngaabfio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meocjp32.dll" Kdbjbfjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fapobl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eeddfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfjfhbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahnljade.dll" Kaflio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocicekcm.dll" Aiejda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adohmidb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhjoilop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odgqopeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfbpoi32.dll" Nnoefagj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njmopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckqoapgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecccmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppldflod.dll" Kklbop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abjfqpji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njmopj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olgnnqpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohecgli.dll" Ghmkol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djlkhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plimpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcmpgpkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ganjgf32.dll" Igghilhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imobclfe.dll" Koiejemn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adohmidb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnbnchlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pidjcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Janghmia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhbfgflc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipohpdbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfakcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dibdeegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfhoiabf.dll" Pdjeklfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feella32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Feella32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laofhbmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaflio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aqilaplo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oapllk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgiaemic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmckbjdl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcmpgpkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qdihfq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gknkkmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfcnchpa.dll" Djlkhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaflio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dehgejep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hedhoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdkmgali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doljemai.dll" Jgekdq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nahdapae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eihlahjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hligqnjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ileflmpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jajdff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cqpdof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jondojna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmhofbma.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4900 wrote to memory of 3348 4900 98fae8e5a3e99541337fabf8ddda3a8110bb37dba47d65d16dac35ca4900f4f7.exe 90 PID 4900 wrote to memory of 3348 4900 98fae8e5a3e99541337fabf8ddda3a8110bb37dba47d65d16dac35ca4900f4f7.exe 90 PID 4900 wrote to memory of 3348 4900 98fae8e5a3e99541337fabf8ddda3a8110bb37dba47d65d16dac35ca4900f4f7.exe 90 PID 3348 wrote to memory of 1812 3348 Mjnnbk32.exe 91 PID 3348 wrote to memory of 1812 3348 Mjnnbk32.exe 91 PID 3348 wrote to memory of 1812 3348 Mjnnbk32.exe 91 PID 1812 wrote to memory of 2156 1812 Nijqcf32.exe 92 PID 1812 wrote to memory of 2156 1812 Nijqcf32.exe 92 PID 1812 wrote to memory of 2156 1812 Nijqcf32.exe 92 PID 2156 wrote to memory of 3188 2156 Ooibkpmi.exe 93 PID 2156 wrote to memory of 3188 2156 Ooibkpmi.exe 93 PID 2156 wrote to memory of 3188 2156 Ooibkpmi.exe 93 PID 3188 wrote to memory of 1840 3188 Omalpc32.exe 94 PID 3188 wrote to memory of 1840 3188 Omalpc32.exe 94 PID 3188 wrote to memory of 1840 3188 Omalpc32.exe 94 PID 1840 wrote to memory of 3356 1840 Oqoefand.exe 95 PID 1840 wrote to memory of 3356 1840 Oqoefand.exe 95 PID 1840 wrote to memory of 3356 1840 Oqoefand.exe 95 PID 3356 wrote to memory of 5000 3356 Pbekii32.exe 96 PID 3356 wrote to memory of 5000 3356 Pbekii32.exe 96 PID 3356 wrote to memory of 5000 3356 Pbekii32.exe 96 PID 5000 wrote to memory of 1548 5000 Pciqnk32.exe 97 PID 5000 wrote to memory of 1548 5000 Pciqnk32.exe 97 PID 5000 wrote to memory of 1548 5000 Pciqnk32.exe 97 PID 1548 wrote to memory of 1016 1548 Qclmck32.exe 98 PID 1548 wrote to memory of 1016 1548 Qclmck32.exe 98 PID 1548 wrote to memory of 1016 1548 Qclmck32.exe 98 PID 1016 wrote to memory of 4116 1016 Apeknk32.exe 99 PID 1016 wrote to memory of 4116 1016 Apeknk32.exe 99 PID 1016 wrote to memory of 4116 1016 Apeknk32.exe 99 PID 4116 wrote to memory of 2276 4116 Amkhmoap.exe 100 PID 4116 wrote to memory of 2276 4116 Amkhmoap.exe 100 PID 4116 wrote to memory of 2276 4116 Amkhmoap.exe 100 PID 2276 wrote to memory of 2708 2276 Affikdfn.exe 101 PID 2276 wrote to memory of 2708 2276 Affikdfn.exe 101 PID 2276 wrote to memory of 2708 2276 Affikdfn.exe 101 PID 2708 wrote to memory of 1488 2708 Bpcgpihi.exe 102 PID 2708 wrote to memory of 1488 2708 Bpcgpihi.exe 102 PID 2708 wrote to memory of 1488 2708 Bpcgpihi.exe 102 PID 1488 wrote to memory of 4388 1488 Bipecnkd.exe 103 PID 1488 wrote to memory of 4388 1488 Bipecnkd.exe 103 PID 1488 wrote to memory of 4388 1488 Bipecnkd.exe 103 PID 4388 wrote to memory of 3540 4388 Cmedjl32.exe 104 PID 4388 wrote to memory of 3540 4388 Cmedjl32.exe 104 PID 4388 wrote to memory of 3540 4388 Cmedjl32.exe 104 PID 3540 wrote to memory of 916 3540 Dcibca32.exe 105 PID 3540 wrote to memory of 916 3540 Dcibca32.exe 105 PID 3540 wrote to memory of 916 3540 Dcibca32.exe 105 PID 916 wrote to memory of 224 916 Egkddo32.exe 106 PID 916 wrote to memory of 224 916 Egkddo32.exe 106 PID 916 wrote to memory of 224 916 Egkddo32.exe 106 PID 224 wrote to memory of 4376 224 Edaaccbj.exe 107 PID 224 wrote to memory of 4376 224 Edaaccbj.exe 107 PID 224 wrote to memory of 4376 224 Edaaccbj.exe 107 PID 4376 wrote to memory of 4380 4376 Fgiaemic.exe 108 PID 4376 wrote to memory of 4380 4376 Fgiaemic.exe 108 PID 4376 wrote to memory of 4380 4376 Fgiaemic.exe 108 PID 4380 wrote to memory of 1136 4380 Fqdbdbna.exe 109 PID 4380 wrote to memory of 1136 4380 Fqdbdbna.exe 109 PID 4380 wrote to memory of 1136 4380 Fqdbdbna.exe 109 PID 1136 wrote to memory of 1580 1136 Fqikob32.exe 110 PID 1136 wrote to memory of 1580 1136 Fqikob32.exe 110 PID 1136 wrote to memory of 1580 1136 Fqikob32.exe 110 PID 1580 wrote to memory of 3644 1580 Gcnnllcg.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\98fae8e5a3e99541337fabf8ddda3a8110bb37dba47d65d16dac35ca4900f4f7.exe"C:\Users\Admin\AppData\Local\Temp\98fae8e5a3e99541337fabf8ddda3a8110bb37dba47d65d16dac35ca4900f4f7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\Mjnnbk32.exeC:\Windows\system32\Mjnnbk32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
C:\Windows\SysWOW64\Nijqcf32.exeC:\Windows\system32\Nijqcf32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Ooibkpmi.exeC:\Windows\system32\Ooibkpmi.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Omalpc32.exeC:\Windows\system32\Omalpc32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\SysWOW64\Oqoefand.exeC:\Windows\system32\Oqoefand.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\Pbekii32.exeC:\Windows\system32\Pbekii32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\Pciqnk32.exeC:\Windows\system32\Pciqnk32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\SysWOW64\Qclmck32.exeC:\Windows\system32\Qclmck32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Apeknk32.exeC:\Windows\system32\Apeknk32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\Amkhmoap.exeC:\Windows\system32\Amkhmoap.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\Windows\SysWOW64\Affikdfn.exeC:\Windows\system32\Affikdfn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Bpcgpihi.exeC:\Windows\system32\Bpcgpihi.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Bipecnkd.exeC:\Windows\system32\Bipecnkd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Cmedjl32.exeC:\Windows\system32\Cmedjl32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\SysWOW64\Dcibca32.exeC:\Windows\system32\Dcibca32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\SysWOW64\Egkddo32.exeC:\Windows\system32\Egkddo32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\SysWOW64\Edaaccbj.exeC:\Windows\system32\Edaaccbj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\SysWOW64\Fgiaemic.exeC:\Windows\system32\Fgiaemic.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Windows\SysWOW64\Fqdbdbna.exeC:\Windows\system32\Fqdbdbna.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\SysWOW64\Fqikob32.exeC:\Windows\system32\Fqikob32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Gcnnllcg.exeC:\Windows\system32\Gcnnllcg.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Hqdkkp32.exeC:\Windows\system32\Hqdkkp32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3644 -
C:\Windows\SysWOW64\Halaloif.exeC:\Windows\system32\Halaloif.exe24⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Hghfnioq.exeC:\Windows\system32\Hghfnioq.exe25⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Iabglnco.exeC:\Windows\system32\Iabglnco.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Jnnnfalp.exeC:\Windows\system32\Jnnnfalp.exe27⤵
- Executes dropped EXE
PID:3652 -
C:\Windows\SysWOW64\Janghmia.exeC:\Windows\system32\Janghmia.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:3656 -
C:\Windows\SysWOW64\Kopcbo32.exeC:\Windows\system32\Kopcbo32.exe29⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Lknjhokg.exeC:\Windows\system32\Lknjhokg.exe30⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Loopdmpk.exeC:\Windows\system32\Loopdmpk.exe31⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Odgqopeb.exeC:\Windows\system32\Odgqopeb.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:544 -
C:\Windows\SysWOW64\Qmckbjdl.exeC:\Windows\system32\Qmckbjdl.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:4268 -
C:\Windows\SysWOW64\Afqifo32.exeC:\Windows\system32\Afqifo32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Ammnhilb.exeC:\Windows\system32\Ammnhilb.exe35⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Abjfqpji.exeC:\Windows\system32\Abjfqpji.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:4152 -
C:\Windows\SysWOW64\Albkieqj.exeC:\Windows\system32\Albkieqj.exe37⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Bifkcioc.exeC:\Windows\system32\Bifkcioc.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1240 -
C:\Windows\SysWOW64\Bboplo32.exeC:\Windows\system32\Bboplo32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:400 -
C:\Windows\SysWOW64\Bbalaoda.exeC:\Windows\system32\Bbalaoda.exe40⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Bpemkcck.exeC:\Windows\system32\Bpemkcck.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Cdgolq32.exeC:\Windows\system32\Cdgolq32.exe42⤵
- Executes dropped EXE
PID:4164 -
C:\Windows\SysWOW64\Cfjeckpj.exeC:\Windows\system32\Cfjeckpj.exe43⤵
- Executes dropped EXE
PID:3564 -
C:\Windows\SysWOW64\Dfakcj32.exeC:\Windows\system32\Dfakcj32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1972 -
C:\Windows\SysWOW64\Dibdeegc.exeC:\Windows\system32\Dibdeegc.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:4284 -
C:\Windows\SysWOW64\Digmqe32.exeC:\Windows\system32\Digmqe32.exe46⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Eepkkefp.exeC:\Windows\system32\Eepkkefp.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:532 -
C:\Windows\SysWOW64\Eeddfe32.exeC:\Windows\system32\Eeddfe32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:3408 -
C:\Windows\SysWOW64\Ecidpiad.exeC:\Windows\system32\Ecidpiad.exe49⤵
- Executes dropped EXE
PID:3112 -
C:\Windows\SysWOW64\Fnqebaog.exeC:\Windows\system32\Fnqebaog.exe50⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Fcddkggf.exeC:\Windows\system32\Fcddkggf.exe51⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Gqkajk32.exeC:\Windows\system32\Gqkajk32.exe52⤵
- Executes dropped EXE
PID:4832 -
C:\Windows\SysWOW64\Gfjfhbpb.exeC:\Windows\system32\Gfjfhbpb.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:3168 -
C:\Windows\SysWOW64\Gflcnanp.exeC:\Windows\system32\Gflcnanp.exe54⤵
- Executes dropped EXE
PID:3860 -
C:\Windows\SysWOW64\Hnmnengg.exeC:\Windows\system32\Hnmnengg.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Hmbkfjko.exeC:\Windows\system32\Hmbkfjko.exe56⤵
- Executes dropped EXE
PID:3256 -
C:\Windows\SysWOW64\Inagpm32.exeC:\Windows\system32\Inagpm32.exe57⤵
- Executes dropped EXE
PID:5020 -
C:\Windows\SysWOW64\Igjlibib.exeC:\Windows\system32\Igjlibib.exe58⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Incdem32.exeC:\Windows\system32\Incdem32.exe59⤵
- Executes dropped EXE
PID:4260 -
C:\Windows\SysWOW64\Icciccmd.exeC:\Windows\system32\Icciccmd.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:220 -
C:\Windows\SysWOW64\Jgekdq32.exeC:\Windows\system32\Jgekdq32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:4488 -
C:\Windows\SysWOW64\Jeneidji.exeC:\Windows\system32\Jeneidji.exe62⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Kceoppmo.exeC:\Windows\system32\Kceoppmo.exe63⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Kffhakjp.exeC:\Windows\system32\Kffhakjp.exe64⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Kdmeqo32.exeC:\Windows\system32\Kdmeqo32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Lelajb32.exeC:\Windows\system32\Lelajb32.exe66⤵PID:3800
-
C:\Windows\SysWOW64\Lennpb32.exeC:\Windows\system32\Lennpb32.exe67⤵
- Modifies registry class
PID:3792 -
C:\Windows\SysWOW64\Lfpkhjae.exeC:\Windows\system32\Lfpkhjae.exe68⤵PID:1168
-
C:\Windows\SysWOW64\Leqkeajd.exeC:\Windows\system32\Leqkeajd.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1756 -
C:\Windows\SysWOW64\Loniiflo.exeC:\Windows\system32\Loniiflo.exe70⤵PID:4964
-
C:\Windows\SysWOW64\Mmhofbma.exeC:\Windows\system32\Mmhofbma.exe71⤵
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Nahdapae.exeC:\Windows\system32\Nahdapae.exe72⤵
- Modifies registry class
PID:1148 -
C:\Windows\SysWOW64\Nnoefagj.exeC:\Windows\system32\Nnoefagj.exe73⤵
- Drops file in System32 directory
- Modifies registry class
PID:2916 -
C:\Windows\SysWOW64\Namnmp32.exeC:\Windows\system32\Namnmp32.exe74⤵PID:1568
-
C:\Windows\SysWOW64\Nkebee32.exeC:\Windows\system32\Nkebee32.exe75⤵PID:1716
-
C:\Windows\SysWOW64\Oogdfc32.exeC:\Windows\system32\Oogdfc32.exe76⤵PID:5132
-
C:\Windows\SysWOW64\Okneldkf.exeC:\Windows\system32\Okneldkf.exe77⤵PID:5184
-
C:\Windows\SysWOW64\Odkcpi32.exeC:\Windows\system32\Odkcpi32.exe78⤵
- Drops file in System32 directory
PID:5228 -
C:\Windows\SysWOW64\Pkjegb32.exeC:\Windows\system32\Pkjegb32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5276 -
C:\Windows\SysWOW64\Pbfjjlgc.exeC:\Windows\system32\Pbfjjlgc.exe80⤵PID:5312
-
C:\Windows\SysWOW64\Pbifol32.exeC:\Windows\system32\Pbifol32.exe81⤵PID:5368
-
C:\Windows\SysWOW64\Qbkcek32.exeC:\Windows\system32\Qbkcek32.exe82⤵PID:5412
-
C:\Windows\SysWOW64\Qghlmbae.exeC:\Windows\system32\Qghlmbae.exe83⤵PID:5460
-
C:\Windows\SysWOW64\Akfdcq32.exeC:\Windows\system32\Akfdcq32.exe84⤵PID:5500
-
C:\Windows\SysWOW64\Afkipi32.exeC:\Windows\system32\Afkipi32.exe85⤵PID:5544
-
C:\Windows\SysWOW64\Anfmeldl.exeC:\Windows\system32\Anfmeldl.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5584 -
C:\Windows\SysWOW64\Bgfhnpde.exeC:\Windows\system32\Bgfhnpde.exe87⤵
- Drops file in System32 directory
PID:5632 -
C:\Windows\SysWOW64\Bpdfpmoo.exeC:\Windows\system32\Bpdfpmoo.exe88⤵PID:5680
-
C:\Windows\SysWOW64\Ciogobcm.exeC:\Windows\system32\Ciogobcm.exe89⤵PID:5740
-
C:\Windows\SysWOW64\Ciaddaaj.exeC:\Windows\system32\Ciaddaaj.exe90⤵PID:5784
-
C:\Windows\SysWOW64\Cehdib32.exeC:\Windows\system32\Cehdib32.exe91⤵PID:5856
-
C:\Windows\SysWOW64\Cnpibh32.exeC:\Windows\system32\Cnpibh32.exe92⤵PID:5904
-
C:\Windows\SysWOW64\Cldjkl32.exeC:\Windows\system32\Cldjkl32.exe93⤵PID:5948
-
C:\Windows\SysWOW64\Cemndbci.exeC:\Windows\system32\Cemndbci.exe94⤵PID:6008
-
C:\Windows\SysWOW64\Dbehienn.exeC:\Windows\system32\Dbehienn.exe95⤵PID:6060
-
C:\Windows\SysWOW64\Dfemdcba.exeC:\Windows\system32\Dfemdcba.exe96⤵
- Drops file in System32 directory
PID:6120 -
C:\Windows\SysWOW64\Eoladdeo.exeC:\Windows\system32\Eoladdeo.exe97⤵PID:1788
-
C:\Windows\SysWOW64\Fljedg32.exeC:\Windows\system32\Fljedg32.exe98⤵
- Drops file in System32 directory
PID:4628 -
C:\Windows\SysWOW64\Gebimmco.exeC:\Windows\system32\Gebimmco.exe99⤵PID:5244
-
C:\Windows\SysWOW64\Gpgnjebd.exeC:\Windows\system32\Gpgnjebd.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5328 -
C:\Windows\SysWOW64\Ggafgo32.exeC:\Windows\system32\Ggafgo32.exe101⤵PID:5376
-
C:\Windows\SysWOW64\Glnnofhi.exeC:\Windows\system32\Glnnofhi.exe102⤵PID:5452
-
C:\Windows\SysWOW64\Glqkefff.exeC:\Windows\system32\Glqkefff.exe103⤵PID:5480
-
C:\Windows\SysWOW64\Geipnl32.exeC:\Windows\system32\Geipnl32.exe104⤵PID:1996
-
C:\Windows\SysWOW64\Gcmpgpkp.exeC:\Windows\system32\Gcmpgpkp.exe105⤵
- Modifies registry class
PID:5564 -
C:\Windows\SysWOW64\Hcommoin.exeC:\Windows\system32\Hcommoin.exe106⤵PID:5620
-
C:\Windows\SysWOW64\Hpcmfchg.exeC:\Windows\system32\Hpcmfchg.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5708 -
C:\Windows\SysWOW64\Hgbonm32.exeC:\Windows\system32\Hgbonm32.exe108⤵PID:5844
-
C:\Windows\SysWOW64\Hfgloiqf.exeC:\Windows\system32\Hfgloiqf.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5932 -
C:\Windows\SysWOW64\Igghilhi.exeC:\Windows\system32\Igghilhi.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5628 -
C:\Windows\SysWOW64\Icminm32.exeC:\Windows\system32\Icminm32.exe111⤵
- Drops file in System32 directory
PID:6052 -
C:\Windows\SysWOW64\Ihjafd32.exeC:\Windows\system32\Ihjafd32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6092 -
C:\Windows\SysWOW64\Ijjnpg32.exeC:\Windows\system32\Ijjnpg32.exe113⤵PID:5168
-
C:\Windows\SysWOW64\Ioffhn32.exeC:\Windows\system32\Ioffhn32.exe114⤵PID:5216
-
C:\Windows\SysWOW64\Ijlkfg32.exeC:\Windows\system32\Ijlkfg32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5296 -
C:\Windows\SysWOW64\Jfgefg32.exeC:\Windows\system32\Jfgefg32.exe116⤵PID:5524
-
C:\Windows\SysWOW64\Jckeokan.exeC:\Windows\system32\Jckeokan.exe117⤵PID:5608
-
C:\Windows\SysWOW64\Jjemle32.exeC:\Windows\system32\Jjemle32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5668 -
C:\Windows\SysWOW64\Jjhjae32.exeC:\Windows\system32\Jjhjae32.exe119⤵PID:5864
-
C:\Windows\SysWOW64\Jjjggede.exeC:\Windows\system32\Jjjggede.exe120⤵PID:5984
-
C:\Windows\SysWOW64\Kaflio32.exeC:\Windows\system32\Kaflio32.exe121⤵
- Modifies registry class
PID:6088
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-