Analysis
-
max time kernel
93s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
01/07/2024, 04:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fc4ff36f2fccf75c0ccf63fb16fd00c541efe71cc4452d3d1d239e84cde64090.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
fc4ff36f2fccf75c0ccf63fb16fd00c541efe71cc4452d3d1d239e84cde64090.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
fc4ff36f2fccf75c0ccf63fb16fd00c541efe71cc4452d3d1d239e84cde64090.exe
-
Size
427KB
-
MD5
66675dd48e5dfe0805bac7e4f10dc8a5
-
SHA1
9d0993f612382e60e0a4647358cd85d9d00fadda
-
SHA256
fc4ff36f2fccf75c0ccf63fb16fd00c541efe71cc4452d3d1d239e84cde64090
-
SHA512
28331cbd9e07a82e14b0cc574d64ca05517541835c71510ba6b8ee373bc9f4a3c668019708e4c38c957479e6498e0b64f3da24402341c94ed61aaa64514d12e0
-
SSDEEP
3072:ebqlxF2/4y+A8heNJyRCSTWqAhELy1MTT6e:m8egy+FeNWCSTYaT1
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knlleepl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Diffglam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kghjhemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llhikacp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paelfmaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmohno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dejacond.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlpeff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhngolpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eclmamod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omqmop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imfdff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pllgnl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aanbhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbgipldd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liddbc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmngqdpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnbmefbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehfcfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mehcdfch.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqkgbcff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bafndi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdcbom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abponp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bobcpmfc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmiciaaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmidog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmkadgpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfhhoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjbogmdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bafndi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fngcmcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhdbhcck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kefdbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbgnemjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaqbkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbjena32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlbgha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmncnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjjhbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdnldd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lihfcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abngjnmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbfheo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbcfhibj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipoopgnf.exe -
Executes dropped EXE 64 IoCs
pid Process 1164 Odpjcm32.exe 944 Okjbpglo.exe 228 Okloegjl.exe 4212 Odednmpm.exe 1552 Onmhgb32.exe 4100 Pgemphmn.exe 5068 Pnpemb32.exe 400 Pclneicb.exe 2988 Pbmncp32.exe 4812 Pgjfkg32.exe 4752 Pndohaqe.exe 4936 Pabkdmpi.exe 404 Pcagphom.exe 608 Pagdol32.exe 2992 Qcepkg32.exe 4512 Qnkdhpjn.exe 2948 Qajadlja.exe 2440 Qeemej32.exe 3508 Qgciaf32.exe 3136 Qloebdig.exe 1972 Qnnanphk.exe 4084 Qbimoo32.exe 1320 Aegikj32.exe 2080 Agffge32.exe 3428 Anpncp32.exe 3348 Aanjpk32.exe 1844 Aejfpjne.exe 2732 Acmflf32.exe 3548 Ahhblemi.exe 444 Aldomc32.exe 784 Anbkio32.exe 3992 Abngjnmo.exe 3864 Aaqgek32.exe 1044 Aelcfilb.exe 3084 Ahkobekf.exe 4308 Ajiknpjj.exe 1832 Abpcon32.exe 4848 Aacckjaf.exe 924 Aeopki32.exe 4948 Ahmlgd32.exe 2096 Alhhhcal.exe 4440 Ajkhdp32.exe 1572 Abbpem32.exe 3080 Aaepqjpd.exe 3772 Adcmmeog.exe 4524 Alkdnboj.exe 2324 Ajneip32.exe 3048 Abemjmgg.exe 3708 Becifhfj.exe 2172 Bdfibe32.exe 1160 Bjpaooda.exe 460 Bnlnon32.exe 2224 Bbgipldd.exe 2236 Bajjli32.exe 1528 Beeflhdh.exe 4332 Bhdbhcck.exe 4120 Blpnib32.exe 3656 Bnnjen32.exe 2504 Bbifelba.exe 3064 Behbag32.exe 1532 Bhfonc32.exe 4928 Blbknaib.exe 956 Bopgjmhe.exe 2884 Bobcpmfc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fndchiip.dll Mblcnj32.exe File opened for modification C:\Windows\SysWOW64\Fkofga32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ahkobekf.exe Aelcfilb.exe File created C:\Windows\SysWOW64\Cleqadmh.dll Aacckjaf.exe File opened for modification C:\Windows\SysWOW64\Kimnbd32.exe Kfoafi32.exe File created C:\Windows\SysWOW64\Ijfjal32.dll Medgncoe.exe File opened for modification C:\Windows\SysWOW64\Hhgloc32.exe Hbmcbime.exe File created C:\Windows\SysWOW64\Neclenfo.exe Nnicid32.exe File opened for modification C:\Windows\SysWOW64\Klahfp32.exe Process not Found File created C:\Windows\SysWOW64\Nmipdk32.exe Process not Found File created C:\Windows\SysWOW64\Dgeenfog.exe Process not Found File created C:\Windows\SysWOW64\Inpocg32.dll Kipkhdeq.exe File created C:\Windows\SysWOW64\Miifeq32.exe Mpablkhc.exe File created C:\Windows\SysWOW64\Meebmkdh.dll Leenhhdn.exe File created C:\Windows\SysWOW64\Nddbqe32.dll Jklinohd.exe File created C:\Windows\SysWOW64\Pmapoggk.dll Process not Found File created C:\Windows\SysWOW64\Aejfpjne.exe Aanjpk32.exe File opened for modification C:\Windows\SysWOW64\Ddjmba32.exe Dkahilkl.exe File created C:\Windows\SysWOW64\Hbobhb32.dll Process not Found File created C:\Windows\SysWOW64\Aecqac32.dll Cliaoq32.exe File created C:\Windows\SysWOW64\Jmmmebhb.dll Ambgef32.exe File opened for modification C:\Windows\SysWOW64\Bqmeal32.exe Bjcmebie.exe File opened for modification C:\Windows\SysWOW64\Pedlgbkh.exe Pcepkfld.exe File created C:\Windows\SysWOW64\Cjkoqgjn.dll Gfheof32.exe File opened for modification C:\Windows\SysWOW64\Eoepebho.exe Process not Found File created C:\Windows\SysWOW64\Hapfpelh.dll Process not Found File created C:\Windows\SysWOW64\Fcmnpe32.exe Fhgjblfq.exe File created C:\Windows\SysWOW64\Ebcdpe32.dll Hakgmjoh.exe File created C:\Windows\SysWOW64\Aggegh32.exe Amaqjp32.exe File opened for modification C:\Windows\SysWOW64\Bbgeno32.exe Bkmmaeap.exe File created C:\Windows\SysWOW64\Ajmdgelp.dll Dbcmakpl.exe File opened for modification C:\Windows\SysWOW64\Jngbjd32.exe Process not Found File created C:\Windows\SysWOW64\Cfiedd32.dll Process not Found File created C:\Windows\SysWOW64\Nciopppp.exe Process not Found File created C:\Windows\SysWOW64\Cjcjni32.dll Ppmcdq32.exe File created C:\Windows\SysWOW64\Bbikhdcm.dll Process not Found File created C:\Windows\SysWOW64\Fjiepeok.dll Ejpfhnpe.exe File created C:\Windows\SysWOW64\Bhaomhld.dll Kmdqgd32.exe File created C:\Windows\SysWOW64\Mlkonq32.dll Fipbdikp.exe File created C:\Windows\SysWOW64\Mblcnj32.exe Mjellmbp.exe File created C:\Windows\SysWOW64\Jomnmjjb.dll Boeebnhp.exe File created C:\Windows\SysWOW64\Ljcpchlo.dll Process not Found File created C:\Windows\SysWOW64\Bkgppbgc.dll Process not Found File created C:\Windows\SysWOW64\Kplcdidf.dll Edihepnm.exe File created C:\Windows\SysWOW64\Gbdhjm32.dll Ngbpidjh.exe File created C:\Windows\SysWOW64\Pgpecj32.dll Process not Found File created C:\Windows\SysWOW64\Mlampmdo.exe Mibpda32.exe File opened for modification C:\Windows\SysWOW64\Pocfpf32.exe Plejdkmm.exe File created C:\Windows\SysWOW64\Igajal32.exe Process not Found File created C:\Windows\SysWOW64\Npgmpf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mhdckaeo.exe Meefofek.exe File opened for modification C:\Windows\SysWOW64\Ikkpgafg.exe Idahjg32.exe File created C:\Windows\SysWOW64\Aefjii32.exe Aolblopj.exe File created C:\Windows\SysWOW64\Nlnhqepf.dll Eblimcdf.exe File created C:\Windows\SysWOW64\Mjdgcbkb.dll Bajjli32.exe File created C:\Windows\SysWOW64\Booogccm.dll Opakbi32.exe File opened for modification C:\Windows\SysWOW64\Lbkkgl32.exe Lkabjbih.exe File created C:\Windows\SysWOW64\Bklfgo32.exe Bhnikc32.exe File created C:\Windows\SysWOW64\Fngcmcfe.exe Fijkdmhn.exe File created C:\Windows\SysWOW64\Ppcbba32.dll Process not Found File created C:\Windows\SysWOW64\Kpiqfima.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lepleocn.exe Process not Found File created C:\Windows\SysWOW64\Pmdkch32.exe Pfjcgn32.exe File created C:\Windows\SysWOW64\Ccdlci32.dll Pqdqof32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 15172 14976 Process not Found 1571 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maodigil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocgeag32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Libddmim.dll" Bnnjen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nibbqicm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kldmckic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpaagldf.dll" Fngcmcfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjcmebie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfdhao32.dll" Iigdfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kefdbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgfhfd32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmfeidbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnlmhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpgnjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaghgm32.dll" Lcjcnoej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npefkf32.dll" Coohhlpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgjfkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbjkkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agdhbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhoneioi.dll" Jkgpbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idjlpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emmkiclm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ophpeg32.dll" Kghjhemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fijgdejm.dll" Oehlkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pocfpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigqjdgo.dll" Acfhad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchkcb32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gomakdcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dphefd32.dll" Jgogbgei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbnffffp.dll" Odoogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eppjfgcp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qlggjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaqbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpifba32.dll" Poomegpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbpflbpa.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gomakdcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhocqigp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giinpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddplkbaa.dll" Jdmgfedl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfhpakim.dll" Lnadagbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaccdk32.dll" Jnkcogno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcjppk32.dll" Hpfcdojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdflknog.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndnljbeg.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohnefj32.dll" Mhgfkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmophg32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pidcecbj.dll" Podmkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkjlic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kamhmbej.dll" Dpdaepai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkhnjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaepqjpd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3380 wrote to memory of 1164 3380 fc4ff36f2fccf75c0ccf63fb16fd00c541efe71cc4452d3d1d239e84cde64090.exe 81 PID 3380 wrote to memory of 1164 3380 fc4ff36f2fccf75c0ccf63fb16fd00c541efe71cc4452d3d1d239e84cde64090.exe 81 PID 3380 wrote to memory of 1164 3380 fc4ff36f2fccf75c0ccf63fb16fd00c541efe71cc4452d3d1d239e84cde64090.exe 81 PID 1164 wrote to memory of 944 1164 Odpjcm32.exe 82 PID 1164 wrote to memory of 944 1164 Odpjcm32.exe 82 PID 1164 wrote to memory of 944 1164 Odpjcm32.exe 82 PID 944 wrote to memory of 228 944 Okjbpglo.exe 83 PID 944 wrote to memory of 228 944 Okjbpglo.exe 83 PID 944 wrote to memory of 228 944 Okjbpglo.exe 83 PID 228 wrote to memory of 4212 228 Okloegjl.exe 84 PID 228 wrote to memory of 4212 228 Okloegjl.exe 84 PID 228 wrote to memory of 4212 228 Okloegjl.exe 84 PID 4212 wrote to memory of 1552 4212 Odednmpm.exe 85 PID 4212 wrote to memory of 1552 4212 Odednmpm.exe 85 PID 4212 wrote to memory of 1552 4212 Odednmpm.exe 85 PID 1552 wrote to memory of 4100 1552 Onmhgb32.exe 86 PID 1552 wrote to memory of 4100 1552 Onmhgb32.exe 86 PID 1552 wrote to memory of 4100 1552 Onmhgb32.exe 86 PID 4100 wrote to memory of 5068 4100 Pgemphmn.exe 87 PID 4100 wrote to memory of 5068 4100 Pgemphmn.exe 87 PID 4100 wrote to memory of 5068 4100 Pgemphmn.exe 87 PID 5068 wrote to memory of 400 5068 Pnpemb32.exe 88 PID 5068 wrote to memory of 400 5068 Pnpemb32.exe 88 PID 5068 wrote to memory of 400 5068 Pnpemb32.exe 88 PID 400 wrote to memory of 2988 400 Pclneicb.exe 89 PID 400 wrote to memory of 2988 400 Pclneicb.exe 89 PID 400 wrote to memory of 2988 400 Pclneicb.exe 89 PID 2988 wrote to memory of 4812 2988 Pbmncp32.exe 90 PID 2988 wrote to memory of 4812 2988 Pbmncp32.exe 90 PID 2988 wrote to memory of 4812 2988 Pbmncp32.exe 90 PID 4812 wrote to memory of 4752 4812 Pgjfkg32.exe 91 PID 4812 wrote to memory of 4752 4812 Pgjfkg32.exe 91 PID 4812 wrote to memory of 4752 4812 Pgjfkg32.exe 91 PID 4752 wrote to memory of 4936 4752 Pndohaqe.exe 92 PID 4752 wrote to memory of 4936 4752 Pndohaqe.exe 92 PID 4752 wrote to memory of 4936 4752 Pndohaqe.exe 92 PID 4936 wrote to memory of 404 4936 Pabkdmpi.exe 93 PID 4936 wrote to memory of 404 4936 Pabkdmpi.exe 93 PID 4936 wrote to memory of 404 4936 Pabkdmpi.exe 93 PID 404 wrote to memory of 608 404 Pcagphom.exe 94 PID 404 wrote to memory of 608 404 Pcagphom.exe 94 PID 404 wrote to memory of 608 404 Pcagphom.exe 94 PID 608 wrote to memory of 2992 608 Pagdol32.exe 95 PID 608 wrote to memory of 2992 608 Pagdol32.exe 95 PID 608 wrote to memory of 2992 608 Pagdol32.exe 95 PID 2992 wrote to memory of 4512 2992 Qcepkg32.exe 96 PID 2992 wrote to memory of 4512 2992 Qcepkg32.exe 96 PID 2992 wrote to memory of 4512 2992 Qcepkg32.exe 96 PID 4512 wrote to memory of 2948 4512 Qnkdhpjn.exe 97 PID 4512 wrote to memory of 2948 4512 Qnkdhpjn.exe 97 PID 4512 wrote to memory of 2948 4512 Qnkdhpjn.exe 97 PID 2948 wrote to memory of 2440 2948 Qajadlja.exe 98 PID 2948 wrote to memory of 2440 2948 Qajadlja.exe 98 PID 2948 wrote to memory of 2440 2948 Qajadlja.exe 98 PID 2440 wrote to memory of 3508 2440 Qeemej32.exe 99 PID 2440 wrote to memory of 3508 2440 Qeemej32.exe 99 PID 2440 wrote to memory of 3508 2440 Qeemej32.exe 99 PID 3508 wrote to memory of 3136 3508 Qgciaf32.exe 100 PID 3508 wrote to memory of 3136 3508 Qgciaf32.exe 100 PID 3508 wrote to memory of 3136 3508 Qgciaf32.exe 100 PID 3136 wrote to memory of 1972 3136 Qloebdig.exe 101 PID 3136 wrote to memory of 1972 3136 Qloebdig.exe 101 PID 3136 wrote to memory of 1972 3136 Qloebdig.exe 101 PID 1972 wrote to memory of 4084 1972 Qnnanphk.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\fc4ff36f2fccf75c0ccf63fb16fd00c541efe71cc4452d3d1d239e84cde64090.exe"C:\Users\Admin\AppData\Local\Temp\fc4ff36f2fccf75c0ccf63fb16fd00c541efe71cc4452d3d1d239e84cde64090.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3380 -
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Windows\SysWOW64\Okloegjl.exeC:\Windows\system32\Okloegjl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Windows\SysWOW64\Onmhgb32.exeC:\Windows\system32\Onmhgb32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\Pgemphmn.exeC:\Windows\system32\Pgemphmn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\SysWOW64\Pnpemb32.exeC:\Windows\system32\Pnpemb32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Pgjfkg32.exeC:\Windows\system32\Pgjfkg32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:608 -
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Qnkdhpjn.exeC:\Windows\system32\Qnkdhpjn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe23⤵
- Executes dropped EXE
PID:4084 -
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe24⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe25⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Anpncp32.exeC:\Windows\system32\Anpncp32.exe26⤵
- Executes dropped EXE
PID:3428 -
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3348 -
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe28⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe29⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe30⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe31⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Anbkio32.exeC:\Windows\system32\Anbkio32.exe32⤵
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3992 -
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe34⤵
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1044 -
C:\Windows\SysWOW64\Ahkobekf.exeC:\Windows\system32\Ahkobekf.exe36⤵
- Executes dropped EXE
PID:3084 -
C:\Windows\SysWOW64\Ajiknpjj.exeC:\Windows\system32\Ajiknpjj.exe37⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Abpcon32.exeC:\Windows\system32\Abpcon32.exe38⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4848 -
C:\Windows\SysWOW64\Aeopki32.exeC:\Windows\system32\Aeopki32.exe40⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe41⤵
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Alhhhcal.exeC:\Windows\system32\Alhhhcal.exe42⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe43⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Abbpem32.exeC:\Windows\system32\Abbpem32.exe44⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:3080 -
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe46⤵
- Executes dropped EXE
PID:3772 -
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe47⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe48⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe49⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Becifhfj.exeC:\Windows\system32\Becifhfj.exe50⤵
- Executes dropped EXE
PID:3708 -
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe51⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Bjpaooda.exeC:\Windows\system32\Bjpaooda.exe52⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe53⤵
- Executes dropped EXE
PID:460 -
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Bajjli32.exeC:\Windows\system32\Bajjli32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2236 -
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe56⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Bhdbhcck.exeC:\Windows\system32\Bhdbhcck.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Blpnib32.exeC:\Windows\system32\Blpnib32.exe58⤵
- Executes dropped EXE
PID:4120 -
C:\Windows\SysWOW64\Bnnjen32.exeC:\Windows\system32\Bnnjen32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:3656 -
C:\Windows\SysWOW64\Bbifelba.exeC:\Windows\system32\Bbifelba.exe60⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe61⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Bhfonc32.exeC:\Windows\system32\Bhfonc32.exe62⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Blbknaib.exeC:\Windows\system32\Blbknaib.exe63⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Bopgjmhe.exeC:\Windows\system32\Bopgjmhe.exe64⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Bobcpmfc.exeC:\Windows\system32\Bobcpmfc.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Baaplhef.exeC:\Windows\system32\Baaplhef.exe66⤵PID:2764
-
C:\Windows\SysWOW64\Bemlmgnp.exeC:\Windows\system32\Bemlmgnp.exe67⤵PID:4876
-
C:\Windows\SysWOW64\Bhkhibmc.exeC:\Windows\system32\Bhkhibmc.exe68⤵PID:1452
-
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe69⤵PID:3876
-
C:\Windows\SysWOW64\Boepel32.exeC:\Windows\system32\Boepel32.exe70⤵PID:4304
-
C:\Windows\SysWOW64\Cacmah32.exeC:\Windows\system32\Cacmah32.exe71⤵PID:1924
-
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe72⤵PID:60
-
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe73⤵
- Drops file in System32 directory
PID:540 -
C:\Windows\SysWOW64\Cogmkl32.exeC:\Windows\system32\Cogmkl32.exe74⤵PID:4788
-
C:\Windows\SysWOW64\Cbcilkjg.exeC:\Windows\system32\Cbcilkjg.exe75⤵PID:468
-
C:\Windows\SysWOW64\Ceaehfjj.exeC:\Windows\system32\Ceaehfjj.exe76⤵PID:3212
-
C:\Windows\SysWOW64\Cddecc32.exeC:\Windows\system32\Cddecc32.exe77⤵PID:3848
-
C:\Windows\SysWOW64\Clkndpag.exeC:\Windows\system32\Clkndpag.exe78⤵PID:1508
-
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe79⤵PID:3384
-
C:\Windows\SysWOW64\Ckcgkldl.exeC:\Windows\system32\Ckcgkldl.exe80⤵PID:3660
-
C:\Windows\SysWOW64\Cdkldb32.exeC:\Windows\system32\Cdkldb32.exe81⤵PID:3092
-
C:\Windows\SysWOW64\Doqpak32.exeC:\Windows\system32\Doqpak32.exe82⤵PID:3684
-
C:\Windows\SysWOW64\Dhidjpqc.exeC:\Windows\system32\Dhidjpqc.exe83⤵PID:1916
-
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe84⤵PID:4780
-
C:\Windows\SysWOW64\Doeiljfn.exeC:\Windows\system32\Doeiljfn.exe85⤵PID:344
-
C:\Windows\SysWOW64\Deoaid32.exeC:\Windows\system32\Deoaid32.exe86⤵PID:4404
-
C:\Windows\SysWOW64\Dlijfneg.exeC:\Windows\system32\Dlijfneg.exe87⤵PID:3972
-
C:\Windows\SysWOW64\Dccbbhld.exeC:\Windows\system32\Dccbbhld.exe88⤵PID:4316
-
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe89⤵PID:4008
-
C:\Windows\SysWOW64\Dkoggkjo.exeC:\Windows\system32\Dkoggkjo.exe90⤵PID:4772
-
C:\Windows\SysWOW64\Dedkdcie.exeC:\Windows\system32\Dedkdcie.exe91⤵PID:3764
-
C:\Windows\SysWOW64\Ekacmjgl.exeC:\Windows\system32\Ekacmjgl.exe92⤵PID:3328
-
C:\Windows\SysWOW64\Echknh32.exeC:\Windows\system32\Echknh32.exe93⤵PID:1672
-
C:\Windows\SysWOW64\Edihepnm.exeC:\Windows\system32\Edihepnm.exe94⤵
- Drops file in System32 directory
PID:1836 -
C:\Windows\SysWOW64\Ehedfo32.exeC:\Windows\system32\Ehedfo32.exe95⤵PID:4424
-
C:\Windows\SysWOW64\Edkdkplj.exeC:\Windows\system32\Edkdkplj.exe96⤵PID:1736
-
C:\Windows\SysWOW64\Ekemhj32.exeC:\Windows\system32\Ekemhj32.exe97⤵PID:3292
-
C:\Windows\SysWOW64\Eekaebcm.exeC:\Windows\system32\Eekaebcm.exe98⤵PID:1348
-
C:\Windows\SysWOW64\Eemnjbaj.exeC:\Windows\system32\Eemnjbaj.exe99⤵PID:4888
-
C:\Windows\SysWOW64\Ekjfcipa.exeC:\Windows\system32\Ekjfcipa.exe100⤵PID:3812
-
C:\Windows\SysWOW64\Eofbch32.exeC:\Windows\system32\Eofbch32.exe101⤵PID:1368
-
C:\Windows\SysWOW64\Edbklofb.exeC:\Windows\system32\Edbklofb.exe102⤵PID:3480
-
C:\Windows\SysWOW64\Fhqcam32.exeC:\Windows\system32\Fhqcam32.exe103⤵PID:544
-
C:\Windows\SysWOW64\Fcfhof32.exeC:\Windows\system32\Fcfhof32.exe104⤵PID:3156
-
C:\Windows\SysWOW64\Fdgdgnbm.exeC:\Windows\system32\Fdgdgnbm.exe105⤵PID:5088
-
C:\Windows\SysWOW64\Fhemmlhc.exeC:\Windows\system32\Fhemmlhc.exe106⤵PID:452
-
C:\Windows\SysWOW64\Fooeif32.exeC:\Windows\system32\Fooeif32.exe107⤵PID:1620
-
C:\Windows\SysWOW64\Fhgjblfq.exeC:\Windows\system32\Fhgjblfq.exe108⤵
- Drops file in System32 directory
PID:4116 -
C:\Windows\SysWOW64\Fcmnpe32.exeC:\Windows\system32\Fcmnpe32.exe109⤵PID:1216
-
C:\Windows\SysWOW64\Gkhbdg32.exeC:\Windows\system32\Gkhbdg32.exe110⤵PID:3396
-
C:\Windows\SysWOW64\Glhonj32.exeC:\Windows\system32\Glhonj32.exe111⤵PID:2296
-
C:\Windows\SysWOW64\Gcagkdba.exeC:\Windows\system32\Gcagkdba.exe112⤵PID:2972
-
C:\Windows\SysWOW64\Gmjlcj32.exeC:\Windows\system32\Gmjlcj32.exe113⤵PID:4136
-
C:\Windows\SysWOW64\Gokdeeec.exeC:\Windows\system32\Gokdeeec.exe114⤵PID:4824
-
C:\Windows\SysWOW64\Gomakdcp.exeC:\Windows\system32\Gomakdcp.exe115⤵
- Modifies registry class
PID:4356 -
C:\Windows\SysWOW64\Hbnjmp32.exeC:\Windows\system32\Hbnjmp32.exe116⤵PID:624
-
C:\Windows\SysWOW64\Hflcbngh.exeC:\Windows\system32\Hflcbngh.exe117⤵PID:4800
-
C:\Windows\SysWOW64\Hodgkc32.exeC:\Windows\system32\Hodgkc32.exe118⤵PID:2436
-
C:\Windows\SysWOW64\Himldi32.exeC:\Windows\system32\Himldi32.exe119⤵PID:3608
-
C:\Windows\SysWOW64\Hfqlnm32.exeC:\Windows\system32\Hfqlnm32.exe120⤵PID:5160
-
C:\Windows\SysWOW64\Hoiafcic.exeC:\Windows\system32\Hoiafcic.exe121⤵PID:5204
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-