Analysis
-
max time kernel
93s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
09/07/2024, 04:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b850568c18aa2a4e4d144aa5c531e1cd66e0a172cb89799eae5295820acbc58c.exe
Resource
win7-20240705-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
b850568c18aa2a4e4d144aa5c531e1cd66e0a172cb89799eae5295820acbc58c.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
b850568c18aa2a4e4d144aa5c531e1cd66e0a172cb89799eae5295820acbc58c.exe
-
Size
256KB
-
MD5
e50ab27d5c9f59bf8b51a9563c6d9689
-
SHA1
c8f7a7ef492fbc3dc71ab3b74ed3bfbf22e463d5
-
SHA256
b850568c18aa2a4e4d144aa5c531e1cd66e0a172cb89799eae5295820acbc58c
-
SHA512
f04ca0b278a3e1519f8fab71336306649b8c62aef7b69a884bedff45bc1661f23a1a76d72abcb12f0bd78ea17d7f255bfc02f06b0788fe77cff2ba8df815ae6c
-
SSDEEP
6144:bEx2g7+tHNIsPaEMSTYaT15f7o+STYaT15fAK8yL:bEx2g7+tyyTYapJoTYapz8yL
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgqqdeod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkcadhgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdlqqcnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhkbdmbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpbiip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljdceo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lelchgne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phincl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cndeii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hplbickp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmeandma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcnqpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dimenegi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koaagkcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okgaijaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikkpgafg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcqjon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbkkik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipdndloi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfogeb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnodaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nimbkc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mminhceb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aknifq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khbiello.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dikpbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paeelgnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbihjifh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfhadc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqdaadln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omegjomb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpimlfke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pahilmoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfchlbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feenjgfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpdennml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcbfakec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Najmjokc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hifcgion.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgadgf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efepbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bebjdgmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dngjff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cippgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpdfnolo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kniieo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piphgq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmflbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dckdjomg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmaffnce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lakfeodm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccchof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggnedlao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggbook32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kilpmh32.exe -
Executes dropped EXE 64 IoCs
pid Process 1540 Oekpkigo.exe 4828 Opadhb32.exe 2736 Ocopdn32.exe 3696 Olgemcli.exe 1292 Opcqnb32.exe 1060 Oepifi32.exe 2020 Oileggkb.exe 3600 Oljaccjf.exe 2012 Opemca32.exe 2132 Oebflhaf.exe 4384 Ojnblg32.exe 1916 Ollnhb32.exe 3036 Ophjiaql.exe 3256 Ocffempp.exe 2804 Pckppl32.exe 3752 Plcdiabk.exe 5104 Pcmlfl32.exe 2492 Pgihfj32.exe 3388 Pgkelj32.exe 4508 Plhnda32.exe 4740 Qcbfakec.exe 1556 Qjlnnemp.exe 1264 Qfbobf32.exe 4580 Qhakoa32.exe 3504 Acgolj32.exe 4768 Ahchda32.exe 408 Acilajpk.exe 1276 Ajcdnd32.exe 4392 Aopmfk32.exe 4472 Aqoiqn32.exe 5032 Aijnep32.exe 4136 Afnnnd32.exe 448 Bogcgj32.exe 708 Bgnkhg32.exe 1268 Biogppeg.exe 3980 Bqfoamfj.exe 1960 Bgpgng32.exe 4084 Biadeoce.exe 2512 Bqilgmdg.exe 776 Bcghch32.exe 1512 Bgbdcgld.exe 2320 Bidqko32.exe 1732 Bciehh32.exe 2184 Bfhadc32.exe 3544 Bifmqo32.exe 2848 Bqmeal32.exe 2996 Bjfjka32.exe 3308 Cgjjdf32.exe 116 Cmfclm32.exe 2392 Cpeohh32.exe 1088 Cfogeb32.exe 1736 Cimcan32.exe 4628 Ccchof32.exe 1676 Cippgm32.exe 4020 Cgqqdeod.exe 4376 Cibmlmeb.exe 3248 Cpleig32.exe 1492 Cffmfadl.exe 4640 Dmpfbk32.exe 1708 Dcjnoece.exe 5108 Djdflp32.exe 2068 Dannij32.exe 2728 Dfjgaq32.exe 3776 Diicml32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cgjjdf32.exe Bjfjka32.exe File created C:\Windows\SysWOW64\Gihgfk32.exe Gfjkjo32.exe File opened for modification C:\Windows\SysWOW64\Njjmni32.exe Nodiqp32.exe File opened for modification C:\Windows\SysWOW64\Flqdlnde.exe Fibhpbea.exe File created C:\Windows\SysWOW64\Ogjembbd.dll Llodgnja.exe File created C:\Windows\SysWOW64\Efkphnbd.exe Eangpgcl.exe File created C:\Windows\SysWOW64\Pjoppf32.exe Process not Found File created C:\Windows\SysWOW64\Nllbhl32.dll Dpehof32.exe File created C:\Windows\SysWOW64\Jkdnhmdp.dll Opcqnb32.exe File created C:\Windows\SysWOW64\Flafeh32.dll Jlfpdh32.exe File opened for modification C:\Windows\SysWOW64\Nnhmnn32.exe Nfaemp32.exe File created C:\Windows\SysWOW64\Cgmbbe32.dll Jhgiim32.exe File created C:\Windows\SysWOW64\Cpeohh32.exe Cmfclm32.exe File opened for modification C:\Windows\SysWOW64\Oekiqccc.exe Ooqqdi32.exe File opened for modification C:\Windows\SysWOW64\Bhcjqinf.exe Bfendmoc.exe File created C:\Windows\SysWOW64\Nlkppnab.dll Process not Found File opened for modification C:\Windows\SysWOW64\Akcjkfij.exe Ajbmdn32.exe File opened for modification C:\Windows\SysWOW64\Oldjcg32.exe Oejbfmpg.exe File created C:\Windows\SysWOW64\Fngcmcfe.exe Fmfgek32.exe File created C:\Windows\SysWOW64\Amqhbe32.exe Aonhghjl.exe File opened for modification C:\Windows\SysWOW64\Jgadgf32.exe Jqglkmlj.exe File created C:\Windows\SysWOW64\Lhpapf32.dll Fgjhpcmo.exe File created C:\Windows\SysWOW64\Ppadalgj.dll Kheekkjl.exe File created C:\Windows\SysWOW64\Kdfepi32.dll Process not Found File created C:\Windows\SysWOW64\Anfmbd32.dll Doojec32.exe File created C:\Windows\SysWOW64\Gghdaa32.exe Gejhef32.exe File created C:\Windows\SysWOW64\Dndfnlpc.dll Oblhcj32.exe File opened for modification C:\Windows\SysWOW64\Gkhkjd32.exe Gdobnj32.exe File created C:\Windows\SysWOW64\Fnfmbmbi.exe Fgmdec32.exe File created C:\Windows\SysWOW64\Llgdkbfj.dll Nbphglbe.exe File opened for modification C:\Windows\SysWOW64\Aakebqbj.exe Aomifecf.exe File opened for modification C:\Windows\SysWOW64\Kkgiimng.exe Kcpahpmd.exe File created C:\Windows\SysWOW64\Ncmkcc32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ocopdn32.exe Opadhb32.exe File created C:\Windows\SysWOW64\Dcdepb32.dll Ggilil32.exe File opened for modification C:\Windows\SysWOW64\Jjlmclqa.exe Jcbdgb32.exe File created C:\Windows\SysWOW64\Nlkgmh32.exe Nccokk32.exe File opened for modification C:\Windows\SysWOW64\Bfaigclq.exe Process not Found File created C:\Windows\SysWOW64\Plcdiabk.exe Pckppl32.exe File opened for modification C:\Windows\SysWOW64\Acmobchj.exe Akffafgg.exe File created C:\Windows\SysWOW64\Jcoong32.dll Elbhjp32.exe File created C:\Windows\SysWOW64\Lbopphio.dll Phfjcf32.exe File created C:\Windows\SysWOW64\Mljmhflh.exe Mbdiknlb.exe File opened for modification C:\Windows\SysWOW64\Aadghn32.exe Process not Found File created C:\Windows\SysWOW64\Mlihmi32.dll Mnkggfkb.exe File created C:\Windows\SysWOW64\Ahchda32.exe Acgolj32.exe File created C:\Windows\SysWOW64\Mnggge32.dll Ljbfpo32.exe File opened for modification C:\Windows\SysWOW64\Bcfahbpo.exe Bkoigdom.exe File created C:\Windows\SysWOW64\Dfjpfj32.exe Dckdjomg.exe File created C:\Windows\SysWOW64\Hemdlj32.exe Hbohpn32.exe File opened for modification C:\Windows\SysWOW64\Illfdc32.exe Iinjhh32.exe File opened for modification C:\Windows\SysWOW64\Omdieb32.exe Ofjqihnn.exe File created C:\Windows\SysWOW64\Ihgnkkbd.exe Iqpfjnba.exe File created C:\Windows\SysWOW64\Bdepoj32.dll Enmjlojd.exe File opened for modification C:\Windows\SysWOW64\Ohmhmh32.exe Oeokal32.exe File opened for modification C:\Windows\SysWOW64\Bebjdgmj.exe Bohbhmfm.exe File created C:\Windows\SysWOW64\Hllbndih.dll Hmnmgnoh.exe File created C:\Windows\SysWOW64\Mcdibc32.dll Ckgohf32.exe File created C:\Windows\SysWOW64\Acokhc32.exe Ahjgjj32.exe File created C:\Windows\SysWOW64\Dfoiaj32.exe Dpdaepai.exe File created C:\Windows\SysWOW64\Pbbmemif.dll Bffcpg32.exe File created C:\Windows\SysWOW64\Qmfqknfm.dll Ljeafb32.exe File opened for modification C:\Windows\SysWOW64\Nceefd32.exe Nagiji32.exe File opened for modification C:\Windows\SysWOW64\Apmhiq32.exe Aokkahlo.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6864 8284 Process not Found 1199 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aolblopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofkhpmpa.dll" Nncccnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehnaq32.dll" Bnoddcef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbbajjlp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhegobpi.dll" Ilqoobdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqmfdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nncccnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnokgcbe.dll" Ofkgcobj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihmfco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkbmqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bblnindg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anaemfem.dll" Jqhafffk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mblcnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cioilg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flqdlnde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljeafb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omopjcjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocgmoc32.dll" Ahgjejhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghdfilo.dll" Ecbjkngo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gejopl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lncjlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aakebqbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibhkfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ooejohhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikdkai32.dll" Bcghch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnpfop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aijnep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epcdqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iinqbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iinjhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgelgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojnblg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laphko32.dll" Acilajpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdigadjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jilfifme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeggngeb.dll" Ealkjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pehbea32.dll" Ccdnjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Konidd32.dll" Fbgihaji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Moipoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cocopa32.dll" Eppjfgcp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhdbhifj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enndkpea.dll" Hnbeeiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njjmni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onpjichj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbpchb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hipmfjee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdahdiml.dll" Iedjmioj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfendmoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhefclee.dll" Epikpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hncmmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfpcoefj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnegbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cimjkpjn.dll" Iacngdgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhgiim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldjigql.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecbjkngo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilafiihp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eblimcdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpimlfke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbgihaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhgbbckh.dll" Nfaemp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1508 wrote to memory of 1540 1508 b850568c18aa2a4e4d144aa5c531e1cd66e0a172cb89799eae5295820acbc58c.exe 84 PID 1508 wrote to memory of 1540 1508 b850568c18aa2a4e4d144aa5c531e1cd66e0a172cb89799eae5295820acbc58c.exe 84 PID 1508 wrote to memory of 1540 1508 b850568c18aa2a4e4d144aa5c531e1cd66e0a172cb89799eae5295820acbc58c.exe 84 PID 1540 wrote to memory of 4828 1540 Oekpkigo.exe 85 PID 1540 wrote to memory of 4828 1540 Oekpkigo.exe 85 PID 1540 wrote to memory of 4828 1540 Oekpkigo.exe 85 PID 4828 wrote to memory of 2736 4828 Opadhb32.exe 87 PID 4828 wrote to memory of 2736 4828 Opadhb32.exe 87 PID 4828 wrote to memory of 2736 4828 Opadhb32.exe 87 PID 2736 wrote to memory of 3696 2736 Ocopdn32.exe 88 PID 2736 wrote to memory of 3696 2736 Ocopdn32.exe 88 PID 2736 wrote to memory of 3696 2736 Ocopdn32.exe 88 PID 3696 wrote to memory of 1292 3696 Olgemcli.exe 89 PID 3696 wrote to memory of 1292 3696 Olgemcli.exe 89 PID 3696 wrote to memory of 1292 3696 Olgemcli.exe 89 PID 1292 wrote to memory of 1060 1292 Opcqnb32.exe 90 PID 1292 wrote to memory of 1060 1292 Opcqnb32.exe 90 PID 1292 wrote to memory of 1060 1292 Opcqnb32.exe 90 PID 1060 wrote to memory of 2020 1060 Oepifi32.exe 91 PID 1060 wrote to memory of 2020 1060 Oepifi32.exe 91 PID 1060 wrote to memory of 2020 1060 Oepifi32.exe 91 PID 2020 wrote to memory of 3600 2020 Oileggkb.exe 92 PID 2020 wrote to memory of 3600 2020 Oileggkb.exe 92 PID 2020 wrote to memory of 3600 2020 Oileggkb.exe 92 PID 3600 wrote to memory of 2012 3600 Oljaccjf.exe 93 PID 3600 wrote to memory of 2012 3600 Oljaccjf.exe 93 PID 3600 wrote to memory of 2012 3600 Oljaccjf.exe 93 PID 2012 wrote to memory of 2132 2012 Opemca32.exe 94 PID 2012 wrote to memory of 2132 2012 Opemca32.exe 94 PID 2012 wrote to memory of 2132 2012 Opemca32.exe 94 PID 2132 wrote to memory of 4384 2132 Oebflhaf.exe 95 PID 2132 wrote to memory of 4384 2132 Oebflhaf.exe 95 PID 2132 wrote to memory of 4384 2132 Oebflhaf.exe 95 PID 4384 wrote to memory of 1916 4384 Ojnblg32.exe 96 PID 4384 wrote to memory of 1916 4384 Ojnblg32.exe 96 PID 4384 wrote to memory of 1916 4384 Ojnblg32.exe 96 PID 1916 wrote to memory of 3036 1916 Ollnhb32.exe 97 PID 1916 wrote to memory of 3036 1916 Ollnhb32.exe 97 PID 1916 wrote to memory of 3036 1916 Ollnhb32.exe 97 PID 3036 wrote to memory of 3256 3036 Ophjiaql.exe 98 PID 3036 wrote to memory of 3256 3036 Ophjiaql.exe 98 PID 3036 wrote to memory of 3256 3036 Ophjiaql.exe 98 PID 3256 wrote to memory of 2804 3256 Ocffempp.exe 99 PID 3256 wrote to memory of 2804 3256 Ocffempp.exe 99 PID 3256 wrote to memory of 2804 3256 Ocffempp.exe 99 PID 2804 wrote to memory of 3752 2804 Pckppl32.exe 100 PID 2804 wrote to memory of 3752 2804 Pckppl32.exe 100 PID 2804 wrote to memory of 3752 2804 Pckppl32.exe 100 PID 3752 wrote to memory of 5104 3752 Plcdiabk.exe 101 PID 3752 wrote to memory of 5104 3752 Plcdiabk.exe 101 PID 3752 wrote to memory of 5104 3752 Plcdiabk.exe 101 PID 5104 wrote to memory of 2492 5104 Pcmlfl32.exe 102 PID 5104 wrote to memory of 2492 5104 Pcmlfl32.exe 102 PID 5104 wrote to memory of 2492 5104 Pcmlfl32.exe 102 PID 2492 wrote to memory of 3388 2492 Pgihfj32.exe 103 PID 2492 wrote to memory of 3388 2492 Pgihfj32.exe 103 PID 2492 wrote to memory of 3388 2492 Pgihfj32.exe 103 PID 3388 wrote to memory of 4508 3388 Pgkelj32.exe 104 PID 3388 wrote to memory of 4508 3388 Pgkelj32.exe 104 PID 3388 wrote to memory of 4508 3388 Pgkelj32.exe 104 PID 4508 wrote to memory of 4740 4508 Plhnda32.exe 105 PID 4508 wrote to memory of 4740 4508 Plhnda32.exe 105 PID 4508 wrote to memory of 4740 4508 Plhnda32.exe 105 PID 4740 wrote to memory of 1556 4740 Qcbfakec.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\b850568c18aa2a4e4d144aa5c531e1cd66e0a172cb89799eae5295820acbc58c.exe"C:\Users\Admin\AppData\Local\Temp\b850568c18aa2a4e4d144aa5c531e1cd66e0a172cb89799eae5295820acbc58c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Opadhb32.exeC:\Windows\system32\Opadhb32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\Ocopdn32.exeC:\Windows\system32\Ocopdn32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\SysWOW64\Opcqnb32.exeC:\Windows\system32\Opcqnb32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\SysWOW64\Oepifi32.exeC:\Windows\system32\Oepifi32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Ophjiaql.exeC:\Windows\system32\Ophjiaql.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Ocffempp.exeC:\Windows\system32\Ocffempp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\Pgihfj32.exeC:\Windows\system32\Pgihfj32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Windows\SysWOW64\Qcbfakec.exeC:\Windows\system32\Qcbfakec.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe23⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Qfbobf32.exeC:\Windows\system32\Qfbobf32.exe24⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe25⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3504 -
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe27⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:408 -
C:\Windows\SysWOW64\Ajcdnd32.exeC:\Windows\system32\Ajcdnd32.exe29⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Aopmfk32.exeC:\Windows\system32\Aopmfk32.exe30⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Aqoiqn32.exeC:\Windows\system32\Aqoiqn32.exe31⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:5032 -
C:\Windows\SysWOW64\Afnnnd32.exeC:\Windows\system32\Afnnnd32.exe33⤵
- Executes dropped EXE
PID:4136 -
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe34⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe35⤵
- Executes dropped EXE
PID:708 -
C:\Windows\SysWOW64\Biogppeg.exeC:\Windows\system32\Biogppeg.exe36⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Bqfoamfj.exeC:\Windows\system32\Bqfoamfj.exe37⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\Bgpgng32.exeC:\Windows\system32\Bgpgng32.exe38⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Biadeoce.exeC:\Windows\system32\Biadeoce.exe39⤵
- Executes dropped EXE
PID:4084 -
C:\Windows\SysWOW64\Bqilgmdg.exeC:\Windows\system32\Bqilgmdg.exe40⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Bcghch32.exeC:\Windows\system32\Bcghch32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:776 -
C:\Windows\SysWOW64\Bgbdcgld.exeC:\Windows\system32\Bgbdcgld.exe42⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Bidqko32.exeC:\Windows\system32\Bidqko32.exe43⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Bciehh32.exeC:\Windows\system32\Bciehh32.exe44⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Bfhadc32.exeC:\Windows\system32\Bfhadc32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Bifmqo32.exeC:\Windows\system32\Bifmqo32.exe46⤵
- Executes dropped EXE
PID:3544 -
C:\Windows\SysWOW64\Bqmeal32.exeC:\Windows\system32\Bqmeal32.exe47⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Bjfjka32.exeC:\Windows\system32\Bjfjka32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Cgjjdf32.exeC:\Windows\system32\Cgjjdf32.exe49⤵
- Executes dropped EXE
PID:3308 -
C:\Windows\SysWOW64\Cmfclm32.exeC:\Windows\system32\Cmfclm32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:116 -
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe51⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Cfogeb32.exeC:\Windows\system32\Cfogeb32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Cimcan32.exeC:\Windows\system32\Cimcan32.exe53⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Ccchof32.exeC:\Windows\system32\Ccchof32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4628 -
C:\Windows\SysWOW64\Cippgm32.exeC:\Windows\system32\Cippgm32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Cpihcgoa.exeC:\Windows\system32\Cpihcgoa.exe56⤵PID:4512
-
C:\Windows\SysWOW64\Cgqqdeod.exeC:\Windows\system32\Cgqqdeod.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Cibmlmeb.exeC:\Windows\system32\Cibmlmeb.exe58⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Cpleig32.exeC:\Windows\system32\Cpleig32.exe59⤵
- Executes dropped EXE
PID:3248 -
C:\Windows\SysWOW64\Cffmfadl.exeC:\Windows\system32\Cffmfadl.exe60⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Dmpfbk32.exeC:\Windows\system32\Dmpfbk32.exe61⤵
- Executes dropped EXE
PID:4640 -
C:\Windows\SysWOW64\Dcjnoece.exeC:\Windows\system32\Dcjnoece.exe62⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Djdflp32.exeC:\Windows\system32\Djdflp32.exe63⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Dannij32.exeC:\Windows\system32\Dannij32.exe64⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Dfjgaq32.exeC:\Windows\system32\Dfjgaq32.exe65⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe66⤵
- Executes dropped EXE
PID:3776 -
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe67⤵PID:4776
-
C:\Windows\SysWOW64\Dikpbl32.exeC:\Windows\system32\Dikpbl32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3788 -
C:\Windows\SysWOW64\Dpehof32.exeC:\Windows\system32\Dpehof32.exe69⤵
- Drops file in System32 directory
PID:556 -
C:\Windows\SysWOW64\Dmihij32.exeC:\Windows\system32\Dmihij32.exe70⤵PID:4288
-
C:\Windows\SysWOW64\Emlenj32.exeC:\Windows\system32\Emlenj32.exe71⤵PID:4476
-
C:\Windows\SysWOW64\Ejpfhnpe.exeC:\Windows\system32\Ejpfhnpe.exe72⤵PID:3340
-
C:\Windows\SysWOW64\Eplnpeol.exeC:\Windows\system32\Eplnpeol.exe73⤵PID:4668
-
C:\Windows\SysWOW64\Ealkjh32.exeC:\Windows\system32\Ealkjh32.exe74⤵
- Modifies registry class
PID:3896 -
C:\Windows\SysWOW64\Ejdocm32.exeC:\Windows\system32\Ejdocm32.exe75⤵PID:4176
-
C:\Windows\SysWOW64\Eangpgcl.exeC:\Windows\system32\Eangpgcl.exe76⤵
- Drops file in System32 directory
PID:224 -
C:\Windows\SysWOW64\Efkphnbd.exeC:\Windows\system32\Efkphnbd.exe77⤵PID:4872
-
C:\Windows\SysWOW64\Epcdqd32.exeC:\Windows\system32\Epcdqd32.exe78⤵
- Modifies registry class
PID:792 -
C:\Windows\SysWOW64\Efmmmn32.exeC:\Windows\system32\Efmmmn32.exe79⤵PID:4592
-
C:\Windows\SysWOW64\Fmgejhgn.exeC:\Windows\system32\Fmgejhgn.exe80⤵PID:3396
-
C:\Windows\SysWOW64\Ffpicn32.exeC:\Windows\system32\Ffpicn32.exe81⤵PID:636
-
C:\Windows\SysWOW64\Fdcjlb32.exeC:\Windows\system32\Fdcjlb32.exe82⤵PID:1804
-
C:\Windows\SysWOW64\Fmlneg32.exeC:\Windows\system32\Fmlneg32.exe83⤵PID:4132
-
C:\Windows\SysWOW64\Fkpool32.exeC:\Windows\system32\Fkpool32.exe84⤵PID:4460
-
C:\Windows\SysWOW64\Fdhcgaic.exeC:\Windows\system32\Fdhcgaic.exe85⤵PID:648
-
C:\Windows\SysWOW64\Fggocmhf.exeC:\Windows\system32\Fggocmhf.exe86⤵PID:2488
-
C:\Windows\SysWOW64\Fielph32.exeC:\Windows\system32\Fielph32.exe87⤵PID:2260
-
C:\Windows\SysWOW64\Fpodlbng.exeC:\Windows\system32\Fpodlbng.exe88⤵PID:3840
-
C:\Windows\SysWOW64\Ggilil32.exeC:\Windows\system32\Ggilil32.exe89⤵
- Drops file in System32 directory
PID:3988 -
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe90⤵PID:2980
-
C:\Windows\SysWOW64\Gaopfe32.exeC:\Windows\system32\Gaopfe32.exe91⤵PID:3572
-
C:\Windows\SysWOW64\Ghhhcomg.exeC:\Windows\system32\Ghhhcomg.exe92⤵PID:392
-
C:\Windows\SysWOW64\Gijekg32.exeC:\Windows\system32\Gijekg32.exe93⤵PID:1176
-
C:\Windows\SysWOW64\Gpcmga32.exeC:\Windows\system32\Gpcmga32.exe94⤵PID:2396
-
C:\Windows\SysWOW64\Ggnedlao.exeC:\Windows\system32\Ggnedlao.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3212 -
C:\Windows\SysWOW64\Gilapgqb.exeC:\Windows\system32\Gilapgqb.exe96⤵PID:4976
-
C:\Windows\SysWOW64\Gacjadad.exeC:\Windows\system32\Gacjadad.exe97⤵PID:2452
-
C:\Windows\SysWOW64\Ghmbno32.exeC:\Windows\system32\Ghmbno32.exe98⤵PID:4832
-
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe99⤵PID:1720
-
C:\Windows\SysWOW64\Gnjjfegi.exeC:\Windows\system32\Gnjjfegi.exe100⤵PID:4228
-
C:\Windows\SysWOW64\Gphgbafl.exeC:\Windows\system32\Gphgbafl.exe101⤵PID:4984
-
C:\Windows\SysWOW64\Ggbook32.exeC:\Windows\system32\Ggbook32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4692 -
C:\Windows\SysWOW64\Giqkkf32.exeC:\Windows\system32\Giqkkf32.exe103⤵PID:1704
-
C:\Windows\SysWOW64\Gpkchqdj.exeC:\Windows\system32\Gpkchqdj.exe104⤵PID:3760
-
C:\Windows\SysWOW64\Hgelek32.exeC:\Windows\system32\Hgelek32.exe105⤵PID:5136
-
C:\Windows\SysWOW64\Hnodaecc.exeC:\Windows\system32\Hnodaecc.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5176 -
C:\Windows\SysWOW64\Hpmpnp32.exeC:\Windows\system32\Hpmpnp32.exe107⤵PID:5220
-
C:\Windows\SysWOW64\Hgghjjid.exeC:\Windows\system32\Hgghjjid.exe108⤵PID:5264
-
C:\Windows\SysWOW64\Hjedffig.exeC:\Windows\system32\Hjedffig.exe109⤵PID:5308
-
C:\Windows\SysWOW64\Hnaqgd32.exeC:\Windows\system32\Hnaqgd32.exe110⤵PID:5348
-
C:\Windows\SysWOW64\Hpomcp32.exeC:\Windows\system32\Hpomcp32.exe111⤵PID:5396
-
C:\Windows\SysWOW64\Hdkidohn.exeC:\Windows\system32\Hdkidohn.exe112⤵PID:5440
-
C:\Windows\SysWOW64\Hgiepjga.exeC:\Windows\system32\Hgiepjga.exe113⤵PID:5484
-
C:\Windows\SysWOW64\Hkeaqi32.exeC:\Windows\system32\Hkeaqi32.exe114⤵PID:5528
-
C:\Windows\SysWOW64\Hncmmd32.exeC:\Windows\system32\Hncmmd32.exe115⤵
- Modifies registry class
PID:5572 -
C:\Windows\SysWOW64\Hpbiip32.exeC:\Windows\system32\Hpbiip32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5616 -
C:\Windows\SysWOW64\Hglaej32.exeC:\Windows\system32\Hglaej32.exe117⤵PID:5660
-
C:\Windows\SysWOW64\Hpdfnolo.exeC:\Windows\system32\Hpdfnolo.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5704 -
C:\Windows\SysWOW64\Hkjjlhle.exeC:\Windows\system32\Hkjjlhle.exe119⤵PID:5740
-
C:\Windows\SysWOW64\Hnhghcki.exeC:\Windows\system32\Hnhghcki.exe120⤵PID:5788
-
C:\Windows\SysWOW64\Idbodn32.exeC:\Windows\system32\Idbodn32.exe121⤵PID:5832
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-