Analysis
-
max time kernel
108s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
21-07-2024 11:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bc76cf28098ea14be30527c4e6a9b050N.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
bc76cf28098ea14be30527c4e6a9b050N.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
120 seconds
General
-
Target
bc76cf28098ea14be30527c4e6a9b050N.exe
-
Size
368KB
-
MD5
bc76cf28098ea14be30527c4e6a9b050
-
SHA1
5b1b51f54e2b8328fbea17ecf413a5f0b76c38fe
-
SHA256
0b0f56844e631a2f01819a88aa54d797d58ae6ebbc17207f37dd0d459da234e1
-
SHA512
267d621d4a9b0efb351fb3f6b97206b88529b312da67796eaa602285ce2dda3cf381951bbf37031afbaacc0695f6175dd300b48e277afb589df3dfca00388c5e
-
SSDEEP
6144:SPw6iPOHJg9QO+zrWnAdqjeOpKfduBX2QO+zrWnAdqjsqwHlGrh/tOz:SPjiPOpe/+zrWAI5KFum/+zrWAIAqWiO
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccppmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Boflmdkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckpbnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plpjoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efjbcakl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffnknafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jinboekc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpoalo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pahilmoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajggomog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cndeii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpfgmnfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnmmboed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqjbddpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjlcjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aggpfkjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aibibp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Giinpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plpjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aonhghjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbaahf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idfaefkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgeenfog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkhgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnlbojee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iikmbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iojbpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecbeip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdpnda32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Finnef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hihibbjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iefphb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afgacokc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plkpcfal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioolkncg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjbcplpe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbccge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqkondfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paihlpfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fibhpbea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gigaka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icknfcol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oodcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plkpcfal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfjdqmng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpapnfhg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aalmimfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljqhkckn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dphiaffa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecbjkngo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jddnfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbbicl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncmhko32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pidabppl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giinpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Paiogf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hemdlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojcpdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckeimm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bklomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgfapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkdjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igpdfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikdcmpnl.exe -
Executes dropped EXE 64 IoCs
pid Process 3060 Oldamm32.exe 3560 Oocmii32.exe 3664 Oeoblb32.exe 1684 Oohgdhfn.exe 2816 Oimkbaed.exe 1816 Piphgq32.exe 1968 Pefhlaie.exe 5072 Plpqil32.exe 3596 Pamiaboj.exe 3104 Pidabppl.exe 4672 Plbmokop.exe 1592 Papfgbmg.exe 1700 Pifnhpmi.exe 4900 Plejdkmm.exe 2520 Pcobaedj.exe 5084 Pemomqcn.exe 4120 Qhlkilba.exe 2568 Qkjgegae.exe 3792 Qcaofebg.exe 1552 Qepkbpak.exe 5028 Qhngolpo.exe 4924 Qkmdkgob.exe 692 Qohpkf32.exe 2424 Qaflgago.exe 4380 Ajndioga.exe 1748 Allpejfe.exe 4812 Akoqpg32.exe 4792 Acfhad32.exe 2908 Aaiimadl.exe 3552 Ajpqnneo.exe 1892 Alnmjjdb.exe 3472 Aomifecf.exe 5100 Achegd32.exe 3976 Afgacokc.exe 5024 Ahenokjf.exe 4576 Akcjkfij.exe 1636 Ackbmcjl.exe 4880 Ajdjin32.exe 1396 Alcfei32.exe 3084 Aoabad32.exe 5108 Abponp32.exe 744 Ajggomog.exe 212 Aleckinj.exe 1176 Aodogdmn.exe 3872 Abbkcpma.exe 932 Bjicdmmd.exe 3164 Blhpqhlh.exe 1956 Boflmdkk.exe 2724 Bcahmb32.exe 1620 Bhoqeibl.exe 1172 Bohibc32.exe 3608 Bbgeno32.exe 1660 Bjnmpl32.exe 1868 Bhamkipi.exe 2148 Bkoigdom.exe 2780 Bokehc32.exe 3540 Bbiado32.exe 4056 Bfendmoc.exe 3248 Bhcjqinf.exe 3616 Bkafmd32.exe 5016 Bcinna32.exe 4492 Bblnindg.exe 2860 Bjbfklei.exe 5076 Bmabggdm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Iondqhpl.exe Ihdldn32.exe File created C:\Windows\SysWOW64\Dhblne32.dll Boflmdkk.exe File created C:\Windows\SysWOW64\Dmalne32.exe Dfgcakon.exe File opened for modification C:\Windows\SysWOW64\Ocjoadei.exe Ojajin32.exe File opened for modification C:\Windows\SysWOW64\Pfoann32.exe Opeiadfg.exe File created C:\Windows\SysWOW64\Gpaihooo.exe Geldkfpi.exe File opened for modification C:\Windows\SysWOW64\Blhpqhlh.exe Bjicdmmd.exe File opened for modification C:\Windows\SysWOW64\Fibhpbea.exe Flngfn32.exe File created C:\Windows\SysWOW64\Knenkbio.exe Kgkfnh32.exe File created C:\Windows\SysWOW64\Bkodbfgo.dll Daeifj32.exe File created C:\Windows\SysWOW64\Jnakbdid.dll Dcffnbee.exe File opened for modification C:\Windows\SysWOW64\Abbkcpma.exe Aodogdmn.exe File opened for modification C:\Windows\SysWOW64\Jnjejjgh.exe Jdaaaeqg.exe File created C:\Windows\SysWOW64\Pehngkcg.exe Pmaffnce.exe File opened for modification C:\Windows\SysWOW64\Bedgjgkg.exe Bllbaa32.exe File opened for modification C:\Windows\SysWOW64\Geldkfpi.exe Gbnhoj32.exe File opened for modification C:\Windows\SysWOW64\Dfdpad32.exe Dmlkhofd.exe File created C:\Windows\SysWOW64\Dpphjp32.exe Dmalne32.exe File created C:\Windows\SysWOW64\Ecbjkngo.exe Dimenegi.exe File created C:\Windows\SysWOW64\Lflpengd.dll Jlhljhbg.exe File created C:\Windows\SysWOW64\Ncchae32.exe Nmipdk32.exe File opened for modification C:\Windows\SysWOW64\Kpiqfima.exe Khbiello.exe File created C:\Windows\SysWOW64\Jendmajn.dll Qaflgago.exe File opened for modification C:\Windows\SysWOW64\Onapdl32.exe Ofkgcobj.exe File created C:\Windows\SysWOW64\Bmgjnl32.dll Omfekbdh.exe File created C:\Windows\SysWOW64\Hoaojp32.exe Hlbcnd32.exe File created C:\Windows\SysWOW64\Dcnlnaom.exe Dnqcfjae.exe File created C:\Windows\SysWOW64\Bjicdmmd.exe Abbkcpma.exe File created C:\Windows\SysWOW64\Eeelnp32.exe Eiokinbk.exe File created C:\Windows\SysWOW64\Jpbhgp32.dll Ebifmm32.exe File created C:\Windows\SysWOW64\Mpagaf32.dll Piapkbeg.exe File created C:\Windows\SysWOW64\Obhehh32.dll Apeknk32.exe File created C:\Windows\SysWOW64\Nnckgmik.dll Fbdehlip.exe File created C:\Windows\SysWOW64\Mbddol32.dll Ccppmc32.exe File opened for modification C:\Windows\SysWOW64\Icnklbmj.exe Ipoopgnf.exe File opened for modification C:\Windows\SysWOW64\Fndpmndl.exe Figgdg32.exe File created C:\Windows\SysWOW64\Fgmdec32.exe Fndpmndl.exe File created C:\Windows\SysWOW64\Fbbicl32.exe Fgmdec32.exe File created C:\Windows\SysWOW64\Chgnfq32.dll Lafmjp32.exe File opened for modification C:\Windows\SysWOW64\Dkkaiphj.exe Cacmpj32.exe File opened for modification C:\Windows\SysWOW64\Gbmadd32.exe Gclafmej.exe File created C:\Windows\SysWOW64\Hcmhel32.dll Iefphb32.exe File created C:\Windows\SysWOW64\Plpqil32.exe Pefhlaie.exe File created C:\Windows\SysWOW64\Afgacokc.exe Achegd32.exe File created C:\Windows\SysWOW64\Ahenokjf.exe Afgacokc.exe File created C:\Windows\SysWOW64\Mepfiq32.exe Mnfnlf32.exe File opened for modification C:\Windows\SysWOW64\Idfaefkd.exe Ijqmhnko.exe File created C:\Windows\SysWOW64\Eiekog32.exe Eqncnj32.exe File created C:\Windows\SysWOW64\Ckdkhq32.exe Cpogkhnl.exe File created C:\Windows\SysWOW64\Eclmamod.exe Embddb32.exe File opened for modification C:\Windows\SysWOW64\Bheplb32.exe Bakgoh32.exe File created C:\Windows\SysWOW64\Onapdl32.exe Ofkgcobj.exe File opened for modification C:\Windows\SysWOW64\Fbbicl32.exe Fgmdec32.exe File opened for modification C:\Windows\SysWOW64\Ckfphc32.exe Cihclh32.exe File created C:\Windows\SysWOW64\Ibqnkh32.exe Ilfennic.exe File opened for modification C:\Windows\SysWOW64\Aibibp32.exe Adepji32.exe File opened for modification C:\Windows\SysWOW64\Jcphab32.exe Jlfpdh32.exe File created C:\Windows\SysWOW64\Odaodc32.dll Geoapenf.exe File opened for modification C:\Windows\SysWOW64\Dphiaffa.exe Daeifj32.exe File created C:\Windows\SysWOW64\Iefphb32.exe Ipihpkkd.exe File opened for modification C:\Windows\SysWOW64\Obgohklm.exe Niojoeel.exe File opened for modification C:\Windows\SysWOW64\Dcnlnaom.exe Dnqcfjae.exe File created C:\Windows\SysWOW64\Ockbnedp.dll Papfgbmg.exe File opened for modification C:\Windows\SysWOW64\Qfjjpf32.exe Qclmck32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 812 4388 WerFault.exe 726 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjpdeo32.dll" Gicgpelg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcgckb32.dll" Iogopi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fbaahf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imkbnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcoaln32.dll" Eklajcmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iggjga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdaaaeqg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cfldelik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihejacdm.dll" Mnfnlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kibohd32.dll" Ofkgcobj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbfecjhc.dll" Gpaihooo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fpejlmcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Johnamkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olieecnn.dll" Jgpfbjlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llmhaold.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhpofl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgddkelm.dll" Bdfpkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgicnp32.dll" Dqnjgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djgdkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Plejdkmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afinioip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofgjophm.dll" Gljgbllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgkkkcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpcblj32.dll" Jcbdgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lflbkcll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Halhfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iglhgnlj.dll" Oohgdhfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oilmjcon.dll" Ljfhqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjafgpmo.dll" Felbnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignjamf.dll" Aogbfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dnqcfjae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Flqdlnde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jgkmgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmiadaea.dll" Njhgbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qkmdkgob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Felbnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Geoapenf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aibibp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqdjon32.dll" Bjbfklei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladfllde.dll" Hloqml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmafqb32.dll" Mepfiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhkgijk.dll" Mjdebfnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hemdlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfqikef.dll" Palklf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akdilipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceknlgnl.dll" Glhimp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abponp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dpmcmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gicgpelg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gihgfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipihpkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njfkmphe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Koajmepf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pekihfdc.dll" Jbccge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biafno32.dll" Coegoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nfgklkoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fboecfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opngmi32.dll" Cihclh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmpqfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opkpck32.dll" Hibafp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmpgal32.dll" Hplicjok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empmffib.dll" Inqbclob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gihgfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpjgaoqm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2836 wrote to memory of 3060 2836 bc76cf28098ea14be30527c4e6a9b050N.exe 84 PID 2836 wrote to memory of 3060 2836 bc76cf28098ea14be30527c4e6a9b050N.exe 84 PID 2836 wrote to memory of 3060 2836 bc76cf28098ea14be30527c4e6a9b050N.exe 84 PID 3060 wrote to memory of 3560 3060 Oldamm32.exe 85 PID 3060 wrote to memory of 3560 3060 Oldamm32.exe 85 PID 3060 wrote to memory of 3560 3060 Oldamm32.exe 85 PID 3560 wrote to memory of 3664 3560 Oocmii32.exe 86 PID 3560 wrote to memory of 3664 3560 Oocmii32.exe 86 PID 3560 wrote to memory of 3664 3560 Oocmii32.exe 86 PID 3664 wrote to memory of 1684 3664 Oeoblb32.exe 87 PID 3664 wrote to memory of 1684 3664 Oeoblb32.exe 87 PID 3664 wrote to memory of 1684 3664 Oeoblb32.exe 87 PID 1684 wrote to memory of 2816 1684 Oohgdhfn.exe 89 PID 1684 wrote to memory of 2816 1684 Oohgdhfn.exe 89 PID 1684 wrote to memory of 2816 1684 Oohgdhfn.exe 89 PID 2816 wrote to memory of 1816 2816 Oimkbaed.exe 91 PID 2816 wrote to memory of 1816 2816 Oimkbaed.exe 91 PID 2816 wrote to memory of 1816 2816 Oimkbaed.exe 91 PID 1816 wrote to memory of 1968 1816 Piphgq32.exe 92 PID 1816 wrote to memory of 1968 1816 Piphgq32.exe 92 PID 1816 wrote to memory of 1968 1816 Piphgq32.exe 92 PID 1968 wrote to memory of 5072 1968 Pefhlaie.exe 93 PID 1968 wrote to memory of 5072 1968 Pefhlaie.exe 93 PID 1968 wrote to memory of 5072 1968 Pefhlaie.exe 93 PID 5072 wrote to memory of 3596 5072 Plpqil32.exe 94 PID 5072 wrote to memory of 3596 5072 Plpqil32.exe 94 PID 5072 wrote to memory of 3596 5072 Plpqil32.exe 94 PID 3596 wrote to memory of 3104 3596 Pamiaboj.exe 95 PID 3596 wrote to memory of 3104 3596 Pamiaboj.exe 95 PID 3596 wrote to memory of 3104 3596 Pamiaboj.exe 95 PID 3104 wrote to memory of 4672 3104 Pidabppl.exe 96 PID 3104 wrote to memory of 4672 3104 Pidabppl.exe 96 PID 3104 wrote to memory of 4672 3104 Pidabppl.exe 96 PID 4672 wrote to memory of 1592 4672 Plbmokop.exe 97 PID 4672 wrote to memory of 1592 4672 Plbmokop.exe 97 PID 4672 wrote to memory of 1592 4672 Plbmokop.exe 97 PID 1592 wrote to memory of 1700 1592 Papfgbmg.exe 98 PID 1592 wrote to memory of 1700 1592 Papfgbmg.exe 98 PID 1592 wrote to memory of 1700 1592 Papfgbmg.exe 98 PID 1700 wrote to memory of 4900 1700 Pifnhpmi.exe 99 PID 1700 wrote to memory of 4900 1700 Pifnhpmi.exe 99 PID 1700 wrote to memory of 4900 1700 Pifnhpmi.exe 99 PID 4900 wrote to memory of 2520 4900 Plejdkmm.exe 100 PID 4900 wrote to memory of 2520 4900 Plejdkmm.exe 100 PID 4900 wrote to memory of 2520 4900 Plejdkmm.exe 100 PID 2520 wrote to memory of 5084 2520 Pcobaedj.exe 101 PID 2520 wrote to memory of 5084 2520 Pcobaedj.exe 101 PID 2520 wrote to memory of 5084 2520 Pcobaedj.exe 101 PID 5084 wrote to memory of 4120 5084 Pemomqcn.exe 102 PID 5084 wrote to memory of 4120 5084 Pemomqcn.exe 102 PID 5084 wrote to memory of 4120 5084 Pemomqcn.exe 102 PID 4120 wrote to memory of 2568 4120 Qhlkilba.exe 103 PID 4120 wrote to memory of 2568 4120 Qhlkilba.exe 103 PID 4120 wrote to memory of 2568 4120 Qhlkilba.exe 103 PID 2568 wrote to memory of 3792 2568 Qkjgegae.exe 104 PID 2568 wrote to memory of 3792 2568 Qkjgegae.exe 104 PID 2568 wrote to memory of 3792 2568 Qkjgegae.exe 104 PID 3792 wrote to memory of 1552 3792 Qcaofebg.exe 105 PID 3792 wrote to memory of 1552 3792 Qcaofebg.exe 105 PID 3792 wrote to memory of 1552 3792 Qcaofebg.exe 105 PID 1552 wrote to memory of 5028 1552 Qepkbpak.exe 106 PID 1552 wrote to memory of 5028 1552 Qepkbpak.exe 106 PID 1552 wrote to memory of 5028 1552 Qepkbpak.exe 106 PID 5028 wrote to memory of 4924 5028 Qhngolpo.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc76cf28098ea14be30527c4e6a9b050N.exe"C:\Users\Admin\AppData\Local\Temp\bc76cf28098ea14be30527c4e6a9b050N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Oocmii32.exeC:\Windows\system32\Oocmii32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
C:\Windows\SysWOW64\Oeoblb32.exeC:\Windows\system32\Oeoblb32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Windows\SysWOW64\Oohgdhfn.exeC:\Windows\system32\Oohgdhfn.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\Oimkbaed.exeC:\Windows\system32\Oimkbaed.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Piphgq32.exeC:\Windows\system32\Piphgq32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Pefhlaie.exeC:\Windows\system32\Pefhlaie.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Plpqil32.exeC:\Windows\system32\Plpqil32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\Pamiaboj.exeC:\Windows\system32\Pamiaboj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
C:\Windows\SysWOW64\Pidabppl.exeC:\Windows\system32\Pidabppl.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Windows\SysWOW64\Plbmokop.exeC:\Windows\system32\Plbmokop.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\Pifnhpmi.exeC:\Windows\system32\Pifnhpmi.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Plejdkmm.exeC:\Windows\system32\Plejdkmm.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\Pcobaedj.exeC:\Windows\system32\Pcobaedj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Pemomqcn.exeC:\Windows\system32\Pemomqcn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Windows\SysWOW64\Qhlkilba.exeC:\Windows\system32\Qhlkilba.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
C:\Windows\SysWOW64\Qkjgegae.exeC:\Windows\system32\Qkjgegae.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Qcaofebg.exeC:\Windows\system32\Qcaofebg.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3792 -
C:\Windows\SysWOW64\Qepkbpak.exeC:\Windows\system32\Qepkbpak.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\Qhngolpo.exeC:\Windows\system32\Qhngolpo.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\SysWOW64\Qkmdkgob.exeC:\Windows\system32\Qkmdkgob.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:4924 -
C:\Windows\SysWOW64\Qohpkf32.exeC:\Windows\system32\Qohpkf32.exe24⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Qaflgago.exeC:\Windows\system32\Qaflgago.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Ajndioga.exeC:\Windows\system32\Ajndioga.exe26⤵
- Executes dropped EXE
PID:4380 -
C:\Windows\SysWOW64\Allpejfe.exeC:\Windows\system32\Allpejfe.exe27⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Akoqpg32.exeC:\Windows\system32\Akoqpg32.exe28⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Acfhad32.exeC:\Windows\system32\Acfhad32.exe29⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Aaiimadl.exeC:\Windows\system32\Aaiimadl.exe30⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Ajpqnneo.exeC:\Windows\system32\Ajpqnneo.exe31⤵
- Executes dropped EXE
PID:3552 -
C:\Windows\SysWOW64\Alnmjjdb.exeC:\Windows\system32\Alnmjjdb.exe32⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Aomifecf.exeC:\Windows\system32\Aomifecf.exe33⤵
- Executes dropped EXE
PID:3472 -
C:\Windows\SysWOW64\Achegd32.exeC:\Windows\system32\Achegd32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5100 -
C:\Windows\SysWOW64\Afgacokc.exeC:\Windows\system32\Afgacokc.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3976 -
C:\Windows\SysWOW64\Ahenokjf.exeC:\Windows\system32\Ahenokjf.exe36⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Akcjkfij.exeC:\Windows\system32\Akcjkfij.exe37⤵
- Executes dropped EXE
PID:4576 -
C:\Windows\SysWOW64\Ackbmcjl.exeC:\Windows\system32\Ackbmcjl.exe38⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Afinioip.exeC:\Windows\system32\Afinioip.exe39⤵
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Ajdjin32.exeC:\Windows\system32\Ajdjin32.exe40⤵
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Alcfei32.exeC:\Windows\system32\Alcfei32.exe41⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Aoabad32.exeC:\Windows\system32\Aoabad32.exe42⤵
- Executes dropped EXE
PID:3084 -
C:\Windows\SysWOW64\Abponp32.exeC:\Windows\system32\Abponp32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:5108 -
C:\Windows\SysWOW64\Ajggomog.exeC:\Windows\system32\Ajggomog.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Aleckinj.exeC:\Windows\system32\Aleckinj.exe45⤵
- Executes dropped EXE
PID:212 -
C:\Windows\SysWOW64\Aodogdmn.exeC:\Windows\system32\Aodogdmn.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1176 -
C:\Windows\SysWOW64\Abbkcpma.exeC:\Windows\system32\Abbkcpma.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3872 -
C:\Windows\SysWOW64\Bjicdmmd.exeC:\Windows\system32\Bjicdmmd.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:932 -
C:\Windows\SysWOW64\Blhpqhlh.exeC:\Windows\system32\Blhpqhlh.exe49⤵
- Executes dropped EXE
PID:3164 -
C:\Windows\SysWOW64\Boflmdkk.exeC:\Windows\system32\Boflmdkk.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1956 -
C:\Windows\SysWOW64\Bcahmb32.exeC:\Windows\system32\Bcahmb32.exe51⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Bhoqeibl.exeC:\Windows\system32\Bhoqeibl.exe52⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Bohibc32.exeC:\Windows\system32\Bohibc32.exe53⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Bbgeno32.exeC:\Windows\system32\Bbgeno32.exe54⤵
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Bjnmpl32.exeC:\Windows\system32\Bjnmpl32.exe55⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Bhamkipi.exeC:\Windows\system32\Bhamkipi.exe56⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Bkoigdom.exeC:\Windows\system32\Bkoigdom.exe57⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Bokehc32.exeC:\Windows\system32\Bokehc32.exe58⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Bbiado32.exeC:\Windows\system32\Bbiado32.exe59⤵
- Executes dropped EXE
PID:3540 -
C:\Windows\SysWOW64\Bfendmoc.exeC:\Windows\system32\Bfendmoc.exe60⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Bhcjqinf.exeC:\Windows\system32\Bhcjqinf.exe61⤵
- Executes dropped EXE
PID:3248 -
C:\Windows\SysWOW64\Bkafmd32.exeC:\Windows\system32\Bkafmd32.exe62⤵
- Executes dropped EXE
PID:3616 -
C:\Windows\SysWOW64\Bcinna32.exeC:\Windows\system32\Bcinna32.exe63⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Bblnindg.exeC:\Windows\system32\Bblnindg.exe64⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Bjbfklei.exeC:\Windows\system32\Bjbfklei.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Bmabggdm.exeC:\Windows\system32\Bmabggdm.exe66⤵
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\Bkdcbd32.exeC:\Windows\system32\Bkdcbd32.exe67⤵PID:2924
-
C:\Windows\SysWOW64\Bckkca32.exeC:\Windows\system32\Bckkca32.exe68⤵PID:2872
-
C:\Windows\SysWOW64\Bbnkonbd.exeC:\Windows\system32\Bbnkonbd.exe69⤵PID:2508
-
C:\Windows\SysWOW64\Cjecpkcg.exeC:\Windows\system32\Cjecpkcg.exe70⤵PID:5068
-
C:\Windows\SysWOW64\Cihclh32.exeC:\Windows\system32\Cihclh32.exe71⤵
- Drops file in System32 directory
- Modifies registry class
PID:4868 -
C:\Windows\SysWOW64\Ckfphc32.exeC:\Windows\system32\Ckfphc32.exe72⤵PID:3492
-
C:\Windows\SysWOW64\Cobkhb32.exeC:\Windows\system32\Cobkhb32.exe73⤵PID:1528
-
C:\Windows\SysWOW64\Ccmgiaig.exeC:\Windows\system32\Ccmgiaig.exe74⤵PID:1104
-
C:\Windows\SysWOW64\Cfldelik.exeC:\Windows\system32\Cfldelik.exe75⤵
- Modifies registry class
PID:3444 -
C:\Windows\SysWOW64\Ccdnjp32.exeC:\Windows\system32\Ccdnjp32.exe76⤵PID:2848
-
C:\Windows\SysWOW64\Ckpbnb32.exeC:\Windows\system32\Ckpbnb32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5020 -
C:\Windows\SysWOW64\Djqblj32.exeC:\Windows\system32\Djqblj32.exe78⤵PID:4788
-
C:\Windows\SysWOW64\Dmoohe32.exeC:\Windows\system32\Dmoohe32.exe79⤵PID:4388
-
C:\Windows\SysWOW64\Dpnkdq32.exeC:\Windows\system32\Dpnkdq32.exe80⤵PID:2592
-
C:\Windows\SysWOW64\Dfgcakon.exeC:\Windows\system32\Dfgcakon.exe81⤵
- Drops file in System32 directory
PID:1456 -
C:\Windows\SysWOW64\Dmalne32.exeC:\Windows\system32\Dmalne32.exe82⤵
- Drops file in System32 directory
PID:1560 -
C:\Windows\SysWOW64\Dpphjp32.exeC:\Windows\system32\Dpphjp32.exe83⤵PID:4784
-
C:\Windows\SysWOW64\Dlghoa32.exeC:\Windows\system32\Dlghoa32.exe84⤵PID:2268
-
C:\Windows\SysWOW64\Dbqqkkbo.exeC:\Windows\system32\Dbqqkkbo.exe85⤵PID:5008
-
C:\Windows\SysWOW64\Djhimica.exeC:\Windows\system32\Djhimica.exe86⤵PID:4860
-
C:\Windows\SysWOW64\Dcpmen32.exeC:\Windows\system32\Dcpmen32.exe87⤵PID:4368
-
C:\Windows\SysWOW64\Dimenegi.exeC:\Windows\system32\Dimenegi.exe88⤵
- Drops file in System32 directory
PID:1548 -
C:\Windows\SysWOW64\Ecbjkngo.exeC:\Windows\system32\Ecbjkngo.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4332 -
C:\Windows\SysWOW64\Ejlbhh32.exeC:\Windows\system32\Ejlbhh32.exe90⤵PID:4384
-
C:\Windows\SysWOW64\Elnoopdj.exeC:\Windows\system32\Elnoopdj.exe91⤵PID:4668
-
C:\Windows\SysWOW64\Ebhglj32.exeC:\Windows\system32\Ebhglj32.exe92⤵PID:3440
-
C:\Windows\SysWOW64\Ebjcajjd.exeC:\Windows\system32\Ebjcajjd.exe93⤵PID:1488
-
C:\Windows\SysWOW64\Eblpgjha.exeC:\Windows\system32\Eblpgjha.exe94⤵PID:2020
-
C:\Windows\SysWOW64\Embddb32.exeC:\Windows\system32\Embddb32.exe95⤵
- Drops file in System32 directory
PID:368 -
C:\Windows\SysWOW64\Eclmamod.exeC:\Windows\system32\Eclmamod.exe96⤵PID:3352
-
C:\Windows\SysWOW64\Fcniglmb.exeC:\Windows\system32\Fcniglmb.exe97⤵PID:3720
-
C:\Windows\SysWOW64\Fpejlmcf.exeC:\Windows\system32\Fpejlmcf.exe98⤵
- Modifies registry class
PID:952 -
C:\Windows\SysWOW64\Fbcfhibj.exeC:\Windows\system32\Fbcfhibj.exe99⤵PID:5112
-
C:\Windows\SysWOW64\Fmikeaap.exeC:\Windows\system32\Fmikeaap.exe100⤵PID:1584
-
C:\Windows\SysWOW64\Flngfn32.exeC:\Windows\system32\Flngfn32.exe101⤵
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Fibhpbea.exeC:\Windows\system32\Fibhpbea.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5144 -
C:\Windows\SysWOW64\Flqdlnde.exeC:\Windows\system32\Flqdlnde.exe103⤵
- Modifies registry class
PID:5180 -
C:\Windows\SysWOW64\Fplpll32.exeC:\Windows\system32\Fplpll32.exe104⤵PID:5220
-
C:\Windows\SysWOW64\Fbjmhh32.exeC:\Windows\system32\Fbjmhh32.exe105⤵PID:5264
-
C:\Windows\SysWOW64\Fjadje32.exeC:\Windows\system32\Fjadje32.exe106⤵PID:5304
-
C:\Windows\SysWOW64\Fmpqfq32.exeC:\Windows\system32\Fmpqfq32.exe107⤵
- Modifies registry class
PID:5348 -
C:\Windows\SysWOW64\Gpnmbl32.exeC:\Windows\system32\Gpnmbl32.exe108⤵PID:5384
-
C:\Windows\SysWOW64\Gbmingjo.exeC:\Windows\system32\Gbmingjo.exe109⤵PID:5432
-
C:\Windows\SysWOW64\Gigaka32.exeC:\Windows\system32\Gigaka32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5472 -
C:\Windows\SysWOW64\Gpqjglii.exeC:\Windows\system32\Gpqjglii.exe111⤵PID:5512
-
C:\Windows\SysWOW64\Gfkbde32.exeC:\Windows\system32\Gfkbde32.exe112⤵PID:5548
-
C:\Windows\SysWOW64\Giinpa32.exeC:\Windows\system32\Giinpa32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5584 -
C:\Windows\SysWOW64\Glgjlm32.exeC:\Windows\system32\Glgjlm32.exe114⤵PID:5628
-
C:\Windows\SysWOW64\Gbabigfj.exeC:\Windows\system32\Gbabigfj.exe115⤵PID:5672
-
C:\Windows\SysWOW64\Gkhkjd32.exeC:\Windows\system32\Gkhkjd32.exe116⤵PID:5716
-
C:\Windows\SysWOW64\Gljgbllj.exeC:\Windows\system32\Gljgbllj.exe117⤵
- Modifies registry class
PID:5756 -
C:\Windows\SysWOW64\Gdaociml.exeC:\Windows\system32\Gdaociml.exe118⤵PID:5796
-
C:\Windows\SysWOW64\Glldgljg.exeC:\Windows\system32\Glldgljg.exe119⤵PID:5852
-
C:\Windows\SysWOW64\Gdcliikj.exeC:\Windows\system32\Gdcliikj.exe120⤵PID:5912
-
C:\Windows\SysWOW64\Gkmdecbg.exeC:\Windows\system32\Gkmdecbg.exe121⤵PID:5968
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-