Analysis
-
max time kernel
71s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
06/03/2024, 17:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
00590d6e140b6b89f21607ba2bcae0007def48efd1c8fbb65768b046955be94c.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
00590d6e140b6b89f21607ba2bcae0007def48efd1c8fbb65768b046955be94c.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
00590d6e140b6b89f21607ba2bcae0007def48efd1c8fbb65768b046955be94c.exe
-
Size
1.6MB
-
MD5
c01a06665691021bebd99cc7832c6ed4
-
SHA1
a6076eb8a81acca68f1ec9f8208c4348ac3d0362
-
SHA256
00590d6e140b6b89f21607ba2bcae0007def48efd1c8fbb65768b046955be94c
-
SHA512
d4de066a750752441b48dd7806d0a3f94b2865725426d20886f31e468d200a8dbcf5d490c950923002377c99983e810e5854cf56af44071a32ec23fb58f06ec1
-
SSDEEP
24576:m5h3q5hrq5h3q5hFw75h3q5hrq5h3q5hs:u
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Janpnfee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okneldkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ankgpk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhaggp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cibkohef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecoaijio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgncff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gogjflhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdjlap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaenkj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcabhido.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hllcfnhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmplkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fefjanml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fifomlap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfkpiled.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gledpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Calbnnkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djklgb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjcccm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjpmfpid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cidgdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epjhcnbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgmllpng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgngqico.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omlkmign.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkgejncb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iibaeb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mclpbqal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnqebaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkabefqp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lndfchdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgkegn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apobakpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhbqalle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fefjanml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghgljg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhfenmbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Loacdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icnphd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgcooaah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajodef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmlmjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeaiij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpcila32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgqdfi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mndjhhjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emioab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfnpca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndinck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njmejp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijkdkq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ookhfigk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onngci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paaidf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njmopj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppoijn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imofip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihnmlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elilmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbknhqbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpgnjebd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agnkck32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dedkogqm.exe -
Executes dropped EXE 64 IoCs
pid Process 788 Gkdpbpih.exe 1372 Hhaggp32.exe 2420 Haaaaeim.exe 4664 Ipdndloi.exe 1944 Iialhaad.exe 1516 Jppnpjel.exe 2408 Jeocna32.exe 2484 Kapfiqoj.exe 5040 Lljdai32.exe 444 Lakfeodm.exe 3684 Loacdc32.exe 1928 Mbgeqmjp.exe 1728 Nckkfp32.exe 3216 Ncbafoge.exe 684 Oiccje32.exe 2252 Ppdbgncl.exe 3988 Ppikbm32.exe 3536 Qjhbfd32.exe 1548 Aiplmq32.exe 1092 Affikdfn.exe 416 Bpcgpihi.exe 4956 Bdeiqgkj.exe 2440 Dahfkimd.exe 3016 Daollh32.exe 2292 Gjaphgpl.exe 4216 Gcjdam32.exe 404 Hbdgec32.exe 2416 Halaloif.exe 4552 Ibbcfa32.exe 3808 Ihceigec.exe 2364 Jejbhk32.exe 4828 Jlfhke32.exe 892 Jeaiij32.exe 4636 Kemhei32.exe 3008 Mkepineo.exe 1592 Ndnnianm.exe 2668 Nocbfjmc.exe 3492 Nfpghccm.exe 3252 Ookhfigk.exe 1060 Pmmeak32.exe 2308 Qckfid32.exe 500 Qkfkng32.exe 1156 Abemep32.exe 4988 Amkabind.exe 5128 Aeffgkkp.exe 5184 Apkjddke.exe 5228 Amoknh32.exe 5276 Bfhofnpp.exe 5316 Bclppboi.exe 5356 Bmddihfj.exe 5392 Cpifeb32.exe 5444 Cibkohef.exe 5492 Cidgdg32.exe 5532 Cdjlap32.exe 5580 Cleqfb32.exe 5628 Cboibm32.exe 5668 Cpcila32.exe 5708 Cepadh32.exe 5752 Dbcbnlcl.exe 5796 Dllffa32.exe 5836 Dedkogqm.exe 5880 Dibdeegc.exe 5928 Ddhhbngi.exe 5972 Dmplkd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Bpcgpihi.exe Affikdfn.exe File created C:\Windows\SysWOW64\Jhclcf32.dll Mmdlflki.exe File created C:\Windows\SysWOW64\Cmpoch32.exe Cddjofbj.exe File created C:\Windows\SysWOW64\Fpbibenl.dll Digmqe32.exe File created C:\Windows\SysWOW64\Lkihaj32.dll Jjknakhq.exe File opened for modification C:\Windows\SysWOW64\Kemhei32.exe Jeaiij32.exe File created C:\Windows\SysWOW64\Cibkohef.exe Cpifeb32.exe File created C:\Windows\SysWOW64\Amqfdcji.dll Njahki32.exe File opened for modification C:\Windows\SysWOW64\Gdclcmba.exe Gaccbaeq.exe File opened for modification C:\Windows\SysWOW64\Jdiglgbg.exe Jhbfgflc.exe File created C:\Windows\SysWOW64\Diafqi32.exe Dnienqbi.exe File opened for modification C:\Windows\SysWOW64\Enpknplq.exe Dalkek32.exe File created C:\Windows\SysWOW64\Mkkpdokc.dll Aneppo32.exe File created C:\Windows\SysWOW64\Gcmaho32.dll Nkpijfgf.exe File opened for modification C:\Windows\SysWOW64\Afnefieo.exe Agmehamp.exe File created C:\Windows\SysWOW64\Iakllgni.dll Fifomlap.exe File created C:\Windows\SysWOW64\Imneeb32.dll Lpjelibg.exe File created C:\Windows\SysWOW64\Bhcdcbcl.dll Cghgpgqd.exe File created C:\Windows\SysWOW64\Miflehaf.exe Mlbllc32.exe File created C:\Windows\SysWOW64\Ofacao32.dll Agmehamp.exe File created C:\Windows\SysWOW64\Padkjq32.dll Bfnnmg32.exe File created C:\Windows\SysWOW64\Foakpc32.exe Fidbgm32.exe File opened for modification C:\Windows\SysWOW64\Njmejp32.exe Maeaajpl.exe File created C:\Windows\SysWOW64\Hocjaj32.exe Gaoihfoo.exe File created C:\Windows\SysWOW64\Fagcfc32.exe Ecccmo32.exe File created C:\Windows\SysWOW64\Haeino32.exe Haclio32.exe File created C:\Windows\SysWOW64\Ddjnng32.dll Hecadm32.exe File opened for modification C:\Windows\SysWOW64\Ncbafoge.exe Nckkfp32.exe File created C:\Windows\SysWOW64\Iilpao32.dll Qckfid32.exe File created C:\Windows\SysWOW64\Dhbqalle.exe Dbehienn.exe File created C:\Windows\SysWOW64\Dliffkod.dll Dbehienn.exe File created C:\Windows\SysWOW64\Ollgiplp.exe Odqbdnod.exe File opened for modification C:\Windows\SysWOW64\Akdfndpd.exe Apobakpn.exe File created C:\Windows\SysWOW64\Dllffa32.exe Dbcbnlcl.exe File created C:\Windows\SysWOW64\Cmonod32.dll Dibdeegc.exe File opened for modification C:\Windows\SysWOW64\Ebeapc32.exe Efopjbjg.exe File opened for modification C:\Windows\SysWOW64\Oalpigkb.exe Oggllnkl.exe File created C:\Windows\SysWOW64\Jjpmfpid.exe Jkomhhae.exe File created C:\Windows\SysWOW64\Ldnemdgd.dll Ihceigec.exe File created C:\Windows\SysWOW64\Nocbfjmc.exe Ndnnianm.exe File opened for modification C:\Windows\SysWOW64\Fgmllpng.exe Fiilblom.exe File opened for modification C:\Windows\SysWOW64\Ajaqjfbp.exe Aqilaplo.exe File created C:\Windows\SysWOW64\Omkmhlpf.exe Omhpcm32.exe File created C:\Windows\SysWOW64\Lampbohh.dll Kfkamk32.exe File opened for modification C:\Windows\SysWOW64\Ndejcemn.exe Njmejp32.exe File created C:\Windows\SysWOW64\Kemhei32.exe Jeaiij32.exe File opened for modification C:\Windows\SysWOW64\Ebnddn32.exe Ehhpge32.exe File created C:\Windows\SysWOW64\Afoaho32.dll Fgkfqgce.exe File created C:\Windows\SysWOW64\Hfamia32.exe Hqddqj32.exe File opened for modification C:\Windows\SysWOW64\Cfedmfqd.exe Ceehcc32.exe File created C:\Windows\SysWOW64\Paaidf32.exe Pgkegn32.exe File opened for modification C:\Windows\SysWOW64\Aneppo32.exe Admkgifd.exe File opened for modification C:\Windows\SysWOW64\Dbcbnlcl.exe Cepadh32.exe File opened for modification C:\Windows\SysWOW64\Nhhldc32.exe Nmbhgjoi.exe File created C:\Windows\SysWOW64\Fchlhnlo.exe Fagcfc32.exe File created C:\Windows\SysWOW64\Gmfkjl32.exe Ggicbe32.exe File opened for modification C:\Windows\SysWOW64\Apobakpn.exe Agfnhf32.exe File created C:\Windows\SysWOW64\Lgcnle32.dll Jehcfj32.exe File created C:\Windows\SysWOW64\Kbnckjif.dll Pdlbpldg.exe File created C:\Windows\SysWOW64\Dmplkd32.exe Ddhhbngi.exe File opened for modification C:\Windows\SysWOW64\Ceehcc32.exe Cpipkl32.exe File created C:\Windows\SysWOW64\Njmejp32.exe Maeaajpl.exe File created C:\Windows\SysWOW64\Fdqekdcj.dll Cqiehnml.exe File created C:\Windows\SysWOW64\Pdlbpldg.exe Pignccea.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3116 5536 WerFault.exe 1112 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdchakoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Digmqe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qoocnpag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfnnmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoengj32.dll" Fbggkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaoihfoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikjcmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcaoahio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjaphgpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfgbec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agnkck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lckglc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cekmph32.dll" Mkadam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gegchl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icnphd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmjmleo.dll" Logbigbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkicjgnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeackh32.dll" Andqol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efopjbjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlhlck32.dll" Fljedg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgcmeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glmhdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqagcpkg.dll" Falcli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjfpkhpm.dll" Daollh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aecbge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ileflmpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipdndloi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fepade32.dll" Kgngqico.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpjelibg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmdlflki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glngep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qckfid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kemhei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odhiemil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgindb32.dll" Nnlqig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jejbhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okneldkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfkhfmdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpgfeb32.dll" Bfhofnpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cepadh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipoedpc.dll" Hfnpca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfmpob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcfndog.dll" Bpcgpihi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfpqap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pignccea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cddjofbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdicje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekcemmgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikjmcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgkjch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmbmdeoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bndjfjhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kapfiqoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Foenplji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkhjpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmpgghoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meadlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jepidp32.dll" Npognfpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Naqqmieo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qajlje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehhpge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Endnohdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkepineo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kffhakjp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1692 wrote to memory of 788 1692 00590d6e140b6b89f21607ba2bcae0007def48efd1c8fbb65768b046955be94c.exe 98 PID 1692 wrote to memory of 788 1692 00590d6e140b6b89f21607ba2bcae0007def48efd1c8fbb65768b046955be94c.exe 98 PID 1692 wrote to memory of 788 1692 00590d6e140b6b89f21607ba2bcae0007def48efd1c8fbb65768b046955be94c.exe 98 PID 788 wrote to memory of 1372 788 Gkdpbpih.exe 99 PID 788 wrote to memory of 1372 788 Gkdpbpih.exe 99 PID 788 wrote to memory of 1372 788 Gkdpbpih.exe 99 PID 1372 wrote to memory of 2420 1372 Hhaggp32.exe 100 PID 1372 wrote to memory of 2420 1372 Hhaggp32.exe 100 PID 1372 wrote to memory of 2420 1372 Hhaggp32.exe 100 PID 2420 wrote to memory of 4664 2420 Haaaaeim.exe 101 PID 2420 wrote to memory of 4664 2420 Haaaaeim.exe 101 PID 2420 wrote to memory of 4664 2420 Haaaaeim.exe 101 PID 4664 wrote to memory of 1944 4664 Ipdndloi.exe 102 PID 4664 wrote to memory of 1944 4664 Ipdndloi.exe 102 PID 4664 wrote to memory of 1944 4664 Ipdndloi.exe 102 PID 1944 wrote to memory of 1516 1944 Iialhaad.exe 103 PID 1944 wrote to memory of 1516 1944 Iialhaad.exe 103 PID 1944 wrote to memory of 1516 1944 Iialhaad.exe 103 PID 1516 wrote to memory of 2408 1516 Jppnpjel.exe 104 PID 1516 wrote to memory of 2408 1516 Jppnpjel.exe 104 PID 1516 wrote to memory of 2408 1516 Jppnpjel.exe 104 PID 2408 wrote to memory of 2484 2408 Jeocna32.exe 105 PID 2408 wrote to memory of 2484 2408 Jeocna32.exe 105 PID 2408 wrote to memory of 2484 2408 Jeocna32.exe 105 PID 2484 wrote to memory of 5040 2484 Kapfiqoj.exe 106 PID 2484 wrote to memory of 5040 2484 Kapfiqoj.exe 106 PID 2484 wrote to memory of 5040 2484 Kapfiqoj.exe 106 PID 5040 wrote to memory of 444 5040 Lljdai32.exe 107 PID 5040 wrote to memory of 444 5040 Lljdai32.exe 107 PID 5040 wrote to memory of 444 5040 Lljdai32.exe 107 PID 444 wrote to memory of 3684 444 Lakfeodm.exe 108 PID 444 wrote to memory of 3684 444 Lakfeodm.exe 108 PID 444 wrote to memory of 3684 444 Lakfeodm.exe 108 PID 3684 wrote to memory of 1928 3684 Loacdc32.exe 109 PID 3684 wrote to memory of 1928 3684 Loacdc32.exe 109 PID 3684 wrote to memory of 1928 3684 Loacdc32.exe 109 PID 1928 wrote to memory of 1728 1928 Mbgeqmjp.exe 110 PID 1928 wrote to memory of 1728 1928 Mbgeqmjp.exe 110 PID 1928 wrote to memory of 1728 1928 Mbgeqmjp.exe 110 PID 1728 wrote to memory of 3216 1728 Nckkfp32.exe 111 PID 1728 wrote to memory of 3216 1728 Nckkfp32.exe 111 PID 1728 wrote to memory of 3216 1728 Nckkfp32.exe 111 PID 3216 wrote to memory of 684 3216 Ncbafoge.exe 112 PID 3216 wrote to memory of 684 3216 Ncbafoge.exe 112 PID 3216 wrote to memory of 684 3216 Ncbafoge.exe 112 PID 684 wrote to memory of 2252 684 Oiccje32.exe 113 PID 684 wrote to memory of 2252 684 Oiccje32.exe 113 PID 684 wrote to memory of 2252 684 Oiccje32.exe 113 PID 2252 wrote to memory of 3988 2252 Ppdbgncl.exe 114 PID 2252 wrote to memory of 3988 2252 Ppdbgncl.exe 114 PID 2252 wrote to memory of 3988 2252 Ppdbgncl.exe 114 PID 3988 wrote to memory of 3536 3988 Ppikbm32.exe 115 PID 3988 wrote to memory of 3536 3988 Ppikbm32.exe 115 PID 3988 wrote to memory of 3536 3988 Ppikbm32.exe 115 PID 3536 wrote to memory of 1548 3536 Qjhbfd32.exe 116 PID 3536 wrote to memory of 1548 3536 Qjhbfd32.exe 116 PID 3536 wrote to memory of 1548 3536 Qjhbfd32.exe 116 PID 1548 wrote to memory of 1092 1548 Aiplmq32.exe 117 PID 1548 wrote to memory of 1092 1548 Aiplmq32.exe 117 PID 1548 wrote to memory of 1092 1548 Aiplmq32.exe 117 PID 1092 wrote to memory of 416 1092 Affikdfn.exe 118 PID 1092 wrote to memory of 416 1092 Affikdfn.exe 118 PID 1092 wrote to memory of 416 1092 Affikdfn.exe 118 PID 416 wrote to memory of 4956 416 Bpcgpihi.exe 119
Processes
-
C:\Users\Admin\AppData\Local\Temp\00590d6e140b6b89f21607ba2bcae0007def48efd1c8fbb65768b046955be94c.exe"C:\Users\Admin\AppData\Local\Temp\00590d6e140b6b89f21607ba2bcae0007def48efd1c8fbb65768b046955be94c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Gkdpbpih.exeC:\Windows\system32\Gkdpbpih.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:788 -
C:\Windows\SysWOW64\Hhaggp32.exeC:\Windows\system32\Hhaggp32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\Haaaaeim.exeC:\Windows\system32\Haaaaeim.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Ipdndloi.exeC:\Windows\system32\Ipdndloi.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Windows\SysWOW64\Iialhaad.exeC:\Windows\system32\Iialhaad.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Jppnpjel.exeC:\Windows\system32\Jppnpjel.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Jeocna32.exeC:\Windows\system32\Jeocna32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Kapfiqoj.exeC:\Windows\system32\Kapfiqoj.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Lljdai32.exeC:\Windows\system32\Lljdai32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\Lakfeodm.exeC:\Windows\system32\Lakfeodm.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444 -
C:\Windows\SysWOW64\Loacdc32.exeC:\Windows\system32\Loacdc32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Windows\SysWOW64\Mbgeqmjp.exeC:\Windows\system32\Mbgeqmjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Nckkfp32.exeC:\Windows\system32\Nckkfp32.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Ncbafoge.exeC:\Windows\system32\Ncbafoge.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\Oiccje32.exeC:\Windows\system32\Oiccje32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:684 -
C:\Windows\SysWOW64\Ppdbgncl.exeC:\Windows\system32\Ppdbgncl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Ppikbm32.exeC:\Windows\system32\Ppikbm32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
C:\Windows\SysWOW64\Qjhbfd32.exeC:\Windows\system32\Qjhbfd32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Windows\SysWOW64\Aiplmq32.exeC:\Windows\system32\Aiplmq32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Affikdfn.exeC:\Windows\system32\Affikdfn.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Windows\SysWOW64\Bpcgpihi.exeC:\Windows\system32\Bpcgpihi.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:416 -
C:\Windows\SysWOW64\Bdeiqgkj.exeC:\Windows\system32\Bdeiqgkj.exe23⤵
- Executes dropped EXE
PID:4956 -
C:\Windows\SysWOW64\Dahfkimd.exeC:\Windows\system32\Dahfkimd.exe24⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Daollh32.exeC:\Windows\system32\Daollh32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Gjaphgpl.exeC:\Windows\system32\Gjaphgpl.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Gcjdam32.exeC:\Windows\system32\Gcjdam32.exe27⤵
- Executes dropped EXE
PID:4216 -
C:\Windows\SysWOW64\Hbdgec32.exeC:\Windows\system32\Hbdgec32.exe28⤵
- Executes dropped EXE
PID:404 -
C:\Windows\SysWOW64\Halaloif.exeC:\Windows\system32\Halaloif.exe29⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Ibbcfa32.exeC:\Windows\system32\Ibbcfa32.exe30⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Ihceigec.exeC:\Windows\system32\Ihceigec.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3808 -
C:\Windows\SysWOW64\Jejbhk32.exeC:\Windows\system32\Jejbhk32.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Jlfhke32.exeC:\Windows\system32\Jlfhke32.exe33⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Jeaiij32.exeC:\Windows\system32\Jeaiij32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:892 -
C:\Windows\SysWOW64\Kemhei32.exeC:\Windows\system32\Kemhei32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:4636 -
C:\Windows\SysWOW64\Mkepineo.exeC:\Windows\system32\Mkepineo.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Ndnnianm.exeC:\Windows\system32\Ndnnianm.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Nocbfjmc.exeC:\Windows\system32\Nocbfjmc.exe38⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Nfpghccm.exeC:\Windows\system32\Nfpghccm.exe39⤵
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\Ookhfigk.exeC:\Windows\system32\Ookhfigk.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Pmmeak32.exeC:\Windows\system32\Pmmeak32.exe41⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Qckfid32.exeC:\Windows\system32\Qckfid32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Qkfkng32.exeC:\Windows\system32\Qkfkng32.exe43⤵
- Executes dropped EXE
PID:500 -
C:\Windows\SysWOW64\Abemep32.exeC:\Windows\system32\Abemep32.exe44⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Amkabind.exeC:\Windows\system32\Amkabind.exe45⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Aeffgkkp.exeC:\Windows\system32\Aeffgkkp.exe46⤵
- Executes dropped EXE
PID:5128 -
C:\Windows\SysWOW64\Apkjddke.exeC:\Windows\system32\Apkjddke.exe47⤵
- Executes dropped EXE
PID:5184 -
C:\Windows\SysWOW64\Amoknh32.exeC:\Windows\system32\Amoknh32.exe48⤵
- Executes dropped EXE
PID:5228 -
C:\Windows\SysWOW64\Bfhofnpp.exeC:\Windows\system32\Bfhofnpp.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:5276 -
C:\Windows\SysWOW64\Bclppboi.exeC:\Windows\system32\Bclppboi.exe50⤵
- Executes dropped EXE
PID:5316 -
C:\Windows\SysWOW64\Bmddihfj.exeC:\Windows\system32\Bmddihfj.exe51⤵
- Executes dropped EXE
PID:5356 -
C:\Windows\SysWOW64\Cpifeb32.exeC:\Windows\system32\Cpifeb32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5392 -
C:\Windows\SysWOW64\Cibkohef.exeC:\Windows\system32\Cibkohef.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5444 -
C:\Windows\SysWOW64\Cidgdg32.exeC:\Windows\system32\Cidgdg32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5492 -
C:\Windows\SysWOW64\Cdjlap32.exeC:\Windows\system32\Cdjlap32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5532 -
C:\Windows\SysWOW64\Cleqfb32.exeC:\Windows\system32\Cleqfb32.exe56⤵
- Executes dropped EXE
PID:5580 -
C:\Windows\SysWOW64\Cboibm32.exeC:\Windows\system32\Cboibm32.exe57⤵
- Executes dropped EXE
PID:5628 -
C:\Windows\SysWOW64\Cpcila32.exeC:\Windows\system32\Cpcila32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5668 -
C:\Windows\SysWOW64\Cepadh32.exeC:\Windows\system32\Cepadh32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5708 -
C:\Windows\SysWOW64\Dbcbnlcl.exeC:\Windows\system32\Dbcbnlcl.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5752 -
C:\Windows\SysWOW64\Dllffa32.exeC:\Windows\system32\Dllffa32.exe61⤵
- Executes dropped EXE
PID:5796 -
C:\Windows\SysWOW64\Dedkogqm.exeC:\Windows\system32\Dedkogqm.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5836 -
C:\Windows\SysWOW64\Dibdeegc.exeC:\Windows\system32\Dibdeegc.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5880 -
C:\Windows\SysWOW64\Ddhhbngi.exeC:\Windows\system32\Ddhhbngi.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5928 -
C:\Windows\SysWOW64\Dmplkd32.exeC:\Windows\system32\Dmplkd32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5972 -
C:\Windows\SysWOW64\Dcmedk32.exeC:\Windows\system32\Dcmedk32.exe66⤵PID:6012
-
C:\Windows\SysWOW64\Digmqe32.exeC:\Windows\system32\Digmqe32.exe67⤵
- Drops file in System32 directory
- Modifies registry class
PID:6056 -
C:\Windows\SysWOW64\Ecoaijio.exeC:\Windows\system32\Ecoaijio.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6096 -
C:\Windows\SysWOW64\Emeffcid.exeC:\Windows\system32\Emeffcid.exe69⤵PID:6136
-
C:\Windows\SysWOW64\Eepkkefp.exeC:\Windows\system32\Eepkkefp.exe70⤵PID:3232
-
C:\Windows\SysWOW64\Edakimoo.exeC:\Windows\system32\Edakimoo.exe71⤵PID:1648
-
C:\Windows\SysWOW64\Emioab32.exeC:\Windows\system32\Emioab32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5304 -
C:\Windows\SysWOW64\Ecfhji32.exeC:\Windows\system32\Ecfhji32.exe73⤵PID:5248
-
C:\Windows\SysWOW64\Epjhcnbp.exeC:\Windows\system32\Epjhcnbp.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5408 -
C:\Windows\SysWOW64\Eegqldqg.exeC:\Windows\system32\Eegqldqg.exe75⤵PID:5472
-
C:\Windows\SysWOW64\Fdhail32.exeC:\Windows\system32\Fdhail32.exe76⤵PID:5548
-
C:\Windows\SysWOW64\Fnqebaog.exeC:\Windows\system32\Fnqebaog.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5636 -
C:\Windows\SysWOW64\Fncbha32.exeC:\Windows\system32\Fncbha32.exe78⤵PID:5700
-
C:\Windows\SysWOW64\Fgkfqgce.exeC:\Windows\system32\Fgkfqgce.exe79⤵
- Drops file in System32 directory
PID:5780 -
C:\Windows\SysWOW64\Fgncff32.exeC:\Windows\system32\Fgncff32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5728 -
C:\Windows\SysWOW64\Glmhdm32.exeC:\Windows\system32\Glmhdm32.exe81⤵
- Modifies registry class
PID:5908 -
C:\Windows\SysWOW64\Gnoacp32.exeC:\Windows\system32\Gnoacp32.exe82⤵PID:5956
-
C:\Windows\SysWOW64\Ggicbe32.exeC:\Windows\system32\Ggicbe32.exe83⤵
- Drops file in System32 directory
PID:6040 -
C:\Windows\SysWOW64\Gmfkjl32.exeC:\Windows\system32\Gmfkjl32.exe84⤵PID:6088
-
C:\Windows\SysWOW64\Hfnpca32.exeC:\Windows\system32\Hfnpca32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5172 -
C:\Windows\SysWOW64\Hqddqj32.exeC:\Windows\system32\Hqddqj32.exe86⤵
- Drops file in System32 directory
PID:5260 -
C:\Windows\SysWOW64\Hfamia32.exeC:\Windows\system32\Hfamia32.exe87⤵PID:5364
-
C:\Windows\SysWOW64\Hqfqfj32.exeC:\Windows\system32\Hqfqfj32.exe88⤵PID:5332
-
C:\Windows\SysWOW64\Hjoeoo32.exeC:\Windows\system32\Hjoeoo32.exe89⤵PID:5588
-
C:\Windows\SysWOW64\Icnphd32.exeC:\Windows\system32\Icnphd32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5592 -
C:\Windows\SysWOW64\Ifoijonj.exeC:\Windows\system32\Ifoijonj.exe91⤵PID:5340
-
C:\Windows\SysWOW64\Icciccmd.exeC:\Windows\system32\Icciccmd.exe92⤵PID:5688
-
C:\Windows\SysWOW64\Iqgjmg32.exeC:\Windows\system32\Iqgjmg32.exe93⤵PID:6084
-
C:\Windows\SysWOW64\Inkjfk32.exeC:\Windows\system32\Inkjfk32.exe94⤵PID:1112
-
C:\Windows\SysWOW64\Jgcooaah.exeC:\Windows\system32\Jgcooaah.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5352 -
C:\Windows\SysWOW64\Jmpgghoo.exeC:\Windows\system32\Jmpgghoo.exe96⤵
- Modifies registry class
PID:5616 -
C:\Windows\SysWOW64\Janpnfee.exeC:\Windows\system32\Janpnfee.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5760 -
C:\Windows\SysWOW64\Jfkhfmdm.exeC:\Windows\system32\Jfkhfmdm.exe98⤵
- Modifies registry class
PID:5916 -
C:\Windows\SysWOW64\Japmcfcc.exeC:\Windows\system32\Japmcfcc.exe99⤵PID:6080
-
C:\Windows\SysWOW64\Jfmekm32.exeC:\Windows\system32\Jfmekm32.exe100⤵PID:5216
-
C:\Windows\SysWOW64\Jeneidji.exeC:\Windows\system32\Jeneidji.exe101⤵PID:5208
-
C:\Windows\SysWOW64\Jjknakhq.exeC:\Windows\system32\Jjknakhq.exe102⤵
- Drops file in System32 directory
PID:5872 -
C:\Windows\SysWOW64\Jepbodhg.exeC:\Windows\system32\Jepbodhg.exe103⤵PID:6072
-
C:\Windows\SysWOW64\Kjmjgk32.exeC:\Windows\system32\Kjmjgk32.exe104⤵PID:5452
-
C:\Windows\SysWOW64\Kebodc32.exeC:\Windows\system32\Kebodc32.exe105⤵PID:5652
-
C:\Windows\SysWOW64\Knkcmild.exeC:\Windows\system32\Knkcmild.exe106⤵PID:5288
-
C:\Windows\SysWOW64\Kffhakjp.exeC:\Windows\system32\Kffhakjp.exe107⤵
- Modifies registry class
PID:5528 -
C:\Windows\SysWOW64\Kmbmdeoj.exeC:\Windows\system32\Kmbmdeoj.exe108⤵
- Modifies registry class
PID:2916 -
C:\Windows\SysWOW64\Kfkamk32.exeC:\Windows\system32\Kfkamk32.exe109⤵
- Drops file in System32 directory
PID:6184 -
C:\Windows\SysWOW64\Lelajb32.exeC:\Windows\system32\Lelajb32.exe110⤵PID:6224
-
C:\Windows\SysWOW64\Lndfchdj.exeC:\Windows\system32\Lndfchdj.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6268 -
C:\Windows\SysWOW64\Logbigbg.exeC:\Windows\system32\Logbigbg.exe112⤵
- Modifies registry class
PID:6320 -
C:\Windows\SysWOW64\Loiong32.exeC:\Windows\system32\Loiong32.exe113⤵PID:6360
-
C:\Windows\SysWOW64\Lfddci32.exeC:\Windows\system32\Lfddci32.exe114⤵PID:6404
-
C:\Windows\SysWOW64\Lajhpbme.exeC:\Windows\system32\Lajhpbme.exe115⤵PID:6444
-
C:\Windows\SysWOW64\Lfgahikm.exeC:\Windows\system32\Lfgahikm.exe116⤵PID:6484
-
C:\Windows\SysWOW64\Malefbkc.exeC:\Windows\system32\Malefbkc.exe117⤵PID:6532
-
C:\Windows\SysWOW64\Mmcfkc32.exeC:\Windows\system32\Mmcfkc32.exe118⤵PID:6572
-
C:\Windows\SysWOW64\Mgkjch32.exeC:\Windows\system32\Mgkjch32.exe119⤵
- Modifies registry class
PID:6620 -
C:\Windows\SysWOW64\Maaoaa32.exeC:\Windows\system32\Maaoaa32.exe120⤵PID:6660
-
C:\Windows\SysWOW64\Mkicjgnn.exeC:\Windows\system32\Mkicjgnn.exe121⤵
- Modifies registry class
PID:6700
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-